grpc 1.73.0 → 1.74.0

data/src/core/credentials/call/gcp_service_account_identity/gcp_service_account_identity_credentials.cc

@@ -16,23 +16,16 @@
 
 #include "src/core/credentials/call/gcp_service_account_identity/gcp_service_account_identity_credentials.h"
 
-#include <grpc/support/time.h>
-
 #include "absl/functional/any_invocable.h"
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
-#include "absl/strings/escaping.h"
 #include "absl/strings/str_cat.h"
-#include "absl/strings/str_split.h"
 #include "absl/strings/string_view.h"
 #include "src/core/call/metadata.h"
+#include "src/core/credentials/call/jwt_util.h"
 #include "src/core/credentials/transport/transport_credentials.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/transport/status_conversion.h"
-#include "src/core/util/json/json.h"
-#include "src/core/util/json/json_args.h"
-#include "src/core/util/json/json_object_loader.h"
-#include "src/core/util/json/json_reader.h"
 #include "src/core/util/ref_counted_ptr.h"
 #include "src/core/util/status_helper.h"
 #include "src/core/util/uri.h"
@@ -88,51 +81,16 @@ class JwtTokenFetcherCallCredentials::HttpFetchRequest final
                                                self->response_.status)));
       return;
     }
+    // Return token object.
     absl::string_view body(self->response_.body, self->response_.body_length);
-    // Parse JWT token based on https://datatracker.ietf.org/doc/html/rfc7519.
-    // We don't do full verification here, just enough to extract the
-    // expiration time.
-    // First, split the 3 '.'-delimited parts.
-    std::vector<absl::string_view> parts = absl::StrSplit(body, '.');
-    if (parts.size() != 3) {
-      self->on_done_(absl::UnauthenticatedError("error parsing JWT token"));
-      return;
-    }
-    // Base64-decode the payload.
-    std::string payload;
-    if (!absl::WebSafeBase64Unescape(parts[1], &payload)) {
-      self->on_done_(absl::UnauthenticatedError("error parsing JWT token"));
-      return;
-    }
-    // Parse as JSON.
-    auto json = JsonParse(payload);
-    if (!json.ok()) {
-      self->on_done_(absl::UnauthenticatedError("error parsing JWT token"));
+    auto expiration_time = GetJwtExpirationTime(body);
+    if (!expiration_time.ok()) {
+      self->on_done_(expiration_time.status());
       return;
     }
-    // Extract "exp" field.
-    struct ParsedPayload {
-      uint64_t exp = 0;
-
-      static const JsonLoaderInterface* JsonLoader(const JsonArgs&) {
-        static const auto kJsonLoader = JsonObjectLoader<ParsedPayload>()
-                                            .Field("exp", &ParsedPayload::exp)
-                                            .Finish();
-        return kJsonLoader;
-      }
-    };
-    auto parsed_payload = LoadFromJson<ParsedPayload>(*json, JsonArgs(), "");
-    if (!parsed_payload.ok()) {
-      self->on_done_(absl::UnauthenticatedError("error parsing JWT token"));
-      return;
-    }
-    gpr_timespec ts = gpr_time_0(GPR_CLOCK_REALTIME);
-    ts.tv_sec = parsed_payload->exp;
-    Timestamp expiration_time = Timestamp::FromTimespecRoundDown(ts);
-    // Return token object.
     self->on_done_(MakeRefCounted<Token>(
         Slice::FromCopiedString(absl::StrCat("Bearer ", body)),
-        expiration_time));
+        *expiration_time));
   }
 
   OrphanablePtr<HttpRequest> http_request_;

data/src/core/credentials/call/jwt_token_file/jwt_token_file_call_credentials.cc

@@ -0,0 +1,86 @@
+//
+// Copyright 2025 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#include "src/core/credentials/call/jwt_token_file/jwt_token_file_call_credentials.h"
+
+#include "absl/status/status.h"
+#include "absl/strings/str_cat.h"
+#include "src/core/credentials/call/jwt_util.h"
+#include "src/core/util/load_file.h"
+
+namespace grpc_core {
+
+class JwtTokenFileCallCredentials::FileReader final
+    : public TokenFetcherCredentials::FetchRequest {
+ public:
+  FileReader(JwtTokenFileCallCredentials* creds,
+             absl::AnyInvocable<void(
+                 absl::StatusOr<RefCountedPtr<TokenFetcherCredentials::Token>>)>
+                 on_done)
+      : creds_(creds), on_done_(std::move(on_done)) {
+    creds->event_engine().Run([self = RefAsSubclass<FileReader>()]() {
+      ExecCtx exec_ctx;
+      self->ReadFile();
+    });
+  }
+
+  void Orphan() override {
+    // Can't really do anything to cancel in this case.
+    Unref();
+  }
+
+ private:
+  void ReadFile() {
+    auto contents = LoadFile(creds_->path_, /*add_null_terminator=*/false);
+    if (!contents.ok()) {
+      on_done_(absl::UnavailableError(contents.status().message()));
+      return;
+    }
+    absl::string_view body = contents->as_string_view();
+    auto expiration_time = GetJwtExpirationTime(body);
+    if (!expiration_time.ok()) {
+      on_done_(expiration_time.status());
+      return;
+    }
+    on_done_(MakeRefCounted<Token>(
+        Slice::FromCopiedString(absl::StrCat("Bearer ", body)),
+        *expiration_time));
+  }
+
+  JwtTokenFileCallCredentials* creds_;
+  absl::AnyInvocable<void(
+      absl::StatusOr<RefCountedPtr<TokenFetcherCredentials::Token>>)>
+      on_done_;
+};
+
+std::string JwtTokenFileCallCredentials::debug_string() {
+  return absl::StrCat("JwtTokenFileCallCredentials(", path_, ")");
+}
+
+UniqueTypeName JwtTokenFileCallCredentials::Type() {
+  return GRPC_UNIQUE_TYPE_NAME_HERE("JwtTokenFile");
+}
+
+OrphanablePtr<TokenFetcherCredentials::FetchRequest>
+JwtTokenFileCallCredentials::FetchToken(
+    Timestamp /*deadline*/,
+    absl::AnyInvocable<
+        void(absl::StatusOr<RefCountedPtr<TokenFetcherCredentials::Token>>)>
+        on_done) {
+  return MakeOrphanable<FileReader>(this, std::move(on_done));
+}
+
+}  // namespace grpc_core

data/src/core/credentials/call/jwt_token_file/jwt_token_file_call_credentials.h

@@ -0,0 +1,74 @@
+//
+// Copyright 2025 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPC_SRC_CORE_CREDENTIALS_CALL_JWT_TOKEN_FILE_JWT_TOKEN_FILE_CALL_CREDENTIALS_H
+#define GRPC_SRC_CORE_CREDENTIALS_CALL_JWT_TOKEN_FILE_JWT_TOKEN_FILE_CALL_CREDENTIALS_H
+
+#include <grpc/credentials.h>
+#include <grpc/grpc_security.h>
+
+#include <string>
+
+#include "absl/functional/any_invocable.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "src/core/credentials/call/call_credentials.h"
+#include "src/core/credentials/call/token_fetcher/token_fetcher_credentials.h"
+#include "src/core/util/orphanable.h"
+#include "src/core/util/ref_counted_ptr.h"
+#include "src/core/util/time.h"
+#include "src/core/util/unique_type_name.h"
+
+namespace grpc_core {
+
+// JWT token file call credentials.
+// See gRFC A97 (https://github.com/grpc/proposal/pull/492).
+class JwtTokenFileCallCredentials : public TokenFetcherCredentials {
+ public:
+  explicit JwtTokenFileCallCredentials(
+      absl::string_view path,
+      std::shared_ptr<grpc_event_engine::experimental::EventEngine>
+          event_engine = nullptr)
+      : TokenFetcherCredentials(std::move(event_engine)), path_(path) {}
+
+  std::string debug_string() override;
+
+  static UniqueTypeName Type();
+
+  UniqueTypeName type() const override { return Type(); }
+
+  absl::string_view path() const { return path_; }
+
+ private:
+  class FileReader;
+
+  OrphanablePtr<FetchRequest> FetchToken(
+      Timestamp /*deadline*/,
+      absl::AnyInvocable<
+          void(absl::StatusOr<RefCountedPtr<TokenFetcherCredentials::Token>>)>
+          on_done) final;
+
+  int cmp_impl(const grpc_call_credentials* other) const override {
+    // TODO(yashykt): Check if we can do something better here
+    return QsortCompare(static_cast<const grpc_call_credentials*>(this), other);
+  }
+
+  std::string path_;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_CREDENTIALS_CALL_JWT_TOKEN_FILE_JWT_TOKEN_FILE_CALL_CREDENTIALS_H

data/src/core/credentials/call/jwt_util.cc

@@ -0,0 +1,70 @@
+//
+// Copyright 2025 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#include "src/core/credentials/call/jwt_util.h"
+
+#include <grpc/support/time.h>
+
+#include <string>
+#include <vector>
+
+#include "absl/status/status.h"
+#include "absl/strings/escaping.h"
+#include "absl/strings/str_split.h"
+#include "src/core/util/json/json.h"
+#include "src/core/util/json/json_args.h"
+#include "src/core/util/json/json_object_loader.h"
+#include "src/core/util/json/json_reader.h"
+
+namespace grpc_core {
+
+absl::StatusOr<Timestamp> GetJwtExpirationTime(absl::string_view jwt) {
+  // First, split the 3 '.'-delimited parts.
+  std::vector<absl::string_view> parts = absl::StrSplit(jwt, '.');
+  if (parts.size() != 3) {
+    return absl::UnauthenticatedError("error parsing JWT token");
+  }
+  // Base64-decode the payload.
+  std::string payload;
+  if (!absl::WebSafeBase64Unescape(parts[1], &payload)) {
+    return absl::UnauthenticatedError("error parsing JWT token");
+  }
+  // Parse as JSON.
+  auto json = JsonParse(payload);
+  if (!json.ok()) {
+    return absl::UnauthenticatedError("error parsing JWT token");
+  }
+  // Extract "exp" field.
+  struct ParsedPayload {
+    uint64_t exp = 0;
+
+    static const JsonLoaderInterface* JsonLoader(const JsonArgs&) {
+      static const auto kJsonLoader = JsonObjectLoader<ParsedPayload>()
+                                          .Field("exp", &ParsedPayload::exp)
+                                          .Finish();
+      return kJsonLoader;
+    }
+  };
+  auto parsed_payload = LoadFromJson<ParsedPayload>(*json, JsonArgs(), "");
+  if (!parsed_payload.ok()) {
+    return absl::UnauthenticatedError("error parsing JWT token");
+  }
+  gpr_timespec ts = gpr_time_0(GPR_CLOCK_REALTIME);
+  ts.tv_sec = parsed_payload->exp;
+  return Timestamp::FromTimespecRoundDown(ts);
+}
+
+}  // namespace grpc_core

data/src/core/credentials/call/jwt_util.h

@@ -0,0 +1,32 @@
+//
+// Copyright 2025 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPC_SRC_CORE_CREDENTIALS_CALL_JWT_UTIL_H
+#define GRPC_SRC_CORE_CREDENTIALS_CALL_JWT_UTIL_H
+
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "src/core/util/time.h"
+
+namespace grpc_core {
+
+// Extract the expiration time from a JWT token based on
+// https://datatracker.ietf.org/doc/html/rfc7519.
+absl::StatusOr<Timestamp> GetJwtExpirationTime(absl::string_view jwt);
+
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_CREDENTIALS_CALL_JWT_UTIL_H

data/src/core/credentials/transport/channel_creds_registry_init.cc

@@ -57,7 +57,7 @@ class GoogleDefaultChannelCredsFactory : public ChannelCredsFactory<> {
   RefCountedPtr<grpc_channel_credentials> CreateChannelCreds(
       RefCountedPtr<ChannelCredsConfig> /*config*/) const override {
     return RefCountedPtr<grpc_channel_credentials>(
-        grpc_google_default_credentials_create(nullptr));
+        grpc_google_default_credentials_create(nullptr, nullptr));
   }
 
  private:

data/src/core/credentials/transport/google_default/google_default_credentials.cc

@@ -42,6 +42,7 @@
 #include "src/core/credentials/call/jwt/json_token.h"
 #include "src/core/credentials/call/jwt/jwt_credentials.h"
 #include "src/core/credentials/call/oauth2/oauth2_credentials.h"
+#include "src/core/credentials/transport/alts/alts_security_connector.h"
 #include "src/core/credentials/transport/alts/check_gcp_environment.h"
 #include "src/core/credentials/transport/transport_credentials.h"
 #include "src/core/lib/channel/channel_args.h"
@@ -338,6 +339,65 @@ static bool metadata_server_available() {
   return static_cast<bool>(g_metadata_server_available);
 }
 
+// A grpc_call_credentials implementation that uses two
+// underlying credentials: one for TLS and one for ALTS.
+// The implementation will pick the right credentials based on the auth
+// context's GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME property.
+class GoogleDefaultCallCredentialsWrapper : public grpc_call_credentials {
+ public:
+  GoogleDefaultCallCredentialsWrapper(
+      grpc_core::RefCountedPtr<grpc_call_credentials> tls_credentials,
+      grpc_core::RefCountedPtr<grpc_call_credentials> alts_credentials)
+      : tls_credentials_(std::move(tls_credentials)),
+        alts_credentials_(std::move(alts_credentials)) {};
+
+  void Orphaned() override {
+    tls_credentials_.reset();
+    alts_credentials_.reset();
+  }
+
+  static grpc_core::UniqueTypeName Type() {
+    static grpc_core::UniqueTypeName::Factory kFactory("Dual");
+    return kFactory.Create();
+  }
+
+  grpc_core::UniqueTypeName type() const override { return Type(); }
+
+  grpc_core::ArenaPromise<absl::StatusOr<grpc_core::ClientMetadataHandle>>
+  GetRequestMetadata(grpc_core::ClientMetadataHandle initial_metadata,
+                     const GetRequestMetadataArgs* args) override {
+    bool use_alts = false;
+    if (args != nullptr) {
+      auto auth_context = args->auth_context;
+      if (auth_context != nullptr &&
+          grpc_auth_context_peer_is_authenticated(auth_context.get()) == 1) {
+        // This channel is authenticated.
+        grpc_auth_property_iterator property_it =
+            grpc_auth_context_find_properties_by_name(
+                auth_context.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME);
+        const grpc_auth_property* property =
+            grpc_auth_property_iterator_next(&property_it);
+        use_alts =
+            property != nullptr &&
+            strcmp(property->value, GRPC_ALTS_TRANSPORT_SECURITY_TYPE) == 0;
+      }
+    }
+    return (use_alts ? alts_credentials_ : tls_credentials_)
+        ->GetRequestMetadata(std::move(initial_metadata), args);
+  }
+
+ private:
+  int cmp_impl(const grpc_call_credentials* other) const override {
+    return QsortCompare(static_cast<const grpc_call_credentials*>(this), other);
+  }
+  std::string debug_string() override {
+    return "GoogleDefaultCallCredentialsWrapper";
+  }
+
+  grpc_core::RefCountedPtr<grpc_call_credentials> tls_credentials_;
+  grpc_core::RefCountedPtr<grpc_call_credentials> alts_credentials_;
+};
+
 static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
     grpc_error_handle* error) {
   grpc_core::RefCountedPtr<grpc_call_credentials> call_creds;
@@ -373,14 +433,16 @@ static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
 }
 
 grpc_channel_credentials* grpc_google_default_credentials_create(
-    grpc_call_credentials* call_credentials) {
+    grpc_call_credentials* call_creds_for_tls,
+    grpc_call_credentials* call_creds_for_alts) {
   grpc_channel_credentials* result = nullptr;
-  grpc_core::RefCountedPtr<grpc_call_credentials> call_creds(call_credentials);
+  grpc_core::RefCountedPtr<grpc_call_credentials> call_creds(
+      call_creds_for_tls);
   grpc_error_handle error;
   grpc_core::ExecCtx exec_ctx;
 
   GRPC_TRACE_LOG(api, INFO)
-      << "grpc_google_default_credentials_create(" << call_credentials << ")";
+      << "grpc_google_default_credentials_create(" << call_creds_for_tls << ")";
 
   if (call_creds == nullptr) {
     call_creds = make_default_call_creds(&error);
@@ -400,6 +462,13 @@ grpc_channel_credentials* grpc_google_default_credentials_create(
         grpc_core::MakeRefCounted<grpc_google_default_channel_credentials>(
             grpc_core::RefCountedPtr<grpc_channel_credentials>(alts_creds),
             grpc_core::RefCountedPtr<grpc_channel_credentials>(ssl_creds));
+    if (call_creds_for_alts != nullptr) {
+      grpc_core::RefCountedPtr<grpc_call_credentials> alts_call_creds(
+          call_creds_for_alts);
+      call_creds =
+          grpc_core::MakeRefCounted<GoogleDefaultCallCredentialsWrapper>(
+              std::move(call_creds), std::move(alts_call_creds));
+    }
     result = grpc_composite_channel_credentials_create(
         creds.get(), call_creds.get(), nullptr);
     CHECK_NE(result, nullptr);
@@ -412,7 +481,6 @@ grpc_channel_credentials* grpc_google_default_credentials_create(
 
 namespace grpc_core {
 namespace internal {
-
 void set_gce_tenancy_checker_for_testing(grpc_gce_tenancy_checker checker) {
   g_gce_tenancy_checker = checker;
 }

data/src/core/credentials/transport/ssl/ssl_credentials.cc

@@ -58,7 +58,6 @@ grpc_ssl_credentials::grpc_ssl_credentials(
       root_store_ = grpc_core::DefaultSslRootStore::GetRootStore();
     }
   } else {
-    config_.pem_root_certs = config_.pem_root_certs;
     root_store_ = nullptr;
   }
 

data/src/core/credentials/transport/tls/load_system_roots_supported.cc

@@ -131,6 +131,7 @@ grpc_slice CreateRootCertsBundle(const char* certs_directory) {
       } else {
         LOG(ERROR) << "failed to read file: " << roots_filenames[i].path;
       }
+      close(file_descriptor);
     }
   }
   bundle_slice = grpc_slice_new(bundle_string, bytes_read, gpr_free);

data/src/core/credentials/transport/xds/xds_credentials.cc

@@ -134,9 +134,6 @@ RefCountedPtr<grpc_channel_security_connector>
 XdsCredentials::create_security_connector(
     RefCountedPtr<grpc_call_credentials> call_creds, const char* target_name,
     ChannelArgs* args) {
-  // TODO(yashykt): This arg will no longer need to be added after b/173119596
-  // is fixed.
-  *args = args->SetIfUnset(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, target_name);
   RefCountedPtr<grpc_channel_security_connector> security_connector;
   auto xds_certificate_provider = args->GetObjectRef<XdsCertificateProvider>();
   if (xds_certificate_provider != nullptr) {

data/src/core/ext/filters/gcp_authentication/gcp_authentication_filter.cc

@@ -167,14 +167,14 @@ GcpAuthenticationFilter::Create(const ChannelArgs& args,
     return absl::InvalidArgumentError(
         "gcp_auth: xds config not found in channel args");
   }
-  // Get existing cache or create new one.
-  auto cache = filter_args.GetOrCreateState<CallCredentialsCache>(
-      filter_config->filter_instance_name, [&]() {
-        return MakeRefCounted<CallCredentialsCache>(filter_config->cache_size);
-      });
-  // Make sure size is updated, in case we're reusing a pre-existing
-  // cache but it has the wrong size.
-  cache->SetMaxSize(filter_config->cache_size);
+  // Get cache from blackboard.  This must have been populated
+  // previously by the XdsConfigSelector.
+  auto cache = filter_args.GetState<CallCredentialsCache>(
+      filter_config->filter_instance_name);
+  if (cache == nullptr) {
+    return absl::InvalidArgumentError(
+        "gcp_auth: cache object not found in filter state");
+  }
   // Instantiate filter.
   return std::unique_ptr<GcpAuthenticationFilter>(
       new GcpAuthenticationFilter(std::move(service_config), filter_config,

data/src/core/ext/filters/gcp_authentication/gcp_authentication_filter.h

@@ -42,6 +42,22 @@ namespace grpc_core {
 class GcpAuthenticationFilter
     : public ImplementChannelFilter<GcpAuthenticationFilter> {
  public:
+  class CallCredentialsCache : public Blackboard::Entry {
+   public:
+    explicit CallCredentialsCache(size_t max_size) : cache_(max_size) {}
+
+    static UniqueTypeName Type();
+
+    void SetMaxSize(size_t max_size);
+
+    RefCountedPtr<grpc_call_credentials> Get(const std::string& audience);
+
+   private:
+    Mutex mu_;
+    LruCache<std::string /*audience*/, RefCountedPtr<grpc_call_credentials>>
+        cache_ ABSL_GUARDED_BY(&mu_);
+  };
+
   static const grpc_channel_filter kFilter;
 
   static absl::string_view TypeName() { return "gcp_authentication_filter"; }
@@ -62,22 +78,6 @@ class GcpAuthenticationFilter
   };
 
  private:
-  class CallCredentialsCache : public Blackboard::Entry {
-   public:
-    explicit CallCredentialsCache(size_t max_size) : cache_(max_size) {}
-
-    static UniqueTypeName Type();
-
-    void SetMaxSize(size_t max_size);
-
-    RefCountedPtr<grpc_call_credentials> Get(const std::string& audience);
-
-   private:
-    Mutex mu_;
-    LruCache<std::string /*audience*/, RefCountedPtr<grpc_call_credentials>>
-        cache_ ABSL_GUARDED_BY(&mu_);
-  };
-
   GcpAuthenticationFilter(
       RefCountedPtr<ServiceConfig> service_config,
       const GcpAuthenticationParsedConfig::Config* filter_config,

data/src/core/ext/filters/http/client_authority_filter.cc

@@ -73,13 +73,11 @@ void RegisterClientAuthorityFilter(CoreConfiguration::Builder* builder) {
   builder->channel_init()
       ->RegisterFilter<ClientAuthorityFilter>(GRPC_CLIENT_SUBCHANNEL)
       .If(NeedsClientAuthorityFilter)
-      .Before<ClientAuthFilter>()
-      .Before<LegacyClientAuthFilter>();
+      .Before<ClientAuthFilter>();
   builder->channel_init()
       ->RegisterFilter<ClientAuthorityFilter>(GRPC_CLIENT_DIRECT_CHANNEL)
       .If(NeedsClientAuthorityFilter)
-      .Before<ClientAuthFilter>()
-      .Before<LegacyClientAuthFilter>();
+      .Before<ClientAuthFilter>();
 }
 
 }  // namespace grpc_core

data/src/core/ext/filters/http/message_compress/compression_filter.h

@@ -24,11 +24,13 @@
 #include <stddef.h>
 #include <stdint.h>
 
+#include <cstddef>
 #include <optional>
 
 #include "absl/status/statusor.h"
 #include "absl/strings/string_view.h"
 #include "src/core/call/metadata_batch.h"
+#include "src/core/channelz/property_list.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/channel/channel_fwd.h"
 #include "src/core/lib/channel/promise_based_filter.h"
@@ -91,18 +93,15 @@ class ChannelCompression {
       bool is_client, MessageHandle message, DecompressArgs args,
       CallTracerInterface* call_tracer) const;
 
-  Json::Object ToJsonObject() const {
-    Json::Object object;
-    if (max_recv_size_.has_value()) {
-      object["maxRecvSize"] = Json::FromNumber(*max_recv_size_);
-    }
-    object["defaultCompressionAlgorithm"] = Json::FromString(
-        CompressionAlgorithmAsString(default_compression_algorithm_));
-    object["enabledCompressionAlgorithms"] = Json::FromString(
-        std::string(enabled_compression_algorithms_.ToString()));
-    object["enableCompression"] = Json::FromBool(enable_compression_);
-    object["enableDecompression"] = Json::FromBool(enable_decompression_);
-    return object;
+  channelz::PropertyList ChannelzProperties() const {
+    return channelz::PropertyList()
+        .Set("max_recv_size", max_recv_size_)
+        .Set("default_compression_algorithm",
+             CompressionAlgorithmAsString(default_compression_algorithm_))
+        .Set("enabled_compression_algorithms",
+             enabled_compression_algorithms_.ToString())
+        .Set("enable_compression", enable_compression_)
+        .Set("enable_decompression", enable_decompression_);
   }
 
  private:
@@ -132,12 +131,14 @@ class ClientCompressionFilter final
 
   explicit ClientCompressionFilter(const ChannelArgs& args)
       : channelz::DataSource(args.GetObjectRef<channelz::BaseNode>()),
-        compression_engine_(args) {}
-  ~ClientCompressionFilter() override { ResetDataSource(); }
+        compression_engine_(args) {
+    SourceConstructed();
+  }
+  ~ClientCompressionFilter() override { SourceDestructing(); }
 
-  void AddData(channelz::DataSink& sink) override {
-    sink.AddAdditionalInfo("clientCompressionFilter",
-                           compression_engine_.ToJsonObject());
+  void AddData(channelz::DataSink sink) override {
+    sink.AddData("clientCompressionFilter",
+                 compression_engine_.ChannelzProperties());
   }
 
   // Construct a promise for one call.
@@ -182,12 +183,14 @@ class ServerCompressionFilter final
 
   explicit ServerCompressionFilter(const ChannelArgs& args)
       : channelz::DataSource(args.GetObjectRef<channelz::BaseNode>()),
-        compression_engine_(args) {}
-  ~ServerCompressionFilter() override { ResetDataSource(); }
+        compression_engine_(args) {
+    SourceConstructed();
+  }
+  ~ServerCompressionFilter() override { SourceDestructing(); }
 
-  void AddData(channelz::DataSink& sink) override {
-    sink.AddAdditionalInfo("serverCompressionFilter",
-                           compression_engine_.ToJsonObject());
+  void AddData(channelz::DataSink sink) override {
+    sink.AddData("serverCompressionFilter",
+                 compression_engine_.ChannelzProperties());
   }
 
   // Construct a promise for one call.