summaryrefslogtreecommitdiff
path: root/tests/authorization
diff options
context:
space:
mode:
authormo khan <mo@mokhan.ca>2025-07-15 16:37:08 -0600
committermo khan <mo@mokhan.ca>2025-07-17 16:30:22 -0600
commit45df4d0d9b577fecee798d672695fe24ff57fb1b (patch)
tree1b99bf645035b58e0d6db08c7a83521f41f7a75b /tests/authorization
parentf94f79608393d4ab127db63cc41668445ef6b243 (diff)
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'tests/authorization')
-rw-r--r--tests/authorization/cedar_authorizer_test.rs149
-rw-r--r--tests/authorization/check_service_test.rs123
-rw-r--r--tests/authorization/mod.rs3
-rw-r--r--tests/authorization/server_test.rs46
4 files changed, 0 insertions, 321 deletions
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
deleted file mode 100644
index 58563832..00000000
--- a/tests/authorization/cedar_authorizer_test.rs
+++ /dev/null
@@ -1,149 +0,0 @@
-#[cfg(test)]
-mod tests {
- use crate::support::factory_bot::*;
- use crate::support::*;
- use authzd::Authorizer;
- use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest;
- use std::collections::HashMap;
-
- fn subject() -> authzd::CedarAuthorizer {
- common::setup();
- subject_with(cedar_policy::Entities::empty())
- }
-
- fn subject_with(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer {
- build_cedar_authorizer(entities)
- }
-
- #[test]
- fn test_cedar_authorizer_denies_missing_header() {
- assert!(
- !subject().authorize(build_request(|item: &mut HttpRequest| {
- item.headers = HashMap::new();
- }))
- );
- }
-
- #[test]
- fn test_unauthenticated_sparkle_endpoints() {
- let hosts = vec![
- "localhost:10000",
- "sparkle.runway.gitlab.net",
- "sparkle.staging.runway.gitlab.net",
- ];
-
- let routes = vec![
- ("GET", "/", true),
- ("GET", "/callback", true),
- ("GET", "/dashboard/nav", true),
- ("GET", "/health", true),
- ("GET", "/signout", true),
- ("GET", "/sparkles", true),
- ("POST", "/sparkles/restore", true),
- ("GET", "/dashboard", false),
- ("POST", "/sparkles", false),
- ];
-
- let authorizer = subject();
- for host in hosts {
- for (method, path, expected) in &routes {
- let request = build_request(|item: &mut HttpRequest| {
- item.method = method.to_string();
- item.path = path.to_string();
- item.host = host.to_string();
- item.headers = build_headers(vec![
- (String::from(":path"), path.to_string()),
- (String::from(":method"), method.to_string()),
- (String::from(":authority"), host.to_string()),
- ]);
- });
-
- assert_eq!(
- authorizer.authorize(request),
- *expected,
- "{} {}",
- method,
- path
- );
- }
- }
- }
-
- // TODO:: Add entities to represent access to:
- // * list of sparkles: `:read, gid://sparkle/Sparkle/*`
- // * single sparkle: `:read, gid://sparkle/Sparkle/:id`
- // * create sparkle: `:create, gid://sparkle/Sparkle/*`
- // * update sparkles: `:update, gid://sparkle/Sparkle/*`
- // * update single sparkle: `:update, gid://sparkle/Sparkle/:id`
- // * delete sparkles: `:delete, gid://sparkle/Sparkle/*`
- // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id`
- #[test]
- fn test_authenticated_create_sparkle() {
- let request = build_request(|item: &mut HttpRequest| {
- item.method = "POST".to_string();
- item.path = "/sparkles".to_string();
- item.host = "sparkle.staging.runway.gitlab.net".to_string();
- item.headers = build_headers(vec![
- (String::from(":path"), item.path.to_string()),
- (String::from(":method"), item.method.to_string()),
- (String::from(":authority"), item.host.to_string()),
- (String::from("x-jwt-claim-sub"), "1675940".to_string()),
- ]);
- });
-
- let mut attrs = std::collections::HashMap::new();
- attrs.insert(
- "username".to_string(),
- cedar_policy::RestrictedExpression::new_string("tanuki".to_string()),
- );
- let user = build_user("1675940", attrs);
- let entities = cedar_policy::Entities::from_entities([user], None).unwrap();
- let authorizer = subject_with(entities);
- assert!(authorizer.authorize(request.clone()));
-
- let mut attrs = std::collections::HashMap::new();
- attrs.insert(
- "username".to_string(),
- cedar_policy::RestrictedExpression::new_string("root".to_string()),
- );
- let user = build_user("1", attrs);
- let entities = cedar_policy::Entities::from_entities([user], None).unwrap();
- let authorizer = subject_with(entities);
- assert!(!authorizer.authorize(request.clone()));
- }
-
- #[test]
- fn test_sparkle_homepage() {
- let request = build_request(|item: &mut HttpRequest| {
- item.method = "GET".to_string();
- item.path = "/".to_string();
- item.host = "localhost:10000".to_string();
- item.headers = build_headers(vec![
- (String::from(":path"), item.path.to_string()),
- (String::from(":method"), item.method.to_string()),
- (String::from(":authority"), item.host.to_string()),
- ]);
- });
-
- let authorizer = subject();
- assert_eq!(authorizer.authorize(request), true);
- }
-
- #[test]
- fn test_sparkle_dashboard() {
- let request = build_request(|item: &mut HttpRequest| {
- item.method = "GET".to_string();
- item.path = "/dashboard".to_string();
- item.host = "localhost:10000".to_string();
- item.headers = build_headers(vec![
- (String::from("x-jwt-claim-sub"), "1".to_string()),
- (String::from(":path"), item.path.to_string()),
- (String::from(":method"), item.method.to_string()),
- (String::from(":authority"), item.host.to_string()),
- ]);
- });
-
- let authorizer = subject();
- assert_eq!(authorizer.authorize(request), true);
- }
-}
diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs
deleted file mode 100644
index 3db0ec9e..00000000
--- a/tests/authorization/check_service_test.rs
+++ /dev/null
@@ -1,123 +0,0 @@
-#[cfg(test)]
-mod tests {
- use crate::support::factory_bot::*;
- use authzd::CheckService;
- use envoy_types::ext_authz::v3::pb::Authorization;
- use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest;
- use std::sync::Arc;
-
- fn subject() -> CheckService {
- CheckService::new(Arc::new(build_cedar_authorizer(
- cedar_policy::Entities::empty(),
- )))
- }
-
- #[tokio::test]
- async fn test_no_headers() {
- let request = tonic::Request::new(build_request(|_http| {}));
-
- let response = subject().check(request).await;
- assert!(response.is_ok());
-
- let check_response = response.unwrap().into_inner();
- assert!(check_response.status.is_some());
-
- let status = check_response.status.unwrap();
- assert_eq!(
- tonic::Code::from_i32(status.code),
- tonic::Code::Unauthenticated
- );
- }
-
- #[tokio::test]
- async fn test_static_assets() {
- let routes = vec![
- ("GET", "/app.js", tonic::Code::Ok),
- ("GET", "/application.js", tonic::Code::Ok),
- ("GET", "/favicon.ico", tonic::Code::Ok),
- ("GET", "/favicon.png", tonic::Code::Ok),
- ("GET", "/image.jpg", tonic::Code::Ok),
- ("GET", "/assets/image.jpg", tonic::Code::Ok),
- ("GET", "/assets/style.css", tonic::Code::Ok),
- ("GET", "/assets/application.js", tonic::Code::Ok),
- ("GET", "/htmx.js", tonic::Code::Ok),
- ("GET", "/index.html", tonic::Code::Ok),
- ("GET", "/logo.png", tonic::Code::Ok),
- ("GET", "/pico.min.css", tonic::Code::Ok),
- ("GET", "/vue.global.js", tonic::Code::Ok),
- ];
-
- for (method, path, expected_status_code) in &routes {
- let request = tonic::Request::new(build_request(|item: &mut HttpRequest| {
- item.method = method.to_string();
- item.path = path.to_string();
- item.host = "localhost:3000".to_string();
- item.headers = build_headers(vec![
- (String::from(":path"), item.path.to_string()),
- (String::from(":method"), item.method.to_string()),
- (String::from(":authority"), item.host.to_string()),
- ]);
- }));
-
- let response = subject().check(request).await;
- assert!(response.is_ok());
-
- let check_response = response.unwrap().into_inner();
- assert!(check_response.status.is_some());
-
- let status = check_response.status.unwrap();
- assert_eq!(tonic::Code::from_i32(status.code), *expected_status_code);
- }
- }
-
- #[tokio::test]
- async fn test_public_sparkle_endpoints() {
- let hosts = vec![
- "localhost:10000",
- "sparkle.runway.gitlab.net",
- "sparkle.staging.runway.gitlab.net",
- ];
-
- let routes = vec![
- ("GET", "/", tonic::Code::Ok),
- ("GET", "/callback", tonic::Code::Ok),
- ("GET", "/dashboard/nav", tonic::Code::Ok),
- ("GET", "/health", tonic::Code::Ok),
- ("GET", "/signout", tonic::Code::Ok),
- ("GET", "/sparkles", tonic::Code::Ok),
- ("POST", "/sparkles/restore", tonic::Code::Ok),
- ("GET", "/dashboard", tonic::Code::Unauthenticated),
- ("POST", "/sparkles", tonic::Code::Unauthenticated),
- ];
-
- for host in hosts {
- for (method, path, expected_status_code) in &routes {
- let request = tonic::Request::new(build_request(|item: &mut HttpRequest| {
- item.method = method.to_string();
- item.path = path.to_string();
- item.host = host.to_string();
- item.headers = build_headers(vec![
- (String::from(":path"), path.to_string()),
- (String::from(":method"), method.to_string()),
- (String::from(":authority"), host.to_string()),
- ]);
- }));
-
- let response = subject().check(request).await;
- assert!(response.is_ok());
-
- let check_response = response.unwrap().into_inner();
- assert!(check_response.status.is_some());
-
- let status = check_response.status.unwrap();
- assert_eq!(
- tonic::Code::from_i32(status.code),
- *expected_status_code,
- "{} {}",
- method,
- path
- );
- }
- }
- }
-}
diff --git a/tests/authorization/mod.rs b/tests/authorization/mod.rs
deleted file mode 100644
index 675247d4..00000000
--- a/tests/authorization/mod.rs
+++ /dev/null
@@ -1,3 +0,0 @@
-mod cedar_authorizer_test;
-mod check_service_test;
-mod server_test;
diff --git a/tests/authorization/server_test.rs b/tests/authorization/server_test.rs
deleted file mode 100644
index 5a92dcff..00000000
--- a/tests/authorization/server_test.rs
+++ /dev/null
@@ -1,46 +0,0 @@
-#[cfg(test)]
-mod tests {
- use crate::support::factory_bot::*;
- use std::net::SocketAddr;
- use tokio::net::TcpListener;
-
- async fn available_port() -> SocketAddr {
- let listener = TcpListener::bind("127.0.0.1:0")
- .await
- .expect("Failed to bind to random port");
- let addr = listener.local_addr().expect("Failed to get local address");
- drop(listener);
- addr
- }
-
- async fn start_server() -> (SocketAddr, tokio::task::JoinHandle<()>) {
- let addr = available_port().await;
- let server = authzd::authorization::Server::default();
-
- let handle = tokio::spawn(async move {
- server.serve(addr).await.expect("Failed to start server");
- });
-
- tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
-
- (addr, handle)
- }
-
- #[tokio::test]
- async fn test_health_ext_authz_service() {
- let (addr, server) = start_server().await;
-
- let mut client = build_rpc_client(
- addr,
- envoy_types::pb::envoy::service::auth::v3::authorization_client::AuthorizationClient::new,
- )
- .await;
-
- let request = tonic::Request::new(envoy_types::ext_authz::v3::pb::CheckRequest::default());
- let response = client.check(request).await;
-
- assert!(response.is_ok());
-
- server.abort();
- }
-}
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-02 19:25:43 +0000