From 2f7154436aac307f4836dc9116db3c1c520b9f88 Mon Sep 17 00:00:00 2001
From: divyajose
Date: Thu, 9 Oct 2025 17:52:07 +0530
Subject: [PATCH 1/3] Fix for scope issue using service
---
 .../apigee_edge_teams.services.yml | 4 ++
 .../src/Service/AppGroupScopeManager.php | 65 +++++++++++++++++++
 .../AppCredentialControllerBase.php | 7 ++
 3 files changed, 76 insertions(+)
 create mode 100644 modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php
diff --git a/modules/apigee_edge_teams/apigee_edge_teams.services.yml b/modules/apigee_edge_teams/apigee_edge_teams.services.yml
index 638c85406..ef4cabc43 100644
--- a/modules/apigee_edge_teams/apigee_edge_teams.services.yml
+++ b/modules/apigee_edge_teams/apigee_edge_teams.services.yml
@@ -157,3 +157,7 @@ services:
 class: Drupal\apigee_edge_teams\User\RemoveTeamRolesOfUserSynchronousPostUserDeleteActionPerformer
 decorates: apigee_edge.post_user_delete_action_performer
 arguments: [ '@apigee_edge_teams.post_user_delete_action_performer.inner', '@entity_type.manager', '@logger.channel.apigee_edge_teams' ]
+
+ apigee_edge_teams.app_group_scope_manager:
+ class: Drupal\apigee_edge_teams\Service\AppGroupScopeManager
+ arguments: ['@apigee_edge.sdk_connector', '@apigee_edge.controller.organization']
diff --git a/modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php b/modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php
new file mode 100644
index 000000000..98cc7e641
--- /dev/null
+++ b/modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php
@@ -0,0 +1,65 @@
+sdkConnector = $sdkConnector;
+ $this->organizationController = $organizationController;
+ }
+
+ /**
+ * Overrides AppGroup scopes if necessary.
+ *
+ * @param array $originalScopes
+ * The original scopes.
+ * @param \Apigee\Edge\Api\Management\Entity\AppCredentialInterface $credential
+ * The credential.
+ * @param string $ownerId
+ * The owner id.
+ * @param string $appName
+ * The app name.
+ */
+ public function overrideScopes(array $originalScopes, AppCredentialInterface $credential, string $ownerId, string $appName): void {
+ if (!$this->organizationController->isOrganizationApigeeX()) {
+ return;
+ }
+
+ $client = $this->sdkConnector->getClient();
+ $organization = $this->sdkConnector->getOrganization();
+ $controller = new AppGroupAppCredentialController($organization, $ownerId, $appName, $client);
+ $controller->overrideAppGroupScopes($credential->getConsumerKey(), $originalScopes);
+ }
+
+}
diff --git a/src/Entity/Controller/AppCredentialControllerBase.php b/src/Entity/Controller/AppCredentialControllerBase.php
index 804a21e71..823c60056 100644
--- a/src/Entity/Controller/AppCredentialControllerBase.php
+++ b/src/Entity/Controller/AppCredentialControllerBase.php
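Review bot: `overrideScopes()` discards whatever `$controller->overrideAppGroupScopes(...)` returns and is declared `void`, so the caller is left holding a credential object that was read before the scopes were rewritten. Credential scopes are authorization data, so I would return the credential the SDK call yields (if it returns one) and have the caller use that object from then on. The docblock should also state when the method acts and how it fails, for example `Has no effect on organizations that are not Apigee X; exceptions from the management API call propagate to the caller.` The opening of the file (namespace, imports, class and constructor signature) is not visible in this hunk.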
@@ -116,7 +116,14 @@ public function __construct(string $owner, string $app_name, SDKConnectorInterfa
 * {@inheritdoc}
 */
 public function addProducts(string $consumer_key, array $api_products): AppCredentialInterface {
+ // Keep the original scopes from before the products are added.
+ $originalScopes = $this->load($consumer_key)->getScopes();
 $credential = $this->decorated()->addProducts($consumer_key, $api_products);
+ if ($this->getAppType() === 'team' && !empty($originalScopes) && \Drupal::hasService('apigee_edge_teams.app_group_scope_manager')) {
+ $app_group_scope_manager = \Drupal::service('apigee_edge_teams.app_group_scope_manager');
+ $app_group_scope_manager->overrideScopes($originalScopes, $credential, $this->owner, $this->appName);
+ }
+
 $this->eventDispatcher->dispatch(
 new AppCredentialAddApiProductEvent($this->getAppType(), $this->owner, $this->appName, $credential, $api_products),
 AppCredentialAddApiProductEvent::EVENT_NAME
From 89487b52132f1f954a951671e9bba3011859859f Mon Sep 17 00:00:00 2001
From: divyajose
Date: Mon, 10 Nov 2025 14:43:45 +0530
Subject: [PATCH 2/3] Get scope only for teams
---
 src/Entity/Controller/AppCredentialControllerBase.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/Entity/Controller/AppCredentialControllerBase.php b/src/Entity/Controller/AppCredentialControllerBase.php
index 823c60056..addd769f9 100644
--- a/src/Entity/Controller/AppCredentialControllerBase.php
+++ b/src/Entity/Controller/AppCredentialControllerBase.php
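Review bot: In `addProducts()` the scope restore runs only after `$this->decorated()->addProducts()` has already changed the credential, so if `overrideScopes()` throws, the credential keeps whatever scopes it had once the product was attached and `AppCredentialAddApiProductEvent` is never dispatched. These scopes presumably bound what tokens issued for the key may do, so that half-applied state should be handled explicitly: catch the failure, log it with the owner and app name, and decide deliberately whether to rethrow. Separately, the `$credential` passed to the event and returned was obtained before the override; re-reading it inside the `if` with `$credential = $this->load($consumer_key);` (assuming `load()` returns current state) would give subscribers the effective scopes. A short comment explaining why the optional teams service is looked up through `\Drupal::service()` rather than injected would also help the next reader. The function body continues past the end of this hunk.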
@@ -117,7 +117,10 @@ public function __construct(string $owner, string $app_name, SDKConnectorInterfa
 */
 public function addProducts(string $consumer_key, array $api_products): AppCredentialInterface {
 // Keep the original scopes from before the products are added.
- $originalScopes = $this->load($consumer_key)->getScopes();
+ $originalScopes = [];
+ if ($this->getAppType() === 'team') {
+ $originalScopes = $this->load($consumer_key)->getScopes();
+ }
 $credential = $this->decorated()->addProducts($consumer_key, $api_products);
 if ($this->getAppType() === 'team' && !empty($originalScopes) && \Drupal::hasService('apigee_edge_teams.app_group_scope_manager')) {
 $app_group_scope_manager = \Drupal::service('apigee_edge_teams.app_group_scope_manager');
From ce810bcf056b45fc4ab3b2307ce28a088129c08d Mon Sep 17 00:00:00 2001
From: divyajose
Date: Mon, 10 Nov 2025 18:22:12 +0530
Subject: [PATCH 3/3] added copyright
---
 .../src/Service/AppGroupScopeManager.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php b/modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php
index 98cc7e641..357287e96 100644
--- a/modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php
+++ b/modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php
@@ -1,5 +1,23 @@
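Review bot: The pre-add `$this->load($consumer_key)` still runs for team apps on organizations that are not Apigee X, because the `isOrganizationApigeeX()` test sits inside `overrideScopes()` (first patch) and is reached only after this extra read. `$this->getAppType() === 'team'` is also evaluated twice in the new code. Computing one flag before the load, `$restore_scopes = $this->getAppType() === 'team' && \Drupal::hasService('apigee_edge_teams.app_group_scope_manager');`, and testing `$restore_scopes && !empty($originalScopes)` afterwards would remove the duplicate and skip the read when the teams service is absent. `addProducts()` starts before and ends after this hunk.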