Introduce new scopes for admin level consent APIs

[hwupathum]

Proposed changes in this pull request

Add API resource definitions and access control configurations for the Consent Management V2 Consents API.

• Add Consent Management V2 Consents API system API resource with internal_consent_mgt_consent_view, internal_consent_mgt_consent_create, and internal_consent_mgt_consent_update scopes for tenant-level access in
  system-api-resource.xml and system-api-resource.xml.j2
• Add Consent Management V2 Consents API system API resource with internal_org_consent_mgt_consent_view, internal_org_consent_mgt_consent_create, and internal_org_consent_mgt_consent_update scopes for organization-level access
• Update resource-access-control-v2.xml and resource-access-control-v2.xml.j2 to add proper scope-based authorization for POST and GET methods on /api/identity/consent-mgt/v2.0/consents and /o/api/identity/consent-mgt/v2.0/consents
  endpoints (previously unsecured)
• Add PATCH resource access control for /api/identity/consent-mgt/v2.0/consents/{id} and /o/api/identity/consent-mgt/v2.0/consents/{id} endpoints with update scopes

When should this PR be merged

This PR should be merged after the corresponding Consent Management V2 API implementation PRs are ready to merge.

Follow up actions

• Verify consent management V2 API endpoints enforce scopes correctly in integration testing
• Ensure the admin scopes are registered in the product-is pack

Developer Checklist (Mandatory)

• Complete the Developer Checklist in the related product-is issue to track any behavioral change or migration impact.

Checklist (for reviewing)

General

• Is this PR explained thoroughly? All code changes must be accounted for in the PR description.
• Is the PR labeled correctly?

Functionality

• Are all requirements met? Compare implemented functionality with the requirements specification.
• Does the UI work as expected? There should be no Javascript errors in the console; all resources should load. There should be no unexpected errors. Deliberately try to break the feature to find out if there are corner cases that are not handled.

Code

• Do you fully understand the introduced changes to the code? If not ask for clarification, it might uncover ways to solve a problem in a more elegant and efficient way.
• Does the PR introduce any inefficient database requests? Use the debug server to check for duplicate requests.
• Are all necessary strings marked for translation? All strings that are exposed to users via the UI must be marked for translation.

Tests

• Are there sufficient test cases? Ensure that all components are tested individually; models, forms, and serializers should be tested in isolation even if a test for a view covers these components.
• If this is a bug fix, are tests for the issue in place? There must be a test case for the bug to ensure the issue won’t regress. Make sure that the tests break without the new code to fix the issue.
• If this is a new feature or a significant change to an existing feature? has the manual testing spreadsheet been updated with instructions for manual testing?

Security

• Confirm this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.
• Are all UI and API inputs run through forms or serializers?
• Are all external inputs validated and sanitized appropriately?
• Does all branching logic have a default case?
• Does this solution handle outliers and edge cases gracefully?
• Are all external communications secured and restricted to SSL?

Documentation

• Are changes to the UI documented in the platform docs? If this PR introduces new platform site functionality or changes existing ones, the changes should be documented.
• Are changes to the API documented in the API docs? If this PR introduces new API functionality or changes existing ones, the changes must be documented.
• Are reusable components documented? If this PR introduces components that are relevant to other developers (for instance a mixin for a view or a generic form) they should be documented in the Wiki.

[coderabbitai]

📝 Walkthrough

Walkthrough

Two pairs of files are updated to register Consent Management V2 consents endpoints as system API resources with view/create/update scopes at both tenant and organization levels, and to expand the corresponding resource access control rules from simple method entries to operation-based authorization with a new PATCH-by-id rule.

Changes

Consent Management V2 Consents Authorization

Layer / File(s)	Summary
APIResource scope definitions (tenant and org) features/api-resource-mgt/.../system-api-resource.xml, features/api-resource-mgt/.../system-api-resource.xml.j2	Adds APIResource entries for /api/identity/consent-mgt/v2.0/consents (TENANT) and /o/api/identity/consent-mgt/v2.0/consents (ORGANIZATION), each declaring internal_consent_mgt_consent_view/create/update and internal_org_consent_mgt_consent_view/create/update scopes respectively, in both the static XML and its Jinja2 template.
Resource access control: operation-based authorization + PATCH rule features/identity-core/.../resource-access-control-v2.xml, features/identity-core/.../resource-access-control-v2.xml.j2	Replaces self-closing POST/GET and GET-by-id secured entries for both org-scoped and non-org-scoped consents endpoints with explicit rules requiring internal_login and mandatory createConsent/viewConsent operation checks tied to the new scopes. Adds new secured PATCH rules for consents/(.+)$ requiring the corresponding update scope. Applied to both the static XML and its Jinja2 template.

Suggested reviewers

• DilshanSenarath

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description provides thorough details on proposed changes, scope additions, file updates, endpoint security improvements, and follow-up actions. However, it does not follow the required template structure with sections like Purpose, Goals, Approach, and other mandatory sections.	Restructure the description to follow the repository's required template, including Purpose with issue links, Goals, Approach, User stories, Release notes, Documentation, Training, Certification, Marketing, Tests, Security checks, Samples, Related PRs, Migrations, Test environment, and Learning sections.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: introducing new scopes for admin-level consent APIs.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

🧹 Nitpick comments (1)

features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2 (1)

495-505: 🔒 Security & Privacy | 🔵 Trivial

Constrain consent ID routes to single path segment to prevent regex overlap.

The current regex patterns (.+)$ on lines 379 and 387 (organization) and 453 and 461 (tenant) in the static XML, and the corresponding lines in the .j2 file, unintentionally match nested paths like /consents/{id}/validate. This creates overlap: requests to /consents/abc/validate match both the by-id GET rule and the dedicated validate route rule.

Change (.+) to [^/]+ in all four consent by-id routes (both GET and PATCH, organization and tenant, in both files). This restricts the ID capture to a single path segment, eliminating overlap and making routing intent explicit without changing authorization behavior for valid single-segment IDs.

Pattern comparison

/o/api/identity/consent-mgt/v2.0/consents/abc/validate

Current patterns (overlapping):
  ✓ matches: (.*)/o/api/identity/consent-mgt/v2.0/consents/(.+)$
  ✓ matches: (.*)/o/api/identity/consent-mgt/v2.0/consents/(.+)/validate

With proposed fix ([^/]+):
  ✗ no match: (.*)/o/api/identity/consent-mgt/v2.0/consents/[^/]+$
  ✓ matches: (.*)/o/api/identity/consent-mgt/v2.0/consents/[^/]+/validate

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2`
around lines 495 - 505, In the resource-access-control-v2.xml.j2 file, replace
the regex pattern `(.+)$` with `[^/]+$` in all consent by-id route definitions
to prevent regex overlap. Specifically, update the context attribute in both the
GET and PATCH Resource elements that match the consent-mgt v2.0 consents by-id
endpoint patterns. The pattern `[^/]+` will restrict the ID capture to a single
path segment without slashes, eliminating unintended matches to nested paths
like `/consents/{id}/validate` while maintaining the same authorization behavior
for valid single-segment IDs. Ensure this change is applied to all four
occurrences in the file (both GET and PATCH methods).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2`:
- Around line 495-505: In the resource-access-control-v2.xml.j2 file, replace
the regex pattern `(.+)$` with `[^/]+$` in all consent by-id route definitions
to prevent regex overlap. Specifically, update the context attribute in both the
GET and PATCH Resource elements that match the consent-mgt v2.0 consents by-id
endpoint patterns. The pattern `[^/]+` will restrict the ID capture to a single
path segment without slashes, eliminating unintended matches to nested paths
like `/consents/{id}/validate` while maintaining the same authorization behavior
for valid single-segment IDs. Ensure this change is applied to all four
occurrences in the file (both GET and PATCH methods).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: d719f1b2-75c5-41f1-9022-3cb03ee6eae0

📥 Commits

Reviewing files that changed from the base of the PR and between c97c4ea and 85df370.

📒 Files selected for processing (4)

• features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml
• features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2
• features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml
• features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.81%. Comparing base (93e0996) to head (85df370).
⚠️ Report is 17 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #8180      +/-   ##
============================================
+ Coverage     52.77%   52.81%   +0.03%     
+ Complexity    21216    21178      -38     
============================================
  Files          2197     2197              
  Lines        130819   130615     -204     
  Branches      19654    19622      -32     
============================================
- Hits          69040    68978      -62     
+ Misses        53364    53241     -123     
+ Partials       8415     8396      -19     

Flag	Coverage Δ
unit	38.23% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.