Merge pull request #1130 from GitGuardian/salomevoltz/handle-api-unknown-scope

agateau-gg · web-flow · commit f92b323037a2 · 2025-10-17T09:04:00.000+02:00
Handle unknow scopes in ggshield
diff --git a/changelog.d/20251014_145559_salome.voltz.md b/changelog.d/20251014_145559_salome.voltz.md
@@ -0,0 +1,42 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+For top level release notes, leave all the headers commented out.
+-->
+
+<!--
+### Removed
+
+- A bullet item for the Removed category.
+
+-->
+<!--
+### Added
+
+- A bullet item for the Added category.
+
+-->
+<!--
+### Changed
+
+- A bullet item for the Changed category.
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category.
+
+-->
+
+### Fixed
+
+- Fixed crash when API returns scopes not yet recognized by py-gitguardian.
+
+<!--
+### Security
+
+- A bullet item for the Security category.
+
+-->
diff --git a/ggshield/core/client.py b/ggshield/core/client.py
@@ -1,3 +1,4 @@
+import logging
 import os
 from typing import Optional
 
@@ -19,6 +20,9 @@
 from .ui.client_callbacks import ClientCallbacks
 
 
+logger = logging.getLogger(__name__)
+
+
 def create_client_from_config(config: Config) -> GGClient:
     """
     Create a GGClient using parameters from Config.
@@ -131,8 +135,14 @@ def check_client_api_key(client: GGClient, required_scopes: set[TokenScope]) ->
         elif isinstance(response, Detail):
             raise UnexpectedError(response.detail)
 
-        missing_scopes = required_scopes - set(
-            TokenScope(scope) for scope in response.scopes
-        )
+        # Build set of API scopes, ignoring unknown ones for forward compatibility
+        api_scopes = set()
+        for scope_str in response.scopes:
+            try:
+                api_scopes.add(TokenScope(scope_str))
+            except ValueError:
+                logger.debug("Ignoring unknown scope from API: '%s'", scope_str)
+
+        missing_scopes = required_scopes - api_scopes
         if missing_scopes:
             raise MissingScopesError(list(missing_scopes))
diff --git a/pdm.lock b/pdm.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -42,7 +42,7 @@ dependencies = [
     "marshmallow~=3.18.0",
     "marshmallow-dataclass~=8.5.8",
     "oauthlib~=3.2.1",
-    "pygitguardian~=1.25.0",
+    "pygitguardian @ git+https://github.com/GitGuardian/py-gitguardian.git@11aa57914dc9a3fb93db3579ddc4a0eab2fc8af2",
     "pyjwt~=2.6.0",
     "python-dotenv~=0.21.0",
     "pyyaml~=6.0.1",
diff --git a/tests/unit/core/test_client.py b/tests/unit/core/test_client.py
@@ -155,6 +155,31 @@ def test_check_client_api_key_without_source_uuid_no_token_check():
     client_mock.api_tokens.assert_not_called()
 
 
+def test_check_client_api_key_unknown_scope():
+    """
+    GIVEN a client with valid API key and API returns unknown scopes
+    WHEN check_client_api_key() is called with required scopes
+    THEN it ignores unknown scopes and validates only the required ones
+    """
+    client_mock = Mock(spec=GGClient)
+    client_mock.base_uri = "http://localhost"
+    client_mock.read_metadata.return_value = None  # Success
+    client_mock.api_tokens.return_value = APITokensResponse.from_dict(
+        {
+            "id": "5ddaad0c-5a0c-4674-beb5-1cd198d13360",
+            "name": "test-name",
+            "workspace_id": 1,
+            "type": "personal_access_token",
+            "status": "active",
+            "created_at": "2023-01-01T00:00:00Z",
+            "scopes": [TokenScope.SCAN_CREATE_INCIDENTS.value, "scope:unknown"],
+        }
+    )
+
+    # Should not raise any exception
+    check_client_api_key(client_mock, {TokenScope.SCAN_CREATE_INCIDENTS})
+
+
 def test_retrieve_client_invalid_api_url():
     """
     GIVEN a GITGUARDIAN_API_URL missing its https scheme
