[PM-19232] Implement externalId handling in PatchUserCommand with validation

bitwarden_license/src/Scim/Users/PatchUserCommand.cs

@@ -5,6 +5,7 @@
 using Bit.Core.Repositories;
 using Bit.Scim.Models;
 using Bit.Scim.Users.Interfaces;
+using Bit.Scim.Utilities;
 
 namespace Bit.Scim.Users;
 
@@ -38,7 +39,7 @@ public async Task PatchUserAsync(Guid organizationId, Guid id, ScimPatchModel mo
         foreach (var operation in model.Operations)
         {
             // Replace operations
-            if (operation.Op?.ToLowerInvariant() == "replace")
+            if (operation.Op?.ToLowerInvariant() == PatchOps.Replace)
             {
                 // Active from path
                 if (operation.Path?.ToLowerInvariant() == "active")
@@ -60,6 +61,21 @@ public async Task PatchUserAsync(Guid organizationId, Guid id, ScimPatchModel mo
                         operationHandled = handled;
                     }
                 }
+                // ExternalId from path
+                else if (operation.Path?.ToLowerInvariant() == PatchPaths.ExternalId)
+                {
+                    var newExternalId = operation.Value.GetString();
+                    await HandleExternalIdOperationAsync(orgUser, newExternalId);
+                    operationHandled = true;
+                }
+                // ExternalId from value object
+                else if (string.IsNullOrWhiteSpace(operation.Path) &&
+                    operation.Value.TryGetProperty("externalId", out var externalIdProperty))
+                {
+                    var newExternalId = externalIdProperty.GetString();
+                    await HandleExternalIdOperationAsync(orgUser, newExternalId);
+                    operationHandled = true;
+                }
             }
         }
 
@@ -84,4 +100,28 @@ private async Task<bool> HandleActiveOperationAsync(Core.Entities.OrganizationUs
         }
         return false;
     }
+
+    private async Task HandleExternalIdOperationAsync(Core.Entities.OrganizationUser orgUser, string? newExternalId)
+    {
+        // Validate max length (300 chars per OrganizationUser.cs line 59)
+        if (!string.IsNullOrWhiteSpace(newExternalId) && newExternalId.Length > 300)
+        {
+            throw new BadRequestException("ExternalId cannot exceed 300 characters.");
+        }
+
+        // Check for duplicate externalId (same validation as PostUserCommand.cs)
+        if (!string.IsNullOrWhiteSpace(newExternalId))
+        {
+            var existingUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(orgUser.OrganizationId);
+            if (existingUsers.Any(u => u.Id != orgUser.Id &&
+                !string.IsNullOrWhiteSpace(u.ExternalId) &&
+                u.ExternalId.Equals(newExternalId, StringComparison.OrdinalIgnoreCase)))
+            {
+                throw new ConflictException("ExternalId already exists for another user.");
+            }
+        }
+
+        orgUser.ExternalId = newExternalId;
+        await _organizationUserRepository.ReplaceAsync(orgUser);
+    }
 }

bitwarden_license/src/Scim/Utilities/ScimConstants.cs

@@ -19,4 +19,5 @@ public static class PatchPaths
 {
     public const string Members = "members";
     public const string DisplayName = "displayname";
+    public const string ExternalId = "externalid";
 }

bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/UsersControllerTests.cs

@@ -559,6 +559,118 @@ public async Task Patch_NotFound()
         AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
     }
 
+    [Fact]
+    public async Task Patch_ExternalIdFromPath_Success()
+    {
+        var organizationUserId = ScimApplicationFactory.TestOrganizationUserId1;
+        var newExternalId = "new-external-id-path";
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "replace",
+                    Path = "externalId",
+                    Value = JsonDocument.Parse($"\"{newExternalId}\"").RootElement
+                },
+            },
+            Schemas = new List<string>()
+        };
+
+        var context = await _factory.UsersPatchAsync(ScimApplicationFactory.TestOrganizationId1, organizationUserId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        var organizationUser = databaseContext.OrganizationUsers.FirstOrDefault(g => g.Id == organizationUserId);
+        Assert.Equal(newExternalId, organizationUser.ExternalId);
+    }
+
+    [Fact]
+    public async Task Patch_ExternalIdFromValue_Success()
+    {
+        var organizationUserId = ScimApplicationFactory.TestOrganizationUserId2;
+        var newExternalId = "new-external-id-value";
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "replace",
+                    Value = JsonDocument.Parse($"{{\"externalId\":\"{newExternalId}\"}}").RootElement
+                },
+            },
+            Schemas = new List<string>()
+        };
+
+        var context = await _factory.UsersPatchAsync(ScimApplicationFactory.TestOrganizationId1, organizationUserId, inputModel);
+
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+
+        var databaseContext = _factory.GetDatabaseContext();
+        var organizationUser = databaseContext.OrganizationUsers.FirstOrDefault(g => g.Id == organizationUserId);
+        Assert.Equal(newExternalId, organizationUser.ExternalId);
+    }
+
+    [Fact]
+    public async Task Patch_ExternalIdDuplicate_ThrowsConflict()
+    {
+        var organizationUserId = ScimApplicationFactory.TestOrganizationUserId1;
+        var duplicateExternalId = "UB"; // This is the externalId of TestOrganizationUserId2
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "replace",
+                    Path = "externalId",
+                    Value = JsonDocument.Parse($"\"{duplicateExternalId}\"").RootElement
+                },
+            },
+            Schemas = new List<string>()
+        };
+        var expectedResponse = new ScimErrorResponseModel
+        {
+            Status = StatusCodes.Status409Conflict,
+            Detail = "ExternalId already exists for another user.",
+            Schemas = new List<string> { ScimConstants.Scim2SchemaError }
+        };
+
+        var context = await _factory.UsersPatchAsync(ScimApplicationFactory.TestOrganizationId1, organizationUserId, inputModel);
+
+        Assert.Equal(StatusCodes.Status409Conflict, context.Response.StatusCode);
+
+        var responseModel = JsonSerializer.Deserialize<ScimErrorResponseModel>(context.Response.Body, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
+        AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
+    }
+
+    [Fact]
+    public async Task Patch_UnsupportedOperation_LogsWarningAndSucceeds()
+    {
+        var organizationUserId = ScimApplicationFactory.TestOrganizationUserId1;
+        var inputModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>()
+            {
+                new ScimPatchModel.OperationModel
+                {
+                    Op = "add",
+                    Path = "displayName",
+                    Value = JsonDocument.Parse("\"John Doe\"").RootElement
+                },
+            },
+            Schemas = new List<string>()
+        };
+
+        var context = await _factory.UsersPatchAsync(ScimApplicationFactory.TestOrganizationId1, organizationUserId, inputModel);
+
+        // Unsupported operations are logged as warnings but don't fail the request
+        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+    }
+
     [Fact]
     public async Task Delete_Success()
     {