From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 15 Jul 2025 16:37:08 -0600 Subject: feat: migrate from Cedar to SpiceDB authorization system This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema. --- .../github.com/google/yamlfmt/content_analyzer.go | 90 ++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 vendor/github.com/google/yamlfmt/content_analyzer.go (limited to 'vendor/github.com/google/yamlfmt/content_analyzer.go')
diff --git a/vendor/github.com/google/yamlfmt/content_analyzer.go b/vendor/github.com/google/yamlfmt/content_analyzer.go
new file mode 100644
index 00000000..4083e6b8
--- /dev/null
+++ b/vendor/github.com/google/yamlfmt/content_analyzer.go
@@ -0,0 +1,90 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package yamlfmt
+
+import (
+ "os"
+ "regexp"
+
+ "github.com/google/yamlfmt/internal/collections"
+)
+
+type ContentAnalyzer interface {
+ ExcludePathsByContent(paths []string) ([]string, []string, error)
+}
+
+type BasicContentAnalyzer struct {
+ RegexPatterns []*regexp.Regexp
+}
+
+func NewBasicContentAnalyzer(patterns []string) (BasicContentAnalyzer, error) {
+ analyzer := BasicContentAnalyzer{RegexPatterns: []*regexp.Regexp{}}
+ compileErrs := collections.Errors{}
+ for _, pattern := range patterns {
+ re, err := regexp.Compile(pattern)
+ if err != nil {
+ compileErrs = append(compileErrs, err)
+ continue
+ }
+ analyzer.RegexPatterns = append(analyzer.RegexPatterns, re)
+ }
+ return analyzer, compileErrs.Combine()
+}
+
+func (a BasicContentAnalyzer) ExcludePathsByContent(paths []string) ([]string, []string, error) {
+ pathsToFormat := collections.SliceToSet(paths)
+ pathsExcluded := []string{}
+ pathErrs := collections.Errors{}
+
+ for _, path := range paths {
+ content, err := os.ReadFile(path)
+ if err != nil {
+ pathErrs = append(pathErrs, err)
+ continue
+ }
+
+ // Search metadata for ignore
+ metadata, mdErrs := ReadMetadata(content, path)
+ if len(mdErrs) != 0 {
+ pathErrs = append(pathErrs, mdErrs...)
+ }
+ ignoreFound := false
+ for md := range metadata {
+ if md.Type == MetadataIgnore {
+ ignoreFound = true
+ break
+ }
+ }
+ if ignoreFound {
+ pathsExcluded = append(pathsExcluded, path)
+ pathsToFormat.Remove(path)
+ continue
+ }
+
+ // Check if content matches any regex
+ matched := false
+ for _, pattern := range a.RegexPatterns {
+ if pattern.Match(content) {
+ matched = true
+ }
+ }
+ if matched {
+ pathsExcluded = append(pathsExcluded, path)
+ pathsToFormat.Remove(path)
+ }
+ }
+
+ return pathsToFormat.ToSlice(), pathsExcluded, pathErrs.Combine()
+}
-- cgit v1.2.3