grpc 1.60.0 → 1.62.0

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc

@@ -32,11 +32,11 @@
 #include <grpc/support/time.h>
 
 #include "src/core/lib/debug/trace.h"
+#include "src/core/lib/gprpp/load_file.h"
 #include "src/core/lib/gprpp/stat.h"
 #include "src/core/lib/gprpp/status_helper.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/iomgr/exec_ctx.h"
-#include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/slice/slice.h"
 #include "src/core/lib/slice/slice_internal.h"
 #include "src/core/lib/surface/api_trace.h"
@@ -280,17 +280,15 @@ absl::optional<std::string>
 FileWatcherCertificateProvider::ReadRootCertificatesFromFile(
     const std::string& root_cert_full_path) {
   // Read the root file.
-  grpc_slice root_slice = grpc_empty_slice();
-  grpc_error_handle root_error =
-      grpc_load_file(root_cert_full_path.c_str(), 0, &root_slice);
-  if (!root_error.ok()) {
+  auto root_slice =
+      LoadFile(root_cert_full_path, /*add_null_terminator=*/false);
+  if (!root_slice.ok()) {
     gpr_log(GPR_ERROR, "Reading file %s failed: %s",
-            root_cert_full_path.c_str(), StatusToString(root_error).c_str());
+            root_cert_full_path.c_str(),
+            root_slice.status().ToString().c_str());
     return absl::nullopt;
   }
-  std::string root_cert(StringViewFromSlice(root_slice));
-  CSliceUnref(root_slice);
-  return root_cert;
+  return std::string(root_slice->as_string_view());
 }
 
 namespace {
@@ -309,10 +307,6 @@ absl::optional<PemKeyCertPairList>
 FileWatcherCertificateProvider::ReadIdentityKeyCertPairFromFiles(
     const std::string& private_key_path,
     const std::string& identity_certificate_path) {
-  struct SliceWrapper {
-    grpc_slice slice = grpc_empty_slice();
-    ~SliceWrapper() { CSliceUnref(slice); }
-  };
   const int kNumRetryAttempts = 3;
   for (int i = 0; i < kNumRetryAttempts; ++i) {
     // TODO(ZhenLian): replace the timestamp approach with key-match approach
@@ -337,24 +331,22 @@ FileWatcherCertificateProvider::ReadIdentityKeyCertPairFromFiles(
       continue;
     }
     // Read the identity files.
-    SliceWrapper key_slice, cert_slice;
-    grpc_error_handle key_error =
-        grpc_load_file(private_key_path.c_str(), 0, &key_slice.slice);
-    if (!key_error.ok()) {
+    auto key_slice = LoadFile(private_key_path, /*add_null_terminator=*/false);
+    if (!key_slice.ok()) {
       gpr_log(GPR_ERROR, "Reading file %s failed: %s. Start retrying...",
-              private_key_path.c_str(), StatusToString(key_error).c_str());
+              private_key_path.c_str(), key_slice.status().ToString().c_str());
       continue;
     }
-    grpc_error_handle cert_error =
-        grpc_load_file(identity_certificate_path.c_str(), 0, &cert_slice.slice);
-    if (!cert_error.ok()) {
+    auto cert_slice =
+        LoadFile(identity_certificate_path, /*add_null_terminator=*/false);
+    if (!cert_slice.ok()) {
       gpr_log(GPR_ERROR, "Reading file %s failed: %s. Start retrying...",
               identity_certificate_path.c_str(),
-              StatusToString(cert_error).c_str());
+              cert_slice.status().ToString().c_str());
       continue;
     }
-    std::string private_key(StringViewFromSlice(key_slice.slice));
-    std::string cert_chain(StringViewFromSlice(cert_slice.slice));
+    std::string private_key(key_slice->as_string_view());
+    std::string cert_chain(cert_slice->as_string_view());
     PemKeyCertPairList identity_pairs;
     identity_pairs.emplace_back(private_key, cert_chain);
     // Checking the last modification of identity files before reading.

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h

@@ -39,7 +39,6 @@
 #include "src/core/lib/gprpp/sync.h"
 #include "src/core/lib/gprpp/thd.h"
 #include "src/core/lib/gprpp/unique_type_name.h"
-#include "src/core/lib/iomgr/iomgr_fwd.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
 #include "src/core/lib/security/security_connector/ssl_utils.h"
 
@@ -55,8 +54,6 @@
 struct grpc_tls_certificate_provider
     : public grpc_core::RefCounted<grpc_tls_certificate_provider> {
  public:
-  virtual grpc_pollset_set* interested_parties() const { return nullptr; }
-
   virtual grpc_core::RefCountedPtr<grpc_tls_certificate_distributor>
   distributor() const = 0;
 

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc

@@ -149,3 +149,15 @@ void grpc_tls_credentials_options_set_crl_provider(
   GPR_ASSERT(options != nullptr);
   options->set_crl_provider(provider);
 }
+
+void grpc_tls_credentials_options_set_min_tls_version(
+    grpc_tls_credentials_options* options, grpc_tls_version min_tls_version) {
+  GPR_ASSERT(options != nullptr);
+  options->set_min_tls_version(min_tls_version);
+}
+
+void grpc_tls_credentials_options_set_max_tls_version(
+    grpc_tls_credentials_options* options, grpc_tls_version max_tls_version) {
+  GPR_ASSERT(options != nullptr);
+  options->set_max_tls_version(max_tls_version);
+}

data/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc

@@ -148,8 +148,7 @@ absl::StatusOr<std::shared_ptr<CrlProvider>> CreateDirectoryReloaderCrlProvider(
     return absl::InvalidArgumentError("Refresh duration minimum is 60 seconds");
   }
   auto provider = std::make_shared<DirectoryReloaderCrlProvider>(
-      refresh_duration, reload_error_callback,
-      grpc_event_engine::experimental::GetDefaultEventEngine(),
+      refresh_duration, reload_error_callback, /*event_engine=*/nullptr,
       MakeDirectoryReader(directory));
   // This could be slow to do at startup, but we want to
   // make sure it's done before the provider is used.
@@ -157,10 +156,28 @@ absl::StatusOr<std::shared_ptr<CrlProvider>> CreateDirectoryReloaderCrlProvider(
   return provider;
 }
 
+DirectoryReloaderCrlProvider::DirectoryReloaderCrlProvider(
+    std::chrono::seconds duration, std::function<void(absl::Status)> callback,
+    std::shared_ptr<grpc_event_engine::experimental::EventEngine> event_engine,
+    std::shared_ptr<DirectoryReader> directory_impl)
+    : refresh_duration_(Duration::FromSecondsAsDouble(duration.count())),
+      reload_error_callback_(std::move(callback)),
+      crl_directory_(std::move(directory_impl)) {
+  // Must be called before `GetDefaultEventEngine`
+  grpc_init();
+  if (event_engine == nullptr) {
+    event_engine_ = grpc_event_engine::experimental::GetDefaultEventEngine();
+  } else {
+    event_engine_ = std::move(event_engine);
+  }
+}
+
 DirectoryReloaderCrlProvider::~DirectoryReloaderCrlProvider() {
   if (refresh_handle_.has_value()) {
     event_engine_->Cancel(refresh_handle_.value());
   }
+  // Call here because we call grpc_init in the constructor
+  grpc_shutdown();
 }
 
 void DirectoryReloaderCrlProvider::UpdateAndStartTimer() {
@@ -209,9 +226,9 @@ absl::Status DirectoryReloaderCrlProvider::Update() {
     // in-place updated in crls_.
     for (auto& kv : new_crls) {
       std::shared_ptr<Crl>& crl = kv.second;
-      // It's not safe to say crl->Issuer() on the LHS and std::move(crl) on the
-      // RHS, because C++ does not guarantee which of those will be executed
-      // first.
+      // It's not safe to say crl->Issuer() on the LHS and std::move(crl) on
+      // the RHS, because C++ does not guarantee which of those will be
+      // executed first.
       std::string issuer(crl->Issuer());
       crls_[std::move(issuer)] = std::move(crl);
     }

data/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h

@@ -98,11 +98,7 @@ class DirectoryReloaderCrlProvider
       std::chrono::seconds duration, std::function<void(absl::Status)> callback,
       std::shared_ptr<grpc_event_engine::experimental::EventEngine>
           event_engine,
-      std::shared_ptr<DirectoryReader> directory_impl)
-      : refresh_duration_(Duration::FromSecondsAsDouble(duration.count())),
-        reload_error_callback_(std::move(callback)),
-        event_engine_(std::move(event_engine)),
-        crl_directory_(std::move(directory_impl)) {}
+      std::shared_ptr<DirectoryReader> directory_impl);
 
   ~DirectoryReloaderCrlProvider() override;
   std::shared_ptr<Crl> GetCrl(const CertificateInfo& certificate_info) override;

data/src/core/lib/security/credentials/tls/tls_credentials.cc

@@ -46,6 +46,22 @@ bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
     gpr_log(GPR_ERROR, "TLS credentials options is nullptr.");
     return false;
   }
+  // In this case, there will be non-retriable handshake errors.
+  if (options->min_tls_version() > options->max_tls_version()) {
+    gpr_log(GPR_ERROR, "TLS min version must not be higher than max version.");
+    grpc_tls_credentials_options_destroy(options);
+    return false;
+  }
+  if (options->max_tls_version() > grpc_tls_version::TLS1_3) {
+    gpr_log(GPR_ERROR, "TLS max version must not be higher than v1.3.");
+    grpc_tls_credentials_options_destroy(options);
+    return false;
+  }
+  if (options->min_tls_version() < grpc_tls_version::TLS1_2) {
+    gpr_log(GPR_ERROR, "TLS min version must not be lower than v1.2.");
+    grpc_tls_credentials_options_destroy(options);
+    return false;
+  }
   if (!options->crl_directory().empty() && options->crl_provider() != nullptr) {
     gpr_log(GPR_ERROR,
             "Setting crl_directory and crl_provider not supported. Using the "

data/src/core/lib/security/credentials/xds/xds_credentials.cc

@@ -26,7 +26,6 @@
 #include <grpc/impl/channel_arg_names.h>
 #include <grpc/support/log.h>
 
-#include "src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h"
 #include "src/core/ext/xds/xds_certificate_provider.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/gpr/useful.h"
@@ -34,6 +33,7 @@
 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
 #include "src/core/lib/security/credentials/tls/tls_utils.h"
+#include "src/core/load_balancing/xds/xds_channel_args.h"
 
 namespace grpc_core {
 
@@ -74,10 +74,8 @@ bool XdsVerifySubjectAlternativeNames(
 //
 
 XdsCertificateVerifier::XdsCertificateVerifier(
-    RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
-    std::string cluster_name)
-    : xds_certificate_provider_(std::move(xds_certificate_provider)),
-      cluster_name_(std::move(cluster_name)) {}
+    RefCountedPtr<XdsCertificateProvider> xds_certificate_provider)
+    : xds_certificate_provider_(std::move(xds_certificate_provider)) {}
 
 bool XdsCertificateVerifier::Verify(
     grpc_tls_custom_verification_check_request* request,
@@ -86,15 +84,15 @@ bool XdsCertificateVerifier::Verify(
   if (!XdsVerifySubjectAlternativeNames(
           request->peer_info.san_names.uri_names,
           request->peer_info.san_names.uri_names_size,
-          xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
+          xds_certificate_provider_->san_matchers()) &&
       !XdsVerifySubjectAlternativeNames(
           request->peer_info.san_names.ip_names,
           request->peer_info.san_names.ip_names_size,
-          xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
+          xds_certificate_provider_->san_matchers()) &&
       !XdsVerifySubjectAlternativeNames(
           request->peer_info.san_names.dns_names,
           request->peer_info.san_names.dns_names_size,
-          xds_certificate_provider_->GetSanMatchers(cluster_name_))) {
+          xds_certificate_provider_->san_matchers())) {
     *sync_status = absl::Status(
         absl::StatusCode::kUnauthenticated,
         "SANs from certificate did not match SANs from xDS control plane");
@@ -108,9 +106,12 @@ void XdsCertificateVerifier::Cancel(
 int XdsCertificateVerifier::CompareImpl(
     const grpc_tls_certificate_verifier* other) const {
   auto* o = static_cast<const XdsCertificateVerifier*>(other);
-  int r = QsortCompare(xds_certificate_provider_, o->xds_certificate_provider_);
-  if (r != 0) return r;
-  return cluster_name_.compare(o->cluster_name_);
+  if (xds_certificate_provider_ == nullptr ||
+      o->xds_certificate_provider_ == nullptr) {
+    return QsortCompare(xds_certificate_provider_,
+                        o->xds_certificate_provider_);
+  }
+  return xds_certificate_provider_->Compare(o->xds_certificate_provider_.get());
 }
 
 UniqueTypeName XdsCertificateVerifier::type() const {
@@ -140,12 +141,9 @@ XdsCredentials::create_security_connector(
   RefCountedPtr<grpc_channel_security_connector> security_connector;
   auto xds_certificate_provider = args->GetObjectRef<XdsCertificateProvider>();
   if (xds_certificate_provider != nullptr) {
-    std::string cluster_name(
-        args->GetString(GRPC_ARG_XDS_CLUSTER_NAME).value());
-    const bool watch_root =
-        xds_certificate_provider->ProvidesRootCerts(cluster_name);
+    const bool watch_root = xds_certificate_provider->ProvidesRootCerts();
     const bool watch_identity =
-        xds_certificate_provider->ProvidesIdentityCerts(cluster_name);
+        xds_certificate_provider->ProvidesIdentityCerts();
     if (watch_root || watch_identity) {
       auto tls_credentials_options =
           MakeRefCounted<grpc_tls_credentials_options>();
@@ -153,16 +151,14 @@ XdsCredentials::create_security_connector(
           xds_certificate_provider);
       if (watch_root) {
         tls_credentials_options->set_watch_root_cert(true);
-        tls_credentials_options->set_root_cert_name(cluster_name);
       }
       if (watch_identity) {
         tls_credentials_options->set_watch_identity_pair(true);
-        tls_credentials_options->set_identity_cert_name(cluster_name);
       }
       tls_credentials_options->set_verify_server_cert(true);
       tls_credentials_options->set_certificate_verifier(
-          MakeRefCounted<XdsCertificateVerifier>(xds_certificate_provider,
-                                                 std::move(cluster_name)));
+          MakeRefCounted<XdsCertificateVerifier>(
+              std::move(xds_certificate_provider)));
       tls_credentials_options->set_check_call_host(false);
       auto tls_credentials =
           MakeRefCounted<TlsCredentials>(std::move(tls_credentials_options));
@@ -189,20 +185,17 @@ XdsServerCredentials::create_security_connector(const ChannelArgs& args) {
   auto xds_certificate_provider = args.GetObjectRef<XdsCertificateProvider>();
   // Identity certs are a must for TLS.
   if (xds_certificate_provider != nullptr &&
-      xds_certificate_provider->ProvidesIdentityCerts("")) {
+      xds_certificate_provider->ProvidesIdentityCerts()) {
     auto tls_credentials_options =
         MakeRefCounted<grpc_tls_credentials_options>();
     tls_credentials_options->set_watch_identity_pair(true);
     tls_credentials_options->set_certificate_provider(xds_certificate_provider);
-    if (xds_certificate_provider->ProvidesRootCerts("")) {
+    if (xds_certificate_provider->ProvidesRootCerts()) {
       tls_credentials_options->set_watch_root_cert(true);
-      if (xds_certificate_provider->GetRequireClientCertificate("")) {
-        tls_credentials_options->set_cert_request_type(
-            GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
-      } else {
-        tls_credentials_options->set_cert_request_type(
-            GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY);
-      }
+      tls_credentials_options->set_cert_request_type(
+          xds_certificate_provider->require_client_certificate()
+              ? GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
+              : GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY);
     } else {
       // Do not request client certificate if there is no way to verify.
       tls_credentials_options->set_cert_request_type(

data/src/core/lib/security/credentials/xds/xds_credentials.h

@@ -46,9 +46,8 @@ namespace grpc_core {
 
 class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
  public:
-  XdsCertificateVerifier(
-      RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
-      std::string cluster_name);
+  explicit XdsCertificateVerifier(
+      RefCountedPtr<XdsCertificateProvider> xds_certificate_provider);
 
   bool Verify(grpc_tls_custom_verification_check_request* request,
               std::function<void(absl::Status)>,
@@ -61,7 +60,6 @@ class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
   int CompareImpl(const grpc_tls_certificate_verifier* other) const override;
 
   RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
-  std::string cluster_name_;
 };
 
 class XdsCredentials final : public grpc_channel_credentials {

data/src/core/lib/security/security_connector/fake/fake_security_connector.cc

@@ -38,7 +38,6 @@
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 
-#include "src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/gpr/string.h"
 #include "src/core/lib/gpr/useful.h"
@@ -58,6 +57,7 @@
 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
 #include "src/core/lib/security/transport/security_handshaker.h"
 #include "src/core/lib/transport/handshaker.h"
+#include "src/core/load_balancing/grpclb/grpclb.h"
 #include "src/core/tsi/fake_transport_security.h"
 #include "src/core/tsi/transport_security_interface.h"
 

data/src/core/lib/security/security_connector/load_system_roots_supported.cc

@@ -37,8 +37,8 @@
 
 #include "src/core/lib/config/config_vars.h"
 #include "src/core/lib/gpr/useful.h"
+#include "src/core/lib/gprpp/load_file.h"
 #include "src/core/lib/iomgr/error.h"
-#include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/security/security_connector/load_system_roots.h"
 #include "src/core/lib/security/security_connector/load_system_roots_supported.h"
 
@@ -63,14 +63,10 @@ const char* kCertDirectories[] = {""};
 #endif                      // GPR_APPLE
 
 grpc_slice GetSystemRootCerts() {
-  grpc_slice valid_bundle_slice = grpc_empty_slice();
   size_t num_cert_files_ = GPR_ARRAY_SIZE(kCertFiles);
   for (size_t i = 0; i < num_cert_files_; i++) {
-    grpc_error_handle error =
-        grpc_load_file(kCertFiles[i], 1, &valid_bundle_slice);
-    if (error.ok()) {
-      return valid_bundle_slice;
-    }
+    auto slice = LoadFile(kCertFiles[i], /*add_null_terminator=*/true);
+    if (slice.ok()) return slice->TakeCSlice();
   }
   return grpc_empty_slice();
 }

data/src/core/lib/security/security_connector/local/local_security_connector.cc

@@ -37,7 +37,7 @@
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 
-#include "src/core/ext/filters/client_channel/client_channel.h"
+#include "src/core/client_channel/client_channel_filter.h"
 #include "src/core/lib/address_utils/parse_address.h"
 #include "src/core/lib/address_utils/sockaddr_utils.h"
 #include "src/core/lib/channel/channel_args.h"

data/src/core/lib/security/security_connector/ssl_utils.cc

@@ -44,8 +44,8 @@
 #include "src/core/lib/config/config_vars.h"
 #include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/gprpp/host_port.h"
+#include "src/core/lib/gprpp/load_file.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
-#include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/security_connector/load_system_roots.h"
 #include "src/core/tsi/ssl_transport_security.h"
@@ -566,40 +566,49 @@ const char* DefaultSslRootStore::GetPemRootCerts() {
 }
 
 grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
-  grpc_slice result = grpc_empty_slice();
+  Slice result;
   // First try to load the roots from the configuration.
-  auto default_root_certs_path = ConfigVars::Get().DefaultSslRootsFilePath();
+  std::string default_root_certs_path =
+      ConfigVars::Get().DefaultSslRootsFilePath();
   if (!default_root_certs_path.empty()) {
-    GRPC_LOG_IF_ERROR(
-        "load_file",
-        grpc_load_file(std::string(default_root_certs_path).c_str(), 1,
-                       &result));
+    auto slice =
+        LoadFile(default_root_certs_path, /*add_null_terminator=*/true);
+    if (!slice.ok()) {
+      gpr_log(GPR_ERROR, "error loading file %s: %s",
+              default_root_certs_path.c_str(),
+              slice.status().ToString().c_str());
+    } else {
+      result = std::move(*slice);
+    }
   }
   // Try overridden roots if needed.
   grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL;
-  if (GRPC_SLICE_IS_EMPTY(result) && ssl_roots_override_cb != nullptr) {
+  if (result.empty() && ssl_roots_override_cb != nullptr) {
     char* pem_root_certs = nullptr;
     ovrd_res = ssl_roots_override_cb(&pem_root_certs);
     if (ovrd_res == GRPC_SSL_ROOTS_OVERRIDE_OK) {
       GPR_ASSERT(pem_root_certs != nullptr);
-      result = grpc_slice_from_copied_buffer(
+      result = Slice::FromCopiedBuffer(
           pem_root_certs,
           strlen(pem_root_certs) + 1);  // nullptr terminator.
     }
     gpr_free(pem_root_certs);
   }
   // Try loading roots from OS trust store if flag is enabled.
-  if (GRPC_SLICE_IS_EMPTY(result) &&
-      !ConfigVars::Get().NotUseSystemSslRoots()) {
-    result = LoadSystemRootCerts();
+  if (result.empty() && !ConfigVars::Get().NotUseSystemSslRoots()) {
+    result = Slice(LoadSystemRootCerts());
   }
   // Fallback to roots manually shipped with gRPC.
-  if (GRPC_SLICE_IS_EMPTY(result) &&
-      ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) {
-    GRPC_LOG_IF_ERROR("load_file",
-                      grpc_load_file(installed_roots_path, 1, &result));
+  if (result.empty() && ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) {
+    auto slice = LoadFile(installed_roots_path, /*add_null_terminator=*/true);
+    if (!slice.ok()) {
+      gpr_log(GPR_ERROR, "error loading file %s: %s", installed_roots_path,
+              slice.status().ToString().c_str());
+    } else {
+      result = std::move(*slice);
+    }
   }
-  return result;
+  return result.TakeCSlice();
 }
 
 void DefaultSslRootStore::InitRootStore() {

data/src/core/lib/security/security_connector/tls/tls_security_connector.cc

@@ -379,7 +379,8 @@ void TlsChannelSecurityConnector::check_peer(
       grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
   GPR_ASSERT(options_->certificate_verifier() != nullptr);
   auto* pending_request = new ChannelPendingVerifierRequest(
-      Ref(), on_peer_checked, peer, target_name);
+      RefAsSubclass<TlsChannelSecurityConnector>(), on_peer_checked, peer,
+      target_name);
   {
     MutexLock lock(&verifier_request_map_mu_);
     pending_verifier_requests_.emplace(on_peer_checked, pending_request);
@@ -653,8 +654,8 @@ void TlsServerSecurityConnector::check_peer(
   *auth_context =
       grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
   if (options_->certificate_verifier() != nullptr) {
-    auto* pending_request =
-        new ServerPendingVerifierRequest(Ref(), on_peer_checked, peer);
+    auto* pending_request = new ServerPendingVerifierRequest(
+        RefAsSubclass<TlsServerSecurityConnector>(), on_peer_checked, peer);
     {
       MutexLock lock(&verifier_request_map_mu_);
       pending_verifier_requests_.emplace(on_peer_checked, pending_request);

data/src/core/lib/security/transport/auth_filters.h

@@ -62,23 +62,90 @@ class ClientAuthFilter final : public ChannelFilter {
   grpc_call_credentials::GetRequestMetadataArgs args_;
 };
 
-class ServerAuthFilter final : public ChannelFilter {
+class LegacyServerAuthFilter final : public ChannelFilter {
  public:
   static const grpc_channel_filter kFilter;
 
-  static absl::StatusOr<ServerAuthFilter> Create(const ChannelArgs& args,
-                                                 ChannelFilter::Args);
+  static absl::StatusOr<LegacyServerAuthFilter> Create(const ChannelArgs& args,
+                                                       ChannelFilter::Args);
 
   // Construct a promise for one call.
   ArenaPromise<ServerMetadataHandle> MakeCallPromise(
       CallArgs call_args, NextPromiseFactory next_promise_factory) override;
 
+ private:
+  LegacyServerAuthFilter(
+      RefCountedPtr<grpc_server_credentials> server_credentials,
+      RefCountedPtr<grpc_auth_context> auth_context);
+
+  class RunApplicationCode;
+
+  ArenaPromise<absl::StatusOr<CallArgs>> GetCallCredsMetadata(
+      CallArgs call_args);
+
+  RefCountedPtr<grpc_server_credentials> server_credentials_;
+  RefCountedPtr<grpc_auth_context> auth_context_;
+};
+
+class ServerAuthFilter final : public ImplementChannelFilter<ServerAuthFilter> {
  private:
   ServerAuthFilter(RefCountedPtr<grpc_server_credentials> server_credentials,
                    RefCountedPtr<grpc_auth_context> auth_context);
 
-  class RunApplicationCode;
+  class RunApplicationCode {
+   public:
+    RunApplicationCode(ServerAuthFilter* filter, ClientMetadata& metadata);
+
+    RunApplicationCode(const RunApplicationCode&) = delete;
+    RunApplicationCode& operator=(const RunApplicationCode&) = delete;
+    RunApplicationCode(RunApplicationCode&& other) noexcept
+        : state_(std::exchange(other.state_, nullptr)) {}
+    RunApplicationCode& operator=(RunApplicationCode&& other) noexcept {
+      state_ = std::exchange(other.state_, nullptr);
+      return *this;
+    }
+
+    Poll<absl::Status> operator()();
+
+   private:
+    // Called from application code.
+    static void OnMdProcessingDone(void* user_data,
+                                   const grpc_metadata* consumed_md,
+                                   size_t num_consumed_md,
+                                   const grpc_metadata* response_md,
+                                   size_t num_response_md,
+                                   grpc_status_code status,
+                                   const char* error_details);
+
+    struct State;
+    State* state_;
+  };
+
+ public:
+  static const grpc_channel_filter kFilter;
 
+  static absl::StatusOr<ServerAuthFilter> Create(const ChannelArgs& args,
+                                                 ChannelFilter::Args);
+
+  class Call {
+   public:
+    explicit Call(ServerAuthFilter* filter);
+    auto OnClientInitialMetadata(ClientMetadata& md, ServerAuthFilter* filter) {
+      return If(
+          filter->server_credentials_ == nullptr ||
+              filter->server_credentials_->auth_metadata_processor().process ==
+                  nullptr,
+          ImmediateOkStatus(),
+          [filter, md = &md]() { return RunApplicationCode(filter, *md); });
+    }
+    static const NoInterceptor OnServerInitialMetadata;
+    static const NoInterceptor OnClientToServerMessage;
+    static const NoInterceptor OnServerToClientMessage;
+    static const NoInterceptor OnServerTrailingMetadata;
+    static const NoInterceptor OnFinalize;
+  };
+
+ private:
   ArenaPromise<absl::StatusOr<CallArgs>> GetCallCredsMetadata(
       CallArgs call_args);
 

data/src/core/lib/security/transport/client_auth_filter.cc

@@ -216,10 +216,8 @@ absl::StatusOr<ClientAuthFilter> ClientAuthFilter::Create(
     return absl::InvalidArgumentError(
         "Auth context missing from client auth filter args");
   }
-
-  return ClientAuthFilter(
-      static_cast<grpc_channel_security_connector*>(sc)->Ref(),
-      auth_context->Ref());
+  return ClientAuthFilter(sc->RefAsSubclass<grpc_channel_security_connector>(),
+                          auth_context->Ref());
 }
 
 const grpc_channel_filter ClientAuthFilter::kFilter =