From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 15 Jul 2025 16:37:08 -0600
Subject: feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization.

Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
---
 src/bin/cli.rs | 94 ----------------------------------------------------------
 1 file changed, 94 deletions(-)
 delete mode 100644 src/bin/cli.rs

(limited to 'src/bin/cli.rs')

diff --git a/src/bin/cli.rs b/src/bin/cli.rs
deleted file mode 100644
index 78aa1ba1..00000000
--- a/src/bin/cli.rs
+++ /dev/null
@@ -1,94 +0,0 @@
-use authzd::EntitiesRepository;
-use authzd::gitlab::Api;
-use clap::{Parser, Subcommand};
-
-#[derive(Parser, Debug)]
-#[command(
- author,
- version,
- about = "Authorization CLI for managing Cedar entities and policies"
-)]
-struct Args {
- #[command(subcommand)]
- command: Commands,
-}
-
-#[derive(Subcommand, Debug)]
-enum Commands {
- /// Generate entities from GitLab API
- Generate {
- /// Project ID or path (e.g., gitlab-org/gitlab)
- #[arg(short, long)]
- project: String,
-
- /// Output file path
- #[arg(short, long, default_value = "entities.json")]
- output: String,
-
- /// GitLab API token
- #[arg(short, long, env = "GITLAB_TOKEN")]
- token: String,
-
- /// GitLab instance URL
- #[arg(
- short = 'H',
- long,
- env = "GITLAB_HOST",
- default_value = "https://gitlab.com"
- )]
- host: String,
- },
- Server {
- /// Address to bind to
- #[arg(short, long, env = "BIND_ADDR", default_value = "127.0.0.1:50052")]
- addr: String,
- },
-}
-
-#[tokio::main]
-async fn main() -> Result<(), Box> {
- let args = Args::parse();
-
- match args.command {
- Commands::Generate {
- project,
- output,
- token,
- host,
- } => {
- let repository = EntitiesRepository::new(Api::new(token, host));
- let entities = repository.all(project).await?;
- EntitiesRepository::is_valid(&entities)?;
- let json = serde_json::to_string_pretty(&entities)?;
- std::fs::write(&output, json)?;
-
- println!(
- "Successfully generated {} entities to {}",
- entities.len(),
- output
- );
- }
- Commands::Server { addr } => {
- tracing_subscriber::fmt()
- .json()
- .with_ansi(false)
- .with_current_span(true)
- .with_file(true)
- .with_level(false)
- .with_line_number(true)
- .with_max_level(tracing::Level::INFO)
- .with_span_list(true)
- .with_target(false)
- .with_thread_ids(false)
- .with_thread_names(false)
- .init();
-
- tracing::info!(address = %addr, "Starting");
- authzd::authorization::Server::new(authzd::authorization::CedarAuthorizer::default())?
- .serve(addr.parse().unwrap())
- .await?;
- }
- }
-
- Ok(())
-}
-- 
cgit v1.2.3