feat: persist CLI credentials for client creation

core/cli/configure.go

@@ -94,6 +94,16 @@ func validateFlags(cmd *cobra.Command, args []string) error {
 	return err
 }
 
+func buildConfig(url, tenant, token, certPath, certKey string) config.CoreConfig {
+	return config.CoreConfig{
+		PermifyURL: url,
+		Tenant:     tenant,
+		Token:      token,
+		CertPath:   certPath,
+		CertKey:    certKey,
+	}
+}
+
 func runE(cmd *cobra.Command, _ []string) error {
 	configFile, _ := cmd.Flags().GetString("config")
 
@@ -117,13 +127,24 @@ func runE(cmd *cobra.Command, _ []string) error {
 		tenantNames = append(tenantNames, nameID)
 		tenantIds[nameID] = tenant.Id
 	}
-	
+
 	tenant, err := tui.Choice("Select a tenant: ", tenantNames)
 	if err != nil {
 		logger.Log.Error(err)
 	}
-	config.CliConfig.PermifyURL = url
-	config.CliConfig.Tenant = tenantIds[tenant]
+	token, err := tui.StringPrompt("enter API token (optional)", "", config.CliConfig.Token)
+	if err != nil {
+		return err
+	}
+	certPath, err := tui.StringPrompt("enter TLS cert path (optional)", "", config.CliConfig.CertPath)
+	if err != nil {
+		return err
+	}
+	certKey, err := tui.StringPrompt("enter TLS cert key path (optional)", "", config.CliConfig.CertKey)
+	if err != nil {
+		return err
+	}
+	config.CliConfig = buildConfig(url, tenantIds[tenant], token, certPath, certKey)
 	err = config.Write()
 	if err != nil {
 		logger.Log.Error(err)

core/cli/configure_test.go

@@ -0,0 +1,29 @@
+package cli
+
+import (
+	"testing"
+
+	"github.com/Permify/permify-cli/core/config"
+)
+
+func TestBuildConfigPreservesCredentialFields(t *testing.T) {
+	cfg := buildConfig("https://permify.example.com", "tenant-1", "token-1", "/tmp/client.crt", "/tmp/client.key")
+
+	if cfg.PermifyURL != "https://permify.example.com" {
+		t.Fatalf("expected permify url to be stored, got %q", cfg.PermifyURL)
+	}
+	if cfg.Tenant != "tenant-1" {
+		t.Fatalf("expected tenant to be stored, got %q", cfg.Tenant)
+	}
+	if cfg.Token != "token-1" {
+		t.Fatalf("expected token to be stored, got %q", cfg.Token)
+	}
+	if cfg.CertPath != "/tmp/client.crt" {
+		t.Fatalf("expected cert path to be stored, got %q", cfg.CertPath)
+	}
+	if cfg.CertKey != "/tmp/client.key" {
+		t.Fatalf("expected cert key to be stored, got %q", cfg.CertKey)
+	}
+}
+
+var _ config.CoreConfig = buildConfig("", "", "", "", "")

core/client/grpc.go

@@ -2,19 +2,91 @@
 package client
 
 import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"strings"
+
+	"github.com/Permify/permify-cli/core/config"
 	permify "github.com/Permify/permify-go/v1"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 )
 
-// New initializes a new permify client
+type permifyConfig = permify.Config
+type permifyClient = *permify.Client
+
+type clientFactory func(permifyConfig, ...grpc.DialOption) (permifyClient, error)
+
+type bearerTokenCredentials struct {
+	token                    string
+	requireTransportSecurity bool
+}
+
+func (c bearerTokenCredentials) GetRequestMetadata(_ context.Context, _ ...string) (map[string]string, error) {
+	return map[string]string{"authorization": "Bearer " + c.token}, nil
+}
+
+func (c bearerTokenCredentials) RequireTransportSecurity() bool {
+	return c.requireTransportSecurity
+}
+
+// DialOptions builds gRPC dial options from the persisted CLI configuration.
+func DialOptions(cfg config.CoreConfig) ([]grpc.DialOption, error) {
+	requireTransportSecurity := strings.HasPrefix(cfg.PermifyURL, "https") || cfg.SslEnabled
+
+	opts := []grpc.DialOption{}
+	transportCredentials, err := transportCredentials(cfg, requireTransportSecurity)
+	if err != nil {
+		return nil, err
+	}
+	opts = append(opts, grpc.WithTransportCredentials(transportCredentials))
+
+	if cfg.Token != "" {
+		opts = append(opts, grpc.WithPerRPCCredentials(bearerTokenCredentials{
+			token:                    cfg.Token,
+			requireTransportSecurity: requireTransportSecurity,
+		}))
+	}
+
+	return opts, nil
+}
+
+func transportCredentials(cfg config.CoreConfig, secure bool) (credentials.TransportCredentials, error) {
+	if !secure {
+		return insecure.NewCredentials(), nil
+	}
+
+	tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}
+	if cfg.CertPath != "" || cfg.CertKey != "" {
+		if cfg.CertPath == "" || cfg.CertKey == "" {
+			return nil, fmt.Errorf("both cert path and cert key must be configured for TLS client certificates")
+		}
+		cert, err := tls.LoadX509KeyPair(cfg.CertPath, cfg.CertKey)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
+
+	return credentials.NewTLS(tlsConfig), nil
+}
+
+func newFromConfig(cfg config.CoreConfig, factory clientFactory) (*permify.Client, error) {
+	opts, err := DialOptions(cfg)
+	if err != nil {
+		return nil, err
+	}
+	return factory(permify.Config{Endpoint: cfg.PermifyURL}, opts...)
+}
+
+// New initializes a new permify client with an explicit endpoint.
 func New(endpoint string) (*permify.Client, error) {
-	client, err := permify.NewClient(
-		permify.Config{
-			Endpoint: endpoint,
-		},
-		// Todo: Implement secure call with tls certificate
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
-	)
-	return client, err
+	return NewFromConfig(config.CoreConfig{PermifyURL: endpoint})
+}
+
+// NewFromConfig initializes a new permify client from persisted CLI configuration.
+func NewFromConfig(cfg config.CoreConfig) (*permify.Client, error) {
+	return newFromConfig(cfg, permify.NewClient)
 }

core/client/grpc_test.go

@@ -0,0 +1,58 @@
+package client
+
+import (
+	"context"
+	"testing"
+
+	"github.com/Permify/permify-cli/core/config"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+func TestDialOptionsUseInsecureCredentialsForHTTP(t *testing.T) {
+	opts, err := DialOptions(config.CoreConfig{PermifyURL: "http://localhost:3478"})
+	if err != nil {
+		t.Fatalf("DialOptions returned error: %v", err)
+	}
+	if len(opts) != 1 {
+		t.Fatalf("expected only transport credentials option, got %d", len(opts))
+	}
+}
+
+func TestDialOptionsAddBearerTokenPerRPCCredentials(t *testing.T) {
+	opts, err := DialOptions(config.CoreConfig{PermifyURL: "http://localhost:3478", Token: "secret-token"})
+	if err != nil {
+		t.Fatalf("DialOptions returned error: %v", err)
+	}
+	if len(opts) != 2 {
+		t.Fatalf("expected transport credentials and token credentials options, got %d", len(opts))
+	}
+
+	creds := bearerTokenCredentials{token: "secret-token", requireTransportSecurity: false}
+	metadata, err := creds.GetRequestMetadata(context.Background())
+	if err != nil {
+		t.Fatalf("GetRequestMetadata returned error: %v", err)
+	}
+	if metadata["authorization"] != "Bearer secret-token" {
+		t.Fatalf("expected bearer token authorization metadata, got %q", metadata["authorization"])
+	}
+}
+
+func TestNewFromConfigUsesConfiguredEndpoint(t *testing.T) {
+	factory := func(c permifyConfig, opts ...grpc.DialOption) (permifyClient, error) {
+		if c.Endpoint != "localhost:3478" {
+			t.Fatalf("expected configured endpoint, got %q", c.Endpoint)
+		}
+		if len(opts) != 1 {
+			t.Fatalf("expected generated dial options to be passed to client factory")
+		}
+		return nil, nil
+	}
+
+	_, err := newFromConfig(config.CoreConfig{PermifyURL: "localhost:3478"}, factory)
+	if err != nil {
+		t.Fatalf("newFromConfig returned error: %v", err)
+	}
+}
+
+var _ grpc.DialOption = grpc.WithTransportCredentials(insecure.NewCredentials())

core/cmd/data/client.go

@@ -10,10 +10,10 @@ import (
 )
 
 func Client() v1.DataClient {
-	c, err := client.New(config.CliConfig.PermifyURL)
+	c, err := client.NewFromConfig(config.CliConfig)
 	if err != nil {
 		log.Error("Error initializing permify client. Check the configuration or rerun `permify configure`")
-		os.Exit(-1)	
+		os.Exit(-1)
 	}
 	return c.Data
-}
+}

core/cmd/permission/client.go

@@ -10,10 +10,10 @@ import (
 )
 
 func Client() v1.PermissionClient {
-	c, err := client.New(config.CliConfig.PermifyURL)
+	c, err := client.NewFromConfig(config.CliConfig)
 	if err != nil {
 		log.Error("Error initializing permify client. Check the configuration or rerun `permify configure`")
-		os.Exit(-1)	
+		os.Exit(-1)
 	}
 	return c.Permission
-}
+}

core/cmd/schema/client.go

@@ -10,10 +10,10 @@ import (
 )
 
 func Client() v1.SchemaClient {
-	c, err := client.New(config.CliConfig.PermifyURL)
+	c, err := client.NewFromConfig(config.CliConfig)
 	if err != nil {
 		log.Error("Error initializing permify client. Check the configuration or rerun `permify configure`")
-		os.Exit(-1)	
+		os.Exit(-1)
 	}
 	return c.Schema
-}
+}

core/cmd/tenancy/client.go

@@ -10,10 +10,10 @@ import (
 )
 
 func Client() v1.TenancyClient {
-	c, err := client.New(config.CliConfig.PermifyURL)
+	c, err := client.NewFromConfig(config.CliConfig)
 	if err != nil {
 		log.Error("Error initializing permify client. Check the configuration or rerun `permify configure`")
-		os.Exit(-1)	
+		os.Exit(-1)
 	}
 	return c.Tenancy
-}
+}

core/config/config.go

@@ -25,9 +25,12 @@ type ProfileConfigs struct {
 
 // CoreConfig is the config struct
 type CoreConfig struct {
-	PermifyURL			 string  `yaml:"permify_url"`
-	Tenant 				 string  `yaml:"tenant"`
-	SslEnabled           bool    `yaml:"-"`
+	PermifyURL string `yaml:"permify_url"`
+	Tenant     string `yaml:"tenant"`
+	Token      string `yaml:"token,omitempty"`
+	CertPath   string `yaml:"cert_path,omitempty"`
+	CertKey    string `yaml:"cert_key,omitempty"`
+	SslEnabled bool   `yaml:"-"`
 }
 
 // IsConfigured checks if permctl cli has been configured
@@ -84,10 +87,17 @@ func New(file string, profile string) error {
 	if err != nil {
 		return err
 	}
-	err = os.WriteFile(file, newConfigDataByte, fs.FileMode(0644))
+	err = writeConfigFile(file, newConfigDataByte)
 	return err
 }
 
+func writeConfigFile(file string, data []byte) error {
+	if err := os.WriteFile(file, data, fs.FileMode(0600)); err != nil {
+		return err
+	}
+	return os.Chmod(file, fs.FileMode(0600))
+}
+
 // Write the config file
 func Write() error {
 	_, err := os.Stat(profileConfigs.File)
@@ -100,6 +110,6 @@ func Write() error {
 	if err != nil {
 		return err
 	}
-	err = os.WriteFile(profileConfigs.File, newConfigDataByte, fs.FileMode(0644))
+	err = writeConfigFile(profileConfigs.File, newConfigDataByte)
 	return err
 }