chore: migrate to gitea

vendor/google.golang.org/api/option/internaloption/internaloption.go

@@ -0,0 +1,337 @@
+// Copyright 2020 Google LLC.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package internaloption contains options used internally by Google client code.
+package internaloption
+
+import (
+	"context"
+	"log/slog"
+	"maps"
+
+	"cloud.google.com/go/auth"
+	"github.com/googleapis/gax-go/v2/internallog"
+	"golang.org/x/oauth2/google"
+	"google.golang.org/api/internal"
+	"google.golang.org/api/option"
+)
+
+type defaultEndpointOption string
+
+func (o defaultEndpointOption) Apply(settings *internal.DialSettings) {
+	settings.DefaultEndpoint = string(o)
+}
+
+// WithDefaultEndpoint is an option that indicates the default endpoint.
+//
+// It should only be used internally by generated clients.
+//
+// This is similar to WithEndpoint, but allows us to determine whether the user has overridden the default endpoint.
+//
+// Deprecated: WithDefaultEndpoint does not support setting the universe domain.
+// Use WithDefaultEndpointTemplate and WithDefaultUniverseDomain to compose the
+// default endpoint instead.
+func WithDefaultEndpoint(url string) option.ClientOption {
+	return defaultEndpointOption(url)
+}
+
+type defaultEndpointTemplateOption string
+
+func (o defaultEndpointTemplateOption) Apply(settings *internal.DialSettings) {
+	settings.DefaultEndpointTemplate = string(o)
+}
+
+// WithDefaultEndpointTemplate provides a template for creating the endpoint
+// using a universe domain. See also WithDefaultUniverseDomain and
+// option.WithUniverseDomain. The placeholder UNIVERSE_DOMAIN should be used
+// instead of a concrete universe domain such as "googleapis.com".
+//
+// Example: WithDefaultEndpointTemplate("https://logging.UNIVERSE_DOMAIN/")
+//
+// It should only be used internally by generated clients.
+func WithDefaultEndpointTemplate(url string) option.ClientOption {
+	return defaultEndpointTemplateOption(url)
+}
+
+type defaultMTLSEndpointOption string
+
+func (o defaultMTLSEndpointOption) Apply(settings *internal.DialSettings) {
+	settings.DefaultMTLSEndpoint = string(o)
+}
+
+// WithDefaultMTLSEndpoint is an option that indicates the default mTLS endpoint.
+//
+// It should only be used internally by generated clients.
+func WithDefaultMTLSEndpoint(url string) option.ClientOption {
+	return defaultMTLSEndpointOption(url)
+}
+
+// SkipDialSettingsValidation bypasses validation on ClientOptions.
+//
+// It should only be used internally.
+func SkipDialSettingsValidation() option.ClientOption {
+	return skipDialSettingsValidation{}
+}
+
+type skipDialSettingsValidation struct{}
+
+func (s skipDialSettingsValidation) Apply(settings *internal.DialSettings) {
+	settings.SkipValidation = true
+}
+
+// EnableDirectPath returns a ClientOption that overrides the default
+// attempt to use DirectPath.
+//
+// It should only be used internally by generated clients.
+// This is an EXPERIMENTAL API and may be changed or removed in the future.
+func EnableDirectPath(dp bool) option.ClientOption {
+	return enableDirectPath(dp)
+}
+
+type enableDirectPath bool
+
+func (e enableDirectPath) Apply(o *internal.DialSettings) {
+	o.EnableDirectPath = bool(e)
+}
+
+// EnableDirectPathXds returns a ClientOption that overrides the default
+// DirectPath type. It is only valid when DirectPath is enabled.
+//
+// It should only be used internally by generated clients.
+// This is an EXPERIMENTAL API and may be changed or removed in the future.
+func EnableDirectPathXds() option.ClientOption {
+	return enableDirectPathXds(true)
+}
+
+type enableDirectPathXds bool
+
+func (x enableDirectPathXds) Apply(o *internal.DialSettings) {
+	o.EnableDirectPathXds = bool(x)
+}
+
+// AllowNonDefaultServiceAccount returns a ClientOption that overrides the default
+// requirement for using the default service account for DirectPath.
+//
+// It should only be used internally by generated clients.
+// This is an EXPERIMENTAL API and may be changed or removed in the future.
+func AllowNonDefaultServiceAccount(nd bool) option.ClientOption {
+	return allowNonDefaultServiceAccount(nd)
+}
+
+type allowNonDefaultServiceAccount bool
+
+func (a allowNonDefaultServiceAccount) Apply(o *internal.DialSettings) {
+	o.AllowNonDefaultServiceAccount = bool(a)
+}
+
+// WithDefaultAudience returns a ClientOption that specifies a default audience
+// to be used as the audience field ("aud") for the JWT token authentication.
+//
+// It should only be used internally by generated clients.
+func WithDefaultAudience(audience string) option.ClientOption {
+	return withDefaultAudience(audience)
+}
+
+type withDefaultAudience string
+
+func (w withDefaultAudience) Apply(o *internal.DialSettings) {
+	o.DefaultAudience = string(w)
+}
+
+// WithDefaultScopes returns a ClientOption that overrides the default OAuth2
+// scopes to be used for a service.
+//
+// It should only be used internally by generated clients.
+func WithDefaultScopes(scope ...string) option.ClientOption {
+	return withDefaultScopes(scope)
+}
+
+type withDefaultScopes []string
+
+func (w withDefaultScopes) Apply(o *internal.DialSettings) {
+	o.DefaultScopes = make([]string, len(w))
+	copy(o.DefaultScopes, w)
+}
+
+// WithTelemetryAttributes returns a ClientOption that specifies a map of
+// telemetry attributes to be added to all telemetry signals, such as tracing
+// and metrics, for purposes including representing the static identity of the
+// client (e.g., service name, version). These attributes are expected to be
+// consistent across all signals to enable cross-signal correlation.
+//
+// It should only be used internally by generated clients.
+func WithTelemetryAttributes(attrs map[string]string) option.ClientOption {
+	return withTelemetryAttributes(attrs)
+}
+
+type withTelemetryAttributes map[string]string
+
+func (w withTelemetryAttributes) Apply(o *internal.DialSettings) {
+	o.TelemetryAttributes = maps.Clone(w)
+}
+
+// WithDefaultUniverseDomain returns a ClientOption that sets the default universe domain.
+//
+// It should only be used internally by generated clients.
+//
+// This is similar to the public WithUniverse, but allows us to determine whether the user has
+// overridden the default universe.
+func WithDefaultUniverseDomain(ud string) option.ClientOption {
+	return withDefaultUniverseDomain(ud)
+}
+
+type withDefaultUniverseDomain string
+
+func (w withDefaultUniverseDomain) Apply(o *internal.DialSettings) {
+	o.DefaultUniverseDomain = string(w)
+}
+
+// EnableJwtWithScope returns a ClientOption that specifies if scope can be used
+// with self-signed JWT.
+//
+// EnableJwtWithScope is ignored when option.WithUniverseDomain is set
+// to a value other than the Google Default Universe (GDU) of "googleapis.com".
+// For non-GDU domains, token exchange is impossible and services must
+// support self-signed JWTs with scopes.
+func EnableJwtWithScope() option.ClientOption {
+	return enableJwtWithScope(true)
+}
+
+type enableJwtWithScope bool
+
+func (w enableJwtWithScope) Apply(o *internal.DialSettings) {
+	o.EnableJwtWithScope = bool(w)
+}
+
+// AllowHardBoundTokens returns a ClientOption that allows libraries to request a hard-bound token.
+// Obtaining hard-bound tokens requires the connection to be established using either Application
+// Layer Transport Security (ALTS) or mutual TLS (mTLS) with S2A. For more information on ALTS,
+// see: https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
+//
+// The AllowHardBoundTokens option accepts the following values (or a combination thereof):
+//
+//   - "MTLS_S2A": Allows obtaining hard-bound tokens when the connection uses mutual TLS with S2A.
+//   - "ALTS":     Allows obtaining hard-bound tokens when the connection uses ALTS.
+//
+// For example, to allow obtaining hard-bound tokens with either MTLS_S2A or ALTS, you would
+// provide both values (e.g., {"MTLS_S2A","ALTS"}).  If no value is provided, hard-bound tokens
+// will not be requested.
+//
+// It should only be used internally by generated clients.
+// This is an EXPERIMENTAL API and may be changed or removed in the future.
+func AllowHardBoundTokens(protocol ...string) option.ClientOption {
+	return allowHardBoundTokens(protocol)
+}
+
+type allowHardBoundTokens []string
+
+func (a allowHardBoundTokens) Apply(o *internal.DialSettings) {
+	o.AllowHardBoundTokens = make([]string, len(a))
+	copy(o.AllowHardBoundTokens, a)
+}
+
+// WithCredentials returns a client option to specify credentials which will be used to authenticate API calls.
+// This credential takes precedence over all other credential options.
+func WithCredentials(creds *google.Credentials) option.ClientOption {
+	return (*withCreds)(creds)
+}
+
+type withCreds google.Credentials
+
+func (w *withCreds) Apply(o *internal.DialSettings) {
+	o.InternalCredentials = (*google.Credentials)(w)
+}
+
+// EnableNewAuthLibrary returns a ClientOption that specifies if libraries in this
+// module to delegate auth to our new library. This option will be removed in
+// the future once all clients have been moved to the new auth layer.
+func EnableNewAuthLibrary() option.ClientOption {
+	return enableNewAuthLibrary(true)
+}
+
+type enableNewAuthLibrary bool
+
+func (w enableNewAuthLibrary) Apply(o *internal.DialSettings) {
+	o.EnableNewAuthLibrary = bool(w)
+}
+
+// EnableAsyncRefreshDryRun returns a ClientOption that specifies if libraries in this
+// module should asynchronously refresh auth token in parallel to sync refresh.
+//
+// This option can be used to determine whether refreshing the token asymnchronously
+// prior to its actual expiry works without any issues in a particular environment.
+//
+// errHandler function will be called when there is an error while refreshing
+// the token asynchronously.
+//
+// This is an EXPERIMENTAL option and will be removed in the future.
+// TODO(b/372244283): Remove after b/358175516 has been fixed
+func EnableAsyncRefreshDryRun(errHandler func()) option.ClientOption {
+	return enableAsyncRefreshDryRun{
+		errHandler: errHandler,
+	}
+}
+
+// TODO(b/372244283): Remove after b/358175516 has been fixed
+type enableAsyncRefreshDryRun struct {
+	errHandler func()
+}
+
+// TODO(b/372244283): Remove after b/358175516 has been fixed
+func (w enableAsyncRefreshDryRun) Apply(o *internal.DialSettings) {
+	o.EnableAsyncRefreshDryRun = w.errHandler
+}
+
+// EmbeddableAdapter is a no-op option.ClientOption that allow libraries to
+// create their own client options by embedding this type into their own
+// client-specific option wrapper. See example for usage.
+type EmbeddableAdapter struct{}
+
+func (*EmbeddableAdapter) Apply(_ *internal.DialSettings) {}
+
+// GetLogger is a helper for client libraries to extract the [slog.Logger] from
+// the provided options or return a default logger if one is not found.
+//
+// It should only be used internally by generated clients. This is an EXPERIMENTAL API
+// and may be changed or removed in the future.
+func GetLogger(opts []option.ClientOption) *slog.Logger {
+	var ds internal.DialSettings
+	for _, opt := range opts {
+		opt.Apply(&ds)
+	}
+	return internallog.New(ds.Logger)
+}
+
+// AuthCreds returns [cloud.google.com/go/auth.Credentials] using the following
+// options provided via [option.ClientOption], including legacy oauth2/google
+// options, in this order:
+//
+//   - [option.WithoutAuthentication]
+//   - [option.Credentials]
+//   - [WithCredentials] (internal use only)
+//   - [option.WithCredentials]
+//   - [option.WithTokenSource]
+//
+// If there are no applicable credentials options, then it passes the
+// following options to [cloud.google.com/go/auth/credentials.DetectDefault] and
+// returns the result:
+//
+//   - [option.WithAudiences]
+//   - [option.WithAuthCredentialsFile]
+//   - [option.WithCredentialsFile]
+//   - [option.WithAuthCredentialsJSON]
+//   - [option.WithCredentialsJSON]
+//   - [option.WithScopes]
+//   - [WithDefaultScopes] (internal use only)
+//   - [EnableJwtWithScope] (internal use only)
+//
+// This function should only be used internally by generated clients. This is an
+// EXPERIMENTAL API and may be changed or removed in the future.
+func AuthCreds(ctx context.Context, opts []option.ClientOption) (*auth.Credentials, error) {
+	var ds internal.DialSettings
+	for _, opt := range opts {
+		opt.Apply(&ds)
+	}
+	return internal.AuthCreds(ctx, &ds)
+}

vendor/google.golang.org/api/option/option.go

@@ -0,0 +1,537 @@
+// Copyright 2017 Google LLC.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package option contains options for Google API clients.
+package option
+
+import (
+	"crypto/tls"
+	"log/slog"
+	"net/http"
+
+	"cloud.google.com/go/auth"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+	"google.golang.org/api/internal"
+	"google.golang.org/api/internal/credentialstype"
+	"google.golang.org/api/internal/impersonate"
+	"google.golang.org/grpc"
+)
+
+// CredentialsType specifies the type of JSON credentials being provided
+// to a loading function such as [WithAuthCredentialsFile] or
+// [WithAuthCredentialsJSON].
+type CredentialsType = credentialstype.CredType
+
+const (
+	// ServiceAccount represents a service account file type.
+	ServiceAccount = credentialstype.ServiceAccount
+	// AuthorizedUser represents an authorized user credentials file type.
+	AuthorizedUser = credentialstype.AuthorizedUser
+	// ImpersonatedServiceAccount represents an impersonated service account file type.
+	//
+	// IMPORTANT:
+	// This credential type does not validate the credential configuration. A security
+	// risk occurs when a credential configuration configured with malicious urls
+	// is used.
+	// You should validate credential configurations provided by untrusted sources.
+	// See [Security requirements when using credential configurations from an external
+	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+	// for more details.
+	ImpersonatedServiceAccount = credentialstype.ImpersonatedServiceAccount
+	// ExternalAccount represents an external account file type.
+	//
+	// IMPORTANT:
+	// This credential type does not validate the credential configuration. A security
+	// risk occurs when a credential configuration configured with malicious urls
+	// is used.
+	// You should validate credential configurations provided by untrusted sources.
+	// See [Security requirements when using credential configurations from an external
+	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+	// for more details.
+	ExternalAccount = credentialstype.ExternalAccount
+)
+
+// A ClientOption is an option for a Google API client.
+type ClientOption interface {
+	Apply(*internal.DialSettings)
+}
+
+// WithTokenSource returns a ClientOption that specifies an OAuth2 token
+// source to be used as the basis for authentication.
+func WithTokenSource(s oauth2.TokenSource) ClientOption {
+	return withTokenSource{s}
+}
+
+type withTokenSource struct{ ts oauth2.TokenSource }
+
+func (w withTokenSource) Apply(o *internal.DialSettings) {
+	o.TokenSource = w.ts
+}
+
+type withCredFile string
+
+func (w withCredFile) Apply(o *internal.DialSettings) {
+	o.CredentialsFile = string(w)
+}
+
+// WithCredentialsFile returns a ClientOption that authenticates
+// API calls with the given service account or refresh token JSON
+// credentials file.
+//
+// Deprecated: This function is being deprecated because of a potential security risk.
+//
+// This function does not validate the credential configuration. The security
+// risk occurs when a credential configuration is accepted from a source that
+// is not under your control and used without validation on your side.
+//
+// If you know that you will be loading credential configurations of a
+// specific type, it is recommended to use a credential-type-specific
+// option function.
+// This will ensure that an unexpected credential type with potential for
+// malicious intent is not loaded unintentionally. You might still have to do
+// validation for certain credential types. Please follow the recommendation
+// for that function. For example, if you want to load only service accounts,
+// you can use [WithAuthCredentialsFile] with [ServiceAccount]:
+//
+//	option.WithAuthCredentialsFile(option.ServiceAccount, "/path/to/file.json")
+//
+// If you are loading your credential configuration from an untrusted source and have
+// not mitigated the risks (e.g. by validating the configuration yourself), make
+// these changes as soon as possible to prevent security risks to your environment.
+//
+// Regardless of the function used, it is always your responsibility to validate
+// configurations received from external sources.
+func WithCredentialsFile(filename string) ClientOption {
+	return withCredFile(filename)
+}
+
+// WithAuthCredentialsFile returns a ClientOption that authenticates API calls
+// with the given JSON credentials file and credential type.
+//
+// Important: If you accept a credential configuration (credential
+// JSON/File/Stream) from an external source for authentication to Google
+// Cloud Platform, you must validate it before providing it to any Google
+// API or library. Providing an unvalidated credential configuration to
+// Google APIs can compromise the security of your systems and data. For
+// more information, refer to [Validate credential configurations from
+// external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+func WithAuthCredentialsFile(credType CredentialsType, filename string) ClientOption {
+	return withAuthCredentialsFile{
+		credsType: credType,
+		filename:  filename,
+	}
+}
+
+type withAuthCredentialsFile struct {
+	credsType CredentialsType
+	filename  string
+}
+
+func (w withAuthCredentialsFile) Apply(o *internal.DialSettings) {
+	o.AuthCredentialsFile = w.filename
+	o.AuthCredentialsType = w.credsType
+}
+
+// WithServiceAccountFile returns a ClientOption that uses a Google service
+// account credentials file to authenticate.
+//
+// Important: If you accept a credential configuration (credential
+// JSON/File/Stream) from an external source for authentication to Google
+// Cloud Platform, you must validate it before providing it to any Google
+// API or library. Providing an unvalidated credential configuration to
+// Google APIs can compromise the security of your systems and data. For
+// more information, refer to [Validate credential configurations from
+// external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+//
+// Deprecated: Use WithAuthCredentialsFile instead.
+func WithServiceAccountFile(filename string) ClientOption {
+	return WithAuthCredentialsFile(ServiceAccount, filename)
+}
+
+// WithCredentialsJSON returns a ClientOption that authenticates
+// API calls with the given service account or refresh token JSON
+// credentials.
+//
+// Deprecated: This function is being deprecated because of a potential security risk.
+//
+// This function does not validate the credential configuration. The security
+// risk occurs when a credential configuration is accepted from a source that
+// is not under your control and used without validation on your side.
+//
+// If you know that you will be loading credential configurations of a
+// specific type, it is recommended to use a credential-type-specific
+// option function.
+// This will ensure that an unexpected credential type with potential for
+// malicious intent is not loaded unintentionally. You might still have to do
+// validation for certain credential types. Please follow the recommendation
+// for that function. For example, if you want to load only service accounts,
+// you can use [WithAuthCredentialsJSON] with [ServiceAccount]:
+//
+//	option.WithAuthCredentialsJSON(option.ServiceAccount, json)
+//
+// If you are loading your credential configuration from an untrusted source and have
+// not mitigated the risks (e.g. by validating the configuration yourself), make
+// these changes as soon as possible to prevent security risks to your environment.
+//
+// Regardless of the function used, it is always your responsibility to validate
+// configurations received from external sources.
+func WithCredentialsJSON(p []byte) ClientOption {
+	return withCredentialsJSON(p)
+}
+
+type withCredentialsJSON []byte
+
+func (w withCredentialsJSON) Apply(o *internal.DialSettings) {
+	o.CredentialsJSON = make([]byte, len(w))
+	copy(o.CredentialsJSON, w)
+}
+
+// WithAuthCredentialsJSON returns a ClientOption that authenticates API calls
+// with the given JSON credentials and credential type.
+//
+// Important: If you accept a credential configuration (credential
+// JSON/File/Stream) from an external source for authentication to Google
+// Cloud Platform, you must validate it before providing it to any Google
+// API or library. Providing an unvalidated credential configuration to
+// Google APIs can compromise the security of your systems and data. For
+// more information, refer to [Validate credential configurations from
+// external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+func WithAuthCredentialsJSON(credType CredentialsType, json []byte) ClientOption {
+	return withAuthCredentialsJSON{
+		credsType: credType,
+		json:      json,
+	}
+}
+
+type withAuthCredentialsJSON struct {
+	credsType CredentialsType
+	json      []byte
+}
+
+func (w withAuthCredentialsJSON) Apply(o *internal.DialSettings) {
+	o.AuthCredentialsJSON = w.json
+	o.AuthCredentialsType = w.credsType
+}
+
+// WithEndpoint returns a ClientOption that overrides the default endpoint
+// to be used for a service. Please note that by default Google APIs only
+// accept HTTPS traffic.
+//
+// For a gRPC client, the port number is typically included in the endpoint.
+// Example: "us-central1-speech.googleapis.com:443".
+//
+// For a REST client, the port number is typically not included. Example:
+// "https://speech.googleapis.com".
+func WithEndpoint(url string) ClientOption {
+	return withEndpoint(url)
+}
+
+type withEndpoint string
+
+func (w withEndpoint) Apply(o *internal.DialSettings) {
+	o.Endpoint = string(w)
+}
+
+// WithScopes returns a ClientOption that overrides the default OAuth2 scopes
+// to be used for a service.
+//
+// If both WithScopes and WithTokenSource are used, scope settings from the
+// token source will be used instead.
+func WithScopes(scope ...string) ClientOption {
+	return withScopes(scope)
+}
+
+type withScopes []string
+
+func (w withScopes) Apply(o *internal.DialSettings) {
+	o.Scopes = make([]string, len(w))
+	copy(o.Scopes, w)
+}
+
+// WithUserAgent returns a ClientOption that sets the User-Agent. This option
+// is incompatible with the [WithHTTPClient] option. If you wish to provide a
+// custom client you will need to add this header via RoundTripper middleware.
+func WithUserAgent(ua string) ClientOption {
+	return withUA(ua)
+}
+
+type withUA string
+
+func (w withUA) Apply(o *internal.DialSettings) { o.UserAgent = string(w) }
+
+// WithHTTPClient returns a ClientOption that specifies the HTTP client to use
+// as the basis of communications. This option may only be used with services
+// that support HTTP as their communication transport. When used, the
+// WithHTTPClient option takes precedent over all other supplied options.
+func WithHTTPClient(client *http.Client) ClientOption {
+	return withHTTPClient{client}
+}
+
+type withHTTPClient struct{ client *http.Client }
+
+func (w withHTTPClient) Apply(o *internal.DialSettings) {
+	o.HTTPClient = w.client
+}
+
+// WithGRPCConn returns a ClientOption that specifies the gRPC client
+// connection to use as the basis of communications. This option may only be
+// used with services that support gRPC as their communication transport. When
+// used, the WithGRPCConn option takes precedent over all other supplied
+// options.
+func WithGRPCConn(conn *grpc.ClientConn) ClientOption {
+	return withGRPCConn{conn}
+}
+
+type withGRPCConn struct{ conn *grpc.ClientConn }
+
+func (w withGRPCConn) Apply(o *internal.DialSettings) {
+	o.GRPCConn = w.conn
+}
+
+// WithGRPCDialOption returns a ClientOption that appends a new grpc.DialOption
+// to an underlying gRPC dial. It does not work with WithGRPCConn.
+func WithGRPCDialOption(opt grpc.DialOption) ClientOption {
+	return withGRPCDialOption{opt}
+}
+
+type withGRPCDialOption struct{ opt grpc.DialOption }
+
+func (w withGRPCDialOption) Apply(o *internal.DialSettings) {
+	o.GRPCDialOpts = append(o.GRPCDialOpts, w.opt)
+}
+
+// WithGRPCConnectionPool returns a ClientOption that creates a pool of gRPC
+// connections that requests will be balanced between.
+func WithGRPCConnectionPool(size int) ClientOption {
+	return withGRPCConnectionPool(size)
+}
+
+type withGRPCConnectionPool int
+
+func (w withGRPCConnectionPool) Apply(o *internal.DialSettings) {
+	o.GRPCConnPoolSize = int(w)
+}
+
+// WithAPIKey returns a ClientOption that specifies an API key to be used
+// as the basis for authentication.
+//
+// API Keys can only be used for JSON-over-HTTP APIs, including those under
+// the import path google.golang.org/api/....
+func WithAPIKey(apiKey string) ClientOption {
+	return withAPIKey(apiKey)
+}
+
+type withAPIKey string
+
+func (w withAPIKey) Apply(o *internal.DialSettings) { o.APIKey = string(w) }
+
+// WithAudiences returns a ClientOption that specifies an audience to be used
+// as the audience field ("aud") for the JWT token authentication.
+func WithAudiences(audience ...string) ClientOption {
+	return withAudiences(audience)
+}
+
+type withAudiences []string
+
+func (w withAudiences) Apply(o *internal.DialSettings) {
+	o.Audiences = make([]string, len(w))
+	copy(o.Audiences, w)
+}
+
+// WithoutAuthentication returns a ClientOption that specifies that no
+// authentication should be used. It is suitable only for testing and for
+// accessing public resources, like public Google Cloud Storage buckets.
+// It is an error to provide both WithoutAuthentication and any of WithAPIKey,
+// WithTokenSource, WithCredentialsFile or WithServiceAccountFile.
+func WithoutAuthentication() ClientOption {
+	return withoutAuthentication{}
+}
+
+type withoutAuthentication struct{}
+
+func (w withoutAuthentication) Apply(o *internal.DialSettings) { o.NoAuth = true }
+
+// WithQuotaProject returns a ClientOption that specifies the project used
+// for quota and billing purposes.
+//
+// For more information please read:
+// https://cloud.google.com/apis/docs/system-parameters
+func WithQuotaProject(quotaProject string) ClientOption {
+	return withQuotaProject(quotaProject)
+}
+
+type withQuotaProject string
+
+func (w withQuotaProject) Apply(o *internal.DialSettings) {
+	o.QuotaProject = string(w)
+}
+
+// WithRequestReason returns a ClientOption that specifies a reason for
+// making the request, which is intended to be recorded in audit logging.
+// An example reason would be a support-case ticket number.
+//
+// For more information please read:
+// https://cloud.google.com/apis/docs/system-parameters
+func WithRequestReason(requestReason string) ClientOption {
+	return withRequestReason(requestReason)
+}
+
+type withRequestReason string
+
+func (w withRequestReason) Apply(o *internal.DialSettings) {
+	o.RequestReason = string(w)
+}
+
+// WithTelemetryDisabled returns a ClientOption that disables default telemetry (OpenCensus)
+// settings on gRPC and HTTP clients.
+// An example reason would be to bind custom telemetry that overrides the defaults.
+func WithTelemetryDisabled() ClientOption {
+	return withTelemetryDisabled{}
+}
+
+type withTelemetryDisabled struct{}
+
+func (w withTelemetryDisabled) Apply(o *internal.DialSettings) {
+	o.TelemetryDisabled = true
+}
+
+// ClientCertSource is a function that returns a TLS client certificate to be used
+// when opening TLS connections.
+//
+// It follows the same semantics as crypto/tls.Config.GetClientCertificate.
+//
+// This is an EXPERIMENTAL API and may be changed or removed in the future.
+type ClientCertSource = func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
+
+// WithClientCertSource returns a ClientOption that specifies a
+// callback function for obtaining a TLS client certificate.
+//
+// This option is used for supporting mTLS authentication, where the
+// server validates the client certifcate when establishing a connection.
+//
+// The callback function will be invoked whenever the server requests a
+// certificate from the client. Implementations of the callback function
+// should try to ensure that a valid certificate can be repeatedly returned
+// on demand for the entire life cycle of the transport client. If a nil
+// Certificate is returned (i.e. no Certificate can be obtained), an error
+// should be returned.
+//
+// This is an EXPERIMENTAL API and may be changed or removed in the future.
+func WithClientCertSource(s ClientCertSource) ClientOption {
+	return withClientCertSource{s}
+}
+
+type withClientCertSource struct{ s ClientCertSource }
+
+func (w withClientCertSource) Apply(o *internal.DialSettings) {
+	o.ClientCertSource = w.s
+}
+
+// ImpersonateCredentials returns a ClientOption that will impersonate the
+// target service account.
+//
+// In order to impersonate the target service account
+// the base service account must have the Service Account Token Creator role,
+// roles/iam.serviceAccountTokenCreator, on the target service account.
+// See https://cloud.google.com/iam/docs/understanding-service-accounts.
+//
+// Optionally, delegates can be used during impersonation if the base service
+// account lacks the token creator role on the target. When using delegates,
+// each service account must be granted roles/iam.serviceAccountTokenCreator
+// on the next service account in the chain.
+//
+// For example, if a base service account of SA1 is trying to impersonate target
+// service account SA2 while using delegate service accounts DSA1 and DSA2,
+// the following must be true:
+//
+//  1. Base service account SA1 has roles/iam.serviceAccountTokenCreator on
+//     DSA1.
+//  2. DSA1 has roles/iam.serviceAccountTokenCreator on DSA2.
+//  3. DSA2 has roles/iam.serviceAccountTokenCreator on target SA2.
+//
+// The resulting impersonated credential will either have the default scopes of
+// the client being instantiating or the scopes from WithScopes if provided.
+// Scopes are required for creating impersonated credentials, so if this option
+// is used while not using a NewClient/NewService function, WithScopes must also
+// be explicitly passed in as well.
+//
+// If the base credential is an authorized user and not a service account, or if
+// the option WithQuotaProject is set, the target service account must have a
+// role that grants the serviceusage.services.use permission such as
+// roles/serviceusage.serviceUsageConsumer.
+//
+// This is an EXPERIMENTAL API and may be changed or removed in the future.
+//
+// Deprecated: This option has been replaced by `impersonate` package:
+// `google.golang.org/api/impersonate`. Please use the `impersonate` package
+// instead with the WithTokenSource option.
+func ImpersonateCredentials(target string, delegates ...string) ClientOption {
+	return impersonateServiceAccount{
+		target:    target,
+		delegates: delegates,
+	}
+}
+
+type impersonateServiceAccount struct {
+	target    string
+	delegates []string
+}
+
+func (i impersonateServiceAccount) Apply(o *internal.DialSettings) {
+	o.ImpersonationConfig = &impersonate.Config{
+		Target: i.target,
+	}
+	o.ImpersonationConfig.Delegates = make([]string, len(i.delegates))
+	copy(o.ImpersonationConfig.Delegates, i.delegates)
+}
+
+type withCreds google.Credentials
+
+func (w *withCreds) Apply(o *internal.DialSettings) {
+	o.Credentials = (*google.Credentials)(w)
+}
+
+// WithCredentials returns a ClientOption that authenticates API calls.
+func WithCredentials(creds *google.Credentials) ClientOption {
+	return (*withCreds)(creds)
+}
+
+// WithAuthCredentials returns a ClientOption that specifies an
+// [cloud.google.com/go/auth.Credentials] to be used as the basis for
+// authentication.
+func WithAuthCredentials(creds *auth.Credentials) ClientOption {
+	return withAuthCredentials{creds}
+}
+
+type withAuthCredentials struct{ creds *auth.Credentials }
+
+func (w withAuthCredentials) Apply(o *internal.DialSettings) {
+	o.AuthCredentials = w.creds
+}
+
+// WithUniverseDomain returns a ClientOption that sets the universe domain.
+func WithUniverseDomain(ud string) ClientOption {
+	return withUniverseDomain(ud)
+}
+
+type withUniverseDomain string
+
+func (w withUniverseDomain) Apply(o *internal.DialSettings) {
+	o.UniverseDomain = string(w)
+}
+
+// WithLogger returns a ClientOption that sets the logger used throughout the
+// client library call stack. If this option is provided it takes precedence
+// over the value set in GOOGLE_SDK_GO_LOGGING_LEVEL. Specifying this option
+// enables logging at the provided logger's configured level.
+func WithLogger(l *slog.Logger) ClientOption {
+	return withLogger{l}
+}
+
+type withLogger struct{ l *slog.Logger }
+
+func (w withLogger) Apply(o *internal.DialSettings) {
+	o.Logger = w.l
+}