From 7a8f2e1f5b6ca88bc6635d2568960753ec90e36e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20=22decko=22=20de=20Brito?=
Date: Mon, 26 Aug 2024 20:42:42 -0300
Subject: [PATCH] Fix sending an empty scope on OAuth2ClientCredentialsAuth According to the section 3.3 of RFC 6749 OAuth2 Access Token Scope, this is the notation that defines how the scope should be send to the IdentityProvider: `scope = scope-token *( SP scope-token )` Basically it should be omitted if it's empty.
---
 CHANGES/pulp-glue/1050.bugfix | 1 +
 pulp-glue/pulp_glue/common/authentication.py | 6 ++--
 pulp-glue/tests/test_authentication.py | 29 ++++++++++++++++++++
 3 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 CHANGES/pulp-glue/1050.bugfix
 create mode 100644 pulp-glue/tests/test_authentication.py
diff --git a/CHANGES/pulp-glue/1050.bugfix b/CHANGES/pulp-glue/1050.bugfix
new file mode 100644
index 000000000..0184ad86c
--- /dev/null
+++ b/CHANGES/pulp-glue/1050.bugfix
@@ -0,0 +1 @@
+Fixed sending no scope instead an empty scope when using the `OAuth2ClientCredentialsAuth` authentication class.
diff --git a/pulp-glue/pulp_glue/common/authentication.py b/pulp-glue/pulp_glue/common/authentication.py
index 646ee5306..4e198b4b8 100644
--- a/pulp-glue/pulp_glue/common/authentication.py
+++ b/pulp-glue/pulp_glue/common/authentication.py
@@ -15,7 +15,7 @@ def __init__(
 client_id: str,
 client_secret: str,
 token_url: str,
- scopes: t.List[str],
+ scopes: t.Optional[t.List[str]] = None,
 ):
 self.client_id = client_id
 self.client_secret = client_secret
@@ -78,10 +78,12 @@ def retrieve_token(self) -> None:
 data = {
 "client_id": self.client_id,
 "client_secret": self.client_secret,
- "scope": " ".join(self.scopes),
 "grant_type": "client_credentials",
 }
 
+ if self.scopes:
+ data["scope"] = " ".join(self.scopes)
+
 response: requests.Response = requests.post(self.token_url, data=data)
 response.raise_for_status()
 
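Review bot: In the `__init__` hunk of authentication.py, the new default `scopes: t.Optional[t.List[str]] = None` is undocumented although its effect is security-relevant. When `scope` is omitted, RFC 6749 section 3.3 lets the authorization server apply its own pre-defined default scope or reject the request, so the token may carry different permissions than the caller expects. I would add a comment on the parameter such as `# None or [] omits "scope"; the authorization server then applies its default scope (RFC 6749, section 3.3)`. The assignment to `self.scopes` lies outside the hunk, so any other reader of that attribute presumably has to handle `None` now.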
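Review bot: In the `retrieve_token` hunk, `if self.scopes:` tests only the list itself, so a value such as `[""]` (what `"".split(" ")` returns for an empty setting) is truthy and still posts an empty `scope`, the case this commit sets out to remove. Filtering the entries before the check would cover it: `scope = " ".join(s for s in self.scopes or [] if s)` followed by `if scope: data["scope"] = scope`. Whether any caller builds the list that way is not visible here, and the function body continues past the end of the hunk.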
diff --git a/pulp-glue/tests/test_authentication.py b/pulp-glue/tests/test_authentication.py
new file mode 100644
index 000000000..6a1f1f08c
--- /dev/null
+++ b/pulp-glue/tests/test_authentication.py
@@ -0,0 +1,29 @@
+import typing as t
+
+import pytest
+
+from pulp_glue.common.authentication import OAuth2ClientCredentialsAuth
+
+pytestmark = pytest.mark.glue
+
+
+def test_sending_no_scope_when_empty(monkeypatch: pytest.MonkeyPatch) -> None:
+
+ class OAuth2MockResponse:
+ def raise_for_status(self):
+ return None
+
+ def json(self):
+ return {"expires_in": 1, "access_token": "aaa"}
+
+ def _requests_post_mocked(url: str, data: t.Dict[str, t.Any]):
+ assert "scope" not in data
+ return OAuth2MockResponse()
+
+ monkeypatch.setattr("requests.post", _requests_post_mocked)
+
+ OAuth2ClientCredentialsAuth(token_url="", client_id="", client_secret="").retrieve_token()
+
+ OAuth2ClientCredentialsAuth(
+ token_url="", client_id="", client_secret="", scopes=[]
+ ).retrieve_token()
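Review bot: The only assertion in `test_sending_no_scope_when_empty` sits inside `_requests_post_mocked`, so the test passes without checking anything if `retrieve_token` ever stops calling `requests.post`. I would record each call (for example by appending `data` to a list captured by the mock) and assert on that list after every `retrieve_token()`. A positive case is also missing: a call with `scopes=["a", "b"]` asserting `data["scope"] == "a b"` would pin the space-delimited form from RFC 6749 section 3.3 and guard against a later change dropping the scope altogether.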