| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /vendor/security-framework-sys/src/authorization.rs | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'vendor/security-framework-sys/src/authorization.rs')
| -rw-r--r-- | vendor/security-framework-sys/src/authorization.rs | 145 |
1 files changed, 0 insertions, 145 deletions
diff --git a/vendor/security-framework-sys/src/authorization.rs b/vendor/security-framework-sys/src/authorization.rs
deleted file mode 100644
index 07f9a3e0..00000000
--- a/vendor/security-framework-sys/src/authorization.rs
+++ /dev/null
@@ -1,145 +0,0 @@
-use core_foundation_sys::base::CFTypeRef;
-use core_foundation_sys::base::OSStatus;
-use core_foundation_sys::bundle::CFBundleRef;
-use core_foundation_sys::dictionary::CFDictionaryRef;
-use core_foundation_sys::string::CFStringRef;
-use std::os::raw::{c_char, c_void};
-
-pub const errAuthorizationSuccess: OSStatus = 0;
-pub const errAuthorizationInvalidSet: OSStatus = -60001;
-pub const errAuthorizationInvalidRef: OSStatus = -60002;
-pub const errAuthorizationInvalidTag: OSStatus = -60003;
-pub const errAuthorizationInvalidPointer: OSStatus = -60004;
-pub const errAuthorizationDenied: OSStatus = -60005;
-pub const errAuthorizationCanceled: OSStatus = -60006;
-pub const errAuthorizationInteractionNotAllowed: OSStatus = -60007;
-pub const errAuthorizationInternal: OSStatus = -60008;
-pub const errAuthorizationExternalizeNotAllowed: OSStatus = -60009;
-pub const errAuthorizationInternalizeNotAllowed: OSStatus = -60010;
-pub const errAuthorizationInvalidFlags: OSStatus = -60011;
-pub const errAuthorizationToolExecuteFailure: OSStatus = -60031;
-pub const errAuthorizationToolEnvironmentError: OSStatus = -60032;
-pub const errAuthorizationBadAddress: OSStatus = -60033;
-
-pub type AuthorizationFlags = u32;
-pub const kAuthorizationFlagDefaults: AuthorizationFlags = 0;
-pub const kAuthorizationFlagInteractionAllowed: AuthorizationFlags = 1;
-pub const kAuthorizationFlagExtendRights: AuthorizationFlags = 2;
-pub const kAuthorizationFlagPartialRights: AuthorizationFlags = 4;
-pub const kAuthorizationFlagDestroyRights: AuthorizationFlags = 8;
-pub const kAuthorizationFlagPreAuthorize: AuthorizationFlags = 16;
-
-pub type AuthorizationRef = *mut c_void;
-pub type AuthorizationString = *const c_char;
-
-#[repr(C)]
-#[derive(Copy, Clone, Debug)]
-pub struct AuthorizationItem {
- pub name: AuthorizationString,
- pub valueLength: usize,
- pub value: *mut c_void,
- pub flags: u32,
-}
-
-#[repr(C)]
-#[derive(Copy, Clone, Debug)]
-pub struct AuthorizationItemSet {
- pub count: u32,
- pub items: *mut AuthorizationItem,
-}
-
-pub const kAuthorizationExternalFormLength: usize = 32;
-
-#[repr(C)]
-#[derive(Copy, Clone, Debug)]
-pub struct AuthorizationExternalForm {
- pub bytes: [c_char; kAuthorizationExternalFormLength],
-}
-
-pub type AuthorizationRights = AuthorizationItemSet;
-pub type AuthorizationEnvironment = AuthorizationItemSet;
-
-pub type AuthorizationAsyncCallback =
- unsafe extern "C" fn(err: OSStatus, blockAuthorizedRights: *mut AuthorizationRights);
-
-extern "C" {
- pub fn AuthorizationCreate(
- rights: *const AuthorizationRights,
- environment: *const AuthorizationEnvironment,
- flags: AuthorizationFlags,
- authorization: *mut AuthorizationRef,
- ) -> OSStatus;
-
- pub fn AuthorizationFree(
- authorization: AuthorizationRef,
- flags: AuthorizationFlags,
- ) -> OSStatus;
-
- pub fn AuthorizationCopyRights(
- authorization: AuthorizationRef,
- rights: *const AuthorizationRights,
- environment: *const AuthorizationEnvironment,
- flags: AuthorizationFlags,
- authorizedRights: *mut *mut AuthorizationRights,
- ) -> OSStatus;
-
- pub fn AuthorizationCopyRightsAsync(
- authorization: AuthorizationRef,
- rights: *const AuthorizationRights,
- environment: *const AuthorizationEnvironment,
- flags: AuthorizationFlags,
- callbackBlock: AuthorizationAsyncCallback,
- );
-
- pub fn AuthorizationCopyInfo(
- authorization: AuthorizationRef,
- tag: AuthorizationString,
- info: *mut *mut AuthorizationItemSet,
- ) -> OSStatus;
-
- pub fn AuthorizationMakeExternalForm(
- authorization: AuthorizationRef,
- extForm: *mut AuthorizationExternalForm,
- ) -> OSStatus;
-
- pub fn AuthorizationCreateFromExternalForm(
- extForm: *const AuthorizationExternalForm,
- authorization: *mut AuthorizationRef,
- ) -> OSStatus;
-
- pub fn AuthorizationFreeItemSet(set: *mut AuthorizationItemSet) -> OSStatus;
-
- pub fn AuthorizationRightGet(
- rightName: *const c_char,
- rightDefinition: *mut CFDictionaryRef,
- ) -> OSStatus;
-
- pub fn AuthorizationRightSet(
- authorization: AuthorizationRef,
- rightName: *const c_char,
- rightDefinition: CFTypeRef,
- descriptionKey: CFStringRef,
- bundle: CFBundleRef,
- localeTableName: CFStringRef,
- ) -> OSStatus;
-
- pub fn AuthorizationRightRemove(
- authorization: AuthorizationRef,
- rightName: *const c_char,
- ) -> OSStatus;
-
- #[cfg(target_os = "macos")]
- pub fn AuthorizationExecuteWithPrivileges(
- authorization: AuthorizationRef,
- pathToTool: *const c_char,
- options: AuthorizationFlags,
- arguments: *const *mut c_char,
- communicationsPipe: *mut *mut libc::FILE,
- ) -> OSStatus;
-
- #[cfg(target_os = "macos")]
- pub fn AuthorizationCopyPrivilegedReference(
- authorization: *mut AuthorizationRef,
- flags: AuthorizationFlags,
- ) -> OSStatus;
-}
