tokenserver: Allow customizing list of OAuth scopes to use for CRL fetch.

tokenserver/appengine/impl/certconfig/rpc_fetch_crl.go

 // Copyright 2016 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 17 matching lines @@
         ds "github.com/luci/gae/service/datastore"
         "github.com/luci/luci-go/common/clock"
         "github.com/luci/luci-go/common/errors"
         "github.com/luci/luci-go/common/logging"
         "github.com/luci/luci-go/common/retry/transient"
         "github.com/luci/luci-go/server/auth"
 
         "github.com/luci/luci-go/tokenserver/api/admin/v1"
 )
 
-// List of OAuth scopes to use for token sent to CRL endpoint.
-var crlFetchScopes = []string{
+// List of OAuth scopes to use for token sent to CRL endpoint if config doesn't
+// specify 'oauth_scopes' field.
+var crlFetchDefaultScopes = []string{
         "https://www.googleapis.com/auth/userinfo.email",
 }
 
 // FetchCRLRPC implements CertificateAuthorities.FetchCRL RPC method.
 type FetchCRLRPC struct {
 }
 
 // FetchCRL makes the server fetch a CRL for some CA.
 func (r *FetchCRLRPC) FetchCRL(c context.Context, req *admin.FetchCRLRequest) (*admin.FetchCRLResponse, error) {
         // Grab a corresponding CA entity. It contains URL of CRL to fetch.
@@ skipping 55 matching lines @@
 ////////////////////////////////////////////////////////////////////////////////
 
 // fetchCRL fetches a blob with der-encoded CRL from the CRL endpoint.
 //
 // It knows how to use ETag headers to avoid fetching already known data.
 // May return transient and fatal errors.
 func fetchCRL(c context.Context, cfg *admin.CertificateAuthorityConfig, knownETag string) (blob []byte, etag string, err error) {
         // Pick auth or non-auth transport.
         var transport http.RoundTripper
         if cfg.UseOauth {
-                transport, err = auth.GetRPCTransport(c, auth.AsSelf, auth.WithScopes(crlFetchScopes...))
+                var scopes []string
+                if len(cfg.OauthScopes) != 0 {
+                        scopes = cfg.OauthScopes
+                } else {
+                        scopes = crlFetchDefaultScopes
+                }
+                transport, err = auth.GetRPCTransport(c, auth.AsSelf, auth.WithScopes(scopes...))
         } else {
                 transport, err = auth.GetRPCTransport(c, auth.NoAuth)
         }
         if err != nil {
                 return nil, "", err
         }
 
         // Send the request with ETag related headers.
         req, err := http.NewRequest("GET", cfg.CrlUrl, nil)
         if err != nil {
@@ skipping 98 matching lines @@
                 }
                 return ds.Put(c, toPut)
         }, nil)
         if err != nil {
                 return nil, transient.Tag.Apply(err)
         }
 
         logging.Infof(c, "CRL for %q is updated, entity version is %d", ca.CN, updated.EntityVersion)
         return updated, nil
 }