Diffstat (limited to 'pkg/authz/grpc.go')
| -rw-r--r-- | pkg/authz/grpc.go | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/pkg/authz/grpc.go b/pkg/authz/grpc.go
new file mode 100644
index 0000000..234208c
--- /dev/null
+++ b/pkg/authz/grpc.go
@@ -0,0 +1,60 @@
+package authz
+
+import (
+ "context"
+ "crypto/x509"
+ "net"
+
+ "github.com/authzed/authzed-go/v1"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
+ "google.golang.org/grpc/credentials/insecure"
+)
+
+func NewGrpcConnection(ctx context.Context, host string) *grpc.ClientConn {
+ connection, err := grpc.NewClient(
+ host,
+ grpc.WithTransportCredentials(credentialsFor(ctx, host)),
+ )
+ if err != nil {
+ pls.LogErrorNow(ctx, err)
+ }
+
+ return connection
+}
+
+func NewSpiceDBClient(ctx context.Context, host string, presharedKey string) *authzed.Client {
+ client, err := authzed.NewClient(
+ host,
+ grpc.WithTransportCredentials(credentialsFor(ctx, host)),
+ grpc.WithPerRPCCredentials(NewBearerToken(presharedKey)),
+ )
+ if err != nil {
+ pls.LogErrorNow(ctx, err)
+ }
+ return client
+}
+
+func credentialsFor(ctx context.Context, host string) credentials.TransportCredentials {
+ if host == "" {
+ return insecure.NewCredentials()
+ }
+
+ _, port, err := net.SplitHostPort(host)
+ if err != nil {
+ pls.LogErrorNow(ctx, err)
+ return insecure.NewCredentials()
+ }
+
+ if port != "443" {
+ return insecure.NewCredentials()
+ }
+
+ pool, err := x509.SystemCertPool()
+ if err != nil {
+ return insecure.NewCredentials()
+ }
+
+ return credentials.NewClientTLSFromCert(pool, "")
+} |
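Review bot: credentialsFor falls back to plaintext transport on three separate paths — a host that net.SplitHostPort cannot parse, any port other than "443", and an x509.SystemCertPool error — so a misconfigured or non-standard SpiceDB host silently downgrades the connection, and the preshared key attached via NewBearerToken, to cleartext. The cert-pool failure in particular is an environment error, not a request for plaintext, and should fail closed; a transport decision keyed on port number alone is also easy to get wrong in deployments that terminate TLS on another port. The sketch below makes TLS the default for any non-empty host and returns an error instead of downgrading, so NewGrpcConnection and NewSpiceDBClient can propagate it; plaintext for a local dev endpoint would then be an explicit option rather than a side effect of the port. Whether pls.LogErrorNow terminates the process is not visible here; if it does not, both constructors currently return a nil connection/client to the caller after logging, which is worth documenting on the function comments either way.
```go
// credentialsFor returns TLS credentials backed by the system cert pool for
// any non-empty host. An empty host keeps the existing plaintext behaviour;
// a cert-pool failure is an error, never a downgrade to plaintext.
func credentialsFor(host string) (credentials.TransportCredentials, error) {
	if host == "" {
		return insecure.NewCredentials(), nil
	}
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, err
	}
	return credentials.NewClientTLSFromCert(pool, ""), nil
}
```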
