feat(jans-cli-tui): add arguments --auth-url, --config-url, --scim-url

[devrimyatar]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #13308

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

• New Features

  • Added CLI options to specify Auth, Config, and SCIM server URLs.
  • Added server selection and endpoint-building helpers to route requests to the appropriate server.

• Improvements

  • Normalizes trailing slashes and provides sensible defaults when URLs are omitted.
  • All request URLs are composed from resolved base servers for consistent routing.
  • Expanded debug logging showing resolved server URLs and each constructed request URL.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds CLI options --auth-url, --config-url, and --scim-url; normalizes supplied URLs and derives service base URLs; introduces server_url and get_url_for_endpoint() helpers; refactors request helpers to compose URLs via urljoin and logs constructed endpoints.

Changes

Cohort / File(s)

Summary

URL Endpoint Configuration & Request URL Resolution jans-cli-tui/cli_tui/cli/config_cli.py

Adds CLI args --auth-url, --config-url, --scim-url. Performs URL normalization (trailing slashes), exposes auth_url, config_url, scim_url (defaults from idp_host), and derived properties (auth_url_token_endpoint_postfix, jwt_validation_url). Adds server_url property and get_url_for_endpoint() utility. Refactors GET/POST/DELETE/PATCH request helpers to use urljoin-based composition instead of hard-coded https://{host} constructions and adds debug logging for constructed request URLs and server endpoints.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• yuriyzz
• yuriyz
• duttarnab

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.88% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: adding three new CLI arguments (--auth-url, --config-url, --scim-url) to jans-cli-tui.
Description check	✅ Passed	The PR description follows the template with a target issue reference (#13308) and confirms no documentation impact, but lacks detailed implementation information.
Linked Issues check	✅ Passed	The code changes implement the required --auth-url, --config-url, --scim-url parameters with backwards compatibility and URL normalization as specified in issue #13308.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing the custom URL parameters and supporting infrastructure (URL normalization, routing, logging) specified in the linked issue.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch jans-cli-tui-custom-janssen-urls-13308

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mo-auto]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[sonarqubecloud]

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'Jans authentication server parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (1)

jans-cli-tui/cli_tui/cli/config_cli.py (1)

321-328: ⚠️ Potential issue | 🟡 Minor

Property can return None implicitly for unexpected my_op_mode values.

If my_op_mode is not 'jca', 'scim', or 'auth', the property returns None implicitly, which would cause urljoin to fail downstream.

🛡️ Proposed fix to handle unexpected modes

     `@property`
     def server_url(self):
         if self.my_op_mode == 'jca':
             return self.config_url
         elif self.my_op_mode == 'scim':
             return self.scim_url
         elif self.my_op_mode == 'auth':
             return self.auth_url
+        else:
+            raise ValueError(f"Unknown operation mode: {self.my_op_mode}")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@jans-cli-tui/cli_tui/cli/config_cli.py` around lines 321 - 328, The
server_url property can implicitly return None for unexpected my_op_mode values;
update the server_url property (method server_url) to handle unknown modes
explicitly by either raising a clear exception or returning a safe default URL
(e.g., empty string) and include the offending my_op_mode in the message;
reference the symbols my_op_mode, server_url, config_url, scim_url, and auth_url
when making the change so callers using urljoin never receive None.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 292-304: The constructor is mutating the global args by appending
slashes; instead, avoid changing args and normalize when assigning instance
attributes: create a small helper (e.g., normalize_url) or use local variables
to compute normalized_auth = args.auth_url.rstrip('/') + '/' (or use fallback)
and assign to self.auth_url, self.config_url, self.scim_url inside __init__
without modifying args; reference the existing normalization block and the
attributes self.auth_url / self.config_url / self.scim_url so reviewers can
replace the in-place args mutations with instance-level normalization.
- Around line 292-304: The constructor for JCA_CLI currently always prefers
module-level args.auth_url/config_url/scim_url over the provided host, causing
plugin-instantiated hosts to be ignored; update JCA_CLI.__init__ to accept
optional auth_url, config_url, and scim_url parameters and change the assignment
logic so the precedence is: constructor parameter (if not None) > args.* (if
present) > default built from self.idp_host, and ensure you normalize trailing
slashes for the chosen URL (add '/' if missing) the same way the current code
does for args.* to avoid duplicate or missing slashes.
- Around line 515-516: Extract the repeated literal 'restv1/token' into a single
constant (e.g. TOKEN_ENDPOINT) defined near the top of the class that contains
the methods using it, then replace all four occurrences where url =
urljoin(self.auth_url, 'restv1/token') (and any similar urljoin uses) with url =
urljoin(self.auth_url, TOKEN_ENDPOINT); update references in methods that use
self.auth_url, urljoin, and self.cli_logger to use the new TOKEN_ENDPOINT to
improve maintainability.
- Around line 1042-1045: The debug log references an undefined variable `url`;
compute the URL first by calling self.get_url_for_endpoint(url_path) into a
local variable (e.g., url) and then call self.cli_logger.debug("Delete request:
%s", url) before calling session.delete, and pass that same `url` variable into
session.delete instead of calling get_url_for_endpoint inline; update references
around the delete call in the method that contains get_url_for_endpoint and
session.delete to use the new local `url`.

---

Duplicate comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 321-328: The server_url property can implicitly return None for
unexpected my_op_mode values; update the server_url property (method server_url)
to handle unknown modes explicitly by either raising a clear exception or
returning a safe default URL (e.g., empty string) and include the offending
my_op_mode in the message; reference the symbols my_op_mode, server_url,
config_url, scim_url, and auth_url when making the change so callers using
urljoin never receive None.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 844242a6-f951-4e79-a4fe-bc9d398e4348

📥 Commits

Reviewing files that changed from the base of the PR and between f041fa0 and 75c53ee.

📒 Files selected for processing (1)

• jans-cli-tui/cli_tui/cli/config_cli.py

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

jans-cli-tui/cli_tui/cli/config_cli.py (1)

516-560: ⚠️ Potential issue | 🔴 Critical

Discovery fetch still bypasses custom auth base URL.

check_connection() now validates token via self.auth_url, but then Line 558 calls get_openid_configuration(), which still uses https://{self.idp_host} (Line 497). For custom --auth-url deployments on different scheme/host/path, connection checks can fail despite valid token endpoint connectivity.

🐛 Proposed fix (derive discovery endpoint from auth base URL)

     def get_openid_configuration(self):
 
         try:
+            discovery_url = urljoin(self.auth_url, self.discovery_endpoint.lstrip('/'))
             response = session.get(
-                    url = 'https://{}{}'.format(self.idp_host, self.discovery_endpoint),
+                    url=discovery_url,
                     headers=self.get_request_header({'Accept': 'application/json'}),
                     verify=self.verify_ssl,
                     cert=self.mtls_client_cert
                 )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@jans-cli-tui/cli_tui/cli/config_cli.py` around lines 516 - 560,
check_connection() currently validates against self.auth_url but then calls
get_openid_configuration(), which still builds discovery using self.idp_host;
update get_openid_configuration() to derive the OpenID discovery URL from the
configured auth base (self.auth_url) instead of hardcoding
https://{self.idp_host}, and ensure it preserves scheme, host, and path
components (use urljoin or equivalent) so custom --auth-url values are honored;
adjust any callers (e.g., check_connection) to pass/expect the discovery URL
from self.auth_url if needed and remove reliance on idp_host for discovery
resolution.

♻️ Duplicate comments (3)

jans-cli-tui/cli_tui/cli/config_cli.py (3)

1043-1047: ⚠️ Potential issue | 🔴 Critical

url is referenced before assignment in delete flow.

Line 1043 logs url before it is created, causing a runtime NameError (matches Ruff/flake F821).

🐛 Proposed fix

-        self.cli_logger.debug("Delete request: %s", url)
+        url = self.get_url_for_endpoint(url_path)
+        self.cli_logger.debug("Delete request: %s", url)
 
         response = session.delete(
-            url=self.get_url_for_endpoint(url_path),
+            url=url,
             headers=self.get_request_header({'Accept': 'application/json'}),
             verify=self.verify_ssl,
             cert=self.mtls_client_cert
             )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@jans-cli-tui/cli_tui/cli/config_cli.py` around lines 1043 - 1047, The debug
log references url before it's defined, causing a NameError; fix by resolving
the endpoint URL before logging and then reuse it for the delete call: call
self.get_url_for_endpoint(url_path) and assign it to a local variable (e.g.,
url) prior to self.cli_logger.debug, then pass that url to session.delete (and
keep get_request_header usage unchanged). Update the code paths that call
self.cli_logger.debug("Delete request: %s", url) and session.delete(...) to use
this same url variable, referencing the methods self.get_url_for_endpoint and
self.get_request_header to locate the change.

---

292-304: ⚠️ Potential issue | 🟠 Major

JCA_CLI URL resolution still over-couples instance behavior to global args.

Line 302-304 always prefer module-level args.*_url, so plugin-created instances that pass a different host can still resolve to unrelated global URLs. This also mutates global args (Line 292-300), creating cross-instance side effects.

♻️ Proposed fix (instance-level normalization + explicit precedence)

-    def __init__(self, host, client_id, client_secret, access_token, test_client=False, op_mode=None, wrapped=None):
+    def __init__(self, host, client_id, client_secret, access_token, test_client=False, op_mode=None, wrapped=None,
+                 auth_url=None, config_url=None, scim_url=None):
         self.host = self.idp_host = host
@@
-        if args.auth_url and not args.auth_url.endswith('/'):
-            args.auth_url += '/'
-
-        if args.config_url and not args.config_url.endswith('/'):
-            args.config_url += '/'
-
-        if args.scim_url and not args.scim_url.endswith('/'):
-            args.scim_url += '/'
-
-        # URLs
-        self.auth_url = args.auth_url or f'https://{self.idp_host}/jans-auth/'
-        self.config_url = args.config_url or f'https://{self.idp_host}/jans-config-api/'
-        self.scim_url = args.scim_url or f'https://{self.idp_host}/jans-scim/restv1/v2/'
+        def normalize_url(url):
+            return f"{url.rstrip('/')}/" if url else None
+
+        # URLs (precedence: explicit param > CLI args > host-derived default)
+        self.auth_url = normalize_url(auth_url) or normalize_url(args.auth_url) or f'https://{self.idp_host}/jans-auth/'
+        self.config_url = normalize_url(config_url) or normalize_url(args.config_url) or f'https://{self.idp_host}/jans-config-api/'
+        self.scim_url = normalize_url(scim_url) or normalize_url(args.scim_url) or f'https://{self.idp_host}/jans-scim/restv1/v2/'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@jans-cli-tui/cli_tui/cli/config_cli.py` around lines 292 - 304, The
constructor currently mutates the global args and always prefers module-level
args.*_url when resolving URLs, causing cross-instance coupling; change
resolution to first check for an explicit instance parameter (e.g., a passed
auth_url/config_url/scim_url or self.* attributes), normalize those local values
(ensure trailing slash) without mutating the global args object, then fall back
to constructing from self.idp_host, and only use args.*_url as the final
fallback; update the code paths that set self.auth_url, self.config_url, and
self.scim_url (and any pre-normalization that currently does args.auth_url +=
'/') to operate on local variables or self properties so global args is never
mutated and instance-specific URLs take precedence.

---

516-787: 🧹 Nitpick | 🔵 Trivial

Extract 'restv1/token' into a class constant to remove repeated literals.

The same literal is repeated in four changed call sites, which SonarCloud is already flagging.

🧹 Proposed refactor

 class JCA_CLI:
+    TOKEN_ENDPOINT = 'restv1/token'
@@
-        url = urljoin(self.auth_url, 'restv1/token')
+        url = urljoin(self.auth_url, self.TOKEN_ENDPOINT)
@@
-        url = urljoin(self.auth_url, 'restv1/token')
+        url = urljoin(self.auth_url, self.TOKEN_ENDPOINT)
@@
-            url=urljoin(self.auth_url, 'restv1/token'),
+            url=urljoin(self.auth_url, self.TOKEN_ENDPOINT),
@@
-            url=urljoin(self.auth_url, 'restv1/token'),
+            url=urljoin(self.auth_url, self.TOKEN_ENDPOINT),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@jans-cli-tui/cli_tui/cli/config_cli.py` around lines 516 - 787, The literal
'restv1/token' is duplicated; define a class constant (e.g. TOKEN_ENDPOINT =
'restv1/token') on the CLI class in config_cli.py and replace all hard-coded
occurrences with that constant (use urljoin(self.auth_url,
self.TOKEN_ENDPOINT)). Update the call sites in the methods that post to the
token endpoint: the connection check block (where session.post(...) uses
urljoin(self.auth_url, 'restv1/token')), get_scoped_access_token, and
get_jwt_access_token (both places that build token requests). Ensure you
reference the constant as self.TOKEN_ENDPOINT so existing urljoin usage
continues to work.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 516-560: check_connection() currently validates against
self.auth_url but then calls get_openid_configuration(), which still builds
discovery using self.idp_host; update get_openid_configuration() to derive the
OpenID discovery URL from the configured auth base (self.auth_url) instead of
hardcoding https://{self.idp_host}, and ensure it preserves scheme, host, and
path components (use urljoin or equivalent) so custom --auth-url values are
honored; adjust any callers (e.g., check_connection) to pass/expect the
discovery URL from self.auth_url if needed and remove reliance on idp_host for
discovery resolution.

---

Duplicate comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 1043-1047: The debug log references url before it's defined,
causing a NameError; fix by resolving the endpoint URL before logging and then
reuse it for the delete call: call self.get_url_for_endpoint(url_path) and
assign it to a local variable (e.g., url) prior to self.cli_logger.debug, then
pass that url to session.delete (and keep get_request_header usage unchanged).
Update the code paths that call self.cli_logger.debug("Delete request: %s", url)
and session.delete(...) to use this same url variable, referencing the methods
self.get_url_for_endpoint and self.get_request_header to locate the change.
- Around line 292-304: The constructor currently mutates the global args and
always prefers module-level args.*_url when resolving URLs, causing
cross-instance coupling; change resolution to first check for an explicit
instance parameter (e.g., a passed auth_url/config_url/scim_url or self.*
attributes), normalize those local values (ensure trailing slash) without
mutating the global args object, then fall back to constructing from
self.idp_host, and only use args.*_url as the final fallback; update the code
paths that set self.auth_url, self.config_url, and self.scim_url (and any
pre-normalization that currently does args.auth_url += '/') to operate on local
variables or self properties so global args is never mutated and
instance-specific URLs take precedence.
- Around line 516-787: The literal 'restv1/token' is duplicated; define a class
constant (e.g. TOKEN_ENDPOINT = 'restv1/token') on the CLI class in
config_cli.py and replace all hard-coded occurrences with that constant (use
urljoin(self.auth_url, self.TOKEN_ENDPOINT)). Update the call sites in the
methods that post to the token endpoint: the connection check block (where
session.post(...) uses urljoin(self.auth_url, 'restv1/token')),
get_scoped_access_token, and get_jwt_access_token (both places that build token
requests). Ensure you reference the constant as self.TOKEN_ENDPOINT so existing
urljoin usage continues to work.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fa9298c0-6cd9-454b-bd55-4e8c524ce653

📥 Commits

Reviewing files that changed from the base of the PR and between 75c53ee and b572d2c.

📒 Files selected for processing (1)

• jans-cli-tui/cli_tui/cli/config_cli.py

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 329-336: server_url currently returns None for unexpected
self.my_op_mode which defers failure; change server_url to raise a clear
exception (e.g., raise ValueError(f"Unsupported op_mode: {self.my_op_mode}"))
instead of returning None, and ensure the error message includes the bad mode;
also apply the same fail-fast change to the other occurrence of the op_mode
dispatch used by get_url_for_endpoint so callers get an immediate, descriptive
error rather than a None propagating.
- Around line 305-321: get_openid_configuration still builds the discovery URL
from idp_host, bypassing the normalized/custom auth URL set by
url_normalizations; update get_openid_configuration to use self.auth_url as the
base and construct the discovery URL with urljoin (e.g., urljoin(self.auth_url,
'.well-known/openid-configuration')) so that custom host/port/path for auth is
respected; ensure self.auth_url always ends with a slash (url_normalizations
already does this) before joining and update any hardcoded discovery references
to use the new joined URL.
- Around line 152-154: The CLI flags use only dashed names (--auth-url,
--config-url, --scim-url) but callers expect underscore aliases; update the
parser.add_argument calls that register these flags (the parser.add_argument
invocations for "--auth-url", "--config-url", and "--scim-url") to include
underscore aliases as well (e.g. add "--auth_url", "--config_url", "--scim_url")
so argparse accepts both forms and maps them to the same destination.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 52b103d6-d1cc-47a7-8231-8fc493a4a47d

📥 Commits

Reviewing files that changed from the base of the PR and between b572d2c and 4db6610.

📒 Files selected for processing (1)

• jans-cli-tui/cli_tui/cli/config_cli.py

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

jans-cli-tui/cli_tui/cli/config_cli.py (1)

1070-1087: ⚠️ Potential issue | 🔴 Critical

Critical: PATCH query param assignment leaks request internals and can expose bearer tokens.

patch_params['params'] = patch_params serializes the entire request dict into query parameters (including headers), which can leak Authorization values into URLs/logs and corrupt PATCH behavior.

🐛 Proposed fix

     def patch_requests(self, endpoint, url_param_dict, data):
         url = self.get_url_for_endpoint(endpoint.path.format(**url_param_dict))
         security = self.get_scope_for_endpoint(endpoint)
         self.get_access_token(security)
         mime_type = self.get_mime_for_endpoint(endpoint)
         headers = self.get_request_header({'Accept': 'application/json', 'Content-Type': mime_type})

         self.cli_logger.debug("Patch request: %s", url)

         patch_params = {
             'url': url,
             'headers': headers,
             'verify': self.verify_ssl,
             'cert': self.mtls_client_cert,
             }

-        if url_param_dict:
-            patch_params['params'] = patch_params
+        if url_param_dict:
+            url_param_name = self.get_url_param(endpoint.path)
+            query_params = {k: v for k, v in url_param_dict.items() if k != url_param_name}
+            if query_params:
+                patch_params['params'] = query_params

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@jans-cli-tui/cli_tui/cli/config_cli.py` around lines 1070 - 1087, The
assignment patch_params['params'] = patch_params mistakenly injects the entire
request dict (including headers/Authorization) into the query string; change it
to assign only the intended query parameters (e.g. patch_params['params'] =
url_param_dict or a dedicated query dict) and ensure you never place headers or
the Authorization token into params; update the block around the patch_params
variable in the function using url_param_dict (and verify that
get_url_for_endpoint or the calling code supplies only safe query values).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 297-303: Move logger setup to run before any URL diagnostics: call
self.set_logging() (and ensure any handler/level configuration it performs)
before invoking self.url_normalizations(...) so those debug/info messages are
emitted; update both places where url_normalizations is called (the block with
auth_url_/config_url_/scim_url_ and the later occurrence around lines 323-326)
to invoke set_logging() first, then call url_normalizations(...), then proceed
to ssl_settings() as before.

---

Outside diff comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 1070-1087: The assignment patch_params['params'] = patch_params
mistakenly injects the entire request dict (including headers/Authorization)
into the query string; change it to assign only the intended query parameters
(e.g. patch_params['params'] = url_param_dict or a dedicated query dict) and
ensure you never place headers or the Authorization token into params; update
the block around the patch_params variable in the function using url_param_dict
(and verify that get_url_for_endpoint or the calling code supplies only safe
query values).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c2354026-bd8f-4b89-832b-481f06b31791

📥 Commits

Reviewing files that changed from the base of the PR and between 4db6610 and 0eabaae.

📒 Files selected for processing (1)

• jans-cli-tui/cli_tui/cli/config_cli.py

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

jans-cli-tui/cli_tui/cli/config_cli.py (2)

1086-1088: ⚠️ Potential issue | 🔴 Critical

PATCH query params are assigned from the wrong object.

Line 1087 assigns patch_params['params'] = patch_params instead of url_param_dict. This can serialize transport metadata (url, headers, cert, etc.) into the query string and break PATCH requests.

🔧 Proposed fix

-        if url_param_dict:
-            patch_params['params'] = patch_params
+        if url_param_dict:
+            patch_params['params'] = url_param_dict

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@jans-cli-tui/cli_tui/cli/config_cli.py` around lines 1086 - 1088, The PATCH
query params are being set from the wrong object: change the assignment that
currently sets patch_params['params'] = patch_params to use the actual URL param
dict (url_param_dict) so query params come from url_param_dict; locate the block
where patch_params and url_param_dict are prepared (search for patch_params,
url_param_dict in config_cli.py, e.g., inside the PATCH handling function) and
replace the incorrect assignment with one that assigns the url_param_dict into
patch_params['params'] (ensuring patch_params exists before assignment).

---

1041-1051: ⚠️ Potential issue | 🟠 Major

Delete path-param cleanup is incorrect and can leak path values into query params.

At Line 1043, url_params is a single string (e.g., "inum"), but the loop iterates character-by-character. That means the actual path parameter key is not removed from url_param_dict, and it can be appended again in the query string at Line 1050.

🔧 Proposed fix

-        if url_params:
-            url_path = endpoint.path.format(**url_param_dict)
-            for param in url_params:
-                if param in url_param_dict:
-                    del url_param_dict[param]
+        if url_params:
+            url_path = endpoint.path.format(**url_param_dict)
+            if url_params in url_param_dict:
+                del url_param_dict[url_params]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@jans-cli-tui/cli_tui/cli/config_cli.py` around lines 1041 - 1051, The cleanup
loop treats url_params as an iterable of characters when it's a string, so path
param keys aren't removed from url_param_dict and get leaked into the query
string; update the logic around url_params (used together with endpoint.path and
url_param_dict) to normalize url_params to an iterable of parameter names (e.g.,
if isinstance(url_params, str) wrap it into a one-element list) and then iterate
that normalized list to delete each param from url_param_dict before building
the query string.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 1086-1088: The PATCH query params are being set from the wrong
object: change the assignment that currently sets patch_params['params'] =
patch_params to use the actual URL param dict (url_param_dict) so query params
come from url_param_dict; locate the block where patch_params and url_param_dict
are prepared (search for patch_params, url_param_dict in config_cli.py, e.g.,
inside the PATCH handling function) and replace the incorrect assignment with
one that assigns the url_param_dict into patch_params['params'] (ensuring
patch_params exists before assignment).
- Around line 1041-1051: The cleanup loop treats url_params as an iterable of
characters when it's a string, so path param keys aren't removed from
url_param_dict and get leaked into the query string; update the logic around
url_params (used together with endpoint.path and url_param_dict) to normalize
url_params to an iterable of parameter names (e.g., if isinstance(url_params,
str) wrap it into a one-element list) and then iterate that normalized list to
delete each param from url_param_dict before building the query string.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a42b44d5-9204-436b-be9b-efb5e64596c0

📥 Commits

Reviewing files that changed from the base of the PR and between 0eabaae and c503f84.

📒 Files selected for processing (1)

• jans-cli-tui/cli_tui/cli/config_cli.py

[sonarqubecloud]

Quality Gate passed for 'jans-cli'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[devrimyatar]

Actionable comments posted: 4

♻️ Duplicate comments (1)

jans-cli-tui/cli_tui/cli/config_cli.py (1)> 321-328: ⚠️ Potential issue | 🟡 Minor

Property can return None implicitly for unexpected my_op_mode values.
If my_op_mode is not 'jca', 'scim', or 'auth', the property returns None implicitly, which would cause urljoin to fail downstream.

🛡️ Proposed fix to handle unexpected modes

     `@property`
     def server_url(self):
         if self.my_op_mode == 'jca':
             return self.config_url
         elif self.my_op_mode == 'scim':
             return self.scim_url
         elif self.my_op_mode == 'auth':
             return self.auth_url
+        else:
+            raise ValueError(f"Unknown operation mode: {self.my_op_mode}")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@jans-cli-tui/cli_tui/cli/config_cli.py` around lines 321 - 328, The
server_url property can implicitly return None for unexpected my_op_mode values;
update the server_url property (method server_url) to handle unknown modes
explicitly by either raising a clear exception or returning a safe default URL
(e.g., empty string) and include the offending my_op_mode in the message;
reference the symbols my_op_mode, server_url, config_url, scim_url, and auth_url
when making the change so callers using urljoin never receive None.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 292-304: The constructor is mutating the global args by appending
slashes; instead, avoid changing args and normalize when assigning instance
attributes: create a small helper (e.g., normalize_url) or use local variables
to compute normalized_auth = args.auth_url.rstrip('/') + '/' (or use fallback)
and assign to self.auth_url, self.config_url, self.scim_url inside __init__
without modifying args; reference the existing normalization block and the
attributes self.auth_url / self.config_url / self.scim_url so reviewers can
replace the in-place args mutations with instance-level normalization.
- Around line 292-304: The constructor for JCA_CLI currently always prefers
module-level args.auth_url/config_url/scim_url over the provided host, causing
plugin-instantiated hosts to be ignored; update JCA_CLI.__init__ to accept
optional auth_url, config_url, and scim_url parameters and change the assignment
logic so the precedence is: constructor parameter (if not None) > args.* (if
present) > default built from self.idp_host, and ensure you normalize trailing
slashes for the chosen URL (add '/' if missing) the same way the current code
does for args.* to avoid duplicate or missing slashes.
- Around line 515-516: Extract the repeated literal 'restv1/token' into a single
constant (e.g. TOKEN_ENDPOINT) defined near the top of the class that contains
the methods using it, then replace all four occurrences where url =
urljoin(self.auth_url, 'restv1/token') (and any similar urljoin uses) with url =
urljoin(self.auth_url, TOKEN_ENDPOINT); update references in methods that use
self.auth_url, urljoin, and self.cli_logger to use the new TOKEN_ENDPOINT to
improve maintainability.
- Around line 1042-1045: The debug log references an undefined variable `url`;
compute the URL first by calling self.get_url_for_endpoint(url_path) into a
local variable (e.g., url) and then call self.cli_logger.debug("Delete request:
%s", url) before calling session.delete, and pass that same `url` variable into
session.delete instead of calling get_url_for_endpoint inline; update references
around the delete call in the method that contains get_url_for_endpoint and
session.delete to use the new local `url`.

---

Duplicate comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 321-328: The server_url property can implicitly return None for
unexpected my_op_mode values; update the server_url property (method server_url)
to handle unknown modes explicitly by either raising a clear exception or
returning a safe default URL (e.g., empty string) and include the offending
my_op_mode in the message; reference the symbols my_op_mode, server_url,
config_url, scim_url, and auth_url when making the change so callers using
urljoin never receive None.

ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 844242a6-f951-4e79-a4fe-bc9d398e4348

📥 Commits
Reviewing files that changed from the base of the PR and between f041fa0 and 75c53ee.

📒 Files selected for processing (1)

Actionable comments posted: 4

♻️ Duplicate comments (1)

jans-cli-tui/cli_tui/cli/config_cli.py (1)> 321-328: ⚠️ Potential issue | 🟡 Minor

Property can return None implicitly for unexpected my_op_mode values.
If my_op_mode is not 'jca', 'scim', or 'auth', the property returns None implicitly, which would cause urljoin to fail downstream.

🛡️ Proposed fix to handle unexpected modes

     `@property`
     def server_url(self):
         if self.my_op_mode == 'jca':
             return self.config_url
         elif self.my_op_mode == 'scim':
             return self.scim_url
         elif self.my_op_mode == 'auth':
             return self.auth_url
+        else:
+            raise ValueError(f"Unknown operation mode: {self.my_op_mode}")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@jans-cli-tui/cli_tui/cli/config_cli.py` around lines 321 - 328, The
server_url property can implicitly return None for unexpected my_op_mode values;
update the server_url property (method server_url) to handle unknown modes
explicitly by either raising a clear exception or returning a safe default URL
(e.g., empty string) and include the offending my_op_mode in the message;
reference the symbols my_op_mode, server_url, config_url, scim_url, and auth_url
when making the change so callers using urljoin never receive None.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 292-304: The constructor is mutating the global args by appending
slashes; instead, avoid changing args and normalize when assigning instance
attributes: create a small helper (e.g., normalize_url) or use local variables
to compute normalized_auth = args.auth_url.rstrip('/') + '/' (or use fallback)
and assign to self.auth_url, self.config_url, self.scim_url inside __init__
without modifying args; reference the existing normalization block and the
attributes self.auth_url / self.config_url / self.scim_url so reviewers can
replace the in-place args mutations with instance-level normalization.
- Around line 292-304: The constructor for JCA_CLI currently always prefers
module-level args.auth_url/config_url/scim_url over the provided host, causing
plugin-instantiated hosts to be ignored; update JCA_CLI.__init__ to accept
optional auth_url, config_url, and scim_url parameters and change the assignment
logic so the precedence is: constructor parameter (if not None) > args.* (if
present) > default built from self.idp_host, and ensure you normalize trailing
slashes for the chosen URL (add '/' if missing) the same way the current code
does for args.* to avoid duplicate or missing slashes.
- Around line 515-516: Extract the repeated literal 'restv1/token' into a single
constant (e.g. TOKEN_ENDPOINT) defined near the top of the class that contains
the methods using it, then replace all four occurrences where url =
urljoin(self.auth_url, 'restv1/token') (and any similar urljoin uses) with url =
urljoin(self.auth_url, TOKEN_ENDPOINT); update references in methods that use
self.auth_url, urljoin, and self.cli_logger to use the new TOKEN_ENDPOINT to
improve maintainability.
- Around line 1042-1045: The debug log references an undefined variable `url`;
compute the URL first by calling self.get_url_for_endpoint(url_path) into a
local variable (e.g., url) and then call self.cli_logger.debug("Delete request:
%s", url) before calling session.delete, and pass that same `url` variable into
session.delete instead of calling get_url_for_endpoint inline; update references
around the delete call in the method that contains get_url_for_endpoint and
session.delete to use the new local `url`.

---

Duplicate comments:
In `@jans-cli-tui/cli_tui/cli/config_cli.py`:
- Around line 321-328: The server_url property can implicitly return None for
unexpected my_op_mode values; update the server_url property (method server_url)
to handle unknown modes explicitly by either raising a clear exception or
returning a safe default URL (e.g., empty string) and include the offending
my_op_mode in the message; reference the symbols my_op_mode, server_url,
config_url, scim_url, and auth_url when making the change so callers using
urljoin never receive None.

ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 844242a6-f951-4e79-a4fe-bc9d398e4348

📥 Commits
Reviewing files that changed from the base of the PR and between f041fa0 and 75c53ee.

📒 Files selected for processing (1)

@coderabbitai
This was fixed

jans/jans-cli-tui/cli_tui/cli/config_cli.py

Line 337 in f2f9ef2

raise ValueError(f"Unsupported operation mode: {self.my_op_mode}")

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the current state of the server_url property around line 337 in the file on the PR branch
curl -s "https://raw.githubusercontent.com/JanssenProject/jans/f2f9ef2347965132044ffcb348fdfe91a91da554/jans-cli-tui/cli_tui/cli/config_cli.py" | sed -n '325,350p'

Length of output: 1199

---

@devrimyatar Thanks for pointing that out! I've confirmed the fix at Line 337 — the server_url property now raises a ValueError with a descriptive message for any unsupported my_op_mode value, rather than implicitly returning None. This correctly addresses the concern. ✅

`@property`
def server_url(self):
    if self.my_op_mode == 'jca':
        return self.config_url
    elif self.my_op_mode == 'scim':
        return self.scim_url
    elif self.my_op_mode == 'auth':
        return self.auth_url
    raise ValueError(f"Unsupported operation mode: {self.my_op_mode}")

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!