Fix for scope issue using service

modules/apigee_edge_teams/apigee_edge_teams.services.yml

@@ -157,3 +157,7 @@ services:
     class: Drupal\apigee_edge_teams\User\RemoveTeamRolesOfUserSynchronousPostUserDeleteActionPerformer
     decorates: apigee_edge.post_user_delete_action_performer
     arguments: [ '@apigee_edge_teams.post_user_delete_action_performer.inner', '@entity_type.manager', '@logger.channel.apigee_edge_teams' ]
+
+  apigee_edge_teams.app_group_scope_manager:
+    class: Drupal\apigee_edge_teams\Service\AppGroupScopeManager
+    arguments: ['@apigee_edge.sdk_connector', '@apigee_edge.controller.organization']

modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php

@@ -0,0 +1,65 @@
+<?php
+
+namespace Drupal\apigee_edge_teams\Service;
+
+use Drupal\apigee_edge\Entity\Controller\OrganizationControllerInterface;
+use Drupal\apigee_edge\SDKConnectorInterface;
+use Apigee\Edge\Api\ApigeeX\Controller\AppGroupAppCredentialController;
+use Apigee\Edge\Api\Management\Entity\AppCredentialInterface;
+
+/**
+ * Handles AppGroup scopes after API products have been added to a credential.
+ */
+class AppGroupScopeManager {
+
+  /**
+   * The SDK connector.
+   *
+   * @var \Drupal\apigee_edge\SDKConnectorInterface
+   */
+  protected $sdkConnector;
+
+  /**
+   * The organization controller.
+   *
+   * @var \Drupal\apigee_edge\Entity\Controller\OrganizationControllerInterface
+   */
+  protected $organizationController;
+
+  /**
+   * AppGroupScopeManager constructor.
+   *
+   * @param \Drupal\apigee_edge\SDKConnectorInterface $sdkConnector
+   *   The SDK connector.
+   * @param \Drupal\apigee_edge\Entity\Controller\OrganizationControllerInterface $organizationController
+   *   The organization controller.
+   */
+  public function __construct(SDKConnectorInterface $sdkConnector, OrganizationControllerInterface $organizationController) {
+    $this->sdkConnector = $sdkConnector;
+    $this->organizationController = $organizationController;
+  }
+
+  /**
+   * Overrides AppGroup scopes if necessary.
+   *
+   * @param array $originalScopes
+   *   The original scopes.
+   * @param \Apigee\Edge\Api\Management\Entity\AppCredentialInterface $credential
+   *   The credential.
+   * @param string $ownerId
+   *   The owner id.
+   * @param string $appName
+   *   The app name.
+   */
+  public function overrideScopes(array $originalScopes, AppCredentialInterface $credential, string $ownerId, string $appName): void {
+    if (!$this->organizationController->isOrganizationApigeeX()) {
+      return;
+    }
+
+    $client = $this->sdkConnector->getClient();
+    $organization = $this->sdkConnector->getOrganization();
+    $controller = new AppGroupAppCredentialController($organization, $ownerId, $appName, $client);
+    $controller->overrideAppGroupScopes($credential->getConsumerKey(), $originalScopes);
+  }
+
+}

src/Entity/Controller/AppCredentialControllerBase.php

@@ -116,7 +116,14 @@ public function __construct(string $owner, string $app_name, SDKConnectorInterfa
    * {@inheritdoc}
    */
   public function addProducts(string $consumer_key, array $api_products): AppCredentialInterface {
+    // Keep the original scopes from before the products are added.
+    $originalScopes = $this->load($consumer_key)->getScopes();
     $credential = $this->decorated()->addProducts($consumer_key, $api_products);
+    if ($this->getAppType() === 'team' && !empty($originalScopes) && \Drupal::hasService('apigee_edge_teams.app_group_scope_manager')) {
+      $app_group_scope_manager = \Drupal::service('apigee_edge_teams.app_group_scope_manager');
+      $app_group_scope_manager->overrideScopes($originalScopes, $credential, $this->owner, $this->appName);
+    }
+
     $this->eventDispatcher->dispatch(
       new AppCredentialAddApiProductEvent($this->getAppType(), $this->owner, $this->appName, $credential, $api_products),
       AppCredentialAddApiProductEvent::EVENT_NAME