Merge pull request #34 from auth0/explode-scopes-per-resource

Explode scopes per resource
auth0 · Jan 26, 2021 · 3479993 · 3479993
2 parents c668388 + 62e123f
commit 3479993
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 4 deletions.
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
@@ -32,11 +32,20 @@ const (
 	clientID           = "2iZo3Uczt5LFHacKdM0zzgUO2eG2uDjT"
 	deviceCodeEndpoint = "https://auth0.auth0.com/oauth/device/code"
 	oauthTokenEndpoint = "https://auth0.auth0.com/oauth/token"
-	// TODO(jfatta) extend the scope as we extend the CLI:
-	scope        = "openid create:actions create:clients create:resource_servers create:connections create:hooks create:rules delete:actions delete:clients delete:resource_servers delete:connections delete:hooks delete:rules read:actions read:clients read:resource_servers read:connections read:hooks read:logs read:rules update:actions update:clients update:resource_servers update:connections update:hooks update:rules"
-	audiencePath = "/api/v2/"
+	audiencePath       = "/api/v2/"
 )
 
+var requiredScopes = []string{
+	"openid",
+	"create:actions", "delete:actions", "read:actions", "update:actions",
+	"create:clients", "delete:clients", "read:clients", "update:clients",
+	"create:connections", "delete:connections", "read:connections", "update:connections",
+	"create:hooks", "delete:hooks", "read:hooks", "update:hooks",
+	"create:resource_servers", "delete:resource_servers", "read:resource_servers", "update:resource_servers",
+	"create:rules", "delete:rules", "read:rules", "update:rules",
+	"read:client_keys", "read:logs",
+}
+
 type Authenticator struct {
 }
 
@@ -124,7 +133,7 @@ func (a *Authenticator) Wait(ctx context.Context, state State) (Result, error) {
 func (a *Authenticator) getDeviceCode(ctx context.Context) (State, error) {
 	data := url.Values{
 		"client_id": {clientID},
-		"scope":     {scope},
+		"scope":     {strings.Join(requiredScopes, " ")},
 		"audience":  {"https://*.auth0.com/api/v2/"},
 	}
 	r, err := http.PostForm(deviceCodeEndpoint, data)

diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
@@ -0,0 +1,49 @@
+package auth
+
+import "testing"
+
+func TestRequiredScopes(t *testing.T) {
+	t.Run("verify CRUD", func(t *testing.T) {
+		crudResources := []string{
+			"actions",
+			"clients",
+			"connections",
+			"hooks",
+			"resource_servers",
+			"rules",
+		}
+		crudPrefixes := []string{"create:", "delete:", "read:", "update:"}
+
+		for _, resource := range crudResources {
+			for _, prefix := range crudPrefixes {
+				scope := prefix + resource
+
+				if !strInArray(requiredScopes, scope) {
+					t.Fatalf("wanted scope: %q, list: %+v", scope, requiredScopes)
+				}
+			}
+		}
+	})
+
+	t.Run("verify special scopes", func(t *testing.T) {
+		list := []string{
+			"read:client_keys", "read:logs",
+		}
+
+		for _, v := range list {
+			if !strInArray(requiredScopes, v) {
+				t.Fatalf("wanted scope: %q, list: %+v", v, requiredScopes)
+			}
+		}
+	})
+}
+
+func strInArray(haystack []string, needle string) bool {
+	for _, v := range haystack {
+		if v == needle {
+			return true
+		}
+	}
+
+	return false
+}