From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 15 Jul 2025 16:37:08 -0600 Subject: feat: migrate from Cedar to SpiceDB authorization system This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema. --- vendor/security-framework/src/lib.rs | 93 ------------------------------------ 1 file changed, 93 deletions(-) delete mode 100644 vendor/security-framework/src/lib.rs (limited to 'vendor/security-framework/src/lib.rs') diff --git a/vendor/security-framework/src/lib.rs b/vendor/security-framework/src/lib.rs deleted file mode 100644 index 81631afe..00000000 --- a/vendor/security-framework/src/lib.rs +++ /dev/null @@ -1,93 +0,0 @@ -//! Wrappers around the OSX Security Framework. -#![warn(missing_docs)] -#![allow(non_upper_case_globals)] -#![allow(clippy::manual_non_exhaustive)] // MSRV -#![allow(clippy::bad_bit_mask)] // bitflags - -#[macro_use] -extern crate core_foundation; - -use core_foundation_sys::base::OSStatus; -use security_framework_sys::base::errSecSuccess; - -use crate::base::{Error, Result}; -#[cfg(target_os = "macos")] -use crate::os::macos::access::SecAccess; -#[cfg(target_os = "macos")] -use crate::os::macos::keychain::SecKeychain; - -#[cfg(test)] -macro_rules! p { - ($e:expr) => { - match $e { - Ok(s) => s, - Err(e) => panic!("{:?}", e), - } - }; -} - -#[cfg(all(not(feature = "OSX_10_13"), any(feature = "alpn", feature = "session-tickets")))] -#[macro_use] -mod dlsym; - -pub mod access_control; -#[cfg(target_os = "macos")] -pub mod authorization; -pub mod base; -#[cfg(any(target_os = "macos", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))] -pub mod certificate; -pub mod cipher_suite; -#[cfg(any(target_os = "macos", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))] -pub mod identity; -#[cfg(any(target_os = "macos", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))] -pub mod import_export; -#[cfg(any(target_os = "macos", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))] -pub mod item; -#[cfg(any(target_os = "macos", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))] -pub mod key; -pub mod os; -pub mod passwords; -pub mod passwords_options; -#[cfg(any(target_os = "macos", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))] -pub mod policy; -pub mod random; -#[cfg(any(target_os = "macos", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))] -pub mod secure_transport; -#[cfg(any(target_os = "macos", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))] -pub mod trust; -#[cfg(target_os = "macos")] -pub mod trust_settings; - -#[cfg(target_os = "macos")] -trait Pkcs12ImportOptionsInternals { - fn keychain(&mut self, keychain: SecKeychain) -> &mut Self; - fn access(&mut self, access: SecAccess) -> &mut Self; -} - -#[cfg(target_os = "macos")] -trait ItemSearchOptionsInternals { - fn keychains(&mut self, keychains: &[SecKeychain]) -> &mut Self; -} - -trait AsInner { - type Inner; - fn as_inner(&self) -> Self::Inner; -} - -#[inline(always)] -fn cvt(err: OSStatus) -> Result<()> { - match err { - errSecSuccess => Ok(()), - err => Err(Error::from_code(err)), - } -} - -#[cfg(test)] -mod test { - use crate::certificate::SecCertificate; - - pub fn certificate() -> SecCertificate { - let certificate = include_bytes!("../test/server.der"); - p!(SecCertificate::from_der(certificate)) - } -} -- cgit v1.2.3