🐛 Add identity role handling to application manage credentials

[sjd78]

Part 1 of 2: https://issues.redhat.com/browse/MTA-6122
Part 1 of 2: #2599
Requires hub changes in: konveyor/tackle2-hub#911

Use kind=source identities for asset repositories by adding a role to the application.identities array. Removal of the management of kind=asset identities will be done in a later PR. The identity Ref roles will be used by HUB and AddOns as appropriate instead of relying on the identity's kind.

Manage Credentials modal:

• Remains unchanged visually
• Will retain any identities that do not have a role of source, maven, or asset
• Each drop down assigns a role to the selected identity

Summary by CodeRabbit

• New Features

  • Role-based identity management for applications with role-aware defaults and selection (source, maven, asset).

• Bug Fixes

  • Preserves existing non-managed identities when updating.
  • Improved validation and clearer error feedback to prevent duplicate or mismatched identities.

• Refactor

  • Consolidated identities into a unified top-level structure and streamlined identity fetching for more consistent form behavior.

[coderabbitai]

Walkthrough

Adds a role-annotated identity type to API models and migrates application identity handling from kind-based refs to role-based RefWithRole. Updates form logic, fetching hook usage, defaults/validation, and patching to preserve non-managed identities; one modal file only has an import reorder.

Changes

Cohort / File(s)	Summary of changes
API models: role-annotated identities client/src/app/api/models.ts	Adds RefWithRole<RoleType = string> extending Ref with optional role. Adds ManagedIdentityRole and IdentityRole type aliases. Changes Application.identities from Ref[] to RefWithRole<IdentityRole>[].
Application identity form: role-based refactor client/src/app/pages/applications/application-identity-form/application-identity-form.tsx	Replaces kind-based identity handling with role-based (RefWithRole). Uses application.identities instead of direct.identities. Introduces helpers (identityToRefWithRole, firstIdentityOfRole, hasIdentityOfRole), adjusts hook usage to return { identities, identitiesByKind }, updates defaults/validation/options, and patches identities while preserving non-managed identities via otherIdentitiesPerApplication. Adds/changes several imports (HookFormPFGroupController, NotificationsContext, SimpleSelect, getAxiosErrorMessage, yupResolver).
Modal import tidy-up client/src/app/pages/applications/application-identity-form/application-identity-modal.tsx	Reorders import of ApplicationIdentityForm; no behavioral or API changes.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant Form as ApplicationIdentityForm
  participant Hook as useFetchIdentities
  participant API as Backend API

  User->>Form: Open identity form
  Form->>Hook: fetch identities
  Hook-->>Form: identities, identitiesByKind

  Note over Form: Compute defaults using firstIdentityOfRole\n(options derived from identitiesByKind)

  User->>Form: Select source/maven/asset
  Form->>Form: Validate via hasIdentityOfRole

  User->>Form: Submit
  Form->>Form: Build updatedIdentities (RefWithRole[])
  Form->>Form: Merge with otherIdentitiesPerApplication (preserve non-managed)
  Form->>API: PATCH Application.identities
  API-->>Form: Success / Error
  Form-->>User: Notify result

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• ✨ Add a slot for "asset repository credentials" to the application manage credentials modal #2579 — touches application identity model and Manage Credentials UI, likely related to role/kind identity changes and associated UI flows.

Suggested reviewers

• ibolton336
• rszwajko

Poem

A rabbit hops through models and forms,
I add a role where each ref warms.
Source, maven, asset — in tidy rows,
I patch and keep the extras close.
Thump—identities snug as carrots 🥕🐇

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Pre-merge checks

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title succinctly identifies the primary change—adding identity role handling for the application's Manage Credentials flow—and correctly uses the repository's 🐛 prefix; it maps directly to the changes in models and the credentials UI and is neither misleading nor overly broad. A minor grammatical tweak could improve readability but does not reduce clarity about the main change.
Description Check	✅ Passed	The PR description clearly states the purpose (adding a role field to application.identities to enable using kind=source for asset repos), references the related issue and hub PR, and summarizes scope and user-visible behavior (including that this is Part 1 of 2), giving reviewers sufficient technical and migration context. It documents important details about the manage-credentials modal, the intended follow-up work, and the hub dependency, so the description is actionable for reviewers. The repository template only prescribes a PR title prefix (emoji alias) which cannot be validated from the description body, therefore the description content itself is acceptable.

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 622b0d1 and 582306b.

📒 Files selected for processing (3)

• client/src/app/api/models.ts (2 hunks)
• client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (7 hunks)
• client/src/app/pages/applications/application-identity-form/application-identity-modal.tsx (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (4)

client/src/app/api/models.ts (4)

• Identity (223-237)
• RefWithRole (93-95)
• Ref (85-88)
• Application (142-167)

client/src/app/utils/model-utils.tsx (2)

• toRef (238-244)
• toRefs (256-260)

client/src/app/pages/applications/useDecoratedApplications.ts (1)

• DecoratedApplication (39-69)

client/src/app/queries/identities.ts (1)

• useFetchIdentities (58-78)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: unit-test
• GitHub Check: build-and-upload-for-global-ci

🔇 Additional comments (9)

client/src/app/api/models.ts (1)

93-96: Good addition: role-aware ref wrapper

Optional role keeps backward compatibility. No issues.

client/src/app/pages/applications/application-identity-form/application-identity-modal.tsx (1)

6-7: Import reorder only

No behavioral change. Looks fine.

client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (7)

56-65: Helper is correct

identityToRefWithRole builds the correct payload shape and tolerates nulls.

---

66-79: Role-based lookups/readiness checks look good

firstIdentityOfRole and hasIdentityOfRole are straightforward and efficient.

---

87-87: Fetching identities by kind

No issues; memoized identitiesByKind aligns with usage below.

---

91-91: Intentional: asset options sourced from kind=source

Matches PR objective (asset role uses source identities).

If HUB ever exposes dedicated asset kind again, confirm this still matches product behavior.

---

135-139: Building managed-role updates is correct

Type and filtering are appropriate.

---

199-203: Defaults derived from role: OK

Good UX, selecting the first available role assignment.

---

211-212: Multi-edit warning logic: OK

Warns only when batch-editing apps that already have managed roles.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (4)

45-49: Make MANAGED_IDENTITY_ROLES truly readonly (current as const is redundant)

Type the constant as readonly; the current annotation widens it to a mutable array.

-const MANAGED_IDENTITY_ROLES: ManagedIdentityRole[] = [
-  "source",
-  "maven",
-  "asset",
-] as const;
+const MANAGED_IDENTITY_ROLES: readonly ManagedIdentityRole[] = [
+  "source",
+  "maven",
+  "asset",
+] as const;

---

63-71: Helper is correct; consider minor signature tweak

If desired, make id be number | undefined to avoid passing null, but current behavior is fine.

---

73-75: Narrow the role type for better safety

Use the union type for roles.

-function firstIdentityOfRole(application: DecoratedApplication, role: string) {
+function firstIdentityOfRole(
+  application: DecoratedApplication,
+  role: ManagedIdentityRole
+) {

---

77-86: Type safety and small perf nit

Type the parameter as ManagedIdentityRole | ManagedIdentityRole[] and use a Set to avoid repeated includes.

-export function hasIdentityOfRole(
-  applications: DecoratedApplication | DecoratedApplication[],
-  role: string | string[]
-) {
-  const roles = Array.isArray(role) ? role : [role];
+export function hasIdentityOfRole(
+  applications: DecoratedApplication | DecoratedApplication[],
+  role: ManagedIdentityRole | ManagedIdentityRole[]
+) {
+  const roles = Array.isArray(role) ? role : [role];
+  const roleSet = new Set<ManagedIdentityRole>(roles);
   const apps = Array.isArray(applications) ? applications : [applications];
   return apps.some((app) =>
-    app.identities?.some((i) => i.role && roles.includes(i.role))
+    app.identities?.some((i) => i.role && roleSet.has(i.role as ManagedIdentityRole))
   );
}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 582306b and 3f838c4.

📒 Files selected for processing (2)

• client/src/app/api/models.ts (3 hunks)
• client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (7 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• client/src/app/api/models.ts

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-08-29T16:01:04.207Z

Learnt from: sjd78
PR: konveyor/tackle2-ui#2583
File: client/src/app/pages/identities/components/identity-form/kind-source-form.tsx:17-26
Timestamp: 2025-08-29T16:01:04.207Z
Learning: Skip i18n/internationalization suggestions for the file client/src/app/pages/identities/components/identity-form/kind-source-form.tsx - hardcoded strings like "Username/Password" and "Private Key/Passphrase" should remain as-is.

Applied to files:

• client/src/app/pages/applications/application-identity-form/application-identity-form.tsx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: unit-test
• GitHub Check: build-and-upload-for-global-ci

🔇 Additional comments (3)

client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (3)

2-2: LGTM: role-based model wiring and imports

Imports align with the role-based identities shift; dead toRefs removed; new hooks/components correctly referenced.

Also applies to: 5-5, 19-25, 26-29, 34-35

---

101-104: Asset options sourced from “source” identities: OK

Matches the PR intent to use kind=source identities for asset repositories.

---

153-167: Preservation of non-managed/unknown roles: good recovery from earlier issue

The filter now keeps role-less and unknown roles and avoids toRefs, so roles are preserved on patch. Nice.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (1)

147-152: Uniform bulk-apply of managed roles

Building the three role-tagged refs is correct for the intended multi-edit behavior (apply form state across all apps). Acknowledging prior discussion/learning that this overwrite is intentional.

🧹 Nitpick comments (4)

client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (4)

45-49: Type the managed-role set more narrowly

Use a readonly tuple plus a ReadonlySet typed to ManagedIdentityRole for stronger checks and reuse elsewhere.

Apply:

-const MANAGED_IDENTITY_SET: Set<IdentityRole> = new Set([
-  "source",
-  "maven",
-  "asset",
-]);
+const MANAGED_IDENTITY_ROLES = ["source", "maven", "asset"] as const;
+const MANAGED_IDENTITY_SET: ReadonlySet<ManagedIdentityRole> = new Set(
+  MANAGED_IDENTITY_ROLES
+);

---

63-71: Helper correctly preserves role on refs

Looks good and avoids stripping the role. Micro: if this is called often, consider prebuilding a Map<number, Identity> once, but not required here.

---

80-87: Minor simplification in managed-role presence check

You can drop the extra truthy check; Set.has(undefined) is false, preserving behavior.

Apply:

-  return apps.some((app) =>
-    app.identities?.some((i) => i.role && MANAGED_IDENTITY_SET.has(i.role))
-  );
+  return apps.some((app) =>
+    app.identities?.some((i) => MANAGED_IDENTITY_SET.has(i.role as ManagedIdentityRole))
+  );

---

319-326: Consider enabling Save in multi-edit even when not dirty

Right now, Save is disabled until a change is made. For bulk standardization, users may want to open the modal and immediately apply the first app’s defaults to the rest. Allow submit when applications.length > 1 even if the form is pristine.

Apply:

-          isDisabled={!isValid || isSubmitting || isValidating || !isDirty}
+          isDisabled={
+            !isValid ||
+            isSubmitting ||
+            isValidating ||
+            (!isDirty && applications.length === 1)
+          }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f838c4 and c7af155.

📒 Files selected for processing (1)

• client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (7 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-08-29T16:01:04.207Z

Learnt from: sjd78
PR: konveyor/tackle2-ui#2583
File: client/src/app/pages/identities/components/identity-form/kind-source-form.tsx:17-26
Timestamp: 2025-08-29T16:01:04.207Z
Learning: Skip i18n/internationalization suggestions for the file client/src/app/pages/identities/components/identity-form/kind-source-form.tsx - hardcoded strings like "Username/Password" and "Private Key/Passphrase" should remain as-is.

Applied to files:

• client/src/app/pages/applications/application-identity-form/application-identity-form.tsx

📚 Learning: 2025-09-12T18:54:17.513Z

Learnt from: sjd78
PR: konveyor/tackle2-ui#2610
File: client/src/app/pages/applications/application-identity-form/application-identity-form.tsx:146-151
Timestamp: 2025-09-12T18:54:17.513Z
Learning: In ApplicationIdentityForm multi-edit mode, the form state is intentionally applied as-is across all selected applications. This means that even untouched form fields will overwrite existing values across all applications, which is the expected bulk-edit behavior for standardizing identity credentials across multiple applications.

Applied to files:

• client/src/app/pages/applications/application-identity-form/application-identity-form.tsx

🧬 Code graph analysis (1)

client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (5)

client/src/app/api/models.ts (5)

• IdentityRole (143-143)
• Identity (226-240)
• ManagedIdentityRole (142-142)
• RefWithRole (93-95)
• Application (145-170)

client/src/app/utils/model-utils.tsx (1)

• toRef (238-244)

client/src/app/pages/applications/useDecoratedApplications.ts (1)

• DecoratedApplication (39-69)

client/src/app/components/NotificationsContext.tsx (1)

• NotificationsContext (31-33)

client/src/app/queries/identities.ts (1)

• useFetchIdentities (58-78)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: unit-test
• GitHub Check: build-and-upload-for-global-ci

🔇 Additional comments (7)

client/src/app/pages/applications/application-identity-form/application-identity-form.tsx (7)

19-25: Imports updated correctly for role-aware identities

Good switch to RefWithRole/IdentityRole and removal of toRefs; HookFormPF, NotificationsContext, and SimpleSelect imports look right.

Also applies to: 26-28, 34-34

---

73-78: Role-based lookup aligns with the new model

Simple and correct replacement for kind-based defaults.

---

100-105: Asset options sourced from source-kind identities

This matches the PR objective to use kind=source identities for asset repositories. Good catch on switching only the asset list.

---

155-166: Correct retention of non-managed or role-less identities

The filter now preserves entries with unknown/undefined roles and keeps their role field intact (no toRefs). This aligns with “retain any identities that do not have a role of source, maven, or asset.”

---

168-175: Patch construction is safe and order-stable enough

Merges updated managed roles with preserved others per application. Looks good.

---

213-216: Defaults from first app are fine for bulk-edit

Consistent with the intended multi-edit semantics: form initializes from applications[0] and applies uniformly.

---

221-225: Good UX: warning for multi-edit overrides

The check properly warns when editing multiple apps and any has managed identities already.