From 1853d767689386283a2a52f92f958142e6494c1e Mon Sep 17 00:00:00 2001
From: Alex Hung
Date: Mon, 3 Jun 2024 11:00:43 -0700
Subject: [PATCH 1/2] Fix actions validation in scopes attribute
---
 .../resource_artifactory_scoped_token.go | 2 +-
 .../resource_artifactory_scoped_token_test.go | 140 ++++++++++++++++++
 2 files changed, 141 insertions(+), 1 deletion(-)
diff --git a/pkg/artifactory/resource/security/resource_artifactory_scoped_token.go b/pkg/artifactory/resource/security/resource_artifactory_scoped_token.go
index 9151fa729..a1d24e963 100644
--- a/pkg/artifactory/resource/security/resource_artifactory_scoped_token.go
+++ b/pkg/artifactory/resource/security/resource_artifactory_scoped_token.go
@@ -196,7 +196,7 @@ func (r *ScopedTokenResource) Schema(ctx context.Context, req resource.SchemaReq
 ),
 stringvalidator.RegexMatches(regexp.MustCompile(`^applied-permissions\/groups:.+$`), "must be 'applied-permissions/groups:[,...]'"),
 stringvalidator.RegexMatches(regexp.MustCompile(`^applied-permissions\/roles:.+:.+$`), "must be 'applied-permissions/roles::[,...]'"),
- stringvalidator.RegexMatches(regexp.MustCompile(`^artifact:.+:([rwdamxs*]|([rwdamxs]+(,[rwdamxs]+)))$`), "must be ':[/]:'"),
+ stringvalidator.RegexMatches(regexp.MustCompile(`^artifact:(?:.+):(?:(?:[rwdamxs*]+)|(?:[rwdamxs]+)(?:,[rwdamxs]+)+)$`), "must be ':[/]:'"),
 ),
 ),
 },
diff --git a/pkg/artifactory/resource/security/resource_artifactory_scoped_token_test.go b/pkg/artifactory/resource/security/resource_artifactory_scoped_token_test.go
index 58682433b..cae9a3997 100644
--- a/pkg/artifactory/resource/security/resource_artifactory_scoped_token_test.go
+++ b/pkg/artifactory/resource/security/resource_artifactory_scoped_token_test.go
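Review bot: In the `artifact:` validator of resource_artifactory_scoped_token.go, the new first alternative `[rwdamxs*]+` accepts any run of action letters and `*`, so values such as `r*`, `**` or `rwd` now pass, and the comma branch accepts multi-letter groups such as `rw,d`. If the service expects either a lone `*` or single letters separated by commas (to be confirmed against the Artifactory token-scope documentation), a tighter pattern would be `^artifact:.+:(?:\*|[rwdamxs](?:,[rwdamxs])*)$`. These strings decide what an access token may do, so rejecting malformed action lists at plan time keeps the granted permissions easy to audit. The enclosing `Schema` method starts and ends outside the hunk.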
@@ -624,6 +624,146 @@ func TestAccScopedToken_WithRoleScope(t *testing.T) { }) } +func TestAccScopedToken_WithActionsScope(t *testing.T) { + _, fqrn, name := testutil.MkNames("test-access-token", "artifactory_scoped_token") + _, _, projectName := testutil.MkNames("test-project", "project") + _, _, projectUserName := testutil.MkNames("test-projecuser", "project_user") + _, _, username := testutil.MkNames("test-user", "artifactory_managed_user") + + email := username + "@tempurl.org" + + accessTokenConfig := util.ExecuteTemplate( + "TestAccScopedToken", + `resource "artifactory_managed_user" "{{ .username }}" { + name = "{{ .username }}" + email = "{{ .email }}" + admin = true + disable_ui_access = false + groups = ["readers"] + password = "Passw0rd!" + } + + resource "project" "{{ .projectName }}" { + key = "{{ .projectName }}" + display_name = "{{ .projectName }}" + admin_privileges { + manage_members = true + manage_resources = true + index_resources = true + } + } + + resource "project_user" "{{ .projectUserName }}" { + name = artifactory_managed_user.{{ .username }}.name + project_key = project.{{ .projectName }}.key + roles = ["Developer"] + } + + resource "artifactory_scoped_token" "{{ .name }}" { + username = artifactory_managed_user.{{ .username }}.name + scopes = [ + "artifact:generic-local-1:r", + "artifact:generic-local-2:r,w,d,a,m", + ] + }`, + map[string]interface{}{ + "name": name, + "username": username, + "email": email, + "projectName": projectName, + "projectUserName": projectUserName, + }, + ) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t) }, + ExternalProviders: map[string]resource.ExternalProvider{ + "project": { + Source: "jfrog/project", + }, + }, + ProtoV6ProviderFactories: acctest.ProtoV6ProviderFactories, + Steps: []resource.TestStep{ + { + Config: accessTokenConfig, + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(fqrn, "username", username), + resource.TestCheckResourceAttr(fqrn, 
"scopes.#", "2"), + resource.TestCheckTypeSetElemAttr(fqrn, "scopes.*", "artifact:generic-local-1:r"), + resource.TestCheckTypeSetElemAttr(fqrn, "scopes.*", "artifact:generic-local-2:r,w,d,a,m"), + ), + }, + }, + }) +} + +func TestAccScopedToken_InvalidActionsScope(t *testing.T) { + _, _, name := testutil.MkNames("test-access-token", "artifactory_scoped_token") + _, _, projectName := testutil.MkNames("test-project", "project") + _, _, projectUserName := testutil.MkNames("test-projecuser", "project_user") + _, _, username := testutil.MkNames("test-user", "artifactory_managed_user") + + email := username + "@tempurl.org" + + accessTokenConfig := util.ExecuteTemplate( + "TestAccScopedToken", + `resource "artifactory_managed_user" "{{ .username }}" { + name = "{{ .username }}" + email = "{{ .email }}" + admin = true + disable_ui_access = false + groups = ["readers"] + password = "Passw0rd!" + } + + resource "project" "{{ .projectName }}" { + key = "{{ .projectName }}" + display_name = "{{ .projectName }}" + admin_privileges { + manage_members = true + manage_resources = true + index_resources = true + } + } + + resource "project_user" "{{ .projectUserName }}" { + name = artifactory_managed_user.{{ .username }}.name + project_key = project.{{ .projectName }}.key + roles = ["Developer"] + } + + resource "artifactory_scoped_token" "{{ .name }}" { + username = artifactory_managed_user.{{ .username }}.name + scopes = [ + "artifact:generic-local-1:t", + ] + }`, + map[string]interface{}{ + "name": name, + "username": username, + "email": email, + "projectName": projectName, + "projectUserName": projectUserName, + }, + ) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t) }, + ExternalProviders: map[string]resource.ExternalProvider{ + "project": { + Source: "jfrog/project", + }, + }, + ProtoV6ProviderFactories: acctest.ProtoV6ProviderFactories, + Steps: []resource.TestStep{ + { + Config: accessTokenConfig, + ExpectError: 
regexp.MustCompile(`.*':\[\/\]:'.*`), + }, + }, + }) +} + func TestAccScopedToken_WithInvalidScopes(t *testing.T) { _, _, name := testutil.MkNames("test-scoped-token", "artifactory_scoped_token") From ba6f640c15b37b3d3ecec926b75cc19e9e6ab5a9 Mon Sep 17 00:00:00 2001 From: Alex Hung Date: Mon, 3 Jun 2024 11:01:39 -0700 Subject: [PATCH 2/2] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index af361325f..3df1d055e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## 10.8.3 (June 3, 2024) +BUG FIXES: + +* resource/artifactory_scoped_token: Fix incorrect validation with actions values for `scopes` attribute. Issue: [#985](https://github.com/jfrog/terraform-provider-artifactory/issues/985) PR: [#986](https://github.com/jfrog/terraform-provider-artifactory/pull/986) + IMPROVEMENTS: * Documentation: Move `metadata_retrieval_timeout_secs` attribute documentation from `artifactory_remote_maven_repository` to "Artifactory Remote Repository Common Arguments" documentation. Issue: [#983](https://github.com/jfrog/terraform-provider-artifactory/issues/983) PR: [#984](https://github.com/jfrog/terraform-provider-artifactory/pull/984)
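Review bot: Both new tests create `artifactory_managed_user` with `admin = true` and the fixed password `Passw0rd!`, so an interrupted run can leave an administrator account with a known credential on the instance under test. Nothing visible in these tests needs admin rights for the token's user; consider `admin = false` and a password generated per run and passed through the template map next to `email`. In `TestAccScopedToken_InvalidActionsScope` the user, project and project_user resources look unnecessary, since the scope validator presumably rejects the configuration before anything is created. The negative case also covers only an unknown letter (`artifact:generic-local-1:t`); adding a trailing comma, an empty element and `*` mixed with letters would pin the validator's edges.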