Add granular scope feature#8178
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThis PR adds granular create, update, and delete console permissions across API resource collection models, configuration parsing, resource bucketing, feature definitions, system scopes, identity-core configuration, and related tests. ChangesGranular console permissions
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #8178 +/- ##
============================================
+ Coverage 52.81% 53.39% +0.57%
- Complexity 21557 21764 +207
============================================
Files 2199 2200 +1
Lines 134728 133110 -1618
Branches 20723 20723
============================================
- Hits 71159 71072 -87
+ Misses 54772 53372 -1400
+ Partials 8797 8666 -131
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Actionable comments posted: 6
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml (1)
799-807: 🗄️ Data Integrity & Integration | 🟠 MajorShipped XML is missing new sibling scopes defined in the template.
The
<Update>blocks infeatures/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xmllack theconsole:applications_create,console:applications_update, andconsole:applications_deletescopes present in theapi-resource-collection.xml.j2template.Specific discrepancies confirmed:
- applicationAuthenticationScript: The
<Update>block containinginternal_application_script_updatehas onlyconsole:applications_editin the generated file, whereas the template definesconsole:applications_editpluscreate,update, anddelete.- applicationClientSecretManagement: Similarly missing the expanded
console:applications_create/update/deletescopes in the generated version.- Total Impact: The generated file is missing 44 scopes found in the template.
Ensure this artifact is regenerated from the template or manually updated to include these missing permissions.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml` around lines 799 - 807, The generated api-resource-collection.xml is out of sync with the api-resource-collection.xml.j2 template and is missing sibling console application scopes in several <Update> blocks. Regenerate the artifact from the template, or manually update the affected sections such as applicationAuthenticationScript and applicationClientSecretManagement to include the missing console:applications_create, console:applications_update, and console:applications_delete scopes alongside the existing entries, ensuring all template-defined permissions are present.
🧹 Nitpick comments (2)
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java (2)
174-209: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueUnresolved holder scopes are silently dropped.
When a holder scope under
<Read>/<Create>/<Update>/<Delete>is not owned by any collection's<Feature>block,holderResolutionMap.getOrDefault(scopeName, Collections.emptySet())contributes nothing and the holder name is removed, so a misconfigured/unknown holder vanishes with no diagnostics. Consider a guarded debug log to aid troubleshooting of misconfigured console scopes.As per path instructions: "Suggest log statements at error handling boundaries" and around "key decision points".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java` around lines 174 - 209, Unresolved holder scopes are being dropped silently in APIResourceCollectionMgtConfigBuilder while resolving Read/Create/Update/Delete scopes. Update the holder-scope handling in the action branches to detect when holderResolutionMap has no entry for scopeName, preserve or report that unresolved scope, and add a guarded debug log at this decision point so misconfigured console scopes are visible during troubleshooting.Source: Path instructions
415-441: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
resolveOwnerActionScopesreturnsnullfor unrecognized feature scopes.SonarCloud flags the
return nullat the end of this method. The caller (buildHolderResolutionMap) does null-check it, so this is functionally safe; thenullmeaningfully signals "not a recognized feature scope" versus an owned holder with no leaves. If you prefer to satisfy the static-analysis rule, document the intent or have the caller filter rather than relying on the sentinel.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java` around lines 415 - 441, resolveOwnerActionScopes currently uses a null sentinel for unrecognized feature scopes, which triggers static-analysis warnings. Update APIResourceCollectionMgtConfigBuilder so the intent is explicit: either return an empty set instead of null and have buildHolderResolutionMap treat empty results as “not recognized,” or keep the sentinel but document and centralize the null handling at the caller. Use the resolveOwnerActionScopes and buildHolderResolutionMap symbols to make the behavior clear and avoid relying on an undocumented null return.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java`:
- Around line 73-76: The granular console permissions flag is parsed directly
from IdentityUtil.getProperty(...) in
APIResourceCollectionManagementUtil.isGranularConsolePermissionsEnabled(), so
whitespace-padded config values can be misread as false. Trim the property value
before passing it to Boolean.parseBoolean, and apply the same normalization
anywhere else this helper’s result is used by the manager path so both paths
interpret the config consistently.
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java`:
- Around line 1-17: The license header in
APIResourceCollectionManagementUtilTest is using an outdated copyright year for
a newly added Java file. Update the header at the top of the file so the year
reflects the current year or a range ending in the current year, matching the
project’s Java license header convention.
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerTest.java`:
- Around line 297-310: `assertBucketScopes` in
`APIResourceCollectionManagerTest` only verifies that expected scopes are
present, so it can miss accidental scope leakage between buckets. Update this
helper to also assert isolation by checking that the collected scope set for the
bucket matches exactly the `expectedScopes` set, using `assertEquals` or
equivalent, so `CREATE`, `UPDATE`, and `DELETE` buckets do not contain extra
scopes.
In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml.j2`:
- Around line 841-843: The scope names in the API resource templates are
inconsistent: `api-resource-collection.xml.j2` references
`console:apiResources*` scopes while `system-api-resource.xml.j2` defines
`internal_*` scopes. Update the scope declarations in
`system-api-resource.xml.j2` (and any related references in the collection
template) so the names match exactly, including `console:apiResources`,
`console:apiResources_view`, `console:apiResources_create`,
`console:apiResources_update`, and `console:apiResources_delete`, using the
existing resource/template symbols to keep the definitions aligned.
In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2`:
- Around line 2044-2049: The `Scope` entries for `console:userSharing_create`
and `console:userSharing_delete` in `system-api-resource.xml.j2` are using the
wrong description text copied from the update scope. Update the descriptions in
the template to match the intended create/delete wording already used by the
generated `system-api-resource.xml`, and keep the `console:userSharing_update`
description unchanged.
In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json`:
- Around line 413-419: The preserved-behavior override for console granular
permissions is missing for IS_7.0.0, so add the same pinned-off settings used
for the newer preserved versions in this infer JSON. Update the identity feature
mapping around the existing
console.console_settings.use_granular_console_permissions and
console.console_settings.disabled_features entries to include IS_7.0.0 as well,
matching the behavior already backfilled for IS_7.1.0 and IS_7.2.0.
---
Outside diff comments:
In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml`:
- Around line 799-807: The generated api-resource-collection.xml is out of sync
with the api-resource-collection.xml.j2 template and is missing sibling console
application scopes in several <Update> blocks. Regenerate the artifact from the
template, or manually update the affected sections such as
applicationAuthenticationScript and applicationClientSecretManagement to include
the missing console:applications_create, console:applications_update, and
console:applications_delete scopes alongside the existing entries, ensuring all
template-defined permissions are present.
---
Nitpick comments:
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java`:
- Around line 174-209: Unresolved holder scopes are being dropped silently in
APIResourceCollectionMgtConfigBuilder while resolving Read/Create/Update/Delete
scopes. Update the holder-scope handling in the action branches to detect when
holderResolutionMap has no entry for scopeName, preserve or report that
unresolved scope, and add a guarded debug log at this decision point so
misconfigured console scopes are visible during troubleshooting.
- Around line 415-441: resolveOwnerActionScopes currently uses a null sentinel
for unrecognized feature scopes, which triggers static-analysis warnings. Update
APIResourceCollectionMgtConfigBuilder so the intent is explicit: either return
an empty set instead of null and have buildHolderResolutionMap treat empty
results as “not recognized,” or keep the sentinel but document and centralize
the null handling at the caller. Use the resolveOwnerActionScopes and
buildHolderResolutionMap symbols to make the behavior clear and avoid relying on
an undocumented null return.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
Run ID: 88ccc6e2-c3bf-4b48-9ef3-817eb2a3c6b6
📒 Files selected for processing (20)
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/pom.xmlcomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerImpl.javacomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/constant/APIResourceCollectionManagementConstants.javacomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/model/APIResourceCollection.javacomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.javacomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.javacomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.javacomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerTest.javacomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.javacomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionTest.javacomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/resources/repository/conf/api-resource-collection.xmlcomponents/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/resources/testng.xmlfeatures/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xmlfeatures/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml.j2features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xmlfeatures/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xmlfeatures/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.jsonfeatures/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json
6cbee3c to
01142b7
Compare
01142b7 to
2c38ad3
Compare
|
|
PR builder started |
|
PR builder completed |
jenkins-is-staging
left a comment
There was a problem hiding this comment.
Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/29485528161



Purpose
Resolve console feature action scopes (e.g.
console:applications_edit,console:applications_create) as holders when they appear inside another collection's<Read>/<Create>/<Update>/<Delete>block. The holder is replaced by the leaf scopes from the matching action block of the owning collection, and the holder name itself is dropped from the bucket — so theapiResourcespayload of/api-resource-collections/{id}surfaces the underlying internal scopes (and their owning API resource) instead of an opaque console scope that no API resource owns.Changes
APIResourceCollectionMgtConfigBuilder): pre-build aholder → leaf scopesmap from each collection's<Feature>block + matching action block._view→ owner Read,_create/_update/_delete→ matching owner block,_edit→ owner Create + Update + Delete (legacy coarse write). Resolution is recursive with cycle protection + memoisation so an owner's action block can itself reference another holder.api-resource-collection.xml.j2: declare_create/_update/_deletesiblings next to every_editholder inside non-<Feature>blocks (8 sites:applicationAuthenticationScript,applicationClientSecretManagement,applicationInternalAPIAuthorization,userSharingV2, and the fourorg_*counterparts).APIResourceCollectionMgtConfigBuilderTest— update/view/edit holder resolution, write-bucket propagation, transitive recursion, literal scopes preserved alongside holders, owner collection unaffected.Related Issues