author | Soheil Hassas Yeganeh <soheil@google.com> | 2018-12-13 13:06:09 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-12-13 13:06:09 -0500 |
commit | 3c3436d2b4530580c2b95d897a3614fb1d430518 (patch) | |
tree | ff962dfb24c435b1ffbb6db74f288774952d2296 /src/core/ext | |
parent | 3a97adc7a493b584c423a782f7a3a0860863d429 (diff) | |
parent | 9decf48632e2106a56515e67c4147e1a6506b47d (diff) |
Merge pull request #17291 from soheilhy/worktree-security-cpp
Move security credentials, connectors, and auth context to C++
Diffstat (limited to 'src/core/ext')
4 files changed, 22 insertions, 34 deletions
diff --git a/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc b/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc index 6e8fbdcab7..657ff69312 100644 --- a/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +++ b/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc @@ -88,22 +88,18 @@ grpc_channel_args* grpc_lb_policy_grpclb_modify_lb_channel_args( // bearer token credentials. grpc_channel_credentials* channel_credentials = grpc_channel_credentials_find_in_args(args); - grpc_channel_credentials* creds_sans_call_creds = nullptr; + grpc_core::RefCountedPtr<grpc_channel_credentials> creds_sans_call_creds; if (channel_credentials != nullptr) { creds_sans_call_creds = - grpc_channel_credentials_duplicate_without_call_credentials( - channel_credentials); + channel_credentials->duplicate_without_call_credentials(); GPR_ASSERT(creds_sans_call_creds != nullptr); args_to_remove[num_args_to_remove++] = GRPC_ARG_CHANNEL_CREDENTIALS; args_to_add[num_args_to_add++] = - grpc_channel_credentials_to_arg(creds_sans_call_creds); + grpc_channel_credentials_to_arg(creds_sans_call_creds.get()); } grpc_channel_args* result = grpc_channel_args_copy_and_add_and_remove( args, args_to_remove, num_args_to_remove, args_to_add, num_args_to_add); // Clean up. grpc_channel_args_destroy(args); - if (creds_sans_call_creds != nullptr) { - grpc_channel_credentials_unref(creds_sans_call_creds); - } return result; } diff --git a/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_secure.cc b/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_secure.cc index 9a11f8e39f..55c646e6ee 100644 --- a/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_secure.cc +++ b/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_secure.cc 
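Review bot: `grpc_channel_credentials_to_arg(creds_sans_call_creds.get())` puts a raw pointer into `args_to_add`, while the owning `RefCountedPtr` now drops its reference automatically when the function returns, so the stripped credentials stay alive only if `grpc_channel_args_copy_and_add_and_remove` takes its own reference when it copies the arg. That copy behaviour is not visible in this hunk; the old explicit unref after the copy presumably relied on it too, but nothing in the new code says so. Since this is the object that keeps call credentials (the bearer tokens the comment mentions) off the LB channel, I would add a comment above the `.get()` call, for example `// Raw pointer only; the args copy below must take its own ref before creds_sans_call_creds is released.` The same applies to the identical change in `xds_channel_secure.cc`, and in both files the function starts outside the hunk.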
@@ -87,22 +87,18 @@ grpc_channel_args* grpc_lb_policy_xds_modify_lb_channel_args( // bearer token credentials. grpc_channel_credentials* channel_credentials = grpc_channel_credentials_find_in_args(args); - grpc_channel_credentials* creds_sans_call_creds = nullptr; + grpc_core::RefCountedPtr<grpc_channel_credentials> creds_sans_call_creds; if (channel_credentials != nullptr) { creds_sans_call_creds = - grpc_channel_credentials_duplicate_without_call_credentials( - channel_credentials); + channel_credentials->duplicate_without_call_credentials(); GPR_ASSERT(creds_sans_call_creds != nullptr); args_to_remove[num_args_to_remove++] = GRPC_ARG_CHANNEL_CREDENTIALS; args_to_add[num_args_to_add++] = - grpc_channel_credentials_to_arg(creds_sans_call_creds); + grpc_channel_credentials_to_arg(creds_sans_call_creds.get()); } grpc_channel_args* result = grpc_channel_args_copy_and_add_and_remove( args, args_to_remove, num_args_to_remove, args_to_add, num_args_to_add); // Clean up. grpc_channel_args_destroy(args); - if (creds_sans_call_creds != nullptr) { - grpc_channel_credentials_unref(creds_sans_call_creds); - } return result; } diff --git a/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc b/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc index e73eee4353..9612698e96 100644 --- a/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +++ b/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc 
@@ -110,14 +110,14 @@ static grpc_subchannel_args* get_secure_naming_subchannel_args( grpc_channel_args* args_with_authority = grpc_channel_args_copy_and_add(args->args, args_to_add, num_args_to_add); grpc_uri_destroy(server_uri); - grpc_channel_security_connector* subchannel_security_connector = nullptr; // Create the security connector using the credentials and target name. grpc_channel_args* new_args_from_connector = nullptr; - const grpc_security_status security_status = - grpc_channel_credentials_create_security_connector( - channel_credentials, authority.get(), args_with_authority, - &subchannel_security_connector, &new_args_from_connector); - if (security_status != GRPC_SECURITY_OK) { + grpc_core::RefCountedPtr<grpc_channel_security_connector> + subchannel_security_connector = + channel_credentials->create_security_connector( + /*call_creds=*/nullptr, authority.get(), args_with_authority, + &new_args_from_connector); + if (subchannel_security_connector == nullptr) { gpr_log(GPR_ERROR, "Failed to create secure subchannel for secure name '%s'", authority.get()); @@ -125,15 +125,14 @@ static grpc_subchannel_args* get_secure_naming_subchannel_args( return nullptr; } grpc_arg new_security_connector_arg = - grpc_security_connector_to_arg(&subchannel_security_connector->base); + grpc_security_connector_to_arg(subchannel_security_connector.get()); grpc_channel_args* new_args = grpc_channel_args_copy_and_add( new_args_from_connector != nullptr ? new_args_from_connector : args_with_authority, &new_security_connector_arg, 1); - GRPC_SECURITY_CONNECTOR_UNREF(&subchannel_security_connector->base, - "lb_channel_create"); + subchannel_security_connector.reset(DEBUG_LOCATION, "lb_channel_create"); if (new_args_from_connector != nullptr) { grpc_channel_args_destroy(new_args_from_connector); } 
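Review bot: The failure branch after `channel_credentials->create_security_connector(...)` does not touch `new_args_from_connector`, and the hunk does not show whether an implementation may fill that out-parameter before returning nullptr. If it can, the early `return nullptr` leaks the args. Either release them in that branch with `if (new_args_from_connector != nullptr) grpc_channel_args_destroy(new_args_from_connector);`, or add a comment stating the contract, e.g. `// On failure create_security_connector() leaves new_args_from_connector null.` One line of the failure branch falls between the two hunks of this file and is not visible here, so this may already be handled.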
diff --git a/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc b/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc index 6689a17da6..98fdb62070 100644 --- a/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +++ b/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc @@ -31,6 +31,7 @@ #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h" #include "src/core/lib/channel/channel_args.h" #include "src/core/lib/channel/handshaker.h" +#include "src/core/lib/gprpp/ref_counted_ptr.h" #include "src/core/lib/security/context/security_context.h" #include "src/core/lib/security/credentials/credentials.h" #include "src/core/lib/surface/api_trace.h" @@ -40,9 +41,8 @@ int grpc_server_add_secure_http2_port(grpc_server* server, const char* addr, grpc_server_credentials* creds) { grpc_core::ExecCtx exec_ctx; grpc_error* err = GRPC_ERROR_NONE; - grpc_server_security_connector* sc = nullptr; + grpc_core::RefCountedPtr<grpc_server_security_connector> sc; int port_num = 0; - grpc_security_status status; grpc_channel_args* args = nullptr; GRPC_API_TRACE( "grpc_server_add_secure_http2_port(" 
@@ -54,30 +54,27 @@ int grpc_server_add_secure_http2_port(grpc_server* server, const char* addr, "No credentials specified for secure server port (creds==NULL)"); goto done; } - status = grpc_server_credentials_create_security_connector(creds, &sc); - if (status != GRPC_SECURITY_OK) { + sc = creds->create_security_connector(); + if (sc == nullptr) { char* msg; gpr_asprintf(&msg, "Unable to create secure server with credentials of type %s.", - creds->type); - err = grpc_error_set_int(GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg), - GRPC_ERROR_INT_SECURITY_STATUS, status); + creds->type()); + err = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg); gpr_free(msg); goto done; } // Create channel args. grpc_arg args_to_add[2]; args_to_add[0] = grpc_server_credentials_to_arg(creds); - args_to_add[1] = grpc_security_connector_to_arg(&sc->base); + args_to_add[1] = grpc_security_connector_to_arg(sc.get()); args = grpc_channel_args_copy_and_add(grpc_server_get_channel_args(server), args_to_add, GPR_ARRAY_SIZE(args_to_add)); // Add server port. err = grpc_chttp2_server_add_port(server, addr, args, &port_num); done: - if (sc != nullptr) { - GRPC_SECURITY_CONNECTOR_UNREF(&sc->base, "server"); - } + sc.reset(DEBUG_LOCATION, "server"); if (err != GRPC_ERROR_NONE) { const char* msg = grpc_error_string(err); |
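Review bot: The error built when `creds->create_security_connector()` returns null no longer carries `GRPC_ERROR_INT_SECURITY_STATUS`, so the only diagnostic left for a failed secure-port setup is the credentials type string. Whether any caller read that integer is not visible here, but an operator reading the log can no longer tell why the connector could not be built. I would have each credentials implementation log its own cause before returning null, and note that at the branch with a comment such as `// Failure is reported only as nullptr; the cause is logged by the credentials implementation.` The function begins before this hunk and continues past it.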