fix(jans-cedarling): cedarling adapter should provide API with generic data types

[haileyesus2433]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #13595

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

• New Features

  • Support for multi-issuer JWT/token-based authorization and more flexible token input handling.

• Documentation

  • Sample updated to demonstrate migration to Cedarling v17 and the new multi-issuer JWT requirements.

• Tests

  • Expanded test coverage and added fixtures for multi-issuer JWT scenarios, single-token and multi-token inputs.

[mo-auto]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Replace v16 token/principals flows with Cedarling v17 multi‑issuer JWT support: add Map/JSON overloads in CedarlingAdapter, update sample to post‑authn JWT flow using authorizeMultiIssuer, and add tests + fixtures for multi‑issuer scenarios.

Changes

Cohort / File(s)	Summary
Sample Code jans-cedarling/bindings/cedarling-java/docs/sample_cedarling_post_authn.java	Migrated sample to post‑authn flow: swapped ExternalScriptContext→ExternalPostAuthnContext, removed principals parsing/authorizeUnsigned path, read access_token/id_token into a Map<String,String> keyed by Cedar entity types and call authorizeMultiIssuer(...), added guard when adapter uninitialized, and inverted return mapping on decision.
Adapter API & Logic jans-cedarling/bindings/cedarling-java/src/main/java/io/jans/cedarling/binding/wrapper/CedarlingAdapter.java	Added authorizeMultiIssuer(Map<String,String>,...), authorizeUnsigned(String,...), and authorizeUnsignedFromJson(List<String>,...); validated inputs, convert map/json entries to TokenInput/EntityData, and normalize null context to "{}" while rejecting null resource.
Unit Tests jans-cedarling/bindings/cedarling-java/src/test/java/io/jans/cedarling/binding/wrapper/CedarlingAdapterTest.java	Added multi‑issuer test constants and tests for JSON-string/list authorizeUnsigned, null‑context handling, null token rejection, and authorizeMultiIssuer Map conversion; removed unused import and minor comment cleanup.
Test Fixtures jans-cedarling/bindings/cedarling-java/src/test/resources/config/... bootstrap-multi-issuer.json, multi_issuer_access_token_payload.json, multi_issuer_resource.json	Added multi‑issuer bootstrap config and JWT/resource payload fixtures used by new tests.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat(jans-cedarling): add authorize_multi_issuer to bindings #12431: Adds/updates multi‑issuer authorization API (authorizeMultiIssuer) in Cedarling bindings that this change builds on.

Suggested reviewers

• olehbozhok
• duttarnab
• dagregi

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 31.58% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly addresses the main change: providing a CedarlingAdapter API with generic data types instead of uniffi-specific types.
Description check	✅ Passed	The description includes required sections: target issue (#13595) is linked, implementation details are referenced, and testing/documentation checklists are completed.
Linked Issues check	✅ Passed	The PR fully implements the requirements from #13595: new methods accepting generic data types (Map<String, String>, List), hidden uniffi types, and support for both single-principal and multi-issuer authorization workflows.
Out of Scope Changes check	✅ Passed	All changes are within scope: new adapter methods with generic types, corresponding tests, test resources, and updated sample code all directly support the #13595 objectives with no extraneous modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jans-cedarling-13595

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@jans-cedarling/bindings/cedarling-java/src/main/java/io/jans/cedarling/binding/wrapper/CedarlingAdapter.java`:
- Around line 143-151: The authorizeUnsigned method currently calls
context.toString() without a null check which can throw NPE; update the call
that passes the context to cedarling.authorizeUnsigned to mirror
authorizeMultiIssuer's null-safe pattern (i.e., compute a String ctx = (context
== null ? null : context.toString()) and pass that instead), touching the
authorizeUnsigned method and the cedarling.authorizeUnsigned invocation to
ensure null contexts are handled safely.
- Around line 59-70: Add a null-safety guard at the start of the
authorizeMultiIssuer(Map<String,String> tokens, String action, JSONObject
resource, JSONObject context) method: check if tokens is null and throw an
IllegalArgumentException (or AuthorizeException if preferred) with a clear
message like "tokens must not be null" before constructing TokenInput instances,
so TokenInput creation and the for loop are never executed with a null map.

In
`@jans-cedarling/bindings/cedarling-java/src/test/java/io/jans/cedarling/binding/wrapper/CedarlingAdapterTest.java`:
- Around line 96-121: The test creates a CedarlingAdapter (multiIssuerAdapter)
in testAuthorizeMultiIssuerWithMapConversion but never closes it; wrap the
adapter instantiation in a try-with-resources (or explicitly call close()) so
CedarlingAdapter (which implements AutoCloseable) is closed after use to prevent
resource leaks; modify the testAuthorizeMultiIssuerWithMapConversion method to
construct multiIssuerAdapter in a try (...) { ... } block that contains the
existing test logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: bd0dd163-24cb-45a8-8562-46ef109b97c7

📥 Commits

Reviewing files that changed from the base of the PR and between 56bec0a and bc8061a.

📒 Files selected for processing (6)

• jans-cedarling/bindings/cedarling-java/docs/sample_cedarling_post_authn.java
• jans-cedarling/bindings/cedarling-java/src/main/java/io/jans/cedarling/binding/wrapper/CedarlingAdapter.java
• jans-cedarling/bindings/cedarling-java/src/test/java/io/jans/cedarling/binding/wrapper/CedarlingAdapterTest.java
• jans-cedarling/bindings/cedarling-java/src/test/resources/config/bootstrap-multi-issuer.json
• jans-cedarling/bindings/cedarling-java/src/test/resources/config/multi_issuer_access_token_payload.json
• jans-cedarling/bindings/cedarling-java/src/test/resources/config/multi_issuer_resource.json

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@jans-cedarling/bindings/cedarling-java/src/main/java/io/jans/cedarling/binding/wrapper/CedarlingAdapter.java`:
- Around line 68-71: In CedarlingAdapter, validate inputs in the generic wrapper
overloads before looping or calling the UniFFI parser: check that the
Map<String,String> tokens is non-null and that no key or value in tokens is null
(throw IllegalArgumentException with a clear message), and likewise validate
principalJson is non-null and each element of principalsJson (if present) is
non-null; perform these null checks in the same methods where TokenInput is
constructed (referencing TokenInput and the tokens variable) and in the other
overloads that handle principalJson/principalsJson (the methods covering the
104-137 range), and fail fast with IllegalArgumentException rather than letting
an NPE surface from the UniFFI parser.

In
`@jans-cedarling/bindings/cedarling-java/src/test/java/io/jans/cedarling/binding/wrapper/CedarlingAdapterTest.java`:
- Around line 63-94: Add two focused tests in CedarlingAdapterTest to cover the
null-handling branches: (1) call adapter.authorizeUnsigned(principalsString,
action, resource, null) and assert it does not throw (result != null,
result.getPrincipals() != null, expected decision false) to ensure
authorizeUnsigned stays NPE-free when context is null; (2) call
adapter.authorizeMultiIssuer(null, action, resource, context) and assert it
throws IllegalArgumentException to ensure the multi-issuer null check remains
enforced. Use the existing fixture setup (action/resource/context/principals
strings) and the same assertion style as the other tests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c223ec8d-a935-4d93-8175-37ac9f85e9a3

📥 Commits

Reviewing files that changed from the base of the PR and between bc8061a and 6c276a2.

📒 Files selected for processing (2)

• jans-cedarling/bindings/cedarling-java/src/main/java/io/jans/cedarling/binding/wrapper/CedarlingAdapter.java
• jans-cedarling/bindings/cedarling-java/src/test/java/io/jans/cedarling/binding/wrapper/CedarlingAdapterTest.java

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@jans-cedarling/bindings/cedarling-java/src/main/java/io/jans/cedarling/binding/wrapper/CedarlingAdapter.java`:
- Around line 82-94: The authorizeMultiIssuer method (and the other overload
around the authorize delegate at lines ~163-171) currently calls
resource.toString() without null checks; change both delegate overloads (e.g.,
authorizeMultiIssuer(List<TokenInput>, String, JSONObject, JSONObject) and the
similar authorize(...) overload) to validate that resource is not null and throw
an IllegalArgumentException with a clear message (e.g., "resource must not be
null") before calling resource.toString(), so callers receive the consistent
IllegalArgumentException pattern instead of a NullPointerException.

In
`@jans-cedarling/bindings/cedarling-java/src/test/java/io/jans/cedarling/binding/wrapper/CedarlingAdapterTest.java`:
- Around line 63-148: Add focused negative unit tests for the remaining
null-guard branches: create tests that call
CedarlingAdapter.authorizeUnsigned(principalsString...) with principalJson ==
null and with a principals list containing a null element (covering
authorizeUnsignedFromJson null-element behavior), tests that call
CedarlingAdapter.authorizeMultiIssuer(tokens...) with tokens == null keys/values
(null key or null value entry) and a test that calls
authorizeMultiIssuer(tokens, action, resource, null) to ensure the null-context
branch is exercised; each test should assert the proper exception or result
shape using AuthorizeResult / MultiIssuerAuthorizeResult as appropriate to lock
the new compatibility contracts.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: adddc336-269a-4229-9a9a-a6dd9812baf8

📥 Commits

Reviewing files that changed from the base of the PR and between 6c276a2 and 751fc7f.

📒 Files selected for processing (2)

• jans-cedarling/bindings/cedarling-java/src/main/java/io/jans/cedarling/binding/wrapper/CedarlingAdapter.java
• jans-cedarling/bindings/cedarling-java/src/test/java/io/jans/cedarling/binding/wrapper/CedarlingAdapterTest.java

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@jans-cedarling/bindings/cedarling-java/src/main/java/io/jans/cedarling/binding/wrapper/CedarlingAdapter.java`:
- Around line 87-98: In CedarlingAdapter.add fast null-checks to the public list
overloads: in authorizeMultiIssuer(List<TokenInput> tokens, ...) validate tokens
!= null and that none of tokens' elements are null (throw
IllegalArgumentException with a clear message) before calling
cedarling.authorizeMultiIssuer; do the same in
authorizeUnsigned(List<EntityData> entities, ...) — check the list and each
element for null and throw IllegalArgumentException early so both API surfaces
fail consistently.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5de7afc5-707a-4403-9d7e-e01abeaf63aa

📥 Commits

Reviewing files that changed from the base of the PR and between 751fc7f and fe76c1e.

📒 Files selected for processing (1)

• jans-cedarling/bindings/cedarling-java/src/main/java/io/jans/cedarling/binding/wrapper/CedarlingAdapter.java