Merge pull request #835 from ctiller/credit

C++ Credentials Rework

11 files changed, 350 insertions, 186 deletions

diff --git a/src/cpp/client/channel.cc b/src/cpp/client/channel.cc
index 450cf67ac8..5380d3a232 100644
--- a/src/cpp/client/channel.cc
+++ b/src/cpp/client/channel.cc
@@ -53,43 +53,23 @@
 
 namespace grpc {
 
-Channel::Channel(const grpc::string &target, const ChannelArguments &args)
-    : target_(target) {
-  grpc_channel_args channel_args;
-  args.SetChannelArgs(&channel_args);
-  c_channel_ = grpc_channel_create(
-      target_.c_str(), channel_args.num_args > 0 ? &channel_args : nullptr);
-}
-
-Channel::Channel(const grpc::string &target,
-                 const std::unique_ptr<Credentials> &creds,
-                 const ChannelArguments &args)
-    : target_(args.GetSslTargetNameOverride().empty()
-                  ? target
-                  : args.GetSslTargetNameOverride()) {
-  grpc_channel_args channel_args;
-  args.SetChannelArgs(&channel_args);
-  grpc_credentials *c_creds = creds ? creds->GetRawCreds() : nullptr;
-  c_channel_ = grpc_secure_channel_create(
-      c_creds, target.c_str(),
-      channel_args.num_args > 0 ? &channel_args : nullptr);
-}
+Channel::Channel(const grpc::string& target, grpc_channel* channel)
+    : target_(target), c_channel_(channel) {}
 
 Channel::~Channel() { grpc_channel_destroy(c_channel_); }
 
-Call Channel::CreateCall(const RpcMethod &method, ClientContext *context,
-                         CompletionQueue *cq) {
-  auto c_call =
-      grpc_channel_create_call(
-          c_channel_, cq->cq(), method.name(),
-          context->authority().empty() ? target_.c_str()
-                                       : context->authority().c_str(),
-          context->RawDeadline());
+Call Channel::CreateCall(const RpcMethod& method, ClientContext* context,
+                         CompletionQueue* cq) {
+  auto c_call = grpc_channel_create_call(c_channel_, cq->cq(), method.name(),
+                                         context->authority().empty()
+                                             ? target_.c_str()
+                                             : context->authority().c_str(),
+                                         context->RawDeadline());
   context->set_call(c_call);
   return Call(c_call, this, cq);
 }
 
-void Channel::PerformOpsOnCall(CallOpBuffer *buf, Call *call) {
+void Channel::PerformOpsOnCall(CallOpBuffer* buf, Call* call) {
   static const size_t MAX_OPS = 8;
   size_t nops = MAX_OPS;
   grpc_op ops[MAX_OPS];
diff --git a/src/cpp/client/channel.h b/src/cpp/client/channel.h
index 63c6e2bde6..a1de3817e6 100644
--- a/src/cpp/client/channel.h
+++ b/src/cpp/client/channel.h
@@ -51,10 +51,7 @@ class StreamContextInterface;
 
 class Channel GRPC_FINAL : public ChannelInterface {
  public:
-  Channel(const grpc::string &target, const ChannelArguments &args);
-  Channel(const grpc::string &target, const std::unique_ptr<Credentials> &creds,
-          const ChannelArguments &args);
-
+  Channel(const grpc::string &target, grpc_channel *c_channel);
   ~Channel() GRPC_OVERRIDE;
 
   virtual Call CreateCall(const RpcMethod &method, ClientContext *context,
@@ -63,7 +60,7 @@ class Channel GRPC_FINAL : public ChannelInterface {
 
  private:
   const grpc::string target_;
-  grpc_channel *c_channel_;  // owned
+  grpc_channel *const c_channel_;  // owned
 };
 
 }  // namespace grpc
diff --git a/src/cpp/client/create_channel.cc b/src/cpp/client/create_channel.cc
index 583e072799..57d215d0f3 100644
--- a/src/cpp/client/create_channel.cc
+++ b/src/cpp/client/create_channel.cc
@@ -40,14 +40,10 @@
 namespace grpc {
 class ChannelArguments;
 
-std::shared_ptr<ChannelInterface> CreateChannelDeprecated(
-    const grpc::string &target, const ChannelArguments &args) {
-  return std::shared_ptr<ChannelInterface>(new Channel(target, args));
-}
-
 std::shared_ptr<ChannelInterface> CreateChannel(
     const grpc::string &target, const std::unique_ptr<Credentials> &creds,
     const ChannelArguments &args) {
-  return std::shared_ptr<ChannelInterface>(new Channel(target, creds, args));
+  return creds ? creds->CreateChannel(target, args) : 
+  	std::shared_ptr<ChannelInterface>(new Channel(target, grpc_lame_client_channel_create()));
 }
 }  // namespace grpc
diff --git a/src/cpp/client/credentials.cc b/src/cpp/client/credentials.cc
index eff0892810..e806284988 100644
--- a/src/cpp/client/credentials.cc
+++ b/src/cpp/client/credentials.cc
@@ -31,98 +31,10 @@
  *
  */
 
-#include <string>
-
-#include <grpc/grpc_security.h>
-#include <grpc/support/log.h>
-
 #include <grpc++/credentials.h>
 
 namespace grpc {
 
-Credentials::Credentials(grpc_credentials *c_creds) : creds_(c_creds) {}
-
-Credentials::~Credentials() { grpc_credentials_release(creds_); }
-grpc_credentials *Credentials::GetRawCreds() { return creds_; }
-
-std::unique_ptr<Credentials> CredentialsFactory::GoogleDefaultCredentials() {
-  grpc_credentials *c_creds = grpc_google_default_credentials_create();
-  std::unique_ptr<Credentials> cpp_creds(
-      c_creds == nullptr ? nullptr : new Credentials(c_creds));
-  return cpp_creds;
-}
-
-// Builds SSL Credentials given SSL specific options
-std::unique_ptr<Credentials> CredentialsFactory::SslCredentials(
-    const SslCredentialsOptions &options) {
-  grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {
-      options.pem_private_key.c_str(), options.pem_cert_chain.c_str()};
-
-  grpc_credentials *c_creds = grpc_ssl_credentials_create(
-      options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
-      options.pem_private_key.empty() ? nullptr : &pem_key_cert_pair);
-  std::unique_ptr<Credentials> cpp_creds(
-      c_creds == nullptr ? nullptr : new Credentials(c_creds));
-  return cpp_creds;
-}
-
-// Builds credentials for use when running in GCE
-std::unique_ptr<Credentials> CredentialsFactory::ComputeEngineCredentials() {
-  grpc_credentials *c_creds = grpc_compute_engine_credentials_create();
-  std::unique_ptr<Credentials> cpp_creds(
-      c_creds == nullptr ? nullptr : new Credentials(c_creds));
-  return cpp_creds;
-}
-
-// Builds service account credentials.
-std::unique_ptr<Credentials> CredentialsFactory::ServiceAccountCredentials(
-    const grpc::string &json_key, const grpc::string &scope,
-    std::chrono::seconds token_lifetime) {
-  gpr_timespec lifetime = gpr_time_from_seconds(
-      token_lifetime.count() > 0 ? token_lifetime.count() : 0);
-  grpc_credentials *c_creds = grpc_service_account_credentials_create(
-      json_key.c_str(), scope.c_str(), lifetime);
-  std::unique_ptr<Credentials> cpp_creds(
-      c_creds == nullptr ? nullptr : new Credentials(c_creds));
-  return cpp_creds;
-}
-
-// Builds JWT credentials.
-std::unique_ptr<Credentials> CredentialsFactory::JWTCredentials(
-    const grpc::string &json_key, std::chrono::seconds token_lifetime) {
-  gpr_timespec lifetime = gpr_time_from_seconds(
-      token_lifetime.count() > 0 ? token_lifetime.count() : 0);
-  grpc_credentials *c_creds =
-      grpc_jwt_credentials_create(json_key.c_str(), lifetime);
-  std::unique_ptr<Credentials> cpp_creds(
-      c_creds == nullptr ? nullptr : new Credentials(c_creds));
-  return cpp_creds;
-}
-
-// Builds IAM credentials.
-std::unique_ptr<Credentials> CredentialsFactory::IAMCredentials(
-    const grpc::string &authorization_token,
-    const grpc::string &authority_selector) {
-  grpc_credentials *c_creds = grpc_iam_credentials_create(
-      authorization_token.c_str(), authority_selector.c_str());
-  std::unique_ptr<Credentials> cpp_creds(
-      c_creds == nullptr ? nullptr : new Credentials(c_creds));
-  return cpp_creds;
-}
-
-// Combines two credentials objects into a composite credentials.
-std::unique_ptr<Credentials> CredentialsFactory::CompositeCredentials(
-    const std::unique_ptr<Credentials> &creds1,
-    const std::unique_ptr<Credentials> &creds2) {
-  // Note that we are not saving unique_ptrs to the two credentials
-  // passed in here. This is OK because the underlying C objects (i.e.,
-  // creds1 and creds2) into grpc_composite_credentials_create will see their
-  // refcounts incremented.
-  grpc_credentials *c_creds = grpc_composite_credentials_create(
-      creds1->GetRawCreds(), creds2->GetRawCreds());
-  std::unique_ptr<Credentials> cpp_creds(
-      c_creds == nullptr ? nullptr : new Credentials(c_creds));
-  return cpp_creds;
-}
+Credentials::~Credentials() {}
 
 }  // namespace grpc
diff --git a/src/cpp/client/insecure_credentials.cc b/src/cpp/client/insecure_credentials.cc
new file mode 100644
index 0000000000..2dcfe69591
--- /dev/null
+++ b/src/cpp/client/insecure_credentials.cc
@@ -0,0 +1,65 @@
+/*
+ *
+ * Copyright 2015, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string>
+
+#include <grpc/grpc.h>
+#include <grpc/support/log.h>
+
+#include <grpc++/channel_arguments.h>
+#include <grpc++/config.h>
+#include <grpc++/credentials.h>
+#include "src/cpp/client/channel.h"
+
+namespace grpc {
+
+namespace {
+class InsecureCredentialsImpl GRPC_FINAL : public Credentials {
+ public:
+  std::shared_ptr<grpc::ChannelInterface> CreateChannel(
+      const string& target, const grpc::ChannelArguments& args) GRPC_OVERRIDE {
+    grpc_channel_args channel_args;
+    args.SetChannelArgs(&channel_args);
+    return std::shared_ptr<ChannelInterface>(new Channel(
+        target, grpc_channel_create(target.c_str(), &channel_args)));
+  }
+
+  SecureCredentials* AsSecureCredentials() { return nullptr; }
+};
+}  // namespace
+
+std::unique_ptr<Credentials> InsecureCredentials() {
+  return std::unique_ptr<Credentials>(new InsecureCredentialsImpl());
+}
+
+}  // namespace grpc
diff --git a/src/cpp/client/secure_credentials.cc b/src/cpp/client/secure_credentials.cc
new file mode 100644
index 0000000000..5eb5c54794
--- /dev/null
+++ b/src/cpp/client/secure_credentials.cc
@@ -0,0 +1,131 @@
+/*
+ *
+ * Copyright 2015, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string>
+
+#include <grpc/grpc_security.h>
+#include <grpc/support/log.h>
+
+#include <grpc++/channel_arguments.h>
+#include <grpc++/config.h>
+#include <grpc++/credentials.h>
+#include "src/cpp/client/channel.h"
+
+namespace grpc {
+
+class SecureCredentials GRPC_FINAL : public Credentials {
+ public:
+  explicit SecureCredentials(grpc_credentials* c_creds) : c_creds_(c_creds) {}
+  ~SecureCredentials() GRPC_OVERRIDE { grpc_credentials_release(c_creds_); }
+  grpc_credentials* GetRawCreds() { return c_creds_; }
+
+  std::shared_ptr<grpc::ChannelInterface> CreateChannel(
+      const string& target, const grpc::ChannelArguments& args) GRPC_OVERRIDE {
+    grpc_channel_args channel_args;
+    args.SetChannelArgs(&channel_args);
+    return std::shared_ptr<ChannelInterface>(new Channel(
+        target,
+        grpc_secure_channel_create(c_creds_, target.c_str(), &channel_args)));
+  }
+
+  SecureCredentials* AsSecureCredentials() { return this; }
+
+ private:
+  grpc_credentials* const c_creds_;
+};
+
+namespace {
+std::unique_ptr<Credentials> WrapCredentials(grpc_credentials* creds) {
+  return creds == nullptr
+             ? nullptr
+             : std::unique_ptr<Credentials>(new SecureCredentials(creds));
+}
+}  // namespace
+
+std::unique_ptr<Credentials> GoogleDefaultCredentials() {
+  return WrapCredentials(grpc_google_default_credentials_create());
+}
+
+// Builds SSL Credentials given SSL specific options
+std::unique_ptr<Credentials> SslCredentials(
+    const SslCredentialsOptions& options) {
+  grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {
+      options.pem_private_key.c_str(), options.pem_cert_chain.c_str()};
+
+  grpc_credentials* c_creds = grpc_ssl_credentials_create(
+      options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
+      options.pem_private_key.empty() ? nullptr : &pem_key_cert_pair);
+  return WrapCredentials(c_creds);
+}
+
+// Builds credentials for use when running in GCE
+std::unique_ptr<Credentials> ComputeEngineCredentials() {
+  return WrapCredentials(grpc_compute_engine_credentials_create());
+}
+
+// Builds service account credentials.
+std::unique_ptr<Credentials> ServiceAccountCredentials(
+    const grpc::string& json_key, const grpc::string& scope,
+    std::chrono::seconds token_lifetime) {
+  gpr_timespec lifetime = gpr_time_from_seconds(
+      token_lifetime.count() > 0 ? token_lifetime.count() : 0);
+  return WrapCredentials(grpc_service_account_credentials_create(
+      json_key.c_str(), scope.c_str(), lifetime));
+}
+
+// Builds IAM credentials.
+std::unique_ptr<Credentials> IAMCredentials(
+    const grpc::string& authorization_token,
+    const grpc::string& authority_selector) {
+  return WrapCredentials(grpc_iam_credentials_create(
+      authorization_token.c_str(), authority_selector.c_str()));
+}
+
+// Combines two credentials objects into a composite credentials.
+std::unique_ptr<Credentials> CompositeCredentials(
+    const std::unique_ptr<Credentials>& creds1,
+    const std::unique_ptr<Credentials>& creds2) {
+  // Note that we are not saving unique_ptrs to the two credentials
+  // passed in here. This is OK because the underlying C objects (i.e.,
+  // creds1 and creds2) into grpc_composite_credentials_create will see their
+  // refcounts incremented.
+  SecureCredentials* s1 = creds1->AsSecureCredentials();
+  SecureCredentials* s2 = creds2->AsSecureCredentials();
+  if (s1 && s2) {
+    return WrapCredentials(grpc_composite_credentials_create(
+        s1->GetRawCreds(), s2->GetRawCreds()));
+  }
+  return nullptr;
+}
+
+}  // namespace grpc
diff --git a/src/cpp/server/insecure_server_credentials.cc b/src/cpp/server/insecure_server_credentials.cc
new file mode 100644
index 0000000000..f5e4732f73
--- /dev/null
+++ b/src/cpp/server/insecure_server_credentials.cc
@@ -0,0 +1,52 @@
+/*
+ *
+ * Copyright 2015, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <grpc/grpc_security.h>
+#include <grpc++/server_credentials.h>
+
+namespace grpc {
+namespace {
+class InsecureServerCredentialsImpl GRPC_FINAL : public ServerCredentials {
+ public:
+  int AddPortToServer(const grpc::string& addr,
+                      grpc_server* server) GRPC_OVERRIDE {
+    return grpc_server_add_http2_port(server, addr.c_str());
+  }
+};
+}  // namespace
+
+std::shared_ptr<ServerCredentials> InsecureServerCredentials() {
+  return std::shared_ptr<ServerCredentials>(new InsecureServerCredentialsImpl());
+}
+
+}  // namespace grpc
diff --git a/src/cpp/server/secure_server_credentials.cc b/src/cpp/server/secure_server_credentials.cc
new file mode 100644
index 0000000000..ff35638503
--- /dev/null
+++ b/src/cpp/server/secure_server_credentials.cc
@@ -0,0 +1,71 @@
+/*
+ *
+ * Copyright 2015, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <grpc/grpc_security.h>
+
+#include <grpc++/server_credentials.h>
+
+namespace grpc {
+
+namespace {
+class SecureServerCredentials GRPC_FINAL : public ServerCredentials {
+ public:
+  explicit SecureServerCredentials(grpc_server_credentials* creds) : creds_(creds) {}
+  ~SecureServerCredentials() GRPC_OVERRIDE {
+    grpc_server_credentials_release(creds_);
+  }
+
+  int AddPortToServer(const grpc::string& addr,
+                      grpc_server* server) GRPC_OVERRIDE {
+    return grpc_server_add_secure_http2_port(server, addr.c_str(), creds_);
+  }
+
+ private:
+  grpc_server_credentials* const creds_;
+};
+}  // namespace
+
+std::shared_ptr<ServerCredentials> SslServerCredentials(
+    const SslServerCredentialsOptions &options) {
+  std::vector<grpc_ssl_pem_key_cert_pair> pem_key_cert_pairs;
+  for (const auto &key_cert_pair : options.pem_key_cert_pairs) {
+    pem_key_cert_pairs.push_back(
+        {key_cert_pair.private_key.c_str(), key_cert_pair.cert_chain.c_str()});
+  }
+  grpc_server_credentials *c_creds = grpc_ssl_server_credentials_create(
+      options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
+      &pem_key_cert_pairs[0], pem_key_cert_pairs.size());
+  return std::shared_ptr<ServerCredentials>(new SecureServerCredentials(c_creds));
+}
+
+}  // namespace grpc
diff --git a/src/cpp/server/server.cc b/src/cpp/server/server.cc
index 2a5a7fe5eb..e69032a657 100644
--- a/src/cpp/server/server.cc
+++ b/src/cpp/server/server.cc
@@ -170,26 +170,13 @@ class Server::SyncRequest GRPC_FINAL : public CompletionQueueTag {
   grpc_completion_queue* cq_;
 };
 
-Server::Server(ThreadPoolInterface* thread_pool, bool thread_pool_owned,
-               ServerCredentials* creds)
+Server::Server(ThreadPoolInterface* thread_pool, bool thread_pool_owned)
     : started_(false),
       shutdown_(false),
       num_running_cb_(0),
+      server_(grpc_server_create(cq_.cq(), nullptr)),
       thread_pool_(thread_pool),
-      thread_pool_owned_(thread_pool_owned),
-      secure_(creds != nullptr) {
-  if (creds) {
-    server_ =
-        grpc_secure_server_create(creds->GetRawCreds(), cq_.cq(), nullptr);
-  } else {
-    server_ = grpc_server_create(cq_.cq(), nullptr);
-  }
-}
-
-Server::Server() {
-  // Should not be called.
-  GPR_ASSERT(false);
-}
+      thread_pool_owned_(thread_pool_owned) {}
 
 Server::~Server() {
   std::unique_lock<std::mutex> lock(mu_);
@@ -239,13 +226,9 @@ bool Server::RegisterAsyncService(AsynchronousService* service) {
   return true;
 }
 
-int Server::AddPort(const grpc::string& addr) {
+int Server::AddPort(const grpc::string& addr, ServerCredentials* creds) {
   GPR_ASSERT(!started_);
-  if (secure_) {
-    return grpc_server_add_secure_http2_port(server_, addr.c_str());
-  } else {
-    return grpc_server_add_http2_port(server_, addr.c_str());
-  }
+  return creds->AddPortToServer(addr, server_);
 }
 
 bool Server::Start() {
diff --git a/src/cpp/server/server_builder.cc b/src/cpp/server/server_builder.cc
index ae60f3d8b6..5de592334d 100644
--- a/src/cpp/server/server_builder.cc
+++ b/src/cpp/server/server_builder.cc
@@ -51,14 +51,10 @@ void ServerBuilder::RegisterAsyncService(AsynchronousService* service) {
   async_services_.push_back(service);
 }
 
-void ServerBuilder::AddPort(const grpc::string& addr) {
-  ports_.push_back(addr);
-}
-
-void ServerBuilder::SetCredentials(
-    const std::shared_ptr<ServerCredentials>& creds) {
-  GPR_ASSERT(!creds_);
-  creds_ = creds;
+void ServerBuilder::AddPort(const grpc::string& addr,
+                            std::shared_ptr<ServerCredentials> creds,
+                            int* selected_port) {
+  ports_.push_back(Port{addr, creds, selected_port});
 }
 
 void ServerBuilder::SetThreadPool(ThreadPoolInterface* thread_pool) {
@@ -71,14 +67,13 @@ std::unique_ptr<Server> ServerBuilder::BuildAndStart() {
     gpr_log(GPR_ERROR, "Mixing async and sync services is unsupported for now");
     return nullptr;
   }
-  if (!thread_pool_ && services_.size()) {
+  if (!thread_pool_ && !services_.empty()) {
     int cores = gpr_cpu_num_cores();
     if (!cores) cores = 4;
     thread_pool_ = new ThreadPool(cores);
     thread_pool_owned = true;
   }
-  std::unique_ptr<Server> server(
-      new Server(thread_pool_, thread_pool_owned, creds_.get()));
+  std::unique_ptr<Server> server(new Server(thread_pool_, thread_pool_owned));
   for (auto* service : services_) {
     if (!server->RegisterService(service)) {
       return nullptr;
@@ -90,8 +85,10 @@ std::unique_ptr<Server> ServerBuilder::BuildAndStart() {
     }
   }
   for (auto& port : ports_) {
-    if (!server->AddPort(port)) {
-      return nullptr;
+    int r = server->AddPort(port.addr, port.creds.get());
+    if (!r) return nullptr;
+    if (port.selected_port != nullptr) {
+      *port.selected_port = r;
     }
   }
   if (!server->Start()) {
diff --git a/src/cpp/server/server_credentials.cc b/src/cpp/server/server_credentials.cc
index 69ad000ccc..6bdb465baa 100644
--- a/src/cpp/server/server_credentials.cc
+++ b/src/cpp/server/server_credentials.cc
@@ -37,26 +37,6 @@
 
 namespace grpc {
 
-ServerCredentials::ServerCredentials(grpc_server_credentials *c_creds)
-    : creds_(c_creds) {}
-
-ServerCredentials::~ServerCredentials() {
-  grpc_server_credentials_release(creds_);
-}
-
-grpc_server_credentials *ServerCredentials::GetRawCreds() { return creds_; }
-
-std::shared_ptr<ServerCredentials> ServerCredentialsFactory::SslCredentials(
-    const SslServerCredentialsOptions &options) {
-  std::vector<grpc_ssl_pem_key_cert_pair> pem_key_cert_pairs;
-  for (const auto &key_cert_pair : options.pem_key_cert_pairs) {
-    pem_key_cert_pairs.push_back(
-        {key_cert_pair.private_key.c_str(), key_cert_pair.cert_chain.c_str()});
-  }
-  grpc_server_credentials *c_creds = grpc_ssl_server_credentials_create(
-      options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
-      &pem_key_cert_pairs[0], pem_key_cert_pairs.size());
-  return std::shared_ptr<ServerCredentials>(new ServerCredentials(c_creds));
-}
+ServerCredentials::~ServerCredentials() {}
 
 }  // namespace grpc