feat(config-api): feature wise admin scope for endpoints#12736
Signed-off-by: pujavs <pujas.works@gmail.com>
…12374 Signed-off-by: pujavs <pujas.works@gmail.com>
…oints#11633 Signed-off-by: pujavs <pujas.works@gmail.com>
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
jans-config-api/plugins/docs/lock-plugin-swagger.yaml (1)
24-25: Typo: "Rerquest" should be "Request" in operation descriptions. Multiple endpoints have a typo in the summary/description fields:
- Line 24-25: /lock/audit/health/search
- Line 77-78: /lock/audit/log/search
- Line 131: /lock/audit/telemetry/search

🔎 Proposed fix

```diff
- summary: Rerquest health records for specific event range
- description: Rerquest health records for specific event range
+ summary: Request health records for specific event range
+ description: Request health records for specific event range

- summary: Rerquest log records for specific event range
- description: Rerquest log records for specific event range
+ summary: Request log records for specific event range
+ description: Request log records for specific event range

- description: Rerquest telemetry records for specific event range
+ description: Request telemetry records for specific event range
```

Also applies to: 77-78, 131-131
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml (1)
1241-1243: Missing scope definitions: Webhook scopes not in securitySchemes. Multiple webhook endpoints reference scopes that are not defined in `securitySchemes`:
- https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly
- https://jans.io/oauth/jans-auth-server/config/adminui/webhook.write
- https://jans.io/oauth/jans-auth-server/config/adminui/webhook.delete

These should be added to the `securitySchemes.oauth2.flows.clientCredentials.scopes` section for the OpenAPI spec to be complete.

Also applies to: 1317-1319, 1429-1431
♻️ Duplicate comments (2)
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java (1)
42-42: Minor description inaccuracy for `LOCK_ADMIN_ACCESS` scope. The description states "Admin to manage Lock telemetry related information," but this scope appears to be a general admin scope for the Lock plugin, not limited to telemetry. Consider updating the description to reflect its broader purpose, such as "Admin access to manage Lock plugin configuration and resources."
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml (1)
552-555: Missing scope definitions: `properties.readonly` and `properties.write` not in securitySchemes. The `/admin-ui/config` endpoints reference these scopes:
- https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly (line 553)
- https://jans.io/oauth/jans-auth-server/config/adminui/properties.write (line 555, 591)

However, these scopes are not defined in the `securitySchemes` section (lines 2067-2107). OpenAPI consumers and documentation tools rely on scope definitions for discovery.

```bash
#!/bin/bash
# Verify if these scopes are defined in the source plugin code
echo "=== Searching for properties scope definitions ==="
rg -n "properties\.readonly|properties\.write" --type=java jans-config-api/plugins/jans-admin-ui-plugin/
```

Also applies to: 590-591
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (7)
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
- jans-config-api/plugins/docs/lock-plugin-swagger.yaml
- jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
- jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
- jans-config-api/server/src/main/java/io/jans/configapi/service/logger/LoggerService.java
💤 Files with no reviewable changes (1)
- jans-config-api/server/src/main/java/io/jans/configapi/service/logger/LoggerService.java
🧰 Additional context used
🧠 Learnings (15)
📚 Learning: 2025-12-22T15:34:36.425Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/plugins/jans-link-plugin/src/main/java/io/jans/configapi/plugin/link/util/Constants.java:16-17
Timestamp: 2025-12-22T15:34:36.425Z
Learning: In the Jans project's config-api component, there is an intentional shift in OAuth scope URL naming convention to exclude the "jans-" prefix from scope identifiers. Scope URLs like `https://jans.io/oauth/config/link.admin` (without "jans-link") are preferred over `https://jans.io/oauth/config/jans-link.admin`. This is part of a deliberate renaming effort to exclude the project name from scope names.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/docs/lock-plugin-swagger.yaml
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-18T12:50:04.709Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/docs/jans-config-api-swagger.yaml:0-0
Timestamp: 2025-12-18T12:50:04.709Z
Learning: In the Jans project's jans-config-api component, the scope `https://jans.io/auth/ssa.admin` is specified by the jans-auth component for SSA (Software Statement Assertion) endpoints and is out of scope for the Config API.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
- jans-config-api/plugins/docs/lock-plugin-swagger.yaml
- jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-24T06:56:54.128Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/profiles/local/test.properties:2-2
Timestamp: 2025-12-24T06:56:54.128Z
Learning: In jans-config-api test configuration files (like test.properties), the scopes `https://jans.io/auth/ssa.admin`, `https://jans.io/auth/ssa.portal`, and `https://jans.io/auth/ssa.developer` are required for test cases to execute successfully, even though these scopes are managed by the jans-auth component. Test configurations can include scopes from other components when needed for integration testing.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
- jans-config-api/plugins/docs/lock-plugin-swagger.yaml
- jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T12:44:48.624Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:0-0
Timestamp: 2025-12-17T12:44:48.624Z
Learning: In the jans-config-api project, the model class referenced in the Swagger file at jans-config-api/docs/jans-config-api-swagger.yaml (around line 17747 with properties like `logoutStatusJwt` and `accessToken`) is out of scope of Config-API and is managed by another component.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
- jans-config-api/plugins/docs/lock-plugin-swagger.yaml
- jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T13:06:51.178Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:06:51.178Z
Learning: Swagger spec files in jans-config-api/docs are auto-generated from the underlying API source components. Do not modify property descriptions directly in the generated YAML; instead, add (or adjust) property descriptions in the corresponding source components (e.g., jans-auth, jans-fido2, jans-lock) so the descriptions propagate to the generated Swagger.
Applied to files:
jans-config-api/docs/jans-config-api-swagger.yaml
📚 Learning: 2025-12-17T13:07:08.750Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:07:08.750Z
Learning: When reviewing components like `jans-auth`, `jans-fido2`, `jans-lock` in the JanssenProject/jans repository, raise issues about missing property descriptions in API model classes, as these descriptions will be reflected in the auto-generated Swagger specifications.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
- jans-config-api/plugins/docs/lock-plugin-swagger.yaml
- jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T12:44:14.086Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T12:44:14.086Z
Learning: In the jans-config-api (Janssen Project), the model class containing the `runAllUpdateTokenScripts` field is out of scope of Config-API and should not be included in `jans-config-api/docs/jans-config-api-swagger.yaml`.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
- jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
📚 Learning: 2025-12-18T13:11:58.866Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/docs/jans-config-api-swagger.yaml:14949-14965
Timestamp: 2025-12-18T13:11:58.866Z
Learning: This swagger file is auto-generated from JansAttribute.java in the Jans Core module. Do not edit jans-config-api/docs/jans-config-api-swagger.yaml manually. Validate that the swagger properties correspond to Java getters (e.g., adminCanEdit comes from isAdminCanEdit(), userCanView from isUserCanView()) and any computed properties are represented via getters. To change the set of properties, modify JansAttribute.java (or the generator configuration) and re-run the code generation so the YAML reflects the updated model.
Applied to files:
jans-config-api/docs/jans-config-api-swagger.yaml
📚 Learning: 2025-11-14T12:07:49.986Z
Learnt from: moabu
Repo: JanssenProject/jans PR: 12687
File: terraform-provider-jans/jans/schemas.go:44-61
Timestamp: 2025-11-14T12:07:49.986Z
Learning: In terraform-provider-jans/jans/schemas.go, the SCIM schema endpoints (/jans-scim/restv1/v2/Schemas/) are public discovery endpoints per RFC 7644 and do not require OAuth scopes or authentication tokens. The GetSchemas and GetSchema methods intentionally pass empty strings for token and scope parameters.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/docs/lock-plugin-swagger.yaml
📚 Learning: 2025-12-22T15:34:27.638Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/plugins/jans-link-plugin/src/main/java/io/jans/configapi/plugin/link/util/Constants.java:16-17
Timestamp: 2025-12-22T15:34:27.638Z
Learning: Guideline: In the Jans config-api module, when defining OAuth scope URLs, do not include the project name prefix (e.g., omit the 'jans-' prefix). Use URLs like https://jans.io/oauth/config/link.admin rather than https://jans.io/oauth/config/jans-link.admin. This renaming should be applied across Java files that declare or construct scope URLs within the config-api component, and related tests should be updated to reflect the new convention.
Applied to files:
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
- jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
📚 Learning: 2025-12-18T13:12:06.219Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/docs/jans-config-api-swagger.yaml:14949-14965
Timestamp: 2025-12-18T13:12:06.219Z
Learning: In the jans-config-api project, the swagger spec file `jans-config-api/docs/jans-config-api-swagger.yaml` is auto-generated from the `jans-core/service/src/main/java/io/jans/model/JansAttribute.java` model class. Properties in the swagger spec correspond to getter methods in the Java class, including computed properties like `adminCanEdit` (from `isAdminCanEdit()`), `userCanView` (from `isUserCanView()`), etc.
Applied to files:
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
- jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
📚 Learning: 2025-12-17T13:07:08.750Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:07:08.750Z
Learning: In the JanssenProject/jans repository, Swagger specification files under `jans-config-api/docs/` are auto-generated from underlying API code in source components. Property descriptions must be added in the source components (like `jans-auth`, `jans-fido2`, `jans-lock`) rather than directly in the generated Swagger YAML files.
Applied to files:
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
- jans-config-api/plugins/docs/lock-plugin-swagger.yaml
- jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-11-18T07:43:55.761Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12704
File: jans-config-api/docs/jans-config-api-swagger.yaml:17540-17546
Timestamp: 2025-11-18T07:43:55.761Z
Learning: The file `jans-config-api/docs/jans-config-api-swagger.yaml` is auto-generated with dependent modules changes and metadata. The config API does not override it.
Applied to files:
- jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
- jans-config-api/plugins/docs/lock-plugin-swagger.yaml
- jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
📚 Learning: 2025-12-17T13:08:11.604Z
Learnt from: dagregi
Repo: JanssenProject/jans PR: 12833
File: jans-cedarling/schema/minimal_policy_store.json:13-21
Timestamp: 2025-12-17T13:08:11.604Z
Learning: In jans-cedarling/schema/cedarling_core.cedarschema, the Access_token entity intentionally includes both a `scope?: Set<String>` attribute and `tags Set<String>` declaration. This dual approach is by design, allowing scope to be accessed either as an attribute or dynamically as a tag depending on the use case.
Applied to files:
jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java
🧬 Code graph analysis (2)
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java (1)
jans-config-api/common/src/main/java/io/jans/configapi/util/ApiAccessConstants.java (1)
ApiAccessConstants(3-141)
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java (2)
jans-config-api/common/src/main/java/io/jans/configapi/util/ApiAccessConstants.java (1)
ApiAccessConstants(3-141)
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/util/Constants.java (1)
Constants(9-43)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
- GitHub Check: sonar scan (jans-casa)
- GitHub Check: sonar scan (jans-fido2)
- GitHub Check: sonar scan (jans-link)
- GitHub Check: sonar scan (jans-cli-tui)
- GitHub Check: sonar scan (jans-config-api)
🔇 Additional comments (10)
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java (1)
16-16: LGTM! The import is necessary for referencing the super admin scope constants used in lines 62-64.
jans-config-api/server/src/main/java/io/jans/configapi/rest/ApiApplication.java (2)
125-148: LGTM: Comprehensive admin scope additions with consistent naming. The 24 new admin-level scopes follow the established `*_ADMIN_ACCESS` naming convention consistently and provide clear, uniform descriptions. The past naming issues with `MESSAGE_ADMIN_ACCESS`, `SCOPES_ADMIN_ACCESS`, `AUTH_SSA_ADMIN_ACCESS`, and `HEALTH_ADMIN_ACCESS` have been properly addressed (confirmed in review history). Based on learnings, this aligns with the project's scope naming convention (excluding the "jans-" prefix) and provides the feature-wise admin access control required by issue #11633.
199-201: Good practice: Conditional resource registration based on configuration. The conditional inclusion of `AssetResource` based on `assetMgtEnabled` configuration is a sound approach that prevents exposing endpoints when the feature is disabled.
jans-config-api/plugins/docs/lock-plugin-swagger.yaml (2)
62-72: LGTM! Security scopes properly expanded for read endpoints. The security configuration for search endpoints correctly implements the feature-wise admin scope pattern:
- Feature-specific readonly scope (e.g., `health.readonly`)
- Feature-specific write scope (e.g., `health.write`)
- Lock admin scope (`config/lock.admin`)
- Lock-level read-all (`lock/read-all`)
- Config-level read-all (`config/read-all`)

This provides appropriate access at multiple privilege levels.
Also applies to: 115-125, 168-178
216-224: LGTM! Write endpoint security follows consistent pattern. Bulk save operations correctly require write-level scopes with admin override capability via `config/lock.admin`, `lock/write-all`, and `config/write-all`.
Also applies to: 262-270, 308-316
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml (2)
2090-2107: LGTM! New admin scope definitions are properly documented. The newly added scope definitions correctly document:
- Feature-specific admin scopes (`license.admin`, `role.admin`, `permission.admin`, `rolePermissionMapping.admin`)
- Super-admin scopes (`read-all`, `write-all`, `delete-all`)

Descriptions appropriately indicate "super-user level" access.
221-226: The swagger scopes for role-permission mapping endpoints are correct. The Java implementation explicitly designates `permission.admin` as the superscope for all rolePermissionMapping operations (GET, POST, PUT), not `rolePermissionMapping.admin`. While the constant `SCOPE_ROLE_PERMISSION_MAPPING_ADMIN` is defined in AdminUIResource.java (line 58), it is intentionally unused; the endpoints use `permission.admin` together with granular read/write scopes for role-permission mappings. The swagger file accurately reflects this design.
Likely an incorrect or invalid review comment.
jans-config-api/docs/jans-config-api-swagger.yaml (3)
71-15361: LGTM! Systematic feature-wise admin scope implementation. The security scope additions are well-structured and consistent across all 128 endpoint modifications:
- Each feature now has a dedicated admin scope (e.g., `acrs.admin`, `agama.admin`, `attributes.admin`)
- Global admin scopes (`read-all`, `write-all`, `delete-all`) provide super-admin access
- Scope naming convention is uniform: `https://jans.io/oauth/{namespace}/{feature}.admin`
- Existing read/write/delete scopes are preserved and complemented with admin-level access
- The `auth/ssa.admin` scope at line 14295 correctly references the jans-auth component scope (per learnings)

This implementation provides fine-grained RBAC control while maintaining backward compatibility with existing scopes.
Based on learnings, this swagger file is auto-generated from Java source components.
18618-18678: LGTM! Comprehensive security scope definitions. The OAuth2 security scheme definitions are well-documented with clear descriptions for all new admin scopes:
- Super admin scopes (`read-all`, `write-all`, `delete-all`) are clearly marked as super admin access
- Feature-specific admin scopes follow consistent description pattern: "Admin for {feature} management"
- All scopes added to endpoints (hunks 1-128) are properly defined here
- OpenID and UMA scopes include both readonly/write/delete and admin variants for fine-grained control
The scope documentation provides clear guidance for API consumers on authorization requirements.
18486-18487: No changes required. The `accessToken` property is a computed boolean field derived from the `isAccessToken()` method in `TokenEntity.java` (lines 230-233), which checks whether the token type is an access token. This follows standard Java conventions where "is" prefix boolean getters are converted to property names in auto-generated Swagger specifications. The property naming is correct and semantically clear.
Signed-off-by: pujavs <pujas.works@gmail.com>
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java (3)
56-56: Minor typo in constant value. `"Asset Data From"` appears to be a typo for `"Asset Data Form"`.
🔎 Proposed fix

```diff
- private static final String ASSET_DATA_FORM = "Asset Data From";
+ private static final String ASSET_DATA_FORM = "Asset Data Form";
```
361-361: Misleading log message references wrong resource type. The log message mentions "IdentityProvider" but this is `AssetResource`. This appears to be a copy-paste artifact.
🔎 Proposed fix

```diff
- log.info("Create IdentityProvider - asset:{}", asset);
+ log.info("Created asset:{}", asset);
```
401-401: Log message incorrectly says "Create" for update operation.
🔎 Proposed fix

```diff
- log.debug(" Create asset:{} ", asset);
+ log.debug(" Update asset:{} ", asset);
```
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (2)
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java
🧰 Additional context used
🧬 Code graph analysis (1)
jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java (2)
jans-config-api/common/src/main/java/io/jans/configapi/util/ApiAccessConstants.java (1)
ApiAccessConstants (3-141)
jans-config-api/common/src/main/java/io/jans/configapi/util/ApiConstants.java (1)
ApiConstants (9-189)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: sonar scan (jans-config-api)
🔇 Additional comments (9)
jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java (6)
97-99: Scope hierarchy for read endpoint is well-structured.
The authorization levels correctly escalate: read access at the base level, write access as a group scope (implying read capability), and admin scopes as super scopes. This provides appropriate flexibility for authorization.
139-141: Consistent read endpoint authorization.
Scope configuration aligns with the `getAssets` endpoint pattern.
180-182: Read endpoint authorization is consistent.
224-226: Read-only service/type/mapping endpoints follow consistent authorization pattern.
Also applies to: 257-259, 287-289
324-325: Scope duplication issue addressed.
The previous review feedback was implemented correctly—`groupScopes = {}` removes the redundant `ASSET_ADMIN_ACCESS` that would otherwise appear in both arrays.
534-581: Private helper methods unchanged.
The `doSearch`, `searchByName`, and `getDocumentPagedResult` helper methods have no functional changes and correctly support the endpoint implementations.
jans-config-api/docs/jans-config-api-swagger.yaml (3)
71-77: LGTM — Systematic addition of admin-level scopes follows RBAC best practices.
The security scope additions are comprehensive and consistent across all 128 endpoint operations:
- Admin scopes (`.admin`) added alongside existing CRUD scopes for feature-level administration
- Super-admin scopes (`read-all`, `write-all`, `delete-all`) added appropriately for cross-feature access
- Namespace consistency maintained: `/oauth/config/`, `/oauth/jans-auth-server/`, `/oauth/client/`
- Hierarchical access model implemented: admin > write > read
- Feature grouping logical: e.g., `agama.admin` covers both agama-deployment and agama-repo
Special cases correctly handled:
- `https://jans.io/auth/ssa.admin` uses the `/auth/` namespace (managed by jans-auth component, as per learnings)
- `https://jans.io/oauth/client/authorizations.admin` uses the `/client/` namespace (consistent with prior fix)
The scope descriptions in the `securitySchemes` section (lines 18618-18678) provide clear documentation for all new admin scopes.
Based on learnings: This swagger file is auto-generated from Java source. The scope naming convention intentionally excludes the "jans-" prefix.
Also applies to: 198-204, 230-241, 285-292, 325-336, 380-387, 411-418, 449-460, 537-544, 579-590, 619-630, 656-667, 697-708, 763-775, 810-818, 856-868, 897-909, 1023-1035, 1064-1076, 1105-1117, 1167-1175, 1240-1248, 1303-1311, 1454-1465, 1550-1557, 1644-1651, 1712-1723, 1745-1752, 1821-1828, 1883-1894, 1912-1923, 1958-1965, 1985-1996, 2021-2032, 2084-2095, 2162-2169, 2194-2205, 2242-2249, 2286-2293, 2322-2333, 2380-2387, 2428-2435, 2463-2474, 2517-2524, 2564-2571, 2604-2615, 2668-2675, 2720-2727, 2762-2769, 2888-2897, 3565-3578, 3792-3801, 4012-4021, 4166-4177, 4199-4208, 4367-4376, 4394-4405, 4434-4441, 4470-4481, 4533-4540, 4590-4597, 4610-4617, 4646-4653, 4770-4781, 4855-4862, 4945-4952, 4975-4982, 5022-5029, 5082-5093, 5146-5157, 5245-5256, 5304-5315, 5418-5429, 10907-10918, 10983-10994, 11016-11023, 11079-11086, 11126-11137, 11203-11210, 11269-11276, 11335-11342, 11387-11398, 11469-11476, 11547-11554, 11602-11613, 11638-11645, 11706-11713, 11743-11752, 11781-11792, 11837-11844, 11866-11877, 11910-11917, 11939-11950, 11981-11988, 12021-12028, 12050-12061, 12092-12099, 12132-12139, 12172-12183, 12235-12242, 12280-12289, 12314-12323, 12458-12469, 12546-12553, 12626-12633, 13010-13021, 13043-13050, 13116-13123, 13496-13507, 13881-13892, 13923-13932, 13955-13962, 13986-13993, 14095-14104, 14255-14264, 14291-14300, 14348-14359, 14543-14554, 14603-14614, 14639-14648, 14869-14880, 14996-15008, 15068-15076, 15132-15140, 15184-15196, 15217-15225, 15280-15288, 15350-15362, 18618-18678
12293-12294: Documentation improvement: endpoint description now accurate.
The endpoint summary and description were updated from "Get all plugins" to "Check if plugin is deployed", which correctly reflects that this endpoint queries a specific plugin by name (path parameter `{pluginName}`), not all plugins.
18483-18490: No issue found - accessToken boolean field is correctly generated.
The `accessToken` field in the swagger schema is auto-generated from the `isAccessToken()` method in TokenEntity.java (lines 230-233), which computes a boolean value based on the tokenType. Jackson/Swagger automatically serializes `isAccessToken()` as `accessToken: boolean` following standard JSON naming conventions. Similarly, `isLogoutStatusJwt()` is serialized as `logoutStatusJwt: boolean`. These are computed properties, not direct fields, so the boolean type and naming are semantically correct and require no changes.
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Actionable comments posted: 1
♻️ Duplicate comments (1)
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml (1)
218-226: Inconsistent admin scope: `permission.admin` used instead of `rolePermissionMapping.admin` in rolePermissionMapping endpoints.
The rolePermissionMapping endpoints grant access via `permission.admin` (lines 224, 266, 308, 635, 678), but the feature-specific admin scope `rolePermissionMapping.admin` is defined (line 2106) and unused. This breaks the established pattern where role endpoints use `role.admin` and permission endpoints use `permission.admin`. The current configuration grants permission administrators unintended access to role-permission mapping operations. Replace `permission.admin` with `rolePermissionMapping.admin` in all rolePermissionMapping endpoint definitions.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (6)
jans-config-api/docs/jans-config-api-swagger.yaml
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
jans-config-api/plugins/docs/lock-plugin-swagger.yaml
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java
🧰 Additional context used
🧠 Learnings (14)
📓 Common learnings
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/plugins/jans-link-plugin/src/main/java/io/jans/configapi/plugin/link/util/Constants.java:16-17
Timestamp: 2025-12-22T15:34:36.425Z
Learning: In the Jans project's config-api component, there is an intentional shift in OAuth scope URL naming convention to exclude the "jans-" prefix from scope identifiers. Scope URLs like `https://jans.io/oauth/config/link.admin` (without "jans-link") are preferred over `https://jans.io/oauth/config/jans-link.admin`. This is part of a deliberate renaming effort to exclude the project name from scope names.
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/docs/jans-config-api-swagger.yaml:0-0
Timestamp: 2025-12-18T12:50:04.709Z
Learning: In the Jans project's jans-config-api component, the scope `https://jans.io/auth/ssa.admin` is specified by the jans-auth component for SSA (Software Statement Assertion) endpoints and is out of scope for the Config API.
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/profiles/local/test.properties:2-2
Timestamp: 2025-12-24T06:56:54.128Z
Learning: In jans-config-api test configuration files (like test.properties), the scopes `https://jans.io/auth/ssa.admin`, `https://jans.io/auth/ssa.portal`, and `https://jans.io/auth/ssa.developer` are required for test cases to execute successfully, even though these scopes are managed by the jans-auth component. Test configurations can include scopes from other components when needed for integration testing.
📚 Learning: 2025-12-18T12:50:04.709Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/docs/jans-config-api-swagger.yaml:0-0
Timestamp: 2025-12-18T12:50:04.709Z
Learning: In the Jans project's jans-config-api component, the scope `https://jans.io/auth/ssa.admin` is specified by the jans-auth component for SSA (Software Statement Assertion) endpoints and is out of scope for the Config API.
Applied to files:
jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
jans-config-api/docs/jans-config-api-swagger.yaml
jans-config-api/plugins/docs/lock-plugin-swagger.yaml
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-24T06:56:54.128Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/profiles/local/test.properties:2-2
Timestamp: 2025-12-24T06:56:54.128Z
Learning: In jans-config-api test configuration files (like test.properties), the scopes `https://jans.io/auth/ssa.admin`, `https://jans.io/auth/ssa.portal`, and `https://jans.io/auth/ssa.developer` are required for test cases to execute successfully, even though these scopes are managed by the jans-auth component. Test configurations can include scopes from other components when needed for integration testing.
Applied to files:
jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
jans-config-api/docs/jans-config-api-swagger.yaml
jans-config-api/plugins/docs/lock-plugin-swagger.yaml
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-22T15:34:27.638Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/plugins/jans-link-plugin/src/main/java/io/jans/configapi/plugin/link/util/Constants.java:16-17
Timestamp: 2025-12-22T15:34:27.638Z
Learning: Guideline: In the Jans config-api module, when defining OAuth scope URLs, do not include the project name prefix (e.g., omit the 'jans-' prefix). Use URLs like https://jans.io/oauth/config/link.admin rather than https://jans.io/oauth/config/jans-link.admin. This renaming should be applied across Java files that declare or construct scope URLs within the config-api component, and related tests should be updated to reflect the new convention.
Applied to files:
jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
📚 Learning: 2025-12-17T12:44:48.624Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:0-0
Timestamp: 2025-12-17T12:44:48.624Z
Learning: In the jans-config-api project, the model class referenced in the Swagger file at jans-config-api/docs/jans-config-api-swagger.yaml (around line 17747 with properties like `logoutStatusJwt` and `accessToken`) is out of scope of Config-API and is managed by another component.
Applied to files:
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
jans-config-api/docs/jans-config-api-swagger.yaml
jans-config-api/plugins/docs/lock-plugin-swagger.yaml
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T13:07:08.750Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:07:08.750Z
Learning: When reviewing components like `jans-auth`, `jans-fido2`, `jans-lock` in the JanssenProject/jans repository, raise issues about missing property descriptions in API model classes, as these descriptions will be reflected in the auto-generated Swagger specifications.
Applied to files:
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
jans-config-api/docs/jans-config-api-swagger.yaml
jans-config-api/plugins/docs/lock-plugin-swagger.yaml
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T13:07:08.750Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:07:08.750Z
Learning: In the JanssenProject/jans repository, Swagger specification files under `jans-config-api/docs/` are auto-generated from underlying API code in source components. Property descriptions must be added in the source components (like `jans-auth`, `jans-fido2`, `jans-lock`) rather than directly in the generated Swagger YAML files.
Applied to files:
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
jans-config-api/plugins/docs/lock-plugin-swagger.yaml
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T12:44:14.086Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T12:44:14.086Z
Learning: In the jans-config-api (Janssen Project), the model class containing the `runAllUpdateTokenScripts` field is out of scope of Config-API and should not be included in `jans-config-api/docs/jans-config-api-swagger.yaml`.
Applied to files:
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java
jans-config-api/docs/jans-config-api-swagger.yaml
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-22T15:34:36.425Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/plugins/jans-link-plugin/src/main/java/io/jans/configapi/plugin/link/util/Constants.java:16-17
Timestamp: 2025-12-22T15:34:36.425Z
Learning: In the Jans project's config-api component, there is an intentional shift in OAuth scope URL naming convention to exclude the "jans-" prefix from scope identifiers. Scope URLs like `https://jans.io/oauth/config/link.admin` (without "jans-link") are preferred over `https://jans.io/oauth/config/jans-link.admin`. This is part of a deliberate renaming effort to exclude the project name from scope names.
Applied to files:
jans-config-api/docs/jans-config-api-swagger.yaml
jans-config-api/plugins/docs/lock-plugin-swagger.yaml
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T13:06:51.178Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:06:51.178Z
Learning: Swagger spec files in jans-config-api/docs are auto-generated from the underlying API source components. Do not modify property descriptions directly in the generated YAML; instead, add (or adjust) property descriptions in the corresponding source components (e.g., jans-auth, jans-fido2, jans-lock) so the descriptions propagate to the generated Swagger.
Applied to files:
jans-config-api/docs/jans-config-api-swagger.yaml
📚 Learning: 2025-12-18T13:11:58.866Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/docs/jans-config-api-swagger.yaml:14949-14965
Timestamp: 2025-12-18T13:11:58.866Z
Learning: This swagger file is auto-generated from JansAttribute.java in the Jans Core module. Do not edit jans-config-api/docs/jans-config-api-swagger.yaml manually. Validate that the swagger properties correspond to Java getters (e.g., adminCanEdit comes from isAdminCanEdit(), userCanView from isUserCanView()) and any computed properties are represented via getters. To change the set of properties, modify JansAttribute.java (or the generator configuration) and re-run the code generation so the YAML reflects the updated model.
Applied to files:
jans-config-api/docs/jans-config-api-swagger.yaml
📚 Learning: 2025-11-14T12:07:49.986Z
Learnt from: moabu
Repo: JanssenProject/jans PR: 12687
File: terraform-provider-jans/jans/schemas.go:44-61
Timestamp: 2025-11-14T12:07:49.986Z
Learning: In terraform-provider-jans/jans/schemas.go, the SCIM schema endpoints (/jans-scim/restv1/v2/Schemas/) are public discovery endpoints per RFC 7644 and do not require OAuth scopes or authentication tokens. The GetSchemas and GetSchema methods intentionally pass empty strings for token and scope parameters.
Applied to files:
jans-config-api/docs/jans-config-api-swagger.yaml
jans-config-api/plugins/docs/lock-plugin-swagger.yaml
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-11-18T07:43:55.761Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12704
File: jans-config-api/docs/jans-config-api-swagger.yaml:17540-17546
Timestamp: 2025-11-18T07:43:55.761Z
Learning: The file `jans-config-api/docs/jans-config-api-swagger.yaml` is auto-generated with dependent modules changes and metadata. The config API does not override it.
Applied to files:
jans-config-api/plugins/docs/lock-plugin-swagger.yaml
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-18T13:12:06.219Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/docs/jans-config-api-swagger.yaml:14949-14965
Timestamp: 2025-12-18T13:12:06.219Z
Learning: In the jans-config-api project, the swagger spec file `jans-config-api/docs/jans-config-api-swagger.yaml` is auto-generated from the `jans-core/service/src/main/java/io/jans/model/JansAttribute.java` model class. Properties in the swagger spec correspond to getter methods in the Java class, including computed properties like `adminCanEdit` (from `isAdminCanEdit()`), `userCanView` (from `isUserCanView()`), etc.
Applied to files:
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
🧬 Code graph analysis (2)
jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java (2)
jans-config-api/common/src/main/java/io/jans/configapi/util/ApiAccessConstants.java (1)
ApiAccessConstants (3-141)
jans-config-api/common/src/main/java/io/jans/configapi/util/ApiConstants.java (1)
ApiConstants (9-189)
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java (2)
jans-config-api/common/src/main/java/io/jans/configapi/util/ApiAccessConstants.java (1)
ApiAccessConstants (3-141)
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/util/Constants.java (1)
Constants (9-43)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: sonar scan (jans-config-api)
🔇 Additional comments (14)
jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/ApiApplication.java (2)
4-4: LGTM! Necessary import for super admin scope constants.
The import of `ApiAccessConstants` is required for referencing the super admin scopes added to the security definitions below.
41-46: LGTM! Admin and super admin scopes properly added.
The OAuth scope definitions are correct and well-structured:
- The `LOCK_ADMIN_ACCESS` description has been properly updated to reflect its broader admin purpose (addressing the previous review comment).
- Super admin scopes (`SUPER_ADMIN_READ_ACCESS`, `SUPER_ADMIN_WRITE_ACCESS`, `SUPER_ADMIN_DELETE_ACCESS`) are consistently added with clear descriptions.
- All scope constants are properly referenced from their respective classes.
- This aligns well with the PR objective of introducing feature-wise admin scopes.
jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java (1)
73-580: LGTM! Well-implemented feature-wise admin scope authorization.
The security scope implementation is correct and consistent across all asset endpoints:
- Read operations properly define a privilege hierarchy: primary read scope, with write as a group scope (since write implies read), and admin/super-admin scopes for elevated access
- Write/delete operations correctly use `groupScopes = {}` to avoid redundant scope declarations (addressing previous review feedback)
- Comprehensive Javadocs clearly document each endpoint's parameters, return values, and behavior
- Authorization model is logical: ASSET_ADMIN_ACCESS grants full control over the asset feature, while SUPER_ADMIN_* scopes provide cross-feature administrative capabilities
The fixes from previous reviews have been properly applied—no scope duplication remains.
jans-config-api/docs/jans-config-api-swagger.yaml (2)
230-240: Verify that write scopes on GET operations align with intended RBAC model.
GET operations throughout the file include `write` and `write-all` scopes alongside `readonly` and `read-all` scopes (examples: lines 230-240, 1454-1464, 2888-2896, 3565-3577, 4166-4176). This pattern suggests a hierarchical permissions model where write permission holders can also read.
While this may be intentional, confirm this aligns with your security design. A stricter least-privilege approach would limit GET operations to only read-related scopes (`readonly`, `admin`, `read-all`), reserving write scopes exclusively for mutating operations.
Based on learnings, this swagger file is auto-generated from Java security annotations. If the current pattern is correct, no action needed. If GET operations should not require write permissions, update the source `@ProtectedApi` annotations to remove write scopes from read-only endpoints.
Also applies to: 1454-1464, 2888-2896, 3565-3577, 4166-4176
18618-18678: LGTM! Comprehensive security scope definitions.
The security scheme documentation thoroughly defines the new RBAC model with:
- Super-admin scopes (`read-all`, `write-all`, `delete-all`)
- Feature-specific admin scopes for granular control
- Consistent scope naming conventions per project standards
The scope descriptions clearly communicate each permission level, supporting the PR objective to introduce feature-wise admin-level scopes.
Based on learnings, scope naming correctly excludes the "jans-" prefix and uses appropriate namespaces.
jans-config-api/plugins/docs/lock-plugin-swagger.yaml (5)
62-72: Security scope additions for read endpoints are consistent and follow proper RBAC pattern.
The OR-based security model (multiple `- oauth2:` blocks) correctly allows access via any of: resource-specific readonly, resource-specific write, feature admin (lock.admin), or super-admin scopes (`read-all`, `config/read-all`). This is a standard privilege escalation pattern.
Also applies to: 115-125, 168-178
216-224: Write endpoint security scopes are correctly configured.
All POST endpoints consistently require either the resource-specific write scope, feature-level admin (`lock.admin`), or super-admin write scopes (`write-all`, `config/write-all`). The pattern correctly excludes read-only scopes from write operations.
Also applies to: 262-270, 308-316, 352-360, 396-404, 440-448
467-479: Lock configuration endpoint security is properly configured.
The GET endpoint correctly includes both read and write super-admin scopes (following the pattern that write access implies read access). PUT and PATCH endpoints correctly require write-level scopes only.
Also applies to: 507-515, 545-553
601-610: Statistics endpoint security follows the established pattern.
The scope additions are consistent with other read endpoints, allowing access via admin or super-admin scopes while maintaining backward compatibility with the existing `jans_stat` scope.
882-890: Scope definitions are complete; `delete-all` scope is defined but unused in this plugin.
The scope descriptions are well-defined and the previous concern about `lock.admin` being too narrow has been addressed. The `https://jans.io/oauth/config/delete-all` scope is defined but not used in any endpoint within this file; only the `read-all` and `write-all` scopes are referenced in security blocks. This appears intentional since there are no DELETE operations in the Lock plugin API endpoints.
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java (2)
16-16: LGTM: Import required for super admin scope constants.
The import of `ApiAccessConstants` is necessary to reference the super admin scope constants used in lines 65-67.
48-67: LGTM: Feature-wise admin scopes properly defined.
The OAuth scope definitions correctly implement the PR's objective of adding feature-wise admin scopes:
- Consistent naming convention using `.readonly`, `.write`, `.delete`, and `.admin` suffixes
- Clear privilege hierarchy with `.admin` scopes described as "super-user level"
- Super admin global scopes properly imported from `ApiAccessConstants`
- Descriptions clearly differentiate between write and admin privilege levels
The scope additions align with the established patterns and past feedback has been addressed.
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml (2)
864-869: LGTM: License endpoint admin scopes properly configured.
License endpoints consistently implement the two-tier authorization model:
- Read operations: `license.readonly`, `license.write`, `license.admin`, `read-all`
- Write operations: `license.write`, `license.admin`, `write-all`
This provides both feature-specific admin control (`license.admin`) and global super-admin access (`read-all`, `write-all`), aligning with the PR's objective.
Also applies to: 936-941, 1010-1015, 1047-1052, 1089-1093, 1125-1130
2108-2113: No action required—scope namespace patterns are correctly differentiated by scope.
The pattern difference between global super admin scopes (`https://jans.io/oauth/config/read-all`) and feature-specific scopes (`https://jans.io/oauth/jans-auth-server/config/adminui/read-all`) is intentional. Global scopes spanning the entire Config API use the simpler, generic namespace, while component-specific scopes use qualified namespaces. This is consistent with the established naming convention of simplifying scope identifiers.
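As an added example (not JanssenProject code), the script below encodes the OR-based scope model the review describes (readonly, write-implies-read, feature admin, global read-all/write-all) and runs two of the review's checks over a constructed spec: read operations whose alternatives admit a write-level scope, and scopes referenced by operations but never declared under `securitySchemes` (the defect raised for the webhook endpoints in the next review). The scope namespaces are the ones used in this PR; the two paths, descriptions and token URL are made up.

```python
"""Static scope checks for an OpenAPI 3 spec.

Added example; not JanssenProject code. SAMPLE_SPEC is CONSTRUCTED to mirror
the reviewed pattern: one `oauth2` requirement per alternative (OR-ed),
feature scopes license.readonly/.write/.admin plus the global read-all and
write-all super-admin scopes, and one operation referencing an undeclared
scope. For a real file, pass the dict returned by yaml.safe_load() instead.
"""
from collections import defaultdict

# Namespaces taken from the reviewed spec; the two paths below are made up.
ADMINUI = "https://jans.io/oauth/jans-auth-server/config/adminui/"
GLOBAL = "https://jans.io/oauth/config/"
READ_METHODS = {"get", "head", "options"}

SAMPLE_SPEC = {
    "paths": {
        "/admin-ui/license/isActive": {  # constructed path
            "get": {"security": [
                {"oauth2": [ADMINUI + "license.readonly"]},
                {"oauth2": [ADMINUI + "license.write"]},   # write implies read
                {"oauth2": [ADMINUI + "license.admin"]},
                {"oauth2": [GLOBAL + "read-all"]},
            ]},
            "post": {"security": [
                {"oauth2": [ADMINUI + "license.write"]},
                {"oauth2": [ADMINUI + "license.admin"]},
                {"oauth2": [GLOBAL + "write-all"]},
            ]},
        },
        "/admin-ui/webhook": {  # constructed path; its scope is never declared
            "get": {"security": [{"oauth2": [ADMINUI + "webhook.readonly"]}]},
        },
    },
    "components": {"securitySchemes": {"oauth2": {
        "type": "oauth2",
        "flows": {"clientCredentials": {
            "tokenUrl": "https://token.example.invalid/token",  # placeholder
            "scopes": {
                ADMINUI + "license.readonly": "View license information",
                ADMINUI + "license.write": "Manage license information",
                ADMINUI + "license.admin": "Admin access to the license feature",
                GLOBAL + "read-all": "Read access to all Config API features",
                GLOBAL + "write-all": "Write access to all Config API features",
            },
        }},
    }}},
}


def declared_scopes(spec):
    """Every scope name declared under components.securitySchemes, any flow."""
    declared = set()
    for scheme in spec.get("components", {}).get("securitySchemes", {}).values():
        for flow in scheme.get("flows", {}).values():
            declared.update(flow.get("scopes", {}))
    return declared


def iter_operations(spec):
    """Yield (path, method, security requirement list) per secured operation."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if isinstance(op, dict) and "security" in op:
                yield path, method.lower(), op["security"]


def undeclared_scope_refs(spec):
    """Map each referenced-but-undeclared scope to the operations using it."""
    declared = declared_scopes(spec)
    missing = defaultdict(list)
    for path, method, security in iter_operations(spec):
        for requirement in security:
            for scopes in requirement.values():
                for scope in scopes:
                    if scope not in declared:
                        missing[scope].append(f"{method.upper()} {path}")
    return {scope: sorted(ops) for scope, ops in missing.items()}


def read_ops_accepting_write(spec):
    """Read-only operations whose alternatives admit a write-level scope."""
    hits = []
    for path, method, security in iter_operations(spec):
        if method not in READ_METHODS:
            continue
        for requirement in security:
            for scopes in requirement.values():
                for scope in scopes:
                    if scope.endswith((".write", "write-all")):
                        hits.append((f"{method.upper()} {path}", scope))
    return hits


def is_authorized(token_scopes, security):
    """OpenAPI semantics: alternatives are OR-ed, scopes inside one are AND-ed.
    An empty requirement object ({}) means unauthenticated access is allowed."""
    granted = set(token_scopes)
    return any(all(s in granted for scopes in req.values() for s in scopes)
               for req in security)
```

Running `undeclared_scope_refs` on the generated YAML before committing it catches the webhook-style omission; `read_ops_accepting_write` lists the GET operations to review under the least-privilege question raised above.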
Signed-off-by: pujavs <pujas.works@gmail.com>
@coderabbitai please re-review this PR again |
@pujavs I'll perform a comprehensive review of this PR, analyzing all the changes related to the feature-wise admin scope implementation across the config-api components.
✅ Actions performed: Review triggered.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml (1)
1241-1243: Critical: Webhook scopes missing from securitySchemes.
The webhook endpoints reference three scopes that are not defined in the `securitySchemes` section (lines 2068-2117):
- `https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly` (used at lines 1243, 1538, 1587, 1658, 1736)
- `https://jans.io/oauth/jans-auth-server/config/adminui/webhook.write` (used at lines 1319, 1395)
- `https://jans.io/oauth/jans-auth-server/config/adminui/webhook.delete` (used at line 1431)
OpenAPI specifications require all scopes referenced in endpoint security declarations to be defined under `securitySchemes`. Missing definitions will cause OpenAPI validation failures and prevent proper API documentation.
Based on learnings, this file is auto-generated from source annotations. Add the missing scope definitions in the underlying Java source code (likely in `jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java`) by adding `@OAuthScope` annotations similar to the pattern used for other scopes:
```java
@OAuthScope(name = "https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly", description = "View webhook related information"),
@OAuthScope(name = "https://jans.io/oauth/jans-auth-server/config/adminui/webhook.write", description = "Manage webhook related information"),
@OAuthScope(name = "https://jans.io/oauth/jans-auth-server/config/adminui/webhook.delete", description = "Delete webhook related information"),
```
Then regenerate this OpenAPI specification file.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (3)
jans-config-api/docs/jans-config-api-swagger.yaml
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
🧰 Additional context used
🧠 Learnings (14)
📚 Learning: 2025-12-22T15:34:36.425Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/plugins/jans-link-plugin/src/main/java/io/jans/configapi/plugin/link/util/Constants.java:16-17
Timestamp: 2025-12-22T15:34:36.425Z
Learning: In the Jans project's config-api component, there is an intentional shift in OAuth scope URL naming convention to exclude the "jans-" prefix from scope identifiers. Scope URLs like `https://jans.io/oauth/config/link.admin` (without "jans-link") are preferred over `https://jans.io/oauth/config/jans-link.admin`. This is part of a deliberate renaming effort to exclude the project name from scope names.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-18T12:50:04.709Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/docs/jans-config-api-swagger.yaml:0-0
Timestamp: 2025-12-18T12:50:04.709Z
Learning: In the Jans project's jans-config-api component, the scope `https://jans.io/auth/ssa.admin` is specified by the jans-auth component for SSA (Software Statement Assertion) endpoints and is out of scope for the Config API.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-24T06:56:54.128Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/profiles/local/test.properties:2-2
Timestamp: 2025-12-24T06:56:54.128Z
Learning: In jans-config-api test configuration files (like test.properties), the scopes `https://jans.io/auth/ssa.admin`, `https://jans.io/auth/ssa.portal`, and `https://jans.io/auth/ssa.developer` are required for test cases to execute successfully, even though these scopes are managed by the jans-auth component. Test configurations can include scopes from other components when needed for integration testing.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T12:44:48.624Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:0-0
Timestamp: 2025-12-17T12:44:48.624Z
Learning: In the jans-config-api project, the model class referenced in the Swagger file at jans-config-api/docs/jans-config-api-swagger.yaml (around line 17747 with properties like `logoutStatusJwt` and `accessToken`) is out of scope of Config-API and is managed by another component.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T13:07:08.750Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:07:08.750Z
Learning: When reviewing components like `jans-auth`, `jans-fido2`, `jans-lock` in the JanssenProject/jans repository, raise issues about missing property descriptions in API model classes, as these descriptions will be reflected in the auto-generated Swagger specifications.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T12:44:14.086Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T12:44:14.086Z
Learning: In the jans-config-api (Janssen Project), the model class containing the `runAllUpdateTokenScripts` field is out of scope of Config-API and should not be included in `jans-config-api/docs/jans-config-api-swagger.yaml`.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T13:06:51.178Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:06:51.178Z
Learning: Swagger spec files in jans-config-api/docs are auto-generated from the underlying API source components. Do not modify property descriptions directly in the generated YAML; instead, add (or adjust) property descriptions in the corresponding source components (e.g., jans-auth, jans-fido2, jans-lock) so the descriptions propagate to the generated Swagger.
Applied to files:
jans-config-api/docs/jans-config-api-swagger.yaml
📚 Learning: 2025-12-18T13:11:58.866Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/docs/jans-config-api-swagger.yaml:14949-14965
Timestamp: 2025-12-18T13:11:58.866Z
Learning: This swagger file is auto-generated from JansAttribute.java in the Jans Core module. Do not edit jans-config-api/docs/jans-config-api-swagger.yaml manually. Validate that the swagger properties correspond to Java getters (e.g., adminCanEdit comes from isAdminCanEdit(), userCanView from isUserCanView()) and any computed properties are represented via getters. To change the set of properties, modify JansAttribute.java (or the generator configuration) and re-run the code generation so the YAML reflects the updated model.
Applied to files:
jans-config-api/docs/jans-config-api-swagger.yaml
📚 Learning: 2025-11-14T12:07:49.986Z
Learnt from: moabu
Repo: JanssenProject/jans PR: 12687
File: terraform-provider-jans/jans/schemas.go:44-61
Timestamp: 2025-11-14T12:07:49.986Z
Learning: In terraform-provider-jans/jans/schemas.go, the SCIM schema endpoints (/jans-scim/restv1/v2/Schemas/) are public discovery endpoints per RFC 7644 and do not require OAuth scopes or authentication tokens. The GetSchemas and GetSchema methods intentionally pass empty strings for token and scope parameters.
Applied to files:
- jans-config-api/docs/jans-config-api-swagger.yaml
- jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-22T15:34:27.638Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12736
File: jans-config-api/plugins/jans-link-plugin/src/main/java/io/jans/configapi/plugin/link/util/Constants.java:16-17
Timestamp: 2025-12-22T15:34:27.638Z
Learning: Guideline: In the Jans config-api module, when defining OAuth scope URLs, do not include the project name prefix (e.g., omit the 'jans-' prefix). Use URLs like https://jans.io/oauth/config/link.admin rather than https://jans.io/oauth/config/jans-link.admin. This renaming should be applied across Java files that declare or construct scope URLs within the config-api component, and related tests should be updated to reflect the new convention.
Applied to files:
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java
📚 Learning: 2025-12-17T13:07:08.750Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:07:08.750Z
Learning: In the JanssenProject/jans repository, Swagger specification files under `jans-config-api/docs/` are auto-generated from underlying API code in source components. Property descriptions must be added in the source components (like `jans-auth`, `jans-fido2`, `jans-lock`) rather than directly in the generated Swagger YAML files.
Applied to files:
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-11-18T07:43:55.761Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12704
File: jans-config-api/docs/jans-config-api-swagger.yaml:17540-17546
Timestamp: 2025-11-18T07:43:55.761Z
Learning: The file `jans-config-api/docs/jans-config-api-swagger.yaml` is auto-generated with dependent modules changes and metadata. The config API does not override it.
Applied to files:
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
📚 Learning: 2025-12-17T13:08:11.604Z
Learnt from: dagregi
Repo: JanssenProject/jans PR: 12833
File: jans-cedarling/schema/minimal_policy_store.json:13-21
Timestamp: 2025-12-17T13:08:11.604Z
Learning: In jans-cedarling/schema/cedarling_core.cedarschema, the Access_token entity intentionally includes both a `scope?: Set<String>` attribute and `tags Set<String>` declaration. This dual approach is by design, allowing scope to be accessed either as an attribute or dynamically as a tag depending on the use case.
Applied to files:
jans-config-api/plugins/docs/jans-admin-ui-plugin-swagger.yaml
🧬 Code graph analysis (1)
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java (1)
jans-config-api/common/src/main/java/io/jans/configapi/util/ApiAccessConstants.java (1)
ApiAccessConstants (3-141)
🔇 Additional comments (5)
jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/ApiApplication.java (3)
16-16: LGTM! Good practice to import and use the centralized `ApiAccessConstants` for super admin scope constants rather than hardcoding the URIs.
48-66: LGTM! The OAuth scope additions are well-structured:
- Clear hierarchy with `.readonly`, `.write`, `.delete`, and `.admin` variants.
- Descriptions properly differentiate access levels (e.g., "Manage..." for `.write` vs "Full administrative access... (super-user level)" for `.admin`).
67-69: LGTM! Super admin scopes correctly reference `ApiAccessConstants`, and descriptions now explicitly convey the global/omnipotent nature ("Super admin ... access to all configuration resources"), which aligns with the `-all` suffix in the scope URIs.
jans-config-api/docs/jans-config-api-swagger.yaml (2)
12293-12294: Documentation clarification approved. The endpoint description update to "Check if plugin is deployed" provides clearer intent for this operation.
15695-15709: Schema property additions approved. The new properties (`adminCanAccess`, `userCanAccess`, `adminCanEdit`, `userCanEdit`, `includeRequestedClaimsInIdToken`, `disableExternalLoggerConfiguration`, `opbrowserState`, `logoutStatusJwt`) and reorderings are correctly auto-generated from the underlying Java models (e.g., JansAttribute.java, AppConfiguration.java). Based on learnings, these schema definitions reflect the getter methods and field declarations in the source models.
Also applies to: 15775-15782, 17579-17586, 18309-18318, 18493-18500
|
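The review above describes the authorization model this PR introduces: per-feature scopes with `.readonly`, `.write`, `.delete` and `.admin` variants, super-admin scopes carrying an `-all` suffix that cover every configuration resource, and a naming convention that drops the `jans-` prefix from the feature part of a scope URI (e.g. `https://jans.io/oauth/config/link.admin`, not `.../jans-link.admin`). What the thread never shows is how an endpoint guard resolves a required scope against that hierarchy. The following is an added example written for this page, not code from the Janssen config-api, and it is in Python rather than the project's Java so it can be run stand-alone. Everything beyond the scope URIs quoted in the thread is an assumption: the exact super-admin URIs (`https://jans.io/oauth/config/<level>-all`), the rule that a feature's `.admin` scope implies that feature's other three levels, and the rule that `.write` does not imply `.readonly`. A deployment should replace those with the constants actually declared in `ApiAccessConstants`.

```python
"""Scope-hierarchy check for Config API style endpoint guards.

Added example, not Janssen project code. Models the layout described in
the PR review: feature scopes ending in .readonly/.write/.delete/.admin,
plus super-admin scopes ending in "-all". Super-admin URIs and the
implication rules below are ASSUMPTIONS, not taken from the project.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

LEVELS = ("readonly", "write", "delete", "admin")

# Assumed implication table: .admin covers the other levels of the same
# feature; every other level grants only itself (write does not imply read).
IMPLIED: Dict[str, Set[str]] = {
    "readonly": {"readonly"},
    "write": {"write"},
    "delete": {"delete"},
    "admin": {"readonly", "write", "delete", "admin"},
}

# Hypothetical super-admin URIs (the thread only says they end in "-all").
# Maps scope URI -> level granted on EVERY feature.
SUPER_ADMIN: Dict[str, str] = {
    f"https://jans.io/oauth/config/{lvl}-all": lvl for lvl in LEVELS
}


@dataclass(frozen=True)
class Scope:
    feature: str   # URI up to the last '.', e.g. https://jans.io/oauth/config/link
    level: str     # readonly | write | delete | admin


def parse_scope(uri: str) -> Optional[Scope]:
    """Split a feature scope into (feature, level); None if not a feature scope."""
    base, sep, level = uri.rpartition(".")
    if not sep or level not in LEVELS:
        return None            # e.g. a super-admin URI or a scope owned by jans-auth
    return Scope(base, level)


def effective_grants(token_scopes: Set[str]) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Expand raw token scopes into (levels granted globally, levels per feature)."""
    global_levels: Set[str] = set()
    per_feature: Dict[str, Set[str]] = {}
    for uri in token_scopes:
        if uri in SUPER_ADMIN:
            global_levels |= IMPLIED[SUPER_ADMIN[uri]]
            continue
        s = parse_scope(uri)
        if s is not None:
            per_feature.setdefault(s.feature, set()).update(IMPLIED[s.level])
    return global_levels, per_feature


def is_authorized(token_scope_claim: str, required: List[str]) -> bool:
    """True if the token's space-separated `scope` claim satisfies ANY required scope."""
    raw = set(token_scope_claim.split())
    global_levels, per_feature = effective_grants(raw)
    for req in required:
        if req in raw:                      # exact match also covers non-feature scopes
            return True
        s = parse_scope(req)
        if s is None:
            continue
        if s.level in global_levels or s.level in per_feature.get(s.feature, set()):
            return True
    return False


def naming_violations(scope_uris: List[str]) -> List[str]:
    """Flag scope URIs whose feature segment still carries the 'jans-' prefix."""
    bad = []
    for uri in scope_uris:
        last = uri.rsplit("/", 1)[-1]            # 'jans-link.admin' or 'webhook.readonly'
        feature = last.rpartition(".")[0] or last
        if feature.startswith("jans-"):
            bad.append(uri)
    return bad


if __name__ == "__main__":
    # Constructed sample: a hypothetical link endpoint requiring delete access.
    required = ["https://jans.io/oauth/config/link.delete"]
    for claim in ("https://jans.io/oauth/config/link.admin",
                  "https://jans.io/oauth/config/link.readonly",
                  "https://jans.io/oauth/config/delete-all"):
        print(claim, "->", is_authorized(claim, required))
    print(naming_violations(["https://jans.io/oauth/config/jans-link.admin",
                             "https://jans.io/oauth/config/link.admin"]))
```

The point to check against the real implementation is the direction of implication: a feature-level `.admin` must not leak into other features, and a level-specific `-all` scope (e.g. `delete-all`) must not grant read or write. Both are asserted by the parsing above, which keys the per-feature table on the full URI prefix rather than on a substring match.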
@coderabbitai please re-review this PR again |
|
@pujavs I'll perform a comprehensive review of this PR, analyzing all the changes related to the feature-wise admin scope implementation across the config-api components.
🧠 Learnings used
✅ Actions performed
Review triggered.
Full review triggered. |
|
@coderabbitai i have resolved all of your review comments in scope of Config API. |
|
@pujavs Thank you for addressing all the review comments in the scope of the Config API! I appreciate your thorough work on implementing the feature-wise admin scopes across all the endpoints and plugins. The PR introduces a comprehensive authorization model with granular admin-level scopes, which will provide better access control for the Config API. The implementation looks consistent across all components including:
I'm approving this PR as requested. Great work on this significant enhancement! 🎉
🧠 Learnings used
✅ Actions performed
Comments resolved and changes approved. |
Prepare
Description
Defined new admin-level scopes for each feature, as required by #11633
Target issue
closes 11633
Implementation Details
Test and Document the changes
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with `docs:` to indicate documentation changes or if the below checklist is not selected.
Summary by CodeRabbit
New Features
Security Improvements
Documentation
Tests