From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 15 Jul 2025 16:37:08 -0600
Subject: feat: migrate from Cedar to SpiceDB authorization system This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
---
vendor/security-framework/src/os/macos/mod.rs | 52 ---------------------------
1 file changed, 52 deletions(-)
delete mode 100644 vendor/security-framework/src/os/macos/mod.rs
(limited to 'vendor/security-framework/src/os/macos/mod.rs')
diff --git a/vendor/security-framework/src/os/macos/mod.rs b/vendor/security-framework/src/os/macos/mod.rs
deleted file mode 100644
index 3e468fc3..00000000
--- a/vendor/security-framework/src/os/macos/mod.rs
+++ /dev/null
@@ -1,52 +0,0 @@
-//! OSX specific extensions.
-
-pub mod access;
-pub mod certificate;
-pub mod certificate_oids;
-pub mod code_signing;
-pub mod digest_transform;
-pub mod encrypt_transform;
-pub mod identity;
-pub mod import_export;
-pub mod item;
-pub mod key;
-pub mod keychain;
-pub mod keychain_item;
-pub mod passwords;
-pub mod secure_transport;
-pub mod transform;
-
-#[cfg(test)]
-pub mod test {
- use crate::identity::SecIdentity;
- use crate::item::{ItemClass, ItemSearchOptions, Reference, SearchResult};
- use crate::os::macos::item::ItemSearchOptionsExt;
- use crate::os::macos::keychain::SecKeychain;
- use std::fs::File;
- use std::io::prelude::*;
- use std::path::Path;
-
- #[must_use] pub fn identity(dir: &Path) -> SecIdentity {
- // FIXME https://github.com/rust-lang/rust/issues/30018
- let keychain = keychain(dir);
- let mut items = p!(ItemSearchOptions::new()
- .class(ItemClass::identity())
- .keychains(&[keychain])
- .search());
- match items.pop().unwrap() {
- SearchResult::Ref(Reference::Identity(identity)) => identity,
- _ => panic!("expected identity"),
- }
- }
-
- #[must_use] pub fn keychain(dir: &Path) -> SecKeychain {
- let path = dir.join("server.keychain");
- let mut file = p!(File::create(&path));
- p!(file.write_all(include_bytes!("../../../test/server.keychain")));
- drop(file);
-
- let mut keychain = p!(SecKeychain::open(&path));
- p!(keychain.unlock(Some("password123")));
- keychain
- }
-}
-- cgit v1.2.3