grpc 1.60.0 → 1.61.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (277) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +208 -165
  3. data/include/grpc/event_engine/event_engine.h +59 -12
  4. data/include/grpc/event_engine/internal/memory_allocator_impl.h +6 -0
  5. data/include/grpc/event_engine/internal/slice_cast.h +12 -0
  6. data/include/grpc/event_engine/memory_allocator.h +3 -1
  7. data/include/grpc/event_engine/slice.h +5 -0
  8. data/include/grpc/grpc_security.h +22 -1
  9. data/include/grpc/impl/call.h +29 -0
  10. data/include/grpc/impl/channel_arg_names.h +12 -1
  11. data/include/grpc/impl/slice_type.h +1 -1
  12. data/include/grpc/module.modulemap +1 -0
  13. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +54 -7
  14. data/src/core/ext/filters/backend_metrics/backend_metric_filter.h +20 -6
  15. data/src/core/ext/filters/channel_idle/channel_idle_filter.cc +10 -13
  16. data/src/core/ext/filters/channel_idle/channel_idle_filter.h +18 -10
  17. data/src/core/ext/filters/channel_idle/legacy_channel_idle_filter.cc +326 -0
  18. data/src/core/ext/filters/channel_idle/legacy_channel_idle_filter.h +143 -0
  19. data/src/core/ext/filters/client_channel/backend_metric.cc +2 -2
  20. data/src/core/ext/filters/client_channel/client_channel.cc +32 -6
  21. data/src/core/ext/filters/client_channel/client_channel_internal.h +2 -0
  22. data/src/core/ext/filters/client_channel/global_subchannel_pool.cc +1 -1
  23. data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +54 -21
  24. data/src/core/ext/filters/client_channel/lb_policy/address_filtering.h +3 -2
  25. data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +2 -1
  26. data/src/core/ext/filters/client_channel/lb_policy/endpoint_list.cc +12 -15
  27. data/src/core/ext/filters/client_channel/lb_policy/endpoint_list.h +8 -5
  28. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +139 -92
  29. data/src/core/ext/filters/client_channel/lb_policy/health_check_client.cc +9 -4
  30. data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric.cc +9 -4
  31. data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.cc +10 -11
  32. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +94 -93
  33. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +5 -3
  34. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +12 -15
  35. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +38 -16
  36. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +25 -28
  37. data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +10 -10
  38. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +37 -35
  39. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -9
  40. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +504 -461
  41. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +232 -122
  42. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +8 -6
  43. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +642 -251
  44. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.h +2 -6
  45. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_wrr_locality.cc +7 -8
  46. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +2 -1
  47. data/src/core/ext/filters/client_channel/resolver/dns/event_engine/event_engine_client_channel_resolver.cc +3 -1
  48. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +2 -2
  49. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +2 -2
  50. data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +6 -8
  51. data/src/core/ext/filters/client_channel/resolver/xds/xds_dependency_manager.cc +1031 -0
  52. data/src/core/ext/filters/client_channel/resolver/xds/xds_dependency_manager.h +277 -0
  53. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +128 -270
  54. data/src/core/ext/filters/client_channel/resolver/xds/{xds_resolver.h → xds_resolver_attributes.h} +5 -4
  55. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver_trace.cc +25 -0
  56. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver_trace.h +30 -0
  57. data/src/core/ext/filters/client_channel/retry_filter.cc +1 -0
  58. data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +35 -17
  59. data/src/core/ext/filters/deadline/deadline_filter.cc +12 -0
  60. data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +17 -13
  61. data/src/core/ext/filters/fault_injection/fault_injection_filter.h +13 -4
  62. data/src/core/ext/filters/http/client/http_client_filter.cc +23 -32
  63. data/src/core/ext/filters/http/client/http_client_filter.h +10 -5
  64. data/src/core/ext/filters/http/client_authority_filter.cc +14 -14
  65. data/src/core/ext/filters/http/client_authority_filter.h +12 -4
  66. data/src/core/ext/filters/http/http_filters_plugin.cc +42 -20
  67. data/src/core/ext/filters/http/message_compress/compression_filter.cc +55 -80
  68. data/src/core/ext/filters/http/message_compress/compression_filter.h +54 -12
  69. data/src/core/ext/filters/http/message_compress/legacy_compression_filter.cc +325 -0
  70. data/src/core/ext/filters/http/message_compress/legacy_compression_filter.h +139 -0
  71. data/src/core/ext/filters/http/server/http_server_filter.cc +41 -41
  72. data/src/core/ext/filters/http/server/http_server_filter.h +11 -4
  73. data/src/core/ext/filters/message_size/message_size_filter.cc +56 -76
  74. data/src/core/ext/filters/message_size/message_size_filter.h +35 -23
  75. data/src/core/ext/filters/rbac/rbac_filter.cc +15 -11
  76. data/src/core/ext/filters/rbac/rbac_filter.h +11 -4
  77. data/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc +25 -13
  78. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +47 -50
  79. data/src/core/ext/filters/stateful_session/stateful_session_filter.h +21 -4
  80. data/src/core/ext/transport/chttp2/alpn/alpn.cc +1 -1
  81. data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +2 -2
  82. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +11 -2
  83. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +67 -145
  84. data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +3 -3
  85. data/src/core/ext/transport/chttp2/transport/flow_control.cc +21 -82
  86. data/src/core/ext/transport/chttp2/transport/flow_control.h +1 -8
  87. data/src/core/ext/transport/chttp2/transport/frame.cc +506 -0
  88. data/src/core/ext/transport/chttp2/transport/frame.h +214 -0
  89. data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +1 -1
  90. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +33 -79
  91. data/src/core/ext/transport/chttp2/transport/frame_settings.h +4 -7
  92. data/src/core/ext/transport/chttp2/transport/http2_settings.cc +122 -32
  93. data/src/core/ext/transport/chttp2/transport/http2_settings.h +142 -37
  94. data/src/core/ext/transport/chttp2/transport/internal.h +1 -22
  95. data/src/core/ext/transport/chttp2/transport/parsing.cc +23 -37
  96. data/src/core/ext/transport/chttp2/transport/writing.cc +26 -58
  97. data/src/core/ext/transport/inproc/inproc_transport.cc +172 -13
  98. data/src/core/ext/upb-gen/envoy/extensions/upstreams/http/v3/http_protocol_options.upb.h +712 -0
  99. data/src/core/ext/upb-gen/envoy/extensions/upstreams/http/v3/http_protocol_options.upb_minitable.c +151 -0
  100. data/src/core/ext/upb-gen/envoy/extensions/upstreams/http/v3/http_protocol_options.upb_minitable.h +33 -0
  101. data/src/core/ext/upbdefs-gen/envoy/extensions/upstreams/http/v3/http_protocol_options.upbdefs.c +133 -0
  102. data/src/core/ext/upbdefs-gen/envoy/extensions/upstreams/http/v3/http_protocol_options.upbdefs.h +50 -0
  103. data/src/core/ext/xds/certificate_provider_store.cc +2 -1
  104. data/src/core/ext/xds/certificate_provider_store.h +0 -5
  105. data/src/core/ext/xds/xds_api.cc +31 -18
  106. data/src/core/ext/xds/xds_api.h +2 -2
  107. data/src/core/ext/xds/xds_bootstrap.h +3 -0
  108. data/src/core/ext/xds/xds_certificate_provider.cc +88 -287
  109. data/src/core/ext/xds/xds_certificate_provider.h +44 -111
  110. data/src/core/ext/xds/xds_client.cc +420 -414
  111. data/src/core/ext/xds/xds_client.h +31 -22
  112. data/src/core/ext/xds/xds_client_grpc.cc +3 -1
  113. data/src/core/ext/xds/xds_cluster.cc +104 -11
  114. data/src/core/ext/xds/xds_cluster.h +9 -1
  115. data/src/core/ext/xds/xds_cluster_specifier_plugin.cc +9 -5
  116. data/src/core/ext/xds/xds_common_types.cc +14 -10
  117. data/src/core/ext/xds/xds_endpoint.cc +9 -4
  118. data/src/core/ext/xds/xds_endpoint.h +5 -1
  119. data/src/core/ext/xds/xds_health_status.cc +12 -2
  120. data/src/core/ext/xds/xds_health_status.h +4 -2
  121. data/src/core/ext/xds/xds_http_rbac_filter.cc +5 -3
  122. data/src/core/ext/xds/xds_listener.cc +14 -8
  123. data/src/core/ext/xds/xds_resource_type_impl.h +6 -4
  124. data/src/core/ext/xds/xds_route_config.cc +34 -22
  125. data/src/core/ext/xds/xds_route_config.h +1 -0
  126. data/src/core/ext/xds/xds_server_config_fetcher.cc +61 -57
  127. data/src/core/ext/xds/xds_transport.h +3 -0
  128. data/src/core/ext/xds/xds_transport_grpc.cc +47 -50
  129. data/src/core/ext/xds/xds_transport_grpc.h +4 -0
  130. data/src/core/lib/channel/call_tracer.cc +12 -0
  131. data/src/core/lib/channel/call_tracer.h +17 -3
  132. data/src/core/lib/channel/channel_args.cc +24 -14
  133. data/src/core/lib/channel/channel_args.h +74 -13
  134. data/src/core/lib/channel/channel_stack.cc +27 -0
  135. data/src/core/lib/channel/channel_stack.h +10 -10
  136. data/src/core/lib/channel/connected_channel.cc +64 -18
  137. data/src/core/lib/channel/promise_based_filter.h +1041 -1
  138. data/src/core/lib/channel/server_call_tracer_filter.cc +43 -35
  139. data/src/core/lib/compression/compression_internal.cc +0 -3
  140. data/src/core/lib/event_engine/ares_resolver.cc +35 -14
  141. data/src/core/lib/event_engine/ares_resolver.h +9 -10
  142. data/src/core/lib/event_engine/cf_engine/dns_service_resolver.cc +8 -1
  143. data/src/core/lib/event_engine/posix_engine/native_posix_dns_resolver.cc +132 -0
  144. data/src/core/lib/event_engine/posix_engine/native_posix_dns_resolver.h +61 -0
  145. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +52 -36
  146. data/src/core/lib/event_engine/posix_engine/posix_engine.h +4 -9
  147. data/src/core/lib/event_engine/posix_engine/posix_engine_listener_utils.cc +11 -3
  148. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +9 -2
  149. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +7 -0
  150. data/src/core/lib/event_engine/posix_engine/timer_manager.cc +17 -27
  151. data/src/core/lib/event_engine/posix_engine/timer_manager.h +0 -3
  152. data/src/core/lib/event_engine/ref_counted_dns_resolver_interface.h +55 -0
  153. data/src/core/lib/event_engine/windows/native_windows_dns_resolver.cc +114 -0
  154. data/src/core/lib/event_engine/windows/native_windows_dns_resolver.h +51 -0
  155. data/src/core/lib/event_engine/windows/windows_engine.cc +7 -7
  156. data/src/core/lib/experiments/config.cc +13 -0
  157. data/src/core/lib/experiments/config.h +3 -0
  158. data/src/core/lib/experiments/experiments.cc +245 -366
  159. data/src/core/lib/experiments/experiments.h +50 -156
  160. data/src/core/lib/gprpp/debug_location.h +13 -0
  161. data/src/core/lib/gprpp/dual_ref_counted.h +36 -7
  162. data/src/core/lib/gprpp/orphanable.h +27 -0
  163. data/src/core/lib/gprpp/ref_counted.h +63 -22
  164. data/src/core/lib/gprpp/ref_counted_ptr.h +70 -27
  165. data/src/core/lib/gprpp/ref_counted_string.h +13 -0
  166. data/src/core/lib/gprpp/status_helper.cc +1 -2
  167. data/src/core/lib/iomgr/combiner.cc +15 -51
  168. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +31 -0
  169. data/src/core/lib/iomgr/event_engine_shims/endpoint.h +16 -0
  170. data/src/core/lib/iomgr/tcp_client_posix.cc +4 -3
  171. data/src/core/lib/load_balancing/lb_policy.h +1 -1
  172. data/src/core/lib/promise/activity.cc +17 -2
  173. data/src/core/lib/promise/activity.h +5 -4
  174. data/src/core/lib/promise/all_ok.h +80 -0
  175. data/src/core/lib/promise/detail/join_state.h +2077 -0
  176. data/src/core/lib/promise/detail/promise_factory.h +1 -0
  177. data/src/core/lib/promise/detail/promise_like.h +8 -1
  178. data/src/core/lib/promise/detail/seq_state.h +3458 -150
  179. data/src/core/lib/promise/detail/status.h +42 -5
  180. data/src/core/lib/promise/for_each.h +13 -1
  181. data/src/core/lib/promise/if.h +4 -0
  182. data/src/core/lib/promise/latch.h +6 -3
  183. data/src/core/lib/promise/party.cc +33 -31
  184. data/src/core/lib/promise/party.h +142 -6
  185. data/src/core/lib/promise/poll.h +39 -13
  186. data/src/core/lib/promise/promise.h +4 -0
  187. data/src/core/lib/promise/seq.h +107 -7
  188. data/src/core/lib/promise/status_flag.h +196 -0
  189. data/src/core/lib/promise/try_join.h +132 -0
  190. data/src/core/lib/promise/try_seq.h +132 -10
  191. data/src/core/lib/resolver/endpoint_addresses.cc +0 -1
  192. data/src/core/lib/resolver/endpoint_addresses.h +48 -0
  193. data/src/core/lib/resource_quota/arena.h +2 -2
  194. data/src/core/lib/resource_quota/memory_quota.cc +57 -8
  195. data/src/core/lib/resource_quota/memory_quota.h +6 -0
  196. data/src/core/lib/security/authorization/grpc_server_authz_filter.cc +14 -11
  197. data/src/core/lib/security/authorization/grpc_server_authz_filter.h +14 -5
  198. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +4 -0
  199. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +4 -0
  200. data/src/core/lib/security/credentials/external/external_account_credentials.cc +28 -20
  201. data/src/core/lib/security/credentials/external/external_account_credentials.h +4 -0
  202. data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +4 -0
  203. data/src/core/lib/security/credentials/external/file_external_account_credentials.h +4 -0
  204. data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +4 -0
  205. data/src/core/lib/security/credentials/external/url_external_account_credentials.h +4 -0
  206. data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +2 -1
  207. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +0 -3
  208. data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +12 -0
  209. data/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc +22 -5
  210. data/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h +1 -5
  211. data/src/core/lib/security/credentials/tls/tls_credentials.cc +16 -0
  212. data/src/core/lib/security/credentials/xds/xds_credentials.cc +21 -28
  213. data/src/core/lib/security/credentials/xds/xds_credentials.h +2 -4
  214. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +4 -3
  215. data/src/core/lib/security/transport/auth_filters.h +71 -4
  216. data/src/core/lib/security/transport/client_auth_filter.cc +2 -4
  217. data/src/core/lib/security/transport/legacy_server_auth_filter.cc +244 -0
  218. data/src/core/lib/security/transport/server_auth_filter.cc +70 -90
  219. data/src/core/lib/slice/slice_buffer.h +3 -0
  220. data/src/core/lib/surface/builtins.cc +1 -1
  221. data/src/core/lib/surface/call.cc +683 -196
  222. data/src/core/lib/surface/call.h +26 -13
  223. data/src/core/lib/surface/call_trace.cc +42 -1
  224. data/src/core/lib/surface/channel.cc +0 -1
  225. data/src/core/lib/surface/channel.h +0 -6
  226. data/src/core/lib/surface/channel_init.h +26 -0
  227. data/src/core/lib/surface/init.cc +14 -8
  228. data/src/core/lib/surface/server.cc +256 -237
  229. data/src/core/lib/surface/server.h +26 -54
  230. data/src/core/lib/surface/version.cc +2 -2
  231. data/src/core/lib/surface/wait_for_cq_end_op.h +94 -0
  232. data/src/core/lib/transport/call_final_info.cc +38 -0
  233. data/src/core/lib/transport/call_final_info.h +54 -0
  234. data/src/core/lib/transport/connectivity_state.cc +3 -2
  235. data/src/core/lib/transport/connectivity_state.h +4 -0
  236. data/src/core/lib/transport/metadata_batch.h +4 -4
  237. data/src/core/lib/transport/transport.cc +70 -19
  238. data/src/core/lib/transport/transport.h +395 -25
  239. data/src/core/plugin_registry/grpc_plugin_registry.cc +3 -0
  240. data/src/core/plugin_registry/grpc_plugin_registry_extra.cc +0 -3
  241. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +1 -1
  242. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
  243. data/src/core/tsi/alts/handshaker/transport_security_common_api.cc +1 -1
  244. data/src/core/tsi/ssl_transport_security.cc +65 -43
  245. data/src/ruby/ext/grpc/rb_channel_args.c +3 -1
  246. data/src/ruby/ext/grpc/rb_grpc.c +0 -1
  247. data/src/ruby/ext/grpc/rb_grpc.h +0 -2
  248. data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +4 -0
  249. data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +6 -0
  250. data/src/ruby/lib/grpc/version.rb +1 -1
  251. data/third_party/upb/upb/reflection/def_pool.h +2 -2
  252. data/third_party/zlib/adler32.c +5 -27
  253. data/third_party/zlib/compress.c +5 -16
  254. data/third_party/zlib/crc32.c +86 -162
  255. data/third_party/zlib/deflate.c +233 -336
  256. data/third_party/zlib/deflate.h +8 -8
  257. data/third_party/zlib/gzguts.h +11 -12
  258. data/third_party/zlib/infback.c +7 -23
  259. data/third_party/zlib/inffast.c +1 -4
  260. data/third_party/zlib/inffast.h +1 -1
  261. data/third_party/zlib/inflate.c +30 -99
  262. data/third_party/zlib/inftrees.c +6 -11
  263. data/third_party/zlib/inftrees.h +3 -3
  264. data/third_party/zlib/trees.c +224 -302
  265. data/third_party/zlib/uncompr.c +4 -12
  266. data/third_party/zlib/zconf.h +6 -2
  267. data/third_party/zlib/zlib.h +191 -188
  268. data/third_party/zlib/zutil.c +16 -44
  269. data/third_party/zlib/zutil.h +10 -10
  270. metadata +35 -13
  271. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +0 -1173
  272. data/src/core/lib/event_engine/memory_allocator.cc +0 -74
  273. data/src/core/lib/transport/pid_controller.cc +0 -51
  274. data/src/core/lib/transport/pid_controller.h +0 -116
  275. data/third_party/upb/upb/collections/array.h +0 -17
  276. data/third_party/upb/upb/collections/map.h +0 -17
  277. data/third_party/upb/upb/upb.hpp +0 -18
@@ -74,10 +74,8 @@ bool XdsVerifySubjectAlternativeNames(
74
74
  //
75
75
 
76
76
  XdsCertificateVerifier::XdsCertificateVerifier(
77
- RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
78
- std::string cluster_name)
79
- : xds_certificate_provider_(std::move(xds_certificate_provider)),
80
- cluster_name_(std::move(cluster_name)) {}
77
+ RefCountedPtr<XdsCertificateProvider> xds_certificate_provider)
78
+ : xds_certificate_provider_(std::move(xds_certificate_provider)) {}
81
79
 
82
80
  bool XdsCertificateVerifier::Verify(
83
81
  grpc_tls_custom_verification_check_request* request,
@@ -86,15 +84,15 @@ bool XdsCertificateVerifier::Verify(
86
84
  if (!XdsVerifySubjectAlternativeNames(
87
85
  request->peer_info.san_names.uri_names,
88
86
  request->peer_info.san_names.uri_names_size,
89
- xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
87
+ xds_certificate_provider_->san_matchers()) &&
90
88
  !XdsVerifySubjectAlternativeNames(
91
89
  request->peer_info.san_names.ip_names,
92
90
  request->peer_info.san_names.ip_names_size,
93
- xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
91
+ xds_certificate_provider_->san_matchers()) &&
94
92
  !XdsVerifySubjectAlternativeNames(
95
93
  request->peer_info.san_names.dns_names,
96
94
  request->peer_info.san_names.dns_names_size,
97
- xds_certificate_provider_->GetSanMatchers(cluster_name_))) {
95
+ xds_certificate_provider_->san_matchers())) {
98
96
  *sync_status = absl::Status(
99
97
  absl::StatusCode::kUnauthenticated,
100
98
  "SANs from certificate did not match SANs from xDS control plane");
@@ -108,9 +106,12 @@ void XdsCertificateVerifier::Cancel(
108
106
  int XdsCertificateVerifier::CompareImpl(
109
107
  const grpc_tls_certificate_verifier* other) const {
110
108
  auto* o = static_cast<const XdsCertificateVerifier*>(other);
111
- int r = QsortCompare(xds_certificate_provider_, o->xds_certificate_provider_);
112
- if (r != 0) return r;
113
- return cluster_name_.compare(o->cluster_name_);
109
+ if (xds_certificate_provider_ == nullptr ||
110
+ o->xds_certificate_provider_ == nullptr) {
111
+ return QsortCompare(xds_certificate_provider_,
112
+ o->xds_certificate_provider_);
113
+ }
114
+ return xds_certificate_provider_->Compare(o->xds_certificate_provider_.get());
114
115
  }
115
116
 
116
117
  UniqueTypeName XdsCertificateVerifier::type() const {
@@ -140,12 +141,9 @@ XdsCredentials::create_security_connector(
140
141
  RefCountedPtr<grpc_channel_security_connector> security_connector;
141
142
  auto xds_certificate_provider = args->GetObjectRef<XdsCertificateProvider>();
142
143
  if (xds_certificate_provider != nullptr) {
143
- std::string cluster_name(
144
- args->GetString(GRPC_ARG_XDS_CLUSTER_NAME).value());
145
- const bool watch_root =
146
- xds_certificate_provider->ProvidesRootCerts(cluster_name);
144
+ const bool watch_root = xds_certificate_provider->ProvidesRootCerts();
147
145
  const bool watch_identity =
148
- xds_certificate_provider->ProvidesIdentityCerts(cluster_name);
146
+ xds_certificate_provider->ProvidesIdentityCerts();
149
147
  if (watch_root || watch_identity) {
150
148
  auto tls_credentials_options =
151
149
  MakeRefCounted<grpc_tls_credentials_options>();
@@ -153,16 +151,14 @@ XdsCredentials::create_security_connector(
153
151
  xds_certificate_provider);
154
152
  if (watch_root) {
155
153
  tls_credentials_options->set_watch_root_cert(true);
156
- tls_credentials_options->set_root_cert_name(cluster_name);
157
154
  }
158
155
  if (watch_identity) {
159
156
  tls_credentials_options->set_watch_identity_pair(true);
160
- tls_credentials_options->set_identity_cert_name(cluster_name);
161
157
  }
162
158
  tls_credentials_options->set_verify_server_cert(true);
163
159
  tls_credentials_options->set_certificate_verifier(
164
- MakeRefCounted<XdsCertificateVerifier>(xds_certificate_provider,
165
- std::move(cluster_name)));
160
+ MakeRefCounted<XdsCertificateVerifier>(
161
+ std::move(xds_certificate_provider)));
166
162
  tls_credentials_options->set_check_call_host(false);
167
163
  auto tls_credentials =
168
164
  MakeRefCounted<TlsCredentials>(std::move(tls_credentials_options));
@@ -189,20 +185,17 @@ XdsServerCredentials::create_security_connector(const ChannelArgs& args) {
189
185
  auto xds_certificate_provider = args.GetObjectRef<XdsCertificateProvider>();
190
186
  // Identity certs are a must for TLS.
191
187
  if (xds_certificate_provider != nullptr &&
192
- xds_certificate_provider->ProvidesIdentityCerts("")) {
188
+ xds_certificate_provider->ProvidesIdentityCerts()) {
193
189
  auto tls_credentials_options =
194
190
  MakeRefCounted<grpc_tls_credentials_options>();
195
191
  tls_credentials_options->set_watch_identity_pair(true);
196
192
  tls_credentials_options->set_certificate_provider(xds_certificate_provider);
197
- if (xds_certificate_provider->ProvidesRootCerts("")) {
193
+ if (xds_certificate_provider->ProvidesRootCerts()) {
198
194
  tls_credentials_options->set_watch_root_cert(true);
199
- if (xds_certificate_provider->GetRequireClientCertificate("")) {
200
- tls_credentials_options->set_cert_request_type(
201
- GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
202
- } else {
203
- tls_credentials_options->set_cert_request_type(
204
- GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY);
205
- }
195
+ tls_credentials_options->set_cert_request_type(
196
+ xds_certificate_provider->require_client_certificate()
197
+ ? GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
198
+ : GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY);
206
199
  } else {
207
200
  // Do not request client certificate if there is no way to verify.
208
201
  tls_credentials_options->set_cert_request_type(
@@ -46,9 +46,8 @@ namespace grpc_core {
46
46
 
47
47
  class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
48
48
  public:
49
- XdsCertificateVerifier(
50
- RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
51
- std::string cluster_name);
49
+ explicit XdsCertificateVerifier(
50
+ RefCountedPtr<XdsCertificateProvider> xds_certificate_provider);
52
51
 
53
52
  bool Verify(grpc_tls_custom_verification_check_request* request,
54
53
  std::function<void(absl::Status)>,
@@ -61,7 +60,6 @@ class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
61
60
  int CompareImpl(const grpc_tls_certificate_verifier* other) const override;
62
61
 
63
62
  RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
64
- std::string cluster_name_;
65
63
  };
66
64
 
67
65
  class XdsCredentials final : public grpc_channel_credentials {
@@ -379,7 +379,8 @@ void TlsChannelSecurityConnector::check_peer(
379
379
  grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
380
380
  GPR_ASSERT(options_->certificate_verifier() != nullptr);
381
381
  auto* pending_request = new ChannelPendingVerifierRequest(
382
- Ref(), on_peer_checked, peer, target_name);
382
+ RefAsSubclass<TlsChannelSecurityConnector>(), on_peer_checked, peer,
383
+ target_name);
383
384
  {
384
385
  MutexLock lock(&verifier_request_map_mu_);
385
386
  pending_verifier_requests_.emplace(on_peer_checked, pending_request);
@@ -653,8 +654,8 @@ void TlsServerSecurityConnector::check_peer(
653
654
  *auth_context =
654
655
  grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
655
656
  if (options_->certificate_verifier() != nullptr) {
656
- auto* pending_request =
657
- new ServerPendingVerifierRequest(Ref(), on_peer_checked, peer);
657
+ auto* pending_request = new ServerPendingVerifierRequest(
658
+ RefAsSubclass<TlsServerSecurityConnector>(), on_peer_checked, peer);
658
659
  {
659
660
  MutexLock lock(&verifier_request_map_mu_);
660
661
  pending_verifier_requests_.emplace(on_peer_checked, pending_request);
@@ -62,23 +62,90 @@ class ClientAuthFilter final : public ChannelFilter {
62
62
  grpc_call_credentials::GetRequestMetadataArgs args_;
63
63
  };
64
64
 
65
- class ServerAuthFilter final : public ChannelFilter {
65
+ class LegacyServerAuthFilter final : public ChannelFilter {
66
66
  public:
67
67
  static const grpc_channel_filter kFilter;
68
68
 
69
- static absl::StatusOr<ServerAuthFilter> Create(const ChannelArgs& args,
70
- ChannelFilter::Args);
69
+ static absl::StatusOr<LegacyServerAuthFilter> Create(const ChannelArgs& args,
70
+ ChannelFilter::Args);
71
71
 
72
72
  // Construct a promise for one call.
73
73
  ArenaPromise<ServerMetadataHandle> MakeCallPromise(
74
74
  CallArgs call_args, NextPromiseFactory next_promise_factory) override;
75
75
 
76
+ private:
77
+ LegacyServerAuthFilter(
78
+ RefCountedPtr<grpc_server_credentials> server_credentials,
79
+ RefCountedPtr<grpc_auth_context> auth_context);
80
+
81
+ class RunApplicationCode;
82
+
83
+ ArenaPromise<absl::StatusOr<CallArgs>> GetCallCredsMetadata(
84
+ CallArgs call_args);
85
+
86
+ RefCountedPtr<grpc_server_credentials> server_credentials_;
87
+ RefCountedPtr<grpc_auth_context> auth_context_;
88
+ };
89
+
90
+ class ServerAuthFilter final : public ImplementChannelFilter<ServerAuthFilter> {
76
91
  private:
77
92
  ServerAuthFilter(RefCountedPtr<grpc_server_credentials> server_credentials,
78
93
  RefCountedPtr<grpc_auth_context> auth_context);
79
94
 
80
- class RunApplicationCode;
95
+ class RunApplicationCode {
96
+ public:
97
+ RunApplicationCode(ServerAuthFilter* filter, ClientMetadata& metadata);
98
+
99
+ RunApplicationCode(const RunApplicationCode&) = delete;
100
+ RunApplicationCode& operator=(const RunApplicationCode&) = delete;
101
+ RunApplicationCode(RunApplicationCode&& other) noexcept
102
+ : state_(std::exchange(other.state_, nullptr)) {}
103
+ RunApplicationCode& operator=(RunApplicationCode&& other) noexcept {
104
+ state_ = std::exchange(other.state_, nullptr);
105
+ return *this;
106
+ }
107
+
108
+ Poll<absl::Status> operator()();
109
+
110
+ private:
111
+ // Called from application code.
112
+ static void OnMdProcessingDone(void* user_data,
113
+ const grpc_metadata* consumed_md,
114
+ size_t num_consumed_md,
115
+ const grpc_metadata* response_md,
116
+ size_t num_response_md,
117
+ grpc_status_code status,
118
+ const char* error_details);
119
+
120
+ struct State;
121
+ State* state_;
122
+ };
123
+
124
+ public:
125
+ static const grpc_channel_filter kFilter;
81
126
 
127
+ static absl::StatusOr<ServerAuthFilter> Create(const ChannelArgs& args,
128
+ ChannelFilter::Args);
129
+
130
+ class Call {
131
+ public:
132
+ explicit Call(ServerAuthFilter* filter);
133
+ auto OnClientInitialMetadata(ClientMetadata& md, ServerAuthFilter* filter) {
134
+ return If(
135
+ filter->server_credentials_ == nullptr ||
136
+ filter->server_credentials_->auth_metadata_processor().process ==
137
+ nullptr,
138
+ ImmediateOkStatus(),
139
+ [filter, md = &md]() { return RunApplicationCode(filter, *md); });
140
+ }
141
+ static const NoInterceptor OnServerInitialMetadata;
142
+ static const NoInterceptor OnClientToServerMessage;
143
+ static const NoInterceptor OnServerToClientMessage;
144
+ static const NoInterceptor OnServerTrailingMetadata;
145
+ static const NoInterceptor OnFinalize;
146
+ };
147
+
148
+ private:
82
149
  ArenaPromise<absl::StatusOr<CallArgs>> GetCallCredsMetadata(
83
150
  CallArgs call_args);
84
151
 
@@ -216,10 +216,8 @@ absl::StatusOr<ClientAuthFilter> ClientAuthFilter::Create(
216
216
  return absl::InvalidArgumentError(
217
217
  "Auth context missing from client auth filter args");
218
218
  }
219
-
220
- return ClientAuthFilter(
221
- static_cast<grpc_channel_security_connector*>(sc)->Ref(),
222
- auth_context->Ref());
219
+ return ClientAuthFilter(sc->RefAsSubclass<grpc_channel_security_connector>(),
220
+ auth_context->Ref());
223
221
  }
224
222
 
225
223
  const grpc_channel_filter ClientAuthFilter::kFilter =
@@ -0,0 +1,244 @@
1
+ //
2
+ //
3
+ // Copyright 2015 gRPC authors.
4
+ //
5
+ // Licensed under the Apache License, Version 2.0 (the "License");
6
+ // you may not use this file except in compliance with the License.
7
+ // You may obtain a copy of the License at
8
+ //
9
+ // http://www.apache.org/licenses/LICENSE-2.0
10
+ //
11
+ // Unless required by applicable law or agreed to in writing, software
12
+ // distributed under the License is distributed on an "AS IS" BASIS,
13
+ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ // See the License for the specific language governing permissions and
15
+ // limitations under the License.
16
+ //
17
+ //
18
+
19
+ #include <grpc/support/port_platform.h>
20
+
21
+ #include <algorithm>
22
+ #include <atomic>
23
+ #include <cstddef>
24
+ #include <functional>
25
+ #include <memory>
26
+ #include <utility>
27
+
28
+ #include "absl/status/status.h"
29
+ #include "absl/status/statusor.h"
30
+
31
+ #include <grpc/grpc.h>
32
+ #include <grpc/grpc_security.h>
33
+ #include <grpc/status.h>
34
+ #include <grpc/support/alloc.h>
35
+ #include <grpc/support/log.h>
36
+
37
+ #include "src/core/lib/channel/channel_args.h"
38
+ #include "src/core/lib/channel/channel_fwd.h"
39
+ #include "src/core/lib/channel/channel_stack.h"
40
+ #include "src/core/lib/channel/context.h"
41
+ #include "src/core/lib/channel/promise_based_filter.h"
42
+ #include "src/core/lib/debug/trace.h"
43
+ #include "src/core/lib/gprpp/debug_location.h"
44
+ #include "src/core/lib/gprpp/ref_counted_ptr.h"
45
+ #include "src/core/lib/gprpp/status_helper.h"
46
+ #include "src/core/lib/iomgr/error.h"
47
+ #include "src/core/lib/iomgr/exec_ctx.h"
48
+ #include "src/core/lib/promise/activity.h"
49
+ #include "src/core/lib/promise/arena_promise.h"
50
+ #include "src/core/lib/promise/context.h"
51
+ #include "src/core/lib/promise/poll.h"
52
+ #include "src/core/lib/promise/try_seq.h"
53
+ #include "src/core/lib/resource_quota/arena.h"
54
+ #include "src/core/lib/security/context/security_context.h"
55
+ #include "src/core/lib/security/credentials/credentials.h"
56
+ #include "src/core/lib/security/transport/auth_filters.h" // IWYU pragma: keep
57
+ #include "src/core/lib/slice/slice.h"
58
+ #include "src/core/lib/slice/slice_internal.h"
59
+ #include "src/core/lib/surface/call_trace.h"
60
+ #include "src/core/lib/transport/metadata_batch.h"
61
+ #include "src/core/lib/transport/transport.h"
62
+
63
+ namespace grpc_core {
64
+
65
+ const grpc_channel_filter LegacyServerAuthFilter::kFilter =
66
+ MakePromiseBasedFilter<LegacyServerAuthFilter, FilterEndpoint::kServer>(
67
+ "server-auth");
68
+
69
+ namespace {
70
+
71
+ class ArrayEncoder {
72
+ public:
73
+ explicit ArrayEncoder(grpc_metadata_array* result) : result_(result) {}
74
+
75
+ void Encode(const Slice& key, const Slice& value) {
76
+ Append(key.Ref(), value.Ref());
77
+ }
78
+
79
+ template <typename Which>
80
+ void Encode(Which, const typename Which::ValueType& value) {
81
+ Append(Slice(StaticSlice::FromStaticString(Which::key())),
82
+ Slice(Which::Encode(value)));
83
+ }
84
+
85
+ void Encode(HttpMethodMetadata,
86
+ const typename HttpMethodMetadata::ValueType&) {}
87
+
88
+ private:
89
+ void Append(Slice key, Slice value) {
90
+ if (result_->count == result_->capacity) {
91
+ result_->capacity =
92
+ std::max(result_->capacity + 8, result_->capacity * 2);
93
+ result_->metadata = static_cast<grpc_metadata*>(gpr_realloc(
94
+ result_->metadata, result_->capacity * sizeof(grpc_metadata)));
95
+ }
96
+ auto* usr_md = &result_->metadata[result_->count++];
97
+ usr_md->key = key.TakeCSlice();
98
+ usr_md->value = value.TakeCSlice();
99
+ }
100
+
101
+ grpc_metadata_array* result_;
102
+ };
103
+
104
+ // TODO(ctiller): seek out all users of this functionality and change API so
105
+ // that this unilateral format conversion IS NOT REQUIRED.
106
+ grpc_metadata_array MetadataBatchToMetadataArray(
107
+ const grpc_metadata_batch* batch) {
108
+ grpc_metadata_array result;
109
+ grpc_metadata_array_init(&result);
110
+ ArrayEncoder encoder(&result);
111
+ batch->Encode(&encoder);
112
+ return result;
113
+ }
114
+
115
+ } // namespace
116
+
117
+ class LegacyServerAuthFilter::RunApplicationCode {
118
+ public:
119
+ // TODO(ctiller): Allocate state_ into a pool on the arena to reuse this
120
+ // memory later
121
+ RunApplicationCode(LegacyServerAuthFilter* filter, CallArgs call_args)
122
+ : state_(GetContext<Arena>()->ManagedNew<State>(std::move(call_args))) {
123
+ if (grpc_call_trace.enabled()) {
124
+ gpr_log(GPR_ERROR,
125
+ "%s[server-auth]: Delegate to application: filter=%p this=%p "
126
+ "auth_ctx=%p",
127
+ Activity::current()->DebugTag().c_str(), filter, this,
128
+ filter->auth_context_.get());
129
+ }
130
+ filter->server_credentials_->auth_metadata_processor().process(
131
+ filter->server_credentials_->auth_metadata_processor().state,
132
+ filter->auth_context_.get(), state_->md.metadata, state_->md.count,
133
+ OnMdProcessingDone, state_);
134
+ }
135
+
136
+ RunApplicationCode(const RunApplicationCode&) = delete;
137
+ RunApplicationCode& operator=(const RunApplicationCode&) = delete;
138
+ RunApplicationCode(RunApplicationCode&& other) noexcept
139
+ : state_(std::exchange(other.state_, nullptr)) {}
140
+ RunApplicationCode& operator=(RunApplicationCode&& other) noexcept {
141
+ state_ = std::exchange(other.state_, nullptr);
142
+ return *this;
143
+ }
144
+
145
+ Poll<absl::StatusOr<CallArgs>> operator()() {
146
+ if (state_->done.load(std::memory_order_acquire)) {
147
+ return Poll<absl::StatusOr<CallArgs>>(std::move(state_->call_args));
148
+ }
149
+ return Pending{};
150
+ }
151
+
152
+ private:
153
+ struct State {
154
+ explicit State(CallArgs call_args) : call_args(std::move(call_args)) {}
155
+ Waker waker{Activity::current()->MakeOwningWaker()};
156
+ absl::StatusOr<CallArgs> call_args;
157
+ grpc_metadata_array md =
158
+ MetadataBatchToMetadataArray(call_args->client_initial_metadata.get());
159
+ std::atomic<bool> done{false};
160
+ };
161
+
162
+ // Called from application code.
163
+ static void OnMdProcessingDone(
164
+ void* user_data, const grpc_metadata* consumed_md, size_t num_consumed_md,
165
+ const grpc_metadata* response_md, size_t num_response_md,
166
+ grpc_status_code status, const char* error_details) {
167
+ ApplicationCallbackExecCtx callback_exec_ctx;
168
+ ExecCtx exec_ctx;
169
+
170
+ auto* state = static_cast<State*>(user_data);
171
+
172
+ // TODO(ZhenLian): Implement support for response_md.
173
+ if (response_md != nullptr && num_response_md > 0) {
174
+ gpr_log(GPR_ERROR,
175
+ "response_md in auth metadata processing not supported for now. "
176
+ "Ignoring...");
177
+ }
178
+
179
+ if (status == GRPC_STATUS_OK) {
180
+ ClientMetadataHandle& md = state->call_args->client_initial_metadata;
181
+ for (size_t i = 0; i < num_consumed_md; i++) {
182
+ md->Remove(StringViewFromSlice(consumed_md[i].key));
183
+ }
184
+ } else {
185
+ if (error_details == nullptr) {
186
+ error_details = "Authentication metadata processing failed.";
187
+ }
188
+ state->call_args = grpc_error_set_int(
189
+ absl::Status(static_cast<absl::StatusCode>(status), error_details),
190
+ StatusIntProperty::kRpcStatus, status);
191
+ }
192
+
193
+ // Clean up.
194
+ for (size_t i = 0; i < state->md.count; i++) {
195
+ CSliceUnref(state->md.metadata[i].key);
196
+ CSliceUnref(state->md.metadata[i].value);
197
+ }
198
+ grpc_metadata_array_destroy(&state->md);
199
+
200
+ auto waker = std::move(state->waker);
201
+ state->done.store(true, std::memory_order_release);
202
+ waker.Wakeup();
203
+ }
204
+
205
+ State* state_;
206
+ };
207
+
208
+ ArenaPromise<ServerMetadataHandle> LegacyServerAuthFilter::MakeCallPromise(
209
+ CallArgs call_args, NextPromiseFactory next_promise_factory) {
210
+ // Create server security context. Set its auth context from channel
211
+ // data and save it in the call context.
212
+ grpc_server_security_context* server_ctx =
213
+ grpc_server_security_context_create(GetContext<Arena>());
214
+ server_ctx->auth_context =
215
+ auth_context_->Ref(DEBUG_LOCATION, "server_auth_filter");
216
+ grpc_call_context_element& context =
217
+ GetContext<grpc_call_context_element>()[GRPC_CONTEXT_SECURITY];
218
+ if (context.value != nullptr) context.destroy(context.value);
219
+ context.value = server_ctx;
220
+ context.destroy = grpc_server_security_context_destroy;
221
+
222
+ if (server_credentials_ == nullptr ||
223
+ server_credentials_->auth_metadata_processor().process == nullptr) {
224
+ return next_promise_factory(std::move(call_args));
225
+ }
226
+
227
+ return TrySeq(RunApplicationCode(this, std::move(call_args)),
228
+ std::move(next_promise_factory));
229
+ }
230
+
231
+ LegacyServerAuthFilter::LegacyServerAuthFilter(
232
+ RefCountedPtr<grpc_server_credentials> server_credentials,
233
+ RefCountedPtr<grpc_auth_context> auth_context)
234
+ : server_credentials_(server_credentials), auth_context_(auth_context) {}
235
+
236
+ absl::StatusOr<LegacyServerAuthFilter> LegacyServerAuthFilter::Create(
237
+ const ChannelArgs& args, ChannelFilter::Args) {
238
+ auto auth_context = args.GetObjectRef<grpc_auth_context>();
239
+ GPR_ASSERT(auth_context != nullptr);
240
+ auto creds = args.GetObjectRef<grpc_server_credentials>();
241
+ return LegacyServerAuthFilter(std::move(creds), std::move(auth_context));
242
+ }
243
+
244
+ } // namespace grpc_core