diff options
| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /vendor/digest/src/dev | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'vendor/digest/src/dev')
| -rw-r--r-- | vendor/digest/src/dev/fixed.rs | 65 | ||||
| -rw-r--r-- | vendor/digest/src/dev/mac.rs | 159 | ||||
| -rw-r--r-- | vendor/digest/src/dev/rng.rs | 38 | ||||
| -rw-r--r-- | vendor/digest/src/dev/variable.rs | 82 | ||||
| -rw-r--r-- | vendor/digest/src/dev/xof.rs | 51 |
5 files changed, 0 insertions, 395 deletions
diff --git a/vendor/digest/src/dev/fixed.rs b/vendor/digest/src/dev/fixed.rs deleted file mode 100644 index 24f38011..00000000 --- a/vendor/digest/src/dev/fixed.rs +++ /dev/null @@ -1,65 +0,0 @@ -use crate::{Digest, FixedOutput, FixedOutputReset, HashMarker, Update}; -use core::fmt::Debug; - -/// Fixed-output resettable digest test via the `Digest` trait -pub fn fixed_reset_test<D>(input: &[u8], output: &[u8]) -> Option<&'static str> -where - D: FixedOutputReset + Debug + Clone + Default + Update + HashMarker, -{ - let mut hasher = D::new(); - // Test that it works when accepting the message all at once - hasher.update(input); - let mut hasher2 = hasher.clone(); - if hasher.finalize()[..] != output[..] { - return Some("whole message"); - } - - // Test if reset works correctly - hasher2.reset(); - hasher2.update(input); - if hasher2.finalize_reset()[..] != output[..] { - return Some("whole message after reset"); - } - - // Test that it works when accepting the message in chunks - for n in 1..core::cmp::min(17, input.len()) { - let mut hasher = D::new(); - for chunk in input.chunks(n) { - hasher.update(chunk); - hasher2.update(chunk); - } - if hasher.finalize()[..] != output[..] { - return Some("message in chunks"); - } - if hasher2.finalize_reset()[..] != output[..] { - return Some("message in chunks"); - } - } - - None -} - -/// Variable-output resettable digest test -pub fn fixed_test<D>(input: &[u8], output: &[u8]) -> Option<&'static str> -where - D: FixedOutput + Default + Debug + Clone, -{ - let mut hasher = D::default(); - // Test that it works when accepting the message all at once - hasher.update(input); - if hasher.finalize_fixed()[..] != output[..] { - return Some("whole message"); - } - - // Test that it works when accepting the message in chunks - for n in 1..core::cmp::min(17, input.len()) { - let mut hasher = D::default(); - for chunk in input.chunks(n) { - hasher.update(chunk); - } - if hasher.finalize_fixed()[..] != output[..] { - return Some("message in chunks"); - } - } - None -} diff --git a/vendor/digest/src/dev/mac.rs b/vendor/digest/src/dev/mac.rs deleted file mode 100644 index 0d4a37df..00000000 --- a/vendor/digest/src/dev/mac.rs +++ /dev/null @@ -1,159 +0,0 @@ -/// Define MAC test -#[macro_export] -#[cfg(feature = "mac")] -#[cfg_attr(docsrs, doc(cfg(all(feature = "dev", feature = "mac"))))] -macro_rules! new_mac_test { - ($name:ident, $test_name:expr, $mac:ty $(,)?) => { - digest::new_mac_test!($name, $test_name, $mac, ""); - }; - ($name:ident, $test_name:expr, $mac:ty, trunc_left $(,)?) => { - digest::new_mac_test!($name, $test_name, $mac, "left"); - }; - ($name:ident, $test_name:expr, $mac:ty, trunc_right $(,)?) => { - digest::new_mac_test!($name, $test_name, $mac, "right"); - }; - ($name:ident, $test_name:expr, $mac:ty, $trunc:expr $(,)?) => { - #[test] - fn $name() { - use core::cmp::min; - use digest::dev::blobby::Blob3Iterator; - use digest::Mac; - - fn run_test(key: &[u8], input: &[u8], tag: &[u8]) -> Option<&'static str> { - let mac0 = <$mac as Mac>::new_from_slice(key).unwrap(); - - let mut mac = mac0.clone(); - mac.update(input); - let result = mac.finalize().into_bytes(); - let n = tag.len(); - let result_bytes = match $trunc { - "left" => &result[..n], - "right" => &result[result.len() - n..], - _ => &result[..], - }; - if result_bytes != tag { - return Some("whole message"); - } - - // test reading different chunk sizes - for chunk_size in 1..min(64, input.len()) { - let mut mac = mac0.clone(); - for chunk in input.chunks(chunk_size) { - mac.update(chunk); - } - let res = match $trunc { - "left" => mac.verify_truncated_left(tag), - "right" => mac.verify_truncated_right(tag), - _ => mac.verify_slice(tag), - }; - if res.is_err() { - return Some("chunked message"); - } - } - - None - } - - let data = include_bytes!(concat!("data/", $test_name, ".blb")); - - for (i, row) in Blob3Iterator::new(data).unwrap().enumerate() { - let [key, input, tag] = row.unwrap(); - if let Some(desc) = run_test(key, input, tag) { - panic!( - "\n\ - Failed test №{}: {}\n\ - key:\t{:?}\n\ - input:\t{:?}\n\ - tag:\t{:?}\n", - i, desc, key, input, tag, - ); - } - } - } - }; -} - -/// Define resettable MAC test -#[macro_export] -#[cfg(feature = "mac")] -#[cfg_attr(docsrs, doc(cfg(all(feature = "dev", feature = "mac"))))] -macro_rules! new_resettable_mac_test { - ($name:ident, $test_name:expr, $mac:ty $(,)?) => { - digest::new_resettable_mac_test!($name, $test_name, $mac, ""); - }; - ($name:ident, $test_name:expr, $mac:ty, trunc_left $(,)?) => { - digest::new_resettable_mac_test!($name, $test_name, $mac, "left"); - }; - ($name:ident, $test_name:expr, $mac:ty, trunc_right $(,)?) => { - digest::new_resettable_mac_test!($name, $test_name, $mac, "right"); - }; - ($name:ident, $test_name:expr, $mac:ty, $trunc:expr $(,)?) => { - #[test] - fn $name() { - use core::cmp::min; - use digest::dev::blobby::Blob3Iterator; - use digest::Mac; - - fn run_test(key: &[u8], input: &[u8], tag: &[u8]) -> Option<&'static str> { - let mac0 = <$mac as Mac>::new_from_slice(key).unwrap(); - - let mut mac = mac0.clone(); - mac.update(input); - let result = mac.finalize_reset().into_bytes(); - let n = tag.len(); - let result_bytes = match $trunc { - "left" => &result[..n], - "right" => &result[result.len() - n..], - _ => &result[..], - }; - if result_bytes != tag { - return Some("whole message"); - } - - // test if reset worked correctly - mac.update(input); - let res = match $trunc { - "left" => mac.verify_truncated_left(tag), - "right" => mac.verify_truncated_right(tag), - _ => mac.verify_slice(tag), - }; - if res.is_err() { - return Some("after reset"); - } - - // test reading different chunk sizes - for chunk_size in 1..min(64, input.len()) { - let mut mac = mac0.clone(); - for chunk in input.chunks(chunk_size) { - mac.update(chunk); - } - let res = match $trunc { - "left" => mac.verify_truncated_left(tag), - "right" => mac.verify_truncated_right(tag), - _ => mac.verify_slice(tag), - }; - if res.is_err() { - return Some("chunked message"); - } - } - None - } - - let data = include_bytes!(concat!("data/", $test_name, ".blb")); - - for (i, row) in Blob3Iterator::new(data).unwrap().enumerate() { - let [key, input, tag] = row.unwrap(); - if let Some(desc) = run_test(key, input, tag) { - panic!( - "\n\ - Failed test №{}: {}\n\ - key:\t{:?}\n\ - input:\t{:?}\n\ - tag:\t{:?}\n", - i, desc, key, input, tag, - ); - } - } - } - }; -} diff --git a/vendor/digest/src/dev/rng.rs b/vendor/digest/src/dev/rng.rs deleted file mode 100644 index d34a1cf3..00000000 --- a/vendor/digest/src/dev/rng.rs +++ /dev/null @@ -1,38 +0,0 @@ -//! Xorshift RNG used for tests. Based on the `rand_xorshift` crate. -use core::num::Wrapping; - -/// Initial RNG state used in tests. -// chosen by fair dice roll. guaranteed to be random. -pub(crate) const RNG: XorShiftRng = XorShiftRng { - x: Wrapping(0x0787_3B4A), - y: Wrapping(0xFAAB_8FFE), - z: Wrapping(0x1745_980F), - w: Wrapping(0xB0AD_B4F3), -}; - -/// Xorshift RNG instance/ -pub(crate) struct XorShiftRng { - x: Wrapping<u32>, - y: Wrapping<u32>, - z: Wrapping<u32>, - w: Wrapping<u32>, -} - -impl XorShiftRng { - pub(crate) fn fill(&mut self, buf: &mut [u8; 1024]) { - for chunk in buf.chunks_exact_mut(4) { - chunk.copy_from_slice(&self.next_u32().to_le_bytes()); - } - } - - fn next_u32(&mut self) -> u32 { - let x = self.x; - let t = x ^ (x << 11); - self.x = self.y; - self.y = self.z; - self.z = self.w; - let w = self.w; - self.w = w ^ (w >> 19) ^ (t ^ (t >> 8)); - self.w.0 - } -} diff --git a/vendor/digest/src/dev/variable.rs b/vendor/digest/src/dev/variable.rs deleted file mode 100644 index ed8ff882..00000000 --- a/vendor/digest/src/dev/variable.rs +++ /dev/null @@ -1,82 +0,0 @@ -use crate::{VariableOutput, VariableOutputReset}; -use core::fmt::Debug; - -/// Variable-output resettable digest test -pub fn variable_reset_test<D>(input: &[u8], output: &[u8]) -> Option<&'static str> -where - D: VariableOutputReset + Debug + Clone, -{ - let mut hasher = D::new(output.len()).unwrap(); - let mut buf = [0u8; 128]; - let buf = &mut buf[..output.len()]; - // Test that it works when accepting the message all at once - hasher.update(input); - let mut hasher2 = hasher.clone(); - hasher.finalize_variable(buf).unwrap(); - if buf != output { - return Some("whole message"); - } - buf.iter_mut().for_each(|b| *b = 0); - - // Test if reset works correctly - hasher2.reset(); - hasher2.update(input); - hasher2.finalize_variable_reset(buf).unwrap(); - if buf != output { - return Some("whole message after reset"); - } - buf.iter_mut().for_each(|b| *b = 0); - - // Test that it works when accepting the message in chunks - for n in 1..core::cmp::min(17, input.len()) { - let mut hasher = D::new(output.len()).unwrap(); - for chunk in input.chunks(n) { - hasher.update(chunk); - hasher2.update(chunk); - } - hasher.finalize_variable(buf).unwrap(); - if buf != output { - return Some("message in chunks"); - } - buf.iter_mut().for_each(|b| *b = 0); - - hasher2.finalize_variable_reset(buf).unwrap(); - if buf != output { - return Some("message in chunks"); - } - buf.iter_mut().for_each(|b| *b = 0); - } - - None -} - -/// Variable-output resettable digest test -pub fn variable_test<D>(input: &[u8], output: &[u8]) -> Option<&'static str> -where - D: VariableOutput + Debug + Clone, -{ - let mut hasher = D::new(output.len()).unwrap(); - let mut buf = [0u8; 128]; - let buf = &mut buf[..output.len()]; - // Test that it works when accepting the message all at once - hasher.update(input); - hasher.finalize_variable(buf).unwrap(); - if buf != output { - return Some("whole message"); - } - buf.iter_mut().for_each(|b| *b = 0); - - // Test that it works when accepting the message in chunks - for n in 1..core::cmp::min(17, input.len()) { - let mut hasher = D::new(output.len()).unwrap(); - for chunk in input.chunks(n) { - hasher.update(chunk); - } - hasher.finalize_variable(buf).unwrap(); - if buf != output { - return Some("message in chunks"); - } - buf.iter_mut().for_each(|b| *b = 0); - } - None -} diff --git a/vendor/digest/src/dev/xof.rs b/vendor/digest/src/dev/xof.rs deleted file mode 100644 index 9e5d07a0..00000000 --- a/vendor/digest/src/dev/xof.rs +++ /dev/null @@ -1,51 +0,0 @@ -use crate::ExtendableOutputReset; -use core::fmt::Debug; - -/// Resettable XOF test -pub fn xof_reset_test<D>(input: &[u8], output: &[u8]) -> Option<&'static str> -where - D: ExtendableOutputReset + Default + Debug + Clone, -{ - let mut hasher = D::default(); - let mut buf = [0u8; 1024]; - let buf = &mut buf[..output.len()]; - // Test that it works when accepting the message all at once - hasher.update(input); - let mut hasher2 = hasher.clone(); - hasher.finalize_xof_into(buf); - if buf != output { - return Some("whole message"); - } - buf.iter_mut().for_each(|b| *b = 0); - - // Test if reset works correctly - hasher2.reset(); - hasher2.update(input); - hasher2.finalize_xof_reset_into(buf); - if buf != output { - return Some("whole message after reset"); - } - buf.iter_mut().for_each(|b| *b = 0); - - // Test that it works when accepting the message in chunks - for n in 1..core::cmp::min(17, input.len()) { - let mut hasher = D::default(); - for chunk in input.chunks(n) { - hasher.update(chunk); - hasher2.update(chunk); - } - hasher.finalize_xof_into(buf); - if buf != output { - return Some("message in chunks"); - } - buf.iter_mut().for_each(|b| *b = 0); - - hasher2.finalize_xof_reset_into(buf); - if buf != output { - return Some("message in chunks"); - } - buf.iter_mut().for_each(|b| *b = 0); - } - - None -} |