Skip to content

Add integration tests to password recovery flow enumeration controls#28052

Open
VIHANGAGIT wants to merge 6 commits into
wso2:masterfrom
VIHANGAGIT:integration-test-recovery-flow-enumeration-controls
Open

Add integration tests to password recovery flow enumeration controls#28052
VIHANGAGIT wants to merge 6 commits into
wso2:masterfrom
VIHANGAGIT:integration-test-recovery-flow-enumeration-controls

Conversation

@VIHANGAGIT

@VIHANGAGIT VIHANGAGIT commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Purpose

Adds integration coverage for the password-recovery flow's user-enumeration and account-status controls — the UserResolveExecutor's notifyUserExistence and notifyUserAccountStatus flags. When enabled, the executor surfaces a user-facing message (carrying an i18n key) instead of silently advancing the flow, for a non-existent identifier, a locked account, or a disabled account.

Password Recovery Flow Support:

  • Added support for password recovery flows in FlowExecutionTestBase and FlowManagementTestBase, including methods to add, enable, and disable password recovery flows, and the corresponding flow type constant. [1] [2] [3] [4] [5]

Negative Test Coverage for Password Recovery:

  • Added a new test class RecoveryEnumerationControlsExecutionNegativeTest to cover negative scenarios for password recovery flow execution, such as attempting to initiate or execute the flow before it is enabled, using invalid flow IDs, and submitting empty inputs.

User-Facing Message Model and Integration:

  • Introduced a new Message model class to represent messages (error, warning, info) surfaced to the user during flow steps, including type, message, and i18n key fields.
  • Extended the Data model to include a list of Message objects, with appropriate getters, setters, and methods for adding messages, and updated equals, hashCode, and toString methods to include the new field. [1] [2] [3] [4] [5]

Related Issues

@VIHANGAGIT
VIHANGAGIT marked this pull request as draft June 17, 2026 04:22
@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR adds integration test infrastructure for the PASSWORD_RECOVERY flow type. A new Message model class is introduced with a TypeEnum (ERROR, WARNING, INFO), message, and i18nKey fields. The existing Data model is extended to carry a List<Message>. Two JSON flow definitions are added (one for execution tests, one for management tests), each describing a four-step workflow: username collection via UserResolveExecutor, OTP verification via EmailOTPExecutor, password reset via PasswordProvisioningExecutor, and a terminal END screen via UserProvisioningExecutor. FlowExecutionTestBase and FlowManagementTestBase are each extended with a PASSWORD_RECOVERY_FLOW constant, a PASSWORD_RECOVERY flow type identifier, and lifecycle helper methods. Four new test classes are registered in testng.xml around the existing FlowExecutionPositiveTest.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 15.09% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: adding integration tests for password recovery flow enumeration controls.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The description matches the password-recovery flow support, message model, and test coverage changes in the changeset.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (4)
modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/password-recovery-flow.json (1)

1-248: ⚡ Quick win

Duplicate flow definition increases maintenance burden.

This file is identical to modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/password-recovery-flow.json. Maintaining two copies risks inconsistency when updates are needed. Consider extracting the common definition to a shared location or adding validation tests to ensure the files remain synchronized.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/password-recovery-flow.json`
around lines 1 - 248, This password-recovery-flow.json file is a duplicate of
the file at
modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/password-recovery-flow.json.
To fix this duplication issue, identify which location is the canonical source
for the password recovery flow definition, delete the duplicate file, and update
any test code or references that point to the deleted file to instead use the
canonical location. Alternatively, if both locations need to be maintained for
different test contexts, add a validation test that verifies both
password-recovery-flow.json files remain synchronized to prevent future
inconsistencies.
modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/PasswordRecoveryFlowManagementTest.java (2)

118-121: ⚡ Quick win

Consider reusing a static ObjectMapper instance.

Creating a new ObjectMapper instance on each call is inefficient. ObjectMapper is thread-safe and expensive to construct, so using a static final instance would improve performance.

♻️ Proposed refactor

Add a static ObjectMapper field at the class level:

+    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper(new JsonFactory());
+
     private FlowManagementClient flowManagementClient;
     private String passwordRecoveryFlowRequestJson;

Then use it in the helper:

     private FlowRequest getFlowRequest() throws IOException {
 
-        return new ObjectMapper(new JsonFactory()).readValue(passwordRecoveryFlowRequestJson, FlowRequest.class);
+        return OBJECT_MAPPER.readValue(passwordRecoveryFlowRequestJson, FlowRequest.class);
     }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/PasswordRecoveryFlowManagementTest.java`
around lines 118 - 121, The getFlowRequest() method is creating a new
ObjectMapper instance with a JsonFactory on each invocation, which is
inefficient since ObjectMapper is thread-safe and expensive to construct. Create
a static final ObjectMapper field at the class level initialized once with the
JsonFactory, and then modify the getFlowRequest() method to reuse this static
instance instead of creating a new one each time the method is called.

55-55: ⚡ Quick win

Remove unnecessary static modifier.

The passwordRecoveryFlowRequestJson variable is declared static but is populated in @BeforeClass, which runs per test instance created by @Factory. The static modifier is unnecessary and could cause issues if the suite configuration changes to allow parallel execution.

♻️ Proposed fix
-    private static String passwordRecoveryFlowRequestJson;
+    private String passwordRecoveryFlowRequestJson;
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/PasswordRecoveryFlowManagementTest.java`
at line 55, Remove the static modifier from the passwordRecoveryFlowRequestJson
field declaration. Since this variable is populated in the `@BeforeClass` method
which runs per test instance created by `@Factory`, the static modifier is
unnecessary and can cause issues with parallel test execution. Change the field
from a static variable to an instance variable by removing the static keyword.
modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/PasswordRecoveryFlowExecutionTest.java (1)

257-267: ⚡ Quick win

Extract hard-coded Base64 values to named constants.

Lines 265-266 pass hard-coded Base64-encoded strings "QWNjb3VudCBNYW5hZ2VtZW50" (Account Management) and "YWNjb3VudC1yZWNvdmVyeQ" (account-recovery) as category and connector IDs. These magic strings reduce readability and maintainability.

♻️ Proposed refactor

Add constants at the class level:

     private static final String ACCOUNT_LOCKED_I18N_KEY_PREFIX = "account.locked";
     private static final String ACCOUNT_DISABLED_I18N_KEY = "account.disabled";
+
+    // Identity Governance connector IDs (Base64-encoded)
+    private static final String ACCOUNT_MANAGEMENT_CATEGORY_ID = "QWNjb3VudCBNYW5hZ2VtZW50"; // "Account Management"
+    private static final String ACCOUNT_RECOVERY_CONNECTOR_ID = "YWNjb3VudC1yZWNvdmVyeQ"; // "account-recovery"

Then use them:

-        identityGovernanceRestClient.updateConnectors("QWNjb3VudCBNYW5hZ2VtZW50",
-                "YWNjb3VudC1yZWNvdmVyeQ", connectorsPatchReq);
+        identityGovernanceRestClient.updateConnectors(ACCOUNT_MANAGEMENT_CATEGORY_ID,
+                ACCOUNT_RECOVERY_CONNECTOR_ID, connectorsPatchReq);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/PasswordRecoveryFlowExecutionTest.java`
around lines 257 - 267, The updatePasswordRecoveryFeatureStatus method contains
hard-coded Base64-encoded strings that should be extracted to named constants
for better readability and maintainability. Define class-level constants for the
Base64 values "QWNjb3VudCBNYW5hZ2VtZW50" (which represents Account Management)
and "YWNjb3VudC1yZWNvdmVyeQ" (which represents account-recovery), then replace
the hard-coded strings in the identityGovernanceRestClient.updateConnectors call
with these constants.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/model/Message.java`:
- Around line 167-173: In the toIndentedString method, the replace call on the
return statement is replacing newline characters with the same newline character
without adding any indentation. Fix this by replacing each newline with a
newline followed by 4 spaces to properly indent the output. This will ensure
that multi-line object string representations are properly formatted with
consistent indentation.

In
`@modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/password-recovery-flow.json`:
- Around line 171-184: The OTP input field in the password-recovery-flow.json
file has a label mismatch with its executor. In the INPUT field with variant OTP
and identifier otp, update the label property from "Enter the code sent to your
mobile" to "Enter the code sent to your email" to correctly match the
EmailOTPExecutor that delivers the code via email instead of mobile.

In
`@modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/password-recovery-flow.json`:
- Around line 171-184: The label text in the OTP input field's config section is
inconsistent with the executor type being used. The label field currently states
"Enter the code sent to your mobile" but the flow uses EmailOTPExecutor which
sends codes via email. Update the label value in the config object to say "Enter
the code sent to your email" to match the actual delivery method and provide
accurate user guidance.

---

Nitpick comments:
In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/PasswordRecoveryFlowExecutionTest.java`:
- Around line 257-267: The updatePasswordRecoveryFeatureStatus method contains
hard-coded Base64-encoded strings that should be extracted to named constants
for better readability and maintainability. Define class-level constants for the
Base64 values "QWNjb3VudCBNYW5hZ2VtZW50" (which represents Account Management)
and "YWNjb3VudC1yZWNvdmVyeQ" (which represents account-recovery), then replace
the hard-coded strings in the identityGovernanceRestClient.updateConnectors call
with these constants.

In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/PasswordRecoveryFlowManagementTest.java`:
- Around line 118-121: The getFlowRequest() method is creating a new
ObjectMapper instance with a JsonFactory on each invocation, which is
inefficient since ObjectMapper is thread-safe and expensive to construct. Create
a static final ObjectMapper field at the class level initialized once with the
JsonFactory, and then modify the getFlowRequest() method to reuse this static
instance instead of creating a new one each time the method is called.
- Line 55: Remove the static modifier from the passwordRecoveryFlowRequestJson
field declaration. Since this variable is populated in the `@BeforeClass` method
which runs per test instance created by `@Factory`, the static modifier is
unnecessary and can cause issues with parallel test execution. Change the field
from a static variable to an instance variable by removing the static keyword.

In
`@modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/password-recovery-flow.json`:
- Around line 1-248: This password-recovery-flow.json file is a duplicate of the
file at
modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/password-recovery-flow.json.
To fix this duplication issue, identify which location is the canonical source
for the password recovery flow definition, delete the duplicate file, and update
any test code or references that point to the deleted file to instead use the
canonical location. Alternatively, if both locations need to be maintained for
different test contexts, add a validation test that verifies both
password-recovery-flow.json files remain synchronized to prevent future
inconsistencies.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dff843af-23ad-4d01-9ece-776091422832

📥 Commits

Reviewing files that changed from the base of the PR and between 51f3a44 and 5fc5c19.

📒 Files selected for processing (9)
  • modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/FlowExecutionTestBase.java
  • modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/PasswordRecoveryFlowExecutionTest.java
  • modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/model/Data.java
  • modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/model/Message.java
  • modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/FlowManagementTestBase.java
  • modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/PasswordRecoveryFlowManagementTest.java
  • modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/flow/execution/v1/password-recovery-flow.json
  • modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/flow/management/v1/password-recovery-flow.json
  • modules/integration/tests-integration/tests-backend/src/test/resources/testng.xml

@VIHANGAGIT
VIHANGAGIT force-pushed the integration-test-recovery-flow-enumeration-controls branch from 1ab79a2 to 204368b Compare June 17, 2026 10:49
@VIHANGAGIT
VIHANGAGIT marked this pull request as ready for review June 17, 2026 11:06
@VIHANGAGIT
VIHANGAGIT force-pushed the integration-test-recovery-flow-enumeration-controls branch 4 times, most recently from 2c55b2a to d291565 Compare June 19, 2026 11:02
@VIHANGAGIT
VIHANGAGIT force-pushed the integration-test-recovery-flow-enumeration-controls branch from d291565 to 21651a8 Compare June 22, 2026 03:48
@VIHANGAGIT
VIHANGAGIT force-pushed the integration-test-recovery-flow-enumeration-controls branch from cef1f6d to f1f0dce Compare June 26, 2026 04:39
VIHANGAGIT and others added 2 commits June 26, 2026 10:13
…to integration-test-recovery-flow-enumeration-controls
…rols' into integration-test-recovery-flow-enumeration-controls"

This reverts commit 7b5cebd, reversing
changes made to f1f0dce.
@jenkins-is-staging

Copy link
Copy Markdown
Contributor

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/28227776244

@jenkins-is-staging

Copy link
Copy Markdown
Contributor

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/28227776244
Status: failure

@VIHANGAGIT
VIHANGAGIT force-pushed the integration-test-recovery-flow-enumeration-controls branch from c203c91 to 9ab3715 Compare June 30, 2026 08:44
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants