grpc 1.75.0.pre1 → 1.76.0.pre1

data/src/core/credentials/call/jwt/jwt_verifier.cc

@@ -45,7 +45,6 @@
 #include <grpc/support/string_util.h>
 #include <grpc/support/time.h>
 
-#include "absl/log/check.h"
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
@@ -61,6 +60,7 @@
 #include "src/core/lib/slice/slice.h"
 #include "src/core/lib/slice/slice_internal.h"
 #include "src/core/tsi/ssl_types.h"
+#include "src/core/util/grpc_check.h"
 #include "src/core/util/http_client/httpcli.h"
 #include "src/core/util/http_client/httpcli_ssl_credentials.h"
 #include "src/core/util/http_client/parser.h"
@@ -311,7 +311,7 @@ grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims* claims,
   gpr_timespec skewed_now;
   int audience_ok;
 
-  CHECK_NE(claims, nullptr);
+  GRPC_CHECK_NE(claims, nullptr);
 
   skewed_now =
       gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), grpc_jwt_verifier_clock_skew);
@@ -455,7 +455,7 @@ static EVP_PKEY* extract_pkey_from_x509(const char* x509_str) {
   EVP_PKEY* result = nullptr;
   BIO* bio = BIO_new(BIO_s_mem());
   size_t len = strlen(x509_str);
-  CHECK_LT(len, static_cast<size_t>(INT_MAX));
+  GRPC_CHECK_LT(len, static_cast<size_t>(INT_MAX));
   BIO_write(bio, x509_str, static_cast<int>(len));
   x509 = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
   if (x509 == nullptr) {
@@ -526,8 +526,8 @@ static EVP_PKEY* pkey_from_jwk(const Json& json, const char* kty) {
   BIGNUM* tmp_e = nullptr;
   Json::Object::const_iterator it;
 
-  CHECK(json.type() == Json::Type::kObject);
-  CHECK_NE(kty, nullptr);
+  GRPC_CHECK(json.type() == Json::Type::kObject);
+  GRPC_CHECK_NE(kty, nullptr);
   if (strcmp(kty, "RSA") != 0) {
     LOG(ERROR) << "Unsupported key type " << kty;
     goto end;
@@ -652,7 +652,7 @@ static int verify_jwt_signature(EVP_PKEY* key, const char* alg,
   const EVP_MD* md = evp_md_from_alg(alg);
   int result = 0;
 
-  CHECK_NE(md, nullptr);  // Checked before.
+  GRPC_CHECK_NE(md, nullptr);  // Checked before.
   if (md_ctx == nullptr) {
     LOG(ERROR) << "Could not create EVP_MD_CTX.";
     goto end;
@@ -791,7 +791,7 @@ static email_key_mapping* verifier_get_mapping(grpc_jwt_verifier* v,
 static void verifier_put_mapping(grpc_jwt_verifier* v, const char* email_domain,
                                  const char* key_url_prefix) {
   email_key_mapping* mapping = verifier_get_mapping(v, email_domain);
-  CHECK(v->num_mappings < v->allocated_mappings);
+  GRPC_CHECK(v->num_mappings < v->allocated_mappings);
   if (mapping != nullptr) {
     gpr_free(mapping->key_url_prefix);
     mapping->key_url_prefix = gpr_strdup(key_url_prefix);
@@ -800,7 +800,7 @@ static void verifier_put_mapping(grpc_jwt_verifier* v, const char* email_domain,
   v->mappings[v->num_mappings].email_domain = gpr_strdup(email_domain);
   v->mappings[v->num_mappings].key_url_prefix = gpr_strdup(key_url_prefix);
   v->num_mappings++;
-  CHECK(v->num_mappings <= v->allocated_mappings);
+  GRPC_CHECK(v->num_mappings <= v->allocated_mappings);
 }
 
 // Very non-sophisticated way to detect an email address. Should be good
@@ -812,7 +812,7 @@ const char* grpc_jwt_issuer_email_domain(const char* issuer) {
   if (*email_domain == '\0') return nullptr;
   const char* dot = strrchr(email_domain, '.');
   if (dot == nullptr || dot == email_domain) return email_domain;
-  CHECK(dot > email_domain);
+  GRPC_CHECK(dot > email_domain);
   // There may be a subdomain, we just want the domain.
   dot = static_cast<const char*>(
       gpr_memrchr(email_domain, '.', static_cast<size_t>(dot - email_domain)));
@@ -833,7 +833,8 @@ static void retrieve_key_and_verify(verifier_cb_ctx* ctx) {
   char* path;
   absl::StatusOr<grpc_core::URI> uri;
 
-  CHECK(ctx != nullptr && ctx->header != nullptr && ctx->claims != nullptr);
+  GRPC_CHECK(ctx != nullptr && ctx->header != nullptr &&
+             ctx->claims != nullptr);
   iss = ctx->claims->iss;
   if (ctx->header->kid == nullptr) {
     LOG(ERROR) << "Missing kid in jose header.";
@@ -852,7 +853,7 @@ static void retrieve_key_and_verify(verifier_cb_ctx* ctx) {
   email_domain = grpc_jwt_issuer_email_domain(iss);
   if (email_domain != nullptr) {
     email_key_mapping* mapping;
-    CHECK_NE(ctx->verifier, nullptr);
+    GRPC_CHECK_NE(ctx->verifier, nullptr);
     mapping = verifier_get_mapping(ctx->verifier, email_domain);
     if (mapping == nullptr) {
       LOG(ERROR) << "Missing mapping for issuer email.";
@@ -919,8 +920,8 @@ void grpc_jwt_verifier_verify(grpc_jwt_verifier* verifier,
   Json json;
   std::string signature_str;
 
-  CHECK(verifier != nullptr && jwt != nullptr && audience != nullptr &&
-        cb != nullptr);
+  GRPC_CHECK(verifier != nullptr && jwt != nullptr && audience != nullptr &&
+             cb != nullptr);
   dot = strchr(cur, '.');
   if (dot == nullptr) goto error;
   json = parse_json_part_from_jwt(cur, static_cast<size_t>(dot - cur));

data/src/core/credentials/call/oauth2/oauth2_credentials.cc

@@ -35,7 +35,6 @@
 #include <memory>
 #include <vector>
 
-#include "absl/log/check.h"
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/strings/numbers.h"
@@ -53,6 +52,7 @@
 #include "src/core/lib/promise/poll.h"
 #include "src/core/lib/promise/promise.h"
 #include "src/core/lib/transport/error_utils.h"
+#include "src/core/util/grpc_check.h"
 #include "src/core/util/http_client/httpcli_ssl_credentials.h"
 #include "src/core/util/json/json.h"
 #include "src/core/util/json/json_reader.h"
@@ -293,6 +293,9 @@ class grpc_compute_engine_token_fetcher_credentials
     : public grpc_core::Oauth2TokenFetcherCredentials {
  public:
   grpc_compute_engine_token_fetcher_credentials() = default;
+  explicit grpc_compute_engine_token_fetcher_credentials(
+      std::vector<grpc_core::URI::QueryParam> query_params)
+      : query_params_(std::move(query_params)) {}
   ~grpc_compute_engine_token_fetcher_credentials() override = default;
 
   std::string debug_string() override {
@@ -317,8 +320,8 @@ class grpc_compute_engine_token_fetcher_credentials
     auto uri = grpc_core::URI::Create("http", /*user_info=*/"",
                                       GRPC_COMPUTE_ENGINE_METADATA_HOST,
                                       GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH,
-                                      {} /* query params */, "" /* fragment */);
-    CHECK(uri.ok());  // params are hardcoded
+                                      query_params_, "" /* fragment */);
+    GRPC_CHECK(uri.ok());  // params are hardcoded
     auto http_request = grpc_core::HttpRequest::Get(
         std::move(*uri), /*args=*/nullptr, pollent, &request, deadline,
         on_complete, response,
@@ -327,17 +330,22 @@ class grpc_compute_engine_token_fetcher_credentials
     http_request->Start();
     return http_request;
   }
-};
 
+  std::vector<grpc_core::URI::QueryParam> query_params_;
+};
 }  // namespace
 
 grpc_call_credentials* grpc_google_compute_engine_credentials_create(
-    void* reserved) {
+    grpc_google_compute_engine_credentials_options* options) {
   GRPC_TRACE_LOG(api, INFO)
-      << "grpc_compute_engine_credentials_create(reserved=" << reserved << ")";
-  CHECK_EQ(reserved, nullptr);
+      << "grpc_compute_engine_credentials_create(options=" << options << ")";
+  std::vector<grpc_core::URI::QueryParam> query_params;
+  if (options != nullptr && options->alts_hard_bound) {
+    query_params.push_back({"transport", "alts"});
+  }
   return grpc_core::MakeRefCounted<
-             grpc_compute_engine_token_fetcher_credentials>()
+             grpc_compute_engine_token_fetcher_credentials>(
+             std::move(query_params))
       .release();
 }
 
@@ -377,7 +385,7 @@ grpc_google_refresh_token_credentials::StartHttpRequest(
                                     GRPC_GOOGLE_OAUTH2_SERVICE_HOST,
                                     GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH,
                                     {} /* query params */, "" /* fragment */);
-  CHECK(uri.ok());  // params are hardcoded
+  GRPC_CHECK(uri.ok());  // params are hardcoded
   auto http_request = grpc_core::HttpRequest::Post(
       std::move(*uri), /*args=*/nullptr, pollent, &request, deadline,
       on_complete, response, grpc_core::CreateHttpRequestSSLCredentials());
@@ -426,7 +434,7 @@ grpc_call_credentials* grpc_google_refresh_token_credentials_create(
       << "grpc_refresh_token_credentials_create(json_refresh_token="
       << create_loggable_refresh_token(&token) << ", reserved=" << reserved
       << ")";
-  CHECK_EQ(reserved, nullptr);
+  GRPC_CHECK_EQ(reserved, nullptr);
   return grpc_refresh_token_credentials_create_from_auth_refresh_token(token)
       .release();
 }
@@ -604,7 +612,7 @@ absl::StatusOr<URI> ValidateStsCredentialsOptions(
 
 grpc_call_credentials* grpc_sts_credentials_create(
     const grpc_sts_credentials_options* options, void* reserved) {
-  CHECK_EQ(reserved, nullptr);
+  GRPC_CHECK_EQ(reserved, nullptr);
   absl::StatusOr<grpc_core::URI> sts_url =
       grpc_core::ValidateStsCredentialsOptions(options);
   if (!sts_url.ok()) {
@@ -650,7 +658,7 @@ grpc_call_credentials* grpc_access_token_credentials_create(
   GRPC_TRACE_LOG(api, INFO) << "grpc_access_token_credentials_create(access_"
                                "token=<redacted>, reserved="
                             << reserved << ")";
-  CHECK_EQ(reserved, nullptr);
+  GRPC_CHECK_EQ(reserved, nullptr);
   return grpc_core::MakeRefCounted<grpc_access_token_credentials>(access_token)
       .release();
 }

data/src/core/credentials/call/plugin/plugin_credentials.cc

@@ -24,7 +24,6 @@
 #include <atomic>
 #include <memory>
 
-#include "absl/log/check.h"
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/strings/str_cat.h"
@@ -36,6 +35,7 @@
 #include "src/core/lib/slice/slice.h"
 #include "src/core/lib/slice/slice_internal.h"
 #include "src/core/lib/surface/validate_metadata.h"
+#include "src/core/util/grpc_check.h"
 
 grpc_plugin_credentials::~grpc_plugin_credentials() {
   if (plugin_.state != nullptr && plugin_.destroy != nullptr) {
@@ -196,6 +196,6 @@ grpc_call_credentials* grpc_metadata_credentials_create_from_plugin(
   GRPC_TRACE_LOG(api, INFO)
       << "grpc_metadata_credentials_create_from_plugin(reserved=" << reserved
       << ")";
-  CHECK_EQ(reserved, nullptr);
+  GRPC_CHECK_EQ(reserved, nullptr);
   return new grpc_plugin_credentials(plugin, min_security_level);
 }

data/src/core/credentials/transport/alts/alts_credentials.cc

@@ -90,8 +90,8 @@ grpc_channel_credentials* grpc_alts_credentials_create_customized(
     const grpc_alts_credentials_options* options,
     const char* handshaker_service_url, bool enable_untrusted_alts) {
   if (!enable_untrusted_alts && !grpc_alts_is_running_on_gcp()) {
-    LOG(ERROR) << "ALTS creds ignored. Not running on GCP and untrusted ALTS "
-                  "is not enabled.";
+    VLOG(1) << "ALTS creds ignored. Not running on GCP and untrusted ALTS "
+               "is not enabled.";
     return nullptr;
   }
   return new grpc_alts_credentials(options, handshaker_service_url);
@@ -101,8 +101,8 @@ grpc_server_credentials* grpc_alts_server_credentials_create_customized(
     const grpc_alts_credentials_options* options,
     const char* handshaker_service_url, bool enable_untrusted_alts) {
   if (!enable_untrusted_alts && !grpc_alts_is_running_on_gcp()) {
-    LOG(ERROR) << "ALTS server creds ignored. Not running on GCP and untrusted "
-                  "ALTS is not enabled.";
+    VLOG(1) << "ALTS server creds ignored. Not running on GCP and untrusted "
+               "ALTS is not enabled.";
     return nullptr;
   }
   return new grpc_alts_server_credentials(options, handshaker_service_url);

data/src/core/credentials/transport/alts/alts_security_connector.cc

@@ -31,7 +31,6 @@
 #include <optional>
 #include <utility>
 
-#include "absl/log/check.h"
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/strings/string_view.h"
@@ -53,6 +52,7 @@
 #include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
 #include "src/core/tsi/transport_security.h"
 #include "src/core/util/debug_location.h"
+#include "src/core/util/grpc_check.h"
 #include "src/core/util/ref_counted_ptr.h"
 
 void grpc_alts_set_rpc_protocol_versions(
@@ -102,11 +102,12 @@ class grpc_alts_channel_security_connector final
         static_cast<const grpc_alts_credentials*>(channel_creds());
     const size_t user_specified_max_frame_size =
         std::max(0, args.GetInt(GRPC_ARG_TSI_MAX_FRAME_SIZE).value_or(0));
-    CHECK(alts_tsi_handshaker_create(
-              creds->options(), target_name_, creds->handshaker_service_url(),
-              true, interested_parties, &handshaker,
-              user_specified_max_frame_size,
-              args.GetOwnedString(GRPC_ARG_TRANSPORT_PROTOCOLS)) == TSI_OK);
+    GRPC_CHECK(alts_tsi_handshaker_create(
+                   creds->options(), target_name_,
+                   creds->handshaker_service_url(), true, interested_parties,
+                   &handshaker, user_specified_max_frame_size,
+                   args.GetOwnedString(GRPC_ARG_TRANSPORT_PROTOCOLS)) ==
+               TSI_OK);
     handshake_manager->Add(
         grpc_core::SecurityHandshakerCreate(handshaker, this, args));
   }
@@ -156,10 +157,11 @@ class grpc_alts_server_security_connector final
         static_cast<const grpc_alts_server_credentials*>(server_creds());
     size_t user_specified_max_frame_size =
         std::max(0, args.GetInt(GRPC_ARG_TSI_MAX_FRAME_SIZE).value_or(0));
-    CHECK(alts_tsi_handshaker_create(
-              creds->options(), nullptr, creds->handshaker_service_url(), false,
-              interested_parties, &handshaker, user_specified_max_frame_size,
-              args.GetOwnedString(GRPC_ARG_TRANSPORT_PROTOCOLS)) == TSI_OK);
+    GRPC_CHECK(
+        alts_tsi_handshaker_create(
+            creds->options(), nullptr, creds->handshaker_service_url(), false,
+            interested_parties, &handshaker, user_specified_max_frame_size,
+            args.GetOwnedString(GRPC_ARG_TRANSPORT_PROTOCOLS)) == TSI_OK);
     handshake_manager->Add(
         grpc_core::SecurityHandshakerCreate(handshaker, this, args));
   }
@@ -250,8 +252,8 @@ RefCountedPtr<grpc_auth_context> grpc_alts_auth_context_from_tsi_peer(
       grpc_auth_context_add_property(
           ctx.get(), TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY,
           tsi_prop->value.data, tsi_prop->value.length);
-      CHECK(grpc_auth_context_set_peer_identity_property_name(
-                ctx.get(), TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY) == 1);
+      GRPC_CHECK(grpc_auth_context_set_peer_identity_property_name(
+                     ctx.get(), TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY) == 1);
     }
     // Add alts context to auth context.
     if (strcmp(tsi_prop->name, TSI_ALTS_CONTEXT) == 0) {

data/src/core/credentials/transport/alts/grpc_alts_credentials_client_options.cc

@@ -21,6 +21,10 @@
 #include <grpc/support/port_platform.h>
 #include <grpc/support/string_util.h>
 
+#include <algorithm>
+#include <memory>
+#include <optional>
+
 #include "absl/log/log.h"
 #include "src/core/credentials/transport/alts/grpc_alts_credentials_options.h"
 #include "src/core/tsi/alts/handshaker/transport_security_common_api.h"
@@ -70,8 +74,7 @@ static const grpc_alts_credentials_options_vtable vtable = {
 
 grpc_alts_credentials_options* grpc_alts_credentials_client_options_create(
     void) {
-  auto client_options = static_cast<grpc_alts_credentials_client_options*>(
-      gpr_zalloc(sizeof(grpc_alts_credentials_client_options)));
+  auto client_options = new grpc_alts_credentials_client_options();
   client_options->base.vtable = &vtable;
   return &client_options->base;
 }
@@ -101,12 +104,28 @@ static grpc_alts_credentials_options* alts_client_options_copy(
     prev = new_node;
     node = node->next;
   }
+
+  new_options->record_protocols = options->record_protocols;
+
+  new_client_options->token_fetcher =
+      reinterpret_cast<const grpc_alts_credentials_client_options*>(options)
+          ->token_fetcher;
   // Copy rpc protocol versions.
   grpc_gcp_rpc_protocol_versions_copy(&options->rpc_versions,
                                       &new_options->rpc_versions);
   return new_options;
 }
 
+void grpc_alts_credentials_client_options_set_token_fetcher(
+    grpc_alts_credentials_options* options,
+    std::shared_ptr<grpc::alts::TokenFetcher> token_fetcher) {
+  if (options == nullptr) {
+    return;
+  }
+  reinterpret_cast<grpc_alts_credentials_client_options*>(options)
+      ->token_fetcher = token_fetcher;
+}
+
 static void alts_client_options_destroy(
     grpc_alts_credentials_options* options) {
   if (options == nullptr) {
@@ -120,4 +139,5 @@ static void alts_client_options_destroy(
     target_service_account_destroy(node);
     node = next_node;
   }
+  delete client_options;
 }

data/src/core/credentials/transport/alts/grpc_alts_credentials_options.cc

@@ -40,6 +40,15 @@ void grpc_alts_credentials_options_destroy(
     if (options->vtable != nullptr && options->vtable->destruct != nullptr) {
       options->vtable->destruct(options);
     }
-    gpr_free(options);
   }
 }
+
+void grpc_alts_credentials_client_options_set_record_protocols(
+    grpc_alts_credentials_options* options,
+    const absl::Span<std::string> record_protocols) {
+  if (options == nullptr) {
+    return;
+  }
+  std::copy(record_protocols.begin(), record_protocols.end(),
+            std::back_inserter(options->record_protocols));
+}

data/src/core/credentials/transport/alts/grpc_alts_credentials_options.h

@@ -23,8 +23,29 @@
 #include <grpc/grpc_security.h>
 #include <grpc/support/port_platform.h>
 
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "absl/status/statusor.h"
 #include "src/core/tsi/alts/handshaker/transport_security_common_api.h"
 
+namespace grpc::alts {
+
+// Its implementation must be thread-safe.
+class TokenFetcher {
+ public:
+  virtual ~TokenFetcher() = default;
+
+  // Thread-safe and non-blocking. The returned token must be strongly bound.
+  // Failure to comply with this requirement will result in a serious security
+  // issue. The token must also be valid for at least 9 hours to outlive an
+  // arbitrary ALTS connection.
+  virtual absl::StatusOr<std::string> GetToken() = 0;
+};
+
+}  // namespace grpc::alts
+
 // V-table for grpc_alts_credentials_options
 typedef struct grpc_alts_credentials_options_vtable {
   grpc_alts_credentials_options* (*copy)(
@@ -35,6 +56,7 @@ typedef struct grpc_alts_credentials_options_vtable {
 struct grpc_alts_credentials_options {
   const struct grpc_alts_credentials_options_vtable* vtable;
   grpc_gcp_rpc_protocol_versions rpc_versions;
+  std::vector<std::string> record_protocols;
 };
 
 typedef struct target_service_account {
@@ -50,6 +72,7 @@ typedef struct target_service_account {
 typedef struct grpc_alts_credentials_client_options {
   grpc_alts_credentials_options base;
   target_service_account* target_account_list_head;
+  std::shared_ptr<grpc::alts::TokenFetcher> token_fetcher;
 } grpc_alts_credentials_client_options;
 
 ///
@@ -71,4 +94,12 @@ typedef struct grpc_alts_credentials_server_options {
 grpc_alts_credentials_options* grpc_alts_credentials_options_copy(
     const grpc_alts_credentials_options* options);
 
+void grpc_alts_credentials_client_options_set_token_fetcher(
+    grpc_alts_credentials_options* options,
+    std::shared_ptr<grpc::alts::TokenFetcher> token_fetcher);
+
+void grpc_alts_credentials_client_options_set_record_protocols(
+    grpc_alts_credentials_options* options,
+    const absl::Span<std::string> record_protocols);
+
 #endif  // GRPC_SRC_CORE_CREDENTIALS_TRANSPORT_ALTS_GRPC_ALTS_CREDENTIALS_OPTIONS_H

data/src/core/credentials/transport/alts/grpc_alts_credentials_server_options.cc

@@ -27,7 +27,12 @@ static grpc_alts_credentials_options* alts_server_options_copy(
     const grpc_alts_credentials_options* options);
 
 static void alts_server_options_destroy(
-    grpc_alts_credentials_options* /*options*/) {}
+    grpc_alts_credentials_options* options) {
+  if (options == nullptr) {
+    return;
+  }
+  delete reinterpret_cast<grpc_alts_credentials_server_options*>(options);
+}
 
 static const grpc_alts_credentials_options_vtable vtable = {
     alts_server_options_copy, alts_server_options_destroy};
@@ -35,8 +40,7 @@ static const grpc_alts_credentials_options_vtable vtable = {
 grpc_alts_credentials_options* grpc_alts_credentials_server_options_create(
     void) {
   grpc_alts_credentials_server_options* server_options =
-      static_cast<grpc_alts_credentials_server_options*>(
-          gpr_zalloc(sizeof(*server_options)));
+      new grpc_alts_credentials_server_options();
   server_options->base.vtable = &vtable;
   return &server_options->base;
 }
@@ -51,5 +55,6 @@ static grpc_alts_credentials_options* alts_server_options_copy(
   // Copy rpc protocol versions.
   grpc_gcp_rpc_protocol_versions_copy(&options->rpc_versions,
                                       &new_options->rpc_versions);
+  new_options->record_protocols = options->record_protocols;
   return new_options;
 }

data/src/core/credentials/transport/composite/composite_channel_credentials.cc

@@ -22,13 +22,13 @@
 #include <memory>
 #include <vector>
 
-#include "absl/log/check.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_join.h"
 #include "src/core/call/metadata_batch.h"
 #include "src/core/credentials/call/composite/composite_call_credentials.h"
 #include "src/core/lib/debug/trace.h"
 #include "src/core/lib/promise/try_seq.h"
+#include "src/core/util/grpc_check.h"
 #include "src/core/util/ref_counted_ptr.h"
 
 grpc_core::UniqueTypeName grpc_composite_channel_credentials::Type() {
@@ -40,8 +40,8 @@ grpc_core::RefCountedPtr<grpc_channel_security_connector>
 grpc_composite_channel_credentials::create_security_connector(
     grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
     const char* target, grpc_core::ChannelArgs* args) {
-  CHECK(inner_creds_ != nullptr);
-  CHECK(call_creds_ != nullptr);
+  GRPC_CHECK(inner_creds_ != nullptr);
+  GRPC_CHECK(call_creds_ != nullptr);
   // If we are passed a call_creds, create a call composite to pass it
   // downstream.
   if (call_creds != nullptr) {
@@ -57,8 +57,8 @@ grpc_composite_channel_credentials::create_security_connector(
 grpc_channel_credentials* grpc_composite_channel_credentials_create(
     grpc_channel_credentials* channel_creds, grpc_call_credentials* call_creds,
     void* reserved) {
-  CHECK(channel_creds != nullptr && call_creds != nullptr &&
-        reserved == nullptr);
+  GRPC_CHECK(channel_creds != nullptr && call_creds != nullptr &&
+             reserved == nullptr);
   GRPC_TRACE_LOG(api, INFO)
       << "grpc_composite_channel_credentials_create(channel_creds="
       << channel_creds << ", call_creds=" << call_creds

data/src/core/credentials/transport/fake/fake_security_connector.cc

@@ -30,7 +30,6 @@
 #include <string>
 #include <utility>
 
-#include "absl/log/check.h"
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/strings/str_cat.h"
@@ -54,6 +53,7 @@
 #include "src/core/tsi/transport_security_interface.h"
 #include "src/core/util/crash.h"
 #include "src/core/util/debug_location.h"
+#include "src/core/util/grpc_check.h"
 #include "src/core/util/host_port.h"
 #include "src/core/util/ref_counted_ptr.h"
 #include "src/core/util/string.h"
@@ -140,7 +140,7 @@ class grpc_fake_channel_security_connector final
 
  private:
   bool fake_check_target(const char* target, const char* set_str) const {
-    CHECK_NE(target, nullptr);
+    GRPC_CHECK_NE(target, nullptr);
     char** set = nullptr;
     size_t set_size = 0;
     gpr_string_split(set_str, ",", &set, &set_size);