feat: add scopes to RegisterPublicKeyRequest

This will allow registering a public key with a specific (e.g. reduced) set of scopes.
We also add a new flag "skip_user_scopes" to the RegisterPublicKeyRequest. If it is set to true and the scopes on the request are empty, this flag will prevent the user scopes from being set on the public key as the default behavior.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>

api/auth/auth.proto

@@ -17,6 +17,10 @@ message Identity {
 message RegisterPublicKeyRequest {
   PublicKey public_key = 1;
   Identity identity = 2;
+  repeated string scopes = 3;
+
+  // If true and the scopes are empty, the user scopes will not be added to the public key.
+  bool skip_user_scopes = 4;
 }
 
 message RegisterPublicKeyResponse {

pkg/client/auth/auth.go

@@ -27,12 +27,15 @@ func NewClient(conn *grpc.ClientConn) *Client {
 
 // RegisterPGPPublicKey registers a PGP public key for the given identity and returns the login URL.
 // Registered public key will need to be verified before it can be used for signing.
-func (client *Client) RegisterPGPPublicKey(ctx context.Context, email string, publicKey []byte) (string, error) {
+// If no scopes are specified and skipUserScopes is false, the scopes of the user are assigned to the public key by the server.
+func (client *Client) RegisterPGPPublicKey(ctx context.Context, email string, publicKey []byte, skipUserScopes bool, scopes ...string) (string, error) {
 	resp, err := client.conn.RegisterPublicKey(ctx, &authpb.RegisterPublicKeyRequest{
 		Identity: &authpb.Identity{Email: email},
 		PublicKey: &authpb.PublicKey{
 			PgpData: publicKey,
 		},
+		Scopes:         scopes,
+		SkipUserScopes: skipUserScopes,
 	})
 	if err != nil {
 		return "", err