Merge branch 'main' into carl/feedback-2--login-profile-ignored

carl-adams-planet · carl-adams-planet · commit e111fe74a9bb · 2025-05-27T19:33:53.000-07:00
diff --git a/src/planet_auth_utils/commands/cli/main.py b/src/planet_auth_utils/commands/cli/main.py
@@ -185,9 +185,12 @@ def cmd_plauth_login(
     yes,
 ):
     """
-    Perform an initial login, obtain user authorization, and save access
-    tokens for the selected authentication profile.  The specific process
-    used depends on the selected options and authentication profile.
+    Perform an initial login.
+
+    This command performs an initial login, obtains user authorization,
+    and saves access tokens for the selected authentication profile.
+    The specific process used depends on the selected options and
+    authentication profile.
     """
     extra = {}
     if project:
diff --git a/src/planet_auth_utils/commands/cli/oauth_cmd.py b/src/planet_auth_utils/commands/cli/oauth_cmd.py
@@ -164,6 +164,8 @@ def cmd_oauth_refresh(ctx, scope):
     It is possible to request a refresh token with scopes that are different
     from what is currently possessed, but you will never be granted
     more scopes than what the user has authorized.
+
+    This command only applies to auth profiles that use OAuth access tokens.
     """
     _check_auth_client_type_for_click_ctx(ctx)
     saved_token = FileBackedOidcCredential(None, ctx.obj["AUTH"].token_file_path())
@@ -376,7 +378,8 @@ def cmd_oauth_revoke_refresh_token(ctx):
 @recast_exceptions_to_click(AuthException, FileNotFoundError)
 def cmd_oauth_userinfo(ctx):
     """
-    Look up user information from the auth server using the access token.
+    Look up user information for the current user.  Look up is performed by
+    querying the authorization server using the current access token.
     """
     _check_auth_client_type_for_click_ctx(ctx)
     saved_token = FileBackedOidcCredential(None, ctx.obj["AUTH"].token_file_path())
@@ -395,6 +398,7 @@ def cmd_oauth_userinfo(ctx):
 def cmd_oauth_print_access_token(ctx, refresh):
     """
     Show the current OAuth access token.  Stale tokens will be automatically refreshed.
+    This command only applies to auth profiles that use OAuth access tokens.
     """
     _check_auth_client_type_for_click_ctx(ctx)
     saved_token = FileBackedOidcCredential(None, ctx.obj["AUTH"].token_file_path())
@@ -428,8 +432,8 @@ def cmd_oauth_print_access_token(ctx, refresh):
 @recast_exceptions_to_click(AuthException, FileNotFoundError)
 def cmd_oauth_decode_jwt_access_token(ctx, human_readable):
     """
-    Decode a JWT access token locally and display its contents.  NO
-    VALIDATION IS PERFORMED.  This function is intended for local
+    Decode a JWT access token locally.
+    NO VALIDATION IS PERFORMED.  This function is intended for local
     debugging purposes.  Note: Access tokens need not be JWTs.
     This function will not work for authorization servers that issue
     access tokens in other formats.
@@ -445,8 +449,8 @@ def cmd_oauth_decode_jwt_access_token(ctx, human_readable):
 @recast_exceptions_to_click(AuthException, FileNotFoundError)
 def cmd_oauth_decode_jwt_id_token(ctx, human_readable):
     """
-    Decode a JWT ID token locally and display its contents.  NO
-    VALIDATION IS PERFORMED.  This function is intended for local
+    Decode a JWT ID token locally.
+    NO VALIDATION IS PERFORMED.  This function is intended for local
     debugging purposes.
     """
     _check_auth_client_type_for_click_ctx(ctx)
@@ -460,8 +464,8 @@ def cmd_oauth_decode_jwt_id_token(ctx, human_readable):
 @recast_exceptions_to_click(AuthException, FileNotFoundError)
 def cmd_oauth_decode_jwt_refresh_token(ctx, human_readable):
     """
-    Decode a JWT refresh token locally and display its contents.  NO
-    VALIDATION IS PERFORMED.  This function is intended for local
+    Decode a JWT refresh token locally.
+    NO VALIDATION IS PERFORMED.  This function is intended for local
     debugging purposes.  Note: Refresh tokens need not be JWTs.
     This function will not work for authorization servers that issue
     refresh tokens in other formats.
diff --git a/src/planet_auth_utils/commands/cli/planet_legacy_auth_cmd.py b/src/planet_auth_utils/commands/cli/planet_legacy_auth_cmd.py
@@ -121,7 +121,8 @@ def cmd_pllegacy_login(ctx, auth_profile, username, password, sops, yes):
 @recast_exceptions_to_click(AuthException, FileNotFoundError)
 def cmd_pllegacy_print_api_key(ctx):
     """
-    Show the API Key used by the currently selected authentication profile.
+    Show the current API Key.  This command only applies to auth profiles
+    that use simple API keys.
     """
     # We also support StaticApiKeyAuthClient in some cases where the user
     # directly provides an API key.  Such clients can use the legacy API
@@ -151,7 +152,7 @@ def cmd_pllegacy_print_api_key(ctx):
 @recast_exceptions_to_click(AuthException, FileNotFoundError)
 def cmd_pllegacy_print_access_token(ctx):
     """
-    Show the legacy JWT currently held by the selected authentication profile.
+    Show the current legacy JWT access token.
     """
     _check_client_type_pllegacy_for_click_ctx(ctx)
     saved_token = FileBackedPlanetLegacyApiKey(api_key_file=ctx.obj["AUTH"].token_file_path())
diff --git a/src/planet_auth_utils/commands/cli/profile_cmd.py b/src/planet_auth_utils/commands/cli/profile_cmd.py
@@ -70,7 +70,9 @@ def _dialogue_choose_auth_profile():
             filtered_builtin_profile_names.append(profile_name)
 
     filtered_builtin_profile_names.sort()
-    sorted_on_disk_profile_names = Profile.list_on_disk_profiles().copy()
+
+    # Loading filters out invalid profile configurations that may be on disk
+    sorted_on_disk_profile_names = list(_load_all_on_disk_profiles().keys())
     sorted_on_disk_profile_names.sort()
     all_profile_names = filtered_builtin_profile_names + sorted_on_disk_profile_names
     choices = []
@@ -133,38 +135,30 @@ def cmd_profile_list(long):
     """
     List auth profiles.
     """
+    click.echo("Built-in profiles:")
+    profile_names = Builtins.builtin_profile_names().copy()
+    profile_names.sort()
+    display_dicts = OrderedDict()
+    display_names = []
+    for profile_name in profile_names:
+        config_dict = Builtins.builtin_profile_auth_client_config_dict(profile_name)
+        # The idea of a "hidden" profile currently only applies to built-in profiles.
+        # This is largely so we can have partial SKEL profiles.
+        if not config_dict.get("_hidden", False):
+            display_dicts[profile_name] = config_dict
+            display_names.append(profile_name)
     if long:
-        click.echo("Built-in profiles:")
-        profile_names = Builtins.builtin_profile_names().copy()
-        profile_names.sort()
-        display_object = OrderedDict()
-        for profile_name in profile_names:
-            config_dict = Builtins.builtin_profile_auth_client_config_dict(profile_name)
-            # The idea of a "hidden" profile currently only applies to built-in profiles.
-            # This is largely so we can have partial SKEL profiles.
-            if not config_dict.get("_hidden", False):
-                display_object[profile_name] = config_dict
-        print_obj(display_object)
-
-        click.echo("\nLocally defined profiles:")
-        print_obj(_load_all_on_disk_profiles())
+        print_obj(display_dicts)
+    else:
+        print_obj(display_names)
 
+    click.echo("\nLocally defined profiles:")
+    profile_dicts = _load_all_on_disk_profiles()
+    profile_names = list(profile_dicts.keys())
+    if long:
+        print_obj(profile_dicts)
     else:
-        click.echo("Built-in profiles:")
-        display_profile_names = []
-        for profile_name in Builtins.builtin_profile_names():
-            config_dict = Builtins.builtin_profile_auth_client_config_dict(profile_name)
-            # The idea of a "hidden" profile currently only applies to built-in profiles.
-            # This is largely so we can have partial SKEL profiles.
-            if not config_dict.get("_hidden", False):
-                display_profile_names.append(profile_name)
-        display_profile_names.sort()
-        print_obj(display_profile_names)
-
-        click.echo("\nLocally defined profiles:")
-        display_profile_names = Profile.list_on_disk_profiles()
-        display_profile_names.sort()
-        print_obj(display_profile_names)
+        print_obj(profile_names)
 
 
 @cmd_profile.command("create")
@@ -271,10 +265,16 @@ def cmd_profile_copy(sops, src, dst):
 @recast_exceptions_to_click(AuthException, FileNotFoundError, PermissionError)
 def cmd_profile_set(selected_profile):
     """
-    Configure the default authentication profile to use when one is not otherwise specified.
+    Configure the default authentication profile. Preference will be saved to disk
+    and will be used when one is not otherwise specified.  Command line options
+    and environment variables override on-disk preferences.
     """
     if not selected_profile:
         selected_profile = _dialogue_choose_auth_profile()
+    else:
+        # Validate user input.  Dialogue selected profiles should be pre-vetted.
+        normalized_profile_name, _ = PlanetAuthFactory.load_auth_client_config_from_profile(selected_profile)
+        selected_profile = normalized_profile_name
 
     try:
         user_profile_config_file = PlanetAuthUserConfig()
