diff options
| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /vendor/github.com/authzed/authzed-go/v1/client.go | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'vendor/github.com/authzed/authzed-go/v1/client.go')
| -rw-r--r-- | vendor/github.com/authzed/authzed-go/v1/client.go | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/vendor/github.com/authzed/authzed-go/v1/client.go b/vendor/github.com/authzed/authzed-go/v1/client.go new file mode 100644 index 00000000..ce1cd01c --- /dev/null +++ b/vendor/github.com/authzed/authzed-go/v1/client.go @@ -0,0 +1,75 @@ +package authzed + +import ( + "github.com/jzelinskie/stringz" + "google.golang.org/grpc" + + v1 "github.com/authzed/authzed-go/proto/authzed/api/v1" +) + +// Client represents an open connection to Authzed. +// +// Clients are backed by a gRPC client and as such are thread-safe. +type Client struct { + // Provide a handle on the underlying connection to enable cleanup + // behaviors (among others) + conn *grpc.ClientConn + v1.SchemaServiceClient + v1.PermissionsServiceClient + v1.WatchServiceClient +} + +func (c *Client) Close() error { + return c.conn.Close() +} + +// ClientWithExperimental represents and open connection to Authzed with +// experimental services available. +// +// Clients are backed by a gRPC client and as such are thread-safe. +type ClientWithExperimental struct { + Client + + v1.ExperimentalServiceClient +} + +// NewClient initializes a brand new client for interacting with Authzed. +func NewClient(endpoint string, opts ...grpc.DialOption) (*Client, error) { + conn, err := newConn(endpoint, opts...) + if err != nil { + return nil, err + } + + return &Client{ + conn, + v1.NewSchemaServiceClient(conn), + v1.NewPermissionsServiceClient(conn), + v1.NewWatchServiceClient(conn), + }, nil +} + +// NewClientWithExperimentalAPIs initializes a brand new client for interacting +// with Authzed. +func NewClientWithExperimentalAPIs(endpoint string, opts ...grpc.DialOption) (*ClientWithExperimental, error) { + conn, err := newConn(endpoint, opts...) + if err != nil { + return nil, err + } + + return &ClientWithExperimental{ + Client{ + conn, + v1.NewSchemaServiceClient(conn), + v1.NewPermissionsServiceClient(conn), + v1.NewWatchServiceClient(conn), + }, + v1.NewExperimentalServiceClient(conn), + }, nil +} + +func newConn(endpoint string, opts ...grpc.DialOption) (*grpc.ClientConn, error) { + return grpc.NewClient( + stringz.DefaultEmpty(endpoint, "grpc.authzed.com:443"), + opts..., + ) +} |