Add configs related to consent mgt webhook#8159

Open
hwupathum wants to merge 5 commits into wso2:master from hwupathum:consent-webhook

@hwupathum

Proposed changes in this pull request

Add webhook event support for consent and consent purpose events.

  • Introduce ConsentEventPayloadBuilder and ConsentPurposeEventPayloadBuilder interfaces in the common module.
  • Add ConsentEventHookHandler that subscribes to POST_ADD_RECEIPT and POST_REVOKE_RECEIPT identity events and publishes consent-added and consent-revoked webhook events.
  • Add ConsentPurposeEventHookHandler that subscribes to POST_ADD_PURPOSE_VERSION and publishes a purpose-version-added webhook event.
  • Implement WSO2-schema payload builders (WSO2ConsentEventPayloadBuilder, WSO2ConsentPurposeEventPayloadBuilder) with payload models (WSO2ConsentAddedEventPayload, WSO2ConsentRevokedEventPayload,
    WSO2ConsentPurposeVersionAddedEventPayload) and supporting model classes (Consent, ConsentElement, ConsentPurpose).
  • Register the new event URIs and channel in WSO2EventProfileManager.
  • Wire both handlers and builders into OSGi via EventHookHandlerServiceComponent and WSO2EventHookHandlerServiceComponent; handlers are gated by ConsentEventHook.enable and ConsentPurposeEventHook.enable flags in
    identity-event.properties.
  • Add unit tests for both handlers and both WSO2 builders.

Dependent changes required in carbon-identity-framework:

  • identity-event.properties: add module.name.63=ConsentEventHook and module.name.64=ConsentPurposeEventHook entries.
  • org.wso2.carbon.identity.event.server.feature.default.json: add ConsentEventHook (index 71) and ConsentPurposeEventHook (index 72) entries.

When should this PR be merged

After the dependent carbon-identity-framework PR (adding the identity-event.properties and default.json entries) is merged.

Follow up actions

  • Verify the events are published end-to-end in a running IS instance with ConsentEventHook.enable=true and ConsentPurposeEventHook.enable=true set in identity-event.properties.

Checklist (for reviewing)

General

  • Is this PR explained thoroughly? All code changes must be accounted for in the PR description.
  • Is the PR labeled correctly?

Functionality

  • Are all requirements met? Compare implemented functionality with the requirements specification.
  • Does the UI work as expected? There should be no JavaScript errors in the console; all resources should load. There should be no unexpected errors. Deliberately try to break the feature to find out if there are corner cases that are not handled.

Code

  • Do you fully understand the introduced changes to the code? If not ask for clarification, it might uncover ways to solve a problem in a more elegant and efficient way.
  • Does the PR introduce any inefficient database requests? Use the debug server to check for duplicate requests.
  • Are all necessary strings marked for translation? All strings that are exposed to users via the UI must be marked for translation.

Tests

  • Are there sufficient test cases? Ensure that all components are tested individually; models, forms, and serializers should be tested in isolation even if a test for a view covers these components.
  • If this is a bug fix, are tests for the issue in place? There must be a test case for the bug to ensure the issue won't regress. Make sure that the tests break without the new code to fix the issue.
  • If this is a new feature or a significant change to an existing feature, has the manual testing spreadsheet been updated with instructions for manual testing?

Security

  • Confirm this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.
  • Are all UI and API inputs run through forms or serializers?
  • Are all external inputs validated and sanitized appropriately?
  • Does all branching logic have a default case?
  • Does this solution handle outliers and edge cases gracefully?
  • Are all external communications secured and restricted to SSL?

Documentation

  • Are changes to the UI documented in the platform docs? If this PR introduces new platform site functionality or changes existing ones, the changes should be documented.
  • Are changes to the API documented in the API docs? If this PR introduces new API functionality or changes existing ones, the changes must be documented.
  • Are reusable components documented? If this PR introduces components that are relevant to other developers (for instance a mixin for a view or a generic form) they should be documented in the Wiki.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

The pull request introduces configuration-driven channel filtering for event profiles and registers consent-related event hooks with corresponding webhook event channels. First, it implements infrastructure to disable specific event channels during profile loading via a DAO filter and configuration entries. Second, it registers ConsentEventHook and ConsentPurposeEventHook as enabled event modules and extends the WSO2 webhook profile with matching consent event channels. Third, it adds backwards-compatibility configuration for IS_7.3.0 to disable the consent hooks and channels when preserving previous product behavior.

Changes

Event Channel Disabling Infrastructure

Layer: Channel filtering in DAO and configuration
File(s): components/webhook-mgt/.../FileBasedEventProfileMetadataDAOImpl.java, features/identity-core/.../identity.xml.j2, features/identity-core/.../org.wso2.carbon.identity.core.server.feature.default.json
Summary: FileBasedEventProfileMetadataDAOImpl adds IdentityUtil and collection imports, introduces DISABLED_CHANNELS_PROPERTY, initializes a disabledChannels set from configuration in loadEventProfiles(), and filters out channels by URI before caching the modified profile. The identity.xml.j2 template conditionally renders DisabledChannels entries when the configuration is defined, and the default feature JSON introduces webhooks.event_profiles.disabled_channels as an empty list.

Consent Event Hooks and Webhook Channels

Layer: Consent event hook registration
File(s): features/identity-event/.../identity-event.properties, features/identity-event/.../org.wso2.carbon.identity.event.server.feature.default.json
Summary: ConsentEventHook (module index 71, subscriptions: POST_ADD_RECEIPT, POST_AUTHORIZE_CONSENT) and ConsentPurposeEventHook (module index 72, subscription: POST_ADD_PURPOSE_VERSION) are registered as enabled modules in both the properties file and the default scheme JSON configuration.

Layer: Webhook event profile consent channels
File(s): features/webhook-mgt/.../wso2-event-profile.json
Summary: "Consent purpose" channel (with "Purpose version added" event) and "Consents" channel (with "Consent added" and "Consent authorized" events) are added as new top-level channel definitions in the WSO2 event profile, each including event names, descriptions, and URI paths.

Layer: IS_7.3.0 backwards-compatibility settings
File(s): features/identity-core/.../org.wso2.carbon.identity.core.server.feature.infer.json
Summary: A version-specific preservation block for IS_7.3.0 disables the consent V2 API, disables the consent event hook modules (ConsentEventHook and ConsentPurposeEventHook), and adds the consent-purpose and consent event channels to webhooks.event_profiles.disabled_channels to preserve previous product behavior.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name: Description check
Status: ❓ Inconclusive
Explanation: The description provides comprehensive details about the proposed changes, includes dependent PRs, and references configuration updates. However, several required template sections are missing or incomplete (Purpose/Issues, Goals, Release notes, Documentation links, Security checks, etc.).
Resolution: Complete missing template sections including Purpose (with issue links), Goals, Release notes, Documentation links, Security verification checklist items, and Training/Certification/Marketing sections as applicable.

✅ Passed checks (4 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The title 'Add configs related to consent mgt webhook' accurately summarizes the primary changes in the PR, which involve adding webhook and event hook configurations for consent management.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Check name: Linked Issues check
Status: ✅ Passed
Explanation: Check skipped because no linked issues were found for this pull request.

Check name: Out of Scope Changes check
Status: ✅ Passed
Explanation: Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/identity-event.properties`:
- Around line 198-204: The properties file has module indices that are out of
sync with the JSON configuration file. The ConsentEventHook and
ConsentPurposeEventHook modules are currently at indices 63 and 64 in the
properties file but should be at indices 71 and 72 to match the JSON
configuration. Add the missing module.name entries for indices 63 through 70 to
the properties file before the ConsentEventHook entry, corresponding to the
OrganizationAgentSharingHandler and moesif-related modules that exist in the
JSON file. This will shift ConsentEventHook and ConsentPurposeEventHook to the
correct indices (71 and 72) and synchronize the module numbering between both
configuration files.

📥 Commits

Reviewing files that changed from the base of the PR and between 9073bb7 and 6e80f89.

📒 Files selected for processing (3)
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/identity-event.properties
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/org.wso2.carbon.identity.event.server.feature.default.json
  • features/webhook-mgt/org.wso2.carbon.identity.webhook.management.server.feature/resources/identity/eventprofiles/wso2-event-profile.json

@codecov

codecov Bot commented Jun 16, 2026

Codecov Report

❌ Patch coverage is 37.77778% with 28 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.94%. Comparing base (a0b1a3a) to head (227d387).
⚠️ Report is 37 commits behind head on master.

Files with missing lines (Patch %, Lines):
  • .../wso2/carbon/identity/core/context/model/Flow.java: 0.00%, 20 Missing ⚠️
  • ...dao/impl/FileBasedEventProfileMetadataDAOImpl.java: 14.28%, 5 Missing and 1 partial ⚠️
  • ...st/impl/consent/PolicyConsentPostAuthnHandler.java: 88.88%, 1 Missing and 1 partial ⚠️

❌ Your patch check has failed because the patch coverage (37.77%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #8159      +/-   ##
============================================
- Coverage     52.97%   52.94%   -0.03%     
- Complexity    20994    21001       +7     
============================================
  Files          2197     2197              
  Lines        129323   129269      -54     
  Branches      19265    19245      -20     
============================================
- Hits          68504    68443      -61     
- Misses        52473    52479       +6     
- Partials       8346     8347       +1     

Flag: unit
Coverage Δ: 38.21% <37.77%> (-0.02%) ⬇️

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
features/webhook-mgt/org.wso2.carbon.identity.webhook.management.server.feature/resources/identity/eventprofiles/wso2-event-profile.json (1)

155-157: ⚡ Quick win

Semantic confusion: "Consent authorized" event description is unclear.

The event name "Consent authorized" typically implies approval, but the description states "Notify if a user consent is approved, rejected, or revoked." This creates semantic confusion because:

  • "Authorized" doesn't naturally convey rejection or revocation
  • Event consumers may misinterpret what this event represents

If this event is meant to cover multiple authorization state changes, consider either:

  1. Using a more neutral name like "Consent authorization changed" or "Consent status updated"
  2. Splitting into separate events: "Consent approved", "Consent rejected", "Consent revoked"
  3. Clarifying in documentation that "authorized" is a catch-all term
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@features/webhook-mgt/org.wso2.carbon.identity.webhook.management.server.feature/resources/identity/eventprofiles/wso2-event-profile.json`
around lines 155 - 157, The event name "Consent authorized" in the
wso2-event-profile.json file is semantically misaligned with its
eventDescription, which indicates the event covers approval, rejection, and
revocation states. Either rename the eventName to a more neutral term like
"Consent authorization changed" or "Consent status updated" that accurately
reflects all covered states, or split this into separate events for each state.
Ensure the eventName, eventDescription, and eventUri fields are consistent with
the chosen approach to avoid confusing event consumers.

📥 Commits

Reviewing files that changed from the base of the PR and between ecc40e5 and d0d35b7.

📒 Files selected for processing (3)
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/identity-event.properties
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/org.wso2.carbon.identity.event.server.feature.default.json
  • features/webhook-mgt/org.wso2.carbon.identity.webhook.management.server.feature/resources/identity/eventprofiles/wso2-event-profile.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/org.wso2.carbon.identity.event.server.feature.default.json
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/identity-event.properties

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@components/webhook-mgt/org.wso2.carbon.identity.webhook.metadata/src/main/java/org/wso2/carbon/identity/webhook/metadata/internal/dao/impl/FileBasedEventProfileMetadataDAOImpl.java`:
- Around line 136-138: The DEBUG log statement performing string concatenation
with "Skipping disabled event profile: " + profile.getProfile() is not guarded
by an isDebugEnabled() check, causing unnecessary string concatenation overhead
when DEBUG logging is disabled. Wrap the log.debug call in an if
(log.isDebugEnabled()) guard to prevent the concatenation from executing when
DEBUG level is not enabled, following the coding guidelines for
performance-sensitive logging.

In
`@features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/org.wso2.carbon.identity.event.server.feature.default.json`:
- Around line 471-477: The ConsentEventHook and ConsentPurposeEventHook hooks
are set to enabled (true) in the JSON file at their respective properties.enable
settings, but this contradicts the disabled default state defined in the paired
identity-event.properties module configuration. To maintain consistency with the
module-registration contract and prevent unintended hook activation, change the
enable values from true to false for both ConsentEventHook.properties.enable and
ConsentPurposeEventHook.properties.enable.

📥 Commits

Reviewing files that changed from the base of the PR and between d0d35b7 and 3804871.

📒 Files selected for processing (6)
  • components/webhook-mgt/org.wso2.carbon.identity.webhook.metadata/src/main/java/org/wso2/carbon/identity/webhook/metadata/internal/dao/impl/FileBasedEventProfileMetadataDAOImpl.java
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/identity-event.properties
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/org.wso2.carbon.identity.event.server.feature.default.json
  • features/webhook-mgt/org.wso2.carbon.identity.webhook.management.server.feature/resources/identity/eventprofiles/wso2-event-profile.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • features/webhook-mgt/org.wso2.carbon.identity.webhook.management.server.feature/resources/identity/eventprofiles/wso2-event-profile.json
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/identity-event.properties

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
components/webhook-mgt/org.wso2.carbon.identity.webhook.metadata/src/main/java/org/wso2/carbon/identity/webhook/metadata/internal/dao/impl/FileBasedEventProfileMetadataDAOImpl.java (1)

137-142: ⚡ Quick win

Add a DEBUG log when channels are filtered out by configuration.

This branch introduces a key behavior change (profile channels are removed), but it is silent today. A guarded DEBUG log with safe identifiers and removed-count will make config troubleshooting much easier.

Suggested fix
                     if (!disabledChannels.isEmpty() && profile.getChannels() != null) {
+                        int originalCount = profile.getChannels().size();
                         List<Channel> filteredChannels = profile.getChannels().stream()
                                 .filter(channel -> !disabledChannels.contains(channel.getUri()))
                                 .collect(Collectors.toList());
+                        if (log.isDebugEnabled() && originalCount != filteredChannels.size()) {
+                            log.debug("Filtered disabled channels for profile: " + profile.getProfile() +
+                                    ", removed count: " + (originalCount - filteredChannels.size()));
+                        }
                         profile = new EventProfile(profile.getProfile(), profile.getUri(), filteredChannels);
                     }
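
Review bot: The predicate on the `.filter(channel -> !disabledChannels.contains(channel.getUri()))` line still dereferences `channel` without a null check, so a null entry in `profile.getChannels()` would throw before the new debug log is reached; add `channel != null &&` to the predicate. The added log also reports only a removed count, so it cannot confirm that the intended channels were the ones dropped; consider including the removed channel URIs in the message.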

As per coding guidelines, logs should cover key business decisions, and DEBUG logs with runtime string building should be guarded.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/webhook-mgt/org.wso2.carbon.identity.webhook.metadata/src/main/java/org/wso2/carbon/identity/webhook/metadata/internal/dao/impl/FileBasedEventProfileMetadataDAOImpl.java`
around lines 137 - 142, The code block filters channels from a profile based on
disabledChannels configuration but does not log this important behavioral
change. Add a guarded DEBUG log statement after the profile filtering logic in
the if block that checks if DEBUG logging is enabled, then logs a message
containing the profile URI (as a safe identifier) and the count of removed
channels (calculated as the original channel count minus the filtered channel
count). This will help with configuration troubleshooting while following the
coding guideline that DEBUG logs with runtime string building should be guarded.

Sources: Coding guidelines, Learnings

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@components/webhook-mgt/org.wso2.carbon.identity.webhook.metadata/src/main/java/org/wso2/carbon/identity/webhook/metadata/internal/dao/impl/FileBasedEventProfileMetadataDAOImpl.java`:
- Around line 138-140: In the FileBasedEventProfileMetadataDAOImpl file where
the profile.getChannels() stream is filtered, add a null check in the filter
predicate to exclude null channel entries before dereferencing channel.getUri().
Modify the filter condition to first check that the channel is not null, then
verify that the channel's URI is not in the disabledChannels list to prevent
NullPointerException during profile loading.

In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json`:
- Around line 446-455: The IS_7.3.0 configuration block is currently at the
wrong nesting level in the JSON structure. Move the entire IS_7.3.0 object
(containing consent_mgt.enable_v2_api, identity_mgt.events.schemes
configurations, and webhooks.event_profiles.disabled_channels) inside the
preserve_previous_product_behaviour.version object where it belongs, ensuring it
closes the version object properly rather than appearing as a sibling top-level
key. This will ensure the version-specific overrides are correctly applied as
part of the version preservation configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3804871 and adabebe.

📒 Files selected for processing (7)
  • components/webhook-mgt/org.wso2.carbon.identity.webhook.metadata/src/main/java/org/wso2/carbon/identity/webhook/metadata/internal/dao/impl/FileBasedEventProfileMetadataDAOImpl.java
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/identity-event.properties
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/org.wso2.carbon.identity.event.server.feature.default.json
  • features/webhook-mgt/org.wso2.carbon.identity.webhook.management.server.feature/resources/identity/eventprofiles/wso2-event-profile.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/org.wso2.carbon.identity.event.server.feature.default.json
  • features/webhook-mgt/org.wso2.carbon.identity.webhook.management.server.feature/resources/identity/eventprofiles/wso2-event-profile.json
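
The channel filtering discussed in the review above, as an added example that is not the project's code: it drops null entries, avoids calling `contains(null)` on the disabled set, and reports configured URIs that matched no channel, so a mistyped entry in the disabled-channels list does not leave a consent channel silently enabled. `Channel`, `EventProfile`, `FilterResult` and `filterDisabledChannels` are hypothetical stand-ins written as Java 16+ records, and the URIs are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class DisabledChannelFilterExample {

    // Hypothetical stand-ins for the project's Channel and EventProfile models.
    record Channel(String name, String uri) { }
    record EventProfile(String profile, String uri, List<Channel> channels) { }

    // Filtered profile, the URIs that were removed, and configured URIs that matched nothing.
    record FilterResult(EventProfile profile, List<String> removedUris, Set<String> unmatchedUris) { }

    static FilterResult filterDisabledChannels(EventProfile profile, Set<String> disabledChannels) {
        List<Channel> kept = new ArrayList<>();
        List<String> removed = new ArrayList<>();
        // A profile without channels is treated as having an empty channel list.
        List<Channel> channels = profile.channels() == null ? List.of() : profile.channels();
        for (Channel channel : channels) {
            if (channel == null) {
                continue; // Drop null entries instead of failing the whole profile load.
            }
            String uri = channel.uri();
            // Test uri for null first: immutable sets such as Set.of() throw on contains(null).
            if (uri != null && disabledChannels.contains(uri)) {
                removed.add(uri);
            } else {
                kept.add(channel);
            }
        }
        // Per-profile view only: with several profiles, combine the results before
        // warning, because a URI may belong to a channel in another profile.
        Set<String> unmatched = new LinkedHashSet<>(disabledChannels);
        removed.forEach(unmatched::remove);
        EventProfile filtered = new EventProfile(profile.profile(), profile.uri(), kept);
        return new FilterResult(filtered, removed, unmatched);
    }

    public static void main(String[] args) {
        // Constructed sample data; these are not the project's real channel URIs.
        EventProfile profile = new EventProfile("SampleProfile", "https://example.test/profile",
                Arrays.asList(
                        new Channel("Logins", "https://example.test/events/logins"),
                        null,
                        new Channel("Consents", "https://example.test/events/consent"),
                        new Channel("No URI", null)));
        Set<String> disabled = Set.of(
                "https://example.test/events/consent",
                "https://example.test/events/consnet-purpose"); // Deliberate typo in the config value.

        FilterResult result = filterDisabledChannels(profile, disabled);
        System.out.println("Kept: " + result.profile().channels());
        System.out.println("Removed: " + result.removedUris());
        System.out.println("Configured but never matched: " + result.unmatchedUris());
    }
}
```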

@hwupathum hwupathum force-pushed the consent-webhook branch 2 times, most recently from a98850b to ef6fd45 Compare June 24, 2026 12:27
@coderabbitai coderabbitai Bot requested review from ThaminduR and mpmadhavig June 24, 2026 12:30

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/consent/PolicyConsentPostAuthnHandler.java (1)

419-424: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Log the consent-app mapping lookup failure before wrapping it.

This catch block converts a data-access failure into PostAuthenticationFailedException without a framework log. Add a safe WARN log with identifiers and the error message only.

As per path instructions, "Suggest log statements at error handling boundaries (catch blocks, error returns)."

Proposed log
         } catch (ConsentAppMappingException e) {
+            if (LOG.isWarnEnabled()) {
+                LOG.warn(String.format("Error retrieving policy config mappings for application: %s in tenant: %s. "
+                        + "Error: %s.", appResourceId, context.getTenantDomain(), e.getMessage()));
+            }
             throw new PostAuthenticationFailedException(
                     ErrorMessages.ERROR_WHILE_PROCESSING_POLICY_CONSENT.getCode(),
                     String.format("Error retrieving policy config mappings for application: %s in tenant: %s.",
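
Review bot: The added `LOG.warn` call repeats the format string that the `PostAuthenticationFailedException` below it also builds, so the two messages can drift apart; build the message once in a local variable and reuse it in both places. The hunk ends before the exception's last arguments, so also check that `e` is still passed as the cause, since the log line keeps only `e.getMessage()`.
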
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/consent/PolicyConsentPostAuthnHandler.java`
around lines 419 - 424, The ConsentAppMappingException catch in
PolicyConsentPostAuthnHandler should emit a safe WARN log before throwing
PostAuthenticationFailedException. Add a warning in the catch block that
includes the relevant identifiers already available there, such as appResourceId
and context.getTenantDomain(), and log only the exception message (not the stack
trace) before wrapping and rethrowing the failure.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/consent/PolicyConsentPostAuthnHandler.java`:
- Around line 346-356: Normalize the upstream persona before constructing the
consent flow in PolicyConsentPostAuthnHandler: when reading the current flow
from IdentityContext and its initiating persona, map unsupported values like
SYSTEM to a valid persona (for CONSENT_ADD this should fall back to APPLICATION
or another supported persona) before calling Flow.Builder.build(). Update the
consent-flow creation logic so Flow.Builder.validate() never sees an invalid
persona and the consent error handling path remains reachable.

In
`@components/identity-core/org.wso2.carbon.identity.core/src/main/java/org/wso2/carbon/identity/core/context/model/Flow.java`:
- Line 122: The divider comment in Flow’s consent management section does not
follow the Java comment guideline. Update the section comments around the
consent flow markers so they start with a space, begin with a capitalized word,
and end with a period, keeping the same intent while making the comment style
consistent with the rest of the class.

📥 Commits

Reviewing files that changed from the base of the PR and between 3804871 and ef6fd45.

📒 Files selected for processing (8)
  • components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/consent/PolicyConsentPostAuthnHandler.java
  • components/identity-core/org.wso2.carbon.identity.core/src/main/java/org/wso2/carbon/identity/core/context/model/Flow.java
  • components/webhook-mgt/org.wso2.carbon.identity.webhook.metadata/src/main/java/org/wso2/carbon/identity/webhook/metadata/internal/dao/impl/FileBasedEventProfileMetadataDAOImpl.java
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/identity-event.properties
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/org.wso2.carbon.identity.event.server.feature.default.json
🚧 Files skipped from review as they are similar to previous changes (5)
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json
  • features/identity-event/org.wso2.carbon.identity.event.server.feature/resources/identity-event.properties
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
  • components/webhook-mgt/org.wso2.carbon.identity.webhook.metadata/src/main/java/org/wso2/carbon/identity/webhook/metadata/internal/dao/impl/FileBasedEventProfileMetadataDAOImpl.java
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
