diff options
| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /tests/authorization/cedar_authorizer_test.rs | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'tests/authorization/cedar_authorizer_test.rs')
| -rw-r--r-- | tests/authorization/cedar_authorizer_test.rs | 149 |
1 files changed, 0 insertions, 149 deletions
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs deleted file mode 100644 index 58563832..00000000 --- a/tests/authorization/cedar_authorizer_test.rs +++ /dev/null @@ -1,149 +0,0 @@ -#[cfg(test)] -mod tests { - use crate::support::factory_bot::*; - use crate::support::*; - use authzd::Authorizer; - use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; - use std::collections::HashMap; - - fn subject() -> authzd::CedarAuthorizer { - common::setup(); - subject_with(cedar_policy::Entities::empty()) - } - - fn subject_with(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer { - build_cedar_authorizer(entities) - } - - #[test] - fn test_cedar_authorizer_denies_missing_header() { - assert!( - !subject().authorize(build_request(|item: &mut HttpRequest| { - item.headers = HashMap::new(); - })) - ); - } - - #[test] - fn test_unauthenticated_sparkle_endpoints() { - let hosts = vec![ - "localhost:10000", - "sparkle.runway.gitlab.net", - "sparkle.staging.runway.gitlab.net", - ]; - - let routes = vec![ - ("GET", "/", true), - ("GET", "/callback", true), - ("GET", "/dashboard/nav", true), - ("GET", "/health", true), - ("GET", "/signout", true), - ("GET", "/sparkles", true), - ("POST", "/sparkles/restore", true), - ("GET", "/dashboard", false), - ("POST", "/sparkles", false), - ]; - - let authorizer = subject(); - for host in hosts { - for (method, path, expected) in &routes { - let request = build_request(|item: &mut HttpRequest| { - item.method = method.to_string(); - item.path = path.to_string(); - item.host = host.to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method.to_string()), - (String::from(":authority"), host.to_string()), - ]); - }); - - assert_eq!( - authorizer.authorize(request), - *expected, - "{} {}", - method, - path - ); - } - } - } - - // TODO:: Add entities to represent access to: - // * list of sparkles: `:read, gid://sparkle/Sparkle/*` - // * single sparkle: `:read, gid://sparkle/Sparkle/:id` - // * create sparkle: `:create, gid://sparkle/Sparkle/*` - // * update sparkles: `:update, gid://sparkle/Sparkle/*` - // * update single sparkle: `:update, gid://sparkle/Sparkle/:id` - // * delete sparkles: `:delete, gid://sparkle/Sparkle/*` - // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id` - #[test] - fn test_authenticated_create_sparkle() { - let request = build_request(|item: &mut HttpRequest| { - item.method = "POST".to_string(); - item.path = "/sparkles".to_string(); - item.host = "sparkle.staging.runway.gitlab.net".to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), item.path.to_string()), - (String::from(":method"), item.method.to_string()), - (String::from(":authority"), item.host.to_string()), - (String::from("x-jwt-claim-sub"), "1675940".to_string()), - ]); - }); - - let mut attrs = std::collections::HashMap::new(); - attrs.insert( - "username".to_string(), - cedar_policy::RestrictedExpression::new_string("tanuki".to_string()), - ); - let user = build_user("1675940", attrs); - let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); - let authorizer = subject_with(entities); - assert!(authorizer.authorize(request.clone())); - - let mut attrs = std::collections::HashMap::new(); - attrs.insert( - "username".to_string(), - cedar_policy::RestrictedExpression::new_string("root".to_string()), - ); - let user = build_user("1", attrs); - let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); - let authorizer = subject_with(entities); - assert!(!authorizer.authorize(request.clone())); - } - - #[test] - fn test_sparkle_homepage() { - let request = build_request(|item: &mut HttpRequest| { - item.method = "GET".to_string(); - item.path = "/".to_string(); - item.host = "localhost:10000".to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), item.path.to_string()), - (String::from(":method"), item.method.to_string()), - (String::from(":authority"), item.host.to_string()), - ]); - }); - - let authorizer = subject(); - assert_eq!(authorizer.authorize(request), true); - } - - #[test] - fn test_sparkle_dashboard() { - let request = build_request(|item: &mut HttpRequest| { - item.method = "GET".to_string(); - item.path = "/dashboard".to_string(); - item.host = "localhost:10000".to_string(); - item.headers = build_headers(vec![ - (String::from("x-jwt-claim-sub"), "1".to_string()), - (String::from(":path"), item.path.to_string()), - (String::from(":method"), item.method.to_string()), - (String::from(":authority"), item.host.to_string()), - ]); - }); - - let authorizer = subject(); - assert_eq!(authorizer.authorize(request), true); - } -} |