calypr
diff --git a/‎cmd/auth.go‎
Lines changed: 167 additions & 43 deletions b/‎cmd/auth.go‎
Lines changed: 167 additions & 43 deletions
diff --git a/‎cmd/auth_test.go‎
Lines changed: 81 additions & 0 deletions b/‎cmd/auth_test.go‎
Lines changed: 81 additions & 0 deletions
diff --git a/‎cmd/configure.go‎
Lines changed: 13 additions & 6 deletions b/‎cmd/configure.go‎
Lines changed: 13 additions & 6 deletions
@@ -3,77 +3,201 @@ package cmd
 import (
 	"context"
 	"encoding/json"
-	"log"
+	"fmt"
+	"io"
 	"sort"
+	"strings"
 
 	"github.com/calypr/data-client/g3client"
 	"github.com/calypr/data-client/logs"
 	"github.com/spf13/cobra"
 )
 
+const authSummaryResourceLimit = 10
+
 func init() {
 	var profile string
+	var showAll bool
+	var jsonOutput bool
 	var authCmd = &cobra.Command{
-		Use:     "auth",
-		Short:   "Return resource access privileges from profile",
-		Long:    `Gets resource access privileges for specified profile.`,
-		Example: `./data-client auth --profile=<profile-name>`,
-		Run: func(cmd *cobra.Command, args []string) {
+		Use:   "auth",
+		Short: "Return resource access privileges from profile",
+		Long:  `Gets resource access privileges for specified profile.`,
+		Example: `./data-client auth --profile=<profile-name>
+./data-client auth --profile=<profile-name> --all
+./data-client auth --profile=<profile-name> --json`,
+		RunE: func(cmd *cobra.Command, args []string) error {
 			// don't initialize transmission logs for non-uploading related commands
 
-			logger, logCloser := logs.New(profile, logs.WithConsole())
+			logger, logCloser := logs.New(profile, logs.WithNoConsole())
 			defer logCloser()
 
 			g3i, err := g3client.NewGen3Interface(
 				profile, logger,
 				g3client.WithClients(g3client.FenceClient),
 			)
 			if err != nil {
-				log.Fatalf("Fatal NewGen3Interface error: %s\n", err)
+				return fmt.Errorf("new Gen3 interface: %w", err)
 			}
 
 			resourceAccess, err := g3i.FenceClient().CheckPrivileges(context.Background())
 			if err != nil {
-				g3i.Logger().Fatalf("Fatal authentication error: %s\n", err)
-			} else {
-				if len(resourceAccess) == 0 {
-					g3i.Logger().Printf("\nYou don't currently have access to any resources at %s\n", g3i.Credentials().Current().APIEndpoint)
-				} else {
-					g3i.Logger().Printf("\nYou have access to the following resource(s) at %s:\n", g3i.Credentials().Current().APIEndpoint)
-
-					// Sort by resource name
-					resources := make([]string, 0, len(resourceAccess))
-					for resource := range resourceAccess {
-						resources = append(resources, resource)
-					}
-					sort.Strings(resources)
-
-					for _, project := range resources {
-						// Sort by access name if permissions are from Fence
-						permissions := resourceAccess[project].([]any)
-						_, isFencePermission := permissions[0].(string)
-						if isFencePermission {
-							access := make([]string, 0, len(permissions))
-							for _, permission := range permissions {
-								access = append(access, permission.(string))
-							}
-							sort.Strings(access)
-							g3i.Logger().Printf("%s %s\n", project, access)
-						} else {
-							// Permissions from Arborist already sorted, just pretty print them
-							marshalledPermissions, err := json.MarshalIndent(permissions, "", "  ")
-							if err != nil {
-								g3i.Logger().Printf("%s (error occurred when marshalling permissions): %s\n", project, err)
-							}
-							g3i.Logger().Printf("%s %s\n", project, marshalledPermissions)
-						}
-					}
-				}
+				return fmt.Errorf("authentication: %w", err)
+			}
+
+			if jsonOutput {
+				encoder := json.NewEncoder(cmd.OutOrStdout())
+				encoder.SetIndent("", "  ")
+				return encoder.Encode(resourceAccess)
 			}
+
+			writeAuthSummary(cmd.OutOrStdout(), g3i.Credentials().Current().APIEndpoint, resourceAccess, showAll)
+			return nil
 		},
 	}
 
 	authCmd.Flags().StringVar(&profile, "profile", "", "Specify the profile to check your access privileges")
+	authCmd.Flags().BoolVar(&showAll, "all", false, "Show every resource in each permission group")
+	authCmd.Flags().BoolVar(&jsonOutput, "json", false, "Output raw resource access JSON")
 	authCmd.MarkFlagRequired("profile") // nolint: errcheck
 	RootCmd.AddCommand(authCmd)
 }
+
+func writeAuthSummary(w io.Writer, endpoint string, resourceAccess map[string]any, showAll bool) {
+	if len(resourceAccess) == 0 {
+		fmt.Fprintf(w, "No resource access found for %s\n", endpoint)
+		return
+	}
+
+	groups := make(map[string][]string)
+	for resource, permissions := range resourceAccess {
+		signature := authPermissionSignature(permissions)
+		groups[signature] = append(groups[signature], resource)
+	}
+
+	type accessGroup struct {
+		signature string
+		resources []string
+	}
+
+	orderedGroups := make([]accessGroup, 0, len(groups))
+	for signature, resources := range groups {
+		sort.Strings(resources)
+		orderedGroups = append(orderedGroups, accessGroup{
+			signature: signature,
+			resources: resources,
+		})
+	}
+
+	sort.Slice(orderedGroups, func(i, j int) bool {
+		if len(orderedGroups[i].resources) != len(orderedGroups[j].resources) {
+			return len(orderedGroups[i].resources) > len(orderedGroups[j].resources)
+		}
+		return orderedGroups[i].signature < orderedGroups[j].signature
+	})
+
+	fmt.Fprintf(w, "Access for %s\n", endpoint)
+	fmt.Fprintf(w, "%d resources in %d permission groups\n\n", len(resourceAccess), len(orderedGroups))
+
+	for _, group := range orderedGroups {
+		fmt.Fprintf(w, "%d %s: %s\n", len(group.resources), pluralize("resource", len(group.resources)), group.signature)
+
+		limit := len(group.resources)
+		if !showAll && limit > authSummaryResourceLimit {
+			limit = authSummaryResourceLimit
+		}
+
+		for _, resource := range group.resources[:limit] {
+			fmt.Fprintf(w, "  %s\n", resource)
+		}
+		if !showAll && len(group.resources) > limit {
+			fmt.Fprintf(w, "  ... %d more (use --all to show every resource)\n", len(group.resources)-limit)
+		}
+		fmt.Fprintln(w)
+	}
+}
+
+func pluralize(word string, count int) string {
+	if count == 1 {
+		return word
+	}
+	return word + "s"
+}
+
+func authPermissionSignature(value any) string {
+	permissions, ok := value.([]any)
+	if !ok {
+		return compactJSON(value)
+	}
+	if len(permissions) == 0 {
+		return "no permissions"
+	}
+
+	if _, ok := permissions[0].(string); ok {
+		access := make([]string, 0, len(permissions))
+		for _, permission := range permissions {
+			access = append(access, fmt.Sprint(permission))
+		}
+		sort.Strings(access)
+		return strings.Join(access, ", ")
+	}
+
+	serviceMethods := make(map[string]map[string]struct{})
+	unknown := make([]string, 0)
+
+	for _, permission := range permissions {
+		method, service, ok := authPermissionFields(permission)
+		if !ok {
+			unknown = append(unknown, compactJSON(permission))
+			continue
+		}
+
+		if serviceMethods[service] == nil {
+			serviceMethods[service] = make(map[string]struct{})
+		}
+		serviceMethods[service][method] = struct{}{}
+	}
+
+	parts := make([]string, 0, len(serviceMethods)+len(unknown))
+	services := make([]string, 0, len(serviceMethods))
+	for service := range serviceMethods {
+		services = append(services, service)
+	}
+	sort.Strings(services)
+
+	for _, service := range services {
+		methods := make([]string, 0, len(serviceMethods[service]))
+		for method := range serviceMethods[service] {
+			methods = append(methods, method)
+		}
+		sort.Strings(methods)
+		parts = append(parts, fmt.Sprintf("%s: %s", service, strings.Join(methods, ", ")))
+	}
+
+	sort.Strings(unknown)
+	parts = append(parts, unknown...)
+	return strings.Join(parts, "; ")
+}
+
+func authPermissionFields(value any) (method string, service string, ok bool) {
+	switch permission := value.(type) {
+	case map[string]any:
+		method, methodOK := permission["method"].(string)
+		service, serviceOK := permission["service"].(string)
+		return method, service, methodOK && serviceOK
+	case map[string]string:
+		method, methodOK := permission["method"]
+		service, serviceOK := permission["service"]
+		return method, service, methodOK && serviceOK
+	default:
+		return "", "", false
+	}
+}
+
+func compactJSON(value any) string {
+	data, err := json.Marshal(value)
+	if err != nil {
+		return fmt.Sprint(value)
+	}
+	return string(data)
+}
@@ -0,0 +1,81 @@
+package cmd
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+)
+
+func TestAuthPermissionSignatureGroupsArboristPermissions(t *testing.T) {
+	signature := authPermissionSignature([]any{
+		map[string]any{"method": "read", "service": "*"},
+		map[string]any{"method": "create", "service": "*"},
+		map[string]any{"method": "*", "service": "indexd"},
+		map[string]any{"method": "read", "service": "requestor"},
+	})
+
+	want := "*: create, read; indexd: *; requestor: read"
+	if signature != want {
+		t.Fatalf("signature = %q, want %q", signature, want)
+	}
+}
+
+func TestAuthPermissionSignatureGroupsFenceProjectAccess(t *testing.T) {
+	signature := authPermissionSignature([]any{"write", "read", "read"})
+
+	want := "read, read, write"
+	if signature != want {
+		t.Fatalf("signature = %q, want %q", signature, want)
+	}
+}
+
+func TestWriteAuthSummaryCondensesRepeatedPermissionSets(t *testing.T) {
+	resourceAccess := map[string]any{
+		"/programs/a/projects/one": []any{
+			map[string]any{"method": "read", "service": "*"},
+			map[string]any{"method": "create", "service": "*"},
+		},
+		"/programs/a/projects/two": []any{
+			map[string]any{"method": "create", "service": "*"},
+			map[string]any{"method": "read", "service": "*"},
+		},
+		"/data_file": []any{
+			map[string]any{"method": "*", "service": "indexd"},
+		},
+	}
+
+	var out bytes.Buffer
+	writeAuthSummary(&out, "https://example.org", resourceAccess, false)
+	got := out.String()
+
+	for _, want := range []string{
+		"Access for https://example.org",
+		"3 resources in 2 permission groups",
+		"2 resources: *: create, read",
+		"  /programs/a/projects/one",
+		"  /programs/a/projects/two",
+		"1 resource: indexd: *",
+		"  /data_file",
+	} {
+		if !strings.Contains(got, want) {
+			t.Fatalf("summary missing %q:\n%s", want, got)
+		}
+	}
+}
+
+func TestWriteAuthSummaryCapsLongGroups(t *testing.T) {
+	resourceAccess := make(map[string]any)
+	for i := 0; i < authSummaryResourceLimit+2; i++ {
+		resourceAccess[string(rune('a'+i))] = []any{
+			map[string]any{"method": "read", "service": "*"},
+		}
+	}
+
+	var out bytes.Buffer
+	writeAuthSummary(&out, "https://example.org", resourceAccess, false)
+	got := out.String()
+
+	if !strings.Contains(got, "... 2 more (use --all to show every resource)") {
+		t.Fatalf("summary did not cap long group:\n%s", got)
+	}
+}
@@ -10,6 +10,18 @@ import (
 	"github.com/spf13/cobra"
 )
 
+func mergeImportedCredential(target *conf.Credential, imported *conf.Credential) {
+	if target == nil || imported == nil {
+		return
+	}
+	target.KeyID = imported.KeyID
+	target.APIKey = imported.APIKey
+	if target.APIEndpoint == "" && imported.APIEndpoint != "" {
+		target.APIEndpoint = imported.APIEndpoint
+	}
+	target.AccessToken = ""
+}
+
 func init() {
 	var profile string
 	var credFile string
@@ -41,12 +53,7 @@ func init() {
 				if err != nil {
 					logger.Fatal(err) // or return proper error
 				}
-				cred.KeyID = readCred.KeyID
-				cred.APIKey = readCred.APIKey
-				if readCred.APIEndpoint != "" {
-					cred.APIEndpoint = readCred.APIEndpoint
-				}
-				cred.AccessToken = ""
+				mergeImportedCredential(cred, readCred)
 			}
 
 			g3i := g3client.NewGen3InterfaceFromCredential(cred, logger, g3client.WithClients())