From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 15 Jul 2025 16:37:08 -0600 Subject: feat: migrate from Cedar to SpiceDB authorization system This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema. --- pkg/authz/server_test.go | 67 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 pkg/authz/server_test.go (limited to 'pkg/authz/server_test.go') diff --git a/pkg/authz/server_test.go b/pkg/authz/server_test.go new file mode 100644 index 00000000..47f22191 --- /dev/null +++ b/pkg/authz/server_test.go @@ -0,0 +1,67 @@ +package authz + +import ( + "context" + "net" + "testing" + + auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/credentials/insecure" + "google.golang.org/grpc/test/bufconn" +) + +type HTTPRequest = auth.AttributeContext_HttpRequest + +func TestServer(t *testing.T) { + socket := bufconn.Listen(1024 * 1024) + srv := New(t.Context()) + + defer srv.GracefulStop() + go func() { + require.NoError(t, srv.Serve(socket)) + }() + + connection, err := grpc.DialContext( + t.Context(), + "bufnet", + grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) { + return socket.Dial() + }), + grpc.WithTransportCredentials(insecure.NewCredentials()), + ) + require.NoError(t, err) + defer connection.Close() + + client := auth.NewAuthorizationClient(connection) + + t.Run("CheckRequest", func(t *testing.T) { + tt := []struct { + http *HTTPRequest + status codes.Code + }{ + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/application.js"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/favicon.ico"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/favicon.png"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/index.html"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/application.css"}}, + } + + for _, example := range tt { + t.Run(example.http.Path, func(t *testing.T) { + response, err := client.Check(t.Context(), &auth.CheckRequest{ + Attributes: &auth.AttributeContext{ + Request: &auth.AttributeContext_Request{ + Http: example.http, + }, + }, + }) + require.NoError(t, err) + assert.Equal(t, int32(example.status), response.Status.Code) + }) + } + }) +} -- cgit v1.2.3