Skip to content

Add API resources and access control for user share API V2 #7695

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
BimsaraBodaragama wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Add API resources and access control for user share API V2 #7695

BimsaraBodaragama wants to merge 5 commits into from

Conversation

@BimsaraBodaragama
Copy link
Member

@BimsaraBodaragama BimsaraBodaragama commented Jan 26, 2026
edited by coderabbitai bot
Loading

Purpose

This PR adds the system API resource definitions and access control mappings required for User Sharing API v2, covering both tenant-level and organization-level contexts. It ensures that all v2 user sharing operations are protected by explicitly defined scopes and enforced consistently through the resource-access-control layer.

Goals

  • Introduce API resource definitions for User Sharing API v2 in system API resource configuration
  • Define clear and explicit scopes for share, unshare, view, and update operations
  • Enforce method-level access control for v2 endpoints across tenant and organization contexts

Approach

  • Added User Sharing API V2 entries to the system API resource configuration for:
    • Tenant context (/api/server/v2/users)
    • Organization context (/o/api/server/v2/users)
  • Defined dedicated scopes for each v2 operation:
    • Share users
    • Unshare users
    • View the organization with which a given user is shared
    • Update shared user attributes
  • Mapped v2 REST endpoints and HTTP methods to the corresponding scopes in
    resource-access-control-v2.xml
  • Applied consistent access control rules for both tenant-level and organization-level APIs

Related PRs

NOTE

PR of adding API Resources to User Sharing V1:

Related Issue

Summary by CodeRabbit

  • New Features
    • User Sharing API V2 introduced for tenant and organization contexts (/api/server/v2/users and /o/api/server/v2/users).
    • New endpoints: share, share-with-all, unshare, unshare-with-all, plus view (GET) and update (PATCH) for shared user access.
    • Added a new scope/permission to update attributes of shared users for finer-grained sharing control.

Copilot AI review requested due to automatic review settings January 26, 2026 05:53
This was referenced Jan 26, 2026
Merged
Merged
@coderabbitai
Copy link

coderabbitai bot commented Jan 26, 2026
edited
Loading

Walkthrough

Adds V2 User Sharing API resource declarations and matching access-control entries for tenant and organization contexts, introducing share, unshare, view, and update scopes and HTTP method mappings for /api/server/v2/users and /o/api/server/v2/users.

Changes

Cohort / File(s) Summary
API Resource Definitions
features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml, features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2		 Added two APIResource entries named "User Sharing API V2": tenant (/api/server/v2/users) and organization (/o/api/server/v2/users), each requires authorization and exposes four scopes: share, unshare, view shared users, and update shared users attributes (organization scopes prefixed with internal_org_).
Resource Access Control V2
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml, features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2		 Added resource rules mapping V2 endpoints to scopes: POST endpoints for share and share-with-all, POST for unshare and unshare-with-all, PATCH for updating shared-user attributes, and GET for viewing shared users — duplicated for tenant (/api/server/v2/users/...) and organization (/o/api/server/v2/users/...) contexts.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through XML, added paths anew,
Tenant and org, both wearing V2,
Share, unshare, view, and tweak with care,
I nibble scopes and sew them in the air,
A cheerful rabbit hops—changes done, hooray!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Add API resources and access control for user share API V2' accurately summarizes the main change—adding API resource definitions and access control mappings for User Sharing API v2.
Description check ✅ Passed The description covers Purpose, Goals, Approach, and Related PRs/Issues sections comprehensively, though it is missing several optional template sections like Security checks, Documentation, and Test environment.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

This was referenced Jan 26, 2026
Merged
Merged
Merged
Merged
Open
coderabbitai[bot]
coderabbitai bot reviewed Jan 26, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Fix all issues with AI agents 
In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml`:
- Around line 1796-1814: The PATCH Resource mapping currently uses the non-org
context "(.*)/api/server/v2/users/share(.*)" causing scope collision; modify the
Resource element with http-method="PATCH" (the one whose <Scopes> is
internal_org_shared_user_access_update) to use the org context
"(.*)/o/api/server/v2/users/share(.*)" so it aligns with the other org endpoints
and avoids applying the org scope to tenant routes.

In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2`:
- Around line 1979-2017: The org PATCH Resource currently maps the org scope to
the tenant path (/api/server/v2/users/share) causing a duplicate tenant PATCH
entry and scope mismatch; update the Resource with http-method="PATCH" that uses
scope internal_org_shared_user_access_update so its context is
"(.*)/o/api/server/v2/users/share(.*)" (matching the org pattern) instead of
"(.*)/api/server/v2/users/share(.*)" so the org PATCH maps to the /o/api/...
path and aligns with internal_org_shared_user_access_update.

@BimsaraBodaragama BimsaraBodaragama self-assigned this Jan 26, 2026
Copilot AI reviewed Jan 26, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds system API resource definitions and resource-access-control mappings to secure User Sharing API v2 operations in both tenant and organization contexts with explicit scopes.

Changes:

  • Added new v2 scopes for share/unshare/view/update operations under tenant and organization API resources.
  • Added resource-access-control mappings for v2 user sharing endpoints and HTTP methods.
  • Updated both template (.j2) and generated XML files to keep configurations aligned.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2 Adds v2 user sharing endpoint-to-scope mappings (template).
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml Adds v2 user sharing endpoint-to-scope mappings (generated XML).
features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2 Defines tenant/org API resources and new v2 scopes (template).
features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml Defines tenant/org API resources and new v2 scopes (generated XML).

@codecov
Copy link

codecov bot commented Jan 26, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.07%. Comparing base (ad9d90c) to head (6ebbcb1).
⚠️ Report is 87 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff              @@
##             master    #7695      +/-   ##
============================================
- Coverage     51.26%   51.07%   -0.19%     
- Complexity    19363    19679     +316     
============================================
  Files          2144     2144              
  Lines        123096   128180    +5084     
  Branches      26224    27489    +1265     
============================================
+ Hits          63103    65471    +2368     
- Misses        51889    54371    +2482     
- Partials       8104     8338     +234
Flag Coverage Δ
unit 35.76% <ø> (+0.09%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

SujanSanjula96
SujanSanjula96 reviewed Jan 26, 2026
View reviewed changes
...t/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml Outdated
requiresAuthorization="true"
description="API representation of the user share API V2" type="TENANT">
<Scopes>
<Scope displayName="Share Users" name="internal_share_user"
Copy link
Contributor

@SujanSanjula96 SujanSanjula96 Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using a new scope for the same purpose will be confusing for users and also it will grow the number of internal scopes unnecessarily (which is a concern right now as well).

@piraveena AFAIR, we decided that it is okay to share the internal scopes between APIs during Scim2 Roles V3 API implementation. Will it be okay to use similar approach here as well?

This was referenced Jan 27, 2026
Open
Open
@BimsaraBodaragama BimsaraBodaragama mentioned this pull request Jan 31, 2026
Open
@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 6, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SujanSanjula96 SujanSanjula96 SujanSanjula96 left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@BimsaraBodaragama BimsaraBodaragama

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BimsaraBodaragama @SujanSanjula96