feat: hashicorp-grpc plugin implementation

Signed-off-by: Jimil Desai <[email protected]>

Author: jimil749

go.mod

@@ -8,4 +8,6 @@ require (
 	github.com/hashicorp/go-hclog v0.14.1
 	github.com/hashicorp/go-plugin v1.4.2
 	github.com/natefinch/pie v0.0.0-20170715172608-9a0d72014007
+	google.golang.org/grpc v1.37.0
+	google.golang.org/protobuf v1.26.0
 )

hashicorp-plugin-grpc

@@ -21,7 +21,7 @@ func main() {
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: shared.Handshake,
 		Plugins:         shared.PluginMap,
-		Cmd:             exec.Command("./hashicorp-plugin"),
+		Cmd:             exec.Command("./hashicorp-plugin-grpc"),
 		AllowedProtocols: []plugin.Protocol{
 			plugin.ProtocolNetRPC, plugin.ProtocolGRPC},
 	})
@@ -35,7 +35,7 @@ func main() {
 	}
 
 	// Request the plugin
-	raw, err := rpcClient.Dispense("json")
+	raw, err := rpcClient.Dispense("json_grpc")
 	if err != nil {
 		fmt.Println("Error:", err.Error())
 		os.Exit(1)

main.go

@@ -0,0 +1,108 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"io/ioutil"
+	"strings"
+
+	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	"github.com/cs3org/reva/pkg/errtypes"
+	"github.com/hashicorp/go-plugin"
+	"github.com/jimil749/reva-plugin-benchmark/pkg/shared"
+)
+
+// Here is a real implementation of Manager
+type Manager struct {
+	users []*userpb.User
+}
+
+func (m *Manager) OnLoad(userFile string) error {
+	f, err := ioutil.ReadFile(userFile)
+	if err != nil {
+		return err
+	}
+
+	users := []*userpb.User{}
+
+	err = json.Unmarshal(f, &users)
+	if err != nil {
+		return err
+	}
+
+	m.users = users
+
+	return nil
+}
+
+func (m *Manager) GetUser(uid *userpb.UserId) (*userpb.User, error) {
+	for _, u := range m.users {
+		if (u.Id.GetOpaqueId() == uid.OpaqueId || u.Username == uid.OpaqueId) && (uid.Idp == "" || uid.Idp == u.Id.GetIdp()) {
+			return u, nil
+		}
+	}
+	return nil, nil
+}
+
+func (m *Manager) GetUserByClaim(claim, value string) (*userpb.User, error) {
+	for _, u := range m.users {
+		if userClaim, err := extractClaim(u, claim); err == nil && value == userClaim {
+			return u, nil
+		}
+	}
+	return nil, errtypes.NotFound(value)
+}
+
+func extractClaim(u *userpb.User, claim string) (string, error) {
+	switch claim {
+	case "mail":
+		return u.Mail, nil
+	case "username":
+		return u.Username, nil
+	case "uid":
+		if u.Opaque != nil && u.Opaque.Map != nil {
+			if uidObj, ok := u.Opaque.Map["uid"]; ok {
+				if uidObj.Decoder == "plain" {
+					return string(uidObj.Value), nil
+				}
+			}
+		}
+	}
+	return "", errors.New("json: invalid field")
+}
+
+// TODO(jfd) search Opaque? compare sub?
+func userContains(u *userpb.User, query string) bool {
+	query = strings.ToLower(query)
+	return strings.Contains(strings.ToLower(u.Username), query) || strings.Contains(strings.ToLower(u.DisplayName), query) ||
+		strings.Contains(strings.ToLower(u.Mail), query) || strings.Contains(strings.ToLower(u.Id.OpaqueId), query)
+}
+
+func (m *Manager) FindUsers(query string) ([]*userpb.User, error) {
+	users := []*userpb.User{}
+	for _, u := range m.users {
+		if userContains(u, query) {
+			users = append(users, u)
+		}
+	}
+	return users, nil
+}
+
+func (m *Manager) GetUserGroups(uid *userpb.UserId) ([]string, error) {
+	user, err := m.GetUser(uid)
+	if err != nil {
+		return nil, err
+	}
+	return user.Groups, nil
+}
+
+func main() {
+	plugin.Serve(&plugin.ServeConfig{
+		HandshakeConfig: shared.Handshake,
+		Plugins: map[string]plugin.Plugin{
+			"json_grpc": &shared.JSONPluginGRPC{Impl: &Manager{}},
+		},
+
+		GRPCServer: plugin.DefaultGRPCServer,
+	})
+}

pkg/plugins/hashicorp/grpc/main.go

@@ -0,0 +1,350 @@
+syntax = "proto3";
+package proto;
+
+option go_package="github.com/jimil749/reva-plugin-benchmark/pkg/proto/manager";
+
+// A UserId represents a user.
+message UserId {
+  // REQUIRED.
+  // The identity provider for the user.
+  string idp = 1;
+  // REQUIRED.
+  // the unique identifier for the user in the scope of
+  // the identity provider.
+  string opaque_id = 2;
+  // REQUIRED.
+  // The type of user.
+  UserType type = 3;
+}
+
+// Represents a user of the system.
+message User {
+  UserId id = 1;
+  string username = 2;
+  string mail = 3;
+  bool mail_verified = 4;
+  string display_name = 5;
+  repeated string groups = 6;
+  Opaque opaque = 7;
+  int64 uid_number = 8;
+  int64 gid_number = 9;
+}
+
+message Opaque {
+  // REQUIRED.
+  map<string, OpaqueEntry> map = 1;
+}
+
+message Status {
+  // REQUIRED.
+  // The status code, which should be an enum value of [cs3.rpc.code][cs3.rpc.code].
+  Code code = 1;
+  // OPTIONAL.
+  // A developer-facing error message, which should be in English. Any
+  // user-facing error message should be localized and sent in the
+  string message = 2;
+  // OPTIONAL.
+  // A trace added to the response for helping support to identify client problems.
+  string trace = 3;
+  // OPTIONAL.
+  // A target URI as per RFC3986 to redirect requests to another location.
+  // A Status message with CODE_REDIRECT MUST always set the target_uri.
+  // https://golang.org/pkg/net/url/#URL provides a quick view of the format.
+  string target_uri = 4;
+}
+
+enum Code {
+  // A programmer would not intentionally set the code to CODE_INVALID.
+  // This code exists to force service implementors to set
+  // a specific code for the API call and to not rely on defaults.
+  //
+  // HTTP Mapping: 500 Internal Server Error
+  CODE_INVALID = 0;
+  // Not an error; returned on success
+  //
+  // HTTP Mapping: 200 OK
+  CODE_OK = 1;
+  // The operation was cancelled, typically by the caller.
+  //
+  // HTTP Mapping: 499 Client Closed Request
+  CODE_CANCELLED = 2;
+  // Unknown error.  For example, this error may be returned when
+  // a `Status` value received from another address space belongs to
+  // an error space that is not known in this address space.  Also
+  // errors raised by APIs that do not return enough error information
+  // may be converted to this error.
+  //
+  // HTTP Mapping: 500 Internal Server Error
+  CODE_UNKNOWN = 3;
+  // The client specified an invalid argument.  Note that this differs
+  // from `FAILED_PRECONDITION`.  `INVALID_ARGUMENT` indicates arguments
+  // that are problematic regardless of the state of the system
+  // (e.g., a malformed file name).
+  //
+  // HTTP Mapping: 400 Bad Request
+  CODE_INVALID_ARGUMENT = 4;
+  // The deadline expired before the operation could complete. For operations
+  // that change the state of the system, this error may be returned
+  // even if the operation has completed successfully.  For example, a
+  // successful response from a server could have been delayed long
+  // enough for the deadline to expire.
+  //
+  // HTTP Mapping: 504 Gateway Timeout
+  CODE_DEADLINE_EXCEEDED = 5;
+  // Some requested entity (e.g., file or directory) was not found.
+  //
+  // Note to server developers: if a request is denied for an entire class
+  // of users, such as gradual feature rollout or undocumented whitelist,
+  // `NOT_FOUND` may be used. If a request is denied for some users within
+  // a class of users, such as user-based access control, `PERMISSION_DENIED`
+  // must be used.
+  //
+  // HTTP Mapping: 404 Not Found
+  CODE_NOT_FOUND = 6;
+  // The entity that a client attempted to create (e.g., file or directory)
+  // already exists.
+  //
+  // HTTP Mapping: 409 Conflict
+  CODE_ALREADY_EXISTS = 7;
+  // The caller does not have permission to execute the specified
+  // operation. `PERMISSION_DENIED` must not be used for rejections
+  // caused by exhausting some resource (use `RESOURCE_EXHAUSTED`
+  // instead for those errors). `PERMISSION_DENIED` must not be
+  // used if the caller can not be identified (use `UNAUTHENTICATED`
+  // instead for those errors). This error code does not imply the
+  // request is valid or the requested entity exists or satisfies
+  // other pre-conditions.
+  //
+  // HTTP Mapping: 403 Forbidden
+  CODE_PERMISSION_DENIED = 8;
+  // The request does not have valid authentication credentials for the
+  // operation.
+  //
+  // HTTP Mapping: 401 Unauthorized
+  CODE_UNAUTHENTICATED = 9;
+  // Some resource has been exhausted, perhaps a per-user quota, or
+  // perhaps the entire file system is out of space.
+  //
+  // HTTP Mapping: 429 Too Many Requests
+  CODE_RESOURCE_EXHAUSTED = 10;
+  // The operation was rejected because the system is not in a state
+  // required for the operation's execution.  For example, the directory
+  // to be deleted is non-empty, an rmdir operation is applied to
+  // a non-directory, etc.
+  //
+  // Service implementors can use the following guidelines to decide
+  // between `FAILED_PRECONDITION`, `ABORTED`, and `UNAVAILABLE`:
+  //  (a) Use `UNAVAILABLE` if the client can retry just the failing call.
+  //  (b) Use `ABORTED` if the client should retry at a higher level
+  //      (e.g., when a client-specified test-and-set fails, indicating the
+  //      client should restart a read-modify-write sequence).
+  //  (c) Use `FAILED_PRECONDITION` if the client should not retry until
+  //      the system state has been explicitly fixed.  E.g., if an "rmdir"
+  //      fails because the directory is non-empty, `FAILED_PRECONDITION`
+  //      should be returned since the client should not retry unless
+  //      the files are deleted from the directory.
+  //
+  // HTTP Mapping: 400 Bad Request
+  CODE_FAILED_PRECONDITION = 11;
+  // The operation was aborted, typically due to a concurrency issue such as
+  // a sequencer check failure or transaction abort.
+  //
+  // See the guidelines above for deciding between `FAILED_PRECONDITION`,
+  // `ABORTED`, and `UNAVAILABLE`.
+  //
+  // HTTP Mapping: 409 Conflict
+  CODE_ABORTED = 12;
+  // The operation was attempted past the valid range.  E.g., seeking or
+  // reading past end-of-file.
+  //
+  // Unlike `INVALID_ARGUMENT`, this error indicates a problem that may
+  // be fixed if the system state changes. For example, a 32-bit file
+  // system will generate `INVALID_ARGUMENT` if asked to read at an
+  // offset that is not in the range [0,2^32-1], but it will generate
+  // `OUT_OF_RANGE` if asked to read from an offset past the current
+  // file size.
+  //
+  // There is a fair bit of overlap between `FAILED_PRECONDITION` and
+  // `OUT_OF_RANGE`.  We recommend using `OUT_OF_RANGE` (the more specific
+  // error) when it applies so that callers who are iterating through
+  // a space can easily look for an `OUT_OF_RANGE` error to detect when
+  // they are done.
+  //
+  // HTTP Mapping: 400 Bad Request
+  CODE_OUT_OF_RANGE = 13;
+  // The operation is not implemented or is not supported/enabled in this
+  // service.
+  //
+  // HTTP Mapping: 501 Not Implemented
+  CODE_UNIMPLEMENTED = 14;
+  // Internal errors.  This means that some invariants expected by the
+  // underlying system have been broken.  This error code is reserved
+  // for serious errors.
+  //
+  // HTTP Mapping: 500 Internal Server Error
+  CODE_INTERNAL = 15;
+  // The service is currently unavailable.  This is most likely a
+  // transient condition, which can be corrected by retrying with
+  // a backoff.
+  //
+  // See the guidelines above for deciding between `FAILED_PRECONDITION`,
+  // `ABORTED`, and `UNAVAILABLE`.
+  //
+  // HTTP Mapping: 503 Service Unavailable
+  CODE_UNAVAILABLE = 16;
+  // Unrecoverable data loss or corruption.
+  //
+  // HTTP Mapping: 500 Internal Server Error
+  CODE_DATA_LOSS = 17;
+  // Redirects the operation to another location.
+  // Used in a Status reponse with a reference to the target URI.
+  CODE_REDIRECTION = 18;
+  //
+  // The operation could not be performed because there is not enough
+  // storage available. This can be because of lack of real storage
+  // space or because of the exceeding of a quota associated to a
+  // storage.
+  //
+  // HTTP Mapping: 507 Insufficient Storage
+  CODE_INSUFFICIENT_STORAGE = 19;
+}
+
+// OpaqueEntry represents the encoded
+// opaque value.
+message OpaqueEntry {
+  // REQUIRED.
+  // The decoder to use: json, xml, toml, ...
+  // TODO(labkode): make encoder a fixed set using a enum type?
+  string decoder = 1;
+  // REQUIRED.
+  // The encoded value.
+  bytes value = 2;
+}
+
+// The type of user.
+enum UserType {
+  // The user is invalid, for example, is missing primary attributes.
+  USER_TYPE_INVALID = 0;
+  // A primary user.
+  USER_TYPE_PRIMARY = 1;
+  // A secondary user for cases with multiple identities.
+  USER_TYPE_SECONDARY = 2;
+  // A user catering to specific services.
+  USER_TYPE_SERVICE = 3;
+  // A user to be used by specific applications.
+  USER_TYPE_APPLICATION = 4;
+  // A guest user not affiliated to the IDP.
+  USER_TYPE_GUEST = 5;
+  // A federated user provided by external IDPs.
+  USER_TYPE_FEDERATED = 6;
+  // A lightweight user account without access to various major functionalities.
+  USER_TYPE_LIGHTWEIGHT = 7;
+}
+
+// Provides an API for managing users.
+service UserAPI {
+  // Load the plugin
+  rpc OnLoad(OnLoadRequest) returns (OnLoadResponse);
+  // Gets the information about a user by the user id.
+  rpc GetUser(GetUserRequest) returns (GetUserResponse);
+  // Gets the information about a user based on a specified claim.
+  rpc GetUserByClaim(GetUserByClaimRequest) returns (GetUserByClaimResponse);
+  // Gets the groups of a user.
+  rpc GetUserGroups(GetUserGroupsRequest) returns (GetUserGroupsResponse);
+  // Finds users by any attribute of the user.
+  // TODO(labkode): to define the filters that make more sense.
+  rpc FindUsers(FindUsersRequest) returns (FindUsersResponse);
+}
+
+message OnLoadRequest {
+  string UserFile = 1;
+}
+
+message OnLoadResponse{}
+
+message GetUserRequest {
+  // OPTIONAL.
+  // Opaque information.
+  Opaque opaque = 1;
+  // REQUIRED.
+  // The id of the user.
+  UserId user_id = 2;
+}
+
+message GetUserResponse {
+  // REQUIRED.
+  // The response status.
+  Status status = 1;
+  // OPTIONAL.
+  // Opaque information.
+  Opaque opaque = 2;
+  // REQUIRED.
+  // The user information.
+  User user = 3;
+}
+
+message GetUserByClaimRequest {
+  // OPTIONAL.
+  // Opaque information.
+  Opaque opaque = 1;
+  // REQUIRED.
+  // The claim on the basis of which users will be filtered.
+  string claim = 2;
+  // REQUIRED.
+  // The value of the claim to find the specific user.
+  string value = 3;
+}
+
+message GetUserByClaimResponse {
+  // REQUIRED.
+  // The response status.
+  Status status = 1;
+  // OPTIONAL.
+  // Opaque information.
+  Opaque opaque = 2;
+  // REQUIRED.
+  // The user information.
+  User user = 3;
+}
+
+message GetUserGroupsRequest {
+  // OPTIONAL.
+  // Opaque information.
+  Opaque opaque = 1;
+  // REQUIRED.
+  // The id of the user.
+  UserId user_id = 2;
+}
+
+message GetUserGroupsResponse {
+  // REQUIRED.
+  // The response status.
+  Status status = 1;
+  // OPTIONAL.
+  // Opaque information.
+  Opaque opaque = 2;
+  // REQUIRED.
+  // The groups for the user.
+  repeated string groups = 3;
+}
+
+message FindUsersRequest {
+  // OPTIONAL.
+  // Opaque information.
+  Opaque opaque = 1;
+  // REQUIRED. TODO(labkode): create proper filters for most common searches.
+  // The filter to apply.
+  string filter = 2;
+}
+
+message FindUsersResponse {
+  // REQUIRED.
+  // The response status.
+  Status status = 1;
+  // OPTIONAL.
+  // Opaque information.
+  Opaque opaque = 2;
+  // REQUIRED.
+  // The users matching the specified filter.
+  repeated User users = 3;
+}

pkg/proto/manager.pb.go

@@ -0,0 +1,157 @@
+package shared
+
+import (
+	"context"
+
+	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	proto "github.com/jimil749/reva-plugin-benchmark/pkg/proto"
+)
+
+type GRPCClient struct{ client proto.UserAPIClient }
+
+func (m *GRPCClient) OnLoad(userFile string) error {
+	_, err := m.client.OnLoad(context.Background(), &proto.OnLoadRequest{
+		UserFile: userFile,
+	})
+	return err
+}
+
+func (m *GRPCClient) GetUser(uid *userpb.UserId) (*userpb.User, error) {
+	resp, err := m.client.GetUser(context.Background(), &proto.GetUserRequest{
+		UserId: &proto.UserId{
+			Idp:      uid.Idp,
+			OpaqueId: uid.OpaqueId,
+			Type:     proto.UserType(uid.Type),
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	// unmarshal the manager user to userpb.User
+	user := UnmarshalUser(resp.User)
+	return user, nil
+}
+
+func (m *GRPCClient) GetUserByClaim(claim, value string) (*userpb.User, error) {
+	resp, err := m.client.GetUserByClaim(context.Background(), &proto.GetUserByClaimRequest{
+		Value: value,
+		Claim: claim,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	user := UnmarshalUser(resp.User)
+	return user, nil
+}
+
+func (m *GRPCClient) GetUserGroups(uid *userpb.UserId) ([]string, error) {
+	resp, err := m.client.GetUserGroups(context.Background(), &proto.GetUserGroupsRequest{
+		UserId: &proto.UserId{
+			Idp:      uid.Idp,
+			OpaqueId: uid.OpaqueId,
+			Type:     proto.UserType(uid.Type),
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return resp.Groups, nil
+}
+
+func (m *GRPCClient) FindUsers(filter string) ([]*userpb.User, error) {
+	resp, err := m.client.FindUsers(context.Background(), &proto.FindUsersRequest{
+		Filter: filter,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var users []*userpb.User
+	for _, user := range resp.Users {
+		users = append(users, UnmarshalUser(user))
+	}
+	return users, nil
+}
+
+// gRPC server that gRPC client talks to.
+type GRPCServer struct {
+	Impl Manager
+	proto.UnimplementedUserAPIServer
+}
+
+func (m *GRPCServer) OnLoad(ctx context.Context, req *proto.OnLoadRequest) (*proto.OnLoadResponse, error) {
+	return &proto.OnLoadResponse{}, m.Impl.OnLoad(req.UserFile)
+}
+
+func (m *GRPCServer) GetUser(ctx context.Context, req *proto.GetUserRequest) (*proto.GetUserResponse, error) {
+	userpb, err := m.Impl.GetUser(UnmarshalUserId(req.UserId))
+	user := MarshalUser(userpb)
+	return &proto.GetUserResponse{User: user}, err
+}
+
+func (m *GRPCServer) GetUserByClaim(ctx context.Context, req *proto.GetUserByClaimRequest) (*proto.GetUserByClaimResponse, error) {
+	userpb, err := m.Impl.GetUserByClaim(req.Claim, req.Value)
+	user := MarshalUser(userpb)
+	return &proto.GetUserByClaimResponse{User: user}, err
+}
+
+func (m *GRPCServer) GetUserGroups(ctx context.Context, req *proto.GetUserGroupsRequest) (*proto.GetUserGroupsResponse, error) {
+	groups, err := m.Impl.GetUserGroups(UnmarshalUserId(req.UserId))
+	return &proto.GetUserGroupsResponse{Groups: groups}, err
+}
+
+func (m *GRPCServer) FindUsers(ctx context.Context, req *proto.FindUsersRequest) (*proto.FindUsersResponse, error) {
+	userspb, err := m.Impl.FindUsers(req.Filter)
+	var users []*proto.User
+	for _, user := range userspb {
+		users = append(users, MarshalUser(user))
+	}
+	return &proto.FindUsersResponse{Users: users}, err
+}
+
+// UnmarshalUserId "unmarshals" the proto.UserId to *userpb.UserId
+func UnmarshalUserId(uid *proto.UserId) *userpb.UserId {
+	return &userpb.UserId{
+		Idp:      uid.Idp,
+		OpaqueId: uid.OpaqueId,
+		Type:     userpb.UserType(uid.Type),
+	}
+}
+
+// UnmarshalUser "unmarshals" the proto.User type to *userpb.User
+func UnmarshalUser(user *proto.User) *userpb.User {
+	return &userpb.User{
+		Id: &userpb.UserId{
+			Idp:      user.Id.Idp,
+			OpaqueId: user.Id.OpaqueId,
+			Type:     userpb.UserType(user.Id.Type),
+		},
+		Username:     user.Username,
+		Mail:         user.Mail,
+		MailVerified: user.MailVerified,
+		DisplayName:  user.DisplayName,
+		Groups:       user.Groups,
+		UidNumber:    user.UidNumber,
+		GidNumber:    user.GidNumber,
+	}
+}
+
+// MarshalUser marshals userpb.User to proto.User
+func MarshalUser(user *userpb.User) *proto.User {
+	return &proto.User{
+		Id: &proto.UserId{
+			Idp:      user.Id.Idp,
+			OpaqueId: user.Id.OpaqueId,
+			Type:     proto.UserType(user.Id.Type),
+		},
+		Username:     user.Username,
+		Mail:         user.Mail,
+		MailVerified: user.MailVerified,
+		DisplayName:  user.DisplayName,
+		Groups:       user.Groups,
+		UidNumber:    user.UidNumber,
+		GidNumber:    user.GidNumber,
+	}
+}

pkg/proto/manager.proto

@@ -1,10 +1,13 @@
 package shared
 
 import (
+	"context"
 	"net/rpc"
 
 	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	"github.com/hashicorp/go-plugin"
+	proto "github.com/jimil749/reva-plugin-benchmark/pkg/proto"
+	"google.golang.org/grpc"
 )
 
 // Handshake is a common handshake that is shared by plugin and host.
@@ -17,7 +20,8 @@ var Handshake = plugin.HandshakeConfig{
 
 // PluginMap is the map of plugins we can dispense.
 var PluginMap = map[string]plugin.Plugin{
-	"json": &JSONPlugin{},
+	"json":      &JSONPlugin{},
+	"json_grpc": &JSONPluginGRPC{},
 }
 
 // Manager is the interface that we're exposing as a plugin. This interface is only used for plugin
@@ -45,10 +49,33 @@ func (*JSONPlugin) Client(b *plugin.MuxBroker, c *rpc.Client) (interface{}, erro
 	return &RPCClient{Client: c}, nil
 }
 
+// ------------------------------ For Non-RPC Plugins--------------------------------------
 // UserManager is the interface we're exposing as a plugin for plugin systems NOT using RPC.
 type UserManager interface {
 	GetUser(*userpb.UserId) (*userpb.User, error)
 	GetUserByClaim(claim, value string) (*userpb.User, error)
 	GetUserGroups(*userpb.UserId) ([]string, error)
 	FindUsers(query string) ([]*userpb.User, error)
 }
+
+type ManagerGRPC interface {
+	OnLoad(userFile string) error
+	GetUser(*userpb.UserId) (*userpb.User, error)
+	GetUserByClaim(claim, value string) (*userpb.User, error)
+	GetUserGroups(*userpb.UserId) ([]string, error)
+	FindUsers(query string) ([]*userpb.User, error)
+}
+
+type JSONPluginGRPC struct {
+	plugin.Plugin
+	Impl Manager
+}
+
+func (p *JSONPluginGRPC) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server) error {
+	proto.RegisterUserAPIServer(s, &GRPCServer{Impl: p.Impl})
+	return nil
+}
+
+func (p *JSONPluginGRPC) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
+	return &GRPCClient{client: proto.NewUserAPIClient(c)}, nil
+}

pkg/proto/manager_grpc.pb.go

@@ -0,0 +1,52 @@
+package shared
+
+type User struct {
+	Id           *UserId
+	Username     string
+	Mail         string
+	MailVerified bool
+	DisplayName  string
+	Groups       []string
+	Opaque       *Opaque
+	UidNumber    int64
+	GidNumber    int64
+}
+
+// A UserId represents a user.
+type UserId struct {
+	Idp      string
+	OpaqueId string
+	Type     UserType
+}
+
+// The type of user.
+type UserType int32
+
+const (
+	// The user is invalid, for example, is missing primary attributes.
+	UserType_USER_TYPE_INVALID UserType = 0
+	// A primary user.
+	UserType_USER_TYPE_PRIMARY UserType = 1
+	// A secondary user for cases with multiple identities.
+	UserType_USER_TYPE_SECONDARY UserType = 2
+	// A user catering to specific services.
+	UserType_USER_TYPE_SERVICE UserType = 3
+	// A user to be used by specific applications.
+	UserType_USER_TYPE_APPLICATION UserType = 4
+	// A guest user not affiliated to the IDP.
+	UserType_USER_TYPE_GUEST UserType = 5
+	// A federated user provided by external IDPs.
+	UserType_USER_TYPE_FEDERATED UserType = 6
+	// A lightweight user account without access to various major functionalities.
+	UserType_USER_TYPE_LIGHTWEIGHT UserType = 7
+)
+
+type Opaque struct {
+	// REQUIRED.
+	Map map[string]*OpaqueEntry
+}
+
+type OpaqueEntry struct {
+	Decoder string `protobuf:"bytes,1,opt,name=decoder,proto3" json:"decoder,omitempty"`
+	Value   []byte `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
+}