authormo khan <mo@mokhan.ca>2025-07-15 16:37:08 -0600
committermo khan <mo@mokhan.ca>2025-07-17 16:30:22 -0600
commit45df4d0d9b577fecee798d672695fe24ff57fb1b (patch)
tree1b99bf645035b58e0d6db08c7a83521f41f7a75b /vendor/digest/src/dev/mac.rs
parentf94f79608393d4ab127db63cc41668445ef6b243 (diff)
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization.

Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from Envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's Google Zanzibar-inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'vendor/digest/src/dev/mac.rs')
-rw-r--r--vendor/digest/src/dev/mac.rs159
1 files changed, 0 insertions, 159 deletions
diff --git a/vendor/digest/src/dev/mac.rs b/vendor/digest/src/dev/mac.rs
deleted file mode 100644
index 0d4a37df..00000000
--- a/vendor/digest/src/dev/mac.rs
+++ /dev/null
@@ -1,159 +0,0 @@
-/// Define MAC test
-#[macro_export]
-#[cfg(feature = "mac")]
-#[cfg_attr(docsrs, doc(cfg(all(feature = "dev", feature = "mac"))))]
-macro_rules! new_mac_test {
- ($name:ident, $test_name:expr, $mac:ty $(,)?) => {
- digest::new_mac_test!($name, $test_name, $mac, "");
- };
- ($name:ident, $test_name:expr, $mac:ty, trunc_left $(,)?) => {
- digest::new_mac_test!($name, $test_name, $mac, "left");
- };
- ($name:ident, $test_name:expr, $mac:ty, trunc_right $(,)?) => {
- digest::new_mac_test!($name, $test_name, $mac, "right");
- };
- ($name:ident, $test_name:expr, $mac:ty, $trunc:expr $(,)?) => {
- #[test]
- fn $name() {
- use core::cmp::min;
- use digest::dev::blobby::Blob3Iterator;
- use digest::Mac;
-
- fn run_test(key: &[u8], input: &[u8], tag: &[u8]) -> Option<&'static str> {
- let mac0 = <$mac as Mac>::new_from_slice(key).unwrap();
-
- let mut mac = mac0.clone();
- mac.update(input);
- let result = mac.finalize().into_bytes();
- let n = tag.len();
- let result_bytes = match $trunc {
- "left" => &result[..n],
- "right" => &result[result.len() - n..],
- _ => &result[..],
- };
- if result_bytes != tag {
- return Some("whole message");
- }
-
- // test reading different chunk sizes
- for chunk_size in 1..min(64, input.len()) {
- let mut mac = mac0.clone();
- for chunk in input.chunks(chunk_size) {
- mac.update(chunk);
- }
- let res = match $trunc {
- "left" => mac.verify_truncated_left(tag),
- "right" => mac.verify_truncated_right(tag),
- _ => mac.verify_slice(tag),
- };
- if res.is_err() {
- return Some("chunked message");
- }
- }
-
- None
- }
-
- let data = include_bytes!(concat!("data/", $test_name, ".blb"));
-
- for (i, row) in Blob3Iterator::new(data).unwrap().enumerate() {
- let [key, input, tag] = row.unwrap();
- if let Some(desc) = run_test(key, input, tag) {
- panic!(
- "\n\
- Failed test №{}: {}\n\
- key:\t{:?}\n\
- input:\t{:?}\n\
- tag:\t{:?}\n",
- i, desc, key, input, tag,
- );
- }
- }
- }
- };
-}
-
-/// Define resettable MAC test
-#[macro_export]
-#[cfg(feature = "mac")]
-#[cfg_attr(docsrs, doc(cfg(all(feature = "dev", feature = "mac"))))]
-macro_rules! new_resettable_mac_test {
- ($name:ident, $test_name:expr, $mac:ty $(,)?) => {
- digest::new_resettable_mac_test!($name, $test_name, $mac, "");
- };
- ($name:ident, $test_name:expr, $mac:ty, trunc_left $(,)?) => {
- digest::new_resettable_mac_test!($name, $test_name, $mac, "left");
- };
- ($name:ident, $test_name:expr, $mac:ty, trunc_right $(,)?) => {
- digest::new_resettable_mac_test!($name, $test_name, $mac, "right");
- };
- ($name:ident, $test_name:expr, $mac:ty, $trunc:expr $(,)?) => {
- #[test]
- fn $name() {
- use core::cmp::min;
- use digest::dev::blobby::Blob3Iterator;
- use digest::Mac;
-
- fn run_test(key: &[u8], input: &[u8], tag: &[u8]) -> Option<&'static str> {
- let mac0 = <$mac as Mac>::new_from_slice(key).unwrap();
-
- let mut mac = mac0.clone();
- mac.update(input);
- let result = mac.finalize_reset().into_bytes();
- let n = tag.len();
- let result_bytes = match $trunc {
- "left" => &result[..n],
- "right" => &result[result.len() - n..],
- _ => &result[..],
- };
- if result_bytes != tag {
- return Some("whole message");
- }
-
- // test if reset worked correctly
- mac.update(input);
- let res = match $trunc {
- "left" => mac.verify_truncated_left(tag),
- "right" => mac.verify_truncated_right(tag),
- _ => mac.verify_slice(tag),
- };
- if res.is_err() {
- return Some("after reset");
- }
-
- // test reading different chunk sizes
- for chunk_size in 1..min(64, input.len()) {
- let mut mac = mac0.clone();
- for chunk in input.chunks(chunk_size) {
- mac.update(chunk);
- }
- let res = match $trunc {
- "left" => mac.verify_truncated_left(tag),
- "right" => mac.verify_truncated_right(tag),
- _ => mac.verify_slice(tag),
- };
- if res.is_err() {
- return Some("chunked message");
- }
- }
- None
- }
-
- let data = include_bytes!(concat!("data/", $test_name, ".blb"));
-
- for (i, row) in Blob3Iterator::new(data).unwrap().enumerate() {
- let [key, input, tag] = row.unwrap();
- if let Some(desc) = run_test(key, input, tag) {
- panic!(
- "\n\
- Failed test №{}: {}\n\
- key:\t{:?}\n\
- input:\t{:?}\n\
- tag:\t{:?}\n",
- i, desc, key, input, tag,
- );
- }
- }
- }
- };
-}