|
| 1 | +from typing import Callable, Any |
1 | 2 | import asyncio |
2 | 3 |
|
3 | 4 | import grpc |
4 | 5 | import grpc.aio |
5 | 6 |
|
| 7 | +from grpc_interceptor import ClientCallDetails, ClientInterceptor |
| 8 | + |
6 | 9 | from authzed.api.v1.core_pb2 import ( |
7 | 10 | AlgebraicSubjectSet, |
8 | 11 | ContextualizedCaveat, |
@@ -70,47 +73,95 @@ class Client(SchemaServiceStub, PermissionsServiceStub, ExperimentalServiceStub, |
70 | 73 | """ |
71 | 74 |
|
72 | 75 | def __init__(self, target, credentials, options=None, compression=None): |
| 76 | + channel = self.create_channel(target, credentials, options, compression) |
| 77 | + self.init_stubs(channel) |
| 78 | + |
| 79 | + def init_stubs(self, channel): |
| 80 | + SchemaServiceStub.__init__(self, channel) |
| 81 | + PermissionsServiceStub.__init__(self, channel) |
| 82 | + ExperimentalServiceStub.__init__(self, channel) |
| 83 | + WatchServiceStub.__init__(self, channel) |
| 84 | + |
| 85 | + def create_channel(self, target, credentials, options=None, compression=None): |
73 | 86 | try: |
74 | 87 | asyncio.get_running_loop() |
75 | 88 | channelfn = grpc.aio.secure_channel |
76 | 89 | except RuntimeError: |
77 | 90 | channelfn = grpc.secure_channel |
78 | 91 |
|
79 | | - channel = channelfn(target, credentials, options, compression) |
80 | | - SchemaServiceStub.__init__(self, channel) |
81 | | - PermissionsServiceStub.__init__(self, channel) |
82 | | - ExperimentalServiceStub.__init__(self, channel) |
83 | | - WatchServiceStub.__init__(self, channel) |
| 92 | + return channelfn(target, credentials, options, compression) |
84 | 93 |
|
85 | 94 |
|
86 | | -class AsyncClient( |
87 | | - SchemaServiceStub, PermissionsServiceStub, ExperimentalServiceStub, WatchServiceStub |
88 | | -): |
| 95 | +class AsyncClient(Client): |
89 | 96 | """ |
90 | 97 | v1 Authzed gRPC API client, for use with asyncio. |
91 | 98 | """ |
92 | 99 |
|
93 | 100 | def __init__(self, target, credentials, options=None, compression=None): |
94 | 101 | channel = grpc.aio.secure_channel(target, credentials, options, compression) |
95 | | - SchemaServiceStub.__init__(self, channel) |
96 | | - PermissionsServiceStub.__init__(self, channel) |
97 | | - ExperimentalServiceStub.__init__(self, channel) |
98 | | - WatchServiceStub.__init__(self, channel) |
| 102 | + self.init_stubs(channel) |
99 | 103 |
|
100 | 104 |
|
101 | | -class SyncClient( |
102 | | - SchemaServiceStub, PermissionsServiceStub, ExperimentalServiceStub, WatchServiceStub |
103 | | -): |
| 105 | +class SyncClient(Client): |
104 | 106 | """ |
105 | 107 | v1 Authzed gRPC API client, running synchronously. |
106 | 108 | """ |
107 | 109 |
|
108 | 110 | def __init__(self, target, credentials, options=None, compression=None): |
109 | 111 | channel = grpc.secure_channel(target, credentials, options, compression) |
110 | | - SchemaServiceStub.__init__(self, channel) |
111 | | - PermissionsServiceStub.__init__(self, channel) |
112 | | - ExperimentalServiceStub.__init__(self, channel) |
113 | | - WatchServiceStub.__init__(self, channel) |
| 112 | + self.init_stubs(channel) |
| 113 | + |
| 114 | + |
| 115 | +class TokenAuthorization(ClientInterceptor): |
| 116 | + def __init__(self, token: str): |
| 117 | + self._token = token |
| 118 | + |
| 119 | + def intercept( |
| 120 | + self, |
| 121 | + method: Callable, |
| 122 | + request_or_iterator: Any, |
| 123 | + call_details: grpc.ClientCallDetails, |
| 124 | + ): |
| 125 | + metadata: list[tuple[str, str | bytes]] = [("authorization", f"Bearer {self._token}")] |
| 126 | + if call_details.metadata is not None: |
| 127 | + metadata = [*metadata, *call_details.metadata] |
| 128 | + |
| 129 | + new_details = ClientCallDetails( |
| 130 | + call_details.method, |
| 131 | + call_details.timeout, |
| 132 | + metadata, |
| 133 | + call_details.credentials, |
| 134 | + call_details.wait_for_ready, |
| 135 | + call_details.compression, |
| 136 | + ) |
| 137 | + |
| 138 | + return method(request_or_iterator, new_details) |
| 139 | + |
| 140 | + |
| 141 | +class InsecureClient(Client): |
| 142 | + """ |
| 143 | + An insecure client variant for non-TLS contexts. |
| 144 | +
|
| 145 | + The default behavior of the python gRPC client is to restrict non-TLS |
| 146 | + calls to `localhost` only, which is frustrating in contexts like docker-compose, |
| 147 | + so we provide this as a convenience. |
| 148 | + """ |
| 149 | + |
| 150 | + def __init__( |
| 151 | + self, |
| 152 | + target: str, |
| 153 | + token: str, |
| 154 | + options=None, |
| 155 | + compression=None, |
| 156 | + ): |
| 157 | + fake_credentials = grpc.local_channel_credentials() |
| 158 | + channel = self.create_channel(target, fake_credentials, options, compression) |
| 159 | + auth_interceptor = TokenAuthorization(token) |
| 160 | + |
| 161 | + insecure_channel = grpc.insecure_channel(target, options, compression) |
| 162 | + channel = grpc.intercept_channel(insecure_channel, auth_interceptor) |
| 163 | + |
| 164 | + self.init_stubs(channel) |
114 | 165 |
|
115 | 166 |
|
116 | 167 | __all__ = [ |
|
0 commit comments