diff options
| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /pkg/authz/client.go | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'pkg/authz/client.go')
| -rw-r--r-- | pkg/authz/client.go | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/pkg/authz/client.go b/pkg/authz/client.go new file mode 100644 index 00000000..eab1fe99 --- /dev/null +++ b/pkg/authz/client.go @@ -0,0 +1,51 @@ +package authz + +import ( + "context" + "crypto/x509" + "net" + + authzed "github.com/authzed/authzed-go/v1" + "github.com/authzed/grpcutil" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + "google.golang.org/grpc/credentials/insecure" +) + +func NewClient(ctx context.Context, host string, token string) (*authzed.Client, error) { + tokenOption := grpcutil.WithInsecureBearerToken(token) + if isTLS(ctx, host) { + tokenOption = grpcutil.WithBearerToken(token) + } + return authzed.NewClient( + host, + grpc.WithTransportCredentials(credentialsFor(ctx, host)), + tokenOption, + ) +} +func credentialsFor(ctx context.Context, host string) credentials.TransportCredentials { + if isTLS(ctx, host) { + pool, err := x509.SystemCertPool() + if err != nil { + pls.LogErrorNow(ctx, err) + return insecure.NewCredentials() + } + + return credentials.NewClientTLSFromCert(pool, "") + } + + return insecure.NewCredentials() +} + +func isTLS(ctx context.Context, host string) bool { + if host == "" { + return false + } + _, port, err := net.SplitHostPort(host) + if err != nil { + pls.LogError(ctx, err) + return false + } + return port == "443" +} |