From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 15 Jul 2025 16:37:08 -0600 Subject: feat: migrate from Cedar to SpiceDB authorization system This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema. --- vendor/indexmap/src/set/slice.rs | 379 --------------------------------------- 1 file changed, 379 deletions(-) delete mode 100644 vendor/indexmap/src/set/slice.rs (limited to 'vendor/indexmap/src/set/slice.rs') diff --git a/vendor/indexmap/src/set/slice.rs b/vendor/indexmap/src/set/slice.rs deleted file mode 100644 index faa9041a..00000000 --- a/vendor/indexmap/src/set/slice.rs +++ /dev/null @@ -1,379 +0,0 @@ -use super::{Bucket, Entries, IndexSet, IntoIter, Iter}; -use crate::util::{slice_eq, try_simplify_range}; - -use alloc::boxed::Box; -use alloc::vec::Vec; -use core::cmp::Ordering; -use core::fmt; -use core::hash::{Hash, Hasher}; -use core::ops::{self, Bound, Index, RangeBounds}; - -/// A dynamically-sized slice of values in an [`IndexSet`]. -/// -/// This supports indexed operations much like a `[T]` slice, -/// but not any hashed operations on the values. -/// -/// Unlike `IndexSet`, `Slice` does consider the order for [`PartialEq`] -/// and [`Eq`], and it also implements [`PartialOrd`], [`Ord`], and [`Hash`]. -#[repr(transparent)] -pub struct Slice { - pub(crate) entries: [Bucket], -} - -// SAFETY: `Slice` is a transparent wrapper around `[Bucket]`, -// and reference lifetimes are bound together in function signatures. -#[allow(unsafe_code)] -impl Slice { - pub(super) const fn from_slice(entries: &[Bucket]) -> &Self { - unsafe { &*(entries as *const [Bucket] as *const Self) } - } - - pub(super) fn from_boxed(entries: Box<[Bucket]>) -> Box { - unsafe { Box::from_raw(Box::into_raw(entries) as *mut Self) } - } - - fn into_boxed(self: Box) -> Box<[Bucket]> { - unsafe { Box::from_raw(Box::into_raw(self) as *mut [Bucket]) } - } -} - -impl Slice { - pub(crate) fn into_entries(self: Box) -> Vec> { - self.into_boxed().into_vec() - } - - /// Returns an empty slice. - pub const fn new<'a>() -> &'a Self { - Self::from_slice(&[]) - } - - /// Return the number of elements in the set slice. - pub const fn len(&self) -> usize { - self.entries.len() - } - - /// Returns true if the set slice contains no elements. - pub const fn is_empty(&self) -> bool { - self.entries.is_empty() - } - - /// Get a value by index. - /// - /// Valid indices are `0 <= index < self.len()`. - pub fn get_index(&self, index: usize) -> Option<&T> { - self.entries.get(index).map(Bucket::key_ref) - } - - /// Returns a slice of values in the given range of indices. - /// - /// Valid indices are `0 <= index < self.len()`. - pub fn get_range>(&self, range: R) -> Option<&Self> { - let range = try_simplify_range(range, self.entries.len())?; - self.entries.get(range).map(Self::from_slice) - } - - /// Get the first value. - pub fn first(&self) -> Option<&T> { - self.entries.first().map(Bucket::key_ref) - } - - /// Get the last value. - pub fn last(&self) -> Option<&T> { - self.entries.last().map(Bucket::key_ref) - } - - /// Divides one slice into two at an index. - /// - /// ***Panics*** if `index > len`. - pub fn split_at(&self, index: usize) -> (&Self, &Self) { - let (first, second) = self.entries.split_at(index); - (Self::from_slice(first), Self::from_slice(second)) - } - - /// Returns the first value and the rest of the slice, - /// or `None` if it is empty. - pub fn split_first(&self) -> Option<(&T, &Self)> { - if let [first, rest @ ..] = &self.entries { - Some((&first.key, Self::from_slice(rest))) - } else { - None - } - } - - /// Returns the last value and the rest of the slice, - /// or `None` if it is empty. - pub fn split_last(&self) -> Option<(&T, &Self)> { - if let [rest @ .., last] = &self.entries { - Some((&last.key, Self::from_slice(rest))) - } else { - None - } - } - - /// Return an iterator over the values of the set slice. - pub fn iter(&self) -> Iter<'_, T> { - Iter::new(&self.entries) - } - - /// Search over a sorted set for a value. - /// - /// Returns the position where that value is present, or the position where it can be inserted - /// to maintain the sort. See [`slice::binary_search`] for more details. - /// - /// Computes in **O(log(n))** time, which is notably less scalable than looking the value up in - /// the set this is a slice from using [`IndexSet::get_index_of`], but this can also position - /// missing values. - pub fn binary_search(&self, x: &T) -> Result - where - T: Ord, - { - self.binary_search_by(|p| p.cmp(x)) - } - - /// Search over a sorted set with a comparator function. - /// - /// Returns the position where that value is present, or the position where it can be inserted - /// to maintain the sort. See [`slice::binary_search_by`] for more details. - /// - /// Computes in **O(log(n))** time. - #[inline] - pub fn binary_search_by<'a, F>(&'a self, mut f: F) -> Result - where - F: FnMut(&'a T) -> Ordering, - { - self.entries.binary_search_by(move |a| f(&a.key)) - } - - /// Search over a sorted set with an extraction function. - /// - /// Returns the position where that value is present, or the position where it can be inserted - /// to maintain the sort. See [`slice::binary_search_by_key`] for more details. - /// - /// Computes in **O(log(n))** time. - #[inline] - pub fn binary_search_by_key<'a, B, F>(&'a self, b: &B, mut f: F) -> Result - where - F: FnMut(&'a T) -> B, - B: Ord, - { - self.binary_search_by(|k| f(k).cmp(b)) - } - - /// Returns the index of the partition point of a sorted set according to the given predicate - /// (the index of the first element of the second partition). - /// - /// See [`slice::partition_point`] for more details. - /// - /// Computes in **O(log(n))** time. - #[must_use] - pub fn partition_point

(&self, mut pred: P) -> usize - where - P: FnMut(&T) -> bool, - { - self.entries.partition_point(move |a| pred(&a.key)) - } -} - -impl<'a, T> IntoIterator for &'a Slice { - type IntoIter = Iter<'a, T>; - type Item = &'a T; - - fn into_iter(self) -> Self::IntoIter { - self.iter() - } -} - -impl IntoIterator for Box> { - type IntoIter = IntoIter; - type Item = T; - - fn into_iter(self) -> Self::IntoIter { - IntoIter::new(self.into_entries()) - } -} - -impl Default for &'_ Slice { - fn default() -> Self { - Slice::from_slice(&[]) - } -} - -impl Default for Box> { - fn default() -> Self { - Slice::from_boxed(Box::default()) - } -} - -impl Clone for Box> { - fn clone(&self) -> Self { - Slice::from_boxed(self.entries.to_vec().into_boxed_slice()) - } -} - -impl From<&Slice> for Box> { - fn from(slice: &Slice) -> Self { - Slice::from_boxed(Box::from(&slice.entries)) - } -} - -impl fmt::Debug for Slice { - fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { - f.debug_list().entries(self).finish() - } -} - -impl PartialEq> for Slice -where - T: PartialEq, -{ - fn eq(&self, other: &Slice) -> bool { - slice_eq(&self.entries, &other.entries, |b1, b2| b1.key == b2.key) - } -} - -impl PartialEq<[U]> for Slice -where - T: PartialEq, -{ - fn eq(&self, other: &[U]) -> bool { - slice_eq(&self.entries, other, |b, o| b.key == *o) - } -} - -impl PartialEq> for [T] -where - T: PartialEq, -{ - fn eq(&self, other: &Slice) -> bool { - slice_eq(self, &other.entries, |o, b| *o == b.key) - } -} - -impl PartialEq<[U; N]> for Slice -where - T: PartialEq, -{ - fn eq(&self, other: &[U; N]) -> bool { - >::eq(self, other) - } -} - -impl PartialEq> for [T; N] -where - T: PartialEq, -{ - fn eq(&self, other: &Slice) -> bool { - <[T] as PartialEq>>::eq(self, other) - } -} - -impl Eq for Slice {} - -impl PartialOrd for Slice { - fn partial_cmp(&self, other: &Self) -> Option { - self.iter().partial_cmp(other) - } -} - -impl Ord for Slice { - fn cmp(&self, other: &Self) -> Ordering { - self.iter().cmp(other) - } -} - -impl Hash for Slice { - fn hash(&self, state: &mut H) { - self.len().hash(state); - for value in self { - value.hash(state); - } - } -} - -impl Index for Slice { - type Output = T; - - fn index(&self, index: usize) -> &Self::Output { - &self.entries[index].key - } -} - -// We can't have `impl> Index` because that conflicts with `Index`. -// Instead, we repeat the implementations for all the core range types. -macro_rules! impl_index { - ($($range:ty),*) => {$( - impl Index<$range> for IndexSet { - type Output = Slice; - - fn index(&self, range: $range) -> &Self::Output { - Slice::from_slice(&self.as_entries()[range]) - } - } - - impl Index<$range> for Slice { - type Output = Self; - - fn index(&self, range: $range) -> &Self::Output { - Slice::from_slice(&self.entries[range]) - } - } - )*} -} -impl_index!( - ops::Range, - ops::RangeFrom, - ops::RangeFull, - ops::RangeInclusive, - ops::RangeTo, - ops::RangeToInclusive, - (Bound, Bound) -); - -#[cfg(test)] -mod tests { - use super::*; - - #[test] - fn slice_index() { - fn check(vec_slice: &[i32], set_slice: &Slice, sub_slice: &Slice) { - assert_eq!(set_slice as *const _, sub_slice as *const _); - itertools::assert_equal(vec_slice, set_slice); - } - - let vec: Vec = (0..10).map(|i| i * i).collect(); - let set: IndexSet = vec.iter().cloned().collect(); - let slice = set.as_slice(); - - // RangeFull - check(&vec[..], &set[..], &slice[..]); - - for i in 0usize..10 { - // Index - assert_eq!(vec[i], set[i]); - assert_eq!(vec[i], slice[i]); - - // RangeFrom - check(&vec[i..], &set[i..], &slice[i..]); - - // RangeTo - check(&vec[..i], &set[..i], &slice[..i]); - - // RangeToInclusive - check(&vec[..=i], &set[..=i], &slice[..=i]); - - // (Bound, Bound) - let bounds = (Bound::Excluded(i), Bound::Unbounded); - check(&vec[i + 1..], &set[bounds], &slice[bounds]); - - for j in i..=10 { - // Range - check(&vec[i..j], &set[i..j], &slice[i..j]); - } - - for j in i..10 { - // RangeInclusive - check(&vec[i..=j], &set[i..=j], &slice[i..=j]); - } - } - } -} -- cgit v1.2.3