Add Admin defined constraints for key manager application configurations

[manodyaSenevirathne]

Purpose

This PR introduces Frontend changes for configurable security guardrails in Key Manager Application configurations

Fixes : wso2/api-manager#4663

UI improvements

• In Admin Portal , Added a section named 'Application Configuration Constraints' under 'Advanced Configurations'.
• In Dev Portal , Added user input validation onChange and display relevant error message in the tooltip area.

See below example scenario
Admin Portal (Create/Edit Key Manager View)

Dev Portal (Applications -> OAuth2 Token -> Key Configuration)

0210.mp4

---

[update on 16/02/2026]

Redid the UI after the suggestions from code review

Screen.Recording.2026-02-16.at.21.28.52.mov

Screen.Recording.2026-02-16.at.21.29.49.mov

Summary by CodeRabbit

• New Features

  • Application Configuration Constraints: UI to define and enforce range/enum/regex constraints across Key Managers and App configuration, with live validation and persisted constraints during save/update.

• Bug Fixes

  • Improved validation/error display so required fields show errors correctly while tooltips remain for non-error states.

• Documentation

  • Added localization text for constraint-related UI.

[CLAassistant]

All committers have signed the CLA.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds application-configuration constraints end-to-end: validator implementation (RANGE_MIN, RANGE_MAX, RANGE, ENUM, REGEX), UI validation and error reporting in AppConfiguration/KeyConfiguration, localization key, and wiring of constraints into Add/Edit Key Manager load/save flows.

Changes

Cohort / File(s)	Summary
Localization portals/admin/src/main/webapp/site/public/locales/en.json	Added KeyManagers.AddEditKeyManager.app.config.constraints localization key.
Key Manager Admin UI portals/admin/src/main/webapp/source/src/app/components/KeyManagers/AddEditKeyManager.jsx, portals/admin/src/main/webapp/source/src/app/components/KeyManagers/KeyManagerConfiguration.jsx	Added CONSTRAINT_TYPES, parsing helpers, UI state for available/appConfigConstraints; propagate constraints into additionalProperties.constraints on save/update; initialize/populate constraints when editing; adjust helperText logic to prefer required-field errors over tooltips.
Developer Portal — App & Key Config UI portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/AppConfiguration.jsx, portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/KeyConfiguration.jsx	Added runtime constraint validation, constraint error messaging, onValidationError callback, per-config error tracking (configErrorsRef), aggregated error state in KeyConfiguration, and unified helper/error rendering across inputs.
Developer Portal — Validator portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/constraintValidator.js	New validateConstraint utility (default export) implementing RANGE_MIN, RANGE_MAX, RANGE, ENUM, REGEX checks; returns { valid, message } and supports intl message fallbacks.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant AppConfig as AppConfiguration
    participant Validator as constraintValidator
    participant KeyConfig as KeyConfiguration
    participant KMAdmin as AddEditKeyManager

    User->>AppConfig: Enter/update config value
    AppConfig->>Validator: validateConstraint(value, constraint)
    Validator-->>AppConfig: { valid, message }
    AppConfig->>AppConfig: Update local error state
    AppConfig->>KeyConfig: onValidationError(configName, hasError)
    KeyConfig->>KeyConfig: Aggregate config errors + callback errors
    KeyConfig->>KMAdmin: Provide constraints for save (additionalProperties.constraints)
    KMAdmin->>KMAdmin: Build/merge constraints and persist Key Manager
    KMAdmin-->>User: Confirm save/update

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I hop through constraints, checking each line,

Ranges and enums keep values in line,
Regex and bounds I guard with care,
I nudge the form so errors beware,
A tiny hop — configurations align.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title directly and accurately reflects the main objective: adding admin-defined constraints for key manager application configurations, which is the primary feature implemented across multiple components.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/AppConfiguration.jsx (1)

248-262: ⚠️ Potential issue | 🟡 Minor

useEffect dependency array is missing config.

The effect reads config.constraint (line 255) but the dependency array only includes [previousValue, settingsContext]. If the constraint on a config changes (e.g., switching key managers) while previousValue stays the same, validation won't re-run. Add config (or at least config.constraint) to the dependency array.

-    }, [previousValue, settingsContext]);
+    }, [previousValue, settingsContext, config]);

portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/KeyConfiguration.jsx (1)

529-538: ⚠️ Potential issue | 🟡 Minor

Missing key prop on <AppConfiguration> inside .map().

React requires a unique key when rendering lists. This will produce a console warning and can cause subtle UI bugs with component state preservation during re-renders.

Proposed fix

 {applicationConfiguration.length > 0 && applicationConfiguration.map((config) => (
     <AppConfiguration
+        key={config.name}
         config={config}
         previousValue={getPreviousValue(config)}

🤖 Fix all issues with AI agents

In
`@portals/admin/src/main/webapp/source/src/app/components/KeyManagers/AddEditKeyManager.jsx`:
- Around line 741-746: The code assigns constraints[key] by calling
parseConstraintValueToInput with the wrong property: it passes
constraintConfig.type (UI input type) instead of the constraint type; update the
call where constraints[key] is set to pass constraintConfig.constraintType so
parseConstraintValueToInput receives the actual constraint kind (e.g., 'RANGE',
'REGEX') and returns the correct value; locate the assignment using the symbols
constraints[key], constraintConfig, and parseConstraintValueToInput to make this
change.

In
`@portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/constraintValidator.js`:
- Around line 50-62: The numeric branches (cases for VALIDATOR_TYPES.RANGE_MIN,
RANGE_MAX, and RANGE) incorrectly treat empty/blank input as 0 because
Number('') === 0; update each numeric branch in constraintValidator.js to first
guard against empty/blank input (check inputValue === '' || inputValue == null
|| /^\s*$/.test(inputValue)) and return { valid: false, message: <required
message> } before converting to Number; then proceed to parse numericInput and
run the existing NaN/min/max checks so blank values no longer silently pass the
range validation.
- Around line 109-131: In the VALIDATOR_TYPES.ENUM branch, guard against allowed
being null/undefined by providing a safe default or an early validation check:
ensure the destructured symbol allowed from value defaults to an empty array (or
bail out with valid:false) before any call to allowed.includes, so the
Array.isArray(inputValue) checks and the includes calls in this case
(referencing allowed, inputValue, messages, intl, and messages.enumInvalid)
never throw a TypeError; update the ENUM case to treat missing allowed as [] (or
return a clear invalid response) and use allowed.join(', ') only when
allowed.length > 0.

In
`@portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/KeyConfiguration.jsx`:
- Around line 218-233: In callBackHasErrors, the expression updateHasError(true
|| anyConstraintError) short-circuits and renders anyConstraintError dead;
replace that call with updateHasError(true) to be explicit (or, if you truly
meant “either callback OR constraint errors”, compute a boolean like const
hasError = true || anyConstraintError and pass hasError), updating the call in
callBackHasErrors that currently uses updateHasError(true || anyConstraintError)
and keeping surrounding calls to setHasCallbackError and setCallbackHelper
unchanged.

🧹 Nitpick comments (6)

portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/constraintValidator.js (1)

134-151: Invalid regex silently passes validation — consider warning the user.

When the admin-provided regex pattern is itself invalid (caught at line 146), the validator returns { valid: true }, silently accepting any input. This could mask a misconfiguration. A log or console warning would help admins diagnose why their regex constraint appears to have no effect.

portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/AppConfiguration.jsx (2)

180-209: defineMessages called inside the component body on every render.

defineMessages is a compile-time helper for message extraction and should be called at module level. Placing it inside the component doesn't break functionality, but it unnecessarily recreates the object on every render and is non-idiomatic.

---

118-147: Same observation for AppConfigLabels and AppConfigToolTips.

These defineMessages calls are also inside the component body. Consider hoisting all three (AppConfigLabels, AppConfigToolTips, ConstraintErrorMessages) to module scope.

portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/KeyConfiguration.jsx (1)

162-176: handleConfigValidationError captures hasCallbackError from the render closure — potential stale state.

If setHasCallbackError and handleConfigValidationError are called in the same React batch (e.g., during initial mount effects), hasCallbackError in the closure may still reflect the previous render's value. Using a ref for hasCallbackError (similar to configErrorsRef) or a functional updater pattern would make this more robust.

This is unlikely to cause issues in practice with the current flow, but worth noting for future maintainability.

portals/admin/src/main/webapp/source/src/app/components/KeyManagers/AddEditKeyManager.jsx (2)

545-561: RANGE parsing is fragile with - as both delimiter and negative sign.

Splitting on - means ranges with negative numbers (e.g., -100-200) will be misinterpreted. This is likely acceptable for the current use case (token expiry times are non-negative), but if this utility is reused for other constraint types in the future, it will silently fail.

Consider using a more unambiguous delimiter or documenting the non-negative assumption.

---

759-766: additionalProperties is read inside the effect but not listed as a dependency.

getAppConfigConstraints() reads additionalProperties from the closure, but only availableAppConfigConstraints and id are listed as dependencies. This works in practice due to React 18 batching (both dispatch and setAvailableAppConfigConstraints are called in the same .then() callback), but it's fragile and would be flagged by the react-hooks/exhaustive-deps lint rule.

If the effect is intentionally a one-time initialization, consider adding a comment explaining why additionalProperties is intentionally excluded, or use a ref to capture its latest value.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/KeyConfiguration.jsx (1)

528-537: ⚠️ Potential issue | 🟡 Minor

Missing key prop on AppConfiguration in the .map() iterator.

React requires a key prop for list-rendered components. Without it, reconciliation may behave incorrectly and React will emit a console warning.

Proposed fix

  {applicationConfiguration.length > 0 && applicationConfiguration.map((config) => (
      <AppConfiguration
+         key={config.name}
          config={config}
          previousValue={getPreviousValue(config)}
          isUserOwner={isUserOwner}
          handleChange={handleChange}
          subscriptionScopes={subscriptionScopes}
          onValidationError={handleConfigValidationError}
      />
  ))}

portals/admin/src/main/webapp/source/src/app/components/KeyManagers/AddEditKeyManager.jsx (1)

316-324: ⚠️ Potential issue | 🟡 Minor

Use .find() instead of .map() to avoid stale availableAppConfigConstraints state.

The iteration at line 298 uses .map() but discards the return values. If keyManagerType is 'default' and no WSO2-IS entry exists in settings.keyManagerConfiguration, neither condition at lines 302 nor 318 matches, and setAvailableAppConfigConstraints is never called. This leaves the state with a stale value from a previous type selection. Consider using .find() to short-circuit the search and add a fallback that explicitly sets constraints to an empty array if no match is found.

🤖 Fix all issues with AI agents

In
`@portals/admin/src/main/webapp/source/src/app/components/KeyManagers/AddEditKeyManager.jsx`:
- Around line 620-651: The code that builds additionalPropertiesWithConstraints
silently omits constraints when parseInputToConstraintValue(constraintType,
value) returns null (e.g., malformed RANGE); update the logic in the
constraint-building block (around additionalPropertiesWithConstraints and
parseInputToConstraintValue) to detect null returns and surface a validation
error instead of silently skipping: mark the form as invalid (e.g., set
formHasErrors or a new validation state for the specific key), add a user-facing
warning/message for that constraint key, and prevent the save until corrected
(mirror the existing formHasErrors handling used elsewhere), while still
preserving the ENUM-all-selected skip behavior for CONSTRAINT_TYPES.ENUM.
- Around line 525-543: parseConstraintValueToInput crashes when constraintValue
is null because branches access properties without a guard; update
parseConstraintValueToInput to first check if constraintValue is null/undefined
and return the appropriate empty default per CONSTRAINT_TYPES (e.g., '' for
RANGE/RANGE_MIN/RANGE_MAX/REGEX, [] for ENUM, or null for unknown types) before
accessing constraintValue.min/pattern/allowed; ensure the function still handles
valid objects as before and reference the parseConstraintValueToInput function
and CONSTRAINT_TYPES constants when applying the guard so
getAppConfigConstraints can safely pass null.
- Around line 717-749: The crash happens because getAppConfigConstraints calls
parseConstraintValueToInput(constraintConfig.constraintType, null) when there is
no saved value or default; update getAppConfigConstraints to avoid passing null
— e.g., compute const inputValue = savedConstraint?.value ??
(constraintConfig.default ?? undefined) and then call
parseConstraintValueToInput(constraintConfig.constraintType, inputValue)
(keeping the existing ENUM branch for CONSTRAINT_TYPES.ENUM); reference
getAppConfigConstraints, parseConstraintValueToInput,
availableAppConfigConstraints, additionalProperties, id and
CONSTRAINT_TYPES.ENUM when making the change.

In
`@portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/constraintValidator.js`:
- Around line 50-62: The RANGE_MIN/RANGE_MAX/RANGE branches in the validator
(switch on type in constraintValidator.js) call inputValue.trim() but inputValue
is typed any and may be number/null/undefined; coerce inputValue to a string
before trimming (e.g., const trimmed = String(inputValue || '').trim()) and then
use Number(trimmed) for numeric checks and comparisons in the
VALIDATOR_TYPES.RANGE_MIN, VALIDATOR_TYPES.RANGE_MAX and VALIDATOR_TYPES.RANGE
cases so the validator no longer throws when inputValue is not a string.

🧹 Nitpick comments (5)

portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/constraintValidator.js (1)

137-154: Silently passing validation on an invalid admin-supplied regex may hide misconfiguration.

When new RegExp(pattern) throws (invalid regex), the catch block returns { valid: true }, effectively disabling the constraint. Consider logging a warning so admins can detect the bad pattern, rather than silently skipping.

Proposed enhancement

         } catch (e) {
             // If the regex itself is invalid, skip validation
+            console.warn('Invalid constraint regex pattern:', pattern, e);
             return { valid: true, message: '' };
         }

portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/KeyConfiguration.jsx (1)

147-150: Remove unused callbackError from destructuring.

callbackError is destructured on line 148 but never referenced in the component. The callback-URL <TextField> error handling has been migrated to use hasCallbackError (a local state variable defined on line 163, used on line 518). Remove callbackError from the destructuring to clean up the code.

portals/admin/src/main/webapp/source/src/app/components/KeyManagers/AddEditKeyManager.jsx (3)

545-561: RANGE parsing breaks for negative numbers or values containing hyphens.

String(value).split('-') at line 549 splits on every -, so inputs like "-100-200" (negative min) or even the more exotic "100--200" produce more than 2 parts and silently return null. While token expiry values are likely positive, the function doesn't document or enforce this assumption, and a user-entered negative range would be silently discarded during save with no error feedback.

Consider a more robust split, e.g., splitting on the last - preceded by a digit, or requiring the delimiter to be surrounded by digits.

Proposed fix — use a regex-based split

         case CONSTRAINT_TYPES.RANGE: {
-            // "min-max" → { min, max }
-            const parts = String(value).split('-');
-            if (parts.length !== 2) {
+            // "min-max" → { min, max }  (supports negative numbers)
+            const match = String(value).match(/^\s*(-?\d+(?:\.\d+)?)\s*-\s*(-?\d+(?:\.\d+)?)\s*$/);
+            if (!match) {
                 // invalid format
                 return null;
             }
-            const min = parseFloat(parts[0].trim());
-            const max = parseFloat(parts[1].trim());
+            const min = parseFloat(match[1]);
+            const max = parseFloat(match[2]);
             if (Number.isNaN(min) || Number.isNaN(max)) {

---

296-326: .map() used for side-effects only — should be .forEach().

settings.keyManagerConfiguration.map(...) at line 298 is used purely for side effects (setting state). The return values (true/false) are unused. Using .forEach() is semantically correct and avoids allocating a discarded array.

---

759-766: Missing additionalProperties in useEffect dependency array.

getAppConfigConstraints() reads additionalProperties (line 719), but the effect only depends on [availableAppConfigConstraints, id]. During edit, the flow works because both dispatch (which updates additionalProperties) and setAvailableAppConfigConstraints are called in the same tick (line 375–376), so the first render after both state updates will have the correct data when the effect fires.

However, this will trigger a React Hooks exhaustive-deps lint warning. Since adding additionalProperties would re-run the effect on every constraint edit (undesirable), consider either suppressing the lint rule with a justification comment, or extracting additionalProperties.constraints into a ref to break the closure dependency.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In
`@portals/admin/src/main/webapp/source/src/app/components/KeyManagers/AddEditKeyManager.jsx`:
- Around line 547-560: The RANGE branch currently uses String(value).split('-')
which fails for negative numbers; replace that parsing with a regex that
captures two signed numbers and optional whitespace so negatives parse
correctly. In the CONSTRAINT_TYPES.RANGE case, match value against a pattern
like /^\s*([+-]?\d+(\.\d+)?)\s*-\s*([+-]?\d+(\.\d+)?)\s*$/; if there is no match
return null, otherwise parseFloat(match[1]) and parseFloat(match[3]) to obtain
min and max and return { min, max } (preserving the existing Number.isNaN
checks).
- Around line 759-766: The effect using useEffect should include
additionalProperties in its dependency array because getAppConfigConstraints()
reads additionalProperties?.constraints and importKMConfig() can update
additionalProperties without changing availableAppConfigConstraints; update the
dependency array for the useEffect that calls getAppConfigConstraints()
(referenced by useEffect, getAppConfigConstraints, setAppConfigConstraints,
availableAppConfigConstraints, additionalProperties, importKMConfig) to include
additionalProperties (or alternatively derive additionalProperties.constraints
into a stable ref and depend on that) so the effect re-runs with the latest
additionalProperties when config is imported.

🧹 Nitpick comments (1)

portals/admin/src/main/webapp/source/src/app/components/KeyManagers/AddEditKeyManager.jsx (1)

316-324: WSO2-IS fallback for default key manager type — verify intent.

When keyManagerType === 'default', this iterates through all KM configs looking for WSO2-IS to borrow its availableAppConfigConstraints. The return true/return false inside .map() has no practical effect (map return value is discarded), but the side effect (setAvailableAppConfigConstraints) will trigger for the last matching entry if multiple iterations occur. Consider using .find() or .some() instead of .map() to make the intent clearer and avoid executing the callback for every element.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/constraintValidator.js`:
- Around line 137-154: The REGEX branch currently calls new RegExp(pattern) even
when pattern is undefined, which creates a regex that matches everything; add a
guard before constructing the RegExp in the VALIDATOR_TYPES.REGEX case to detect
a missing/empty pattern (e.g., when value is {} or pattern is falsy) and
short-circuit to the same "skip validation" response used in the catch branch
(return { valid: true, message: '' }) so the validator does not silently accept
all inputs; update the logic around pattern/value in the REGEX block that
references pattern, value, inputValue, intl, and messages.

🧹 Nitpick comments (1)

portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/constraintValidator.js (1)

115-125: Fallback error message is slightly misleading for empty multi-select.

When inputValue is [] (empty selection) and allowed.length > 0, the condition on line 118 triggers, but the fallback message on line 123 reads:

Values must be from: web, native. Invalid:

The "Invalid: " suffix is empty, which is confusing. The intl.formatMessage path likely produces a cleaner message, but the fallback could be improved.

Proposed fix

                     return {
                         valid: false,
                         message: intl && messages
                             ? intl.formatMessage(messages.enumInvalid, { allowed: allowed.join(', ') })
-                            : `Values must be from: ${allowed.join(', ')}. Invalid: ${invalidValues.join(', ')}`,
+                            : invalidValues.length > 0
+                                ? `Values must be from: ${allowed.join(', ')}. Invalid: ${invalidValues.join(', ')}`
+                                : `At least one value must be selected from: ${allowed.join(', ')}`,
                     };

[sonarqubecloud]

Quality Gate passed

Issues
33 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud