Skip to content

Add granular scope feature#8178

Open
mpmadhavig wants to merge 3 commits into
wso2:masterfrom
mpmadhavig:granular-console-scopes
Open

Add granular scope feature#8178
mpmadhavig wants to merge 3 commits into
wso2:masterfrom
mpmadhavig:granular-console-scopes

Conversation

@mpmadhavig

@mpmadhavig mpmadhavig commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Purpose

Resolve console feature action scopes (e.g. console:applications_edit, console:applications_create) as holders when they appear inside another collection's <Read> / <Create> / <Update> / <Delete> block. The holder is replaced by the leaf scopes from the matching action block of the owning collection, and the holder name itself is dropped from the bucket — so the apiResources payload of /api-resource-collections/{id} surfaces the underlying internal scopes (and their owning API resource) instead of an opaque console scope that no API resource owns.

Changes

  • Parser (APIResourceCollectionMgtConfigBuilder): pre-build a holder → leaf scopes map from each collection's <Feature> block + matching action block. _view → owner Read, _create/_update/_delete → matching owner block, _edit → owner Create + Update + Delete (legacy coarse write). Resolution is recursive with cycle protection + memoisation so an owner's action block can itself reference another holder.
  • api-resource-collection.xml.j2: declare _create/_update/_delete siblings next to every _edit holder inside non-<Feature> blocks (8 sites: applicationAuthenticationScript, applicationClientSecretManagement, applicationInternalAPIAuthorization, userSharingV2, and the four org_* counterparts).
  • Tests: 7 new cases in APIResourceCollectionMgtConfigBuilderTest — update/view/edit holder resolution, write-bucket propagation, transitive recursion, literal scopes preserved alongside holders, owner collection unaffected.

Related Issues

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 27e3b65b-9cdc-4275-9216-349e7d818ad4

📥 Commits

Reviewing files that changed from the base of the PR and between 2c38ad3 and dc414aa.

📒 Files selected for processing (1)
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java
🚧 Files skipped from review as they are similar to previous changes (1)
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java

📝 Walkthrough

Walkthrough

This PR adds granular create, update, and delete console permissions across API resource collection models, configuration parsing, resource bucketing, feature definitions, system scopes, identity-core configuration, and related tests.

Changes

Granular console permissions

Layer / File(s) Summary
Contracts and toggle
components/api-resource-mgt/.../pom.xml, components/api-resource-mgt/.../constant/..., components/api-resource-mgt/.../model/..., components/api-resource-mgt/.../util/..., features/identity-core/...
Models, constants, utilities, bundle imports, identity-core configuration, and tests define granular scope fields and the enablement setting.
Config builder and holder resolution
components/api-resource-mgt/.../APIResourceCollectionMgtConfigBuilder.java, components/api-resource-mgt/.../src/test/resources/..., components/api-resource-mgt/.../APIResourceCollectionMgtConfigBuilderTest.java
Configuration parsing tracks action scopes, resolves nested holder scopes into leaf scopes, assigns feature-scope fields, and validates legacy and granular behavior.
Manager bucket population
components/api-resource-mgt/.../APIResourceCollectionManagerImpl.java, components/api-resource-mgt/.../APIResourceCollectionManagerTest.java
Resource collection population conditionally creates CREATE, UPDATE, and DELETE buckets while retaining READ and WRITE behavior when granular permissions are disabled.
API resource collection scopes
features/api-resource-mgt/.../api-resource-collection.xml.j2, features/api-resource-mgt/.../api-resource-collection.xml
Tenant and organization collection definitions add create, update, and delete console feature scopes.
System console scopes
features/api-resource-mgt/.../system-api-resource.xml.j2, features/api-resource-mgt/.../system-api-resource.xml
Console feature API resources add operation-specific update, create, and delete scopes across tenant and organization resources.

Possibly related PRs

Suggested reviewers: pavindulakshan, thamindur, sujansanjula96

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description covers purpose and implementation details, but most required template sections are missing. Add the missing template sections: Goals, Approach, User stories, Release note, Documentation, Testing, Security, and other requested fields.
Docstring Coverage ⚠️ Warning Docstring coverage is 7.59% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately reflects the main change: adding granular scope handling.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jun 23, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 87.27273% with 28 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.39%. Comparing base (d038569) to head (dc414aa).
⚠️ Report is 27 commits behind head on master.

Files with missing lines Patch % Lines
...gt/util/APIResourceCollectionMgtConfigBuilder.java 81.57% 13 Missing and 15 partials ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master    #8178      +/-   ##
============================================
+ Coverage     52.81%   53.39%   +0.57%     
- Complexity    21557    21764     +207     
============================================
  Files          2199     2200       +1     
  Lines        134728   133110    -1618     
  Branches      20723    20723              
============================================
- Hits          71159    71072      -87     
+ Misses        54772    53372    -1400     
+ Partials       8797     8666     -131     
Flag Coverage Δ
unit 38.57% <87.27%> (+0.11%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mpmadhavig mpmadhavig marked this pull request as ready for review June 25, 2026 18:15

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml (1)

799-807: 🗄️ Data Integrity & Integration | 🟠 Major

Shipped XML is missing new sibling scopes defined in the template.

The <Update> blocks in features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml lack the console:applications_create, console:applications_update, and console:applications_delete scopes present in the api-resource-collection.xml.j2 template.

Specific discrepancies confirmed:

  • applicationAuthenticationScript: The <Update> block containing internal_application_script_update has only console:applications_edit in the generated file, whereas the template defines console:applications_edit plus create, update, and delete.
  • applicationClientSecretManagement: Similarly missing the expanded console:applications_create/update/delete scopes in the generated version.
  • Total Impact: The generated file is missing 44 scopes found in the template.

Ensure this artifact is regenerated from the template or manually updated to include these missing permissions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml`
around lines 799 - 807, The generated api-resource-collection.xml is out of sync
with the api-resource-collection.xml.j2 template and is missing sibling console
application scopes in several <Update> blocks. Regenerate the artifact from the
template, or manually update the affected sections such as
applicationAuthenticationScript and applicationClientSecretManagement to include
the missing console:applications_create, console:applications_update, and
console:applications_delete scopes alongside the existing entries, ensuring all
template-defined permissions are present.
🧹 Nitpick comments (2)
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java (2)

174-209: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Unresolved holder scopes are silently dropped.

When a holder scope under <Read>/<Create>/<Update>/<Delete> is not owned by any collection's <Feature> block, holderResolutionMap.getOrDefault(scopeName, Collections.emptySet()) contributes nothing and the holder name is removed, so a misconfigured/unknown holder vanishes with no diagnostics. Consider a guarded debug log to aid troubleshooting of misconfigured console scopes.

As per path instructions: "Suggest log statements at error handling boundaries" and around "key decision points".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java`
around lines 174 - 209, Unresolved holder scopes are being dropped silently in
APIResourceCollectionMgtConfigBuilder while resolving Read/Create/Update/Delete
scopes. Update the holder-scope handling in the action branches to detect when
holderResolutionMap has no entry for scopeName, preserve or report that
unresolved scope, and add a guarded debug log at this decision point so
misconfigured console scopes are visible during troubleshooting.

Source: Path instructions


415-441: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

resolveOwnerActionScopes returns null for unrecognized feature scopes.

SonarCloud flags the return null at the end of this method. The caller (buildHolderResolutionMap) does null-check it, so this is functionally safe; the null meaningfully signals "not a recognized feature scope" versus an owned holder with no leaves. If you prefer to satisfy the static-analysis rule, document the intent or have the caller filter rather than relying on the sentinel.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java`
around lines 415 - 441, resolveOwnerActionScopes currently uses a null sentinel
for unrecognized feature scopes, which triggers static-analysis warnings. Update
APIResourceCollectionMgtConfigBuilder so the intent is explicit: either return
an empty set instead of null and have buildHolderResolutionMap treat empty
results as “not recognized,” or keep the sentinel but document and centralize
the null handling at the caller. Use the resolveOwnerActionScopes and
buildHolderResolutionMap symbols to make the behavior clear and avoid relying on
an undocumented null return.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java`:
- Around line 73-76: The granular console permissions flag is parsed directly
from IdentityUtil.getProperty(...) in
APIResourceCollectionManagementUtil.isGranularConsolePermissionsEnabled(), so
whitespace-padded config values can be misread as false. Trim the property value
before passing it to Boolean.parseBoolean, and apply the same normalization
anywhere else this helper’s result is used by the manager path so both paths
interpret the config consistently.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java`:
- Around line 1-17: The license header in
APIResourceCollectionManagementUtilTest is using an outdated copyright year for
a newly added Java file. Update the header at the top of the file so the year
reflects the current year or a range ending in the current year, matching the
project’s Java license header convention.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerTest.java`:
- Around line 297-310: `assertBucketScopes` in
`APIResourceCollectionManagerTest` only verifies that expected scopes are
present, so it can miss accidental scope leakage between buckets. Update this
helper to also assert isolation by checking that the collected scope set for the
bucket matches exactly the `expectedScopes` set, using `assertEquals` or
equivalent, so `CREATE`, `UPDATE`, and `DELETE` buckets do not contain extra
scopes.

In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml.j2`:
- Around line 841-843: The scope names in the API resource templates are
inconsistent: `api-resource-collection.xml.j2` references
`console:apiResources*` scopes while `system-api-resource.xml.j2` defines
`internal_*` scopes. Update the scope declarations in
`system-api-resource.xml.j2` (and any related references in the collection
template) so the names match exactly, including `console:apiResources`,
`console:apiResources_view`, `console:apiResources_create`,
`console:apiResources_update`, and `console:apiResources_delete`, using the
existing resource/template symbols to keep the definitions aligned.

In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2`:
- Around line 2044-2049: The `Scope` entries for `console:userSharing_create`
and `console:userSharing_delete` in `system-api-resource.xml.j2` are using the
wrong description text copied from the update scope. Update the descriptions in
the template to match the intended create/delete wording already used by the
generated `system-api-resource.xml`, and keep the `console:userSharing_update`
description unchanged.

In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json`:
- Around line 413-419: The preserved-behavior override for console granular
permissions is missing for IS_7.0.0, so add the same pinned-off settings used
for the newer preserved versions in this infer JSON. Update the identity feature
mapping around the existing
console.console_settings.use_granular_console_permissions and
console.console_settings.disabled_features entries to include IS_7.0.0 as well,
matching the behavior already backfilled for IS_7.1.0 and IS_7.2.0.

---

Outside diff comments:
In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml`:
- Around line 799-807: The generated api-resource-collection.xml is out of sync
with the api-resource-collection.xml.j2 template and is missing sibling console
application scopes in several <Update> blocks. Regenerate the artifact from the
template, or manually update the affected sections such as
applicationAuthenticationScript and applicationClientSecretManagement to include
the missing console:applications_create, console:applications_update, and
console:applications_delete scopes alongside the existing entries, ensuring all
template-defined permissions are present.

---

Nitpick comments:
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java`:
- Around line 174-209: Unresolved holder scopes are being dropped silently in
APIResourceCollectionMgtConfigBuilder while resolving Read/Create/Update/Delete
scopes. Update the holder-scope handling in the action branches to detect when
holderResolutionMap has no entry for scopeName, preserve or report that
unresolved scope, and add a guarded debug log at this decision point so
misconfigured console scopes are visible during troubleshooting.
- Around line 415-441: resolveOwnerActionScopes currently uses a null sentinel
for unrecognized feature scopes, which triggers static-analysis warnings. Update
APIResourceCollectionMgtConfigBuilder so the intent is explicit: either return
an empty set instead of null and have buildHolderResolutionMap treat empty
results as “not recognized,” or keep the sentinel but document and centralize
the null handling at the caller. Use the resolveOwnerActionScopes and
buildHolderResolutionMap symbols to make the behavior clear and avoid relying on
an undocumented null return.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 88ccc6e2-c3bf-4b48-9ef3-817eb2a3c6b6

📥 Commits

Reviewing files that changed from the base of the PR and between c97c4ea and 242fa2f.

📒 Files selected for processing (20)
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/pom.xml
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerImpl.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/constant/APIResourceCollectionManagementConstants.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/model/APIResourceCollection.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerTest.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionTest.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/resources/repository/conf/api-resource-collection.xml
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/resources/testng.xml
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml.j2
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json

@mpmadhavig mpmadhavig force-pushed the granular-console-scopes branch 3 times, most recently from 6cbee3c to 01142b7 Compare July 9, 2026 08:57
@mpmadhavig mpmadhavig force-pushed the granular-console-scopes branch from 01142b7 to 2c38ad3 Compare July 13, 2026 03:44
@sonarqubecloud

Copy link
Copy Markdown

@jenkins-is-staging

Copy link
Copy Markdown

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/29485528161

@jenkins-is-staging

Copy link
Copy Markdown

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/29485528161
Status: success

@jenkins-is-staging jenkins-is-staging left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/29485528161

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants