From c72aba2dc2bc6bbe5e4f35e91d127fa714060cbd Mon Sep 17 00:00:00 2001 From: Michael Quigley Date: Fri, 23 May 2025 10:30:16 -0400 Subject: [PATCH] default to closed permission mode; replace '--closed' flag with '--open' (#971) --- cmd/zrok/reserve.go | 23 ++++++++++++----------- cmd/zrok/sharePrivate.go | 19 ++++++++++--------- cmd/zrok/sharePublic.go | 23 ++++++++++++----------- 3 files changed, 34 insertions(+), 31 deletions(-) diff --git a/cmd/zrok/reserve.go b/cmd/zrok/reserve.go index 7aba8f6a..122fe78b 100644 --- a/cmd/zrok/reserve.go +++ b/cmd/zrok/reserve.go @@ -28,7 +28,7 @@ type reserveCommand struct { oauthProvider string oauthEmailAddressPatterns []string oauthCheckInterval time.Duration - closed bool + open bool accessGrants []string cmd *cobra.Command } @@ -54,7 +54,7 @@ func newReserveCommand() *reserveCommand { cmd.Flags().StringArrayVar(&command.oauthEmailAddressPatterns, "oauth-email-address-patterns", []string{}, "Allow only these email domains to authenticate via OAuth") cmd.Flags().DurationVar(&command.oauthCheckInterval, "oauth-check-interval", 3*time.Hour, "Maximum lifetime for OAuth authentication; reauthenticate after expiry") cmd.MarkFlagsMutuallyExclusive("basic-auth", "oauth-provider") - cmd.Flags().BoolVar(&command.closed, "closed", false, "Enable closed permission mode (see --access-grant)") + cmd.Flags().BoolVar(&command.open, "open", false, "Enable open permission mode") cmd.Flags().StringArrayVar(&command.accessGrants, "access-grant", []string{}, "zrok accounts that are allowed to access this share (see --closed)") cmd.Run = command.run 
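Review bot: In newReserveCommand the `--access-grant` help string right below the new `--open` flag still ends with `(see --closed)`, which points at a flag this commit removes. I would reword the tail to something like `(closed permission mode is the default; see --open)`, and extend the `--open` description so it says what opening a share exposes. Scripts that still pass `--closed` will now stop with an unknown-flag error; that fails safe, but keeping the flag registered as a no-op and marking it with `cmd.Flags().MarkDeprecated("closed", "closed permission mode is now the default")` would make the upgrade smoother. The flag hunks in sharePrivate.go and sharePublic.go carry the same stale string.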
@@ -147,12 +147,14 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) { } req := &sdk.ShareRequest{ - Reserved: true, - UniqueName: cmd.uniqueName, - BackendMode: sdk.BackendMode(cmd.backendMode), - ShareMode: shareMode, - BasicAuth: cmd.basicAuth, - Target: target, + Reserved: true, + UniqueName: cmd.uniqueName, + BackendMode: sdk.BackendMode(cmd.backendMode), + ShareMode: shareMode, + BasicAuth: cmd.basicAuth, + Target: target, + PermissionMode: sdk.ClosedPermissionMode, + AccessGrants: cmd.accessGrants, } if shareMode == sdk.PublicShareMode { req.Frontends = cmd.frontendSelection @@ -165,9 +167,8 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) { req.OauthEmailAddressPatterns = cmd.oauthEmailAddressPatterns req.OauthAuthorizationCheckInterval = cmd.oauthCheckInterval } - if cmd.closed { - req.PermissionMode = sdk.ClosedPermissionMode - req.AccessGrants = cmd.accessGrants + if cmd.open { + req.PermissionMode = sdk.OpenPermissionMode } shr, err := sdk.CreateShare(env, req) if err != nil { diff --git a/cmd/zrok/sharePrivate.go b/cmd/zrok/sharePrivate.go index 38a3fd33..dd0f0340 100644 --- a/cmd/zrok/sharePrivate.go +++ b/cmd/zrok/sharePrivate.go @@ -41,7 +41,7 @@ type sharePrivateCommand struct { forceLocal bool forceAgent bool insecure bool - closed bool + open bool accessGrants []string cmd *cobra.Command } 
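Review bot: In reserveCommand.run the request literal now always sets `AccessGrants: cmd.accessGrants`, and the later `if cmd.open` branch only flips `PermissionMode`, so `--open --access-grant x` is accepted and produces an open share that still lists grants. An operator could take that for a restricted share; how the controller treats grants on an open share is not visible in this diff. I would reject the combination where the flags are registered with `cmd.MarkFlagsMutuallyExclusive("open", "access-grant")`, or clear `req.AccessGrants` inside the `if cmd.open` branch. The shareLocal hunks in sharePrivate.go and sharePublic.go have the same shape, and run's body starts and ends outside these hunks.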
@@ -65,7 +65,7 @@ func newSharePrivateCommand() *sharePrivateCommand { cmd.Flags().BoolVar(&command.forceAgent, "force-agent", false, "Skip agent detection and force agent mode") cmd.MarkFlagsMutuallyExclusive("force-local", "force-agent") cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Enable insecure TLS certificate validation for ") - cmd.Flags().BoolVar(&command.closed, "closed", false, "Enable closed permission mode (see --access-grant)") + cmd.Flags().BoolVar(&command.open, "open", false, "Enable open permission mode") cmd.Flags().StringArrayVar(&command.accessGrants, "access-grant", []string{}, "zrok accounts that are allowed to access this share (see --closed)") cmd.Run = command.run return command @@ -184,13 +184,14 @@ func (cmd *sharePrivateCommand) shareLocal(args []string, root env_core.Root) { } req := &sdk.ShareRequest{ - BackendMode: sdk.BackendMode(cmd.backendMode), - ShareMode: sdk.PrivateShareMode, - Target: target, + BackendMode: sdk.BackendMode(cmd.backendMode), + ShareMode: sdk.PrivateShareMode, + Target: target, + PermissionMode: sdk.ClosedPermissionMode, + AccessGrants: cmd.accessGrants, } - if cmd.closed { - req.PermissionMode = sdk.ClosedPermissionMode - req.AccessGrants = cmd.accessGrants + if cmd.open { + req.PermissionMode = sdk.OpenPermissionMode } shr, err := sdk.CreateShare(root, req) if err != nil { @@ -548,7 +549,7 @@ func (cmd *sharePrivateCommand) shareAgent(args []string, root env_core.Root) { Target: target, BackendMode: cmd.backendMode, Insecure: cmd.insecure, - Closed: cmd.closed, + Closed: !cmd.open, AccessGrants: cmd.accessGrants, }) if err != nil { diff --git a/cmd/zrok/sharePublic.go b/cmd/zrok/sharePublic.go index 91de615d..c60e0895 100644 --- a/cmd/zrok/sharePublic.go +++ b/cmd/zrok/sharePublic.go @@ -43,7 +43,7 @@ type sharePublicCommand struct { oauthProvider string oauthEmailAddressPatterns []string oauthCheckInterval time.Duration - closed bool + open bool accessGrants []string cmd *cobra.Command } 
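Review bot: In sharePrivateCommand.shareAgent, `Closed: !cmd.open` makes this CLI request a closed share, but the field's zero value is still `false`, so a caller that builds the agent request without setting `Closed` would presumably still get an open share. The agent-side handler is not part of this diff, so that is an inference to confirm. If closed is meant to be the default on every path, it should be enforced on the agent side as well; at minimum I would add a comment on this line such as `// Closed must be set explicitly: the field's zero value means open permission mode`. The same line appears in sharePublicCommand.shareAgent, and shareAgent's body continues outside the hunk.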
@@ -73,7 +73,7 @@ func newSharePublicCommand() *sharePublicCommand { cmd.Flags().BoolVar(&command.forceAgent, "force-agent", false, "Skip agent detection and force agent mode") cmd.MarkFlagsMutuallyExclusive("force-local", "force-agent") cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Enable insecure TLS certificate validation for ") - cmd.Flags().BoolVar(&command.closed, "closed", false, "Enable closed permission mode (see --access-grant)") + cmd.Flags().BoolVar(&command.open, "open", false, "Enable open permission mode") cmd.Flags().StringArrayVar(&command.accessGrants, "access-grant", []string{}, "zrok accounts that are allowed to access this share (see --closed)") cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (,...)") cmd.Flags().StringVar(&command.oauthProvider, "oauth-provider", "", "Enable OAuth provider [google, github]") @@ -148,15 +148,16 @@ func (cmd *sharePublicCommand) shareLocal(args []string, root env_core.Root) { } req := &sdk.ShareRequest{ - BackendMode: sdk.BackendMode(cmd.backendMode), - ShareMode: sdk.PublicShareMode, - Frontends: cmd.frontendSelection, - BasicAuth: cmd.basicAuth, - Target: target, + BackendMode: sdk.BackendMode(cmd.backendMode), + ShareMode: sdk.PublicShareMode, + Frontends: cmd.frontendSelection, + BasicAuth: cmd.basicAuth, + Target: target, + PermissionMode: sdk.ClosedPermissionMode, + AccessGrants: cmd.accessGrants, } - if cmd.closed { - req.PermissionMode = sdk.ClosedPermissionMode - req.AccessGrants = cmd.accessGrants + if cmd.open { + req.PermissionMode = sdk.OpenPermissionMode } if cmd.oauthProvider != "" { req.OauthProvider = cmd.oauthProvider 
@@ -414,7 +415,7 @@ func (cmd *sharePublicCommand) shareAgent(args []string, root env_core.Root) {
 OauthProvider: cmd.oauthProvider,
 OauthEmailAddressPatterns: cmd.oauthEmailAddressPatterns,
 OauthCheckInterval: cmd.oauthCheckInterval.String(),
- Closed: cmd.closed,
+ Closed: !cmd.open,
 AccessGrants: cmd.accessGrants,
 })
 if err != nil {