diff options
| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /vendor/github.com/authzed/grpcutil/reflection.go | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'vendor/github.com/authzed/grpcutil/reflection.go')
| -rw-r--r-- | vendor/github.com/authzed/grpcutil/reflection.go | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/vendor/github.com/authzed/grpcutil/reflection.go b/vendor/github.com/authzed/grpcutil/reflection.go new file mode 100644 index 00000000..092b5680 --- /dev/null +++ b/vendor/github.com/authzed/grpcutil/reflection.go @@ -0,0 +1,51 @@ +package grpcutil + +import ( + "google.golang.org/grpc" + "google.golang.org/grpc/reflection" + rpbv1 "google.golang.org/grpc/reflection/grpc_reflection_v1" + "google.golang.org/grpc/reflection/grpc_reflection_v1alpha" +) + +// NewAuthlessReflectionInterceptor creates a proxy GRPCServer which automatically converts +// ServerReflectionServer instances to ones that skip grpc auth middleware. +// +// change: +// reflection.Register(srv) +// to: +// reflection.Register(grpcutil.NewAuthlessReflectionInterceptor(srv)) +func NewAuthlessReflectionInterceptor(srv reflection.GRPCServer) reflection.GRPCServer { + return interceptingRegistrar{srv} +} + +type interceptingRegistrar struct { + delegate reflection.GRPCServer +} + +func (ir interceptingRegistrar) GetServiceInfo() map[string]grpc.ServiceInfo { + return ir.delegate.GetServiceInfo() +} + +func (ir interceptingRegistrar) RegisterService(desc *grpc.ServiceDesc, impl interface{}) { + reflectionSrvv1, ok := impl.(rpbv1.ServerReflectionServer) + if ok { + ir.delegate.RegisterService(desc, &authlessReflectionV1{ServerReflectionServer: reflectionSrvv1}) + } + + reflectionSrvv1alpha, ok := impl.(grpc_reflection_v1alpha.ServerReflectionServer) + if ok { + ir.delegate.RegisterService(desc, &authlessReflectionV1Alpha{ServerReflectionServer: reflectionSrvv1alpha}) + } +} + +type authlessReflectionV1 struct { + IgnoreAuthMixin + + rpbv1.ServerReflectionServer +} + +type authlessReflectionV1Alpha struct { + IgnoreAuthMixin + + grpc_reflection_v1alpha.ServerReflectionServer +} |