chore(cli): print groups when retrieving roles info (#24522)

Signed-off-by: nitishfy <justnitish06@gmail.com>
2026-04-21 17:07:16 +00:00 · 2025-09-11 20:20:39 +05:30 · 2025-09-11 20:20:39 +05:30 · 2e5601f932
commit 2e5601f932
parent 7ae14c89d9
3 changed files with 81 additions and 2 deletions
--- a/cmd/argocd/commands/project_role.go
+++ b/cmd/argocd/commands/project_role.go
@ -605,8 +605,17 @@ ID          ISSUED-AT                                  EXPIRES-AT
 			fmt.Printf(printRoleFmtStr, "Description:", role.Description)
 			fmt.Printf("Policies:\n")
 			fmt.Printf("%s\n", proj.ProjectPoliciesString())
+			fmt.Printf("Groups:\n")
+			// if the group exists in the role
+			// range over each group and print it
+			if v1alpha1.RoleGroupExists(role) {
+				for _, group := range role.Groups {
+					fmt.Printf("  - %s\n", group)
+				}
+			} else {
+				fmt.Println("<none>")
+			}
 			fmt.Printf("JWT Tokens:\n")
-			// TODO(jessesuen): print groups
 			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
 			fmt.Fprintf(w, "ID\tISSUED-AT\tEXPIRES-AT\n")
 			for _, token := range proj.Status.JWTTokensByRole[roleName].Items {
--- a/pkg/apis/application/v1alpha1/app_project_types.go
+++ b/pkg/apis/application/v1alpha1/app_project_types.go
@ -139,7 +139,12 @@ func (proj AppProject) RemoveJWTToken(roleIndex int, issuedAt int64, id string)
 	return err2
 }

-// TODO: document this method
+// ValidateJWTTokenID checks whether a given JWT token ID is already associated with the specified role.
+//
+// If the provided id is empty, the method returns nil (no validation error).
+// If a token with the same id already exists in the role, an error of type
+// codes.InvalidArgument is returned to indicate the token ID has been used.
+// Otherwise, it returns nil.
 func (proj *AppProject) ValidateJWTTokenID(roleName string, id string) error {
 	role, _, err := proj.GetRoleByName(roleName)
 	if err != nil {
@ -156,6 +161,30 @@ func (proj *AppProject) ValidateJWTTokenID(roleName string, id string) error {
 	return nil
 }

+// ValidateProject performs a set of consistency and validation checks on the AppProject specification.
+//
+// The validation rules include:
+//   - Destinations:
+//   - Rejects invalid wildcard formats like "!*"
+//   - Ensures uniqueness of (server/namespace) or (name/namespace) combinations
+//   - SourceNamespaces:
+//   - Must be unique
+//   - SourceRepos:
+//   - Rejects invalid wildcard formats like "!*"
+//   - Must be unique
+//   - Roles:
+//   - Role names must be unique and valid
+//   - Policies within a role must be unique and valid for the project/role
+//   - Groups within a role must be unique and have valid names
+//   - SyncWindows:
+//   - Each window must have a unique identity hash
+//   - Each window must validate successfully
+//   - A window must target at least one of applications, clusters, or namespaces
+//   - DestinationServiceAccounts:
+//   - Server and namespace fields must not contain invalid characters or "!"
+//   - Default service account must not be empty or contain disallowed characters
+//   - Server/namespace values must compile as valid glob patterns
+//   - Each (server/namespace) combination must be unique
 func (proj *AppProject) ValidateProject() error {
 	destKeys := make(map[string]bool)
 	for _, dest := range proj.Spec.Destinations {
@ -292,6 +321,11 @@ func (proj *AppProject) ValidateProject() error {
 	return nil
 }

+// RoleGroupExists checks if a group exists in the role
+func RoleGroupExists(role *ProjectRole) bool {
+	return len(role.Groups) != 0
+}
+
 // AddGroupToRole adds an OIDC group to a role
 func (proj *AppProject) AddGroupToRole(roleName, group string) (bool, error) {
 	role, roleIndex, err := proj.GetRoleByName(roleName)
--- a/pkg/apis/application/v1alpha1/types_test.go
+++ b/pkg/apis/application/v1alpha1/types_test.go
@ -925,6 +925,42 @@ func TestAppProject_ValidPolicyRules(t *testing.T) {
 	}
 }

+// TestRoleGroupExists tests if a group has been defined in the Project role
+func TestRoleGroupExists(t *testing.T) {
+	tests := []struct {
+		name     string
+		role     *ProjectRole
+		expected bool
+	}{
+		{
+			name: "Project role group exists",
+			role: &ProjectRole{
+				Name:        "custom-project-role",
+				Description: "The \"custom-project-role\" will be applied to the `some-user` group.",
+				Groups:      []string{"some-user"},
+				Policies:    []string{"roj:sample-test-project:custom-project-role, applications, *, *, allow"},
+			},
+			expected: true,
+		},
+		{
+			name: "Project role group doesn't exist",
+			role: &ProjectRole{
+				Name:        "custom-project-role",
+				Description: "The \"custom-project-role\" will be applied to the `some-user` group.",
+				Policies:    []string{"roj:sample-test-project:custom-project-role, applications, *, *, allow"},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := RoleGroupExists(tt.role)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}
+
 func TestExplicitType(t *testing.T) {
 	src := ApplicationSource{
 		Kustomize: &ApplicationSourceKustomize{