fix: allow patching some /credentials sub-paths (#4277)
<!--
Describe the big picture of your changes here to communicate to the
maintainers why we should accept this pull request.

This text will be included in the changelog. If applicable, include
links to documentation or pieces of code.
If your change includes breaking changes please add a code block
documenting the breaking change:

```
BREAKING CHANGES: This patch changes the behavior of configuration item `foo` to do bar. To keep the existing
behavior please do baz.
```
-->

## Related issue(s)

<!--
If this pull request

1. is a fix for a known bug, link the issue where the bug was reported
in the format of `#1234`;
2. is a fix for a previously unknown bug, explain the bug and how to
reproduce it in this pull request;
3. implements a new feature, link the issue containing the design
document in the format of `#1234`;
4. improves the documentation, no issue reference is required.

Pull requests introducing new features, which do not have a design
document linked are more likely to be rejected and take on average 2-8
weeks longer to
get merged.

You can discuss changes with maintainers either in the Github
Discussions in this repository or
join the [Ory Chat](https://www.ory.sh/chat).
-->

## Checklist

<!--
Put an `x` in the boxes that apply. You can also fill these out after
creating the PR.

Please be aware that pull requests must have all boxes ticked in order
to be merged.

If you're unsure about any of them, don't hesitate to ask. We're here to
help!
-->

- [ ] I have read the [contributing
guidelines](../blob/master/CONTRIBUTING.md).
- [ ] I have referenced an issue containing the design document if my
change
      introduces a new feature.
- [ ] I am following the
[contributing code
guidelines](../blob/master/CONTRIBUTING.md#contributing-code).
- [ ] I have read the [security policy](../security/policy).
- [ ] I confirm that this pull request does not address a security
vulnerability. If this pull request addresses a security vulnerability,
I
      confirm that I got the approval (please contact
[[email protected]](mailto:[email protected])) from the maintainers to push
      the changes.
- [ ] I have added tests that prove my fix is effective or that my
feature
      works.
- [ ] I have added or changed [the
documentation](https://github.com/ory/docs).

## Further Comments

<!--
If this is a relatively large or complex change, kick off the discussion
by explaining why you chose the solution
you did and what alternatives you considered, etc...
-->
hperl authored Jan 28, 2025
1 parent 3e8f50a commit aefa806
Showing 2 changed files with 7 additions and 4 deletions.
2 changes: 1 addition & 1 deletion identity/handler.go
Expand Up @@ -916,7 +916,7 @@ func (h *Handler) patch(w http.ResponseWriter, r *http.Request, ps httprouter.Pa

patchedIdentity := WithAdminMetadataInJSON(*identity)

if err := jsonx.ApplyJSONPatch(requestBody, &patchedIdentity, "/id", "/stateChangedAt", "/credentials", "/credentials/**"); err != nil {
if err := jsonx.ApplyJSONPatch(requestBody, &patchedIdentity, "/id", "/stateChangedAt", "/credentials", "/credentials/oidc/**"); err != nil {
h.r.Writer().WriteError(w, r, errors.WithStack(
herodot.
ErrBadRequest.
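
Review bot: narrowing the last denied pattern in the ApplyJSONPatch call from "/credentials/**" to "/credentials/oidc/**" leaves a deny-list with a single credential type on it, so every credential sub-path outside oidc becomes writable through PATCH, including /credentials/password/config/hashed_password as exercised in handler_test.go. The commit title says "some" sub-paths; if only specific paths are meant to be patchable, an explicit allow-list of those paths would fail closed when further credential types are added. At minimum, add a comment on this line stating why oidc stays denied and that the remaining types are intentionally open.
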
9 changes: 6 additions & 3 deletions identity/handler_test.go
Expand Up @@ -1227,7 +1227,7 @@ func TestHandler(t *testing.T) {
}
})

t.Run("case=PATCH should fail to update credential password", func(t *testing.T) {
t.Run("case=PATCH should allow to update credential password", func(t *testing.T) {
uuid := x.NewUUID().String()
email := uuid + "@ory.sh"
password := "ljanf123akf"
Expand All @@ -1247,9 +1247,12 @@ func TestHandler(t *testing.T) {
{"op": "replace", "path": "/credentials/password/config/hashed_password", "value": "foo"},
}

res := send(t, ts, "PATCH", "/identities/"+i.ID.String(), http.StatusBadRequest, &patch)
send(t, ts, "PATCH", "/identities/"+i.ID.String(), http.StatusOK, &patch)

assert.EqualValues(t, "patch includes denied path: /credentials/password/config/hashed_password", res.Get("error.message").String(), "%s", res.Raw)
updated, err := reg.PrivilegedIdentityPool().GetIdentityConfidential(ctx, i.ID)
require.NoError(t, err)
assert.Equal(t, "foo",
gjson.GetBytes(updated.Credentials[identity.CredentialsTypePassword].Config, "hashed_password").String())
})
}
})
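
Review bot: the assertion on "patch includes denied path: ..." is removed and nothing in the visible lines replaces it, so the denial that still applies to "/credentials/oidc/**" has no coverage in this test. Add a case that patches a path under /credentials/oidc/ and expects http.StatusBadRequest with the denied-path message. The new assertions also pin down that the literal "foo" is persisted verbatim as hashed_password, a value that is not in any hash format; if accepting arbitrary strings here is intended, say so in a comment, otherwise validate the value before it is stored.
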
