Diffstat (limited to 'pkg/authz')
-rw-r--r--pkg/authz/bearer_token_credentials.go27
-rw-r--r--pkg/authz/grpc.go60
-rw-r--r--pkg/authz/server.go3
3 files changed, 90 insertions, 0 deletions
diff --git a/pkg/authz/bearer_token_credentials.go b/pkg/authz/bearer_token_credentials.go
new file mode 100644
index 0000000..5db0eee
--- /dev/null
+++ b/pkg/authz/bearer_token_credentials.go
@@ -0,0 +1,27 @@
+package authz
+
+import (
+ "context"
+
+ "google.golang.org/grpc/credentials"
+)
+
+type BearerTokenCredentials struct {
+ token string
+}
+
+func NewBearerToken(token string) credentials.PerRPCCredentials {
+ return &BearerTokenCredentials{
+ token: token,
+ }
+}
+
+func (b BearerTokenCredentials) GetRequestMetadata(ctx context.Context, _ ...string) (map[string]string, error) {
+ return map[string]string{
+ "authorization": "Bearer " + b.token,
+ }, nil
+}
+
+func (b BearerTokenCredentials) RequireTransportSecurity() bool {
+ return false
+}
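Review bot: `RequireTransportSecurity` returning false lets grpc-go attach the `Bearer` header to any connection, including the plaintext ones `credentialsFor` in grpc.go hands out for every non-443 target, so the SpiceDB preshared key given to `NewBearerToken` can leave the process unencrypted. Returning true makes grpc-go refuse the RPC on an insecure channel rather than leak the secret: `func (b BearerTokenCredentials) RequireTransportSecurity() bool { return true }`. If a cleartext path is genuinely needed for local development, expose it through a separate, explicitly named constructor instead of making it the default; authzed-go's grpcutil package appears to ship a `WithBearerToken`/`WithInsecureBearerToken` pair for exactly this split, which could replace this type outright. A doc comment on the exported type stating that the token is sent as `authorization: Bearer <token>` on every RPC would also help callers judge what they are handing it.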
diff --git a/pkg/authz/grpc.go b/pkg/authz/grpc.go
new file mode 100644
index 0000000..234208c
--- /dev/null
+++ b/pkg/authz/grpc.go
@@ -0,0 +1,60 @@
+package authz
+
+import (
+ "context"
+ "crypto/x509"
+ "net"
+
+ "github.com/authzed/authzed-go/v1"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
+ "google.golang.org/grpc/credentials/insecure"
+)
+
+func NewGrpcConnection(ctx context.Context, host string) *grpc.ClientConn {
+ connection, err := grpc.NewClient(
+ host,
+ grpc.WithTransportCredentials(credentialsFor(ctx, host)),
+ )
+ if err != nil {
+ pls.LogErrorNow(ctx, err)
+ }
+
+ return connection
+}
+
+func NewSpiceDBClient(ctx context.Context, host string, presharedKey string) *authzed.Client {
+ client, err := authzed.NewClient(
+ host,
+ grpc.WithTransportCredentials(credentialsFor(ctx, host)),
+ grpc.WithPerRPCCredentials(NewBearerToken(presharedKey)),
+ )
+ if err != nil {
+ pls.LogErrorNow(ctx, err)
+ }
+ return client
+}
+
+func credentialsFor(ctx context.Context, host string) credentials.TransportCredentials {
+ if host == "" {
+ return insecure.NewCredentials()
+ }
+
+ _, port, err := net.SplitHostPort(host)
+ if err != nil {
+ pls.LogErrorNow(ctx, err)
+ return insecure.NewCredentials()
+ }
+
+ if port != "443" {
+ return insecure.NewCredentials()
+ }
+
+ pool, err := x509.SystemCertPool()
+ if err != nil {
+ return insecure.NewCredentials()
+ }
+
+ return credentials.NewClientTLSFromCert(pool, "")
+}
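Review bot: `credentialsFor` fails open: both the `net.SplitHostPort` error branch and the `x509.SystemCertPool` error branch silently return `insecure.NewCredentials()`, so a malformed target or a broken trust store downgrades the connection to plaintext, and the TLS-versus-plaintext decision itself is inferred from `port == "443"`, so any other port carries the preshared key from `NewSpiceDBClient` over an unencrypted channel. Because `BearerTokenCredentials.RequireTransportSecurity` returns false, grpc-go will not stop that. A nil `RootCAs` already makes crypto/tls use the system roots, so the `SystemCertPool` lookup and its fallback can be dropped and every error path made fail-closed as below; the port sniffing is better replaced by an explicit insecure-transport option chosen by the caller, which needs a signature change beyond this hunk and is only flagged here. The rewrite uses `crypto/tls` in place of `crypto/x509` in the import block.
```go
// credentialsFor chooses transport credentials for host. TLS is the default;
// plaintext is used only for the empty host and the legacy non-443 case, and
// never as a fallback for a parse or certificate-pool error.
func credentialsFor(ctx context.Context, host string) credentials.TransportCredentials {
	if host == "" {
		return insecure.NewCredentials()
	}

	// A nil RootCAs pool makes crypto/tls use the system roots, so there is
	// no x509.SystemCertPool() call that could fail and force a downgrade.
	tlsCreds := credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12})

	_, port, err := net.SplitHostPort(host)
	if err != nil {
		pls.LogErrorNow(ctx, err)
		return tlsCreds // fail closed: an unparseable target never means plaintext
	}

	if port != "443" {
		// TODO: replace port sniffing with an explicit insecure-transport option;
		// until then this path still sends the preshared key in the clear.
		return insecure.NewCredentials()
	}

	return tlsCreds
}
```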
diff --git a/pkg/authz/server.go b/pkg/authz/server.go
index c54077b..6fb0f99 100644
--- a/pkg/authz/server.go
+++ b/pkg/authz/server.go
@@ -3,6 +3,7 @@ package authz
import (
"context"
+ "github.com/authzed/authzed-go/v1"
auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
xcontext "github.com/xlgmokha/x/pkg/context"
"github.com/xlgmokha/x/pkg/log"
@@ -13,6 +14,7 @@ import (
)
var Connection xcontext.Key[*grpc.ClientConn] = xcontext.Key[*grpc.ClientConn]("grpc_client")
+var Client xcontext.Key[*authzed.Client] = xcontext.Key[*authzed.Client]("authzed_client")
type Server struct {
*grpc.Server
@@ -38,6 +40,7 @@ func New(ctx context.Context, options ...grpc.ServerOption) *Server {
func authorizationServiceFor(ctx context.Context) auth.AuthorizationServer {
connection := Connection.From(ctx)
svcs := []auth.AuthorizationServer{NewLocalCheckService()}
+
if x.IsPresent(connection) {
pls.LogNow(ctx, log.Fields{"authzd": map[string]string{
"target": connection.CanonicalTarget(),