Provide service for selective role sharing with application sharing #525

HasiniSama · 2025-07-09T07:05:12Z

Purpose

Issue: wso2/product-is#21100

Ported the implementation from: #512

Additional changes introduced:

Update the /share GET API to return the sharingInitiationMode.
/share POST API requests now doesn't require the complete hierarchy to be sent in the payload. However the application should be already shared with the parent org.
Fixed the bug on getting the roles shared overridden by the parent's roles shared.
If shareWithAllChildren property is set to true, it will be treated same as the ALL_EXISTING_AND_FUTURE_ORGS and the sharingInitiationMode will be sent in the GET API.
An application cannot be unshared from a child organization if there's parent organization that enforces a future policy.
Fixed the error in the PATCH API when having both add/remove share for a single organization.
sharingInitiationMode is only included if it's sent in the 'attributes' query param.
Update the roles list limit returned in GET API to 100.
Fix the pagination bug on href link.

Related PR(s)

wso2/identity-api-server#929

…haring

- Provide the support to get application with filtering option. - Add new error message for application sharing - Moved application share operations models to a new package

# Conflicts: # components/org.wso2.carbon.identity.organization.management.application/src/main/java/org/wso2/carbon/identity/organization/management/application/OrgApplicationManagerImpl.java # components/org.wso2.carbon.identity.organization.management.application/src/main/java/org/wso2/carbon/identity/organization/management/application/constant/OrgApplicationMgtConstants.java # components/org.wso2.carbon.identity.organization.management.application/src/main/java/org/wso2/carbon/identity/organization/management/application/internal/OrgApplicationMgtDataHolder.java # components/org.wso2.carbon.identity.organization.management.application/src/main/java/org/wso2/carbon/identity/organization/management/application/internal/OrgApplicationMgtServiceComponent.java

- Convert logs to debug - Convert the ShareRoleMgt behaviour to previous behavior

- Improve logging - Add unit tests - Reduce using start tenant flows - Optimize to execute less DB queries

…anization

…itiationMode for future-impacting policy-holder organizations

Copilot

Pull Request Overview

This PR adds support for selective role sharing within application-sharing flows, ports existing logic from the organization-management extension, and extends resource sharing to include applications.

Introduce getResourceSharingPolicyByInitiatingOrgId methods in DAO, service interface, and service impl
Extend ResourceType and PolicyEnum to include APPLICATION resources
Add new SQL constant and update POM version for organization-management core
Implement comprehensive application share handlers and utility classes (e.g., hierarchy processing, SCIM filter parsing, filter builders)

Reviewed Changes

Copilot reviewed 38 out of 39 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pom.xml	Bump `<identity.organization.management.core.version>` to 1.1.33
ResourceSharingPolicyHandlerDAOImpl.java	Implement `getResourceSharingPolicyByInitiatingOrgId`
ResourceSharingSQLConstants.java	Add `GET_RESOURCE_SHARING_POLICIES_WITH_INITIATING_ORG_ID` SQL template
ResourceType.java & PolicyEnum.java	Add `APPLICATION` as a valid resource type and include in all policies
FilterQueriesUtil.java	Introduce generic SCIM filter-to-query builder with various operations
SharedRoleMgtHandler.java / SharedRoleMgtListener.java / SharedRoleMgtHandlerTest.java	Enhance event handling for application share and selective role updates
OrgApplicationShareProcessor.java	Add BFS-based priority sorting for selective organization shares

Comments suppressed due to low confidence (2)

components/org.wso2.carbon.identity.organization.resource.sharing.policy.management/src/main/java/org/wso2/carbon/identity/organization/resource/sharing/policy/management/dao/ResourceSharingPolicyHandlerDAOImpl.java:476

The new getResourceSharingPolicyByInitiatingOrgId method is not covered by unit tests. Please add tests for this DAO method to verify grouping logic and empty-case behavior.

            return result.stream().collect(Collectors.groupingBy(

components/org.wso2.carbon.identity.organization.resource.sharing.policy.management/src/main/java/org/wso2/carbon/identity/organization/resource/sharing/policy/management/constant/ResourceSharingSQLConstants.java:73

The SQL string includes semicolons before the AND clauses, which will break the query. Remove the semicolons so that it reads ... = :INITIATING_ORG_ID AND ... = :RESOURCE_TYPE AND ... = :RESOURCE_ID.

                    "WHERE rsp.UM_INITIATING_ORG_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_INITIATING_ORG_ID

...ava/org/wso2/carbon/identity/organization/management/application/util/FilterQueriesUtil.java

...main/java/org/wso2/carbon/identity/organization/management/handler/SharedRoleMgtHandler.java

…rit shared apps

.../org/wso2/carbon/identity/organization/management/application/OrgApplicationManagerImpl.java

HasiniSama · 2025-07-11T05:27:13Z

.../org/wso2/carbon/identity/organization/management/application/OrgApplicationManagerImpl.java

+
+        String filter = RoleConstants.AUDIENCE_ID + " " + RoleConstants.EQ + " " + appId;
+        return getRoleManagementServiceV2().getRoles(filter, null, 0, null, null, tenantDomain);
+    }


Refactor the code to the role handler.

Check the role amount returned.

Add pagination here. Same as the listener.

Check whether the roles get unshared.

...2/carbon/identity/organization/management/application/util/OrgApplicationShareProcessor.java

...ity/organization/resource/sharing/policy/management/dao/ResourceSharingPolicyHandlerDAO.java

.../org/wso2/carbon/identity/organization/management/application/OrgApplicationManagerImpl.java

...main/java/org/wso2/carbon/identity/organization/management/handler/SharedRoleMgtHandler.java

codecov · 2025-07-21T11:33:40Z

Codecov Report

Attention: Patch coverage is 24.71910% with 804 lines in your changes missing coverage. Please review.

Project coverage is 52.90%. Comparing base (ab592a4) to head (127d210).
Report is 32 commits behind head on main.

Files with missing lines	Patch %	Lines
...ation/management/handler/SharedRoleMgtHandler.java	35.90%	199 Missing and 42 partials ⚠️
...application/util/OrgApplicationShareProcessor.java	33.54%	93 Missing and 14 partials ⚠️
...lication/listener/OrganizationCreationHandler.java	0.00%	92 Missing ⚠️
...management/application/util/FilterQueriesUtil.java	0.00%	79 Missing ⚠️
...istener/ApplicationSharingManagerListenerImpl.java	0.00%	40 Missing ⚠️
...application/dao/impl/OrgApplicationMgtDAOImpl.java	0.00%	39 Missing ⚠️
...ement/dao/ResourceSharingPolicyHandlerDAOImpl.java	14.70%	27 Missing and 2 partials ⚠️
...plication/util/OrgApplicationScimFilterParser.java	0.00%	24 Missing ⚠️
...ation/model/SharedApplicationOrganizationNode.java	0.00%	22 Missing ⚠️
...del/operation/ApplicationShareUpdateOperation.java	0.00%	19 Missing ⚠️
... and 14 more

❌ Your patch status has failed because the patch coverage (24.71%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff              @@
##               main     #525      +/-   ##
============================================
- Coverage     56.18%   52.90%   -3.28%     
- Complexity     1988     2002      +14     
============================================
  Files           186      199      +13     
  Lines         10977    12505    +1528     
  Branches       1640     1947     +307     
============================================
+ Hits           6167     6616     +449     
- Misses         4269     5255     +986     
- Partials        541      634      +93

Flag	Coverage Δ
unit	`36.74% <24.71%> (-1.16%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

HasiniSama · 2025-07-21T11:43:21Z

Unit test to improve coverage will be tracked via: wso2/product-is#24757

jenkins-is-staging · 2025-07-21T11:43:52Z

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/16416038982

jenkins-is-staging · 2025-07-21T12:25:06Z

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/16416038982
Status: failure

jenkins-is-staging · 2025-07-21T13:29:18Z

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/16418350186

jenkins-is-staging · 2025-07-21T14:10:05Z

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/16418350186
Status: failure

jenkins-is-staging · 2025-07-22T03:06:44Z

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/16433543452

jenkins-is-staging · 2025-07-22T03:46:37Z

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/16433543452
Status: failure

jenkins-is-staging · 2025-07-22T04:04:47Z

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/16434336417

jenkins-is-staging · 2025-07-22T04:45:41Z

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/16434336417
Status: success

jenkins-is-staging

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/16434336417

… ALL role mode

sahandilshan added 14 commits May 16, 2025 12:09

Add applciation configs for sharing policy

df33662

Add new application sharing model classes

22a9aec

Add new util classes required for new application sharing

cee390c

Update application sharing implementation to support selective role s…

41b8ddc

…haring

Update listeners according to new sharing mode

3322727

Refactored the application sharing

732dfc9

- Provide the support to get application with filtering option. - Add new error message for application sharing - Moved application share operations models to a new package

Refactor rolemgt listners and handlers

a56c8bf

Add async status for app sharing with policy

45b232b

Use new application share methods instead of deprecated methods

2fa656e

Bump organization.management.core version

d93fcad

Improve role sharing of application

dfdd654

- Convert logs to debug - Convert the ShareRoleMgt behaviour to previous behavior

Improve application sharing services

1c19eb4

- Improve logging - Add unit tests - Reduce using start tenant flows - Optimize to execute less DB queries

Fix issue flows

73f2fca

HasiniSama mentioned this pull request Jul 9, 2025

Provide API support for selective role sharing with application sharing wso2/identity-api-server#929

Merged

HasiniSama added 2 commits July 9, 2025 12:37

Use a single entry for the policy holder instead of one per child org…

9057587

…anization

Update getApplicationSharedOrganizations service to include sharingIn…

cd835be

…itiationMode for future-impacting policy-holder organizations

HasiniSama force-pushed the sahandilshan branch from 053d49b to cd835be Compare July 9, 2025 09:08

Remove unshare logic for omitted orgs and add a log for invalid org Ids

0804ebf

AnuradhaSK requested a review from Copilot July 9, 2025 11:19

Copilot AI reviewed Jul 9, 2025

View reviewed changes

...ava/org/wso2/carbon/identity/organization/management/application/util/FilterQueriesUtil.java Show resolved Hide resolved

...main/java/org/wso2/carbon/identity/organization/management/handler/SharedRoleMgtHandler.java Show resolved Hide resolved

Change organization creation logic to traverse the hierarchy and inhe…

657c71b

…rit shared apps