antlr for scim filter parsing, why

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2022-06-11 23:59:57 +02:00 · 2022-06-11 23:59:57 +02:00 · 16bc7408e7
parent 7f12b14145
commit 16bc7408e7
23 changed files with 4539 additions and 27 deletions
--- a/authentik/sources/scim/api.py
+++ b/authentik/sources/scim/api.py
@ -57,6 +57,6 @@ class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
    queryset = SCIMSource.objects.all()
    serializer_class = SCIMSourceSerializer
    lookup_field = "slug"
-    filterset_fields = "__all__"
+    filterset_fields = ["name", "slug"]
    search_fields = ["name", "slug", "token__identifier", "token__user__username"]
    ordering = ["name"]
--- a/authentik/sources/scim/errors.py
+++ b/authentik/sources/scim/errors.py
@ -0,0 +1,8 @@
 """SCIM Errors"""
 from authentik.lib.sentry import SentryIgnoredException
 class PatchError(SentryIgnoredException):
    """Error raised within an atomic block when an error happened
    so nothing is saved"""
--- a/authentik/sources/scim/filters/ScimFilter.g4
+++ b/authentik/sources/scim/filters/ScimFilter.g4
@ -0,0 +1,61 @@
 grammar ScimFilter;
 parse
    : filter
    ;
 filter
 	: attrPath SP PR                             #presentExp
 	| attrPath SP COMPAREOPERATOR SP VALUE       #operatorExp
 	| NOT? SP* '(' filter ')'                    #braceExp
 	| attrPath '[' valPathFilter ']'             #valPathExp
 	| filter SP AND SP filter                    #andExp
 	| filter SP OR SP filter                     #orExp
 	;										     
 valPathFilter								     
 	: attrPath SP PR                             #valPathPresentExp
 	| attrPath SP COMPAREOPERATOR SP VALUE       #valPathOperatorExp
 	| NOT? SP* '(' valPathFilter ')'             #valPathBraceExp
 	| valPathFilter SP AND SP valPathFilter      #valPathAndExp
 	| valPathFilter SP OR SP valPathFilter       #valPathOrExp
 	;
 attrPath 
 	: (SCHEMA)? ATTRNAME ('.' ATTRNAME)?
 	;
 COMPAREOPERATOR : EQ | NE | CO | SW | EW | GT | GE | LT | LE;
 EQ : [eE][qQ];
 NE : [nN][eE];
 CO : [cC][oO];
 SW : [sS][wW];
 EW : [eE][wW];
 PR : [pP][rR];
 GT : [gG][tT];
 GE : [gG][eE];
 LT : [lL][tT];
 LE : [lL][eE];
 NOT : [nN][oO][tT];
 AND : [aA][nN][dD];
 OR  : [oO][rR];
 SP : ' ';
 SCHEMA : 'urn:' (SEGMENT ':')+;
 ATTRNAME : ALPHA (ALPHA | DIGIT | '_' | '-')+;
 fragment SEGMENT : (ALPHA | DIGIT | '_' | '-' | '.')+;
 fragment DIGIT : [0-9];
 fragment ALPHA : [a-z] | [A-Z];
 ESCAPED_QUOTE : '\\"';
 VALUE : '"'(ESCAPED_QUOTE | ~'"')*'"' | 'true' | 'false' | 'null' | DIGIT+('.'DIGIT+)?;
 EXCLUDE : [\b | \t | \r | \n]+ -> skip;
--- a/authentik/sources/scim/filters/ScimFilter.interp
+++ b/authentik/sources/scim/filters/ScimFilter.interp
@ -0,0 +1,65 @@
 token literal names:
 null
 '('
 ')'
 '['
 ']'
 '.'
 null
 null
 null
 null
 null
 null
 null
 null
 null
 null
 null
 null
 null
 null
 ' '
 null
 null
 '\\"'
 null
 null
 token symbolic names:
 null
 null
 null
 null
 null
 null
 COMPAREOPERATOR
 EQ
 NE
 CO
 SW
 EW
 PR
 GT
 GE
 LT
 LE
 NOT
 AND
 OR
 SP
 SCHEMA
 ATTRNAME
 ESCAPED_QUOTE
 VALUE
 EXCLUDE
 rule names:
 parse
 filter
 valPathFilter
 attrPath
 atn:
 [4, 1, 25, 106, 2, 0, 7, 0, 2, 1, 7, 1, 2, 2, 7, 2, 2, 3, 7, 3, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 23, 8, 1, 1, 1, 5, 1, 26, 8, 1, 10, 1, 12, 1, 29, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 40, 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 5, 1, 52, 8, 1, 10, 1, 12, 1, 55, 9, 1, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 69, 8, 2, 1, 2, 5, 2, 72, 8, 2, 10, 2, 12, 2, 75, 9, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 81, 8, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 5, 2, 93, 8, 2, 10, 2, 12, 2, 96, 9, 2, 1, 3, 3, 3, 99, 8, 3, 1, 3, 1, 3, 1, 3, 3, 3, 104, 8, 3, 1, 3, 0, 2, 2, 4, 4, 0, 2, 4, 6, 0, 0, 116, 0, 8, 1, 0, 0, 0, 2, 39, 1, 0, 0, 0, 4, 80, 1, 0, 0, 0, 6, 98, 1, 0, 0, 0, 8, 9, 3, 2, 1, 0, 9, 1, 1, 0, 0, 0, 10, 11, 6, 1, -1, 0, 11, 12, 3, 6, 3, 0, 12, 13, 5, 20, 0, 0, 13, 14, 5, 12, 0, 0, 14, 40, 1, 0, 0, 0, 15, 16, 3, 6, 3, 0, 16, 17, 5, 20, 0, 0, 17, 18, 5, 6, 0, 0, 18, 19, 5, 20, 0, 0, 19, 20, 5, 24, 0, 0, 20, 40, 1, 0, 0, 0, 21, 23, 5, 17, 0, 0, 22, 21, 1, 0, 0, 0, 22, 23, 1, 0, 0, 0, 23, 27, 1, 0, 0, 0, 24, 26, 5, 20, 0, 0, 25, 24, 1, 0, 0, 0, 26, 29, 1, 0, 0, 0, 27, 25, 1, 0, 0, 0, 27, 28, 1, 0, 0, 0, 28, 30, 1, 0, 0, 0, 29, 27, 1, 0, 0, 0, 30, 31, 5, 1, 0, 0, 31, 32, 3, 2, 1, 0, 32, 33, 5, 2, 0, 0, 33, 40, 1, 0, 0, 0, 34, 35, 3, 6, 3, 0, 35, 36, 5, 3, 0, 0, 36, 37, 3, 4, 2, 0, 37, 38, 5, 4, 0, 0, 38, 40, 1, 0, 0, 0, 39, 10, 1, 0, 0, 0, 39, 15, 1, 0, 0, 0, 39, 22, 1, 0, 0, 0, 39, 34, 1, 0, 0, 0, 40, 53, 1, 0, 0, 0, 41, 42, 10, 2, 0, 0, 42, 43, 5, 20, 0, 0, 43, 44, 5, 18, 0, 0, 44, 45, 5, 20, 0, 0, 45, 52, 3, 2, 1, 3, 46, 47, 10, 1, 0, 0, 47, 48, 5, 20, 0, 0, 48, 49, 5, 19, 0, 0, 49, 50, 5, 20, 0, 0, 50, 52, 3, 2, 1, 2, 51, 41, 1, 0, 0, 0, 51, 46, 1, 0, 0, 0, 52, 55, 1, 0, 0, 0, 53, 51, 1, 0, 0, 0, 53, 54, 1, 0, 0, 0, 54, 3, 1, 0, 0, 0, 55, 53, 1, 0, 0, 0, 56, 57, 6, 2, -1, 0, 57, 58, 3, 6, 3, 0, 58, 59, 5, 20, 0, 0, 59, 60, 5, 12, 0, 0, 60, 81, 1, 0, 0, 0, 61, 62, 3, 6, 3, 0, 62, 63, 5, 20, 0, 0, 63, 64, 5, 6, 0, 0, 64, 65, 5, 20, 0, 0, 65, 66, 5, 24, 0, 0, 66, 81, 1, 0, 0, 0, 67, 69, 5, 17, 0, 0, 68, 67, 1, 0, 0, 0, 68, 69, 1, 0, 0, 0, 69, 73, 1, 0, 0, 0, 70, 72, 5, 20, 0, 0, 71, 70, 1, 0, 0, 0, 72, 75, 1, 0, 0, 0, 73, 71, 1, 0, 0, 0, 73, 74, 1, 0, 0, 0, 74, 76, 1, 0, 0, 0, 75, 73, 1, 0, 0, 0, 76, 77, 5, 1, 0, 0, 77, 78, 3, 4, 2, 0, 78, 79, 5, 2, 0, 0, 79, 81, 1, 0, 0, 0, 80, 56, 1, 0, 0, 0, 80, 61, 1, 0, 0, 0, 80, 68, 1, 0, 0, 0, 81, 94, 1, 0, 0, 0, 82, 83, 10, 2, 0, 0, 83, 84, 5, 20, 0, 0, 84, 85, 5, 18, 0, 0, 85, 86, 5, 20, 0, 0, 86, 93, 3, 4, 2, 3, 87, 88, 10, 1, 0, 0, 88, 89, 5, 20, 0, 0, 89, 90, 5, 19, 0, 0, 90, 91, 5, 20, 0, 0, 91, 93, 3, 4, 2, 2, 92, 82, 1, 0, 0, 0, 92, 87, 1, 0, 0, 0, 93, 96, 1, 0, 0, 0, 94, 92, 1, 0, 0, 0, 94, 95, 1, 0, 0, 0, 95, 5, 1, 0, 0, 0, 96, 94, 1, 0, 0, 0, 97, 99, 5, 21, 0, 0, 98, 97, 1, 0, 0, 0, 98, 99, 1, 0, 0, 0, 99, 100, 1, 0, 0, 0, 100, 103, 5, 22, 0, 0, 101, 102, 5, 5, 0, 0, 102, 104, 5, 22, 0, 0, 103, 101, 1, 0, 0, 0, 103, 104, 1, 0, 0, 0, 104, 7, 1, 0, 0, 0, 12, 22, 27, 39, 51, 53, 68, 73, 80, 92, 94, 98, 103]
--- a/authentik/sources/scim/filters/ScimFilter.tokens
+++ b/authentik/sources/scim/filters/ScimFilter.tokens
@ -0,0 +1,32 @@
 T__0=1
 T__1=2
 T__2=3
 T__3=4
 T__4=5
 COMPAREOPERATOR=6
 EQ=7
 NE=8
 CO=9
 SW=10
 EW=11
 PR=12
 GT=13
 GE=14
 LT=15
 LE=16
 NOT=17
 AND=18
 OR=19
 SP=20
 SCHEMA=21
 ATTRNAME=22
 ESCAPED_QUOTE=23
 VALUE=24
 EXCLUDE=25
 '('=1
 ')'=2
 '['=3
 ']'=4
 '.'=5
 ' '=20
 '\\"'=23
--- a/authentik/sources/scim/filters/ScimFilterLexer.interp
+++ b/authentik/sources/scim/filters/ScimFilterLexer.interp
--- a/authentik/sources/scim/filters/ScimFilterLexer.py
+++ b/authentik/sources/scim/filters/ScimFilterLexer.py
--- a/authentik/sources/scim/filters/ScimFilterLexer.tokens
+++ b/authentik/sources/scim/filters/ScimFilterLexer.tokens
@ -0,0 +1,32 @@
 T__0=1
 T__1=2
 T__2=3
 T__3=4
 T__4=5
 COMPAREOPERATOR=6
 EQ=7
 NE=8
 CO=9
 SW=10
 EW=11
 PR=12
 GT=13
 GE=14
 LT=15
 LE=16
 NOT=17
 AND=18
 OR=19
 SP=20
 SCHEMA=21
 ATTRNAME=22
 ESCAPED_QUOTE=23
 VALUE=24
 EXCLUDE=25
 '('=1
 ')'=2
 '['=3
 ']'=4
 '.'=5
 ' '=20
 '\\"'=23
--- a/authentik/sources/scim/filters/ScimFilterListener.py
+++ b/authentik/sources/scim/filters/ScimFilterListener.py
@ -0,0 +1,118 @@
 # pylint: skip-file
 # Generated from ScimFilter.g4 by ANTLR 4.10.1
 from antlr4 import *
 if __name__ is not None and "." in __name__:
    from .ScimFilterParser import ScimFilterParser
 else:
    from ScimFilterParser import ScimFilterParser
 # This class defines a complete listener for a parse tree produced by ScimFilterParser.
 class ScimFilterListener(ParseTreeListener):
    # Enter a parse tree produced by ScimFilterParser#parse.
    def enterParse(self, ctx: ScimFilterParser.ParseContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#parse.
    def exitParse(self, ctx: ScimFilterParser.ParseContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#andExp.
    def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#andExp.
    def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathExp.
    def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathExp.
    def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#presentExp.
    def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#presentExp.
    def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#operatorExp.
    def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#operatorExp.
    def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#braceExp.
    def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#braceExp.
    def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#orExp.
    def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#orExp.
    def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathOperatorExp.
    def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathOperatorExp.
    def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathPresentExp.
    def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathPresentExp.
    def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathAndExp.
    def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathAndExp.
    def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathOrExp.
    def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathOrExp.
    def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathBraceExp.
    def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathBraceExp.
    def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#attrPath.
    def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#attrPath.
    def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
        pass
 del ScimFilterParser
--- a/authentik/sources/scim/filters/ScimFilterParser.py
+++ b/authentik/sources/scim/filters/ScimFilterParser.py
--- a/authentik/sources/scim/filters/init.py
+++ b/authentik/sources/scim/filters/init.py
--- a/authentik/sources/scim/filters/django.py
+++ b/authentik/sources/scim/filters/django.py
@ -0,0 +1,101 @@
 """Django listener"""
 from django.db.models import Q
 from django.utils.tree import Node
 from authentik.sources.scim.filters.ScimFilterListener import ScimFilterListener
 from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
 class DjangoQueryListener(ScimFilterListener):
    """SCIM filter listener that converts it to a query"""
    _query: Node
    _last_node: Node
    def __init__(self) -> None:
        super().__init__()
        self._query = Q()
        self._last_node = Q()
    @property
    def query(self) -> Node:
        return self._query
    def enterParse(self, ctx: ScimFilterParser.ParseContext):
        print("enterParse", ctx)
    def exitParse(self, ctx: ScimFilterParser.ParseContext):
        print("exitParse", ctx)
    def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
        print("enterAndExp", ctx)
    def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
        print("exitAndExp", ctx)
    def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
        print("enterValPathExp", ctx.getText())
    def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
        print("exitValPathExp", ctx)
    def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
        print("enterPresentExp", ctx)
    def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
        print("exitPresentExp", ctx)
    def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
        print("enterOperatorExp", ctx)
    def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
        print("exitOperatorExp", ctx)
    def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
        print("enterBraceExp", ctx)
    def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
        print("exitBraceExp", ctx)
    def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
        print("enterOrExp", ctx)
    def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
        print("exitOrExp", ctx)
    def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
        print("enterValPathOperatorExp", ctx)
    def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
        print("exitValPathOperatorExp", ctx)
    def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
        print("enterValPathPresentExp", ctx)
    def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
        print("exitValPathPresentExp", ctx)
    def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
        print("enterValPathAndExp", ctx.getText())
    def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
        print("exitValPathAndExp", ctx)
    def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
        print("enterValPathOrExp", ctx)
    def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
        print("exitValPathOrExp", ctx)
    def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
        print("enterValPathBraceExp", ctx)
    def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
        print("exitValPathBraceExp", ctx)
    def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
        self._last_node = Q(ctx.getText())
    def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
        self._query = self._last_node
        self._last_node = Q()
--- a/authentik/sources/scim/views/v2/auth.py
+++ b/authentik/sources/scim/views/v2/auth.py
@ -14,7 +14,7 @@ class SCIMTokenAuth(BaseAuthentication):
    def legacy(self, key: str, source_slug: str) -> Optional[Token]:  # pragma: no cover
        """Legacy HTTP-Basic auth for testing"""
-        if not settings.TEST or not settings.DEBUG:
+        if not settings.TEST and not settings.DEBUG:
            return None
        _username, _, password = b64decode(key.encode()).decode().partition(":")
        token = self.check_token(password, source_slug)
--- a/authentik/sources/scim/views/v2/base.py
+++ b/authentik/sources/scim/views/v2/base.py
@ -1,4 +1,9 @@
 """SCIM Utils"""
 from typing import Optional
 from urllib.parse import urlparse
 from antlr4 import CommonTokenStream, InputStream, ParseTreeWalker
 from django.urls import resolve
 from rest_framework.parsers import JSONParser
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.renderers import JSONRenderer
@ -6,6 +11,10 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik.core.models import Group, User
 from authentik.sources.scim.filters.django import DjangoQueryListener
 from authentik.sources.scim.filters.ScimFilterLexer import ScimFilterLexer
 from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
 from authentik.sources.scim.views.v2.auth import SCIMTokenAuth
 SCIM_CONTENT_TYPE = "application/scim+json"
@ -31,6 +40,39 @@ class SCIMView(APIView):
    parser_classes = [SCIMParser]
    renderer_classes = [SCIMRenderer]
    def patch_resolve_value(self, raw_value: dict) -> Optional[User | Group]:
        """Attempt to resolve a raw `value` attribute of a patch operation into
        a database model"""
        model = User
        query = {}
        if "$ref" in raw_value:
            url = urlparse(raw_value["$ref"])
            if match := resolve(url.path):
                if match.url_name == "v2-users":
                    model = User
                    query = {"pk": int(match.kwargs["user_id"])}
        elif "type" in raw_value:
            match raw_value["tyoe"]:
                case "User":
                    model = User
                    query = {"pk": int(raw_value["value"])}
                case "Group":
                    model = Group
        else:
            return None
        return model.objects.filter(**query).first()
    def patch_parse_path(self, path: str):
        """Parse the path of a Patch Operation"""
        lexer = ScimFilterLexer(InputStream(path))
        stream = CommonTokenStream(lexer)
        parser = ScimFilterParser(stream)
        tree = parser.filter_()
        listener = DjangoQueryListener()
        walker = ParseTreeWalker()
        walker.walk(listener, tree)
        return listener.query
 class SCIMRootView(SCIMView):
    """Root SCIM View"""
--- a/authentik/sources/scim/views/v2/groups.py
+++ b/authentik/sources/scim/views/v2/groups.py
@ -2,6 +2,7 @@
 from typing import Optional
 from django.core.paginator import Paginator
 from django.db.transaction import atomic
 from django.http import Http404, QueryDict
 from django.urls import reverse
 from rest_framework.request import Request
@ -9,6 +10,7 @@ from rest_framework.response import Response
 from structlog.stdlib import get_logger
 from authentik.core.models import Group
 from authentik.sources.scim.errors import PatchError
 from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView
 LOGGER = get_logger()
@ -77,7 +79,28 @@ class GroupsView(SCIMView):
    def patch(self, request: Request, group_id: str, **kwargs) -> Response:
        """Update group handler"""
-        return self.put(request, group_id, **kwargs)
+        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
        if not group:
            raise Http404
        if request.data.get("schemas", []) != ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]:
            return Response(status=400)
        try:
            with atomic():
                for op in request.data.get("Operations", []):
                    path = self.patch_parse_path(op["path"])
                    operation = op["op"]
                    raw_value = op.get("value", None)
                    values = []
                    for value in raw_value:
                        values.append(self.patch_resolve_value(value))
                    match operation:
                        case "add":
                            group.users.add(*[x.pk for x in values])
                        case "remove":
                            pass
                return Response(self.group_to_scim(group), status=200)
        except (KeyError, PatchError):
            return Response(status=400)
    def put(self, request: Request, group_id: str, **kwargs) -> Response:
        """Update group handler"""
--- a/poetry.lock
+++ b/poetry.lock
@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.6.1 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.7.0 and should not be changed by hand.
 [[package]]
 name = "aiohttp"
@ -161,6 +161,17 @@ files = [
    {file = "annotated_types-0.5.0.tar.gz", hash = "sha256:47cdc3490d9ac1506ce92c7aaa76c579dc3509ff11e098fc867e5130ab7be802"},
 ]
 [[package]]
 name = "antlr4-python3-runtime"
 version = "4.13.1"
 description = "ANTLR 4.13.1 runtime for Python 3"
 optional = false
 python-versions = "*"
 files = [
    {file = "antlr4-python3-runtime-4.13.1.tar.gz", hash = "sha256:3cd282f5ea7cfb841537fe01f143350fdb1c0b1ce7981443a2fa8513fddb6d1a"},
    {file = "antlr4_python3_runtime-4.13.1-py3-none-any.whl", hash = "sha256:78ec57aad12c97ac039ca27403ad61cb98aaec8a3f9bb8144f889aa0fa28b943"},
 ]
 [[package]]
 name = "anyio"
 version = "4.0.0"
@ -2096,16 +2107,6 @@ files = [
    {file = "MarkupSafe-2.1.3-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac"},
    {file = "MarkupSafe-2.1.3-cp311-cp311-win32.whl", hash = "sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb"},
    {file = "MarkupSafe-2.1.3-cp311-cp311-win_amd64.whl", hash = "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686"},
    {file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc"},
    {file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823"},
    {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11"},
    {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd"},
    {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939"},
    {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c"},
    {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c"},
    {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1"},
    {file = "MarkupSafe-2.1.3-cp312-cp312-win32.whl", hash = "sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007"},
    {file = "MarkupSafe-2.1.3-cp312-cp312-win_amd64.whl", hash = "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb"},
    {file = "MarkupSafe-2.1.3-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2"},
    {file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b"},
    {file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707"},
@ -3095,7 +3096,6 @@ files = [
    {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938"},
    {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d"},
    {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515"},
    {file = "PyYAML-6.0.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290"},
    {file = "PyYAML-6.0.1-cp310-cp310-win32.whl", hash = "sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924"},
    {file = "PyYAML-6.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d"},
    {file = "PyYAML-6.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007"},
@ -3103,15 +3103,8 @@ files = [
    {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d"},
    {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc"},
    {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673"},
    {file = "PyYAML-6.0.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b"},
    {file = "PyYAML-6.0.1-cp311-cp311-win32.whl", hash = "sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741"},
    {file = "PyYAML-6.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34"},
    {file = "PyYAML-6.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28"},
    {file = "PyYAML-6.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9"},
    {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0"},
    {file = "PyYAML-6.0.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4"},
    {file = "PyYAML-6.0.1-cp312-cp312-win32.whl", hash = "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54"},
    {file = "PyYAML-6.0.1-cp312-cp312-win_amd64.whl", hash = "sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df"},
    {file = "PyYAML-6.0.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47"},
    {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98"},
    {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c"},
@ -3128,7 +3121,6 @@ files = [
    {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5"},
    {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696"},
    {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735"},
    {file = "PyYAML-6.0.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6"},
    {file = "PyYAML-6.0.1-cp38-cp38-win32.whl", hash = "sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206"},
    {file = "PyYAML-6.0.1-cp38-cp38-win_amd64.whl", hash = "sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62"},
    {file = "PyYAML-6.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8"},
@ -3136,7 +3128,6 @@ files = [
    {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6"},
    {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0"},
    {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c"},
    {file = "PyYAML-6.0.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5"},
    {file = "PyYAML-6.0.1-cp39-cp39-win32.whl", hash = "sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c"},
    {file = "PyYAML-6.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486"},
    {file = "PyYAML-6.0.1.tar.gz", hash = "sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"},
@ -4313,4 +4304,4 @@ files = [
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.11"
-content-hash = "2fc746976187f4674f04575cffd6a367744723bf78c356b6951c2370bc47ceae"
+content-hash = "a41a75fc3dac5e552ed99670c10a5a5a0947449701893fafd81d59c6439f324a"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -118,6 +118,7 @@ description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 [tool.poetry.dependencies]
 antlr4-python3-runtime = "*"
 argon2-cffi = "*"
 celery = "*"
 channels = { version = "*", extras = ["daphne"] }
@ -143,6 +144,7 @@ facebook-sdk = "*"
 flower = "*"
 geoip2 = "*"
 gunicorn = "*"
 jsonpatch = "*"
 kubernetes = "*"
 ldap3 = "*"
 lxml = "*"
@ -171,7 +173,6 @@ webauthn = "*"
 wsproto = "*"
 xmlsec = "*"
 zxcvbn = "*"
 jsonpatch = "*"
 [tool.poetry.dev-dependencies]
 bandit = "*"
--- a/test.py
+++ b/test.py
@ -0,0 +1,14 @@
 from antlr4 import CommonTokenStream, InputStream, ParseTreeWalker
 from authentik.sources.scim.filters.django import DjangoQueryListener
 from authentik.sources.scim.filters.ScimFilterLexer import ScimFilterLexer
 from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
 lexer = ScimFilterLexer(InputStream('emails[type eq "work" and value ew "example.com"]'))
 stream = CommonTokenStream(lexer)
 parser = ScimFilterParser(stream)
 tree = parser.filter_()
 listener = DjangoQueryListener()
 walker = ParseTreeWalker()
 walker.walk(listener, tree)
 print(listener.query)
--- a/website/integrations/sources/oauth/index.md
+++ b/website/integrations/sources/oauth/index.md
--- a/website/integrations/sources/saml/index.md
+++ b/website/integrations/sources/saml/index.md
@ -1,5 +1,5 @@
 ---
-title: SAML
+title: SAML Source
 ---
 This source allows authentik to act as a SAML Service Provider. Just like the SAML Provider, it supports signed requests. Vendor-specific documentation can be found in the Integrations Section.
--- a/website/docs/sources/scim.md
+++ b/website/docs/sources/scim.md
@ -0,0 +1,19 @@
 ---
 title: SCIM
 ---
 The SCIM source allows other applications to directly create users and groups within authentik. SCIM is supported by applications such as Microsoft Azure AD, Google Workspace and Okta.
 The base SCIM URL is in the format of `https://authentik.company/source/scim/<source-slug>/v2`. Authentication is done via Bearer tokens generated by authentik. When an SCIM source is created, a service account is created and a matching token.
 ## Supported Options & Resource types
 ### `/v2/Users`
 Endpoint to list, create, patch and delete users.
 ### `/v2/Groups`
 Endpoint to list, create, patch and delete groups.
 There is also the `/v2/ServiceProviderConfig` and `/v2/ResourceTypes`, which is used by SCIM-enabled applications to find out which features authentik supports.
--- a/website/sidebars.js
+++ b/website/sidebars.js
@ -165,6 +165,29 @@ const docsSidebar = {
                        "flow/executors/headless",
                    ],
                },
                {
                    type: "category",
                    label: "Stages",
                    items: [
                        "flow/stages/authenticator_duo/index",
                        "flow/stages/authenticator_sms/index",
                        "flow/stages/authenticator_static/index",
                        "flow/stages/authenticator_totp/index",
                        "flow/stages/authenticator_validate/index",
                        "flow/stages/authenticator_webauthn/index",
                        "flow/stages/captcha/index",
                        "flow/stages/deny",
                        "flow/stages/email/index",
                        "flow/stages/identification/index",
                        "flow/stages/invitation/index",
                        "flow/stages/password/index",
                        "flow/stages/prompt/index",
                        "flow/stages/user_delete",
                        "flow/stages/user_login",
                        "flow/stages/user_logout",
                        "flow/stages/user_write",
                    ],
                },
            ],
        },
        {
--- a/website/sidebarsIntegrations.js
+++ b/website/sidebarsIntegrations.js
@ -166,6 +166,7 @@ module.exports = {
                        "sources/ldap/index",
                        "sources/oauth/index",
                        "sources/saml/index",
                        "sources/scim/index",
                    ],
                },
                {