fix: apply scopes from argocd-rbac-cm to project jwt group searches

[Erog38]

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Optional. My organization is added to USERS.md.
• I've signed the CLA and my build is green (troubleshooting builds).

[CLAassistant]

All committers have signed the CLA.

[codecov]

Codecov Report

Merging #3508 into master will increase coverage by 0.28%.
The diff coverage is 70.58%.

@@            Coverage Diff             @@
##           master    #3508      +/-   ##
==========================================
+ Coverage   40.99%   41.28%   +0.28%     
==========================================
  Files         114      114              
  Lines       16403    16447      +44     
==========================================
+ Hits         6725     6790      +65     
+ Misses       8797     8776      -21     
  Partials      881      881              

Impacted Files	Coverage Δ
server/rbacpolicy/rbacpolicy.go	78.87% <0.00%> (-2.29%)	⬇️
server/session/session.go	0.00% <0.00%> (ø)
server/project/project.go	61.40% <100.00%> (ø)
server/server.go	55.47% <100.00%> (ø)
util/jwt/jwt.go	58.06% <100.00%> (ø)
util/session/sessionmanager.go	68.11% <100.00%> (ø)
server/application/application.go	27.97% <0.00%> (-0.35%)	⬇️
pkg/apis/application/v1alpha1/types.go	62.03% <0.00%> (+2.89%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 991ee9b...65092c4. Read the comment docs.

[Erog38]

I definitely signed the CLA and updated my git email for the commit, so I'm not sure what to do for it to recognize it was signed.

[jannfis]

Hi @Erog38, thanks a lot for your contribution!

The changes look good from a technical perspective to me, I just have a small request: Is there an existing issue describing the problem this PR is solving? If yes, can you please link it. If not, can you please elaborate a little on the use case of this PR?

Thank you!

[Erog38]

Thanks @jannfis, this fixes the TODO here:

argo-cd/util/jwt/jwt.go

Line 98 in 8ad9283

// TODO: groups is hard-wired but we should really be honoring the 'scopes' section in argocd-rbac-cm.

[dirtycajunrice]

@jannfis For a little more perspective, we use amazon cognito which does not allow using a groups scope whatsoever and cognito:groups is only in the JWT. This will allow us to specify any jwt claim as what holds the groups scope. (This also unblocks us from completely adopting ArgoCD)

[Erog38]

@jannfis Is there any more information I can help provide for you?

[jannfis]

@Erog38 Sorry for the delay, I will start reviewing this PR now :)

[jannfis]

Thanks for your submission and sorry for the delay in review.

I have reviewed your change and manually tested for regression, it looks good so far to me. I have some minor comments (see below), I feel you should run make lint over your code, maybe I have missed some white space issue ;)

[jannfis]

@jessesuen Maybe you want to take a look at this change because it's OAuth related, and I think you're the one knowing it inside-out.

[Erog38]

I adjusted the whitespace issues , please let me know if I can adjust anything else, I want to get this out to our integration environment soon so we can start going production ready 😃

[jannfis]

Hi @Erog38, as the gitops-engine PRs (#3066 and #3599) were just merged, I think you need to resync your PR with master branch again and merge any required changes manually.

This change was very intrusive, and probably requires manual rework of most pending PRs in the queue. Sorry for that, but we couldn't wait any longer with that change.

[Erog38]

@jannfis no worries, I know how these things are. I've brought the branch up to date. it looks like the workflow is failing on an unauthorized error from Sonarcloud. Do you know anything about this?

[jannfis]

LGTM, thanks for going the extra mile!

[jannfis]

it looks like the workflow is failing on an unauthorized error from Sonarcloud. Do you know anything about this?

We're still unsure why this step works for some users while it won't work for others. I think it's some bug (or feature?) with CircleCI.

[Erog38]

Sorry @jannfis but is there another step I can get here for this to be merged as well?

[jannfis]

Hey @Erog38, all is fine from my side. I was just thinking that @jessesuen might want to take a look too before merging this.