Add support for multiple scope parameters on V2 auth requests

Fixes https://jira.coreos.com/browse/QUAY-892

endpoints/v2/test/test_v2auth.py

@@ -4,7 +4,7 @@ from flask import url_for
 
 from app import instance_keys, app as original_app
 from endpoints.test.shared import conduct_call
-from util.security.registry_jwt import decode_bearer_token
+from util.security.registry_jwt import decode_bearer_token, CLAIM_TUF_ROOTS
 
 from test.fixtures import *
 
@@ -34,6 +34,8 @@ from test.fixtures import *
   ('repository:buynlarge/orgrepo:pull,push,*', 'devtable', 'password', 200,
    ['buynlarge/orgrepo:push,pull,*']),
 
+  ('', 'devtable', 'password', 200, []),
+
   # No credentials, non-public repo.
   ('repository:devtable/simple:pull', None, None, 200, ['devtable/simple:']),
 
@@ -51,6 +53,20 @@ from test.fixtures import *
   # Unknown repository in another namespace.
   ('repository:somenamespace/unknownrepo:pull,push', 'devtable', 'password', 200,
    ['somenamespace/unknownrepo:']),
+
+  # Multiple scopes.
+  (['repository:devtable/simple:pull,push', 'repository:devtable/complex:pull'],
+    'devtable', 'password', 200,
+   ['devtable/simple:push,pull', 'devtable/complex:pull']),
+
+  # Multiple scopes with restricted behavior.
+  (['repository:devtable/simple:pull,push', 'repository:public/publicrepo:pull,push'],
+    'devtable', 'password', 200,
+   ['devtable/simple:push,pull', 'public/publicrepo:pull']),
+
+  (['repository:devtable/simple:pull,push,*', 'repository:public/publicrepo:pull,push,*'],
+    'devtable', 'password', 200,
+   ['devtable/simple:push,pull,*', 'public/publicrepo:pull']),
 ])
 def test_generate_registry_jwt(scope, username, password, expected_code, expected_scopes,
                                app, client):
@@ -86,3 +102,4 @@ def test_generate_registry_jwt(scope, username, password, expected_code, expecte
     })
 
   assert decoded['access'] == expected_access
+  assert len(decoded['context'][CLAIM_TUF_ROOTS]) == len(expected_scopes)