RubyGems - grpc - Versions diffs - 1.60.0 → 1.61.0.pre2 - Mend

grpc 1.60.0 → 1.61.0.pre2

Files changed (277) hide show

data/src/core/lib/resolver/endpoint_addresses.h CHANGED Viewed

@@ -23,8 +23,11 @@
 #include <set>
 #include <string>
+#include <utility>
 #include <vector>
+#include "absl/functional/function_ref.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/iomgr/resolved_address.h"
@@ -64,6 +67,9 @@ class EndpointAddresses {
   bool operator==(const EndpointAddresses& other) const {
     return Cmp(other) == 0;
   }
+  bool operator!=(const EndpointAddresses& other) const {
+    return Cmp(other) != 0;
+  }
   bool operator<(const EndpointAddresses& other) const {
     return Cmp(other) < 0;
   }
@@ -111,6 +117,48 @@ class EndpointAddressSet {
   std::set<grpc_resolved_address, ResolvedAddressLessThan> addresses_;
 };
+// An iterator interface for endpoints.
+class EndpointAddressesIterator {
+ public:
+  virtual ~EndpointAddressesIterator() = default;
+  // Invokes callback once for each endpoint.
+  virtual void ForEach(
+      absl::FunctionRef<void(const EndpointAddresses&)> callback) const = 0;
+};
+// Iterator over a fixed list of endpoints.
+class EndpointAddressesListIterator : public EndpointAddressesIterator {
+ public:
+  explicit EndpointAddressesListIterator(EndpointAddressesList endpoints)
+      : endpoints_(std::move(endpoints)) {}
+  void ForEach(absl::FunctionRef<void(const EndpointAddresses&)> callback)
+      const override {
+    for (const auto& endpoint : endpoints_) {
+      callback(endpoint);
+    }
+  }
+ private:
+  EndpointAddressesList endpoints_;
+};
+// Iterator that returns only a single endpoint.
+class SingleEndpointIterator : public EndpointAddressesIterator {
+ public:
+  explicit SingleEndpointIterator(EndpointAddresses endpoint)
+      : endpoint_(std::move(endpoint)) {}
+  void ForEach(absl::FunctionRef<void(const EndpointAddresses&)> callback)
+      const override {
+    callback(endpoint_);
+  }
+ private:
+  EndpointAddresses endpoint_;
+};
 }  // namespace grpc_core
 #endif  // GRPC_SRC_CORE_LIB_RESOLVER_ENDPOINT_ADDRESSES_H

data/src/core/lib/resource_quota/arena.h CHANGED Viewed

@@ -180,7 +180,7 @@ class Arena {
   template <typename T, typename... Args>
   T* New(Args&&... args) {
     T* t = static_cast<T*>(Alloc(sizeof(T)));
-    Construct(t, std::forward<Args>(args)...);
+    new (t) T(std::forward<Args>(args)...);
     return t;
   }
@@ -333,7 +333,7 @@ class Arena {
   //          value in Arena::PoolSizes, and so this may pessimize total
   //          arena size.
   template <typename T, typename... Args>
-  PoolPtr<T> MakePooled(Args&&... args) {
+  static PoolPtr<T> MakePooled(Args&&... args) {
     return PoolPtr<T>(new T(std::forward<Args>(args)...), PooledDeleter());
   }

data/src/core/lib/resource_quota/memory_quota.cc CHANGED Viewed

@@ -20,11 +20,19 @@
 #include <algorithm>
 #include <atomic>
+#include <cstddef>
+#include <cstdint>
+#include <cstdlib>
+#include <memory>
 #include <tuple>
+#include <utility>
 #include "absl/status/status.h"
 #include "absl/strings/str_cat.h"
+#include <grpc/event_engine/internal/memory_allocator_impl.h>
+#include <grpc/slice.h>
 #include "src/core/lib/debug/trace.h"
 #include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/gprpp/mpscq.h"
@@ -34,6 +42,7 @@
 #include "src/core/lib/promise/race.h"
 #include "src/core/lib/promise/seq.h"
 #include "src/core/lib/resource_quota/trace.h"
+#include "src/core/lib/slice/slice_refcount.h"
 namespace grpc_core {
@@ -90,6 +99,39 @@ class MemoryQuotaTracker {
   Mutex mu_;
   std::vector<std::weak_ptr<BasicMemoryQuota>> quotas_ ABSL_GUARDED_BY(mu_);
 };
+// Reference count for a slice allocated by MemoryAllocator::MakeSlice.
+// Takes care of releasing memory back when the slice is destroyed.
+class SliceRefCount : public grpc_slice_refcount {
+ public:
+  SliceRefCount(
+      std::shared_ptr<
+          grpc_event_engine::experimental::internal::MemoryAllocatorImpl>
+          allocator,
+      size_t size)
+      : grpc_slice_refcount(Destroy),
+        allocator_(std::move(allocator)),
+        size_(size) {
+    // Nothing to do here.
+  }
+  ~SliceRefCount() {
+    allocator_->Release(size_);
+    allocator_.reset();
+  }
+ private:
+  static void Destroy(grpc_slice_refcount* p) {
+    auto* rc = static_cast<SliceRefCount*>(p);
+    rc->~SliceRefCount();
+    free(rc);
+  }
+  std::shared_ptr<
+      grpc_event_engine::experimental::internal::MemoryAllocatorImpl>
+      allocator_;
+  size_t size_;
+};
 }  // namespace
 //
@@ -337,6 +379,18 @@ void GrpcMemoryAllocatorImpl::Replenish() {
   free_bytes_.fetch_add(amount, std::memory_order_acq_rel);
 }
+grpc_slice GrpcMemoryAllocatorImpl::MakeSlice(MemoryRequest request) {
+  auto size = Reserve(request.Increase(sizeof(SliceRefCount)));
+  void* p = malloc(size);
+  new (p) SliceRefCount(shared_from_this(), size);
+  grpc_slice slice;
+  slice.refcount = static_cast<SliceRefCount*>(p);
+  slice.data.refcounted.bytes =
+      static_cast<uint8_t*>(p) + sizeof(SliceRefCount);
+  slice.data.refcounted.length = size - sizeof(SliceRefCount);
+  return slice;
+}
 //
 // BasicMemoryQuota
 //
@@ -604,14 +658,9 @@ BasicMemoryQuota::PressureInfo BasicMemoryQuota::GetPressureInfo() {
   if (size < 1) return PressureInfo{1, 1, 1};
   PressureInfo pressure_info;
   pressure_info.instantaneous_pressure = std::max(0.0, (size - free) / size);
-  if (IsMemoryPressureControllerEnabled()) {
-    pressure_info.pressure_control_value =
-        pressure_tracker_.AddSampleAndGetControlValue(
-            pressure_info.instantaneous_pressure);
-  } else {
-    pressure_info.pressure_control_value =
-        std::min(pressure_info.instantaneous_pressure, 1.0);
-  }
+  pressure_info.pressure_control_value =
+      pressure_tracker_.AddSampleAndGetControlValue(
+          pressure_info.instantaneous_pressure);
   pressure_info.max_recommended_allocation_size = quota_size / 16;
   return pressure_info;
 }

data/src/core/lib/resource_quota/memory_quota.h CHANGED Viewed

@@ -400,6 +400,12 @@ class GrpcMemoryAllocatorImpl final : public EventEngineMemoryAllocatorImpl {
   // Returns the number of bytes reserved.
   size_t Reserve(MemoryRequest request) override;
+  /// Allocate a slice, using MemoryRequest to size the number of returned
+  /// bytes. For a variable length request, check the returned slice length to
+  /// verify how much memory was allocated. Takes care of reserving memory for
+  /// any relevant control structures also.
+  grpc_slice MakeSlice(MemoryRequest request) override;
   // Release some bytes that were previously reserved.
   void Release(size_t n) override {
     // Add the released memory to our free bytes counter... if this increases

data/src/core/lib/security/authorization/grpc_server_authz_filter.cc CHANGED Viewed

@@ -39,6 +39,12 @@ namespace grpc_core {
 TraceFlag grpc_authz_trace(false, "grpc_authz_api");
+const NoInterceptor GrpcServerAuthzFilter::Call::OnServerInitialMetadata;
+const NoInterceptor GrpcServerAuthzFilter::Call::OnServerTrailingMetadata;
+const NoInterceptor GrpcServerAuthzFilter::Call::OnClientToServerMessage;
+const NoInterceptor GrpcServerAuthzFilter::Call::OnServerToClientMessage;
+const NoInterceptor GrpcServerAuthzFilter::Call::OnFinalize;
 GrpcServerAuthzFilter::GrpcServerAuthzFilter(
     RefCountedPtr<grpc_auth_context> auth_context, grpc_endpoint* endpoint,
     RefCountedPtr<grpc_authorization_policy_provider> provider)
@@ -61,9 +67,8 @@ absl::StatusOr<GrpcServerAuthzFilter> GrpcServerAuthzFilter::Create(
       /*endpoint=*/nullptr, provider->Ref());
 }
-bool GrpcServerAuthzFilter::IsAuthorized(
-    const ClientMetadataHandle& initial_metadata) {
-  EvaluateArgs args(initial_metadata.get(), &per_channel_evaluate_args_);
+bool GrpcServerAuthzFilter::IsAuthorized(ClientMetadata& initial_metadata) {
+  EvaluateArgs args(&initial_metadata, &per_channel_evaluate_args_);
   if (GRPC_TRACE_FLAG_ENABLED(grpc_authz_trace)) {
     gpr_log(GPR_DEBUG,
             "checking request: url_path=%s, transport_security_type=%s, "
@@ -105,17 +110,15 @@ bool GrpcServerAuthzFilter::IsAuthorized(
   return false;
 }
-ArenaPromise<ServerMetadataHandle> GrpcServerAuthzFilter::MakeCallPromise(
-    CallArgs call_args, NextPromiseFactory next_promise_factory) {
-  if (!IsAuthorized(call_args.client_initial_metadata)) {
-    return ArenaPromise<ServerMetadataHandle>(
-        Immediate(ServerMetadataFromStatus(absl::PermissionDeniedError(
-            "Unauthorized RPC request rejected."))));
+absl::Status GrpcServerAuthzFilter::Call::OnClientInitialMetadata(
+    ClientMetadata& md, GrpcServerAuthzFilter* filter) {
+  if (!filter->IsAuthorized(md)) {
+    return absl::PermissionDeniedError("Unauthorized RPC request rejected.");
   }
-  return next_promise_factory(std::move(call_args));
+  return absl::OkStatus();
 }
-const grpc_channel_filter GrpcServerAuthzFilter::kFilterVtable =
+const grpc_channel_filter GrpcServerAuthzFilter::kFilter =
     MakePromiseBasedFilter<GrpcServerAuthzFilter, FilterEndpoint::kServer>(
         "grpc-server-authz");

data/src/core/lib/security/authorization/grpc_server_authz_filter.h CHANGED Viewed

@@ -34,22 +34,31 @@
 namespace grpc_core {
-class GrpcServerAuthzFilter final : public ChannelFilter {
+class GrpcServerAuthzFilter final
+    : public ImplementChannelFilter<GrpcServerAuthzFilter> {
  public:
-  static const grpc_channel_filter kFilterVtable;
+  static const grpc_channel_filter kFilter;
   static absl::StatusOr<GrpcServerAuthzFilter> Create(const ChannelArgs& args,
                                                       ChannelFilter::Args);
-  ArenaPromise<ServerMetadataHandle> MakeCallPromise(
-      CallArgs call_args, NextPromiseFactory next_promise_factory) override;
+  class Call {
+   public:
+    absl::Status OnClientInitialMetadata(ClientMetadata& md,
+                                         GrpcServerAuthzFilter* filter);
+    static const NoInterceptor OnServerInitialMetadata;
+    static const NoInterceptor OnServerTrailingMetadata;
+    static const NoInterceptor OnClientToServerMessage;
+    static const NoInterceptor OnServerToClientMessage;
+    static const NoInterceptor OnFinalize;
+  };
  private:
   GrpcServerAuthzFilter(
       RefCountedPtr<grpc_auth_context> auth_context, grpc_endpoint* endpoint,
       RefCountedPtr<grpc_authorization_policy_provider> provider);
-  bool IsAuthorized(const ClientMetadataHandle& initial_metadata);
+  bool IsAuthorized(ClientMetadata& initial_metadata);
   RefCountedPtr<grpc_auth_context> auth_context_;
   EvaluateArgs::PerChannelArgs per_channel_evaluate_args_;

data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc CHANGED Viewed

@@ -525,4 +525,8 @@ void AwsExternalAccountCredentials::FinishRetrieveSubjectToken(
   }
 }
+absl::string_view AwsExternalAccountCredentials::CredentialSourceType() {
+  return "aws";
+}
 }  // namespace grpc_core

data/src/core/lib/security/credentials/external/aws_external_account_credentials.h CHANGED Viewed

@@ -24,6 +24,8 @@
 #include <string>
 #include <vector>
+#include "absl/strings/string_view.h"
 #include "src/core/lib/gprpp/orphanable.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/http/httpcli.h"
@@ -72,6 +74,8 @@ class AwsExternalAccountCredentials final : public ExternalAccountCredentials {
   void AddMetadataRequestHeaders(grpc_http_request* request);
+  absl::string_view CredentialSourceType() override;
   std::string audience_;
   OrphanablePtr<HttpRequest> http_request_;

data/src/core/lib/security/credentials/external/external_account_credentials.cc CHANGED Viewed

@@ -26,6 +26,7 @@
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
+#include "absl/strings/escaping.h"
 #include "absl/strings/match.h"
 #include "absl/strings/numbers.h"
 #include "absl/strings/str_cat.h"
@@ -53,7 +54,6 @@
 #include "src/core/lib/security/credentials/external/file_external_account_credentials.h"
 #include "src/core/lib/security/credentials/external/url_external_account_credentials.h"
 #include "src/core/lib/security/util/json_util.h"
-#include "src/core/lib/slice/b64.h"
 #include "src/core/lib/uri/uri_parser.h"
 #define EXTERNAL_ACCOUNT_CREDENTIALS_GRANT_TYPE \
@@ -271,6 +271,20 @@ std::string ExternalAccountCredentials::debug_string() {
                          grpc_oauth2_token_fetcher_credentials::debug_string());
 }
+std::string ExternalAccountCredentials::MetricsHeaderValue() {
+  return absl::StrFormat(
+      "gl-cpp/unknown auth/%s google-byoid-sdk source/%s sa-impersonation/%v "
+      "config-lifetime/%v",
+      grpc_version_string(), CredentialSourceType(),
+      !options_.service_account_impersonation_url.empty(),
+      options_.service_account_impersonation.token_lifetime_seconds !=
+          IMPERSONATED_CRED_DEFAULT_LIFETIME_IN_SECONDS);
+}
+absl::string_view ExternalAccountCredentials::CredentialSourceType() {
+  return "unknown";
+}
 // The token fetching flow:
 // 1. Retrieve subject token - Subclass's RetrieveSubjectToken() gets called
 // and the subject token is received in OnRetrieveSubjectTokenInternal().
@@ -317,27 +331,21 @@ void ExternalAccountCredentials::ExchangeToken(
   }
   grpc_http_request request;
   memset(&request, 0, sizeof(grpc_http_request));
-  grpc_http_header* headers = nullptr;
-  if (!options_.client_id.empty() && !options_.client_secret.empty()) {
-    request.hdr_count = 2;
-    headers = static_cast<grpc_http_header*>(
-        gpr_malloc(sizeof(grpc_http_header) * request.hdr_count));
-    headers[0].key = gpr_strdup("Content-Type");
-    headers[0].value = gpr_strdup("application/x-www-form-urlencoded");
+  const bool add_authorization_header =
+      !options_.client_id.empty() && !options_.client_secret.empty();
+  request.hdr_count = add_authorization_header ? 3 : 2;
+  auto* headers = static_cast<grpc_http_header*>(
+      gpr_malloc(sizeof(grpc_http_header) * request.hdr_count));
+  headers[0].key = gpr_strdup("Content-Type");
+  headers[0].value = gpr_strdup("application/x-www-form-urlencoded");
+  headers[1].key = gpr_strdup("x-goog-api-client");
+  headers[1].value = gpr_strdup(MetricsHeaderValue().c_str());
+  if (add_authorization_header) {
     std::string raw_cred =
         absl::StrFormat("%s:%s", options_.client_id, options_.client_secret);
-    char* encoded_cred =
-        grpc_base64_encode(raw_cred.c_str(), raw_cred.length(), 0, 0);
-    std::string str = absl::StrFormat("Basic %s", std::string(encoded_cred));
-    headers[1].key = gpr_strdup("Authorization");
-    headers[1].value = gpr_strdup(str.c_str());
-    gpr_free(encoded_cred);
-  } else {
-    request.hdr_count = 1;
-    headers = static_cast<grpc_http_header*>(
-        gpr_malloc(sizeof(grpc_http_header) * request.hdr_count));
-    headers[0].key = gpr_strdup("Content-Type");
-    headers[0].value = gpr_strdup("application/x-www-form-urlencoded");
+    std::string str = absl::StrFormat("Basic %s", absl::Base64Escape(raw_cred));
+    headers[2].key = gpr_strdup("Authorization");
+    headers[2].value = gpr_strdup(str.c_str());
   }
   request.hdrs = headers;
   std::vector<std::string> body_parts;

data/src/core/lib/security/credentials/external/external_account_credentials.h CHANGED Viewed

@@ -101,6 +101,10 @@ class ExternalAccountCredentials
       HTTPRequestContext* ctx, const Options& options,
       std::function<void(std::string, grpc_error_handle)> cb) = 0;
+  virtual absl::string_view CredentialSourceType();
+  std::string MetricsHeaderValue();
  private:
   // This method implements the common token fetch logic and it will be called
   // when grpc_oauth2_token_fetcher_credentials request a new access token.

data/src/core/lib/security/credentials/external/file_external_account_credentials.cc CHANGED Viewed

@@ -137,4 +137,8 @@ void FileExternalAccountCredentials::RetrieveSubjectToken(
   cb(std::string(content), absl::OkStatus());
 }
+absl::string_view FileExternalAccountCredentials::CredentialSourceType() {
+  return "file";
+}
 }  // namespace grpc_core

data/src/core/lib/security/credentials/external/file_external_account_credentials.h CHANGED Viewed

@@ -23,6 +23,8 @@
 #include <string>
 #include <vector>
+#include "absl/strings/string_view.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/security/credentials/external/external_account_credentials.h"
@@ -44,6 +46,8 @@ class FileExternalAccountCredentials final : public ExternalAccountCredentials {
       HTTPRequestContext* ctx, const Options& options,
       std::function<void(std::string, grpc_error_handle)> cb) override;
+  absl::string_view CredentialSourceType() override;
   // Fields of credential source
   std::string file_;
   std::string format_type_;

data/src/core/lib/security/credentials/external/url_external_account_credentials.cc CHANGED Viewed

@@ -240,4 +240,8 @@ void UrlExternalAccountCredentials::FinishRetrieveSubjectToken(
   }
 }
+absl::string_view UrlExternalAccountCredentials::CredentialSourceType() {
+  return "url";
+}
 }  // namespace grpc_core

data/src/core/lib/security/credentials/external/url_external_account_credentials.h CHANGED Viewed

@@ -24,6 +24,8 @@
 #include <string>
 #include <vector>
+#include "absl/strings/string_view.h"
 #include "src/core/lib/gprpp/orphanable.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/http/httpcli.h"
@@ -48,6 +50,8 @@ class UrlExternalAccountCredentials final : public ExternalAccountCredentials {
       HTTPRequestContext* ctx, const Options& options,
       std::function<void(std::string, grpc_error_handle)> cb) override;
+  absl::string_view CredentialSourceType() override;
   static void OnRetrieveSubjectToken(void* arg, grpc_error_handle error);
   void OnRetrieveSubjectTokenInternal(grpc_error_handle error);

data/src/core/lib/security/credentials/plugin/plugin_credentials.cc CHANGED Viewed

@@ -152,7 +152,8 @@ grpc_plugin_credentials::GetRequestMetadata(
   // Create pending_request object.
   auto request = grpc_core::MakeRefCounted<PendingRequest>(
-      Ref(), std::move(initial_metadata), args);
+      RefAsSubclass<grpc_plugin_credentials>(), std::move(initial_metadata),
+      args);
   // Invoke the plugin.  The callback holds a ref to us.
   if (GRPC_TRACE_FLAG_ENABLED(grpc_plugin_credentials_trace)) {
     gpr_log(GPR_INFO, "plugin_credentials[%p]: request %p: invoking plugin",

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h CHANGED Viewed

@@ -39,7 +39,6 @@
 #include "src/core/lib/gprpp/sync.h"
 #include "src/core/lib/gprpp/thd.h"
 #include "src/core/lib/gprpp/unique_type_name.h"
-#include "src/core/lib/iomgr/iomgr_fwd.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
 #include "src/core/lib/security/security_connector/ssl_utils.h"
@@ -55,8 +54,6 @@
 struct grpc_tls_certificate_provider
     : public grpc_core::RefCounted<grpc_tls_certificate_provider> {
  public:
-  virtual grpc_pollset_set* interested_parties() const { return nullptr; }
   virtual grpc_core::RefCountedPtr<grpc_tls_certificate_distributor>
   distributor() const = 0;

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc CHANGED Viewed

@@ -149,3 +149,15 @@ void grpc_tls_credentials_options_set_crl_provider(
   GPR_ASSERT(options != nullptr);
   options->set_crl_provider(provider);
 }
+void grpc_tls_credentials_options_set_min_tls_version(
+    grpc_tls_credentials_options* options, grpc_tls_version min_tls_version) {
+  GPR_ASSERT(options != nullptr);
+  options->set_min_tls_version(min_tls_version);
+}
+void grpc_tls_credentials_options_set_max_tls_version(
+    grpc_tls_credentials_options* options, grpc_tls_version max_tls_version) {
+  GPR_ASSERT(options != nullptr);
+  options->set_max_tls_version(max_tls_version);
+}

data/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc CHANGED Viewed

@@ -148,8 +148,7 @@ absl::StatusOr<std::shared_ptr<CrlProvider>> CreateDirectoryReloaderCrlProvider(
     return absl::InvalidArgumentError("Refresh duration minimum is 60 seconds");
   }
   auto provider = std::make_shared<DirectoryReloaderCrlProvider>(
-      refresh_duration, reload_error_callback,
-      grpc_event_engine::experimental::GetDefaultEventEngine(),
+      refresh_duration, reload_error_callback, /*event_engine=*/nullptr,
       MakeDirectoryReader(directory));
   // This could be slow to do at startup, but we want to
   // make sure it's done before the provider is used.
@@ -157,10 +156,28 @@ absl::StatusOr<std::shared_ptr<CrlProvider>> CreateDirectoryReloaderCrlProvider(
   return provider;
 }
+DirectoryReloaderCrlProvider::DirectoryReloaderCrlProvider(
+    std::chrono::seconds duration, std::function<void(absl::Status)> callback,
+    std::shared_ptr<grpc_event_engine::experimental::EventEngine> event_engine,
+    std::shared_ptr<DirectoryReader> directory_impl)
+    : refresh_duration_(Duration::FromSecondsAsDouble(duration.count())),
+      reload_error_callback_(std::move(callback)),
+      crl_directory_(std::move(directory_impl)) {
+  // Must be called before `GetDefaultEventEngine`
+  grpc_init();
+  if (event_engine == nullptr) {
+    event_engine_ = grpc_event_engine::experimental::GetDefaultEventEngine();
+  } else {
+    event_engine_ = std::move(event_engine);
+  }
+}
 DirectoryReloaderCrlProvider::~DirectoryReloaderCrlProvider() {
   if (refresh_handle_.has_value()) {
     event_engine_->Cancel(refresh_handle_.value());
   }
+  // Call here because we call grpc_init in the constructor
+  grpc_shutdown();
 }
 void DirectoryReloaderCrlProvider::UpdateAndStartTimer() {
@@ -209,9 +226,9 @@ absl::Status DirectoryReloaderCrlProvider::Update() {
     // in-place updated in crls_.
     for (auto& kv : new_crls) {
       std::shared_ptr<Crl>& crl = kv.second;
-      // It's not safe to say crl->Issuer() on the LHS and std::move(crl) on the
-      // RHS, because C++ does not guarantee which of those will be executed
-      // first.
+      // It's not safe to say crl->Issuer() on the LHS and std::move(crl) on
+      // the RHS, because C++ does not guarantee which of those will be
+      // executed first.
       std::string issuer(crl->Issuer());
       crls_[std::move(issuer)] = std::move(crl);
     }

data/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h CHANGED Viewed

@@ -98,11 +98,7 @@ class DirectoryReloaderCrlProvider
       std::chrono::seconds duration, std::function<void(absl::Status)> callback,
       std::shared_ptr<grpc_event_engine::experimental::EventEngine>
           event_engine,
-      std::shared_ptr<DirectoryReader> directory_impl)
-      : refresh_duration_(Duration::FromSecondsAsDouble(duration.count())),
-        reload_error_callback_(std::move(callback)),
-        event_engine_(std::move(event_engine)),
-        crl_directory_(std::move(directory_impl)) {}
+      std::shared_ptr<DirectoryReader> directory_impl);
   ~DirectoryReloaderCrlProvider() override;
   std::shared_ptr<Crl> GetCrl(const CertificateInfo& certificate_info) override;

data/src/core/lib/security/credentials/tls/tls_credentials.cc CHANGED Viewed

@@ -46,6 +46,22 @@ bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
     gpr_log(GPR_ERROR, "TLS credentials options is nullptr.");
     return false;
   }
+  // In this case, there will be non-retriable handshake errors.
+  if (options->min_tls_version() > options->max_tls_version()) {
+    gpr_log(GPR_ERROR, "TLS min version must not be higher than max version.");
+    grpc_tls_credentials_options_destroy(options);
+    return false;
+  }
+  if (options->max_tls_version() > grpc_tls_version::TLS1_3) {
+    gpr_log(GPR_ERROR, "TLS max version must not be higher than v1.3.");
+    grpc_tls_credentials_options_destroy(options);
+    return false;
+  }
+  if (options->min_tls_version() < grpc_tls_version::TLS1_2) {
+    gpr_log(GPR_ERROR, "TLS min version must not be lower than v1.2.");
+    grpc_tls_credentials_options_destroy(options);
+    return false;
+  }
   if (!options->crl_directory().empty() && options->crl_provider() != nullptr) {
     gpr_log(GPR_ERROR,
             "Setting crl_directory and crl_provider not supported. Using the "