// WithPerRPCCredentials returns a DialOption which sets credentials and places
// auth state on each outbound RPC.
func WithPerRPCCredentials(creds credentials.PerRPCCredentials) DialOption {
    ...
}

// PerRPCCredentials defines the common interface for the credentials which need to
// attach security information to every RPC (e.g., oauth2).
type PerRPCCredentials interface {
    // GetRequestMetadata gets the current request metadata, refreshing
    // tokens if required. This should be called by the transport layer on
    // each request, and the data should be populated in headers or other
    // context. If a status code is returned, it will be used as the status
    // for the RPC. uri is the URI of the entry point for the request.
    // When supported by the underlying implementation, ctx can be used for
    // timeout and cancellation.
    // TODO(zhaoq): Define the set of the qualified keys instead of leaving
    // it as an arbitrary string.
    GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
    // RequireTransportSecurity indicates whether the credentials requires
    // transport security.
    RequireTransportSecurity() bool
}

type tokenAuth struct {
    token string
}

// Return value is mapped to request headers.
func (t *tokenAuth) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
    return map[string]string{
        "authorization": "Bearer " + t.token,
    }, nil
}

// 是否使用 TLS 安全加密
func (t *tokenAuth) RequireTransportSecurity() bool {
    return true
}

// Package main implements a client for Echo service.
package main

import (
    "context"
    "flag"
    "fmt"
    "log"

    "google.golang.org/grpc/credentials"

    pb "github.com/wangy8961/grpc-go-tutorial/features/echopb"
    "google.golang.org/grpc"
)

type tokenAuth struct {
    token string
}

// Return value is mapped to request headers.
func (t *tokenAuth) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
    return map[string]string{
        "authorization": "Bearer " + t.token,
    }, nil
}

// 是否使用 TLS 安全加密
func (t *tokenAuth) RequireTransportSecurity() bool {
    return true
}

func main() {
    addr := flag.String("addr", "localhost:50051", "the address to connect to")
    certFile := flag.String("cacert", "cacert.pem", "CA root certificate")
    flag.Parse()

    creds, err := credentials.NewClientTLSFromFile(*certFile, "")
    if err != nil {
        log.Fatalf("failed to load CA root certificate: %v", err)
    }

    opts := []grpc.DialOption{
        // 1. TLS 认证
        grpc.WithTransportCredentials(creds),
        // 2. token 认证
        grpc.WithPerRPCCredentials(&tokenAuth{
            token: "some-secret-token",
        }),
    }

    // Set up a connection to the server.
    conn, err := grpc.Dial(*addr, opts...) // To call service methods, we first need to create a gRPC channel to communicate with the server. We create this by passing the server address and port number to grpc.Dial()
    if err != nil {
        log.Fatalf("did not connect: %v", err)
    }
    defer conn.Close()

    c := pb.NewEchoClient(conn) // Once the gRPC channel is setup, we need a client stub to perform RPCs. We get this using the NewEchoClient method provided in the pb package we generated from our .proto.

    // Contact the server and print out its response.
    msg := "madmalls.com"
    resp, err := c.UnaryEcho(context.Background(), &pb.EchoRequest{Message: msg}) // Now let’s look at how we call our service methods. Note that in gRPC-Go, RPCs operate in a blocking/synchronous mode, which means that the RPC call waits for the server to respond, and will either return a response or an error.
    if err != nil {
        log.Fatalf("failed to call UnaryEcho: %v", err)
    }
    fmt.Printf("response:\n")
    fmt.Printf(" - %q\n", resp.GetMessage())
}

// FromIncomingContext returns the incoming metadata in ctx if it exists.  The
// returned MD should not be modified. Writing to it may cause races.
// Modification should be made to copies of the returned MD.
func FromIncomingContext(ctx context.Context) (md MD, ok bool) {
    ...
}

// MD is a mapping from metadata keys to values.
type MD map[string][]string

// Package main implements a server for Echo service.
package main

import (
    "context"
    "flag"
    "fmt"
    "log"
    "net"
    "strings"

    pb "github.com/wangy8961/grpc-go-tutorial/features/echopb"
    "google.golang.org/grpc"
    "google.golang.org/grpc/codes"
    "google.golang.org/grpc/credentials"
    "google.golang.org/grpc/metadata"
    "google.golang.org/grpc/status"
)

// server is used to implement echopb.EchoServer.
type server struct{}

/*
func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) {
    return nil, status.Errorf(codes.Unimplemented, "method UnaryEcho not implemented")
}
*/
func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) {
    fmt.Printf("--- gRPC Unary RPC ---\n")
    fmt.Printf("request received: %v\n", req)

    // md 的值类似于: map[:authority:[192.168.40.123:50051] authorization:[Bearer some-secret-token] content-type:[application/grpc] user-agent:[grpc-go/1.20.1]]
    md, ok := metadata.FromIncomingContext(ctx)
    if !ok {
        return nil, status.Errorf(codes.InvalidArgument, "missing metadata")
    }
    fmt.Printf("Type of 'metadata.MD' is %T, and its value is %v \n", md, md)

    // 1. 判断是否存在 authorization 请求头
    authorization, ok := md["authorization"]
    if !ok {
        return nil, status.Errorf(codes.Unauthenticated, `missing "Authorization" header`)
    }
    fmt.Printf("Type of 'authorization' is %T, and its value is %v \n", authorization, authorization)

    const prefix = "Bearer "