From c5d7a87e61d9d9a785b4dba85930ecf2cdf40fdf Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Thu, 4 May 2023 14:44:24 -0400
Subject: [PATCH] added config to specify the absolute path to a permissions
 yaml file so a different one can be set outside of the app repo w/ burnettk

---
 .../spiffworkflow_backend/config/__init__.py  | 24 +++++++++----------
 .../spiffworkflow_backend/config/default.py   |  3 +++
 .../openid_blueprint/openid_blueprint.py      |  2 +-
 .../services/authorization_service.py         |  2 +-
 4 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
index 7711c36f9..d61fa0850 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
@@ -88,18 +88,18 @@ def setup_config(app: Flask) -> None:
     else:
         app.config.from_pyfile(f"{app.instance_path}/config.py", silent=True)
 
-    app.config["PERMISSIONS_FILE_FULLPATH"] = None
-    permissions_file_name = app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME"]
-    if permissions_file_name is not None:
-        app.config["PERMISSIONS_FILE_FULLPATH"] = os.path.join(
-            app.root_path,
-            "config",
-            "permissions",
-            permissions_file_name,
-        )
-        print(f"base_permissions: loaded permissions file: {permissions_file_name}")
-    else:
-        print("base_permissions: no permissions file loaded")
+    if app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_ABSOLUTE_PATH"] is None:
+        permissions_file_name = app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME"]
+        if permissions_file_name is not None:
+            app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_ABSOLUTE_PATH"] = os.path.join(
+                app.root_path,
+                "config",
+                "permissions",
+                permissions_file_name,
+            )
+            print(f"base_permissions: loaded permissions file: {permissions_file_name}")
+        else:
+            print("base_permissions: no permissions file loaded")
 
     # unversioned (see .gitignore) config that can override everything and include secrets.
     # src/spiffworkflow_backend/config/secrets.py
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index addab68fc..f6a1a897b 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -78,6 +78,9 @@ SPIFFWORKFLOW_BACKEND_ENCRYPTION_LIB = environ.get(
 
 SPIFFWORKFLOW_BACKEND_LOG_TO_FILE = environ.get("SPIFFWORKFLOW_BACKEND_LOG_TO_FILE", default="false") == "true"
 
+SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_ABSOLUTE_PATH = environ.get(
+    "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_ABSOLUTE_PATH"
+)
 SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get("SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME")
 
 # Sentry Configuration
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
index 08be9ff1f..c2741d6ed 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -141,7 +141,7 @@ def get_users() -> Any:
     """Load users from a local configuration file."""
     global permission_cache
     if not permission_cache:
-        with open(current_app.config["PERMISSIONS_FILE_FULLPATH"]) as file:
+        with open(current_app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_ABSOLUTE_PATH"]) as file:
             permission_cache = yaml.safe_load(file)
     if "users" in permission_cache:
         return permission_cache["users"]
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index 68f99636d..d5842d317 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -197,7 +197,7 @@ class AuthorizationService:
             )
 
         permission_configs = None
-        with open(current_app.config["PERMISSIONS_FILE_FULLPATH"]) as file:
+        with open(current_app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_ABSOLUTE_PATH"]) as file:
             permission_configs = yaml.safe_load(file)
 
         default_group = None