chore(cli): print groups when retrieving roles info (#24522)

Signed-off-by: nitishfy <justnitish06@gmail.com>

pkg/apis/application/v1alpha1/app_project_types.go

@@ -139,7 +139,12 @@ func (proj AppProject) RemoveJWTToken(roleIndex int, issuedAt int64, id string)
 	return err2
 }
 
-// TODO: document this method
+// ValidateJWTTokenID checks whether a given JWT token ID is already associated with the specified role.
+//
+// If the provided id is empty, the method returns nil (no validation error).
+// If a token with the same id already exists in the role, an error of type
+// codes.InvalidArgument is returned to indicate the token ID has been used.
+// Otherwise, it returns nil.
 func (proj *AppProject) ValidateJWTTokenID(roleName string, id string) error {
 	role, _, err := proj.GetRoleByName(roleName)
 	if err != nil {
@@ -156,6 +161,30 @@ func (proj *AppProject) ValidateJWTTokenID(roleName string, id string) error {
 	return nil
 }
 
+// ValidateProject performs a set of consistency and validation checks on the AppProject specification.
+//
+// The validation rules include:
+//   - Destinations:
+//   - Rejects invalid wildcard formats like "!*"
+//   - Ensures uniqueness of (server/namespace) or (name/namespace) combinations
+//   - SourceNamespaces:
+//   - Must be unique
+//   - SourceRepos:
+//   - Rejects invalid wildcard formats like "!*"
+//   - Must be unique
+//   - Roles:
+//   - Role names must be unique and valid
+//   - Policies within a role must be unique and valid for the project/role
+//   - Groups within a role must be unique and have valid names
+//   - SyncWindows:
+//   - Each window must have a unique identity hash
+//   - Each window must validate successfully
+//   - A window must target at least one of applications, clusters, or namespaces
+//   - DestinationServiceAccounts:
+//   - Server and namespace fields must not contain invalid characters or "!"
+//   - Default service account must not be empty or contain disallowed characters
+//   - Server/namespace values must compile as valid glob patterns
+//   - Each (server/namespace) combination must be unique
 func (proj *AppProject) ValidateProject() error {
 	destKeys := make(map[string]bool)
 	for _, dest := range proj.Spec.Destinations {
@@ -292,6 +321,11 @@ func (proj *AppProject) ValidateProject() error {
 	return nil
 }
 
+// RoleGroupExists checks if a group exists in the role
+func RoleGroupExists(role *ProjectRole) bool {
+	return len(role.Groups) != 0
+}
+
 // AddGroupToRole adds an OIDC group to a role
 func (proj *AppProject) AddGroupToRole(roleName, group string) (bool, error) {
 	role, roleIndex, err := proj.GetRoleByName(roleName)

pkg/apis/application/v1alpha1/types_test.go

@@ -925,6 +925,42 @@ func TestAppProject_ValidPolicyRules(t *testing.T) {
 	}
 }
 
+// TestRoleGroupExists tests if a group has been defined in the Project role
+func TestRoleGroupExists(t *testing.T) {
+	tests := []struct {
+		name     string
+		role     *ProjectRole
+		expected bool
+	}{
+		{
+			name: "Project role group exists",
+			role: &ProjectRole{
+				Name:        "custom-project-role",
+				Description: "The \"custom-project-role\" will be applied to the `some-user` group.",
+				Groups:      []string{"some-user"},
+				Policies:    []string{"roj:sample-test-project:custom-project-role, applications, *, *, allow"},
+			},
+			expected: true,
+		},
+		{
+			name: "Project role group doesn't exist",
+			role: &ProjectRole{
+				Name:        "custom-project-role",
+				Description: "The \"custom-project-role\" will be applied to the `some-user` group.",
+				Policies:    []string{"roj:sample-test-project:custom-project-role, applications, *, *, allow"},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := RoleGroupExists(tt.role)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}
+
 func TestExplicitType(t *testing.T) {
 	src := ApplicationSource{
 		Kustomize: &ApplicationSourceKustomize{