| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /pkg/authz/server_test.go | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar-inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'pkg/authz/server_test.go')
| -rw-r--r-- | pkg/authz/server_test.go | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/pkg/authz/server_test.go b/pkg/authz/server_test.go
new file mode 100644
index 00000000..47f22191
--- /dev/null
+++ b/pkg/authz/server_test.go
@@ -0,0 +1,67 @@
+package authz
+
+import (
+ "context"
+ "net"
+ "testing"
+
+ auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/credentials/insecure"
+ "google.golang.org/grpc/test/bufconn"
+)
+
+type HTTPRequest = auth.AttributeContext_HttpRequest
+
+func TestServer(t *testing.T) {
+ socket := bufconn.Listen(1024 * 1024)
+ srv := New(t.Context())
+
+ defer srv.GracefulStop()
+ go func() {
+ require.NoError(t, srv.Serve(socket))
+ }()
+
+ connection, err := grpc.DialContext(
+ t.Context(),
+ "bufnet",
+ grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) {
+ return socket.Dial()
+ }),
+ grpc.WithTransportCredentials(insecure.NewCredentials()),
+ )
+ require.NoError(t, err)
+ defer connection.Close()
+
+ client := auth.NewAuthorizationClient(connection)
+
+ t.Run("CheckRequest", func(t *testing.T) {
+ tt := []struct {
+ http *HTTPRequest
+ status codes.Code
+ }{
+ {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/application.js"}},
+ {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/favicon.ico"}},
+ {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/favicon.png"}},
+ {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/index.html"}},
+ {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/application.css"}},
+ }
+
+ for _, example := range tt {
+ t.Run(example.http.Path, func(t *testing.T) {
+ response, err := client.Check(t.Context(), &auth.CheckRequest{
+ Attributes: &auth.AttributeContext{
+ Request: &auth.AttributeContext_Request{
+ Http: example.http,
+ },
+ },
+ })
+ require.NoError(t, err)
+ assert.Equal(t, int32(example.status), response.Status.Code)
+ })
+ }
+ })
+} |
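Review bot: Every row in the CheckRequest table expects codes.OK, so this test passes unchanged against an ext_authz server that allows everything; for an authorization migration the property worth pinning is that a path outside the static-asset allowlist is refused, e.g. a row like `{status: codes.PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/admin"}}` (using whichever non-OK code New's server actually returns for a denied request — the hunk does not show it). Once a deny row exists, `response.Status` may be the nil pointer on a non-OK reply depending on how the server populates CheckResponse, so guard the dereference with `require.NotNil(t, response.Status)` before the assert.Equal. Separately, `require.NoError(t, srv.Serve(socket))` inside the `go func()` calls t.FailNow from a goroutine that is not the test goroutine, which the testing package forbids; report it with `if err := srv.Serve(socket); err != nil { t.Error(err) }` instead. The whole file is new, so TestServer is fully visible in this hunk.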
