feat: added options to specify a scope prefix and extra scopes to token request #107

Merged
merged 7 commits into from
Mar 28, 2024
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
@@ -1,6 +1,6 @@
# Contributing to STIGMAN-Watcher

**NOTE: This CONTRIBUTING.md describes our software contribution policy. You do not need to follow the Developer's Certificate of Origin (DCO) process for commenting on the STIG Manager repository documentation, such as CONTRIBUTING.md, INTENT.md, etc. or for submitting issues. For more information about developing and contributing to the project, please see the [STIG Manager Contribution Guide](https://stig-manager.readthedocs.io/en/latest/the-project/contributing.html) that is part of our [overall documentation](https://stig-manager.readthedocs.io/en/latest/index.html)**
**NOTE: This CONTRIBUTING.md describes our software contribution policy. You do not need to follow the Developer's Certificate of Origin (DCO) process for commenting on the STIGMAN-Watcher repository documentation, such as CONTRIBUTING.md, INTENT.md, etc. or for submitting issues. For more information about developing and contributing to the project, please see the [STIG Manager Contribution Guide](https://stig-manager.readthedocs.io/en/latest/the-project/contributing.html) that is part of our [overall documentation](https://stig-manager.readthedocs.io/en/latest/index.html)**

## Policy

7 changes: 5 additions & 2 deletions lib/args.js
@@ -78,6 +78,8 @@ program
.requiredOption('--api <url>', 'Base URL of the STIG Manager API service (`WATCHER_API_BASE`).', pe.WATCHER_API_BASE)
.requiredOption('--authority <url>', 'Base URL of the OIDC authentication service that issues OAuth2 tokens for the API (`WATCHER_AUTHORITY`)', pe.WATCHER_AUTHORITY)
.requiredOption('--client-id <string>', 'OIDC clientId to authenticate (`WATCHER_CLIENT_ID`). You will be prompted for the client secret if `--client-key` is not present and `--prompt` is present, unless `WATCHER_CLIENT_SECRET` is set', pe.WATCHER_CLIENT_ID)
.option('--scope-prefix <string>', 'String used as a prefix for default stig-manager scopes (except `openid`) when authenticating to the OIDC Provider.', pe.WATCHER_SCOPE_PREFIX ?? '')
.option('--extra-scopes <string>', 'Space separated OAuth2 scopes to request in addition to the default scopes. Will not be automatically prefixed with WATCHER_SCOPE_PREFIX value.', pe.WATCHER_EXTRA_SCOPES)
.option('--client-key <path>', 'Path to a PEM encoded private key (`WATCHER_CLIENT_KEY`). If the key is encrypted, you will be prompted for the passphrase if `--prompt` is present, unless `WATCHER_CLIENT_KEY_PASSPHRASE` is set.', pe.WATCHER_CLIENT_KEY)
.option('--add-existing', 'For `--mode events`, existing files in the path will generate an `add` event (`WATCHER_ADD_EXISTING=1`). Ignored if `--mode scan`, negate with `--no-add-existing`.', getBoolean('WATCHER_ADD_EXISTING', false))
.option('--no-add-existing', 'Ignore existing files in the watched path (`WATCHER_ADD_EXISTING=0`).')
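Review bot: the help strings for the two new options don't follow the convention of the surrounding options, which name the backing environment variable in backticks in parentheses; `--scope-prefix` never mentions `WATCHER_SCOPE_PREFIX` at all, and `--extra-scopes` mentions `WATCHER_SCOPE_PREFIX` unquoted but omits its own `WATCHER_EXTRA_SCOPES`. Suggest ending them with (`WATCHER_SCOPE_PREFIX`) and (`WATCHER_EXTRA_SCOPES`) respectively. It is also worth saying in the `--extra-scopes` text that any scope added here widens what the issued token is authorized to do, so the value should be kept to the minimum the deployment actually needs.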
@@ -87,10 +89,10 @@ program
.option('--create-objects', 'Create Assets or STIG Assignments as needed (`WATCHER_CREATE_OBJECTS=1`). Negate with `--no-create-objects`.', getBoolean('WATCHER_CREATE_OBJECTS', true))
.option('--no-create-objects', 'Do not create Assets or STIG Assignments (`WATCHER_CREATE_OBJECTS=0`).')
.option('--ignore-dir [name...]', 'DEPRECATED, use --ignore-glob. Sub-directory name to ignore. Can be invoked multiple times.(`WATCHER_IGNORE_DIRS=<csv>`)', pe.WATCHER_IGNORE_DIRS?.split(','))
.option('--ignore-glob [glob...]', 'File or diectory glob(s) to ignore. Can be invoked multiple times.(`WATCHER_IGNORE_GLOBS=<csv>`)', pe.WATCHER_IGNORE_GLOBS?.split(','))
.option('--ignore-glob [glob...]', 'File or directory glob(s) to ignore. Can be invoked multiple times.(`WATCHER_IGNORE_GLOBS=<csv>`)', pe.WATCHER_IGNORE_GLOBS?.split(','))
.option('--event-polling', 'Use polling with `--mode events`, necessary for watching network files (`WATCHER_EVENT_POLLING=1`). Ignored if `--mode scan`, negate with `--no-event-polling`.', getBoolean('WATCHER_EVENT_POLLING', true))
.option('--no-event-polling', 'Don\'t use polling with `--mode events`, reduces CPU usage (`WATCHER_EVENT_POLLING=0`).')
.option('--stability-threshold <ms>', 'If `--mode events`, milliseconds to wait for file size to stabilize. May be helpful when watching network shares. (`WATCHER_STABILITY_THRESHOLD`). Igonred with `--mode scan`', parseIntegerArg, parseIntegerEnv(pe.WATCHER_STABILITY_THRESHOLD) ?? 0)
.option('--stability-threshold <ms>', 'If `--mode events`, milliseconds to wait for file size to stabilize. May be helpful when watching network shares. (`WATCHER_STABILITY_THRESHOLD`). Ignored with `--mode scan`', parseIntegerArg, parseIntegerEnv(pe.WATCHER_STABILITY_THRESHOLD) ?? 0)
.option('--one-shot', 'Process existing files in the path and exit. Sets `--add-existing`.', false)
.option('--log-color', 'Colorize the console log output. Might confound downstream piped processes.', false)
.option('-d, --debug', 'Shortcut for `--log-level debug --log-file-level debug`', false)
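Review bot: the two help-text typo fixes in this hunk (`diectory` to `directory`, `Igonred` to `Ignored`) are unrelated to the scope feature; fine to keep, but a separate commit would keep the history easier to bisect.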
@@ -101,6 +103,7 @@ program
.option('--no-strict-revision-check', 'For CKL, allow checklist of uninstalled STIG revision (`WATCHER_STRICT_REVISION_CHECK=0`). This is the default behavior.')

// Parse ARGV and get the parsed options object
// Options properties are created as camelCase versions of the long option name
program.parse(process.argv)
const options = program.opts()

17 changes: 15 additions & 2 deletions lib/auth.js
@@ -9,11 +9,24 @@ const self = {}

self.url = null
self.threshold = 10
self.scope = 'openid stig-manager:collection stig-manager:stig:read stig-manager:user:read'
self.key = options.clientKey
self.authenticateFn = options.clientKey ? authenticateSignedJwt : authenticateClientSecret
self.authentication = options.clientKey ? 'signed-jwt' : 'client-secret'

const scopePrefix = options.scopePrefix

const scopeArray= [
`openid`,
`${scopePrefix}stig-manager:stig:read`,
`${scopePrefix}stig-manager:collection`,
`${scopePrefix}stig-manager:user:read`,
]
if (options.extraScopes) {
scopeArray.push(...options.extraScopes.split(" "))
}

self.scope = scopeArray.join(" ")

let tokens, tokenDecoded
/**
* Fetches OpenID configuration from the specified authority URL.
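Review bot: `options.extraScopes.split(" ")` yields empty-string entries whenever the value has leading, trailing or doubled spaces, which is easy to get from an environment variable, and those empty items are then joined back into the `scope` parameter sent to the provider; split on whitespace and drop empties instead, e.g. `scopeArray.push(...options.extraScopes.trim().split(/\s+/).filter(Boolean))`. The new list also does nothing to deduplicate an extra scope that repeats a default one, and the default order changed (`stig-manager:stig:read` now comes before `stig-manager:collection`); both are harmless for the token request but deserve a mention in the commit message. Since the requested scope now depends on two operator-supplied inputs, logging the final `self.scope` at debug level at startup would let operators confirm exactly what the watcher asks the OIDC provider for. Minor: `const scopeArray= [` is missing the space before `=`.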
@@ -93,7 +106,7 @@ async function authenticateClientSecret () {
const parameters = {
form: {
grant_type: 'client_credentials',
scope: self.scope,
scope: self.scope
},
username: options.clientId,
password: options.clientSecret,
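Review bot: the only change in this hunk is dropping the trailing comma after `scope: self.scope`, a pure style change that is inconsistent with the trailing commas kept on `username:` and `password:` just below it and that will show up in blame for no functional reason; either drop it from this PR or apply the project's formatter to the whole object consistently.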