Skip to content

fix(auth): add missing sbomGroup permissions to auth config#96

Open
mrrajan wants to merge 1 commit into
guacsec:mainfrom
mrrajan:main
Open

fix(auth): add missing sbomGroup permissions to auth config#96
mrrajan wants to merge 1 commit into
guacsec:mainfrom
mrrajan:main

Conversation

@mrrajan

@mrrajan mrrajan commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Add create.sbomGroup, read.sbomGroup, update.sbomGroup, and delete.sbomGroup to Keycloak and Cognito scope/group mappings in _auth.tpl to match the backend's default scope mappings.

Without these, /api/v3/group/sbom endpoints return 403 Forbidden.

Implements TC-5039

Summary by Sourcery

Bug Fixes:

  • Add missing sbomGroup CRUD permissions to Cognito and Keycloak scope/group mappings so sbom group APIs are authorized correctly.

Add create.sbomGroup, read.sbomGroup, update.sbomGroup, and
delete.sbomGroup to Keycloak and Cognito scope/group mappings
in _auth.tpl to match the backend's default scope mappings.

Without these, /api/v3/group/sbom endpoints return 403 Forbidden.

Implements TC-5039
@sourcery-ai

sourcery-ai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Aligns auth scope/group mappings for SBOM groups with backend defaults by adding create/read/update/delete.sbomGroup permissions to Cognito group mappings and Keycloak scope mappings, fixing 403s on /api/v3/group/sbom endpoints.

Sequence diagram for sbomGroup authorization flow with updated scopes

sequenceDiagram
  actor User
  participant Frontend
  participant OIDCProvider
  participant Backend

  User->>Frontend: Request SBOM groups
  Frontend->>OIDCProvider: OAuth2 authorize read:document
  OIDCProvider-->>Frontend: access_token with read.sbomGroup
  Frontend->>Backend: GET /api/v3/group/sbom
  Backend->>Backend: [token has read.sbomGroup]
  Backend-->>Frontend: 200 OK SBOM group list
  Frontend-->>User: Display SBOM groups
Loading

File-Level Changes

Change Details Files
Add sbomGroup permissions to Cognito group-based scope mappings to mirror existing sbom permissions.
  • Extend Cognito read scope list to include read.sbomGroup alongside read.sbom.
  • Extend Cognito create scope list to include create.sbomGroup alongside create.sbom.
  • Extend Cognito update scope list to include update.sbomGroup alongside update.sbom.
  • Extend Cognito delete scope list to include delete.sbomGroup alongside delete.sbom.
charts/trustify/templates/helpers/_auth.tpl
Add sbomGroup permissions to Keycloak client scope mappings to align with backend default scopes.
  • Extend trustify/sbom resource mapping to include create.sbomGroup, read.sbomGroup, update.sbomGroup, and delete.sbomGroup.
  • Extend Keycloak create:document scope mapping to include create.sbomGroup.
  • Extend Keycloak read:document scope mapping to include read.sbomGroup.
  • Extend Keycloak update:document scope mapping to include update.sbomGroup.
  • Extend Keycloak delete:document scope mapping to include delete.sbomGroup.
charts/trustify/templates/helpers/_auth.tpl

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants