1 files changed, 51 insertions, 0 deletions

diff --git a/pkg/authz/client.go b/pkg/authz/client.go
new file mode 100644
index 00000000..eab1fe99
--- /dev/null
+++ b/pkg/authz/client.go
@@ -0,0 +1,51 @@
+package authz
+
+import (
+	"context"
+	"crypto/x509"
+	"net"
+
+	authzed "github.com/authzed/authzed-go/v1"
+	"github.com/authzed/grpcutil"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+func NewClient(ctx context.Context, host string, token string) (*authzed.Client, error) {
+	tokenOption := grpcutil.WithInsecureBearerToken(token)
+	if isTLS(ctx, host) {
+		tokenOption = grpcutil.WithBearerToken(token)
+	}
+	return authzed.NewClient(
+		host,
+		grpc.WithTransportCredentials(credentialsFor(ctx, host)),
+		tokenOption,
+	)
+}
+func credentialsFor(ctx context.Context, host string) credentials.TransportCredentials {
+	if isTLS(ctx, host) {
+		pool, err := x509.SystemCertPool()
+		if err != nil {
+			pls.LogErrorNow(ctx, err)
+			return insecure.NewCredentials()
+		}
+
+		return credentials.NewClientTLSFromCert(pool, "")
+	}
+
+	return insecure.NewCredentials()
+}
+
+func isTLS(ctx context.Context, host string) bool {
+	if host == "" {
+		return false
+	}
+	_, port, err := net.SplitHostPort(host)
+	if err != nil {
+		pls.LogError(ctx, err)
+		return false
+	}
+	return port == "443"
+}