authormo khan <mo@mokhan.ca>2025-07-15 16:37:08 -0600
committermo khan <mo@mokhan.ca>2025-07-17 16:30:22 -0600
commit45df4d0d9b577fecee798d672695fe24ff57fb1b (patch)
tree1b99bf645035b58e0d6db08c7a83521f41f7a75b /vendor/security-framework-sys/src/cms.rs
parentf94f79608393d4ab127db63cc41668445ef6b243 (diff)
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from Envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar-inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'vendor/security-framework-sys/src/cms.rs')
-rw-r--r--vendor/security-framework-sys/src/cms.rs250
1 files changed, 0 insertions, 250 deletions
diff --git a/vendor/security-framework-sys/src/cms.rs b/vendor/security-framework-sys/src/cms.rs
deleted file mode 100644
index 6da3702e..00000000
--- a/vendor/security-framework-sys/src/cms.rs
+++ /dev/null
@@ -1,250 +0,0 @@
-//! Cryptographic Message Syntax support
-
-use std::os::raw::c_void;
-
-use core_foundation_sys::array::CFArrayRef;
-use core_foundation_sys::base::{Boolean, CFTypeID, CFTypeRef, OSStatus};
-use core_foundation_sys::data::CFDataRef;
-use core_foundation_sys::date::CFAbsoluteTime;
-use core_foundation_sys::string::CFStringRef;
-
-use crate::base::SecCertificateRef;
-use crate::trust::SecTrustRef;
-
-pub enum OpaqueCMSEncoderRef {}
-pub type CMSEncoderRef = *mut OpaqueCMSEncoderRef;
-
-pub enum OpaqueCMSDecoderRef {}
-pub type CMSDecoderRef = *mut OpaqueCMSEncoderRef;
-
-#[repr(i32)]
-#[derive(Copy, Clone, Eq, PartialEq, Debug)]
-pub enum CMSSignerStatus {
- kCMSSignerUnsigned = 0,
- kCMSSignerValid = 1,
- kCMSSignerNeedsDetachedContent = 2,
- kCMSSignerInvalidSignature = 3,
- kCMSSignerInvalidCert = 4,
- kCMSSignerInvalidIndex = 5,
-}
-
-pub type CMSSignedAttributes = u32;
-pub const kCMSAttrNone: CMSSignedAttributes = 0x0000;
-pub const kCMSAttrSmimeCapabilities: CMSSignedAttributes = 0x0001;
-pub const kCMSAttrSmimeEncryptionKeyPrefs: CMSSignedAttributes = 0x0002;
-pub const kCMSAttrSmimeMSEncryptionKeyPrefs: CMSSignedAttributes = 0x0004;
-pub const kCMSAttrSigningTime: CMSSignedAttributes = 0x0008;
-pub const kCMSAttrAppleCodesigningHashAgility: CMSSignedAttributes = 0x0010;
-pub const kCMSAttrAppleCodesigningHashAgilityV2: CMSSignedAttributes = 0x0020;
-pub const kCMSAttrAppleExpirationTime: CMSSignedAttributes = 0x0040;
-
-#[repr(i32)]
-#[derive(Copy, Clone, Eq, PartialEq, Debug)]
-pub enum CMSCertificateChainMode {
- kCMSCertificateNone = 0,
- kCMSCertificateSignerOnly = 1,
- kCMSCertificateChain = 2,
- kCMSCertificateChainWithRoot = 3,
- kCMSCertificateChainWithRootOrFail = 4,
-}
-
-extern "C" {
-
- // CMS decoder
-
- pub fn CMSDecoderGetTypeID() -> CFTypeID;
-
- pub fn CMSDecoderCreate(output: *mut CMSDecoderRef) -> OSStatus;
-
- pub fn CMSDecoderUpdateMessage(
- decoder: CMSDecoderRef,
- msg_bytes: *const c_void,
- msg_bytes_len: usize,
- ) -> OSStatus;
-
- pub fn CMSDecoderFinalizeMessage(decoder: CMSDecoderRef) -> OSStatus;
-
- pub fn CMSDecoderSetDetachedContent(
- decoder: CMSDecoderRef,
- detached_content: CFDataRef,
- ) -> OSStatus;
-
- pub fn CMSDecoderCopyDetachedContent(
- decoder: CMSDecoderRef,
- detached_content_out: *mut CFDataRef,
- ) -> OSStatus;
-
- pub fn CMSDecoderGetNumSigners(
- decoder: CMSDecoderRef,
- num_signers_out: *mut usize,
- ) -> OSStatus;
-
- pub fn CMSDecoderCopySignerStatus(
- decoder: CMSDecoderRef,
- signer_index: usize,
- policy_or_array: CFTypeRef,
- evaluate_sec_trust: Boolean,
- signer_status_out: *mut CMSSignerStatus,
- sec_trust_out: *mut SecTrustRef,
- cert_verify_result_code_out: *mut OSStatus,
- ) -> OSStatus;
-
- pub fn CMSDecoderCopySignerEmailAddress(
- decoder: CMSDecoderRef,
- signer_index: usize,
- signer_email_address_out: *mut CFStringRef,
- ) -> OSStatus;
-
- pub fn CMSDecoderCopySignerCert(
- decoder: CMSDecoderRef,
- signer_index: usize,
- signer_cert_out: *mut SecCertificateRef,
- ) -> OSStatus;
-
- pub fn CMSDecoderIsContentEncrypted(
- decoder: CMSDecoderRef,
- is_encrypted_out: *mut Boolean,
- ) -> OSStatus;
-
- pub fn CMSDecoderCopyEncapsulatedContentType(
- decoder: CMSDecoderRef,
- content_type_out: *mut CFDataRef,
- ) -> OSStatus;
-
- pub fn CMSDecoderCopyAllCerts(decoder: CMSDecoderRef, certs_out: *mut CFArrayRef) -> OSStatus;
-
- pub fn CMSDecoderCopyContent(decoder: CMSDecoderRef, content_out: *mut CFDataRef) -> OSStatus;
-
- pub fn CMSDecoderCopySignerSigningTime(
- decoder: CMSDecoderRef,
- signer_index: usize,
- sign_time_out: *mut CFAbsoluteTime,
- ) -> OSStatus;
-
- pub fn CMSDecoderCopySignerTimestamp(
- decoder: CMSDecoderRef,
- signer_index: usize,
- timestamp: *mut CFAbsoluteTime,
- ) -> OSStatus;
-
- pub fn CMSDecoderCopySignerTimestampWithPolicy(
- decoder: CMSDecoderRef,
- timestamp_policy: CFTypeRef,
- signer_index: usize,
- timestamp: *mut CFAbsoluteTime,
- ) -> OSStatus;
-
- pub fn CMSDecoderCopySignerTimestampCertificates(
- decoder: CMSDecoderRef,
- signer_index: usize,
- certificate_refs: *mut CFArrayRef,
- ) -> OSStatus;
-
- // CMS encoder
-
- pub static kCMSEncoderDigestAlgorithmSHA1: CFStringRef;
- pub static kCMSEncoderDigestAlgorithmSHA256: CFStringRef;
-
- pub fn CMSEncoderGetTypeID() -> CFTypeID;
-
- pub fn CMSEncoderCreate(encoder_out: *mut CMSEncoderRef) -> OSStatus;
-
- pub fn CMSEncoderSetSignerAlgorithm(
- encoder: CMSEncoderRef,
- digest_alogrithm: CFStringRef,
- ) -> OSStatus;
-
- pub fn CMSEncoderAddSigners(encoder: CMSEncoderRef, signer_or_array: CFTypeRef) -> OSStatus;
-
- pub fn CMSEncoderCopySigners(encoder: CMSEncoderRef, signers_out: *mut CFArrayRef) -> OSStatus;
-
- pub fn CMSEncoderAddRecipients(
- encoder: CMSEncoderRef,
- recipient_or_array: CFTypeRef,
- ) -> OSStatus;
-
- pub fn CMSEncoderCopyRecipients(
- encoder: CMSEncoderRef,
- recipients_out: *mut CFArrayRef,
- ) -> OSStatus;
-
- pub fn CMSEncoderSetHasDetachedContent(
- encoder: CMSEncoderRef,
- detached_content: Boolean,
- ) -> OSStatus;
-
- pub fn CMSEncoderGetHasDetachedContent(
- encoder: CMSEncoderRef,
- detached_content_out: *mut Boolean,
- ) -> OSStatus;
-
- pub fn CMSEncoderSetEncapsulatedContentTypeOID(
- encoder: CMSEncoderRef,
- content_type_oid: CFTypeRef,
- ) -> OSStatus;
-
- pub fn CMSEncoderCopyEncapsulatedContentType(
- encoder: CMSEncoderRef,
- content_type_out: *mut CFDataRef,
- ) -> OSStatus;
-
- pub fn CMSEncoderAddSupportingCerts(
- encoder: CMSEncoderRef,
- cert_or_array: CFTypeRef,
- ) -> OSStatus;
-
- pub fn CMSEncoderCopySupportingCerts(
- encoder: CMSEncoderRef,
- certs_out: *mut CFArrayRef,
- ) -> OSStatus;
-
- pub fn CMSEncoderAddSignedAttributes(
- encoder: CMSEncoderRef,
- signed_attributes: CMSSignedAttributes,
- ) -> OSStatus;
-
- pub fn CMSEncoderSetCertificateChainMode(
- encoder: CMSEncoderRef,
- chain_mode: CMSCertificateChainMode,
- ) -> OSStatus;
-
- pub fn CMSEncoderGetCertificateChainMode(
- encoder: CMSEncoderRef,
- chain_mode_out: *mut CMSCertificateChainMode,
- ) -> OSStatus;
-
- pub fn CMSEncoderUpdateContent(
- encoder: CMSEncoderRef,
- content: *const c_void,
- content_len: usize,
- ) -> OSStatus;
-
- pub fn CMSEncoderCopyEncodedContent(
- encoder: CMSEncoderRef,
- encoded_content_out: *mut CFDataRef,
- ) -> OSStatus;
-
- pub fn CMSEncodeContent(
- signers: CFTypeRef,
- recipients: CFTypeRef,
- content_type_oid: CFTypeRef,
- detached_content: Boolean,
- signed_attributes: CMSSignedAttributes,
- content: *const c_void,
- content_len: usize,
- encoded_content_out: *mut CFDataRef,
- ) -> OSStatus;
-
- pub fn CMSEncoderCopySignerTimestamp(
- encoder: CMSEncoderRef,
- signer_index: usize,
- timestamp: *mut CFAbsoluteTime,
- ) -> OSStatus;
-
- pub fn CMSEncoderCopySignerTimestampWithPolicy(
- encoder: CMSEncoderRef,
- timestamp_policy: CFTypeRef,
- signer_index: usize,
- timestamp: *mut CFAbsoluteTime,
- ) -> OSStatus;
-}