fix(groups): add required labels filter for list query

Author: salmonumbrella

internal/cmd/execute_groups_test.go

@@ -18,6 +18,13 @@ func TestExecute_GroupsList_JSON(t *testing.T) {
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if strings.Contains(r.URL.Path, "groups/-/memberships:searchTransitiveGroups") && r.Method == http.MethodGet {
+			query := r.URL.Query().Get("query")
+			if !strings.Contains(query, "'"+groupLabelDiscussionForum+"' in labels") {
+				t.Fatalf("missing discussion label filter in query: %q", query)
+			}
+			if !strings.Contains(query, "member_key_id == 'a@b.com'") {
+				t.Fatalf("missing member_key_id filter in query: %q", query)
+			}
 			w.Header().Set("Content-Type", "application/json")
 			_ = json.NewEncoder(w).Encode(map[string]any{
 				"memberships": []map[string]any{
@@ -159,6 +166,13 @@ func TestExecute_GroupsList_Text(t *testing.T) {
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if strings.Contains(r.URL.Path, "groups/-/memberships:searchTransitiveGroups") && r.Method == http.MethodGet {
+			query := r.URL.Query().Get("query")
+			if !strings.Contains(query, "'"+groupLabelDiscussionForum+"' in labels") {
+				t.Fatalf("missing discussion label filter in query: %q", query)
+			}
+			if !strings.Contains(query, "member_key_id == 'a@b.com'") {
+				t.Fatalf("missing member_key_id filter in query: %q", query)
+			}
 			w.Header().Set("Content-Type", "application/json")
 			_ = json.NewEncoder(w).Encode(map[string]any{
 				"memberships": []map[string]any{

internal/cmd/groups.go

@@ -21,6 +21,9 @@ const (
 	groupRoleOwner   = "OWNER"
 	groupRoleManager = "MANAGER"
 	groupRoleMember  = "MEMBER"
+
+	groupLabelDiscussionForum = "cloudidentity.googleapis.com/groups.discussion_forum"
+	groupLabelDynamic         = "cloudidentity.googleapis.com/groups.dynamic"
 )
 
 type GroupsCmd struct {
@@ -51,7 +54,7 @@ func (c *GroupsListCmd) Run(ctx context.Context, flags *RootFlags) error {
 	// Using "groups/-" as parent searches across all groups
 	fetch := func(pageToken string) ([]*cloudidentity.GroupRelation, string, error) {
 		call := svc.Groups.Memberships.SearchTransitiveGroups("groups/-").
-			Query("member_key_id == '" + account + "'").
+			Query(searchTransitiveGroupsQuery(account)).
 			PageSize(c.Max).
 			Context(ctx)
 		if strings.TrimSpace(pageToken) != "" {
@@ -148,6 +151,16 @@ func wrapCloudIdentityError(err error, account string) error {
 	return err
 }
 
+func searchTransitiveGroupsQuery(memberKeyID string) string {
+	memberKeyID = strings.ReplaceAll(strings.TrimSpace(memberKeyID), "'", "\\'")
+	return fmt.Sprintf(
+		"member_key_id == '%s' && ('%s' in labels || '%s' in labels)",
+		memberKeyID,
+		groupLabelDiscussionForum,
+		groupLabelDynamic,
+	)
+}
+
 // getRelationType returns a human-readable relation type.
 func getRelationType(relationType string) string {
 	switch relationType {

internal/cmd/groups_test.go

@@ -74,3 +74,23 @@ func TestTruncate(t *testing.T) {
 		t.Fatalf("unexpected truncate: %q", got)
 	}
 }
+
+func TestSearchTransitiveGroupsQuery(t *testing.T) {
+	got := searchTransitiveGroupsQuery("person@example.com")
+	if !strings.Contains(got, "member_key_id == 'person@example.com'") {
+		t.Fatalf("missing member_key_id clause: %q", got)
+	}
+	if !strings.Contains(got, "'"+groupLabelDiscussionForum+"' in labels") {
+		t.Fatalf("missing discussion label clause: %q", got)
+	}
+	if !strings.Contains(got, "'"+groupLabelDynamic+"' in labels") {
+		t.Fatalf("missing dynamic label clause: %q", got)
+	}
+}
+
+func TestSearchTransitiveGroupsQuery_EscapesSingleQuote(t *testing.T) {
+	got := searchTransitiveGroupsQuery("o'connor@example.com")
+	if !strings.Contains(got, "member_key_id == 'o\\'connor@example.com'") {
+		t.Fatalf("expected escaped single quote: %q", got)
+	}
+}