grpc 1.17.1 → 1.18.0.pre1

data/src/core/lib/security/credentials/google_default/google_default_credentials.h

@@ -21,6 +21,7 @@
 
 #include <grpc/support/port_platform.h>
 
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/security/credentials/credentials.h"
 
 #define GRPC_GOOGLE_CLOUD_SDK_CONFIG_DIRECTORY "gcloud"
@@ -39,11 +40,33 @@
   "/" GRPC_GOOGLE_WELL_KNOWN_CREDENTIALS_FILE
 #endif
 
-typedef struct {
-  grpc_channel_credentials base;
-  grpc_channel_credentials* alts_creds;
-  grpc_channel_credentials* ssl_creds;
-} grpc_google_default_channel_credentials;
+class grpc_google_default_channel_credentials
+    : public grpc_channel_credentials {
+ public:
+  grpc_google_default_channel_credentials(
+      grpc_core::RefCountedPtr<grpc_channel_credentials> alts_creds,
+      grpc_core::RefCountedPtr<grpc_channel_credentials> ssl_creds)
+      : grpc_channel_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_GOOGLE_DEFAULT),
+        alts_creds_(std::move(alts_creds)),
+        ssl_creds_(std::move(ssl_creds)) {}
+
+  ~grpc_google_default_channel_credentials() override = default;
+
+  grpc_core::RefCountedPtr<grpc_channel_security_connector>
+  create_security_connector(
+      grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
+      const char* target, const grpc_channel_args* args,
+      grpc_channel_args** new_args) override;
+
+  const grpc_channel_credentials* alts_creds() const {
+    return alts_creds_.get();
+  }
+  const grpc_channel_credentials* ssl_creds() const { return ssl_creds_.get(); }
+
+ private:
+  grpc_core::RefCountedPtr<grpc_channel_credentials> alts_creds_;
+  grpc_core::RefCountedPtr<grpc_channel_credentials> ssl_creds_;
+};
 
 namespace grpc_core {
 namespace internal {

data/src/core/lib/security/credentials/iam/iam_credentials.cc

@@ -22,6 +22,7 @@
 
 #include <string.h>
 
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/surface/api_trace.h"
 
 #include <grpc/support/alloc.h>
@@ -29,32 +30,37 @@
 #include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 
-static void iam_destruct(grpc_call_credentials* creds) {
-  grpc_google_iam_credentials* c =
-      reinterpret_cast<grpc_google_iam_credentials*>(creds);
-  grpc_credentials_mdelem_array_destroy(&c->md_array);
+grpc_google_iam_credentials::~grpc_google_iam_credentials() {
+  grpc_credentials_mdelem_array_destroy(&md_array_);
 }
 
-static bool iam_get_request_metadata(grpc_call_credentials* creds,
-                                     grpc_polling_entity* pollent,
-                                     grpc_auth_metadata_context context,
-                                     grpc_credentials_mdelem_array* md_array,
-                                     grpc_closure* on_request_metadata,
-                                     grpc_error** error) {
-  grpc_google_iam_credentials* c =
-      reinterpret_cast<grpc_google_iam_credentials*>(creds);
-  grpc_credentials_mdelem_array_append(md_array, &c->md_array);
+bool grpc_google_iam_credentials::get_request_metadata(
+    grpc_polling_entity* pollent, grpc_auth_metadata_context context,
+    grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata,
+    grpc_error** error) {
+  grpc_credentials_mdelem_array_append(md_array, &md_array_);
   return true;
 }
 
-static void iam_cancel_get_request_metadata(
-    grpc_call_credentials* c, grpc_credentials_mdelem_array* md_array,
-    grpc_error* error) {
+void grpc_google_iam_credentials::cancel_get_request_metadata(
+    grpc_credentials_mdelem_array* md_array, grpc_error* error) {
   GRPC_ERROR_UNREF(error);
 }
 
-static grpc_call_credentials_vtable iam_vtable = {
-    iam_destruct, iam_get_request_metadata, iam_cancel_get_request_metadata};
+grpc_google_iam_credentials::grpc_google_iam_credentials(
+    const char* token, const char* authority_selector)
+    : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_IAM) {
+  grpc_mdelem md = grpc_mdelem_from_slices(
+      grpc_slice_from_static_string(GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY),
+      grpc_slice_from_copied_string(token));
+  grpc_credentials_mdelem_array_add(&md_array_, md);
+  GRPC_MDELEM_UNREF(md);
+  md = grpc_mdelem_from_slices(
+      grpc_slice_from_static_string(GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY),
+      grpc_slice_from_copied_string(authority_selector));
+  grpc_credentials_mdelem_array_add(&md_array_, md);
+  GRPC_MDELEM_UNREF(md);
+}
 
 grpc_call_credentials* grpc_google_iam_credentials_create(
     const char* token, const char* authority_selector, void* reserved) {
@@ -66,21 +72,7 @@ grpc_call_credentials* grpc_google_iam_credentials_create(
   GPR_ASSERT(reserved == nullptr);
   GPR_ASSERT(token != nullptr);
   GPR_ASSERT(authority_selector != nullptr);
-  grpc_google_iam_credentials* c =
-      static_cast<grpc_google_iam_credentials*>(gpr_zalloc(sizeof(*c)));
-  c->base.type = GRPC_CALL_CREDENTIALS_TYPE_IAM;
-  c->base.vtable = &iam_vtable;
-  gpr_ref_init(&c->base.refcount, 1);
-  grpc_mdelem md = grpc_mdelem_from_slices(
-      grpc_slice_from_static_string(GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY),
-      grpc_slice_from_copied_string(token));
-  grpc_credentials_mdelem_array_add(&c->md_array, md);
-  GRPC_MDELEM_UNREF(md);
-  md = grpc_mdelem_from_slices(
-      grpc_slice_from_static_string(GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY),
-      grpc_slice_from_copied_string(authority_selector));
-  grpc_credentials_mdelem_array_add(&c->md_array, md);
-  GRPC_MDELEM_UNREF(md);
-
-  return &c->base;
+  return grpc_core::MakeRefCounted<grpc_google_iam_credentials>(
+             token, authority_selector)
+      .release();
 }

data/src/core/lib/security/credentials/iam/iam_credentials.h

@@ -23,9 +23,23 @@
 
 #include "src/core/lib/security/credentials/credentials.h"
 
-typedef struct {
-  grpc_call_credentials base;
-  grpc_credentials_mdelem_array md_array;
-} grpc_google_iam_credentials;
+class grpc_google_iam_credentials : public grpc_call_credentials {
+ public:
+  grpc_google_iam_credentials(const char* token,
+                              const char* authority_selector);
+  ~grpc_google_iam_credentials() override;
+
+  bool get_request_metadata(grpc_polling_entity* pollent,
+                            grpc_auth_metadata_context context,
+                            grpc_credentials_mdelem_array* md_array,
+                            grpc_closure* on_request_metadata,
+                            grpc_error** error) override;
+
+  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
+                                   grpc_error* error) override;
+
+ private:
+  grpc_credentials_mdelem_array md_array_;
+};
 
 #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_IAM_IAM_CREDENTIALS_H */

data/src/core/lib/security/credentials/jwt/jwt_credentials.cc

@@ -23,6 +23,8 @@
 #include <inttypes.h>
 #include <string.h>
 
+#include "src/core/lib/gprpp/ref_counted.h"
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/surface/api_trace.h"
 
 #include <grpc/support/alloc.h>
@@ -30,71 +32,66 @@
 #include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 
-static void jwt_reset_cache(grpc_service_account_jwt_access_credentials* c) {
-  GRPC_MDELEM_UNREF(c->cached.jwt_md);
-  c->cached.jwt_md = GRPC_MDNULL;
-  if (c->cached.service_url != nullptr) {
-    gpr_free(c->cached.service_url);
-    c->cached.service_url = nullptr;
+void grpc_service_account_jwt_access_credentials::reset_cache() {
+  GRPC_MDELEM_UNREF(cached_.jwt_md);
+  cached_.jwt_md = GRPC_MDNULL;
+  if (cached_.service_url != nullptr) {
+    gpr_free(cached_.service_url);
+    cached_.service_url = nullptr;
   }
-  c->cached.jwt_expiration = gpr_inf_past(GPR_CLOCK_REALTIME);
+  cached_.jwt_expiration = gpr_inf_past(GPR_CLOCK_REALTIME);
 }
 
-static void jwt_destruct(grpc_call_credentials* creds) {
-  grpc_service_account_jwt_access_credentials* c =
-      reinterpret_cast<grpc_service_account_jwt_access_credentials*>(creds);
-  grpc_auth_json_key_destruct(&c->key);
-  jwt_reset_cache(c);
-  gpr_mu_destroy(&c->cache_mu);
+grpc_service_account_jwt_access_credentials::
+    ~grpc_service_account_jwt_access_credentials() {
+  grpc_auth_json_key_destruct(&key_);
+  reset_cache();
+  gpr_mu_destroy(&cache_mu_);
 }
 
-static bool jwt_get_request_metadata(grpc_call_credentials* creds,
-                                     grpc_polling_entity* pollent,
-                                     grpc_auth_metadata_context context,
-                                     grpc_credentials_mdelem_array* md_array,
-                                     grpc_closure* on_request_metadata,
-                                     grpc_error** error) {
-  grpc_service_account_jwt_access_credentials* c =
-      reinterpret_cast<grpc_service_account_jwt_access_credentials*>(creds);
+bool grpc_service_account_jwt_access_credentials::get_request_metadata(
+    grpc_polling_entity* pollent, grpc_auth_metadata_context context,
+    grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata,
+    grpc_error** error) {
   gpr_timespec refresh_threshold = gpr_time_from_seconds(
       GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN);
 
   /* See if we can return a cached jwt. */
   grpc_mdelem jwt_md = GRPC_MDNULL;
   {
-    gpr_mu_lock(&c->cache_mu);
-    if (c->cached.service_url != nullptr &&
-        strcmp(c->cached.service_url, context.service_url) == 0 &&
-        !GRPC_MDISNULL(c->cached.jwt_md) &&
-        (gpr_time_cmp(gpr_time_sub(c->cached.jwt_expiration,
-                                   gpr_now(GPR_CLOCK_REALTIME)),
-                      refresh_threshold) > 0)) {
-      jwt_md = GRPC_MDELEM_REF(c->cached.jwt_md);
+    gpr_mu_lock(&cache_mu_);
+    if (cached_.service_url != nullptr &&
+        strcmp(cached_.service_url, context.service_url) == 0 &&
+        !GRPC_MDISNULL(cached_.jwt_md) &&
+        (gpr_time_cmp(
+             gpr_time_sub(cached_.jwt_expiration, gpr_now(GPR_CLOCK_REALTIME)),
+             refresh_threshold) > 0)) {
+      jwt_md = GRPC_MDELEM_REF(cached_.jwt_md);
     }
-    gpr_mu_unlock(&c->cache_mu);
+    gpr_mu_unlock(&cache_mu_);
   }
 
   if (GRPC_MDISNULL(jwt_md)) {
     char* jwt = nullptr;
     /* Generate a new jwt. */
-    gpr_mu_lock(&c->cache_mu);
-    jwt_reset_cache(c);
-    jwt = grpc_jwt_encode_and_sign(&c->key, context.service_url,
-                                   c->jwt_lifetime, nullptr);
+    gpr_mu_lock(&cache_mu_);
+    reset_cache();
+    jwt = grpc_jwt_encode_and_sign(&key_, context.service_url, jwt_lifetime_,
+                                   nullptr);
     if (jwt != nullptr) {
       char* md_value;
       gpr_asprintf(&md_value, "Bearer %s", jwt);
       gpr_free(jwt);
-      c->cached.jwt_expiration =
-          gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), c->jwt_lifetime);
-      c->cached.service_url = gpr_strdup(context.service_url);
-      c->cached.jwt_md = grpc_mdelem_from_slices(
+      cached_.jwt_expiration =
+          gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), jwt_lifetime_);
+      cached_.service_url = gpr_strdup(context.service_url);
+      cached_.jwt_md = grpc_mdelem_from_slices(
           grpc_slice_from_static_string(GRPC_AUTHORIZATION_METADATA_KEY),
           grpc_slice_from_copied_string(md_value));
       gpr_free(md_value);
-      jwt_md = GRPC_MDELEM_REF(c->cached.jwt_md);
+      jwt_md = GRPC_MDELEM_REF(cached_.jwt_md);
     }
-    gpr_mu_unlock(&c->cache_mu);
+    gpr_mu_unlock(&cache_mu_);
   }
 
   if (!GRPC_MDISNULL(jwt_md)) {
@@ -106,29 +103,15 @@ static bool jwt_get_request_metadata(grpc_call_credentials* creds,
   return true;
 }
 
-static void jwt_cancel_get_request_metadata(
-    grpc_call_credentials* c, grpc_credentials_mdelem_array* md_array,
-    grpc_error* error) {
+void grpc_service_account_jwt_access_credentials::cancel_get_request_metadata(
+    grpc_credentials_mdelem_array* md_array, grpc_error* error) {
   GRPC_ERROR_UNREF(error);
 }
 
-static grpc_call_credentials_vtable jwt_vtable = {
-    jwt_destruct, jwt_get_request_metadata, jwt_cancel_get_request_metadata};
-
-grpc_call_credentials*
-grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
-    grpc_auth_json_key key, gpr_timespec token_lifetime) {
-  grpc_service_account_jwt_access_credentials* c;
-  if (!grpc_auth_json_key_is_valid(&key)) {
-    gpr_log(GPR_ERROR, "Invalid input for jwt credentials creation");
-    return nullptr;
-  }
-  c = static_cast<grpc_service_account_jwt_access_credentials*>(
-      gpr_zalloc(sizeof(grpc_service_account_jwt_access_credentials)));
-  c->base.type = GRPC_CALL_CREDENTIALS_TYPE_JWT;
-  gpr_ref_init(&c->base.refcount, 1);
-  c->base.vtable = &jwt_vtable;
-  c->key = key;
+grpc_service_account_jwt_access_credentials::
+    grpc_service_account_jwt_access_credentials(grpc_auth_json_key key,
+                                                gpr_timespec token_lifetime)
+    : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_JWT), key_(key) {
   gpr_timespec max_token_lifetime = grpc_max_auth_token_lifetime();
   if (gpr_time_cmp(token_lifetime, max_token_lifetime) > 0) {
     gpr_log(GPR_INFO,
@@ -136,10 +119,20 @@ grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
             static_cast<int>(max_token_lifetime.tv_sec));
     token_lifetime = grpc_max_auth_token_lifetime();
   }
-  c->jwt_lifetime = token_lifetime;
-  gpr_mu_init(&c->cache_mu);
-  jwt_reset_cache(c);
-  return &c->base;
+  jwt_lifetime_ = token_lifetime;
+  gpr_mu_init(&cache_mu_);
+  reset_cache();
+}
+
+grpc_core::RefCountedPtr<grpc_call_credentials>
+grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
+    grpc_auth_json_key key, gpr_timespec token_lifetime) {
+  if (!grpc_auth_json_key_is_valid(&key)) {
+    gpr_log(GPR_ERROR, "Invalid input for jwt credentials creation");
+    return nullptr;
+  }
+  return grpc_core::MakeRefCounted<grpc_service_account_jwt_access_credentials>(
+      key, token_lifetime);
 }
 
 static char* redact_private_key(const char* json_key) {
@@ -182,9 +175,7 @@ grpc_call_credentials* grpc_service_account_jwt_access_credentials_create(
   }
   GPR_ASSERT(reserved == nullptr);
   grpc_core::ExecCtx exec_ctx;
-  grpc_call_credentials* creds =
-      grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
-          grpc_auth_json_key_create_from_string(json_key), token_lifetime);
-
-  return creds;
+  return grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
+             grpc_auth_json_key_create_from_string(json_key), token_lifetime)
+      .release();
 }

data/src/core/lib/security/credentials/jwt/jwt_credentials.h

@@ -24,25 +24,44 @@
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/security/credentials/jwt/json_token.h"
 
-typedef struct {
-  grpc_call_credentials base;
+class grpc_service_account_jwt_access_credentials
+    : public grpc_call_credentials {
+ public:
+  grpc_service_account_jwt_access_credentials(grpc_auth_json_key key,
+                                              gpr_timespec token_lifetime);
+  ~grpc_service_account_jwt_access_credentials() override;
+
+  bool get_request_metadata(grpc_polling_entity* pollent,
+                            grpc_auth_metadata_context context,
+                            grpc_credentials_mdelem_array* md_array,
+                            grpc_closure* on_request_metadata,
+                            grpc_error** error) override;
+
+  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
+                                   grpc_error* error) override;
+
+  const gpr_timespec& jwt_lifetime() const { return jwt_lifetime_; }
+  const grpc_auth_json_key& key() const { return key_; }
+
+ private:
+  void reset_cache();
 
   // Have a simple cache for now with just 1 entry. We could have a map based on
   // the service_url for a more sophisticated one.
-  gpr_mu cache_mu;
+  gpr_mu cache_mu_;
   struct {
-    grpc_mdelem jwt_md;
-    char* service_url;
+    grpc_mdelem jwt_md = GRPC_MDNULL;
+    char* service_url = nullptr;
     gpr_timespec jwt_expiration;
-  } cached;
+  } cached_;
 
-  grpc_auth_json_key key;
-  gpr_timespec jwt_lifetime;
-} grpc_service_account_jwt_access_credentials;
+  grpc_auth_json_key key_;
+  gpr_timespec jwt_lifetime_;
+};
 
 // Private constructor for jwt credentials from an already parsed json key.
 // Takes ownership of the key.
-grpc_call_credentials*
+grpc_core::RefCountedPtr<grpc_call_credentials>
 grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
     grpc_auth_json_key key, gpr_timespec token_lifetime);
 

data/src/core/lib/security/credentials/jwt/jwt_verifier.cc

@@ -31,7 +31,9 @@
 #include <grpc/support/sync.h>
 
 extern "C" {
+#include <openssl/bn.h>
 #include <openssl/pem.h>
+#include <openssl/rsa.h>
 }
 
 #include "src/core/lib/gpr/string.h"

data/src/core/lib/security/credentials/local/local_credentials.cc

@@ -29,49 +29,36 @@
 
 #define GRPC_CREDENTIALS_TYPE_LOCAL "Local"
 
-static void local_credentials_destruct(grpc_channel_credentials* creds) {}
-
-static void local_server_credentials_destruct(grpc_server_credentials* creds) {}
-
-static grpc_security_status local_create_security_connector(
-    grpc_channel_credentials* creds,
-    grpc_call_credentials* request_metadata_creds, const char* target_name,
-    const grpc_channel_args* args, grpc_channel_security_connector** sc,
+grpc_core::RefCountedPtr<grpc_channel_security_connector>
+grpc_local_credentials::create_security_connector(
+    grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
+    const char* target_name, const grpc_channel_args* args,
     grpc_channel_args** new_args) {
   return grpc_local_channel_security_connector_create(
-      creds, request_metadata_creds, args, target_name, sc);
+      this->Ref(), std::move(request_metadata_creds), args, target_name);
 }
 
-static grpc_security_status local_server_create_security_connector(
-    grpc_server_credentials* creds, grpc_server_security_connector** sc) {
-  return grpc_local_server_security_connector_create(creds, sc);
+grpc_core::RefCountedPtr<grpc_server_security_connector>
+grpc_local_server_credentials::create_security_connector() {
+  return grpc_local_server_security_connector_create(this->Ref());
 }
 
-static const grpc_channel_credentials_vtable local_credentials_vtable = {
-    local_credentials_destruct, local_create_security_connector,
-    /*duplicate_without_call_credentials=*/nullptr};
-
-static const grpc_server_credentials_vtable local_server_credentials_vtable = {
-    local_server_credentials_destruct, local_server_create_security_connector};
+grpc_local_credentials::grpc_local_credentials(
+    grpc_local_connect_type connect_type)
+    : grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_LOCAL),
+      connect_type_(connect_type) {}
 
 grpc_channel_credentials* grpc_local_credentials_create(
     grpc_local_connect_type connect_type) {
-  auto creds = static_cast<grpc_local_credentials*>(
-      gpr_zalloc(sizeof(grpc_local_credentials)));
-  creds->connect_type = connect_type;
-  creds->base.type = GRPC_CREDENTIALS_TYPE_LOCAL;
-  creds->base.vtable = &local_credentials_vtable;
-  gpr_ref_init(&creds->base.refcount, 1);
-  return &creds->base;
+  return grpc_core::New<grpc_local_credentials>(connect_type);
 }
 
+grpc_local_server_credentials::grpc_local_server_credentials(
+    grpc_local_connect_type connect_type)
+    : grpc_server_credentials(GRPC_CREDENTIALS_TYPE_LOCAL),
+      connect_type_(connect_type) {}
+
 grpc_server_credentials* grpc_local_server_credentials_create(
     grpc_local_connect_type connect_type) {
-  auto creds = static_cast<grpc_local_server_credentials*>(
-      gpr_zalloc(sizeof(grpc_local_server_credentials)));
-  creds->connect_type = connect_type;
-  creds->base.type = GRPC_CREDENTIALS_TYPE_LOCAL;
-  creds->base.vtable = &local_server_credentials_vtable;
-  gpr_ref_init(&creds->base.refcount, 1);
-  return &creds->base;
+  return grpc_core::New<grpc_local_server_credentials>(connect_type);
 }