Diffstat (limited to 'go/vendor/gitlab.com/gitlab-org/gitaly/auth/rpccredentials.go')
-rw-r--r--go/vendor/gitlab.com/gitlab-org/gitaly/auth/rpccredentials.go31
1 files changed, 31 insertions, 0 deletions
diff --git a/go/vendor/gitlab.com/gitlab-org/gitaly/auth/rpccredentials.go b/go/vendor/gitlab.com/gitlab-org/gitaly/auth/rpccredentials.go
index cbe94c2..c35cd4d 100644
--- a/go/vendor/gitlab.com/gitlab-org/gitaly/auth/rpccredentials.go
+++ b/go/vendor/gitlab.com/gitlab-org/gitaly/auth/rpccredentials.go
@@ -2,6 +2,9 @@ package gitalyauth
import (
"encoding/base64"
+ "fmt"
+ "strconv"
+ "time"
"golang.org/x/net/context"
"google.golang.org/grpc/credentials"
@@ -23,3 +26,31 @@ func (*rpcCredentials) RequireTransportSecurity() bool { return false }
func (rc *rpcCredentials) GetRequestMetadata(context.Context, ...string) (map[string]string, error) {
return map[string]string{"authorization": "Bearer " + rc.token}, nil
}
+
+// RPCCredentialsV2 can be used with grpc.WithPerRPCCredentials to create a
+// grpc.DialOption that inserts an HMAC token with the current timestamp
+// for authentication with a Gitaly server.
+func RPCCredentialsV2(token string) credentials.PerRPCCredentials {
+ return &rpcCredentialsV2{token: token}
+}
+
+type rpcCredentialsV2 struct {
+ token string
+}
+
+func (*rpcCredentialsV2) RequireTransportSecurity() bool { return false }
+
+func (rc *rpcCredentialsV2) GetRequestMetadata(context.Context, ...string) (map[string]string, error) {
+ return map[string]string{"authorization": "Bearer " + rc.hmacToken()}, nil
+}
+
+func (rc *rpcCredentialsV2) hmacToken() string {
+ return hmacToken("v2", []byte(rc.token), time.Now())
+}
+
+func hmacToken(version string, secret []byte, timestamp time.Time) string {
+ intTime := timestamp.Unix()
+ signedTimestamp := hmacSign(secret, strconv.FormatInt(intTime, 10))
+
+ return fmt.Sprintf("%s.%x.%d", version, signedTimestamp, intTime)
+}