Introduce Policy Management component by kaviska · Pull Request #8158 · wso2/carbon-identity-framework

kaviska · 2026-06-16T05:32:16Z

Proposed changes in this pull request

This PR introduces a new Policy Management component (org.wso2.carbon.identity.policy.management) to the framework.

A policy is a named, tenant-scoped container that groups one or more resources. A resource can be a rule component or an action component; currently only the rule component is supported. Policy management also supports policy evaluation by calling its resources.

The component provides:

A domain model for policies and their resources.
A management service offering CRUD operations over policies, with paginated and filterable listing.
An evaluation service that, given a runtime context, selects the matching resource and delegates the actual evaluation to the underlying engine (rule-mgt).
A persistence layer backed by new database tables, with caching on the read path.
Unit tests covering the persistence, service, and evaluation layers.

When should this PR be merged

No preconditions. The module depends only on rule-mgt (rule.management + rule.evaluation),
which is already on the target branch.

Follow up actions

N/A

Introduce the org.wso2.carbon.identity.policy.management OSGi module: Policy and PolicyResource models, CRUD management service with pagination/filtering, rule-based policy evaluation, and caching. Add IDN_POLICY and IDN_POLICY_RESOURCE schema across all supported databases (h2, db2, mssql, mysql, mysql-cluster, oracle, oracle_rac, postgresql) and register the module in the root pom.

Add cache-backed DAO, DAO facade (rule-mgt orchestration and saga compensation), and policy evaluation service test classes, and extend the DAO tests with pagination, filtering, count, resource round-trip and unique-target constraint coverage. Register the new classes in testng.xml.

coderabbitai · 2026-06-16T05:32:24Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

📝 Walkthrough

Walkthrough

Introduces a new org.wso2.carbon.identity.policy.management OSGi bundle as a multi-module Maven project providing policy CRUD and evaluation services. The bundle includes a multi-dialect JDBC DAO with read-through name-based caching, rule-management saga compensation, service implementations with validation and hydration, OSGi wiring, and comprehensive TestNG coverage. Database schemas for IDN_POLICY and IDN_POLICY_RESOURCE tables are added across all seven supported SQL dialects.

Changes

Policy Management Module

Layer / File(s)	Summary
Build scaffolding and DB schema `components/policy-mgt/pom.xml`, `components/policy-mgt/org.wso2.carbon.identity.policy.management/pom.xml`, `features/identity-core/.../dbscripts/*.sql`, `components/policy-mgt/.../src/test/resources/dbscripts/h2.sql`	Maven aggregator and bundle POMs define the module structure, artifact packaging, OSGi bundle instructions, and dependencies. DDL scripts for H2, MySQL, MySQL Cluster, PostgreSQL, Oracle, Oracle RAC, DB2, and MS SQL Server each create `IDN_POLICY` and `IDN_POLICY_RESOURCE` tables with primary keys, composite uniqueness constraints, and cascading foreign keys.
API models, exceptions, service interfaces, and error utilities `components/policy-mgt/.../api/model/Policy.java`, `components/policy-mgt/.../api/model/PolicyBasicInfo.java`, `components/policy-mgt/.../api/model/PolicyResource.java`, `components/policy-mgt/.../api/model/ResourceType.java`, `components/policy-mgt/.../api/exception/PolicyManagementException.java`, `components/policy-mgt/.../api/exception/PolicyManagementClientException.java`, `components/policy-mgt/.../api/exception/PolicyManagementServerException.java`, `components/policy-mgt/.../api/constant/ErrorMessage.java`, `components/policy-mgt/.../api/service/PolicyManagementService.java`, `components/policy-mgt/.../api/service/PolicyEvaluationService.java`, `components/policy-mgt/.../api/util/PolicyManagementExceptionHandler.java`	Public API types define Policy (immutable with unmodifiable resource list), PolicyBasicInfo (lightweight list view), PolicyResource (with nullable hydrated rule), and ResourceType enum (RULE vs ACTION). Exception hierarchy includes PolicyManagementException base with errorCode/description, PolicyManagementClientException, and PolicyManagementServerException. ErrorMessage enum defines 12 error constants with code/message/description. PolicyManagementService interface declares CRUD, retrieval by ID/name, paginated listing, and count methods. PolicyEvaluationService interface declares single evaluate method with policy lookup, selector matching, and rule evaluation semantics. PolicyManagementExceptionHandler provides static factory methods to construct client/server exceptions from ErrorMessage with optional template data and cause.
Policy cache infrastructure `components/policy-mgt/.../internal/cache/PolicyCacheKey.java`, `components/policy-mgt/.../internal/cache/PolicyCacheEntry.java`, `components/policy-mgt/.../internal/cache/PolicyCache.java`	PolicyCacheKey stores policyName and implements equals/hashCode for name-based matching; tenant scoping is handled by the cache's tenantId. PolicyCacheEntry extends CacheEntry and wraps an un-hydrated Policy. PolicyCache is a singleton extending BaseCache, initialized eagerly with a private constructor, and accessed via getInstance() with security checks.
SQL constants, DAO interface, and JDBC implementation `components/policy-mgt/.../internal/constant/PolicyMgtSQLConstants.java`, `components/policy-mgt/.../internal/dao/PolicyManagementDAO.java`, `components/policy-mgt/.../internal/dao/impl/PolicyManagementDAOImpl.java`	PolicyMgtSQLConstants defines SQL column and query string constants for dialect-specific pagination (Oracle/DB2/MSSQL/default) and multi-resource operations. PolicyManagementDAO interface declares CRUD, retrieval, listing, counting, and lookup methods. PolicyManagementDAOImpl implements transactional CRUD with per-resource UUID generation, dialect-aware paginated listing with offset/limit sanitization and wildcard filtering, and resource hydration via nested query; all failures are wrapped by PolicyManagementExceptionHandler with specific error codes and debug logging on success.
Cache-backed DAO wrapper `components/policy-mgt/.../internal/dao/impl/CacheBackedPolicyManagementDAO.java`	Wraps an underlying PolicyManagementDAO with read-through caching for getPolicyByName (name-keyed, tenant-scoped): cache hit returns cached Policy, cache miss fetches from DAO and populates cache. Write operations (updatePolicy, deletePolicy) load the persisted policy by ID to determine old cached name, clear old and new name entries, then delegate to the underlying DAO. All other methods (addPolicy, getPolicyById, getPolicies, getPolicyCount, getPolicyIdByName) delegate directly without cache interaction.
PolicyManagementServiceImpl and PolicyEvaluationServiceImpl `components/policy-mgt/.../internal/service/impl/PolicyManagementServiceImpl.java`, `components/policy-mgt/.../internal/service/impl/PolicyEvaluationServiceImpl.java`	PolicyManagementServiceImpl validates policy (non-null, non-empty name), enforces case-insensitive uniqueness of (resourceType, target) per policy and tenant-scoped policy name uniqueness, resolves tenant IDs, and delegates to the DAO. For RULE resources, creates rules via RuleManagementService and implements saga compensation: if rule creation or DAO persistence fails, deletes previously created rules. On update, performs existence check, creates new rules, updates DAO, then deletes old rules on success. On delete, is idempotent and best-effort removes associated rules. Read operations hydrate only RULE-typed resources by fetching from rule-management. PolicyEvaluationServiceImpl retrieves policy by name, treats null selector as compliant (non-null result with null rule id), matches resource target case-insensitively, and delegates to RuleEvaluationService for matched RULE resources or returns compliant for unmatched/missing rules.
OSGi service holder and DS component `components/policy-mgt/.../internal/component/PolicyMgtComponentServiceHolder.java`, `components/policy-mgt/.../internal/component/PolicyMgtServiceComponent.java`	PolicyMgtComponentServiceHolder is a singleton with static getInstance() and private constructor, exposing getters/setters for RuleManagementService, RuleEvaluationService, and PolicyManagementService. PolicyMgtServiceComponent is an immediate DS component that on activation instantiates PolicyManagementServiceImpl and PolicyEvaluationServiceImpl, registers each in the OSGi BundleContext under their API interfaces, stores them in the holder, and wires mandatory dynamically-bound references to RuleManagementService and RuleEvaluationService with bind/unbind logging and conditional field clearing.
Unit and integration tests, test resources `components/policy-mgt/.../src/test/java/org/wso2/carbon/identity/policy/management/dao/PolicyManagementDAOImplTest.java`, `components/policy-mgt/.../src/test/java/org/wso2/carbon/identity/policy/management/dao/CacheBackedPolicyManagementDAOTest.java`, `components/policy-mgt/.../src/test/java/org/wso2/carbon/identity/policy/management/service/PolicyManagementServiceImplTest.java`, `components/policy-mgt/.../src/test/java/org/wso2/carbon/identity/policy/management/service/PolicyEvaluationServiceImplTest.java`, `components/policy-mgt/.../src/test/resources/dbscripts/h2.sql`, `components/policy-mgt/.../src/test/resources/repository/conf/carbon.xml`, `components/policy-mgt/.../src/test/resources/repository/conf/identity/identity.xml`, `components/policy-mgt/.../src/test/resources/testng.xml`	PolicyManagementDAOImplTest uses H2 for end-to-end CRUD, retrieval by ID/name, pagination with limit/offset, filtering by name prefix, and constraint validation (rejecting duplicate target-per-type). CacheBackedPolicyManagementDAOTest verifies read-through name-based caching: cache miss populates entry, cache hit returns without DAO call, getPolicyById always delegates, and write operations clear corresponding cache entries. PolicyManagementServiceImplTest covers CRUD with input validation, rule orchestration (RULE vs ACTION resources), and saga compensation (deleting created rules on failure). PolicyEvaluationServiceImplTest verifies null-policy returns null, null-selector returns compliant, no-match returns compliant, matching delegates to RuleEvaluationService, case-insensitive matching, and null-target skips evaluation. Test configuration includes carbon.xml (server metadata, JNDI, caching, Axis2, security), identity.xml (persistence, OAuth/OpenID/SSO endpoints, ResourceAccessControl mappings), and testng.xml (DAO test group and service test group).

Suggested Reviewers

DilshanSenarath
piraveena
RushanNanayakkara
ThaminduR
Thumimku

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description covers purpose, proposed changes, and merge preconditions, but is missing several required template sections (Goals, Approach, User stories, Release note, Documentation, Training, Certification, Marketing, detailed test coverage, security checks, samples, related PRs, migrations, test environment, and learning).	Complete the PR description by filling in all required template sections, including Goals, Approach, Release notes, Documentation links, Automation test details, Security checks (yes/no answers), and Test environment specifications.
Docstring Coverage	⚠️ Warning	Docstring coverage is 18.99% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: introducing a new Policy Management component to the framework.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 9

🧹 Nitpick comments (4)

components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/PolicyManagementDAOFacade.java (1)
58-157: ⚡ Quick win

Add entry/exit logs for saga-critical operations (addPolicy, updatePolicy, deletePolicy).

These are key orchestration boundaries across DB + rule-mgt and currently lack clear invocation/outcome logs, which hurts incident diagnosis.

As per coding guidelines, add logs around major method executions and at critical service entry/exit points.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/PolicyManagementDAOFacade.java`
around lines 58 - 157, Add entry and exit logs for the three saga-critical
operations addPolicy, updatePolicy, and deletePolicy methods to improve incident
diagnosis. For each method: add an entry log at the beginning (after method
entry) that captures the input parameters (policy name/id and tenantId), and add
exit logs before each successful return statement that confirms the operation
completed. Ensure logs provide sufficient context to trace orchestration between
the DB and rule management service layers.
Source: Coding guidelines
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java (1)
168-187: ⚡ Quick win

Add a concise debug log around rule hydration API calls.

hydrateResources performs repeated RuleManagementService lookups but has no execution log context, which makes troubleshooting hard when hydration behavior changes.

As per coding guidelines, significant API calls should include clear, concise logging around major method execution and key decisions.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java`
around lines 168 - 187, The hydrateResources method in
PolicyManagementServiceImpl performs multiple RuleManagementService lookups to
retrieve rules by ID but lacks any logging context, making it difficult to debug
hydration issues. Add concise debug log statements around the getRuleByRuleId
API call to log when rule hydration begins for a resource and when it completes
successfully, and include relevant context like the rule ID and tenant domain.
This will provide visibility into the hydration process without being overly
verbose.
Source: Coding guidelines
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyEvaluationServiceImpl.java (1)
57-63: ⚡ Quick win

Add a guarded debug log for evaluate-path external calls.

This is a critical service entry point and it calls both policy retrieval and rule evaluation services; a concise debug log for invocation context would improve diagnosability.

As per coding guidelines, entry points of critical services and significant operations should log invocation context.

Also applies to: 86-88
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyEvaluationServiceImpl.java`
around lines 57 - 63, Add guarded debug logging at the entry point of the
evaluate method in PolicyEvaluationServiceImpl to capture invocation context. At
the beginning of the evaluate method (before calling
getPolicyManagementService), add a debug log statement that includes the method
parameters: policyName, ruleSelector, and tenantDomain. This guarded debug log
should help with diagnosability of this critical service entry point. The same
debug logging pattern should also be applied to the other evaluate method
overload at lines 86-88 with its corresponding parameters.
Source: Coding guidelines
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/component/PolicyMgtServiceComponent.java (1)
60-60: ⚡ Quick win

Use INFO for activation/deactivation state transitions.

These lifecycle transitions are major component state changes; keeping them at INFO improves operational visibility without adding noise.

As per coding guidelines, major actions/state transitions should use INFO log level.

Also applies to: 69-69
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/component/PolicyMgtServiceComponent.java`
at line 60, In the PolicyMgtServiceComponent class, change the log level from
DEBUG to INFO for component lifecycle transitions to improve operational
visibility. Replace the LOG.debug call for the "Policy management bundle
activated" message with LOG.info, and also apply the same change to the
deactivation log statement at line 69 (the corresponding deactivation message)
to ensure both activation and deactivation state transitions are logged at INFO
level as per coding guidelines for major state changes.
Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/model/Policy.java`:
- Around line 34-40: In the Policy constructor,
`Collections.unmodifiableList(resources)` only wraps the reference to the
caller's list without creating a defensive copy, so mutations to the original
list will still be visible. Create a defensive copy of the resources list first
(by constructing a new ArrayList from it) before wrapping it with
Collections.unmodifiableList(). This ensures the Policy object's resources list
is truly immutable and isolated from changes to the caller's original list.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/cache/PolicyCache.java`:
- Around line 32-40: The public constructor in the PolicyCache class allows
direct instantiation bypassing the security check enforced in the getInstance()
method. Change the visibility of the PolicyCache constructor from public to
private to ensure all instances are created through getInstance(), which
properly calls CarbonUtils.checkSecurity() before returning the singleton
INSTANCE.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/cache/PolicyCacheEntry.java`:
- Around line 32-37: The PolicyCacheEntry class stores a non-serializable Policy
object in its policy field, but since PolicyCacheEntry implements CacheEntry
which is Serializable, this will cause runtime serialization failures. Fix this
by either: (1) implementing Serializable interface on both Policy and
PolicyResource classes and adding appropriate serialVersionUID fields, or (2)
creating a new serializable wrapper class that extracts and stores only the
essential safe identifiers (such as id, name, and tenantDomain) from the Policy
object, then replace the Policy field in PolicyCacheEntry with this new wrapper
and update the constructor and any accessor methods accordingly.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/component/PolicyMgtServiceComponent.java`:
- Around line 85-88: The unsetRuleManagementService method unconditionally
clears the service reference by setting it to null, which can erase a newly
bound service in dynamic mandatory reference scenarios where binding occurs
before unbinding completes. Fix this by adding a conditional check to only null
the reference if it matches the service parameter being unbound, comparing the
current held service with the parameter before clearing. Apply the same
defensive pattern to the other unbind method that has the same issue (around
lines 104-107 in the same file), ensuring both methods follow the safe pattern
used in ActionExecutionServiceComponent.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/PolicyManagementDAOFacade.java`:
- Around line 106-139: The updatePolicy method has two issues: (1)
existingPolicy is dereferenced without a null check after calling
policyManagementDAO.getPolicyById(), which can cause a NullPointerException, and
(2) the method deletes old rules first before creating new ones and updating the
database, which can orphan rule references if new rule creation or the DB update
fails. Fix by adding a null check for existingPolicy immediately after it is
retrieved, and reorder the operations to: create new rules first, then update
the policy in the database via policyManagementDAO.updatePolicy(), and only
delete the old rules after the database update succeeds. This ensures old rules
are preserved if any failure occurs during the update process.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyEvaluationServiceImpl.java`:
- Around line 57-59: In the evaluate method of PolicyEvaluationServiceImpl, add
null guards for ruleSelector before calling equalsIgnoreCase() on it and for
policy.getResources() before using it in stream matching operations. This will
prevent NullPointerException when either value is null and properly validate the
input parameters before attempting to use them in comparisons and stream
filtering.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java`:
- Around line 70-76: The addPolicy method logs policy fields before validating
the policy object, risking NPE if the policy or its fields are null. Move the
validatePolicyFields(policy) call to occur before the logging statement that
dereferences policy.getName(), ensuring validation happens first and provides
controlled validation errors instead of 500 errors. Apply the same fix to
updatePolicy and other affected methods where the same pattern exists—call
validatePolicyFields before any dereference of the policy or its nested objects.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/java/org/wso2/carbon/identity/policy/management/service/PolicyManagementServiceImplTest.java`:
- Around line 66-85: The setUp method mutates the singleton
PolicyManagementServiceImpl by replacing its policyManagementDAO field via
reflection, and MockitoAnnotations.openMocks(this) opens a Mockito session, but
the tearDown method does not clean up either. Store the original
policyManagementDAO before setting the mock in setUp, then in tearDown restore
the original DAO to the singleton and close the AutoCloseable resource returned
by MockitoAnnotations.openMocks(this) to prevent state leakage into subsequent
tests.

In `@components/policy-mgt/pom.xml`:
- Around line 25-30: There is a version drift issue where both new POMs pin
parent version 7.11.110-SNAPSHOT while the root aggregator is at
7.11.126-SNAPSHOT, causing potential build breaks. In
components/policy-mgt/pom.xml (lines 25-30), update the parent
identity-framework version from 7.11.110-SNAPSHOT to 7.11.126-SNAPSHOT. In
components/policy-mgt/org.wso2.carbon.identity.policy.management/pom.xml (lines
25-30), update the parent policy-mgt version to 7.11.126-SNAPSHOT to align with
the root aggregator version and maintain consistency across the module
hierarchy.

---

Nitpick comments:
In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/component/PolicyMgtServiceComponent.java`:
- Line 60: In the PolicyMgtServiceComponent class, change the log level from
DEBUG to INFO for component lifecycle transitions to improve operational
visibility. Replace the LOG.debug call for the "Policy management bundle
activated" message with LOG.info, and also apply the same change to the
deactivation log statement at line 69 (the corresponding deactivation message)
to ensure both activation and deactivation state transitions are logged at INFO
level as per coding guidelines for major state changes.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/PolicyManagementDAOFacade.java`:
- Around line 58-157: Add entry and exit logs for the three saga-critical
operations addPolicy, updatePolicy, and deletePolicy methods to improve incident
diagnosis. For each method: add an entry log at the beginning (after method
entry) that captures the input parameters (policy name/id and tenantId), and add
exit logs before each successful return statement that confirms the operation
completed. Ensure logs provide sufficient context to trace orchestration between
the DB and rule management service layers.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyEvaluationServiceImpl.java`:
- Around line 57-63: Add guarded debug logging at the entry point of the
evaluate method in PolicyEvaluationServiceImpl to capture invocation context. At
the beginning of the evaluate method (before calling
getPolicyManagementService), add a debug log statement that includes the method
parameters: policyName, ruleSelector, and tenantDomain. This guarded debug log
should help with diagnosability of this critical service entry point. The same
debug logging pattern should also be applied to the other evaluate method
overload at lines 86-88 with its corresponding parameters.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java`:
- Around line 168-187: The hydrateResources method in
PolicyManagementServiceImpl performs multiple RuleManagementService lookups to
retrieve rules by ID but lacks any logging context, making it difficult to debug
hydration issues. Add concise debug log statements around the getRuleByRuleId
API call to log when rule hydration begins for a resource and when it completes
successfully, and include relevant context like the rule ID and tenant domain.
This will provide visibility into the hydration process without being overly
verbose.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 86176907-1ec7-4000-934a-1cbfa18babe4

📥 Commits

Reviewing files that changed from the base of the PR and between 9073bb7 and 8565365.

📒 Files selected for processing (43)

components/policy-mgt/org.wso2.carbon.identity.policy.management/pom.xml
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/constant/ErrorMessage.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/exception/PolicyManagementClientException.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/exception/PolicyManagementException.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/exception/PolicyManagementServerException.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/model/Policy.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/model/PolicyBasicInfo.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/model/PolicyResource.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/model/ResourceType.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/service/PolicyEvaluationService.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/service/PolicyManagementService.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/util/PolicyManagementExceptionHandler.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/cache/PolicyCache.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/cache/PolicyCacheEntry.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/cache/PolicyCacheKey.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/component/PolicyMgtComponentServiceHolder.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/component/PolicyMgtServiceComponent.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/constant/PolicyMgtSQLConstants.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/PolicyManagementDAO.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/CacheBackedPolicyManagementDAO.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/PolicyManagementDAOFacade.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/PolicyManagementDAOImpl.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyEvaluationServiceImpl.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/java/org/wso2/carbon/identity/policy/management/dao/CacheBackedPolicyManagementDAOTest.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/java/org/wso2/carbon/identity/policy/management/dao/PolicyManagementDAOFacadeTest.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/java/org/wso2/carbon/identity/policy/management/dao/PolicyManagementDAOImplTest.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/java/org/wso2/carbon/identity/policy/management/service/PolicyEvaluationServiceImplTest.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/java/org/wso2/carbon/identity/policy/management/service/PolicyManagementServiceImplTest.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/resources/dbscripts/h2.sql
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/resources/repository/conf/carbon.xml
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/resources/repository/conf/identity/identity.xml
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/resources/testng.xml
components/policy-mgt/pom.xml
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql
features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql
pom.xml

…etons, simplify caching to name-only with precise invalidation, and harden request validation, update ordering, and dynamic-reference unbinding.

github-actions · 2026-06-17T08:40:53Z

🚨 New Database Tables Detected

This PR introduces new database table(s). Please ensure that the corresponding resource cleanup scripts are updated accordingly.

New Tables:

IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)

Required Actions:

Update Resource Cleanup Scripts: Please update the cleanup scripts in the identity-organization-resource-cleanup repository:
- Repository: https://github.com/wso2-extensions/identity-organization-resource-cleanup
- Add cleanup logic for the new table(s) to handle data removal during organization deletion
- Ensure cleanup scripts support all database types (MySQL, PostgreSQL, Oracle, MS SQL Server, DB2, H2)
Test Cleanup Functionality:
- Verify that the new table data is properly cleaned up during organization resource cleanup operations
- Test across all supported database platforms
- Ensure no orphaned data remains after cleanup
Update Documentation: If applicable, update any related documentation regarding the cleanup process for the new tables

Database Support Checklist:

Please verify your new table(s) are compatible with all supported databases:

This is an automated message. If this is a false positive or if you have questions, please reach out to the maintainers.

github-actions · 2026-06-17T10:18:21Z

🚨 New Database Tables Detected

This PR introduces new database table(s). Please ensure that the corresponding resource cleanup scripts are updated accordingly.

New Tables:

IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)

Required Actions:

Update Resource Cleanup Scripts: Please update the cleanup scripts in the identity-organization-resource-cleanup repository:
- Repository: https://github.com/wso2-extensions/identity-organization-resource-cleanup
- Add cleanup logic for the new table(s) to handle data removal during organization deletion
- Ensure cleanup scripts support all database types (MySQL, PostgreSQL, Oracle, MS SQL Server, DB2, H2)
Test Cleanup Functionality:
- Verify that the new table data is properly cleaned up during organization resource cleanup operations
- Test across all supported database platforms
- Ensure no orphaned data remains after cleanup
Update Documentation: If applicable, update any related documentation regarding the cleanup process for the new tables

Database Support Checklist:

Please verify your new table(s) are compatible with all supported databases:

This is an automated message. If this is a false positive or if you have questions, please reach out to the maintainers.

coderabbitai

Actionable comments posted: 2

♻️ Duplicate comments (1)

components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java (1)

326-345: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing null guard for policy.getResources().

The previous review flagged that policy.getResources() should be validated for null before iteration. While null checks for resource and resourceType were added, the null check for the resources list itself is still missing. If getResources() returns null, the for-each loop at line 329 will throw NPE.

     private void validateUniqueTargetsPerResourceType(Policy policy) throws PolicyManagementClientException {

+        if (policy.getResources() == null || policy.getResources().isEmpty()) {
+            throw PolicyManagementExceptionHandler.handleClientException(
+                    ErrorMessage.ERROR_INVALID_POLICY_REQUEST_FIELD, "Policy resources");
+        }
         Set<String> seenTargets = new HashSet<>();
         for (PolicyResource resource : policy.getResources()) {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java`
around lines 326 - 345, The validateUniqueTargetsPerResourceType method is
missing a null guard for policy.getResources() before the for-each loop
iteration. Add a null check for the resources list returned by
policy.getResources() at the beginning of the method, right after the
seenTargets HashSet initialization. If getResources() returns null, either
return early or throw an appropriate PolicyManagementClientException using the
PolicyManagementExceptionHandler.

🧹 Nitpick comments (2)

components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/CacheBackedPolicyManagementDAO.java (1)
62-65: ⚡ Quick win

Add boundary logs for DAO operations that currently execute silently.

These methods perform DB-facing operations but have no invocation/fallback logs, which reduces traceability during production incidents.

As per coding guidelines, “Flag functions or methods that perform significant operations (DB calls...) but lack log statements,” and “Flag entry/exit points of critical services that don't log their invocation.”

Also applies to: 128-131, 175-179, 190-193, 205-208
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/CacheBackedPolicyManagementDAO.java`
around lines 62 - 65, The addPolicy method performs a significant database
operation by delegating to policyManagementDAO.addPolicy but lacks any logging
statements for traceability. Add boundary logs (entry and exit logs) to the
addPolicy method to track when this critical DAO operation is invoked and when
it completes. Include the tenantId and policy information in the logs to provide
context. Apply the same logging pattern to the other DAO methods mentioned at
lines 128-131, 175-179, 190-193, and 205-208 to ensure consistent traceability
across all database-facing operations in the CacheBackedPolicyManagementDAO
class.
Source: Coding guidelines
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java (1)
190-207: 💤 Low value

Consider adding INFO-level log for policy deletion completion.

Per logging guidelines, major actions/state transitions should use INFO. The delete operation successfully completing is a significant state change that should be logged at INFO level for audit purposes.
         policyManagementDAO.deletePolicy(policyId, tenantId);
+        LOG.info("Policy deleted: " + policyId + " for tenant: " + tenantDomain);
         deleteRulesFromRuleManagementService(existingPolicy.getResources(), tenantDomain, ruleManagementService,
                 policyId);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java`
around lines 190 - 207, The deletePolicy method in PolicyManagementServiceImpl
only logs at DEBUG level when the deletion starts, but does not log at INFO
level when the deletion completes successfully. Add an INFO-level log statement
at the end of the deletePolicy method (after the
deleteRulesFromRuleManagementService call completes) to log the successful
completion of the policy deletion operation, including the policyId and
tenantDomain in the log message for audit trail purposes.
Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/cache/PolicyCacheKey.java`:
- Around line 33-36: The PolicyCacheKey constructor accepts a policyName
parameter without validating it against null, but the equals and hashCode
methods at lines 49 and 55 assume policyName is non-null and will throw NPEs if
null is passed. Add a null guard check in the PolicyCacheKey constructor to
validate that policyName is not null before assigning it to the field. If
policyName is null, throw an appropriate exception such as
IllegalArgumentException with a descriptive error message to fail fast and
prevent NPEs in downstream equals/hashCode operations.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/CacheBackedPolicyManagementDAO.java`:
- Around line 81-82: The cache invalidation after updating a policy uses the
name from the request payload (policy.getName()) instead of the actual persisted
name returned by the DAO. When the DAO canonicalizes or normalizes policy names
during persistence, the cache key used for invalidation may not match the actual
stored policy name, leaving a stale cache entry. Use the name from the
updatedPolicy object (returned from policyManagementDAO.updatePolicy on line 81)
instead of policy.getName() when clearing the cache, to ensure the correct cache
entry is invalidated with the actual persisted name.

---

Duplicate comments:
In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java`:
- Around line 326-345: The validateUniqueTargetsPerResourceType method is
missing a null guard for policy.getResources() before the for-each loop
iteration. Add a null check for the resources list returned by
policy.getResources() at the beginning of the method, right after the
seenTargets HashSet initialization. If getResources() returns null, either
return early or throw an appropriate PolicyManagementClientException using the
PolicyManagementExceptionHandler.

---

Nitpick comments:
In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/CacheBackedPolicyManagementDAO.java`:
- Around line 62-65: The addPolicy method performs a significant database
operation by delegating to policyManagementDAO.addPolicy but lacks any logging
statements for traceability. Add boundary logs (entry and exit logs) to the
addPolicy method to track when this critical DAO operation is invoked and when
it completes. Include the tenantId and policy information in the logs to provide
context. Apply the same logging pattern to the other DAO methods mentioned at
lines 128-131, 175-179, 190-193, and 205-208 to ensure consistent traceability
across all database-facing operations in the CacheBackedPolicyManagementDAO
class.

In
`@components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java`:
- Around line 190-207: The deletePolicy method in PolicyManagementServiceImpl
only logs at DEBUG level when the deletion starts, but does not log at INFO
level when the deletion completes successfully. Add an INFO-level log statement
at the end of the deletePolicy method (after the
deleteRulesFromRuleManagementService call completes) to log the successful
completion of the policy deletion operation, including the policyId and
tenantDomain in the log message for audit trail purposes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 67eb8f7f-f2f0-4757-bfa7-7798448ec711

📥 Commits

Reviewing files that changed from the base of the PR and between 8565365 and a2118d9.

📒 Files selected for processing (14)

components/policy-mgt/org.wso2.carbon.identity.policy.management/pom.xml
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/model/Policy.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/cache/PolicyCache.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/cache/PolicyCacheKey.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/component/PolicyMgtServiceComponent.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/dao/impl/CacheBackedPolicyManagementDAO.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyEvaluationServiceImpl.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/service/impl/PolicyManagementServiceImpl.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/java/org/wso2/carbon/identity/policy/management/dao/CacheBackedPolicyManagementDAOTest.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/java/org/wso2/carbon/identity/policy/management/service/PolicyEvaluationServiceImplTest.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/java/org/wso2/carbon/identity/policy/management/service/PolicyManagementServiceImplTest.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/resources/testng.xml
components/policy-mgt/pom.xml
pom.xml

💤 Files with no reviewable changes (1)

components/policy-mgt/org.wso2.carbon.identity.policy.management/src/test/resources/testng.xml

🚧 Files skipped from review as they are similar to previous changes (6)

components/policy-mgt/pom.xml
pom.xml
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/api/model/Policy.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/pom.xml
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/component/PolicyMgtServiceComponent.java
components/policy-mgt/org.wso2.carbon.identity.policy.management/src/main/java/org/wso2/carbon/identity/policy/management/internal/cache/PolicyCache.java

github-actions · 2026-06-17T10:29:13Z

🚨 New Database Tables Detected

This PR introduces new database table(s). Please ensure that the corresponding resource cleanup scripts are updated accordingly.

New Tables:

IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)

Required Actions:

Update Resource Cleanup Scripts: Please update the cleanup scripts in the identity-organization-resource-cleanup repository:
- Repository: https://github.com/wso2-extensions/identity-organization-resource-cleanup
- Add cleanup logic for the new table(s) to handle data removal during organization deletion
- Ensure cleanup scripts support all database types (MySQL, PostgreSQL, Oracle, MS SQL Server, DB2, H2)
Test Cleanup Functionality:
- Verify that the new table data is properly cleaned up during organization resource cleanup operations
- Test across all supported database platforms
- Ensure no orphaned data remains after cleanup
Update Documentation: If applicable, update any related documentation regarding the cleanup process for the new tables

Database Support Checklist:

Please verify your new table(s) are compatible with all supported databases:

This is an automated message. If this is a false positive or if you have questions, please reach out to the maintainers.

codecov · 2026-06-17T10:47:25Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.80%. Comparing base (93e0996) to head (73cdb7d).

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #8158      +/-   ##
============================================
+ Coverage     52.76%   52.80%   +0.03%     
+ Complexity    21214    21176      -38     
============================================
  Files          2197     2197              
  Lines        130819   130615     -204     
  Branches      19654    19622      -32     
============================================
- Hits          69033    68971      -62     
+ Misses        53371    53248     -123     
+ Partials       8415     8396      -19

Flag	Coverage Δ
unit	`38.23% <ø> (+0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-actions · 2026-06-17T15:13:10Z

🚨 New Database Tables Detected

This PR introduces new database table(s). Please ensure that the corresponding resource cleanup scripts are updated accordingly.

New Tables:

IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)

Required Actions:

Update Resource Cleanup Scripts: Please update the cleanup scripts in the identity-organization-resource-cleanup repository:
- Repository: https://github.com/wso2-extensions/identity-organization-resource-cleanup
- Add cleanup logic for the new table(s) to handle data removal during organization deletion
- Ensure cleanup scripts support all database types (MySQL, PostgreSQL, Oracle, MS SQL Server, DB2, H2)
Test Cleanup Functionality:
- Verify that the new table data is properly cleaned up during organization resource cleanup operations
- Test across all supported database platforms
- Ensure no orphaned data remains after cleanup
Update Documentation: If applicable, update any related documentation regarding the cleanup process for the new tables

Database Support Checklist:

Please verify your new table(s) are compatible with all supported databases:

This is an automated message. If this is a false positive or if you have questions, please reach out to the maintainers.

github-actions · 2026-06-21T05:51:25Z

🚨 New Database Tables Detected

This PR introduces new database table(s). Please ensure that the corresponding resource cleanup scripts are updated accordingly.

New Tables:

IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)

Required Actions:

Update Resource Cleanup Scripts: Please update the cleanup scripts in the identity-organization-resource-cleanup repository:
- Repository: https://github.com/wso2-extensions/identity-organization-resource-cleanup
- Add cleanup logic for the new table(s) to handle data removal during organization deletion
- Ensure cleanup scripts support all database types (MySQL, PostgreSQL, Oracle, MS SQL Server, DB2, H2)
Test Cleanup Functionality:
- Verify that the new table data is properly cleaned up during organization resource cleanup operations
- Test across all supported database platforms
- Ensure no orphaned data remains after cleanup
Update Documentation: If applicable, update any related documentation regarding the cleanup process for the new tables

Database Support Checklist:

Please verify your new table(s) are compatible with all supported databases:

This is an automated message. If this is a false positive or if you have questions, please reach out to the maintainers.

github-actions · 2026-06-21T05:53:02Z

🚨 New Database Tables Detected

This PR introduces new database table(s). Please ensure that the corresponding resource cleanup scripts are updated accordingly.

New Tables:

IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)

Required Actions:

Update Resource Cleanup Scripts: Please update the cleanup scripts in the identity-organization-resource-cleanup repository:
- Repository: https://github.com/wso2-extensions/identity-organization-resource-cleanup
- Add cleanup logic for the new table(s) to handle data removal during organization deletion
- Ensure cleanup scripts support all database types (MySQL, PostgreSQL, Oracle, MS SQL Server, DB2, H2)
Test Cleanup Functionality:
- Verify that the new table data is properly cleaned up during organization resource cleanup operations
- Test across all supported database platforms
- Ensure no orphaned data remains after cleanup
Update Documentation: If applicable, update any related documentation regarding the cleanup process for the new tables

Database Support Checklist:

Please verify your new table(s) are compatible with all supported databases:

This is an automated message. If this is a false positive or if you have questions, please reach out to the maintainers.

github-actions · 2026-06-21T06:00:28Z

🚨 New Database Tables Detected

This PR introduces new database table(s). Please ensure that the corresponding resource cleanup scripts are updated accordingly.

New Tables:

IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/db2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mssql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-cluster.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/oracle_rac.sql)
IDN_POLICY (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)
IDN_POLICY_RESOURCE (in features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/postgresql.sql)

Required Actions:

Update Resource Cleanup Scripts: Please update the cleanup scripts in the identity-organization-resource-cleanup repository:
- Repository: https://github.com/wso2-extensions/identity-organization-resource-cleanup
- Add cleanup logic for the new table(s) to handle data removal during organization deletion
- Ensure cleanup scripts support all database types (MySQL, PostgreSQL, Oracle, MS SQL Server, DB2, H2)
Test Cleanup Functionality:
- Verify that the new table data is properly cleaned up during organization resource cleanup operations
- Test across all supported database platforms
- Ensure no orphaned data remains after cleanup
Update Documentation: If applicable, update any related documentation regarding the cleanup process for the new tables

Database Support Checklist:

Please verify your new table(s) are compatible with all supported databases:

This is an automated message. If this is a false positive or if you have questions, please reach out to the maintainers.

sonarqubecloud · 2026-06-21T06:01:53Z

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
1.9% Duplication on New Code

See analysis details on SonarQube Cloud

kaviska added 2 commits June 15, 2026 21:07

Thisara-Welmilla changed the base branch from device-mgt to master June 16, 2026 06:23

coderabbitai Bot reviewed Jun 16, 2026

View reviewed changes

Refactor policy management to remove the DAO facade and service singl…

fc41116

…etons, simplify caching to name-only with precise invalidation, and harden request validation, update ordering, and dynamic-reference unbinding.

Merge branch 'wso2:master' into policy-management-module

a2118d9

coderabbitai Bot reviewed Jun 17, 2026

View reviewed changes

Comment thread .../src/main/java/org/wso2/carbon/identity/policy/management/internal/cache/PolicyCacheKey.java

Comment thread ...wso2/carbon/identity/policy/management/internal/dao/impl/CacheBackedPolicyManagementDAO.java

Update pom.xml versions

bdf5382

Harden getPolicyByName against null/blank policy name

c2f0052

coderabbitai Bot requested a review from pamodaaw June 17, 2026 15:11

Add Javadoc to PolicyManagementDAO interface methods

6490ced

coderabbitai Bot requested review from DilshanSenarath, RushanNanayakkara, ThaminduR, Thumimku and piraveena June 21, 2026 05:51

Merge branch 'wso2:master' into policy-management-module

9533d1d

Update policy-mgt module pom.xml versions

73cdb7d

Uh oh!

Conversation

kaviska commented Jun 16, 2026

Proposed changes in this pull request

When should this PR be merged

Follow up actions

Uh oh!

coderabbitai Bot commented Jun 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Suggested Reviewers

❌ Failed checks (2 warnings)

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented Jun 17, 2026

🚨 New Database Tables Detected

New Tables:

Required Actions:

Database Support Checklist:

Uh oh!

github-actions Bot commented Jun 17, 2026

🚨 New Database Tables Detected

New Tables:

Required Actions:

Database Support Checklist:

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented Jun 17, 2026

🚨 New Database Tables Detected

New Tables:

Required Actions:

Database Support Checklist:

Uh oh!

codecov Bot commented Jun 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

github-actions Bot commented Jun 17, 2026

🚨 New Database Tables Detected

New Tables:

Required Actions:

Database Support Checklist:

Uh oh!

github-actions Bot commented Jun 21, 2026

🚨 New Database Tables Detected

New Tables:

Required Actions:

Database Support Checklist:

Uh oh!

github-actions Bot commented Jun 21, 2026

🚨 New Database Tables Detected

New Tables:

Required Actions:

Database Support Checklist:

Uh oh!

github-actions Bot commented Jun 21, 2026

🚨 New Database Tables Detected

New Tables:

Required Actions:

Database Support Checklist:

Uh oh!

sonarqubecloud Bot commented Jun 21, 2026

Quality Gate passed

coderabbitai Bot commented Jun 16, 2026 •

edited

Loading

codecov Bot commented Jun 17, 2026 •

edited

Loading