From c7860408138d215ac0d9ec6b26626845dcadb828 Mon Sep 17 00:00:00 2001
From: Cyril David
Date: Mon, 25 Jan 2021 16:24:03 -0800
Subject: [PATCH 1/2] Explode scopes per resource

This ideally makes the diffs more readable, but makes it clear which resources we're trying to ask permissions for the future reader.
---
 internal/auth/auth.go | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 5495d1e43..49afdfff3 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -32,11 +32,20 @@ const (
 	clientID = "2iZo3Uczt5LFHacKdM0zzgUO2eG2uDjT"
 	deviceCodeEndpoint = "https://auth0.auth0.com/oauth/device/code"
 	oauthTokenEndpoint = "https://auth0.auth0.com/oauth/token"
-	// TODO(jfatta) extend the scope as we extend the CLI:
-	scope = "openid create:actions create:clients create:resource_servers create:connections create:hooks create:rules delete:actions delete:clients delete:resource_servers delete:connections delete:hooks delete:rules read:actions read:clients read:resource_servers read:connections read:hooks read:logs read:rules update:actions update:clients update:resource_servers update:connections update:hooks update:rules"
-	audiencePath = "/api/v2/"
+	audiencePath = "/api/v2/"
 )
 
+var requiredScopes = []string{
+	"openid",
+	"create:actions", "delete:actions", "read:actions", "update:actions",
+	"create:clients", "delete:clients", "read:clients", "update:clients",
+	"create:connections", "delete:connections", "read:connections", "update:connections",
+	"create:hooks", "delete:hooks", "read:hooks", "update:hooks",
+	"create:resource_servers", "delete:resource_servers", "read:resource_servers", "update:resource_servers",
+	"create:rules", "delete:rules", "read:rules", "update:rules",
+	"read:logs",
+}
+
 type Authenticator struct {
 }
 
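Review bot: `requiredScopes` is introduced as a package-level `var` with no doc comment, and the old TODO telling maintainers to extend the scope alongside new CLI features was dropped with the `scope` constant. Since this list is exactly the permission set the device-code flow asks the user to grant, it deserves a comment stating that intent and the rule for growing it, e.g. `// requiredScopes lists the Management API scopes the CLI requests at login; add a scope only together with the command that needs it, so the grant stays minimal.` Keeping it unexported is right; it should also not be appended to at runtime anywhere, which the slice type alone cannot enforce.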
@@ -124,7 +133,7 @@ func (a *Authenticator) Wait(ctx context.Context, state State) (Result, error) {
 func (a *Authenticator) getDeviceCode(ctx context.Context) (State, error) {
 	data := url.Values{
 		"client_id": {clientID},
-		"scope": {scope},
+		"scope": {strings.Join(requiredScopes, " ")},
 		"audience": {"https://*.auth0.com/api/v2/"},
 	}
 	r, err := http.PostForm(deviceCodeEndpoint, data)

From 62e123fc87972d61b13f2537e36738416ce59ec4 Mon Sep 17 00:00:00 2001
From: Cyril David
Date: Mon, 25 Jan 2021 16:40:21 -0800
Subject: [PATCH 2/2] Add a simple unit test to catch regressions

---
 internal/auth/auth.go | 2 +-
 internal/auth/auth_test.go | 49 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 internal/auth/auth_test.go

diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 49afdfff3..0504dd881 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -43,7 +43,7 @@ var requiredScopes = []string{
 	"create:hooks", "delete:hooks", "read:hooks", "update:hooks",
 	"create:resource_servers", "delete:resource_servers", "read:resource_servers", "update:resource_servers",
 	"create:rules", "delete:rules", "read:rules", "update:rules",
-	"read:logs",
+	"read:client_keys", "read:logs",
 }
 
 type Authenticator struct {
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
new file mode 100644
index 000000000..61132d058
--- /dev/null
+++ b/internal/auth/auth_test.go
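Review bot: `strings.Join(requiredScopes, " ")` is the first use of the `strings` package visible in this patch, and the import block is outside the hunk, so confirm `strings` is already imported by auth.go or this will not compile. Joining on every call is harmless for a login flow, but the value never changes, so it could be computed once next to the list, `var scope = strings.Join(requiredScopes, " ")`, which would also have left this call site untouched. The body of getDeviceCode continues past the end of the hunk.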
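Review bot: The auth.go hunk in the second patch widens the permission set the CLI requests by adding `read:client_keys`, but the commit message describes only a unit test, so anyone scanning the log would not see a scope change. Every entry in this list ends up granted to the CLI's token, so an addition should name the command that needs it, either in the description or inline, `"read:client_keys", // needed by <command> — TODO confirm` (the command is not identified anywhere in this patch). Splitting the scope change into its own commit would keep the test commit behaviour-neutral and make the widening reviewable on its own.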
@@ -0,0 +1,49 @@
+package auth
+
+import "testing"
+
+func TestRequiredScopes(t *testing.T) {
+	t.Run("verify CRUD", func(t *testing.T) {
+		crudResources := []string{
+			"actions",
+			"clients",
+			"connections",
+			"hooks",
+			"resource_servers",
+			"rules",
+		}
+		crudPrefixes := []string{"create:", "delete:", "read:", "update:"}
+
+		for _, resource := range crudResources {
+			for _, prefix := range crudPrefixes {
+				scope := prefix + resource
+
+				if !strInArray(requiredScopes, scope) {
+					t.Fatalf("wanted scope: %q, list: %+v", scope, requiredScopes)
+				}
+			}
+		}
+	})
+
+	t.Run("verify special scopes", func(t *testing.T) {
+		list := []string{
+			"read:client_keys", "read:logs",
+		}
+
+		for _, v := range list {
+			if !strInArray(requiredScopes, v) {
+				t.Fatalf("wanted scope: %q, list: %+v", v, requiredScopes)
+			}
+		}
+	})
+}
+
+func strInArray(haystack []string, needle string) bool {
+	for _, v := range haystack {
+		if v == needle {
+			return true
+		}
+	}
+
+	return false
+}
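Review bot: The test only checks that the expected scopes are present in `requiredScopes`; nothing fails when a scope nobody reviewed is added, which is the regression a permission list most needs guarding against, and `"openid"` is not covered by either subtest. A third subtest that walks `requiredScopes` and rejects any entry outside the expected set turns the list into an allow-list the test enforces in both directions; `crudResources` and `crudPrefixes` then need hoisting to the top of `TestRequiredScopes` so both checks share them. Separately, `t.Fatalf` stops at the first missing scope, whereas `t.Errorf` would report every gap in one run.

```go
func TestRequiredScopes(t *testing.T) {
	// hoisted out of the "verify CRUD" subtest so every check uses one definition
	crudResources := []string{"actions", "clients", "connections", "hooks", "resource_servers", "rules"}
	crudPrefixes := []string{"create:", "delete:", "read:", "update:"}
	specialScopes := []string{"openid", "read:client_keys", "read:logs"}

	// … unchanged: "verify CRUD" and "verify special scopes" subtests, now reading the hoisted slices …

	t.Run("no unexpected scopes", func(t *testing.T) {
		expected := make(map[string]struct{})
		for _, v := range specialScopes {
			expected[v] = struct{}{}
		}
		for _, resource := range crudResources {
			for _, prefix := range crudPrefixes {
				expected[prefix+resource] = struct{}{}
			}
		}
		// any scope not derived from the tables above must be added here deliberately
		for _, v := range requiredScopes {
			if _, ok := expected[v]; !ok {
				t.Errorf("unexpected scope: %q, list: %+v", v, requiredScopes)
			}
		}
	})
}
```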