client.go

// Copyright 2020 StrongDM Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

// Package sdm implements an API client to strongDM restful API.
package sdm

// Code generated by protogen. DO NOT EDIT.

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/tls"
	"encoding/base64"
	"errors"
	"fmt"
	"math/rand"
	"net"
	"strings"
	"time"

	plumbing "github.com/strongdm/strongdm-sdk-go/v11/internal/v1"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/status"
	"google.golang.org/protobuf/proto"
)

const (
	defaultAPIHost   = "api.strongdm.com:443"
	apiVersion       = "2024-03-28"
	defaultUserAgent = "strongdm-sdk-go/11.22.0"
	defaultPageLimit = 50
)

var _ = metadata.Pairs

type dialer func(ctx context.Context, addr string) (net.Conn, error)

// Client is the strongDM API client implementation.
type Client struct {
	apiHost               string
	apiToken              string
	apiSecret             []byte
	apiInsecureTransport  bool
	apiTLSConfig          *tls.Config
	exposeRateLimitErrors bool
	userAgent             string
	disableSigning        bool
	pageLimit             int
	snapshotAt            time.Time
	dialer                dialer

	grpcConn *grpc.ClientConn

	maxRetries                       int
	baseRetryDelay                   time.Duration
	maxRetryDelay                    time.Duration
	accessRequests                   *AccessRequests
	accessRequestEventsHistory       *AccessRequestEventsHistory
	accessRequestsHistory            *AccessRequestsHistory
	accountAttachments               *AccountAttachments
	accountAttachmentsHistory        *AccountAttachmentsHistory
	accountGrants                    *AccountGrants
	accountGrantsHistory             *AccountGrantsHistory
	accountPermissions               *AccountPermissions
	accountResources                 *AccountResources
	accountResourcesHistory          *AccountResourcesHistory
	accounts                         *Accounts
	accountsHistory                  *AccountsHistory
	activities                       *Activities
	approvalWorkflowApprovers        *ApprovalWorkflowApprovers
	approvalWorkflowApproversHistory *ApprovalWorkflowApproversHistory
	approvalWorkflowSteps            *ApprovalWorkflowSteps
	approvalWorkflowStepsHistory     *ApprovalWorkflowStepsHistory
	approvalWorkflows                *ApprovalWorkflows
	approvalWorkflowsHistory         *ApprovalWorkflowsHistory
	controlPanel                     *ControlPanel
	healthChecks                     *HealthChecks
	identityAliases                  *IdentityAliases
	identityAliasesHistory           *IdentityAliasesHistory
	identitySets                     *IdentitySets
	identitySetsHistory              *IdentitySetsHistory
	nodes                            *Nodes
	nodesHistory                     *NodesHistory
	organizationHistory              *OrganizationHistory
	peeringGroupNodes                *PeeringGroupNodes
	peeringGroupPeers                *PeeringGroupPeers
	peeringGroupResources            *PeeringGroupResources
	peeringGroups                    *PeeringGroups
	policies                         *Policies
	policiesHistory                  *PoliciesHistory
	proxyClusterKeys                 *ProxyClusterKeys
	queries                          *Queries
	remoteIdentities                 *RemoteIdentities
	remoteIdentitiesHistory          *RemoteIdentitiesHistory
	remoteIdentityGroups             *RemoteIdentityGroups
	remoteIdentityGroupsHistory      *RemoteIdentityGroupsHistory
	replays                          *Replays
	resources                        *Resources
	resourcesHistory                 *ResourcesHistory
	roleResources                    *RoleResources
	roleResourcesHistory             *RoleResourcesHistory
	roles                            *Roles
	rolesHistory                     *RolesHistory
	secretStores                     *SecretStores
	secretStoreHealths               *SecretStoreHealths
	secretStoresHistory              *SecretStoresHistory
	workflowApprovers                *WorkflowApprovers
	workflowApproversHistory         *WorkflowApproversHistory
	workflowAssignments              *WorkflowAssignments
	workflowAssignmentsHistory       *WorkflowAssignmentsHistory
	workflowRoles                    *WorkflowRoles
	workflowRolesHistory             *WorkflowRolesHistory
	workflows                        *Workflows
	workflowsHistory                 *WorkflowsHistory
}

// New creates a new strongDM API client.
func New(token, secret string, opts ...ClientOption) (*Client, error) {
	token = strings.TrimSpace(token)
	secret = strings.TrimSpace(secret)
	decodedSecret, err := base64.StdEncoding.DecodeString(secret)
	if err != nil {
		return nil, convertErrorToPorcelain(fmt.Errorf("invalid secret: %w", err))
	}

	client := &Client{
		apiHost:        defaultAPIHost,
		maxRetries:     defaultMaxRetries,
		baseRetryDelay: defaultBaseRetryDelay,
		maxRetryDelay:  defaultMaxRetryDelay,
		apiToken:       token,
		apiSecret:      decodedSecret,
		userAgent:      defaultUserAgent,
		pageLimit:      defaultPageLimit,
	}

	for _, opt := range opts {
		opt(client)
	}

	var dialOpts []grpc.DialOption
	if client.apiInsecureTransport {
		dialOpts = append(dialOpts, grpc.WithInsecure())
	} else if client.apiTLSConfig != nil {
		dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(client.apiTLSConfig)))
	} else {
		dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
			RootCAs:            nil,
			InsecureSkipVerify: false,
		})))
	}
	if client.dialer != nil {
		dialOpts = append(dialOpts, grpc.WithContextDialer(client.dialer))
	}
	cc, err := grpc.Dial(client.apiHost, dialOpts...)
	if err != nil {
		return nil, convertErrorToPorcelain(fmt.Errorf("cannot dial API server: %w", err))
	}
	client.grpcConn = cc
	client.accessRequests = &AccessRequests{
		client: plumbing.NewAccessRequestsClient(client.grpcConn),
		parent: client,
	}
	client.accessRequestEventsHistory = &AccessRequestEventsHistory{
		client: plumbing.NewAccessRequestEventsHistoryClient(client.grpcConn),
		parent: client,
	}
	client.accessRequestsHistory = &AccessRequestsHistory{
		client: plumbing.NewAccessRequestsHistoryClient(client.grpcConn),
		parent: client,
	}
	client.accountAttachments = &AccountAttachments{
		client: plumbing.NewAccountAttachmentsClient(client.grpcConn),
		parent: client,
	}
	client.accountAttachmentsHistory = &AccountAttachmentsHistory{
		client: plumbing.NewAccountAttachmentsHistoryClient(client.grpcConn),
		parent: client,
	}
	client.accountGrants = &AccountGrants{
		client: plumbing.NewAccountGrantsClient(client.grpcConn),
		parent: client,
	}
	client.accountGrantsHistory = &AccountGrantsHistory{
		client: plumbing.NewAccountGrantsHistoryClient(client.grpcConn),
		parent: client,
	}
	client.accountPermissions = &AccountPermissions{
		client: plumbing.NewAccountPermissionsClient(client.grpcConn),
		parent: client,
	}
	client.accountResources = &AccountResources{
		client: plumbing.NewAccountResourcesClient(client.grpcConn),
		parent: client,
	}
	client.accountResourcesHistory = &AccountResourcesHistory{
		client: plumbing.NewAccountResourcesHistoryClient(client.grpcConn),
		parent: client,
	}
	client.accounts = &Accounts{
		client: plumbing.NewAccountsClient(client.grpcConn),
		parent: client,
	}
	client.accountsHistory = &AccountsHistory{
		client: plumbing.NewAccountsHistoryClient(client.grpcConn),
		parent: client,
	}
	client.activities = &Activities{
		client: plumbing.NewActivitiesClient(client.grpcConn),
		parent: client,
	}
	client.approvalWorkflowApprovers = &ApprovalWorkflowApprovers{
		client: plumbing.NewApprovalWorkflowApproversClient(client.grpcConn),
		parent: client,
	}
	client.approvalWorkflowApproversHistory = &ApprovalWorkflowApproversHistory{
		client: plumbing.NewApprovalWorkflowApproversHistoryClient(client.grpcConn),
		parent: client,
	}
	client.approvalWorkflowSteps = &ApprovalWorkflowSteps{
		client: plumbing.NewApprovalWorkflowStepsClient(client.grpcConn),
		parent: client,
	}
	client.approvalWorkflowStepsHistory = &ApprovalWorkflowStepsHistory{
		client: plumbing.NewApprovalWorkflowStepsHistoryClient(client.grpcConn),
		parent: client,
	}
	client.approvalWorkflows = &ApprovalWorkflows{
		client: plumbing.NewApprovalWorkflowsClient(client.grpcConn),
		parent: client,
	}
	client.approvalWorkflowsHistory = &ApprovalWorkflowsHistory{
		client: plumbing.NewApprovalWorkflowsHistoryClient(client.grpcConn),
		parent: client,
	}
	client.controlPanel = &ControlPanel{
		client: plumbing.NewControlPanelClient(client.grpcConn),
		parent: client,
	}
	client.healthChecks = &HealthChecks{
		client: plumbing.NewHealthChecksClient(client.grpcConn),
		parent: client,
	}
	client.identityAliases = &IdentityAliases{
		client: plumbing.NewIdentityAliasesClient(client.grpcConn),
		parent: client,
	}
	client.identityAliasesHistory = &IdentityAliasesHistory{
		client: plumbing.NewIdentityAliasesHistoryClient(client.grpcConn),
		parent: client,
	}
	client.identitySets = &IdentitySets{
		client: plumbing.NewIdentitySetsClient(client.grpcConn),
		parent: client,
	}
	client.identitySetsHistory = &IdentitySetsHistory{
		client: plumbing.NewIdentitySetsHistoryClient(client.grpcConn),
		parent: client,
	}
	client.nodes = &Nodes{
		client: plumbing.NewNodesClient(client.grpcConn),
		parent: client,
	}
	client.nodesHistory = &NodesHistory{
		client: plumbing.NewNodesHistoryClient(client.grpcConn),
		parent: client,
	}
	client.organizationHistory = &OrganizationHistory{
		client: plumbing.NewOrganizationHistoryClient(client.grpcConn),
		parent: client,
	}
	client.peeringGroupNodes = &PeeringGroupNodes{
		client: plumbing.NewPeeringGroupNodesClient(client.grpcConn),
		parent: client,
	}
	client.peeringGroupPeers = &PeeringGroupPeers{
		client: plumbing.NewPeeringGroupPeersClient(client.grpcConn),
		parent: client,
	}
	client.peeringGroupResources = &PeeringGroupResources{
		client: plumbing.NewPeeringGroupResourcesClient(client.grpcConn),
		parent: client,
	}
	client.peeringGroups = &PeeringGroups{
		client: plumbing.NewPeeringGroupsClient(client.grpcConn),
		parent: client,
	}
	client.policies = &Policies{
		client: plumbing.NewPoliciesClient(client.grpcConn),
		parent: client,
	}
	client.policiesHistory = &PoliciesHistory{
		client: plumbing.NewPoliciesHistoryClient(client.grpcConn),
		parent: client,
	}
	client.proxyClusterKeys = &ProxyClusterKeys{
		client: plumbing.NewProxyClusterKeysClient(client.grpcConn),
		parent: client,
	}
	client.queries = &Queries{
		client: plumbing.NewQueriesClient(client.grpcConn),
		parent: client,
	}
	client.remoteIdentities = &RemoteIdentities{
		client: plumbing.NewRemoteIdentitiesClient(client.grpcConn),
		parent: client,
	}
	client.remoteIdentitiesHistory = &RemoteIdentitiesHistory{
		client: plumbing.NewRemoteIdentitiesHistoryClient(client.grpcConn),
		parent: client,
	}
	client.remoteIdentityGroups = &RemoteIdentityGroups{
		client: plumbing.NewRemoteIdentityGroupsClient(client.grpcConn),
		parent: client,
	}
	client.remoteIdentityGroupsHistory = &RemoteIdentityGroupsHistory{
		client: plumbing.NewRemoteIdentityGroupsHistoryClient(client.grpcConn),
		parent: client,
	}
	client.replays = &Replays{
		client: plumbing.NewReplaysClient(client.grpcConn),
		parent: client,
	}
	client.resources = &Resources{
		client: plumbing.NewResourcesClient(client.grpcConn),
		parent: client,
	}
	client.resourcesHistory = &ResourcesHistory{
		client: plumbing.NewResourcesHistoryClient(client.grpcConn),
		parent: client,
	}
	client.roleResources = &RoleResources{
		client: plumbing.NewRoleResourcesClient(client.grpcConn),
		parent: client,
	}
	client.roleResourcesHistory = &RoleResourcesHistory{
		client: plumbing.NewRoleResourcesHistoryClient(client.grpcConn),
		parent: client,
	}
	client.roles = &Roles{
		client: plumbing.NewRolesClient(client.grpcConn),
		parent: client,
	}
	client.rolesHistory = &RolesHistory{
		client: plumbing.NewRolesHistoryClient(client.grpcConn),
		parent: client,
	}
	client.secretStores = &SecretStores{
		client: plumbing.NewSecretStoresClient(client.grpcConn),
		parent: client,
	}
	client.secretStoreHealths = &SecretStoreHealths{
		client: plumbing.NewSecretStoreHealthsClient(client.grpcConn),
		parent: client,
	}
	client.secretStoresHistory = &SecretStoresHistory{
		client: plumbing.NewSecretStoresHistoryClient(client.grpcConn),
		parent: client,
	}
	client.workflowApprovers = &WorkflowApprovers{
		client: plumbing.NewWorkflowApproversClient(client.grpcConn),
		parent: client,
	}
	client.workflowApproversHistory = &WorkflowApproversHistory{
		client: plumbing.NewWorkflowApproversHistoryClient(client.grpcConn),
		parent: client,
	}
	client.workflowAssignments = &WorkflowAssignments{
		client: plumbing.NewWorkflowAssignmentsClient(client.grpcConn),
		parent: client,
	}
	client.workflowAssignmentsHistory = &WorkflowAssignmentsHistory{
		client: plumbing.NewWorkflowAssignmentsHistoryClient(client.grpcConn),
		parent: client,
	}
	client.workflowRoles = &WorkflowRoles{
		client: plumbing.NewWorkflowRolesClient(client.grpcConn),
		parent: client,
	}
	client.workflowRolesHistory = &WorkflowRolesHistory{
		client: plumbing.NewWorkflowRolesHistoryClient(client.grpcConn),
		parent: client,
	}
	client.workflows = &Workflows{
		client: plumbing.NewWorkflowsClient(client.grpcConn),
		parent: client,
	}
	client.workflowsHistory = &WorkflowsHistory{
		client: plumbing.NewWorkflowsHistoryClient(client.grpcConn),
		parent: client,
	}
	return client, nil
}

// Close will close the internal GRPC connection to strongDM. If the client is
// not initialized will return an error. Attempting to use the client after
// Close() may cause panics.
func (c *Client) Close() error {
	if c == nil {
		return &UnknownError{Wrapped: fmt.Errorf("cannot close nil client")}
	}
	if c.grpcConn == nil {
		return &UnknownError{Wrapped: fmt.Errorf("cannot close nil grpc client")}
	}
	return c.grpcConn.Close()
}

// A ClientOption is an optional argument to New that can override the created
// client's default behavior.
type ClientOption func(c *Client)

// WithHost causes a Client to make it's calls against the provided host instead
// of against api.strongdm.com.
func WithHost(host string) ClientOption {
	return func(c *Client) {
		c.apiHost = host
	}
}

// WithPageLimit will set the page limit used for list commands i.e. the number of results
// that list calls will return per request to the StrongDM control plane. The interface for
// listing does not directly expose this limit, but it may be useful to manipulate it to reduce
// network callouts, or optimize clients if expecting few results. If not provided, the default
// is 50.
func WithPageLimit(limit int) ClientOption {
	return func(c *Client) {
		c.pageLimit = limit
	}
}

// WithInsecure enables a Client to talk to an http server instead of an https
// server. This is potentially useful when communicating through a proxy, but
// should be used with care.
func WithInsecure() ClientOption {
	return func(c *Client) {
		c.apiInsecureTransport = true
	}
}

// WithTLSConfig allows customization of the TLS configuration used to
// communicate with the API server.
func WithTLSConfig(cfg *tls.Config) ClientOption {
	return func(c *Client) {
		c.apiTLSConfig = cfg
	}
}

// WithUserAgentExtra modifies the user agent string to include additional identifying
// information for server-side analytics. The intended use is by extension libraries,
// like a terraform provider wrapping this client.
func WithUserAgentExtra(userAgentExtra string) ClientOption {
	return func(c *Client) {
		c.userAgent += " " + userAgentExtra
	}
}

// WithRateLimitRetries configures whether encountered rate limit errors should
// cause this client to sleep and retry (if enabled), or whether those errors should be
// exposed to the code using this client (if disabled). By default, it is enabled.
func WithRateLimitRetries(enabled bool) ClientOption {
	return func(c *Client) {
		c.exposeRateLimitErrors = !enabled
	}
}

// AccessRequests are requests for access to a resource that may match a Workflow.
func (c *Client) AccessRequests() *AccessRequests {
	return c.accessRequests
}

// AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest.
func (c *Client) AccessRequestEventsHistory() *AccessRequestEventsHistory {
	return c.accessRequestEventsHistory
}

// AccessRequestsHistory provides records of all changes to the state of an AccessRequest.
func (c *Client) AccessRequestsHistory() *AccessRequestsHistory {
	return c.accessRequestsHistory
}

// AccountAttachments assign an account to a role.
func (c *Client) AccountAttachments() *AccountAttachments {
	return c.accountAttachments
}

// AccountAttachmentsHistory records all changes to the state of an AccountAttachment.
func (c *Client) AccountAttachmentsHistory() *AccountAttachmentsHistory {
	return c.accountAttachmentsHistory
}

// AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
func (c *Client) AccountGrants() *AccountGrants {
	return c.accountGrants
}

// AccountGrantsHistory records all changes to the state of an AccountGrant.
func (c *Client) AccountGrantsHistory() *AccountGrantsHistory {
	return c.accountGrantsHistory
}

// AccountPermissions records the granular permissions accounts have, allowing them to execute
// relevant commands via StrongDM's APIs.
func (c *Client) AccountPermissions() *AccountPermissions {
	return c.accountPermissions
}

// AccountResources enumerates the resources to which accounts have access.
// The AccountResources service is read-only.
func (c *Client) AccountResources() *AccountResources {
	return c.accountResources
}

// AccountResourcesHistory records all changes to the state of a AccountResource.
func (c *Client) AccountResourcesHistory() *AccountResourcesHistory {
	return c.accountResourcesHistory
}

// Accounts are users that have access to strongDM. There are two types of accounts:
// 1. **Users:** humans who are authenticated through username and password or SSO.
// 2. **Service Accounts:** machines that are authenticated using a service token.
// 3. **Tokens** are access keys with permissions that can be used for authentication.
func (c *Client) Accounts() *Accounts {
	return c.accounts
}

// AccountsHistory records all changes to the state of an Account.
func (c *Client) AccountsHistory() *AccountsHistory {
	return c.accountsHistory
}

// An Activity is a record of an action taken against a strongDM deployment, e.g.
// a user creation, resource deletion, sso configuration change, etc. The Activities
// service is read-only.
func (c *Client) Activities() *Activities {
	return c.activities
}

// ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep
func (c *Client) ApprovalWorkflowApprovers() *ApprovalWorkflowApprovers {
	return c.approvalWorkflowApprovers
}

// ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover.
func (c *Client) ApprovalWorkflowApproversHistory() *ApprovalWorkflowApproversHistory {
	return c.approvalWorkflowApproversHistory
}

// ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow
func (c *Client) ApprovalWorkflowSteps() *ApprovalWorkflowSteps {
	return c.approvalWorkflowSteps
}

// ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep.
func (c *Client) ApprovalWorkflowStepsHistory() *ApprovalWorkflowStepsHistory {
	return c.approvalWorkflowStepsHistory
}

// ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized
// approvers and be approved or denied.
func (c *Client) ApprovalWorkflows() *ApprovalWorkflows {
	return c.approvalWorkflows
}

// ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow.
func (c *Client) ApprovalWorkflowsHistory() *ApprovalWorkflowsHistory {
	return c.approvalWorkflowsHistory
}

// ControlPanel contains all administrative controls.
func (c *Client) ControlPanel() *ControlPanel {
	return c.controlPanel
}

// HealthChecks lists the last healthcheck between each node and resource.
// Note the unconventional capitalization here is to prevent having a collision with GRPC
func (c *Client) HealthChecks() *HealthChecks {
	return c.healthChecks
}

// IdentityAliases assign an alias to an account within an IdentitySet.
// The alias is used as the username when connecting to a identity supported resource.
func (c *Client) IdentityAliases() *IdentityAliases {
	return c.identityAliases
}

// IdentityAliasesHistory records all changes to the state of a IdentityAlias.
func (c *Client) IdentityAliasesHistory() *IdentityAliasesHistory {
	return c.identityAliasesHistory
}

// A IdentitySet is a named grouping of Identity Aliases for Accounts.
// An Account's relationship to a IdentitySet is defined via IdentityAlias objects.
func (c *Client) IdentitySets() *IdentitySets {
	return c.identitySets
}

// IdentitySetsHistory records all changes to the state of a IdentitySet.
func (c *Client) IdentitySetsHistory() *IdentitySetsHistory {
	return c.identitySetsHistory
}

// Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
// - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
// - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
func (c *Client) Nodes() *Nodes {
	return c.nodes
}

// NodesHistory records all changes to the state of a Node.
func (c *Client) NodesHistory() *NodesHistory {
	return c.nodesHistory
}

// OrganizationHistory records all changes to the state of an Organization.
func (c *Client) OrganizationHistory() *OrganizationHistory {
	return c.organizationHistory
}

// PeeringGroupNodes provides the building blocks necessary to obtain attach a node to a peering group.
func (c *Client) PeeringGroupNodes() *PeeringGroupNodes {
	return c.peeringGroupNodes
}

// PeeringGroupPeers provides the building blocks necessary to link two peering groups.
func (c *Client) PeeringGroupPeers() *PeeringGroupPeers {
	return c.peeringGroupPeers
}

// PeeringGroupResources provides the building blocks necessary to obtain attach a resource to a peering group.
func (c *Client) PeeringGroupResources() *PeeringGroupResources {
	return c.peeringGroupResources
}

// PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing.
func (c *Client) PeeringGroups() *PeeringGroups {
	return c.peeringGroups
}

// Policies are the collection of one or more statements that enforce fine-grained access
// control for the users of an organization.
func (c *Client) Policies() *Policies {
	return c.policies
}

// PoliciesHistory records all changes to the state of a Policy.
func (c *Client) PoliciesHistory() *PoliciesHistory {
	return c.policiesHistory
}

// Proxy Cluster Keys are authentication keys for all proxies within a cluster.
// The proxies within a cluster share the same key. One cluster can have
// multiple keys in order to facilitate key rotation.
func (c *Client) ProxyClusterKeys() *ProxyClusterKeys {
	return c.proxyClusterKeys
}

// A Query is a record of a single client request to a resource, such as a SQL query.
// Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries.
// The Queries service is read-only.
func (c *Client) Queries() *Queries {
	return c.queries
}

// RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.
func (c *Client) RemoteIdentities() *RemoteIdentities {
	return c.remoteIdentities
}

// RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.
func (c *Client) RemoteIdentitiesHistory() *RemoteIdentitiesHistory {
	return c.remoteIdentitiesHistory
}

// A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts.
// An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.
func (c *Client) RemoteIdentityGroups() *RemoteIdentityGroups {
	return c.remoteIdentityGroups
}

// RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.
func (c *Client) RemoteIdentityGroupsHistory() *RemoteIdentityGroupsHistory {
	return c.remoteIdentityGroupsHistory
}

// A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session
// (otherwise referred to as a query). The Replays service is read-only.
func (c *Client) Replays() *Replays {
	return c.replays
}

// Resources are databases, servers, clusters, websites, or clouds that strongDM
// delegates access to.
func (c *Client) Resources() *Resources {
	return c.resources
}

// ResourcesHistory records all changes to the state of a Resource.
func (c *Client) ResourcesHistory() *ResourcesHistory {
	return c.resourcesHistory
}

// RoleResources enumerates the resources to which roles have access.
// The RoleResources service is read-only.
func (c *Client) RoleResources() *RoleResources {
	return c.roleResources
}

// RoleResourcesHistory records all changes to the state of a RoleResource.
func (c *Client) RoleResourcesHistory() *RoleResourcesHistory {
	return c.roleResourcesHistory
}

// A Role has a list of access rules which determine which Resources the members
// of the Role have access to. An Account can be a member of multiple Roles via
// AccountAttachments.
func (c *Client) Roles() *Roles {
	return c.roles
}

// RolesHistory records all changes to the state of a Role.
func (c *Client) RolesHistory() *RolesHistory {
	return c.rolesHistory
}

// SecretStores are servers where resource secrets (passwords, keys) are stored.
func (c *Client) SecretStores() *SecretStores {
	return c.secretStores
}

// SecretStoreHealths exposes health states for secret stores.
func (c *Client) SecretStoreHealths() *SecretStoreHealths {
	return c.secretStoreHealths
}

// SecretStoresHistory records all changes to the state of a SecretStore.
func (c *Client) SecretStoresHistory() *SecretStoresHistory {
	return c.secretStoresHistory
}

// WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow.
func (c *Client) WorkflowApprovers() *WorkflowApprovers {
	return c.workflowApprovers
}

// WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover.
func (c *Client) WorkflowApproversHistory() *WorkflowApproversHistory {
	return c.workflowApproversHistory
}

// WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request
// access to via the workflow.
func (c *Client) WorkflowAssignments() *WorkflowAssignments {
	return c.workflowAssignments
}

// WorkflowAssignmentsHistory provides records of all changes to the state of a WorkflowAssignment.
func (c *Client) WorkflowAssignmentsHistory() *WorkflowAssignmentsHistory {
	return c.workflowAssignmentsHistory
}

// WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of
// to request access to a resource via the workflow.
func (c *Client) WorkflowRoles() *WorkflowRoles {
	return c.workflowRoles
}

// WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole
func (c *Client) WorkflowRolesHistory() *WorkflowRolesHistory {
	return c.workflowRolesHistory
}

// Workflows are the collection of rules that define the resources to which access can be requested,
// the users that can request that access, and the mechanism for approving those requests which can either
// be automatic approval or a set of users authorized to approve the requests.
func (c *Client) Workflows() *Workflows {
	return c.workflows
}

// WorkflowsHistory provides records of all changes to the state of a Workflow.
func (c *Client) WorkflowsHistory() *WorkflowsHistory {
	return c.workflowsHistory
}

type SnapshotClient struct {
	client *Client
}

// SnapshotAt constructs a read-only client that will provide historical data
// from the provided timestamp.
func (c *Client) SnapshotAt(t time.Time) *SnapshotClient {
	clientCopy := *c
	snapshotClient := &SnapshotClient{&clientCopy}
	snapshotClient.client.snapshotAt = t
	snapshotClient.client.accessRequests = &AccessRequests{
		client: plumbing.NewAccessRequestsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.accountAttachments = &AccountAttachments{
		client: plumbing.NewAccountAttachmentsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.accountGrants = &AccountGrants{
		client: plumbing.NewAccountGrantsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.accountPermissions = &AccountPermissions{
		client: plumbing.NewAccountPermissionsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.accountResources = &AccountResources{
		client: plumbing.NewAccountResourcesClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.accounts = &Accounts{
		client: plumbing.NewAccountsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.approvalWorkflowApprovers = &ApprovalWorkflowApprovers{
		client: plumbing.NewApprovalWorkflowApproversClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.approvalWorkflowSteps = &ApprovalWorkflowSteps{
		client: plumbing.NewApprovalWorkflowStepsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.approvalWorkflows = &ApprovalWorkflows{
		client: plumbing.NewApprovalWorkflowsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.identityAliases = &IdentityAliases{
		client: plumbing.NewIdentityAliasesClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.identitySets = &IdentitySets{
		client: plumbing.NewIdentitySetsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.nodes = &Nodes{
		client: plumbing.NewNodesClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.policies = &Policies{
		client: plumbing.NewPoliciesClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.proxyClusterKeys = &ProxyClusterKeys{
		client: plumbing.NewProxyClusterKeysClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.remoteIdentities = &RemoteIdentities{
		client: plumbing.NewRemoteIdentitiesClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.remoteIdentityGroups = &RemoteIdentityGroups{
		client: plumbing.NewRemoteIdentityGroupsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.resources = &Resources{
		client: plumbing.NewResourcesClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.roleResources = &RoleResources{
		client: plumbing.NewRoleResourcesClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.roles = &Roles{
		client: plumbing.NewRolesClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.secretStores = &SecretStores{
		client: plumbing.NewSecretStoresClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.workflowApprovers = &WorkflowApprovers{
		client: plumbing.NewWorkflowApproversClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.workflowAssignments = &WorkflowAssignments{
		client: plumbing.NewWorkflowAssignmentsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.workflowRoles = &WorkflowRoles{
		client: plumbing.NewWorkflowRolesClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	snapshotClient.client.workflows = &Workflows{
		client: plumbing.NewWorkflowsClient(snapshotClient.client.grpcConn),
		parent: snapshotClient.client,
	}
	return snapshotClient
}

// AccessRequests are requests for access to a resource that may match a Workflow.
func (c *SnapshotClient) AccessRequests() SnapshotAccessRequests {
	return c.client.accessRequests
}

// AccountAttachments assign an account to a role.
func (c *SnapshotClient) AccountAttachments() SnapshotAccountAttachments {
	return c.client.accountAttachments
}

// AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
func (c *SnapshotClient) AccountGrants() SnapshotAccountGrants {
	return c.client.accountGrants
}

// AccountPermissions records the granular permissions accounts have, allowing them to execute
// relevant commands via StrongDM's APIs.
func (c *SnapshotClient) AccountPermissions() SnapshotAccountPermissions {
	return c.client.accountPermissions
}

// AccountResources enumerates the resources to which accounts have access.
// The AccountResources service is read-only.
func (c *SnapshotClient) AccountResources() SnapshotAccountResources {
	return c.client.accountResources
}

// Accounts are users that have access to strongDM. There are two types of accounts:
// 1. **Users:** humans who are authenticated through username and password or SSO.
// 2. **Service Accounts:** machines that are authenticated using a service token.
// 3. **Tokens** are access keys with permissions that can be used for authentication.
func (c *SnapshotClient) Accounts() SnapshotAccounts {
	return c.client.accounts
}

// ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep
func (c *SnapshotClient) ApprovalWorkflowApprovers() SnapshotApprovalWorkflowApprovers {
	return c.client.approvalWorkflowApprovers
}

// ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow
func (c *SnapshotClient) ApprovalWorkflowSteps() SnapshotApprovalWorkflowSteps {
	return c.client.approvalWorkflowSteps
}

// ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized
// approvers and be approved or denied.
func (c *SnapshotClient) ApprovalWorkflows() SnapshotApprovalWorkflows {
	return c.client.approvalWorkflows
}

// IdentityAliases assign an alias to an account within an IdentitySet.
// The alias is used as the username when connecting to a identity supported resource.
func (c *SnapshotClient) IdentityAliases() SnapshotIdentityAliases {
	return c.client.identityAliases
}

// A IdentitySet is a named grouping of Identity Aliases for Accounts.
// An Account's relationship to a IdentitySet is defined via IdentityAlias objects.
func (c *SnapshotClient) IdentitySets() SnapshotIdentitySets {
	return c.client.identitySets
}

// Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
// - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
// - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
func (c *SnapshotClient) Nodes() SnapshotNodes {
	return c.client.nodes
}

// Policies are the collection of one or more statements that enforce fine-grained access
// control for the users of an organization.
func (c *SnapshotClient) Policies() SnapshotPolicies {
	return c.client.policies
}

// Proxy Cluster Keys are authentication keys for all proxies within a cluster.
// The proxies within a cluster share the same key. One cluster can have
// multiple keys in order to facilitate key rotation.
func (c *SnapshotClient) ProxyClusterKeys() SnapshotProxyClusterKeys {
	return c.client.proxyClusterKeys
}

// RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.
func (c *SnapshotClient) RemoteIdentities() SnapshotRemoteIdentities {
	return c.client.remoteIdentities
}

// A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts.
// An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.
func (c *SnapshotClient) RemoteIdentityGroups() SnapshotRemoteIdentityGroups {
	return c.client.remoteIdentityGroups
}

// Resources are databases, servers, clusters, websites, or clouds that strongDM
// delegates access to.
func (c *SnapshotClient) Resources() SnapshotResources {
	return c.client.resources
}

// RoleResources enumerates the resources to which roles have access.
// The RoleResources service is read-only.
func (c *SnapshotClient) RoleResources() SnapshotRoleResources {
	return c.client.roleResources
}

// A Role has a list of access rules which determine which Resources the members
// of the Role have access to. An Account can be a member of multiple Roles via
// AccountAttachments.
func (c *SnapshotClient) Roles() SnapshotRoles {
	return c.client.roles
}

// SecretStores are servers where resource secrets (passwords, keys) are stored.
func (c *SnapshotClient) SecretStores() SnapshotSecretStores {
	return c.client.secretStores
}

// WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow.
func (c *SnapshotClient) WorkflowApprovers() SnapshotWorkflowApprovers {
	return c.client.workflowApprovers
}

// WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request
// access to via the workflow.
func (c *SnapshotClient) WorkflowAssignments() SnapshotWorkflowAssignments {
	return c.client.workflowAssignments
}

// WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of
// to request access to a resource via the workflow.
func (c *SnapshotClient) WorkflowRoles() SnapshotWorkflowRoles {
	return c.client.workflowRoles
}

// Workflows are the collection of rules that define the resources to which access can be requested,
// the users that can request that access, and the mechanism for approving those requests which can either
// be automatic approval or a set of users authorized to approve the requests.
func (c *SnapshotClient) Workflows() SnapshotWorkflows {
	return c.client.workflows
}

// Sign returns the signature for the given byte array
func (c *Client) Sign(methodName string, message []byte) string {
	if c.disableSigning {
		return ""
	}
	// Current UTC date
	y, m, d := time.Now().UTC().Date()
	currentUTCDate := fmt.Sprintf("%04d-%02d-%02d", y, m, d)

	signingKey := hmacHelper(c.apiSecret, []byte(currentUTCDate))
	signingKey = hmacHelper(signingKey, []byte("sdm_api_v1"))

	hash := sha256.New()
	hash.Write([]byte(methodName))
	hash.Write([]byte{'\n'})
	hash.Write(message)
	hashedMessage := hash.Sum(nil)

	return base64.StdEncoding.EncodeToString(hmacHelper(signingKey, hashedMessage))
}

func hmacHelper(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

func (c *Client) wrapContext(ctx context.Context, req proto.Message, methodName string) context.Context {
	msg, _ := proto.Marshal(req)
	return metadata.NewOutgoingContext(ctx, metadata.New(map[string]string{
		"x-sdm-authentication": c.apiToken,
		"x-sdm-signature":      c.Sign(methodName, msg),
		"x-sdm-api-version":    apiVersion,
		"x-sdm-user-agent":     c.userAgent,
	}))
}

// These defaults are taken from AWS. Customization of these values
// is a future step in the API.
const (
	defaultMaxRetries     = 3
	defaultBaseRetryDelay = 30 * time.Millisecond
	defaultMaxRetryDelay  = 300 * time.Second
)

func (c *Client) jitterSleep(iter int) {
	durMax := c.baseRetryDelay * time.Duration(2<<iter)
	if durMax > c.maxRetryDelay {
		durMax = c.maxRetryDelay
	}
	// This is a full jitter, ranging from no delay to the maximum
	// this jittering aims to prevent clients that start and conflict
	// at the same time from retrying at the same intervals
	dur := rand.Intn(int(durMax))
	// TODO: use resource.Retry instead of time.Sleep in Terraform provider
	// see https://github.com/bflad/tfproviderlint/tree/main/passes/R018
	time.Sleep(time.Duration(dur)) //lintignore:R018
}

func (c *Client) shouldRetry(iter int, err error) bool {
	if iter >= c.maxRetries-1 {
		return false
	}
	// Internal and unknown errors should be retried
	// Other error types are likely not brief temporary errors
	if s, ok := status.FromError(err); ok {
		if !c.exposeRateLimitErrors && s.Code() == codes.ResourceExhausted {
			var rateLimitError *RateLimitError
			if err != nil && errors.As(convertErrorToPorcelain(err), &rateLimitError) {
				waitFor := time.Until(rateLimitError.RateLimit.ResetAt)
				// If timezones or clock drift causes this calculation to fail,
				// wait at most one minute.
				if waitFor < 0 || waitFor > time.Minute {
					waitFor = time.Minute
				}
				// TODO: use resource.Retry instead of time.Sleep in Terraform provider
				// see https://github.com/bflad/tfproviderlint/tree/main/passes/R018
				time.Sleep(waitFor) //lintignore:R018
			}
			return true
		}
		return s.Code() == codes.Internal || s.Code() == codes.Unavailable
	}
	return true
}