From 20973869b91bfcceed767e228ac8c44c7773f6a9 Mon Sep 17 00:00:00 2001
From: Mike Mason
Date: Fri, 2 Feb 2024 17:02:25 +0000
Subject: [PATCH] permit unconfigured permission checks

Easily permit permission checks when the permission library doesn't have a proper url configured. This simplifies local development for service which implement permissions checks allowing them to skip calling out to a permissions service while developing locally by simply enabling `DefaultAllow`.

Signed-off-by: Mike Mason
---
 pkg/permissions/config.go | 10 +++++++++-
 pkg/permissions/permissions.go | 4 ++++
 pkg/permissions/permissions_test.go | 12 ++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/pkg/permissions/config.go b/pkg/permissions/config.go
index 9db6f830..0a6ffeb6 100644
--- a/pkg/permissions/config.go
+++ b/pkg/permissions/config.go
@@ -8,11 +8,16 @@ import (

 // Config defines the permissions configuration structure
 type Config struct {
- // URL is the URL checks should be executed against
+ // URL should point to a permissions-api authorization API route, such as https://example.com/api/v1/allow.
+ // If not set, all permissions checks will be denied by default. To override this behavior, set DefaultAllow
+ // to true.
 URL string

 // IgnoreNoResponders will ignore no responder errors when auth relationship requests are published.
 IgnoreNoResponders bool
+
+ // DefaultAllow if set to true, will allow all permissions checks when URL is not set.
+ DefaultAllow bool
 }

 // MustViperFlags adds permissions config flags and viper bindings
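Review bot: The doc comment on `DefaultAllow` does not say that enabling it removes authorization entirely whenever `URL` is empty, so an operator reading only the field comment, or the `permissions-default-allow` flag help added in the next hunk ("grant permission checks when url is not set"), gets no signal that this is a fail-open, development-only setting. I would word the field comment as `// DefaultAllow, if true, grants every permission check without contacting permissions-api when URL is empty. Intended for local development only; leave false in deployed environments.` and change the flag help to `"DEVELOPMENT ONLY: grant all permission checks when url is not set"`. The commit message states the local-development intent, but that intent is not visible at the point of use.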
@@ -22,4 +27,7 @@ func MustViperFlags(v *viper.Viper, flags *pflag.FlagSet) {

 flags.Bool("permissions-ignore-no-responders", false, "ignores no responder errors when auth relationship requests are published")
 viperx.MustBindFlag(v, "permissions.ignoreNoResponders", flags.Lookup("permissions-ignore-no-responders"))
+
+ flags.Bool("permissions-default-allow", false, "grant permission checks when url is not set")
+ viperx.MustBindFlag(v, "permissions.defaultAllow", flags.Lookup("permissions-default-allow"))
 }
diff --git a/pkg/permissions/permissions.go b/pkg/permissions/permissions.go
index 132b8b1f..b4b815db 100644
--- a/pkg/permissions/permissions.go
+++ b/pkg/permissions/permissions.go
@@ -201,6 +201,10 @@ func New(config Config, options ...Option) (*Permissions, error) {
 p.url = uri
 }

+ if config.URL == "" && config.DefaultAllow {
+ p.defaultChecker = DefaultAllowChecker
+ }
+
 for _, opt := range options {
 if err := opt(p); err != nil {
 return nil, err
diff --git a/pkg/permissions/permissions_test.go b/pkg/permissions/permissions_test.go
index 0867d0a1..91bec18a 100644
--- a/pkg/permissions/permissions_test.go
+++ b/pkg/permissions/permissions_test.go
@@ -109,6 +109,18 @@ func TestPermissions(t *testing.T) {
 nil,
 nil,
 },
+ {
+ "allow unconfigured checks",
+ permissions.Config{
+ DefaultAllow: true,
+ },
+ nil,
+ "",
+ "somersc-abc123",
+ "some-action",
+ nil,
+ nil,
+ },
 {
 "check allowed",
 permissions.Config{
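Review bot: In `New`, the added `if config.URL == "" && config.DefaultAllow` branch switches the checker to `DefaultAllowChecker` silently, so a deployment that loses its URL (an unset environment variable, a typo in a config key) while the flag is still on fails open with nothing in the logs to show it. A warning emitted once when this branch is taken would make that state detectable at startup; whether `p` carries a logger at this point is not visible in the hunk, so the exact call is left to the author. At minimum the branch deserves a comment such as `// Fail-open: every check is granted without calling permissions-api. Local development only.` Note also that the options loop that follows can still replace `p.defaultChecker`, and that `New` starts and ends outside this hunk.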
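Review bot: The new "allow unconfigured checks" case covers only the positive path, so nothing in this hunk pins the two boundaries that keep `DefaultAllow` from becoming a general bypass. A config with `DefaultAllow: true` and a non-empty `URL` must still consult the service and be denied when the service denies, and a config with an empty `URL` and `DefaultAllow` left false must stay denied. The rest of the table in `TestPermissions` lies outside the hunk, so one or both cases may already exist; if not, I would add them next to this one. The unkeyed struct literal also makes it hard to tell which `nil` and `""` is which; keyed fields or a short trailing comment per value would help.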