grpc 1.64.3 → 1.65.0

data/src/core/lib/security/security_connector/load_system_roots_supported.cc

@@ -32,15 +32,16 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
+#include "absl/log/log.h"
+
 #include <grpc/support/alloc.h>
-#include <grpc/support/log.h>
 
 #include "src/core/lib/config/config_vars.h"
-#include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/gprpp/load_file.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/security/security_connector/load_system_roots.h"
 #include "src/core/lib/security/security_connector/load_system_roots_supported.h"
+#include "src/core/util/useful.h"
 
 namespace grpc_core {
 namespace {
@@ -79,8 +80,7 @@ void GetAbsoluteFilePath(const char* valid_file_dir,
     int path_len = snprintf(path_buffer, MAXPATHLEN, "%s/%s", valid_file_dir,
                             file_entry_name);
     if (path_len == 0) {
-      gpr_log(GPR_ERROR, "failed to get absolute path for file: %s",
-              file_entry_name);
+      LOG(ERROR) << "failed to get absolute path for file: " << file_entry_name;
     }
   }
 }
@@ -110,7 +110,7 @@ grpc_slice CreateRootCertsBundle(const char* certs_directory) {
     if (stat_return == -1 || !S_ISREG(dir_entry_stat.st_mode)) {
       // no subdirectories.
       if (stat_return == -1) {
-        gpr_log(GPR_ERROR, "failed to get status for file: %s", file_data.path);
+        LOG(ERROR) << "failed to get status for file: " << file_data.path;
       }
       continue;
     }
@@ -131,7 +131,7 @@ grpc_slice CreateRootCertsBundle(const char* certs_directory) {
       if (read_ret != -1) {
         bytes_read += read_ret;
       } else {
-        gpr_log(GPR_ERROR, "failed to read file: %s", roots_filenames[i].path);
+        LOG(ERROR) << "failed to read file: " << roots_filenames[i].path;
       }
     }
   }

data/src/core/lib/security/security_connector/load_system_roots_windows.cc

@@ -32,9 +32,9 @@
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 
-#include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/security/security_connector/load_system_roots.h"
 #include "src/core/lib/slice/slice_internal.h"
+#include "src/core/util/useful.h"
 
 namespace grpc_core {
 namespace {

data/src/core/lib/security/security_connector/local/local_security_connector.cc

@@ -24,6 +24,7 @@
 #include <utility>
 
 #include "absl/log/check.h"
+#include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
 #include "absl/strings/match.h"
@@ -33,7 +34,6 @@
 #include <grpc/grpc.h>
 #include <grpc/grpc_security_constants.h>
 #include <grpc/support/alloc.h>
-#include <grpc/support/log.h>
 #include <grpc/support/port_platform.h>
 #include <grpc/support/string_util.h>
 
@@ -99,8 +99,7 @@ void local_check_peer(tsi_peer peer, grpc_endpoint* ep,
   absl::string_view local_addr = grpc_endpoint_get_local_address(ep);
   absl::StatusOr<grpc_core::URI> uri = grpc_core::URI::Parse(local_addr);
   if (!uri.ok() || !grpc_parse_uri(*uri, &resolved_addr)) {
-    gpr_log(GPR_ERROR, "Could not parse endpoint address: %s",
-            std::string(local_addr.data(), local_addr.size()).c_str());
+    LOG(ERROR) << "Could not parse endpoint address: " << local_addr;
   } else {
     grpc_resolved_address addr_normalized;
     grpc_resolved_address* addr =
@@ -269,9 +268,8 @@ grpc_local_channel_security_connector_create(
     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
     const grpc_core::ChannelArgs& args, const char* target_name) {
   if (channel_creds == nullptr || target_name == nullptr) {
-    gpr_log(
-        GPR_ERROR,
-        "Invalid arguments to grpc_local_channel_security_connector_create()");
+    LOG(ERROR) << "Invalid arguments to "
+                  "grpc_local_channel_security_connector_create()";
     return nullptr;
   }
   // Perform sanity check on UDS address. For TCP local connection, the check
@@ -283,9 +281,8 @@ grpc_local_channel_security_connector_create(
   if (creds->connect_type() == UDS &&
       !absl::StartsWith(server_uri_str, GRPC_UDS_URI_PATTERN) &&
       !absl::StartsWith(server_uri_str, GRPC_ABSTRACT_UDS_URI_PATTERN)) {
-    gpr_log(GPR_ERROR,
-            "Invalid UDS target name to "
-            "grpc_local_channel_security_connector_create()");
+    LOG(ERROR) << "Invalid UDS target name to "
+                  "grpc_local_channel_security_connector_create()";
     return nullptr;
   }
   return grpc_core::MakeRefCounted<grpc_local_channel_security_connector>(
@@ -296,9 +293,8 @@ grpc_core::RefCountedPtr<grpc_server_security_connector>
 grpc_local_server_security_connector_create(
     grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
   if (server_creds == nullptr) {
-    gpr_log(
-        GPR_ERROR,
-        "Invalid arguments to grpc_local_server_security_connector_create()");
+    LOG(ERROR)
+        << "Invalid arguments to grpc_local_server_security_connector_create()";
     return nullptr;
   }
   return grpc_core::MakeRefCounted<grpc_local_server_security_connector>(

data/src/core/lib/security/security_connector/security_connector.cc

@@ -28,12 +28,9 @@
 #include <grpc/support/port_platform.h>
 
 #include "src/core/lib/channel/channel_args.h"
-#include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/gprpp/debug_location.h"
 #include "src/core/lib/security/credentials/credentials.h"
-
-grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount(
-    false, "security_connector_refcount");
+#include "src/core/util/useful.h"
 
 grpc_channel_security_connector::grpc_channel_security_connector(
     absl::string_view url_scheme,

data/src/core/lib/security/security_connector/security_connector.h

@@ -42,8 +42,6 @@
 #include "src/core/lib/promise/arena_promise.h"
 #include "src/core/tsi/transport_security_interface.h"
 
-extern grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount;
-
 // --- URL schemes. ---
 
 #define GRPC_SSL_URL_SCHEME "https"
@@ -63,7 +61,7 @@ class grpc_security_connector
  public:
   explicit grpc_security_connector(absl::string_view url_scheme)
       : grpc_core::RefCounted<grpc_security_connector>(
-            GRPC_TRACE_FLAG_ENABLED(grpc_trace_security_connector_refcount)
+            GRPC_TRACE_FLAG_ENABLED(security_connector_refcount)
                 ? "security_connector_refcount"
                 : nullptr),
         url_scheme_(url_scheme) {}

data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc

@@ -25,13 +25,13 @@
 #include <utility>
 
 #include "absl/log/check.h"
+#include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_format.h"
 #include "absl/strings/string_view.h"
 
 #include <grpc/support/alloc.h>
-#include <grpc/support/log.h>
 #include <grpc/support/port_platform.h>
 
 #include "src/core/handshaker/handshaker.h"
@@ -112,8 +112,8 @@ class grpc_ssl_channel_security_connector final
         /*network_bio_buf_size=*/0,
         /*ssl_bio_buf_size=*/0, &tsi_hs);
     if (result != TSI_OK) {
-      gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
-              tsi_result_to_string(result));
+      LOG(ERROR) << "Handshaker creation failed with error "
+                 << tsi_result_to_string(result);
       return;
     }
     // Create handshakers.
@@ -204,8 +204,7 @@ class grpc_ssl_server_security_connector
     if (has_cert_config_fetcher()) {
       // Load initial credentials from certificate_config_fetcher:
       if (!try_fetch_ssl_server_credentials()) {
-        gpr_log(GPR_ERROR,
-                "Failed loading SSL server credentials from fetcher.");
+        LOG(ERROR) << "Failed loading SSL server credentials from fetcher.";
         return GRPC_SECURITY_ERROR;
       }
     } else {
@@ -236,8 +235,8 @@ class grpc_ssl_server_security_connector
               &options, &server_handshaker_factory_);
       gpr_free(alpn_protocol_strings);
       if (result != TSI_OK) {
-        gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
-                tsi_result_to_string(result));
+        LOG(ERROR) << "Handshaker factory creation failed with "
+                   << tsi_result_to_string(result);
         return GRPC_SECURITY_ERROR;
       }
     }
@@ -254,8 +253,8 @@ class grpc_ssl_server_security_connector
         server_handshaker_factory_, /*network_bio_buf_size=*/0,
         /*ssl_bio_buf_size=*/0, &tsi_hs);
     if (result != TSI_OK) {
-      gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
-              tsi_result_to_string(result));
+      LOG(ERROR) << "Handshaker creation failed with error "
+                 << tsi_result_to_string(result);
       return;
     }
     // Create handshakers.
@@ -299,9 +298,8 @@ class grpc_ssl_server_security_connector
       status = try_replace_server_handshaker_factory(certificate_config);
     } else {
       // Log error, continue using previously-loaded credentials.
-      gpr_log(GPR_ERROR,
-              "Failed fetching new server credentials, continuing to "
-              "use previously-loaded credentials.");
+      LOG(ERROR) << "Failed fetching new server credentials, continuing to "
+                    "use previously-loaded credentials.";
       status = false;
     }
 
@@ -318,12 +316,12 @@ class grpc_ssl_server_security_connector
   bool try_replace_server_handshaker_factory(
       const grpc_ssl_server_certificate_config* config) {
     if (config == nullptr) {
-      gpr_log(GPR_ERROR,
-              "Server certificate config callback returned invalid (NULL) "
-              "config.");
+      LOG(ERROR)
+          << "Server certificate config callback returned invalid (NULL) "
+             "config.";
       return false;
     }
-    gpr_log(GPR_DEBUG, "Using new server certificate config (%p).", config);
+    VLOG(2) << "Using new server certificate config (" << config << ").";
 
     size_t num_alpn_protocols = 0;
     const char** alpn_protocol_strings =
@@ -351,8 +349,8 @@ class grpc_ssl_server_security_connector
     gpr_free(alpn_protocol_strings);
 
     if (result != TSI_OK) {
-      gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
-              tsi_result_to_string(result));
+      LOG(ERROR) << "Handshaker factory creation failed with "
+                 << tsi_result_to_string(result);
       return false;
     }
     set_server_handshaker_factory(new_handshaker_factory);
@@ -380,7 +378,7 @@ grpc_ssl_channel_security_connector_create(
     const char* overridden_target_name,
     tsi_ssl_client_handshaker_factory* client_factory) {
   if (config == nullptr || target_name == nullptr) {
-    gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
+    LOG(ERROR) << "An ssl channel needs a config and a target name.";
     return nullptr;
   }
 

data/src/core/lib/security/security_connector/ssl_utils.cc

@@ -26,6 +26,7 @@
 #include <vector>
 
 #include "absl/log/check.h"
+#include "absl/log/log.h"
 #include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_split.h"
@@ -35,7 +36,6 @@
 #include <grpc/grpc_crl_provider.h>
 #include <grpc/impl/channel_arg_names.h>
 #include <grpc/support/alloc.h>
-#include <grpc/support/log.h>
 #include <grpc/support/port_platform.h>
 #include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
@@ -43,7 +43,6 @@
 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/config/config_vars.h"
-#include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/gprpp/host_port.h"
 #include "src/core/lib/gprpp/load_file.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
@@ -51,6 +50,7 @@
 #include "src/core/lib/security/security_connector/load_system_roots.h"
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/tsi/transport_security.h"
+#include "src/core/util/useful.h"
 
 // -- Constants. --
 
@@ -123,7 +123,7 @@ tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version) {
     case grpc_tls_version::TLS1_3:
       return tsi_tls_version::TSI_TLS1_3;
     default:
-      gpr_log(GPR_INFO, "Falling back to TLS 1.2.");
+      LOG(INFO) << "Falling back to TLS 1.2.";
       return tsi_tls_version::TSI_TLS1_2;
   }
 }
@@ -180,7 +180,7 @@ absl::Status SslCheckCallHost(absl::string_view host,
     status = GRPC_SECURITY_OK;
   }
   if (status != GRPC_SECURITY_OK) {
-    gpr_log(GPR_ERROR, "call host does not match SSL server name");
+    LOG(ERROR) << "call host does not match SSL server name";
     grpc_shallow_peer_destruct(&peer);
     return absl::UnauthenticatedError(
         "call host does not match SSL server name");
@@ -232,16 +232,16 @@ static bool IsSpiffeId(absl::string_view uri) {
     return false;
   };
   if (uri.size() > 2048) {
-    gpr_log(GPR_INFO, "Invalid SPIFFE ID: ID longer than 2048 bytes.");
+    LOG(INFO) << "Invalid SPIFFE ID: ID longer than 2048 bytes.";
     return false;
   }
   std::vector<absl::string_view> splits = absl::StrSplit(uri, '/');
   if (splits.size() < 4 || splits[3].empty()) {
-    gpr_log(GPR_INFO, "Invalid SPIFFE ID: workload id is empty.");
+    LOG(INFO) << "Invalid SPIFFE ID: workload id is empty.";
     return false;
   }
   if (splits[2].size() > 255) {
-    gpr_log(GPR_INFO, "Invalid SPIFFE ID: domain longer than 255 characters.");
+    LOG(INFO) << "Invalid SPIFFE ID: domain longer than 255 characters.";
     return false;
   }
   return true;
@@ -332,7 +332,7 @@ grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
                                      GRPC_PEER_SPIFFE_ID_PROPERTY_NAME,
                                      spiffe_data, spiffe_length);
     } else {
-      gpr_log(GPR_INFO, "Invalid SPIFFE ID: multiple URI SANs.");
+      LOG(INFO) << "Invalid SPIFFE ID: multiple URI SANs.";
     }
   }
   return ctx;
@@ -419,13 +419,12 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
   const char* root_certs;
   const tsi_ssl_root_certs_store* root_store;
   if (pem_root_certs == nullptr && !skip_server_certificate_verification) {
-    gpr_log(GPR_INFO,
-            "No root certificates specified; use ones stored in system default "
-            "locations instead");
+    LOG(INFO) << "No root certificates specified; use ones stored in system "
+                 "default locations instead";
     // Use default root certificates.
     root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
     if (root_certs == nullptr) {
-      gpr_log(GPR_ERROR, "Could not get default pem root certs.");
+      LOG(ERROR) << "Could not get default pem root certs.";
       return GRPC_SECURITY_ERROR;
     }
     root_store = grpc_core::DefaultSslRootStore::GetRootStore();
@@ -458,8 +457,8 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
                                                             handshaker_factory);
   gpr_free(options.alpn_protocols);
   if (result != TSI_OK) {
-    gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
-            tsi_result_to_string(result));
+    LOG(ERROR) << "Handshaker factory creation failed with "
+               << tsi_result_to_string(result);
     return GRPC_SECURITY_ERROR;
   }
   return GRPC_SECURITY_OK;
@@ -497,8 +496,8 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
                                                             handshaker_factory);
   gpr_free(alpn_protocol_strings);
   if (result != TSI_OK) {
-    gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
-            tsi_result_to_string(result));
+    LOG(ERROR) << "Handshaker factory creation failed with "
+               << tsi_result_to_string(result);
     return GRPC_SECURITY_ERROR;
   }
   return GRPC_SECURITY_OK;
@@ -575,9 +574,8 @@ grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
     auto slice =
         LoadFile(default_root_certs_path, /*add_null_terminator=*/true);
     if (!slice.ok()) {
-      gpr_log(GPR_ERROR, "error loading file %s: %s",
-              default_root_certs_path.c_str(),
-              slice.status().ToString().c_str());
+      LOG(ERROR) << "error loading file " << default_root_certs_path << ": "
+                 << slice.status();
     } else {
       result = std::move(*slice);
     }
@@ -603,8 +601,8 @@ grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
   if (result.empty() && ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) {
     auto slice = LoadFile(installed_roots_path, /*add_null_terminator=*/true);
     if (!slice.ok()) {
-      gpr_log(GPR_ERROR, "error loading file %s: %s", installed_roots_path,
-              slice.status().ToString().c_str());
+      LOG(ERROR) << "error loading file " << installed_roots_path << ": "
+                 << slice.status();
     } else {
       result = std::move(*slice);
     }

data/src/core/lib/security/security_connector/tls/tls_security_connector.cc

@@ -26,13 +26,13 @@
 
 #include "absl/functional/bind_front.h"
 #include "absl/log/check.h"
+#include "absl/log/log.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
 
 #include <grpc/grpc.h>
 #include <grpc/grpc_security_constants.h>
 #include <grpc/support/alloc.h>
-#include <grpc/support/log.h>
 #include <grpc/support/port_platform.h>
 #include <grpc/support/string_util.h>
 
@@ -246,21 +246,18 @@ TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
     const char* target_name, const char* overridden_target_name,
     tsi_ssl_session_cache* ssl_session_cache) {
   if (channel_creds == nullptr) {
-    gpr_log(GPR_ERROR,
-            "channel_creds is nullptr in "
-            "TlsChannelSecurityConnectorCreate()");
+    LOG(ERROR) << "channel_creds is nullptr in "
+                  "TlsChannelSecurityConnectorCreate()";
     return nullptr;
   }
   if (options == nullptr) {
-    gpr_log(GPR_ERROR,
-            "options is nullptr in "
-            "TlsChannelSecurityConnectorCreate()");
+    LOG(ERROR) << "options is nullptr in "
+                  "TlsChannelSecurityConnectorCreate()";
     return nullptr;
   }
   if (target_name == nullptr) {
-    gpr_log(GPR_ERROR,
-            "target_name is nullptr in "
-            "TlsChannelSecurityConnectorCreate()");
+    LOG(ERROR) << "target_name is nullptr in "
+                  "TlsChannelSecurityConnectorCreate()";
     return nullptr;
   }
   return MakeRefCounted<TlsChannelSecurityConnector>(
@@ -354,8 +351,8 @@ void TlsChannelSecurityConnector::add_handshakers(
         /*network_bio_buf_size=*/0,
         /*ssl_bio_buf_size=*/0, &tsi_hs);
     if (result != TSI_OK) {
-      gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
-              tsi_result_to_string(result));
+      LOG(ERROR) << "Handshaker creation failed with error "
+                 << tsi_result_to_string(result);
     }
   }
   // If tsi_hs is null, this will add a failing handshaker.
@@ -400,9 +397,8 @@ void TlsChannelSecurityConnector::cancel_check_peer(
       if (it != pending_verifier_requests_.end()) {
         pending_verifier_request = it->second->request();
       } else {
-        gpr_log(GPR_INFO,
-                "TlsChannelSecurityConnector::cancel_check_peer: no "
-                "corresponding pending request found");
+        LOG(INFO) << "TlsChannelSecurityConnector::cancel_check_peer: no "
+                     "corresponding pending request found";
       }
     }
     if (pending_verifier_request != nullptr) {
@@ -452,7 +448,7 @@ void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::
   if (root_ready && identity_ready) {
     if (security_connector_->UpdateHandshakerFactoryLocked() !=
         GRPC_SECURITY_OK) {
-      gpr_log(GPR_ERROR, "Update handshaker factory failed.");
+      LOG(ERROR) << "Update handshaker factory failed.";
     }
   }
 }
@@ -462,14 +458,12 @@ void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::
 void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnError(
     grpc_error_handle root_cert_error, grpc_error_handle identity_cert_error) {
   if (!root_cert_error.ok()) {
-    gpr_log(GPR_ERROR,
-            "TlsChannelCertificateWatcher getting root_cert_error: %s",
-            StatusToString(root_cert_error).c_str());
+    LOG(ERROR) << "TlsChannelCertificateWatcher getting root_cert_error: "
+               << StatusToString(root_cert_error);
   }
   if (!identity_cert_error.ok()) {
-    gpr_log(GPR_ERROR,
-            "TlsChannelCertificateWatcher getting identity_cert_error: %s",
-            StatusToString(identity_cert_error).c_str());
+    LOG(ERROR) << "TlsChannelCertificateWatcher getting identity_cert_error: "
+               << StatusToString(identity_cert_error);
   }
 }
 
@@ -565,15 +559,13 @@ TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
     RefCountedPtr<grpc_server_credentials> server_creds,
     RefCountedPtr<grpc_tls_credentials_options> options) {
   if (server_creds == nullptr) {
-    gpr_log(GPR_ERROR,
-            "server_creds is nullptr in "
-            "TlsServerSecurityConnectorCreate()");
+    LOG(ERROR) << "server_creds is nullptr in "
+                  "TlsServerSecurityConnectorCreate()";
     return nullptr;
   }
   if (options == nullptr) {
-    gpr_log(GPR_ERROR,
-            "options is nullptr in "
-            "TlsServerSecurityConnectorCreate()");
+    LOG(ERROR) << "options is nullptr in "
+                  "TlsServerSecurityConnectorCreate()";
     return nullptr;
   }
   return MakeRefCounted<TlsServerSecurityConnector>(std::move(server_creds),
@@ -633,8 +625,8 @@ void TlsServerSecurityConnector::add_handshakers(
         server_handshaker_factory_, /*network_bio_buf_size=*/0,
         /*ssl_bio_buf_size=*/0, &tsi_hs);
     if (result != TSI_OK) {
-      gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
-              tsi_result_to_string(result));
+      LOG(ERROR) << "Handshaker creation failed with error "
+                 << tsi_result_to_string(result);
     }
   }
   // If tsi_hs is null, this will add a failing handshaker.
@@ -679,9 +671,8 @@ void TlsServerSecurityConnector::cancel_check_peer(
       if (it != pending_verifier_requests_.end()) {
         pending_verifier_request = it->second->request();
       } else {
-        gpr_log(GPR_INFO,
-                "TlsServerSecurityConnector::cancel_check_peer: no "
-                "corresponding pending request found");
+        LOG(INFO) << "TlsServerSecurityConnector::cancel_check_peer: no "
+                     "corresponding pending request found";
       }
     }
     if (pending_verifier_request != nullptr) {
@@ -721,7 +712,7 @@ void TlsServerSecurityConnector::TlsServerCertificateWatcher::
       (!root_being_watched && identity_being_watched && identity_has_value)) {
     if (security_connector_->UpdateHandshakerFactoryLocked() !=
         GRPC_SECURITY_OK) {
-      gpr_log(GPR_ERROR, "Update handshaker factory failed.");
+      LOG(ERROR) << "Update handshaker factory failed.";
     }
   }
 }
@@ -731,14 +722,12 @@ void TlsServerSecurityConnector::TlsServerCertificateWatcher::
 void TlsServerSecurityConnector::TlsServerCertificateWatcher::OnError(
     grpc_error_handle root_cert_error, grpc_error_handle identity_cert_error) {
   if (!root_cert_error.ok()) {
-    gpr_log(GPR_ERROR,
-            "TlsServerCertificateWatcher getting root_cert_error: %s",
-            StatusToString(root_cert_error).c_str());
+    LOG(ERROR) << "TlsServerCertificateWatcher getting root_cert_error: "
+               << StatusToString(root_cert_error);
   }
   if (!identity_cert_error.ok()) {
-    gpr_log(GPR_ERROR,
-            "TlsServerCertificateWatcher getting identity_cert_error: %s",
-            StatusToString(identity_cert_error).c_str());
+    LOG(ERROR) << "TlsServerCertificateWatcher getting identity_cert_error: "
+               << StatusToString(identity_cert_error);
   }
 }
 

data/src/core/lib/security/transport/auth_filters.h

@@ -115,6 +115,7 @@ class ServerAuthFilter final : public ImplementChannelFilter<ServerAuthFilter> {
     }
     static const NoInterceptor OnServerInitialMetadata;
     static const NoInterceptor OnClientToServerMessage;
+    static const NoInterceptor OnClientToServerHalfClose;
     static const NoInterceptor OnServerToClientMessage;
     static const NoInterceptor OnServerTrailingMetadata;
     static const NoInterceptor OnFinalize;

data/src/core/lib/security/transport/client_auth_filter.cc

@@ -36,7 +36,6 @@
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/channel/channel_fwd.h"
 #include "src/core/lib/channel/channel_stack.h"
-#include "src/core/lib/channel/context.h"
 #include "src/core/lib/channel/promise_based_filter.h"
 #include "src/core/lib/channel/status_util.h"
 #include "src/core/lib/gprpp/debug_location.h"
@@ -110,8 +109,7 @@ ClientAuthFilter::ClientAuthFilter(
 
 ArenaPromise<absl::StatusOr<CallArgs>> ClientAuthFilter::GetCallCredsMetadata(
     CallArgs call_args) {
-  auto* ctx = static_cast<grpc_client_security_context*>(
-      GetContext<grpc_call_context_element>()[GRPC_CONTEXT_SECURITY].value);
+  auto* ctx = GetContext<grpc_client_security_context>();
   grpc_call_credentials* channel_call_creds =
       args_.security_connector->mutable_request_metadata_creds();
   const bool call_creds_has_md = (ctx != nullptr) && (ctx->creds != nullptr);
@@ -178,17 +176,13 @@ ArenaPromise<absl::StatusOr<CallArgs>> ClientAuthFilter::GetCallCredsMetadata(
 
 ArenaPromise<ServerMetadataHandle> ClientAuthFilter::MakeCallPromise(
     CallArgs call_args, NextPromiseFactory next_promise_factory) {
-  auto* legacy_ctx = GetContext<grpc_call_context_element>();
-  if (legacy_ctx[GRPC_CONTEXT_SECURITY].value == nullptr) {
-    legacy_ctx[GRPC_CONTEXT_SECURITY].value =
-        grpc_client_security_context_create(GetContext<Arena>(),
-                                            /*creds=*/nullptr);
-    legacy_ctx[GRPC_CONTEXT_SECURITY].destroy =
-        grpc_client_security_context_destroy;
+  auto* sec_ctx = MaybeGetContext<grpc_client_security_context>();
+  if (sec_ctx == nullptr) {
+    sec_ctx = grpc_client_security_context_create(GetContext<Arena>(),
+                                                  /*creds=*/nullptr);
+    SetContext<SecurityContext>(sec_ctx);
   }
-  static_cast<grpc_client_security_context*>(
-      legacy_ctx[GRPC_CONTEXT_SECURITY].value)
-      ->auth_context = args_.auth_context;
+  sec_ctx->auth_context = args_.auth_context;
 
   auto* host =
       call_args.client_initial_metadata->get_pointer(HttpAuthorityMetadata());

data/src/core/lib/security/transport/server_auth_filter.cc

@@ -38,7 +38,6 @@
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/channel/channel_fwd.h"
 #include "src/core/lib/channel/channel_stack.h"
-#include "src/core/lib/channel/context.h"
 #include "src/core/lib/channel/promise_based_filter.h"
 #include "src/core/lib/debug/trace.h"
 #include "src/core/lib/gprpp/debug_location.h"
@@ -57,7 +56,6 @@
 #include "src/core/lib/security/transport/auth_filters.h"  // IWYU pragma: keep
 #include "src/core/lib/slice/slice.h"
 #include "src/core/lib/slice/slice_internal.h"
-#include "src/core/lib/surface/call_trace.h"
 #include "src/core/lib/transport/metadata_batch.h"
 #include "src/core/lib/transport/transport.h"
 
@@ -68,6 +66,7 @@ const grpc_channel_filter ServerAuthFilter::kFilter =
         "server-auth");
 
 const NoInterceptor ServerAuthFilter::Call::OnClientToServerMessage;
+const NoInterceptor ServerAuthFilter::Call::OnClientToServerHalfClose;
 const NoInterceptor ServerAuthFilter::Call::OnServerToClientMessage;
 const NoInterceptor ServerAuthFilter::Call::OnServerInitialMetadata;
 const NoInterceptor ServerAuthFilter::Call::OnServerTrailingMetadata;
@@ -133,7 +132,7 @@ struct ServerAuthFilter::RunApplicationCode::State {
 ServerAuthFilter::RunApplicationCode::RunApplicationCode(
     ServerAuthFilter* filter, ClientMetadata& metadata)
     : state_(GetContext<Arena>()->ManagedNew<State>(metadata)) {
-  if (grpc_call_trace.enabled()) {
+  if (GRPC_TRACE_FLAG_ENABLED(call)) {
     gpr_log(GPR_ERROR,
             "%s[server-auth]: Delegate to application: filter=%p this=%p "
             "auth_ctx=%p",
@@ -202,11 +201,7 @@ ServerAuthFilter::Call::Call(ServerAuthFilter* filter) {
       grpc_server_security_context_create(GetContext<Arena>());
   server_ctx->auth_context =
       filter->auth_context_->Ref(DEBUG_LOCATION, "server_auth_filter");
-  grpc_call_context_element& context =
-      GetContext<grpc_call_context_element>()[GRPC_CONTEXT_SECURITY];
-  if (context.value != nullptr) context.destroy(context.value);
-  context.value = server_ctx;
-  context.destroy = grpc_server_security_context_destroy;
+  SetContext<SecurityContext>(server_ctx);
 }
 
 ServerAuthFilter::ServerAuthFilter(