From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Tue, 15 Jul 2025 16:37:08 -0600
Subject: feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
---
 vendor/base64/tests/encode.rs |  77 --------------------
 vendor/base64/tests/tests.rs  | 161 ------------------------------------------
 2 files changed, 238 deletions(-)
 delete mode 100644 vendor/base64/tests/encode.rs
 delete mode 100644 vendor/base64/tests/tests.rs

(limited to 'vendor/base64/tests')

diff --git a/vendor/base64/tests/encode.rs b/vendor/base64/tests/encode.rs
deleted file mode 100644
index 9d694474..00000000
--- a/vendor/base64/tests/encode.rs
+++ /dev/null
@@ -1,77 +0,0 @@
-use base64::{
-    alphabet::URL_SAFE, engine::general_purpose::PAD, engine::general_purpose::STANDARD, *,
-};
-
-fn compare_encode(expected: &str, target: &[u8]) {
-    assert_eq!(expected, STANDARD.encode(target));
-}
-
-#[test]
-fn encode_all_ascii() {
-    let ascii: Vec<u8> = (0..=127).collect();
-
-    compare_encode(
-        "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7P\
-         D0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8\
-         =",
-        &ascii,
-    );
-}
-
-#[test]
-fn encode_all_bytes() {
-    let bytes: Vec<u8> = (0..=255).collect();
-
-    compare_encode(
-        "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7P\
-         D0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn\
-         +AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6\
-         /wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/w==",
-        &bytes,
-    );
-}
-
-#[test]
-fn encode_all_bytes_url() {
-    let bytes: Vec<u8> = (0..=255).collect();
-
-    assert_eq!(
-        "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0\
-         -P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn\
-         -AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq\
-         -wsbKztLW2t7i5uru8vb6_wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t_g4eLj5OXm5-jp6uvs7e7v8PHy\
-         8_T19vf4-fr7_P3-_w==",
-        &engine::GeneralPurpose::new(&URL_SAFE, PAD).encode(bytes)
-    );
-}
-
-#[test]
-fn encoded_len_unpadded() {
-    assert_eq!(0, encoded_len(0, false).unwrap());
-    assert_eq!(2, encoded_len(1, false).unwrap());
-    assert_eq!(3, encoded_len(2, false).unwrap());
-    assert_eq!(4, encoded_len(3, false).unwrap());
-    assert_eq!(6, encoded_len(4, false).unwrap());
-    assert_eq!(7, encoded_len(5, false).unwrap());
-    assert_eq!(8, encoded_len(6, false).unwrap());
-    assert_eq!(10, encoded_len(7, false).unwrap());
-}
-
-#[test]
-fn encoded_len_padded() {
-    assert_eq!(0, encoded_len(0, true).unwrap());
-    assert_eq!(4, encoded_len(1, true).unwrap());
-    assert_eq!(4, encoded_len(2, true).unwrap());
-    assert_eq!(4, encoded_len(3, true).unwrap());
-    assert_eq!(8, encoded_len(4, true).unwrap());
-    assert_eq!(8, encoded_len(5, true).unwrap());
-    assert_eq!(8, encoded_len(6, true).unwrap());
-    assert_eq!(12, encoded_len(7, true).unwrap());
-}
-#[test]
-fn encoded_len_overflow() {
-    let max_size = usize::MAX / 4 * 3 + 2;
-    assert_eq!(2, max_size % 3);
-    assert_eq!(Some(usize::MAX), encoded_len(max_size, false));
-    assert_eq!(None, encoded_len(max_size + 1, false));
-}
diff --git a/vendor/base64/tests/tests.rs b/vendor/base64/tests/tests.rs
deleted file mode 100644
index eceff40d..00000000
--- a/vendor/base64/tests/tests.rs
+++ /dev/null
@@ -1,161 +0,0 @@
-use rand::{Rng, SeedableRng};
-
-use base64::engine::{general_purpose::STANDARD, Engine};
-use base64::*;
-
-use base64::engine::general_purpose::{GeneralPurpose, NO_PAD};
-
-// generate random contents of the specified length and test encode/decode roundtrip
-fn roundtrip_random<E: Engine>(
-    byte_buf: &mut Vec<u8>,
-    str_buf: &mut String,
-    engine: &E,
-    byte_len: usize,
-    approx_values_per_byte: u8,
-    max_rounds: u64,
-) {
-    // let the short ones be short but don't let it get too crazy large
-    let num_rounds = calculate_number_of_rounds(byte_len, approx_values_per_byte, max_rounds);
-    let mut r = rand::rngs::SmallRng::from_entropy();
-    let mut decode_buf = Vec::new();
-
-    for _ in 0..num_rounds {
-        byte_buf.clear();
-        str_buf.clear();
-        decode_buf.clear();
-        while byte_buf.len() < byte_len {
-            byte_buf.push(r.gen::<u8>());
-        }
-
-        engine.encode_string(&byte_buf, str_buf);
-        engine.decode_vec(&str_buf, &mut decode_buf).unwrap();
-
-        assert_eq!(byte_buf, &decode_buf);
-    }
-}
-
-fn calculate_number_of_rounds(byte_len: usize, approx_values_per_byte: u8, max: u64) -> u64 {
-    // don't overflow
-    let mut prod = approx_values_per_byte as u64;
-
-    for _ in 0..byte_len {
-        if prod > max {
-            return max;
-        }
-
-        prod = prod.saturating_mul(prod);
-    }
-
-    prod
-}
-
-#[test]
-fn roundtrip_random_short_standard() {
-    let mut byte_buf: Vec<u8> = Vec::new();
-    let mut str_buf = String::new();
-
-    for input_len in 0..40 {
-        roundtrip_random(&mut byte_buf, &mut str_buf, &STANDARD, input_len, 4, 10000);
-    }
-}
-
-#[test]
-fn roundtrip_random_with_fast_loop_standard() {
-    let mut byte_buf: Vec<u8> = Vec::new();
-    let mut str_buf = String::new();
-
-    for input_len in 40..100 {
-        roundtrip_random(&mut byte_buf, &mut str_buf, &STANDARD, input_len, 4, 1000);
-    }
-}
-
-#[test]
-fn roundtrip_random_short_no_padding() {
-    let mut byte_buf: Vec<u8> = Vec::new();
-    let mut str_buf = String::new();
-
-    let engine = GeneralPurpose::new(&alphabet::STANDARD, NO_PAD);
-    for input_len in 0..40 {
-        roundtrip_random(&mut byte_buf, &mut str_buf, &engine, input_len, 4, 10000);
-    }
-}
-
-#[test]
-fn roundtrip_random_no_padding() {
-    let mut byte_buf: Vec<u8> = Vec::new();
-    let mut str_buf = String::new();
-
-    let engine = GeneralPurpose::new(&alphabet::STANDARD, NO_PAD);
-
-    for input_len in 40..100 {
-        roundtrip_random(&mut byte_buf, &mut str_buf, &engine, input_len, 4, 1000);
-    }
-}
-
-#[test]
-fn roundtrip_decode_trailing_10_bytes() {
-    // This is a special case because we decode 8 byte blocks of input at a time as much as we can,
-    // ideally unrolled to 32 bytes at a time, in stages 1 and 2. Since we also write a u64's worth
-    // of bytes (8) to the output, we always write 2 garbage bytes that then will be overwritten by
-    // the NEXT block. However, if the next block only contains 2 bytes, it will decode to 1 byte,
-    // and therefore be too short to cover up the trailing 2 garbage bytes. Thus, we have stage 3
-    // to handle that case.
-
-    for num_quads in 0..25 {
-        let mut s: String = "ABCD".repeat(num_quads);
-        s.push_str("EFGHIJKLZg");
-
-        let engine = GeneralPurpose::new(&alphabet::STANDARD, NO_PAD);
-        let decoded = engine.decode(&s).unwrap();
-        assert_eq!(num_quads * 3 + 7, decoded.len());
-
-        assert_eq!(s, engine.encode(&decoded));
-    }
-}
-
-#[test]
-fn display_wrapper_matches_normal_encode() {
-    let mut bytes = Vec::<u8>::with_capacity(256);
-
-    for i in 0..255 {
-        bytes.push(i);
-    }
-    bytes.push(255);
-
-    assert_eq!(
-        STANDARD.encode(&bytes),
-        format!("{}", display::Base64Display::new(&bytes, &STANDARD))
-    );
-}
-
-#[test]
-fn encode_engine_slice_error_when_buffer_too_small() {
-    for num_triples in 1..100 {
-        let input = "AAA".repeat(num_triples);
-        let mut vec = vec![0; (num_triples - 1) * 4];
-        assert_eq!(
-            EncodeSliceError::OutputSliceTooSmall,
-            STANDARD.encode_slice(&input, &mut vec).unwrap_err()
-        );
-        vec.push(0);
-        assert_eq!(
-            EncodeSliceError::OutputSliceTooSmall,
-            STANDARD.encode_slice(&input, &mut vec).unwrap_err()
-        );
-        vec.push(0);
-        assert_eq!(
-            EncodeSliceError::OutputSliceTooSmall,
-            STANDARD.encode_slice(&input, &mut vec).unwrap_err()
-        );
-        vec.push(0);
-        assert_eq!(
-            EncodeSliceError::OutputSliceTooSmall,
-            STANDARD.encode_slice(&input, &mut vec).unwrap_err()
-        );
-        vec.push(0);
-        assert_eq!(
-            num_triples * 4,
-            STANDARD.encode_slice(&input, &mut vec).unwrap()
-        );
-    }
-}
-- 
cgit v1.2.3