From 463f70262202720e8890d359cb6b9bda43dad3cf Mon Sep 17 00:00:00 2001 From: gillmd Date: Tue, 25 Jul 2023 09:53:45 -0500 Subject: [PATCH] Updates to support using active directory for API authentication. --- .../test/java/io/apicurio/registry/auth/MojoAuthTest.java | 3 +++ ...tifact-references-automatically-using-maven-plugin.adoc | 1 + ...ng-artifact-references-manually-using-maven-plugin.adoc | 1 + .../proc-adding-artifacts-using-maven-plugin.adoc | 1 + .../proc-downloading-artifacts-using-maven-plugin.adoc | 3 ++- .../proc-testing-artifacts-using-maven-plugin.adoc | 1 + .../apicurio/registry/resolver/AbstractSchemaResolver.java | 4 +++- .../apicurio/registry/resolver/SchemaResolverConfig.java | 5 +++++ .../resolver/config/DefaultSchemaResolverConfig.java | 4 ++++ .../registry/resolver/config/ConfigurationTest.java | 3 +++ .../io/apicurio/registry/maven/AbstractRegistryMojo.java | 7 ++++++- 11 files changed, 30 insertions(+), 3 deletions(-) diff --git a/app/src/test/java/io/apicurio/registry/auth/MojoAuthTest.java b/app/src/test/java/io/apicurio/registry/auth/MojoAuthTest.java index f6e8a5588a..1d12a41a0b 100644 --- a/app/src/test/java/io/apicurio/registry/auth/MojoAuthTest.java +++ b/app/src/test/java/io/apicurio/registry/auth/MojoAuthTest.java @@ -55,6 +55,8 @@ public class MojoAuthTest extends RegistryMojoTestBase { String clientSecret = "test1"; + String clientScope = "testScope"; + String testUsername = "sr-test-user"; String testPassword = "sr-test-password"; @@ -88,6 +90,7 @@ public void testRegister() throws IOException, MojoFailureException, MojoExecuti registerRegistryMojo.setAuthServerUrl(authServerUrlConfigured); registerRegistryMojo.setClientId(JWKSMockServer.ADMIN_CLIENT_ID); registerRegistryMojo.setClientSecret(clientSecret); + registerRegistryMojo.setClientScope(clientScope); super.testRegister(registerRegistryMojo, "testRegister"); } 
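Review bot: Nothing visible in `testRegister` checks that the scope set by `registerRegistryMojo.setClientScope(clientScope)` actually reaches the token request, so the test would presumably still pass if the scope were dropped on the way to `OidcAuth`. If the mock auth server can expose the form parameters it received, an assertion that the token request carried `scope=testScope` would pin the new behaviour. A second case with no scope set would cover the default path. The body of `testRegister` and the mock server are outside the hunk, so this is inferred from the lines shown.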
diff --git a/docs/modules/ROOT/partials/getting-started/proc-adding-artifact-references-automatically-using-maven-plugin.adoc b/docs/modules/ROOT/partials/getting-started/proc-adding-artifact-references-automatically-using-maven-plugin.adoc index 3c5c343ba6..8c826789a4 100644 --- a/docs/modules/ROOT/partials/getting-started/proc-adding-artifact-references-automatically-using-maven-plugin.adoc +++ b/docs/modules/ROOT/partials/getting-started/proc-adding-artifact-references-automatically-using-maven-plugin.adoc @@ -66,6 +66,7 @@ This section shows a simple example of using the Maven plug-in to register an Av MY-AUTH-SERVER MY-CLIENT-ID MY-CLIENT-SECRET <3> + MY-CLIENT-SCOPE test-group <4> diff --git a/docs/modules/ROOT/partials/getting-started/proc-adding-artifact-references-manually-using-maven-plugin.adoc b/docs/modules/ROOT/partials/getting-started/proc-adding-artifact-references-manually-using-maven-plugin.adoc index 3edf403bca..b91e31c219 100644 --- a/docs/modules/ROOT/partials/getting-started/proc-adding-artifact-references-manually-using-maven-plugin.adoc +++ b/docs/modules/ROOT/partials/getting-started/proc-adding-artifact-references-manually-using-maven-plugin.adoc @@ -66,6 +66,7 @@ This example then creates a `TradeKey` schema artifact, which includes a referen MY-AUTH-SERVER MY-CLIENT-ID MY-CLIENT-SECRET <3> + MY-CLIENT-SCOPE test-group <4> diff --git a/docs/modules/ROOT/partials/getting-started/proc-adding-artifacts-using-maven-plugin.adoc b/docs/modules/ROOT/partials/getting-started/proc-adding-artifacts-using-maven-plugin.adoc index 756cc51b0c..27e06d4b2d 100644 --- a/docs/modules/ROOT/partials/getting-started/proc-adding-artifacts-using-maven-plugin.adoc +++ b/docs/modules/ROOT/partials/getting-started/proc-adding-artifacts-using-maven-plugin.adoc @@ -30,6 +30,7 @@ The most common use case for the Maven plug-in is adding artifacts during a buil MY-AUTH-SERVER MY-CLIENT-ID MY-CLIENT-SECRET <3> + MY-CLIENT-SCOPE TestGroup <4> 
diff --git a/docs/modules/ROOT/partials/getting-started/proc-downloading-artifacts-using-maven-plugin.adoc b/docs/modules/ROOT/partials/getting-started/proc-downloading-artifacts-using-maven-plugin.adoc index 801f27a436..e4e29323c7 100644 --- a/docs/modules/ROOT/partials/getting-started/proc-downloading-artifacts-using-maven-plugin.adoc +++ b/docs/modules/ROOT/partials/getting-started/proc-downloading-artifacts-using-maven-plugin.adoc @@ -30,6 +30,7 @@ You can use the Maven plug-in to download artifacts from {registry}. This is oft MY-AUTH-SERVER MY-CLIENT-ID MY-CLIENT-SECRET <3> + MY-CLIENT-SCOPE TestGroup <4> @@ -60,7 +61,7 @@ ifdef::rh-openshift-sr[] <3> Specify your service account ID and secret and {org-name} Single Sign-On authentication server: `{sso-token-url}` endif::[] <4> Specify the {registry} artifact group ID. You can specify the `default` group if you do not want to use a unique group. -<5> You can download multiple artifacts to a specified directory using the artifact ID. +<5> You can download multiple artifacts to a specified directory using the artifact ID. . Build your Maven project, for example, by using the `mvn package` command. diff --git a/docs/modules/ROOT/partials/getting-started/proc-testing-artifacts-using-maven-plugin.adoc b/docs/modules/ROOT/partials/getting-started/proc-testing-artifacts-using-maven-plugin.adoc index 740c37b16d..21db031d5e 100644 --- a/docs/modules/ROOT/partials/getting-started/proc-testing-artifacts-using-maven-plugin.adoc +++ b/docs/modules/ROOT/partials/getting-started/proc-testing-artifacts-using-maven-plugin.adoc @@ -33,6 +33,7 @@ NOTE: When testing artifacts using the Maven plug-in, even if the artifact passe MY-AUTH-SERVER MY-CLIENT-ID MY-CLIENT-SECRET <3> + MY-CLIENT-SCOPE TestGroup <4> diff --git a/schema-resolver/src/main/java/io/apicurio/registry/resolver/AbstractSchemaResolver.java b/schema-resolver/src/main/java/io/apicurio/registry/resolver/AbstractSchemaResolver.java index a8c8109b6d..4bf0addae3 100644 
--- a/schema-resolver/src/main/java/io/apicurio/registry/resolver/AbstractSchemaResolver.java +++ b/schema-resolver/src/main/java/io/apicurio/registry/resolver/AbstractSchemaResolver.java @@ -289,8 +289,10 @@ private OidcAuth configureAuthWithUrl(DefaultSchemaResolverConfig config, String throw new IllegalArgumentException("Missing registry auth secret, set " + SchemaResolverConfig.AUTH_CLIENT_SECRET); } + final String clientScope = config.getAuthClientScope(); + authClient = ApicurioHttpClientFactory.create(tokenEndpoint, new AuthErrorHandler()); - return new OidcAuth(authClient, clientId, clientSecret); + return new OidcAuth(authClient, clientId, clientSecret, null, clientScope); } private RegistryClient configureClientWithBasicAuth(DefaultSchemaResolverConfig config, String registryUrl, String username) { diff --git a/schema-resolver/src/main/java/io/apicurio/registry/resolver/SchemaResolverConfig.java b/schema-resolver/src/main/java/io/apicurio/registry/resolver/SchemaResolverConfig.java index cf5fb4cd15..46489fcbc9 100644 --- a/schema-resolver/src/main/java/io/apicurio/registry/resolver/SchemaResolverConfig.java +++ b/schema-resolver/src/main/java/io/apicurio/registry/resolver/SchemaResolverConfig.java @@ -115,6 +115,11 @@ public class SchemaResolverConfig { */ public static final String AUTH_CLIENT_SECRET = "apicurio.auth.client.secret"; + /** + * The Scope of the Auth Service. + */ + public static final String AUTH_CLIENT_SCOPE = "apicurio.auth.client.scope"; + /** * The Username of the Auth Service. */ diff --git a/schema-resolver/src/main/java/io/apicurio/registry/resolver/config/DefaultSchemaResolverConfig.java b/schema-resolver/src/main/java/io/apicurio/registry/resolver/config/DefaultSchemaResolverConfig.java index ab0a210f30..2c6c5a9ecb 100644 --- a/schema-resolver/src/main/java/io/apicurio/registry/resolver/config/DefaultSchemaResolverConfig.java +++ b/schema-resolver/src/main/java/io/apicurio/registry/resolver/config/DefaultSchemaResolverConfig.java 
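Review bot: In `configureAuthWithUrl` the result of `config.getAuthClientScope()` goes to `OidcAuth` unchecked, although the client id and secret just above it are validated, and whether `OidcAuth` omits the scope parameter for a null, empty or whitespace-only value is not visible here. Because the scope decides what the issued token may do, I would normalise it first: `final String scope = config.getAuthClientScope();` followed by `final String clientScope = (scope == null || scope.trim().isEmpty()) ? null : scope.trim();`. The bare `null` passed as the fourth constructor argument also deserves a short comment naming the parameter it fills. The same call shape appears in the `getClient()` hunk of `AbstractRegistryMojo` later in this patch. The method starts outside the hunk.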
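Review bot: The Javadoc on `AUTH_CLIENT_SCOPE`, "The Scope of the Auth Service.", does not say what the setting controls or that it is optional. Suggested wording: `The OAuth2 scope to request from the auth service when obtaining an access token with the client id and secret. Optional; unset by default.` Since the commit subject names Active Directory as the motivating case, a sentence noting that some identity providers require a specific scope value would help users who hit a token error.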
@@ -72,6 +72,10 @@ public String getAuthClientSecret() { return getString(AUTH_CLIENT_SECRET); } + public String getAuthClientScope() { + return getString(AUTH_CLIENT_SCOPE); + } + public String getAuthUsername() { return getString(AUTH_USERNAME); } diff --git a/schema-resolver/src/test/java/io/apicurio/registry/resolver/config/ConfigurationTest.java b/schema-resolver/src/test/java/io/apicurio/registry/resolver/config/ConfigurationTest.java index e7fe076ede..4feb65e50e 100644 --- a/schema-resolver/src/test/java/io/apicurio/registry/resolver/config/ConfigurationTest.java +++ b/schema-resolver/src/test/java/io/apicurio/registry/resolver/config/ConfigurationTest.java @@ -51,6 +51,9 @@ void testDefaultConfiguration() { assertEquals(null, config.getAuthClientSecret()); assertEquals(null, config.getObject("apicurio.auth.client.secret")); + assertEquals(null, config.getAuthClientScope()); + assertEquals(null, config.getObject("apicurio.auth.client.scope")); + assertEquals(null, config.getAuthPassword()); assertEquals(null, config.getObject("apicurio.auth.password")); diff --git a/utils/maven-plugin/src/main/java/io/apicurio/registry/maven/AbstractRegistryMojo.java b/utils/maven-plugin/src/main/java/io/apicurio/registry/maven/AbstractRegistryMojo.java index 54f22fdcdc..ec81df3589 100644 --- a/utils/maven-plugin/src/main/java/io/apicurio/registry/maven/AbstractRegistryMojo.java +++ b/utils/maven-plugin/src/main/java/io/apicurio/registry/maven/AbstractRegistryMojo.java @@ -61,6 +61,9 @@ public abstract class AbstractRegistryMojo extends AbstractMojo { @Parameter(property = "client.secret") String clientSecret; + @Parameter(property = "client.scope") + String clientScope; + @Parameter(property = "username") String username; 
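Review bot: The new `clientScope` field in `AbstractRegistryMojo` has no Javadoc, so a user reading the plugin's parameter list gets no hint of what `client.scope` does. The `getClient()` hunk shows it is only used when `authServerUrl`, `clientId` and `clientSecret` are all set, and that belongs in the description too. I would add `/** OAuth2 scope requested when obtaining a token from the auth server; optional, only used with OIDC client credentials. */` above the `@Parameter` line. The field declarations continue outside the hunk.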
@@ -74,7 +77,7 @@ protected RegistryClient getClient() { if (client == null) { if (authServerUrl != null && clientId != null && clientSecret != null) { httpClient = ApicurioHttpClientFactory.create(authServerUrl, new AuthErrorHandler()); - Auth auth = new OidcAuth(httpClient, clientId, clientSecret); + Auth auth = new OidcAuth(httpClient, clientId, clientSecret, null, clientScope); client = RegistryClientFactory.create(registryUrl, Collections.emptyMap(), auth); } else if (username != null && password != null) { Auth auth = new BasicAuth(username, password); @@ -151,6 +154,8 @@ public void setClientSecret(String clientSecret) { this.clientSecret = clientSecret; } + public void setClientScope(String clientScope) { this.clientScope = clientScope; } + public void setUsername(String username) { this.username = username; }
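Review bot: `setClientScope` appears to be written on a single line, `public void setClientScope(String clientScope) { this.clientScope = clientScope; }`, since the hunk header counts only two added lines including the blank one. The neighbouring `setClientSecret` and `setUsername` in the same hunk use the three-line form. Expanding the new setter to match keeps the setters uniform and avoids a formatter-only diff later.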