From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 15 Jul 2025 16:37:08 -0600 Subject: feat: migrate from Cedar to SpiceDB authorization system This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema. --- pkg/authz/client.go | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 pkg/authz/client.go (limited to 'pkg/authz/client.go') diff --git a/pkg/authz/client.go b/pkg/authz/client.go new file mode 100644 index 00000000..eab1fe99 --- /dev/null +++ b/pkg/authz/client.go @@ -0,0 +1,51 @@ +package authz + +import ( + "context" + "crypto/x509" + "net" + + authzed "github.com/authzed/authzed-go/v1" + "github.com/authzed/grpcutil" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + "google.golang.org/grpc/credentials/insecure" +) + +func NewClient(ctx context.Context, host string, token string) (*authzed.Client, error) { + tokenOption := grpcutil.WithInsecureBearerToken(token) + if isTLS(ctx, host) { + tokenOption = grpcutil.WithBearerToken(token) + } + return authzed.NewClient( + host, + grpc.WithTransportCredentials(credentialsFor(ctx, host)), + tokenOption, + ) +} +func credentialsFor(ctx context.Context, host string) credentials.TransportCredentials { + if isTLS(ctx, host) { + pool, err := x509.SystemCertPool() + if err != nil { + pls.LogErrorNow(ctx, err) + return insecure.NewCredentials() + } + + return credentials.NewClientTLSFromCert(pool, "") + } + + return insecure.NewCredentials() +} + +func isTLS(ctx context.Context, host string) bool { + if host == "" { + return false + } + _, port, err := net.SplitHostPort(host) + if err != nil { + pls.LogError(ctx, err) + return false + } + return port == "443" +} -- cgit v1.2.3