feat/enterpiseportal: add checks bypass toggle as escape hatch (#64517)

The existing handler has a similar escape hatch - when enabled, all
checks return healthy.

## Test plan

unit tests

Author: bobheadxi

cmd/enterprise-portal/internal/subscriptionlicensechecksservice/mocks_test.go

@@ -60,10 +60,19 @@ func (h *handlerV1) CheckLicenseKey(ctx context.Context, req *connect.Request[su
 			errors.New("instance_id is required"))
 	}
 
+	tr := trace.FromContext(ctx)
 	logger := trace.Logger(ctx, h.logger).With(
 		log.String("instanceID", instanceID))
 
-	tr := trace.FromContext(ctx)
+	if h.store.BypassAllLicenseChecks() {
+		logger.Warn("bypassing license check")
+		tr.SetAttributes(attribute.Bool("bypass", true))
+		return &connect.Response[subscriptionlicensechecksv1.CheckLicenseKeyResponse]{
+			Msg: &subscriptionlicensechecksv1.CheckLicenseKeyResponse{
+				Valid: true,
+			},
+		}, nil
+	}
 
 	// HACK: For back-compat with old license check, try to look for a format
 	// that looks like a license key hash token. Remove in Sourcegraph 5.8

cmd/enterprise-portal/internal/subscriptionlicensechecksservice/v1.go

@@ -22,6 +22,11 @@ import (
 type StoreV1 interface {
 	Now() time.Time
 
+	// BypassAllLicenseChecks, if true, indicates that all license checks should
+	// return valid. It is an escape hatch to ensure nobody is bricked in an
+	// incident.
+	BypassAllLicenseChecks() bool
+
 	// GetByLicenseKey returns the SubscriptionLicense with the given license key.
 	// If no such SubscriptionLicense exists, it returns (nil, nil).
 	//
@@ -48,29 +53,37 @@ type NewStoreV1Options struct {
 	// LicenseKeySigner is the SSH signer to use for signing license keys. It is
 	// used here for validation only.
 	LicenseKeySigner ssh.Signer
+	// BypassAllLicenseChecks, if true, indicates that all license checks should
+	// return valid. It is an escape hatch to ensure nobody is bricked in an
+	// incident.
+	BypassAllLicenseChecks bool
 }
 
 // NewStoreV1 returns a new StoreV1 using the given resource handles.
 func NewStoreV1(logger log.Logger, opts NewStoreV1Options) StoreV1 {
 	return &storeV1{
-		logger:           logger,
-		licenses:         opts.DB.Subscriptions().Licenses(),
-		subscriptions:    opts.DB.Subscriptions(),
-		slackWebhookURL:  opts.SlackWebhookURL,
-		licensePublicKey: opts.LicenseKeySigner.PublicKey(),
+		logger:                 logger,
+		licenses:               opts.DB.Subscriptions().Licenses(),
+		subscriptions:          opts.DB.Subscriptions(),
+		slackWebhookURL:        opts.SlackWebhookURL,
+		licensePublicKey:       opts.LicenseKeySigner.PublicKey(),
+		bypassAllLicenseChecks: opts.BypassAllLicenseChecks,
 	}
 }
 
 type storeV1 struct {
-	logger           log.Logger
-	licenses         *subscriptions.LicensesStore
-	subscriptions    *subscriptions.Store
-	slackWebhookURL  *string
-	licensePublicKey ssh.PublicKey
+	logger                 log.Logger
+	licenses               *subscriptions.LicensesStore
+	subscriptions          *subscriptions.Store
+	slackWebhookURL        *string
+	licensePublicKey       ssh.PublicKey
+	bypassAllLicenseChecks bool
 }
 
 func (s *storeV1) Now() time.Time { return time.Now() }
 
+func (s *storeV1) BypassAllLicenseChecks() bool { return s.bypassAllLicenseChecks }
+
 var errInvalidLicensekey = errors.New("key is invalid")
 
 func (s *storeV1) GetByLicenseKey(ctx context.Context, licenseKey string) (*subscriptions.SubscriptionLicense, error) {

cmd/enterprise-portal/internal/subscriptionlicensechecksservice/v1_store.go

@@ -100,14 +100,24 @@ func TestCheckLicenseKey(t *testing.T) {
 	})
 
 	for _, tc := range []struct {
-		name       string
-		req        *subscriptionlicensechecksv1.CheckLicenseKeyRequest
+		name   string
+		req    *subscriptionlicensechecksv1.CheckLicenseKeyRequest
+		bypass bool
+
 		wantResult autogold.Value
 		wantErr    autogold.Value
 
 		wantSetDetectedInstance autogold.Value
 		wantPostToSlack         autogold.Value
 	}{{
+		name: "bypass enabled",
+		req: &subscriptionlicensechecksv1.CheckLicenseKeyRequest{
+			InstanceId: "instance-id",
+			LicenseKey: "license-key",
+		},
+		bypass:     true,
+		wantResult: autogold.Expect(map[string]interface{}{"reason": "", "valid": true}),
+	}, {
 		name: "instance_id required",
 		req: &subscriptionlicensechecksv1.CheckLicenseKeyRequest{
 			InstanceId: "",
@@ -174,6 +184,7 @@ func TestCheckLicenseKey(t *testing.T) {
 			// Clone the underlying mock store, to avoid polluting other test
 			// cases
 			store := NewMockStoreV1From(store)
+			store.BypassAllLicenseChecksFunc.SetDefaultReturn(tc.bypass)
 
 			h := &handlerV1{
 				logger: logtest.Scoped(t),

cmd/enterprise-portal/internal/subscriptionlicensechecksservice/v1_test.go

@@ -43,7 +43,10 @@ type Config struct {
 		RequiredTags []string
 	}
 
-	SubscriptionLicenseChecksSlackWebhookURL *string
+	SubscriptionLicenseChecks struct {
+		BypassAllChecks bool
+		SlackWebhookURL *string
+	}
 
 	LicenseExpirationChecker licenseexpiration.Config
 
@@ -117,7 +120,10 @@ func (c *Config) Load(env *runtime.Env) {
 		return strings.Split(*tags, ",")
 	}()
 
-	c.SubscriptionLicenseChecksSlackWebhookURL = env.GetOptional(
+	c.SubscriptionLicenseChecks.BypassAllChecks = env.GetBool(
+		"SUBSCRIPTION_LICENSE_CHECKS_BYPASS_ALL_CHECKS", "false",
+		"Set to true to bypass all checks for subscription licenses.")
+	c.SubscriptionLicenseChecks.SlackWebhookURL = env.GetOptional(
 		"SUBSCRIPTION_LICENSE_CHECKS_SLACK_WEBHOOK_URL",
 		"Destination webhook for subscription license check messages. If not set, messages are logged.")
 

cmd/enterprise-portal/service/config.go

@@ -139,9 +139,10 @@ func (Service) Initialize(ctx context.Context, logger log.Logger, contract runti
 		subscriptionlicensechecksservice.NewStoreV1(
 			logger,
 			subscriptionlicensechecksservice.NewStoreV1Options{
-				DB:               dbHandle,
-				SlackWebhookURL:  config.SubscriptionLicenseChecksSlackWebhookURL,
-				LicenseKeySigner: config.LicenseKeys.Signer,
+				DB:                     dbHandle,
+				SlackWebhookURL:        config.SubscriptionLicenseChecks.SlackWebhookURL,
+				LicenseKeySigner:       config.LicenseKeys.Signer,
+				BypassAllLicenseChecks: config.SubscriptionLicenseChecks.BypassAllChecks,
 			},
 		),
 		connect.WithInterceptors(otelConnectInterceptor),