From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 15 Jul 2025 16:37:08 -0600
Subject: feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization.

Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
---
 src/authorization/check_service.rs | 33 ---------------------------------
 1 file changed, 33 deletions(-)
 delete mode 100644 src/authorization/check_service.rs
(limited to 'src/authorization/check_service.rs')

diff --git a/src/authorization/check_service.rs b/src/authorization/check_service.rs
deleted file mode 100644
index f8c7577f..00000000
--- a/src/authorization/check_service.rs
+++ /dev/null
@@ -1,33 +0,0 @@
-use envoy_types::ext_authz::v3::CheckResponseExt;
-use envoy_types::ext_authz::v3::pb::{CheckRequest, CheckResponse};
-use std::sync::Arc;
-use tonic::{Request, Response, Status};
-
-use super::authorizer::Authorizer;
-
-#[derive(Debug)]
-pub struct CheckService {
- authorizer: Arc,
-}
-
-impl CheckService {
- pub fn new(authorizer: Arc) -> Self {
- Self { authorizer }
- }
-}
-
-#[tonic::async_trait]
-impl envoy_types::ext_authz::v3::pb::Authorization for CheckService {
- async fn check(
- &self,
- request: Request,
- ) -> Result, Status> {
- if self.authorizer.authorize(request.into_inner()) {
- Ok(Response::new(CheckResponse::with_status(Status::ok("OK"))))
- } else {
- Ok(Response::new(CheckResponse::with_status(
- Status::unauthenticated("Unauthorized"),
- )))
- }
- }
-}
-- cgit v1.2.3