authormo khan <mo@mokhan.ca>2025-07-15 16:37:08 -0600
committermo khan <mo@mokhan.ca>2025-07-17 16:30:22 -0600
commit45df4d0d9b577fecee798d672695fe24ff57fb1b (patch)
tree1b99bf645035b58e0d6db08c7a83521f41f7a75b /vendor/security-framework-sys/src/code_signing.rs
parentf94f79608393d4ab127db63cc41668445ef6b243 (diff)
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'vendor/security-framework-sys/src/code_signing.rs')
-rw-r--r--vendor/security-framework-sys/src/code_signing.rs96
1 files changed, 0 insertions, 96 deletions
diff --git a/vendor/security-framework-sys/src/code_signing.rs b/vendor/security-framework-sys/src/code_signing.rs
deleted file mode 100644
index bd4abc76..00000000
--- a/vendor/security-framework-sys/src/code_signing.rs
+++ /dev/null
@@ -1,96 +0,0 @@
-use core_foundation_sys::base::CFTypeID;
-use core_foundation_sys::base::OSStatus;
-use core_foundation_sys::dictionary::CFDictionaryRef;
-use core_foundation_sys::string::CFStringRef;
-use core_foundation_sys::url::CFURLRef;
-
-pub enum OpaqueSecRequirementRef {}
-pub type SecRequirementRef = *mut OpaqueSecRequirementRef;
-
-pub enum OpaqueSecCodeRef {}
-pub type SecCodeRef = *mut OpaqueSecCodeRef;
-
-pub enum OpaqueSecStaticCodeRef {}
-pub type SecStaticCodeRef = *mut OpaqueSecStaticCodeRef;
-
-pub type SecCSFlags = u32;
-pub const kSecCSCheckAllArchitectures: SecCSFlags = 1 << 0;
-pub const kSecCSDoNotValidateExecutable: SecCSFlags = 1 << 1;
-pub const kSecCSDoNotValidateResources: SecCSFlags = 1 << 2;
-pub const kSecCSBasicValidateOnly: SecCSFlags =
- kSecCSDoNotValidateExecutable | kSecCSDoNotValidateResources;
-pub const kSecCSCheckNestedCode: SecCSFlags = 1 << 3;
-pub const kSecCSStrictValidate: SecCSFlags = 1 << 4;
-pub const kSecCSFullReport: SecCSFlags = 1 << 5;
-pub const kSecCSCheckGatekeeperArchitectures: SecCSFlags = (1 << 6) | kSecCSCheckAllArchitectures;
-pub const kSecCSRestrictSymlinks: SecCSFlags = 1 << 7;
-pub const kSecCSRestrictToAppLike: SecCSFlags = 1 << 8;
-pub const kSecCSRestrictSidebandData: SecCSFlags = 1 << 9;
-pub const kSecCSUseSoftwareSigningCert: SecCSFlags = 1 << 10;
-pub const kSecCSValidatePEH: SecCSFlags = 1 << 11;
-pub const kSecCSSingleThreaded: SecCSFlags = 1 << 12;
-// 13 - 15 are unused
-// This is only available in macOS 11.3:
-// pub const kSecCSAllowNetworkAccess: SecCSFlags = 1 << 16;
-// 17 - 25 are unused
-pub const kSecCSQuickCheck: SecCSFlags = 1 << 26;
-pub const kSecCSCheckTrustedAnchors: SecCSFlags = 1 << 27;
-pub const kSecCSReportProgress: SecCSFlags = 1 << 28;
-pub const kSecCSNoNetworkAccess: SecCSFlags = 1 << 29;
-pub const kSecCSEnforceRevocationChecks: SecCSFlags = 1 << 30;
-pub const kSecCSConsiderExpiration: SecCSFlags = 1 << 31;
-
-extern "C" {
- pub static kSecGuestAttributeArchitecture: CFStringRef;
- pub static kSecGuestAttributeAudit: CFStringRef;
- pub static kSecGuestAttributeCanonical: CFStringRef;
- pub static kSecGuestAttributeDynamicCode: CFStringRef;
- pub static kSecGuestAttributeDynamicCodeInfoPlist: CFStringRef;
- pub static kSecGuestAttributeHash: CFStringRef;
- pub static kSecGuestAttributeMachPort: CFStringRef;
- pub static kSecGuestAttributePid: CFStringRef;
- pub static kSecGuestAttributeSubarchitecture: CFStringRef;
-
- pub fn SecCodeGetTypeID() -> CFTypeID;
- pub fn SecStaticCodeGetTypeID() -> CFTypeID;
- pub fn SecRequirementGetTypeID() -> CFTypeID;
-
- pub fn SecCodeCheckValidity(
- code: SecCodeRef,
- flags: SecCSFlags,
- requirement: SecRequirementRef,
- ) -> OSStatus;
-
- pub fn SecCodeCopyGuestWithAttributes(
- host: SecCodeRef,
- attrs: CFDictionaryRef,
- flags: SecCSFlags,
- guest: *mut SecCodeRef,
- ) -> OSStatus;
-
- pub fn SecCodeCopyPath(
- code: SecStaticCodeRef,
- flags: SecCSFlags,
- path: *mut CFURLRef,
- ) -> OSStatus;
-
- pub fn SecCodeCopySelf(flags: SecCSFlags, out: *mut SecCodeRef) -> OSStatus;
-
- pub fn SecRequirementCreateWithString(
- text: CFStringRef,
- flags: SecCSFlags,
- requirement: *mut SecRequirementRef,
- ) -> OSStatus;
-
- pub fn SecStaticCodeCheckValidity(
- code: SecStaticCodeRef,
- flags: SecCSFlags,
- requirement: SecRequirementRef,
- ) -> OSStatus;
-
- pub fn SecStaticCodeCreateWithPath(
- path: CFURLRef,
- flags: SecCSFlags,
- code: *mut SecStaticCodeRef,
- ) -> OSStatus;
-}