grpc 1.55.0 → 1.56.2

data/src/core/lib/security/certificate_provider/certificate_provider_factory.h

@@ -23,12 +23,15 @@
 
 #include <string>
 
+#include "absl/strings/string_view.h"
+
 #include <grpc/grpc_security.h>
 
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
-#include "src/core/lib/iomgr/error.h"
+#include "src/core/lib/gprpp/validation_errors.h"
 #include "src/core/lib/json/json.h"
+#include "src/core/lib/json/json_args.h"
 
 namespace grpc_core {
 
@@ -43,7 +46,7 @@ class CertificateProviderFactory {
 
     // Name of the type of the CertificateProvider. Unique to each type of
     // config.
-    virtual const char* name() const = 0;
+    virtual absl::string_view name() const = 0;
 
     virtual std::string ToString() const = 0;
   };
@@ -51,10 +54,11 @@ class CertificateProviderFactory {
   virtual ~CertificateProviderFactory() = default;
 
   // Name of the plugin.
-  virtual const char* name() const = 0;
+  virtual absl::string_view name() const = 0;
 
   virtual RefCountedPtr<Config> CreateCertificateProviderConfig(
-      const Json& config_json, grpc_error_handle* error) = 0;
+      const Json& config_json, const JsonArgs& args,
+      ValidationErrors* errors) = 0;
 
   // Create a CertificateProvider instance from config.
   virtual RefCountedPtr<grpc_tls_certificate_provider>

data/src/core/lib/security/certificate_provider/certificate_provider_registry.cc

@@ -20,11 +20,8 @@
 
 #include "src/core/lib/security/certificate_provider/certificate_provider_registry.h"
 
-#include <string.h>
-
-#include <algorithm>
+#include <string>
 #include <utility>
-#include <vector>
 
 #include <grpc/support/log.h>
 
@@ -32,29 +29,22 @@ namespace grpc_core {
 
 void CertificateProviderRegistry::Builder::RegisterCertificateProviderFactory(
     std::unique_ptr<CertificateProviderFactory> factory) {
+  absl::string_view name = factory->name();
   gpr_log(GPR_DEBUG, "registering certificate provider factory for \"%s\"",
-          factory->name());
-  for (size_t i = 0; i < factories_.size(); ++i) {
-    GPR_ASSERT(strcmp(factories_[i]->name(), factory->name()) != 0);
-  }
-  factories_.push_back(std::move(factory));
+          std::string(name).c_str());
+  GPR_ASSERT(factories_.emplace(name, std::move(factory)).second);
 }
 
 CertificateProviderRegistry CertificateProviderRegistry::Builder::Build() {
-  CertificateProviderRegistry r;
-  r.factories_ = std::move(factories_);
-  return r;
+  return CertificateProviderRegistry(std::move(factories_));
 }
 
 CertificateProviderFactory*
 CertificateProviderRegistry::LookupCertificateProviderFactory(
     absl::string_view name) const {
-  for (size_t i = 0; i < factories_.size(); ++i) {
-    if (name == factories_[i]->name()) {
-      return factories_[i].get();
-    }
-  }
-  return nullptr;
+  auto it = factories_.find(name);
+  if (it == factories_.end()) return nullptr;
+  return it->second.get();
 }
 
 }  // namespace grpc_core

data/src/core/lib/security/certificate_provider/certificate_provider_registry.h

@@ -21,8 +21,9 @@
 
 #include <grpc/support/port_platform.h>
 
+#include <map>
 #include <memory>
-#include <vector>
+#include <utility>
 
 #include "absl/strings/string_view.h"
 
@@ -32,20 +33,24 @@ namespace grpc_core {
 
 // Global registry for all the certificate provider plugins.
 class CertificateProviderRegistry {
+ private:
+  using FactoryMap =
+      std::map<absl::string_view, std::unique_ptr<CertificateProviderFactory>>;
+
  public:
   class Builder {
    public:
-    // Register a provider with the registry. Can only be called after calling
-    // InitRegistry(). The key of the factory is extracted from factory
-    // parameter with method CertificateProviderFactory::name. If the same key
-    // is registered twice, an exception is raised.
+    // Register a provider with the registry. The key of the factory is
+    // extracted from factory parameter with method
+    // CertificateProviderFactory::name. The registry with a given name
+    // cannot be registered twice.
     void RegisterCertificateProviderFactory(
         std::unique_ptr<CertificateProviderFactory> factory);
 
     CertificateProviderRegistry Build();
 
    private:
-    std::vector<std::unique_ptr<CertificateProviderFactory>> factories_;
+    FactoryMap factories_;
   };
 
   CertificateProviderRegistry(const CertificateProviderRegistry&) = delete;
@@ -60,9 +65,10 @@ class CertificateProviderRegistry {
       absl::string_view name) const;
 
  private:
-  CertificateProviderRegistry() = default;
+  explicit CertificateProviderRegistry(FactoryMap factories)
+      : factories_(std::move(factories)) {}
 
-  std::vector<std::unique_ptr<CertificateProviderFactory>> factories_;
+  FactoryMap factories_;
 };
 
 }  // namespace grpc_core

data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc

@@ -34,6 +34,7 @@
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpc/support/alloc.h>
+#include <grpc/support/json.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 
@@ -487,19 +488,25 @@ void AwsExternalAccountCredentials::BuildSubjectToken() {
   }
   // Construct subject token
   Json::Array headers;
-  headers.push_back(Json(
-      {{"key", "Authorization"}, {"value", signed_headers["Authorization"]}}));
-  headers.push_back(Json({{"key", "host"}, {"value", signed_headers["host"]}}));
+  headers.push_back(Json::FromObject(
+      {{"key", Json::FromString("Authorization")},
+       {"value", Json::FromString(signed_headers["Authorization"])}}));
   headers.push_back(
-      Json({{"key", "x-amz-date"}, {"value", signed_headers["x-amz-date"]}}));
-  headers.push_back(Json({{"key", "x-amz-security-token"},
-                          {"value", signed_headers["x-amz-security-token"]}}));
-  headers.push_back(
-      Json({{"key", "x-goog-cloud-target-resource"}, {"value", audience_}}));
-  Json::Object object{{"url", Json(cred_verification_url_)},
-                      {"method", Json("POST")},
-                      {"headers", Json(headers)}};
-  Json subject_token_json(object);
+      Json::FromObject({{"key", Json::FromString("host")},
+                        {"value", Json::FromString(signed_headers["host"])}}));
+  headers.push_back(Json::FromObject(
+      {{"key", Json::FromString("x-amz-date")},
+       {"value", Json::FromString(signed_headers["x-amz-date"])}}));
+  headers.push_back(Json::FromObject(
+      {{"key", Json::FromString("x-amz-security-token")},
+       {"value", Json::FromString(signed_headers["x-amz-security-token"])}}));
+  headers.push_back(Json::FromObject(
+      {{"key", Json::FromString("x-goog-cloud-target-resource")},
+       {"value", Json::FromString(audience_)}}));
+  Json subject_token_json =
+      Json::FromObject({{"url", Json::FromString(cred_verification_url_)},
+                        {"method", Json::FromString("POST")},
+                        {"headers", Json::FromArray(headers)}});
   std::string subject_token = UrlEncode(JsonDump(subject_token_json));
   FinishRetrieveSubjectToken(subject_token, absl::OkStatus());
 }

data/src/core/lib/security/credentials/external/external_account_credentials.cc

@@ -40,6 +40,7 @@
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpc/support/alloc.h>
+#include <grpc/support/json.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 
@@ -328,9 +329,10 @@ void ExternalAccountCredentials::ExchangeToken(
   Json::Object addtional_options_json_object;
   if (options_.client_id.empty() && options_.client_secret.empty()) {
     addtional_options_json_object["userProject"] =
-        options_.workforce_pool_user_project;
+        Json::FromString(options_.workforce_pool_user_project);
   }
-  Json addtional_options_json(std::move(addtional_options_json_object));
+  Json addtional_options_json =
+      Json::FromObject(std::move(addtional_options_json_object));
   body_parts.push_back(absl::StrFormat(
       "options=%s", UrlEncode(JsonDump(addtional_options_json)).c_str()));
   std::string body = absl::StrJoin(body_parts, "&");

data/src/core/lib/security/credentials/external/file_external_account_credentials.cc

@@ -25,6 +25,7 @@
 #include "absl/strings/string_view.h"
 
 #include <grpc/slice.h>
+#include <grpc/support/json.h>
 
 #include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/json/json.h"

data/src/core/lib/security/credentials/external/url_external_account_credentials.cc

@@ -33,6 +33,7 @@
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpc/support/alloc.h>
+#include <grpc/support/json.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 

data/src/core/lib/security/credentials/google_default/google_default_credentials.cc

@@ -34,6 +34,7 @@
 #include <grpc/grpc_security_constants.h>
 #include <grpc/slice.h>
 #include <grpc/support/alloc.h>
+#include <grpc/support/json.h>
 #include <grpc/support/log.h>
 #include <grpc/support/sync.h>
 

data/src/core/lib/security/credentials/jwt/json_token.cc

@@ -36,6 +36,7 @@
 
 #include <grpc/grpc_security.h>
 #include <grpc/support/alloc.h>
+#include <grpc/support/json.h>
 #include <grpc/support/log.h>
 #include <grpc/support/time.h>
 
@@ -165,12 +166,12 @@ void grpc_auth_json_key_destruct(grpc_auth_json_key* json_key) {
 // --- jwt encoding and signature. ---
 
 static char* encoded_jwt_header(const char* key_id, const char* algorithm) {
-  Json json = Json::Object{
-      {"alg", algorithm},
-      {"typ", GRPC_JWT_TYPE},
-      {"kid", key_id},
-  };
-  std::string json_str = JsonDump(json);
+  Json json = Json::FromObject({
+      {"alg", Json::FromString(algorithm)},
+      {"typ", Json::FromString(GRPC_JWT_TYPE)},
+      {"kid", Json::FromString(key_id)},
+  });
+  std::string json_str = grpc_core::JsonDump(json);
   return grpc_base64_encode(json_str.c_str(), json_str.size(), 1, 0);
 }
 
@@ -185,20 +186,20 @@ static char* encoded_jwt_claim(const grpc_auth_json_key* json_key,
   }
 
   Json::Object object = {
-      {"iss", json_key->client_email},
-      {"aud", audience},
-      {"iat", now.tv_sec},
-      {"exp", expiration.tv_sec},
+      {"iss", Json::FromString(json_key->client_email)},
+      {"aud", Json::FromString(audience)},
+      {"iat", Json::FromNumber(now.tv_sec)},
+      {"exp", Json::FromNumber(expiration.tv_sec)},
   };
   if (scope != nullptr) {
-    object["scope"] = scope;
+    object["scope"] = Json::FromString(scope);
   } else {
     // Unscoped JWTs need a sub field.
-    object["sub"] = json_key->client_email;
+    object["sub"] = Json::FromString(json_key->client_email);
   }
 
-  Json json(object);
-  std::string json_str = JsonDump(json);
+  std::string json_str =
+      grpc_core::JsonDump(Json::FromObject(std::move(object)));
   return grpc_base64_encode(json_str.c_str(), json_str.size(), 1, 0);
 }
 

data/src/core/lib/security/credentials/jwt/jwt_credentials.cc

@@ -30,6 +30,7 @@
 #include "absl/strings/str_cat.h"
 
 #include <grpc/support/alloc.h>
+#include <grpc/support/json.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
@@ -145,9 +146,10 @@ static char* redact_private_key(const char* json_key) {
     return gpr_strdup("<Json failed to parse.>");
   }
   Json::Object object = json->object();
-  object["private_key"] = "<redacted>";
+  object["private_key"] = Json::FromString("<redacted>");
   return gpr_strdup(
-      grpc_core::JsonDump(Json(std::move(object)), /*indent=*/2).c_str());
+      grpc_core::JsonDump(Json::FromObject(std::move(object)), /*indent=*/2)
+          .c_str());
 }
 
 grpc_call_credentials* grpc_service_account_jwt_access_credentials_create(

data/src/core/lib/security/credentials/jwt/jwt_verifier.cc

@@ -45,6 +45,7 @@
 #include <grpc/grpc.h>
 #include <grpc/slice.h>
 #include <grpc/support/alloc.h>
+#include <grpc/support/json.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 #include <grpc/support/time.h>

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc

@@ -39,6 +39,7 @@
 #include <grpc/grpc_security.h>
 #include <grpc/slice.h>
 #include <grpc/support/alloc.h>
+#include <grpc/support/json.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 #include <grpc/support/time.h>

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc

@@ -120,3 +120,11 @@ void grpc_tls_credentials_options_set_tls_session_key_log_file_path(
   }
   options->set_tls_session_key_log_file_path(path != nullptr ? path : "");
 }
+
+void grpc_tls_credentials_options_set_send_client_ca_list(
+    grpc_tls_credentials_options* options, bool send_client_ca_list) {
+  if (options == nullptr) {
+    return;
+  }
+  options->set_send_client_ca_list(send_client_ca_list);
+}

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h

@@ -61,6 +61,7 @@ struct grpc_tls_credentials_options
   const std::string& identity_cert_name() const { return identity_cert_name_; }
   const std::string& tls_session_key_log_file_path() const { return tls_session_key_log_file_path_; }
   const std::string& crl_directory() const { return crl_directory_; }
+  bool send_client_ca_list() const { return send_client_ca_list_; }
 
   // Setters for member fields.
   void set_cert_request_type(grpc_ssl_client_certificate_request_type cert_request_type) { cert_request_type_ = cert_request_type; }
@@ -81,6 +82,7 @@ struct grpc_tls_credentials_options
   void set_tls_session_key_log_file_path(std::string tls_session_key_log_file_path) { tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path); }
   //  gRPC will enforce CRLs on all handshakes from all hashed CRL files inside of the crl_directory. If not set, an empty string will be used, which will not enable CRL checking. Only supported for OpenSSL version > 1.1.
   void set_crl_directory(std::string crl_directory) { crl_directory_ = std::move(crl_directory); }
+  void set_send_client_ca_list(bool send_client_ca_list) { send_client_ca_list_ = send_client_ca_list; }
 
   bool operator==(const grpc_tls_credentials_options& other) const {
     return cert_request_type_ == other.cert_request_type_ &&
@@ -95,7 +97,8 @@ struct grpc_tls_credentials_options
       watch_identity_pair_ == other.watch_identity_pair_ &&
       identity_cert_name_ == other.identity_cert_name_ &&
       tls_session_key_log_file_path_ == other.tls_session_key_log_file_path_ &&
-      crl_directory_ == other.crl_directory_;
+      crl_directory_ == other.crl_directory_ &&
+      send_client_ca_list_ == other.send_client_ca_list_;
   }
 
  private:
@@ -112,6 +115,7 @@ struct grpc_tls_credentials_options
   std::string identity_cert_name_;
   std::string tls_session_key_log_file_path_;
   std::string crl_directory_;
+  bool send_client_ca_list_ = false;
 };
 
 #endif  // GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H

data/src/core/lib/security/security_connector/alts/alts_security_connector.cc

@@ -130,11 +130,7 @@ class grpc_alts_channel_security_connector final
   }
 
   grpc_core::ArenaPromise<absl::Status> CheckCallHost(
-      absl::string_view host, grpc_auth_context*) override {
-    if (host.empty() || host != target_name_) {
-      return grpc_core::Immediate(absl::UnauthenticatedError(
-          "ALTS call host does not match target name"));
-    }
+      absl::string_view, grpc_auth_context*) override {
     return grpc_core::ImmediateOkStatus();
   }
 

data/src/core/lib/security/security_connector/ssl_utils.cc

@@ -465,7 +465,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     grpc_ssl_client_certificate_request_type client_certificate_request,
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
-    const char* crl_directory,
+    const char* crl_directory, bool send_client_ca_list,
     tsi_ssl_server_handshaker_factory** handshaker_factory) {
   size_t num_alpn_protocols = 0;
   const char** alpn_protocol_strings =
@@ -483,6 +483,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
   options.max_tls_version = max_tls_version;
   options.key_logger = tls_session_key_logger;
   options.crl_directory = crl_directory;
+  options.send_client_ca_list = send_client_ca_list;
   const tsi_result result =
       tsi_create_ssl_server_handshaker_factory_with_options(&options,
                                                             handshaker_factory);

data/src/core/lib/security/security_connector/ssl_utils.h

@@ -93,7 +93,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     grpc_ssl_client_certificate_request_type client_certificate_request,
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
-    const char* crl_directory,
+    const char* crl_directory, bool send_client_ca_list,
     tsi_ssl_server_handshaker_factory** handshaker_factory);
 
 // Free the memory occupied by key cert pairs.

data/src/core/lib/security/security_connector/tls/tls_security_connector.cc

@@ -830,7 +830,7 @@ TlsServerSecurityConnector::UpdateHandshakerFactoryLocked() {
       grpc_get_tsi_tls_version(options_->min_tls_version()),
       grpc_get_tsi_tls_version(options_->max_tls_version()),
       tls_session_key_logger_.get(), options_->crl_directory().c_str(),
-      &server_handshaker_factory_);
+      options_->send_client_ca_list(), &server_handshaker_factory_);
   // Free memory.
   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
                                           num_key_cert_pairs);

data/src/core/lib/security/util/json_util.cc

@@ -26,6 +26,7 @@
 
 #include "absl/strings/str_cat.h"
 
+#include <grpc/support/json.h>
 #include <grpc/support/string_util.h>
 
 #include "src/core/lib/iomgr/error.h"

data/src/core/lib/service_config/service_config_call_data.h

@@ -21,14 +21,14 @@
 
 #include <stddef.h>
 
-#include <map>
 #include <memory>
 #include <utility>
 
-#include "absl/strings/string_view.h"
-
+#include "src/core/lib/channel/context.h"
+#include "src/core/lib/gprpp/chunked_vector.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/gprpp/unique_type_name.h"
+#include "src/core/lib/resource_quota/arena.h"
 #include "src/core/lib/service_config/service_config.h"
 #include "src/core/lib/service_config/service_config_parser.h"
 
@@ -38,43 +38,72 @@ namespace grpc_core {
 /// A pointer to this object is stored in the call_context
 /// GRPC_CONTEXT_SERVICE_CONFIG_CALL_DATA element, so that filters can
 /// easily access method and global parameters for the call.
+///
+/// Must be accessed when holding the call combiner (legacy filter) or from
+/// inside the activity (promise-based filter).
 class ServiceConfigCallData {
  public:
-  using CallAttributes = std::map<UniqueTypeName, absl::string_view>;
+  class CallAttributeInterface {
+   public:
+    virtual ~CallAttributeInterface() = default;
+    virtual UniqueTypeName type() const = 0;
+  };
+
+  ServiceConfigCallData(Arena* arena, grpc_call_context_element* call_context)
+      : call_attributes_(arena) {
+    call_context[GRPC_CONTEXT_SERVICE_CONFIG_CALL_DATA].value = this;
+    call_context[GRPC_CONTEXT_SERVICE_CONFIG_CALL_DATA].destroy = Destroy;
+  }
 
-  ServiceConfigCallData() : method_configs_(nullptr) {}
+  virtual ~ServiceConfigCallData() = default;
 
-  ServiceConfigCallData(
+  void SetServiceConfig(
       RefCountedPtr<ServiceConfig> service_config,
-      const ServiceConfigParser::ParsedConfigVector* method_configs,
-      CallAttributes call_attributes)
-      : service_config_(std::move(service_config)),
-        method_configs_(method_configs),
-        call_attributes_(std::move(call_attributes)) {}
+      const ServiceConfigParser::ParsedConfigVector* method_configs) {
+    service_config_ = std::move(service_config);
+    method_configs_ = method_configs;
+  }
 
   ServiceConfig* service_config() { return service_config_.get(); }
 
   ServiceConfigParser::ParsedConfig* GetMethodParsedConfig(size_t index) const {
-    return method_configs_ != nullptr ? (*method_configs_)[index].get()
-                                      : nullptr;
+    if (method_configs_ == nullptr) return nullptr;
+    return (*method_configs_)[index].get();
   }
 
   ServiceConfigParser::ParsedConfig* GetGlobalParsedConfig(size_t index) const {
+    if (service_config_ == nullptr) return nullptr;
     return service_config_->GetGlobalParsedConfig(index);
   }
 
-  const CallAttributes& call_attributes() const { return call_attributes_; }
+  void SetCallAttribute(CallAttributeInterface* value) {
+    // Overwrite existing entry if we already have one for this type.
+    for (CallAttributeInterface*& attribute : call_attributes_) {
+      if (value->type() == attribute->type()) {
+        attribute = value;
+        return;
+      }
+    }
+    // Otherwise, add a new entry.
+    call_attributes_.EmplaceBack(value);
+  }
 
-  // Must be called when holding the call combiner (legacy filter) or from
-  // inside the activity (promise-based filter).
-  void SetCallAttribute(UniqueTypeName name, absl::string_view value) {
-    call_attributes_[name] = value;
+  CallAttributeInterface* GetCallAttribute(UniqueTypeName type) const {
+    for (CallAttributeInterface* attribute : call_attributes_) {
+      if (attribute->type() == type) return attribute;
+    }
+    return nullptr;
   }
 
  private:
+  static void Destroy(void* ptr) {
+    auto* self = static_cast<ServiceConfigCallData*>(ptr);
+    self->~ServiceConfigCallData();
+  }
+
   RefCountedPtr<ServiceConfig> service_config_;
-  const ServiceConfigParser::ParsedConfigVector* method_configs_;
-  CallAttributes call_attributes_;
+  const ServiceConfigParser::ParsedConfigVector* method_configs_ = nullptr;
+  ChunkedVector<CallAttributeInterface*, 4> call_attributes_;
 };
 
 }  // namespace grpc_core

data/src/core/lib/service_config/service_config_impl.cc

@@ -121,7 +121,8 @@ RefCountedPtr<ServiceConfig> ServiceConfigImpl::Create(
     service_config->parsed_method_config_vectors_storage_.reserve(
         method_configs->size());
     for (size_t i = 0; i < method_configs->size(); ++i) {
-      const Json::Object& method_config_json = (*method_configs)[i];
+      const Json method_config_json =
+          Json::FromObject(std::move((*method_configs)[i]));
       ValidationErrors::ScopedField field(
           errors, absl::StrCat(".methodConfig[", i, "]"));
       // Have each parser read this method config.