Skip claim config initialization for organizations#8101
Open
HasiniSama wants to merge 1 commit into
Open
Conversation
![wso2-engineering[bot]](https://avatars.githubusercontent.com/in/1856828?s=60&v=4){kind=small}
Comment on lines
64
to
+69
| try { | ||
| /* | ||
| * Sub-organization tenants do not maintain their own claim metadata. Therefore, the per-tenant | ||
| * claim configuration initialization for the tenant must NOT run for sub-organization tenants. | ||
| */ | ||
| if (isOrganization(tenantId)) { |
Contributor
There was a problem hiding this comment.
Log Improvement Suggestion No: 1
Suggested change
| try { | |
| /* | |
| * Sub-organization tenants do not maintain their own claim metadata. Therefore, the per-tenant | |
| * claim configuration initialization for the tenant must NOT run for sub-organization tenants. | |
| */ | |
| if (isOrganization(tenantId)) { | |
| try { | |
| log.debug("Initializing claim metadata store for tenant: " + tenantId); | |
| /* | |
| * Sub-organization tenants do not maintain their own claim metadata. Therefore, the per-tenant | |
| * claim configuration initialization for the tenant must NOT run for sub-organization tenants. | |
| */ | |
| if (isOrganization(tenantId)) { |
Comment on lines
+69
to
+72
| if (isOrganization(tenantId)) { | ||
| this.tenantId = tenantId; | ||
| return; | ||
| } |
Contributor
There was a problem hiding this comment.
Log Improvement Suggestion No: 2
Suggested change
| if (isOrganization(tenantId)) { | |
| this.tenantId = tenantId; | |
| return; | |
| } | |
| if (isOrganization(tenantId)) { | |
| log.info("Skipping claim metadata initialization for sub-organization tenant: " + tenantId); | |
| this.tenantId = tenantId; | |
| return; | |
| } |
Contributor
There was a problem hiding this comment.
AI Agent Log Improvement Checklist
- The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
- Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.
✅ Before merging this pull request:
- Review all AI-generated comments for accuracy and relevance.
- Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.
| Comment | Accepted (Y/N) | Reason |
|---|---|---|
| #### Log Improvement Suggestion No: 1 | ||
| #### Log Improvement Suggestion No: 2 |
Contributor
📝 WalkthroughWalkthroughThe PR updates ChangesSub-organization tenant detection in claim metadata initialization
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@components/claim-mgt/org.wso2.carbon.identity.claim.metadata.mgt/src/main/java/org/wso2/carbon/identity/claim/metadata/mgt/DefaultClaimMetadataStore.java`:
- Around line 95-97: In DefaultClaimMetadataStore (the initialization path that
checks tenant sub-organization status) change the error logging call that
currently uses log.error(..., e) to log only the error message string (remove
the exception object) so the ERROR log contains no stack trace; if you still
need the exception for diagnostics, log the exception at DEBUG/TRACE using the
same message (e.g., use log.debug(...) with the exception) and keep the ERROR
call as a plain message string without the exception parameter.
- Around line 94-99: The catch in DefaultClaimMetadataStore that currently logs
OrganizationManagementException and returns false allows code to proceed with
default claim initialization for tenants when org-check fails; change the catch
to treat failures as "sub-organization" (fail-closed) by returning true (or
rethrowing the exception) so that the default initialization path is not
executed — locate the boolean org-check method (the
isSubOrganization/organization-check call inside DefaultClaimMetadataStore that
catches OrganizationManagementException) and replace the return false in that
catch with return true (or throw a runtime/checked exception) so
sub-organization tenants are not seeded on org-check errors.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
Run ID: ce37eca3-ef6f-4b8c-bf61-4c826b61e660
📒 Files selected for processing (1)
components/claim-mgt/org.wso2.carbon.identity.claim.metadata.mgt/src/main/java/org/wso2/carbon/identity/claim/metadata/mgt/DefaultClaimMetadataStore.java
Comment on lines
+94
to
+99
| } catch (OrganizationManagementException e) { | ||
| log.error("Error while checking whether tenant: " + tenantId + | ||
| " is a sub-organization during claim metadata store initialization. " + | ||
| "Proceeding with the default claim configuration initialization path.", e); | ||
| return false; | ||
| } |
Contributor
There was a problem hiding this comment.
Fail-open fallback can initialize sub-organization tenants on org-check errors.
When tenant-type detection fails, returning false (Line 98) continues into the default initialization path, which can seed claim metadata for sub-organization tenants.
Suggested fix
private boolean isOrganization(int tenantId) {
try {
return OrganizationManagementUtil.isOrganization(tenantId);
} catch (OrganizationManagementException e) {
- log.error("Error while checking whether tenant: " + tenantId +
- " is a sub-organization during claim metadata store initialization. " +
- "Proceeding with the default claim configuration initialization path.", e);
- return false;
+ log.error("Error while checking whether tenant: " + tenantId +
+ " is a sub-organization during claim metadata store initialization. " +
+ "Skipping claim configuration initialization for safety.");
+ return true;
}
}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@components/claim-mgt/org.wso2.carbon.identity.claim.metadata.mgt/src/main/java/org/wso2/carbon/identity/claim/metadata/mgt/DefaultClaimMetadataStore.java`
around lines 94 - 99, The catch in DefaultClaimMetadataStore that currently logs
OrganizationManagementException and returns false allows code to proceed with
default claim initialization for tenants when org-check fails; change the catch
to treat failures as "sub-organization" (fail-closed) by returning true (or
rethrowing the exception) so that the default initialization path is not
executed — locate the boolean org-check method (the
isSubOrganization/organization-check call inside DefaultClaimMetadataStore that
catches OrganizationManagementException) and replace the return false in that
catch with return true (or throw a runtime/checked exception) so
sub-organization tenants are not seeded on org-check errors.
Comment on lines
+95
to
+97
| log.error("Error while checking whether tenant: " + tenantId + | ||
| " is a sub-organization during claim metadata store initialization. " + | ||
| "Proceeding with the default claim configuration initialization path.", e); |
Contributor
There was a problem hiding this comment.
ERROR log should not include the exception object.
This log.error(..., e) pattern violates the repository logging rule for ERROR level in this PR context.
As per coding guidelines, “for ERROR logs, log only the error message (no stack traces/exception objects).”
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@components/claim-mgt/org.wso2.carbon.identity.claim.metadata.mgt/src/main/java/org/wso2/carbon/identity/claim/metadata/mgt/DefaultClaimMetadataStore.java`
around lines 95 - 97, In DefaultClaimMetadataStore (the initialization path that
checks tenant sub-organization status) change the error logging call that
currently uses log.error(..., e) to log only the error message string (remove
the exception object) so the ERROR log contains no stack trace; if you still
need the exception for diagnostics, log the exception at DEBUG/TRACE using the
same message (e.g., use log.debug(...) with the exception) and keep the ERROR
call as a plain message string without the exception parameter.
|
Codecov Report❌ Patch coverage is
❌ Your patch check has failed because the patch coverage (0.00%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## master #8101 +/- ##
============================================
- Coverage 53.28% 53.28% -0.01%
Complexity 20627 20627
============================================
Files 2147 2147
Lines 126484 126491 +7
Branches 18132 18133 +1
============================================
- Hits 67403 67395 -8
- Misses 50866 50881 +15
Partials 8215 8215
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed changes in this pull request
$subject
Child organization tenants do not maintain their own claim metadata. Their claim dialects, local claims, and external claim mappings are resolved hierarchically from the parent (root) organization via UnifiedClaimMetadataManager and OrgResourceResolverService [1]. Therefore, the per-tenant claim configuration initialization (which seeds rows into IDN_CLAIM_DIALECT / IDN_CLAIM / IDN_CLAIM_MAPPED_ATTRIBUTE for the tenant) must NOT run for child organization tenants.
[1] https://github.com/wso2/carbon-identity-framework/blob/master/components/claim-mgt/org.wso2.carbon.identity.claim.metadata.mgt/src/main/java/org/wso2/carbon/identity/claim/metadata/mgt/UnifiedClaimMetadataManager.java#L93