From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 15 Jul 2025 16:37:08 -0600
Subject: feat: migrate from Cedar to SpiceDB authorization system This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
---
 tests/support/common.rs | 12 -------
 tests/support/factory_bot.rs | 74 --------------------------------------------
 tests/support/mod.rs | 2 --
 3 files changed, 88 deletions(-)
 delete mode 100644 tests/support/common.rs
 delete mode 100644 tests/support/factory_bot.rs
 delete mode 100644 tests/support/mod.rs
(limited to 'tests/support')
diff --git a/tests/support/common.rs b/tests/support/common.rs
deleted file mode 100644
index 8db5c52b..00000000
--- a/tests/support/common.rs
+++ /dev/null
@@ -1,12 +0,0 @@
-use std::sync::Once;
-
-static INIT: Once = Once::new();
-
-pub fn setup() {
- INIT.call_once(|| {
- tracing_subscriber::fmt()
- .with_test_writer()
- .with_max_level(tracing::Level::WARN)
- .init();
- });
-}
diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs
deleted file mode 100644
index ba0d9c38..00000000
--- a/tests/support/factory_bot.rs
+++ /dev/null
@@ -1,74 +0,0 @@
-use envoy_types::ext_authz::v3::pb::CheckRequest;
-use envoy_types::pb::envoy::service::auth::v3::AttributeContext;
-use envoy_types::pb::envoy::service::auth::v3::attribute_context::{HttpRequest, Request};
-use std::collections::HashMap;
-use std::net::SocketAddr;
-use std::str::FromStr;
-use tonic::transport::Channel;
-
-#[allow(dead_code)]
-pub fn build() -> T {
- please::build()
-}
-
-pub fn build_with(initializer: F) -> T
-where
- T: Default,
- F: std::ops::FnOnce(&mut T),
-{
- please::build_with(initializer)
-}
-
-pub fn build_request(f: impl std::ops::FnOnce(&mut HttpRequest)) -> CheckRequest {
- build_with(|item: &mut CheckRequest| {
- item.attributes = Some(please::build_with(|item: &mut AttributeContext| {
- item.request = Some(please::build_with(|item: &mut Request| {
- item.http = Some(please::build_with(|item: &mut HttpRequest| f(item)));
- }));
- }));
- })
-}
-
-pub fn build_headers(headers: Vec<(String, String)>) -> HashMap {
- build_with(|item: &mut HashMap| {
- for (key, value) in headers {
- item.insert(key, value);
- }
- })
-}
-
-pub fn build_cedar_authorizer(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer {
- let realpath = std::fs::canonicalize("./etc/authzd").unwrap();
- let path = realpath.as_path();
- authzd::CedarAuthorizer::new_from(path, entities)
-}
-
-pub async fn build_channel(addr: SocketAddr) -> Channel {
- Channel::from_shared(format!("http://{}", addr))
- .expect("Failed to create channel")
- .connect()
- .await
- .expect("Failed to connect to server")
-}
-
-pub async fn build_rpc_client(addr: SocketAddr, f: F) -> T
-where
- F: FnOnce(Channel) -> T,
-{
- f(build_channel(addr).await)
-}
-
-pub fn build_user(
- id: &str,
- attrs: std::collections::HashMap,
-) -> cedar_policy::Entity {
- cedar_policy::Entity::new(
- cedar_policy::EntityUid::from_type_name_and_id(
- cedar_policy::EntityTypeName::from_str("User").unwrap(),
- cedar_policy::EntityId::from_str(id).unwrap(),
- ),
- attrs,
- std::collections::HashSet::new(),
- )
- .unwrap()
-}
diff --git a/tests/support/mod.rs b/tests/support/mod.rs
deleted file mode 100644
index c46f39e5..00000000
--- a/tests/support/mod.rs
+++ /dev/null
@@ -1,2 +0,0 @@
-pub mod common;
-pub mod factory_bot;
-- 
cgit v1.2.3