grpc 1.43.1 → 1.44.0.pre2

data/src/core/lib/security/authorization/rbac_policy.h

@@ -0,0 +1,170 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H
+#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H
+
+#include <grpc/support/port_platform.h>
+
+#include <memory>
+
+#include "src/core/lib/matchers/matchers.h"
+
+namespace grpc_core {
+
+// Represents Envoy RBAC Proto. [See
+// https://github.com/envoyproxy/envoy/blob/release/v1.17/api/envoy/config/rbac/v3/rbac.proto]
+struct Rbac {
+  enum class Action {
+    kAllow,
+    kDeny,
+  };
+
+  struct CidrRange {
+    CidrRange() = default;
+    CidrRange(std::string address_prefix, uint32_t prefix_len);
+
+    CidrRange(CidrRange&& other) noexcept;
+    CidrRange& operator=(CidrRange&& other) noexcept;
+
+    std::string ToString() const;
+
+    std::string address_prefix;
+    uint32_t prefix_len;
+  };
+
+  // TODO(ashithasantosh): Support for destination_port_range.
+  struct Permission {
+    enum class RuleType {
+      kAnd,
+      kOr,
+      kNot,
+      kAny,
+      kHeader,
+      kPath,
+      kDestIp,
+      kDestPort,
+      kMetadata,
+      kReqServerName,
+    };
+
+    static Permission MakeAndPermission(
+        std::vector<std::unique_ptr<Permission>> permissions);
+    static Permission MakeOrPermission(
+        std::vector<std::unique_ptr<Permission>> permissions);
+    static Permission MakeNotPermission(Permission permission);
+    static Permission MakeAnyPermission();
+    static Permission MakeHeaderPermission(HeaderMatcher header_matcher);
+    static Permission MakePathPermission(StringMatcher string_matcher);
+    static Permission MakeDestIpPermission(CidrRange ip);
+    static Permission MakeDestPortPermission(int port);
+    // All the other fields in MetadataMatcher are ignored except invert.
+    static Permission MakeMetadataPermission(bool invert);
+    static Permission MakeReqServerNamePermission(StringMatcher string_matcher);
+
+    Permission() = default;
+
+    Permission(Permission&& other) noexcept;
+    Permission& operator=(Permission&& other) noexcept;
+
+    std::string ToString() const;
+
+    RuleType type = RuleType::kAnd;
+    HeaderMatcher header_matcher;
+    StringMatcher string_matcher;
+    CidrRange ip;
+    int port;
+    // For type kAnd/kOr/kNot. For kNot type, the vector will have only one
+    // element.
+    std::vector<std::unique_ptr<Permission>> permissions;
+    // For kMetadata
+    bool invert = false;
+  };
+
+  struct Principal {
+    enum class RuleType {
+      kAnd,
+      kOr,
+      kNot,
+      kAny,
+      kPrincipalName,
+      kSourceIp,
+      kDirectRemoteIp,
+      kRemoteIp,
+      kHeader,
+      kPath,
+      kMetadata,
+    };
+
+    static Principal MakeAndPrincipal(
+        std::vector<std::unique_ptr<Principal>> principals);
+    static Principal MakeOrPrincipal(
+        std::vector<std::unique_ptr<Principal>> principals);
+    static Principal MakeNotPrincipal(Principal principal);
+    static Principal MakeAnyPrincipal();
+    static Principal MakeAuthenticatedPrincipal(StringMatcher string_matcher);
+    static Principal MakeSourceIpPrincipal(CidrRange ip);
+    static Principal MakeDirectRemoteIpPrincipal(CidrRange ip);
+    static Principal MakeRemoteIpPrincipal(CidrRange ip);
+    static Principal MakeHeaderPrincipal(HeaderMatcher header_matcher);
+    static Principal MakePathPrincipal(StringMatcher string_matcher);
+    // All the other fields in MetadataMatcher are ignored except invert.
+    static Principal MakeMetadataPrincipal(bool invert);
+
+    Principal() = default;
+
+    Principal(Principal&& other) noexcept;
+    Principal& operator=(Principal&& other) noexcept;
+
+    std::string ToString() const;
+
+    RuleType type = RuleType::kAnd;
+    HeaderMatcher header_matcher;
+    StringMatcher string_matcher;
+    CidrRange ip;
+    // For type kAnd/kOr/kNot. For kNot type, the vector will have only one
+    // element.
+    std::vector<std::unique_ptr<Principal>> principals;
+    // For kMetadata
+    bool invert = false;
+  };
+
+  struct Policy {
+    Policy() = default;
+    Policy(Permission permissions, Principal principals);
+
+    Policy(Policy&& other) noexcept;
+    Policy& operator=(Policy&& other) noexcept;
+
+    std::string ToString() const;
+
+    Permission permissions;
+    Principal principals;
+  };
+
+  Rbac() = default;
+  Rbac(Rbac::Action action, std::map<std::string, Policy> policies);
+
+  Rbac(Rbac&& other) noexcept;
+  Rbac& operator=(Rbac&& other) noexcept;
+
+  std::string ToString() const;
+
+  Action action;
+  std::map<std::string, Policy> policies;
+};
+
+}  // namespace grpc_core
+
+#endif /* GRPC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H */

data/src/core/lib/security/context/security_context.cc

@@ -29,9 +29,9 @@
 
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/gpr/string.h"
-#include "src/core/lib/gprpp/arena.h"
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/resource_quota/arena.h"
 #include "src/core/lib/surface/api_trace.h"
 #include "src/core/lib/surface/call.h"
 
@@ -235,7 +235,9 @@ void grpc_auth_context::add_property(const char* name, const char* value,
   grpc_auth_property* prop = &properties_.array[properties_.count++];
   prop->name = gpr_strdup(name);
   prop->value = static_cast<char*>(gpr_malloc(value_length + 1));
-  memcpy(prop->value, value, value_length);
+  if (value != nullptr) {
+    memcpy(prop->value, value, value_length);
+  }
   prop->value[value_length] = '\0';
   prop->value_length = value_length;
 }

data/src/core/lib/security/context/security_context.h

@@ -21,10 +21,10 @@
 
 #include <grpc/support/port_platform.h>
 
-#include "src/core/lib/gprpp/arena.h"
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/iomgr/pollset.h"
+#include "src/core/lib/resource_quota/arena.h"
 #include "src/core/lib/security/credentials/credentials.h"
 
 extern grpc_core::DebugOnlyTraceFlag grpc_trace_auth_context_refcount;

data/src/core/lib/security/credentials/composite/composite_credentials.cc

@@ -44,7 +44,7 @@ struct grpc_composite_call_credentials_metadata_context {
   grpc_composite_call_credentials_metadata_context(
       grpc_composite_call_credentials* composite_creds,
       grpc_polling_entity* pollent, grpc_auth_metadata_context auth_md_context,
-      grpc_credentials_mdelem_array* md_array,
+      grpc_core::CredentialsMetadataArray* md_array,
       grpc_closure* on_request_metadata)
       : composite_creds(composite_creds),
         pollent(pollent),
@@ -59,7 +59,7 @@ struct grpc_composite_call_credentials_metadata_context {
   size_t creds_index = 0;
   grpc_polling_entity* pollent;
   grpc_auth_metadata_context auth_md_context;
-  grpc_credentials_mdelem_array* md_array;
+  grpc_core::CredentialsMetadataArray* md_array;
   grpc_closure* on_request_metadata;
   grpc_closure internal_on_request_metadata;
 };
@@ -91,8 +91,8 @@ static void composite_call_metadata_cb(void* arg, grpc_error_handle error) {
 
 bool grpc_composite_call_credentials::get_request_metadata(
     grpc_polling_entity* pollent, grpc_auth_metadata_context auth_md_context,
-    grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata,
-    grpc_error_handle* error) {
+    grpc_core::CredentialsMetadataArray* md_array,
+    grpc_closure* on_request_metadata, grpc_error_handle* error) {
   grpc_composite_call_credentials_metadata_context* ctx;
   ctx = new grpc_composite_call_credentials_metadata_context(
       this, pollent, auth_md_context, md_array, on_request_metadata);
@@ -113,7 +113,7 @@ bool grpc_composite_call_credentials::get_request_metadata(
 }
 
 void grpc_composite_call_credentials::cancel_get_request_metadata(
-    grpc_credentials_mdelem_array* md_array, grpc_error_handle error) {
+    grpc_core::CredentialsMetadataArray* md_array, grpc_error_handle error) {
   for (size_t i = 0; i < inner_.size(); ++i) {
     inner_[i]->cancel_get_request_metadata(md_array, GRPC_ERROR_REF(error));
   }

data/src/core/lib/security/credentials/composite/composite_credentials.h

@@ -81,12 +81,13 @@ class grpc_composite_call_credentials : public grpc_call_credentials {
 
   bool get_request_metadata(grpc_polling_entity* pollent,
                             grpc_auth_metadata_context context,
-                            grpc_credentials_mdelem_array* md_array,
+                            grpc_core::CredentialsMetadataArray* md_array,
                             grpc_closure* on_request_metadata,
                             grpc_error_handle* error) override;
 
-  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
-                                   grpc_error_handle error) override;
+  void cancel_get_request_metadata(
+      grpc_core::CredentialsMetadataArray* md_array,
+      grpc_error_handle error) override;
 
   grpc_security_level min_security_level() const override {
     return min_security_level_;

data/src/core/lib/security/credentials/credentials.h

@@ -153,21 +153,11 @@ grpc_channel_credentials* grpc_channel_credentials_from_arg(
 grpc_channel_credentials* grpc_channel_credentials_find_in_args(
     const grpc_channel_args* args);
 
-/* --- grpc_credentials_mdelem_array. --- */
+/* --- grpc_core::CredentialsMetadataArray. --- */
 
-struct grpc_credentials_mdelem_array {
-  grpc_mdelem* md = nullptr;
-  size_t size = 0;
-};
-/// Takes a new ref to \a md.
-void grpc_credentials_mdelem_array_add(grpc_credentials_mdelem_array* list,
-                                       grpc_mdelem md);
-
-/// Appends all elements from \a src to \a dst, taking a new ref to each one.
-void grpc_credentials_mdelem_array_append(grpc_credentials_mdelem_array* dst,
-                                          grpc_credentials_mdelem_array* src);
-
-void grpc_credentials_mdelem_array_destroy(grpc_credentials_mdelem_array* list);
+namespace grpc_core {
+using CredentialsMetadataArray = std::vector<std::pair<Slice, Slice>>;
+}
 
 /* --- grpc_call_credentials. --- */
 
@@ -188,17 +178,17 @@ struct grpc_call_credentials
   // be set to indicate the result.  Otherwise, \a on_request_metadata will
   // be invoked asynchronously when complete.  \a md_array will be populated
   // with the resulting metadata once complete.
-  virtual bool get_request_metadata(grpc_polling_entity* pollent,
-                                    grpc_auth_metadata_context context,
-                                    grpc_credentials_mdelem_array* md_array,
-                                    grpc_closure* on_request_metadata,
-                                    grpc_error_handle* error) = 0;
+  virtual bool get_request_metadata(
+      grpc_polling_entity* pollent, grpc_auth_metadata_context context,
+      grpc_core::CredentialsMetadataArray* md_array,
+      grpc_closure* on_request_metadata, grpc_error_handle* error) = 0;
 
   // Cancels a pending asynchronous operation started by
   // grpc_call_credentials_get_request_metadata() with the corresponding
   // value of \a md_array.
   virtual void cancel_get_request_metadata(
-      grpc_credentials_mdelem_array* md_array, grpc_error_handle error) = 0;
+      grpc_core::CredentialsMetadataArray* md_array,
+      grpc_error_handle error) = 0;
 
   virtual grpc_security_level min_security_level() const {
     return min_security_level_;

data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc

@@ -169,9 +169,8 @@ void AwsExternalAccountCredentials::RetrieveRegion() {
   grpc_http_response_destroy(&ctx_->response);
   ctx_->response = {};
   GRPC_CLOSURE_INIT(&ctx_->closure, OnRetrieveRegion, this, nullptr);
-  grpc_httpcli_get(ctx_->httpcli_context, ctx_->pollent,
-                   ResourceQuota::Default(), &request, ctx_->deadline,
-                   &ctx_->closure, &ctx_->response);
+  grpc_httpcli_get(ctx_->pollent, ResourceQuota::Default(), &request,
+                   ctx_->deadline, &ctx_->closure, &ctx_->response);
   grpc_http_request_destroy(&request.http);
 }
 
@@ -217,9 +216,8 @@ void AwsExternalAccountCredentials::RetrieveRoleName() {
   ctx_->response = {};
   GRPC_CLOSURE_INIT(&ctx_->closure, OnRetrieveRoleName, this, nullptr);
   // TODO(ctiller): use the caller's resource quota.
-  grpc_httpcli_get(ctx_->httpcli_context, ctx_->pollent,
-                   ResourceQuota::Default(), &request, ctx_->deadline,
-                   &ctx_->closure, &ctx_->response);
+  grpc_httpcli_get(ctx_->pollent, ResourceQuota::Default(), &request,
+                   ctx_->deadline, &ctx_->closure, &ctx_->response);
   grpc_http_request_destroy(&request.http);
 }
 
@@ -277,9 +275,8 @@ void AwsExternalAccountCredentials::RetrieveSigningKeys() {
   ctx_->response = {};
   GRPC_CLOSURE_INIT(&ctx_->closure, OnRetrieveSigningKeys, this, nullptr);
   // TODO(ctiller): use the caller's resource quota.
-  grpc_httpcli_get(ctx_->httpcli_context, ctx_->pollent,
-                   ResourceQuota::Default(), &request, ctx_->deadline,
-                   &ctx_->closure, &ctx_->response);
+  grpc_httpcli_get(ctx_->pollent, ResourceQuota::Default(), &request,
+                   ctx_->deadline, &ctx_->closure, &ctx_->response);
   grpc_http_request_destroy(&request.http);
 }
 

data/src/core/lib/security/credentials/external/external_account_credentials.cc

@@ -237,10 +237,10 @@ std::string ExternalAccountCredentials::debug_string() {
 // down.
 void ExternalAccountCredentials::fetch_oauth2(
     grpc_credentials_metadata_request* metadata_req,
-    grpc_httpcli_context* httpcli_context, grpc_polling_entity* pollent,
-    grpc_iomgr_cb_func response_cb, grpc_millis deadline) {
+    grpc_polling_entity* pollent, grpc_iomgr_cb_func response_cb,
+    grpc_millis deadline) {
   GPR_ASSERT(ctx_ == nullptr);
-  ctx_ = new HTTPRequestContext(httpcli_context, pollent, deadline);
+  ctx_ = new HTTPRequestContext(pollent, deadline);
   metadata_req_ = metadata_req;
   response_cb_ = response_cb;
   auto cb = [this](std::string token, grpc_error_handle error) {
@@ -326,9 +326,8 @@ void ExternalAccountCredentials::ExchangeToken(
   grpc_http_response_destroy(&ctx_->response);
   ctx_->response = {};
   GRPC_CLOSURE_INIT(&ctx_->closure, OnExchangeToken, this, nullptr);
-  grpc_httpcli_post(ctx_->httpcli_context, ctx_->pollent,
-                    ResourceQuota::Default(), &request, body.c_str(),
-                    body.size(), ctx_->deadline, &ctx_->closure,
+  grpc_httpcli_post(ctx_->pollent, ResourceQuota::Default(), &request,
+                    body.c_str(), body.size(), ctx_->deadline, &ctx_->closure,
                     &ctx_->response);
   grpc_http_request_destroy(&request.http);
 }
@@ -412,9 +411,8 @@ void ExternalAccountCredentials::ImpersenateServiceAccount() {
   ctx_->response = {};
   GRPC_CLOSURE_INIT(&ctx_->closure, OnImpersenateServiceAccount, this, nullptr);
   // TODO(ctiller): Use the callers resource quota.
-  grpc_httpcli_post(ctx_->httpcli_context, ctx_->pollent,
-                    ResourceQuota::Default(), &request, body.c_str(),
-                    body.size(), ctx_->deadline, &ctx_->closure,
+  grpc_httpcli_post(ctx_->pollent, ResourceQuota::Default(), &request,
+                    body.c_str(), body.size(), ctx_->deadline, &ctx_->closure,
                     &ctx_->response);
   grpc_http_request_destroy(&request.http);
 }

data/src/core/lib/security/credentials/external/external_account_credentials.h

@@ -61,16 +61,12 @@ class ExternalAccountCredentials
   // This is a helper struct to pass information between multiple callback based
   // asynchronous calls.
   struct HTTPRequestContext {
-    HTTPRequestContext(grpc_httpcli_context* httpcli_context,
-                       grpc_polling_entity* pollent, grpc_millis deadline)
-        : httpcli_context(httpcli_context),
-          pollent(pollent),
-          deadline(deadline) {}
+    HTTPRequestContext(grpc_polling_entity* pollent, grpc_millis deadline)
+        : pollent(pollent), deadline(deadline) {}
     ~HTTPRequestContext() { grpc_http_response_destroy(&response); }
 
     // Contextual parameters passed from
     // grpc_oauth2_token_fetcher_credentials::fetch_oauth2().
-    grpc_httpcli_context* httpcli_context;
     grpc_polling_entity* pollent;
     grpc_millis deadline;
 
@@ -92,7 +88,6 @@ class ExternalAccountCredentials
   // This method implements the common token fetch logic and it will be called
   // when grpc_oauth2_token_fetcher_credentials request a new access token.
   void fetch_oauth2(grpc_credentials_metadata_request* req,
-                    grpc_httpcli_context* httpcli_context,
                     grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
                     grpc_millis deadline) override;
 

data/src/core/lib/security/credentials/external/url_external_account_credentials.cc

@@ -142,9 +142,8 @@ void UrlExternalAccountCredentials::RetrieveSubjectToken(
   grpc_http_response_destroy(&ctx_->response);
   ctx_->response = {};
   GRPC_CLOSURE_INIT(&ctx_->closure, OnRetrieveSubjectToken, this, nullptr);
-  grpc_httpcli_get(ctx_->httpcli_context, ctx_->pollent,
-                   ResourceQuota::Default(), &request, ctx_->deadline,
-                   &ctx_->closure, &ctx_->response);
+  grpc_httpcli_get(ctx_->pollent, ResourceQuota::Default(), &request,
+                   ctx_->deadline, &ctx_->closure, &ctx_->response);
   grpc_http_request_destroy(&request.http);
 }
 

data/src/core/lib/security/credentials/fake/fake_credentials.cc

@@ -91,9 +91,9 @@ const char* grpc_fake_transport_get_expected_targets(
 
 bool grpc_md_only_test_credentials::get_request_metadata(
     grpc_polling_entity* /*pollent*/, grpc_auth_metadata_context /*context*/,
-    grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata,
-    grpc_error_handle* /*error*/) {
-  grpc_credentials_mdelem_array_add(md_array, md_);
+    grpc_core::CredentialsMetadataArray* md_array,
+    grpc_closure* on_request_metadata, grpc_error_handle* /*error*/) {
+  md_array->emplace_back(key_.Ref(), value_.Ref());
   if (is_async_) {
     grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_request_metadata,
                             GRPC_ERROR_NONE);
@@ -103,7 +103,8 @@ bool grpc_md_only_test_credentials::get_request_metadata(
 }
 
 void grpc_md_only_test_credentials::cancel_get_request_metadata(
-    grpc_credentials_mdelem_array* /*md_array*/, grpc_error_handle error) {
+    grpc_core::CredentialsMetadataArray* /*md_array*/,
+    grpc_error_handle error) {
   GRPC_ERROR_UNREF(error);
 }
 

data/src/core/lib/security/credentials/fake/fake_credentials.h

@@ -63,24 +63,25 @@ class grpc_md_only_test_credentials : public grpc_call_credentials {
                                 bool is_async)
       : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2,
                               GRPC_SECURITY_NONE),
-        md_(grpc_mdelem_from_slices(grpc_slice_from_copied_string(md_key),
-                                    grpc_slice_from_copied_string(md_value))),
+        key_(grpc_core::Slice::FromCopiedString(md_key)),
+        value_(grpc_core::Slice::FromCopiedString(md_value)),
         is_async_(is_async) {}
-  ~grpc_md_only_test_credentials() override { GRPC_MDELEM_UNREF(md_); }
 
   bool get_request_metadata(grpc_polling_entity* pollent,
                             grpc_auth_metadata_context context,
-                            grpc_credentials_mdelem_array* md_array,
+                            grpc_core::CredentialsMetadataArray* md_array,
                             grpc_closure* on_request_metadata,
                             grpc_error_handle* error) override;
 
-  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
-                                   grpc_error_handle error) override;
+  void cancel_get_request_metadata(
+      grpc_core::CredentialsMetadataArray* md_array,
+      grpc_error_handle error) override;
 
   std::string debug_string() override { return "MD only Test Credentials"; };
 
  private:
-  grpc_mdelem md_;
+  grpc_core::Slice key_;
+  grpc_core::Slice value_;
   bool is_async_;
 };
 

data/src/core/lib/security/credentials/google_default/google_default_credentials.cc

@@ -172,7 +172,6 @@ static void destroy_pollset(void* p, grpc_error_handle /*e*/) {
 static int is_metadata_server_reachable() {
   metadata_server_detector detector;
   grpc_httpcli_request request;
-  grpc_httpcli_context context;
   grpc_closure destroy_closure;
   /* The http call is local. If it takes more than one sec, it is for sure not
      on compute engine. */
@@ -186,10 +185,9 @@ static int is_metadata_server_reachable() {
   memset(&request, 0, sizeof(grpc_httpcli_request));
   request.host = const_cast<char*>(GRPC_COMPUTE_ENGINE_DETECTION_HOST);
   request.http.path = const_cast<char*>("/");
-  grpc_httpcli_context_init(&context);
   grpc_httpcli_get(
-      &context, &detector.pollent, grpc_core::ResourceQuota::Default(),
-      &request, grpc_core::ExecCtx::Get()->Now() + max_detection_delay,
+      &detector.pollent, grpc_core::ResourceQuota::Default(), &request,
+      grpc_core::ExecCtx::Get()->Now() + max_detection_delay,
       GRPC_CLOSURE_CREATE(on_metadata_server_detection_http_response, &detector,
                           grpc_schedule_on_exec_ctx),
       &detector.response);
@@ -208,7 +206,6 @@ static int is_metadata_server_reachable() {
     }
   }
   gpr_mu_unlock(g_polling_mu);
-  grpc_httpcli_context_destroy(&context);
   GRPC_CLOSURE_INIT(&destroy_closure, destroy_pollset,
                     grpc_polling_entity_pollset(&detector.pollent),
                     grpc_schedule_on_exec_ctx);

data/src/core/lib/security/credentials/iam/iam_credentials.cc

@@ -30,40 +30,37 @@
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/surface/api_trace.h"
 
-grpc_google_iam_credentials::~grpc_google_iam_credentials() {
-  grpc_credentials_mdelem_array_destroy(&md_array_);
-}
-
 bool grpc_google_iam_credentials::get_request_metadata(
     grpc_polling_entity* /*pollent*/, grpc_auth_metadata_context /*context*/,
-    grpc_credentials_mdelem_array* md_array,
+    grpc_core::CredentialsMetadataArray* md_array,
     grpc_closure* /*on_request_metadata*/, grpc_error_handle* /*error*/) {
-  grpc_credentials_mdelem_array_append(md_array, &md_array_);
+  if (token_.has_value()) {
+    md_array->emplace_back(grpc_core::Slice::FromStaticString(
+                               GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY),
+                           token_->Ref());
+  }
+  md_array->emplace_back(grpc_core::Slice::FromStaticString(
+                             GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY),
+                         authority_selector_.Ref());
   return true;
 }
 
 void grpc_google_iam_credentials::cancel_get_request_metadata(
-    grpc_credentials_mdelem_array* /*md_array*/, grpc_error_handle error) {
+    grpc_core::CredentialsMetadataArray* /*md_array*/,
+    grpc_error_handle error) {
   GRPC_ERROR_UNREF(error);
 }
 
 grpc_google_iam_credentials::grpc_google_iam_credentials(
     const char* token, const char* authority_selector)
     : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_IAM),
+      token_(token == nullptr ? absl::optional<grpc_core::Slice>()
+                              : grpc_core::Slice::FromCopiedString(token)),
+      authority_selector_(
+          grpc_core::Slice::FromCopiedString(authority_selector)),
       debug_string_(absl::StrFormat(
           "GoogleIAMCredentials{Token:%s,AuthoritySelector:%s}",
-          token != nullptr ? "present" : "absent", authority_selector)) {
-  grpc_mdelem md = grpc_mdelem_from_slices(
-      grpc_slice_from_static_string(GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY),
-      grpc_slice_from_copied_string(token));
-  grpc_credentials_mdelem_array_add(&md_array_, md);
-  GRPC_MDELEM_UNREF(md);
-  md = grpc_mdelem_from_slices(
-      grpc_slice_from_static_string(GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY),
-      grpc_slice_from_copied_string(authority_selector));
-  grpc_credentials_mdelem_array_add(&md_array_, md);
-  GRPC_MDELEM_UNREF(md);
-}
+          token != nullptr ? "present" : "absent", authority_selector)) {}
 
 grpc_call_credentials* grpc_google_iam_credentials_create(
     const char* token, const char* authority_selector, void* reserved) {

data/src/core/lib/security/credentials/iam/iam_credentials.h

@@ -29,20 +29,21 @@ class grpc_google_iam_credentials : public grpc_call_credentials {
  public:
   grpc_google_iam_credentials(const char* token,
                               const char* authority_selector);
-  ~grpc_google_iam_credentials() override;
 
   bool get_request_metadata(grpc_polling_entity* pollent,
                             grpc_auth_metadata_context context,
-                            grpc_credentials_mdelem_array* md_array,
+                            grpc_core::CredentialsMetadataArray* md_array,
                             grpc_closure* on_request_metadata,
                             grpc_error_handle* error) override;
 
-  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
-                                   grpc_error_handle error) override;
+  void cancel_get_request_metadata(
+      grpc_core::CredentialsMetadataArray* md_array,
+      grpc_error_handle error) override;
   std::string debug_string() override { return debug_string_; }
 
  private:
-  grpc_credentials_mdelem_array md_array_;
+  const absl::optional<grpc_core::Slice> token_;
+  const grpc_core::Slice authority_selector_;
   const std::string debug_string_;
 };
 

data/src/core/lib/security/credentials/jwt/json_token.cc

@@ -22,6 +22,10 @@
 
 #include <string.h>
 
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
 #include <grpc/grpc_security.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
@@ -33,12 +37,6 @@
 #include "src/core/lib/security/util/json_util.h"
 #include "src/core/lib/slice/b64.h"
 
-extern "C" {
-#include <openssl/bio.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-}
-
 using grpc_core::Json;
 
 /* --- Constants. --- */