diff --git a/BUILD b/BUILD
index d66485e998cf9..afff44dfd0d18 100644
--- a/BUILD
+++ b/BUILD
@@ -1763,6 +1763,7 @@ grpc_cc_library(
"//src/core:lib/security/credentials/plugin/plugin_credentials.cc",
"//src/core:lib/security/security_connector/security_connector.cc",
"//src/core:lib/security/transport/client_auth_filter.cc",
+ "//src/core:lib/security/transport/legacy_server_auth_filter.cc",
"//src/core:lib/security/transport/secure_endpoint.cc",
"//src/core:lib/security/transport/security_handshaker.cc",
"//src/core:lib/security/transport/server_auth_filter.cc",
diff --git a/CMakeLists.txt b/CMakeLists.txt
index af749535ef69b..18c766055605c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2457,6 +2457,7 @@ add_library(grpc
src/core/lib/security/security_connector/ssl_utils.cc
src/core/lib/security/security_connector/tls/tls_security_connector.cc
src/core/lib/security/transport/client_auth_filter.cc
+ src/core/lib/security/transport/legacy_server_auth_filter.cc
src/core/lib/security/transport/secure_endpoint.cc
src/core/lib/security/transport/security_handshaker.cc
src/core/lib/security/transport/server_auth_filter.cc
@@ -3149,6 +3150,7 @@ add_library(grpc_unsecure
src/core/lib/security/security_connector/load_system_roots_supported.cc
src/core/lib/security/security_connector/security_connector.cc
src/core/lib/security/transport/client_auth_filter.cc
+ src/core/lib/security/transport/legacy_server_auth_filter.cc
src/core/lib/security/transport/secure_endpoint.cc
src/core/lib/security/transport/security_handshaker.cc
src/core/lib/security/transport/server_auth_filter.cc
@@ -5137,6 +5139,7 @@ add_library(grpc_authorization_provider
src/core/lib/security/security_connector/load_system_roots_supported.cc
src/core/lib/security/security_connector/security_connector.cc
src/core/lib/security/transport/client_auth_filter.cc
+ src/core/lib/security/transport/legacy_server_auth_filter.cc
src/core/lib/security/transport/secure_endpoint.cc
src/core/lib/security/transport/security_handshaker.cc
src/core/lib/security/transport/server_auth_filter.cc
diff --git a/Makefile b/Makefile
index 5f47717caf750..d993130239412 100644
--- a/Makefile
+++ b/Makefile
@@ -1659,6 +1659,7 @@ LIBGRPC_SRC = \
src/core/lib/security/security_connector/ssl_utils.cc \
src/core/lib/security/security_connector/tls/tls_security_connector.cc \
src/core/lib/security/transport/client_auth_filter.cc \
+ src/core/lib/security/transport/legacy_server_auth_filter.cc \
src/core/lib/security/transport/secure_endpoint.cc \
src/core/lib/security/transport/security_handshaker.cc \
src/core/lib/security/transport/server_auth_filter.cc \
@@ -2201,6 +2202,7 @@ LIBGRPC_UNSECURE_SRC = \
src/core/lib/security/security_connector/load_system_roots_supported.cc \
src/core/lib/security/security_connector/security_connector.cc \
src/core/lib/security/transport/client_auth_filter.cc \
+ src/core/lib/security/transport/legacy_server_auth_filter.cc \
src/core/lib/security/transport/secure_endpoint.cc \
src/core/lib/security/transport/security_handshaker.cc \
src/core/lib/security/transport/server_auth_filter.cc \
diff --git a/Package.swift b/Package.swift
index fe0e8286502ba..e7791b2b5f685 100644
--- a/Package.swift
+++ b/Package.swift
@@ -1802,6 +1802,7 @@ let package = Package(
"src/core/lib/security/security_connector/tls/tls_security_connector.h",
"src/core/lib/security/transport/auth_filters.h",
"src/core/lib/security/transport/client_auth_filter.cc",
+ "src/core/lib/security/transport/legacy_server_auth_filter.cc",
"src/core/lib/security/transport/secure_endpoint.cc",
"src/core/lib/security/transport/secure_endpoint.h",
"src/core/lib/security/transport/security_handshaker.cc",
diff --git a/bazel/experiments.bzl b/bazel/experiments.bzl
index 1b63ca0a1b24d..29a091e12d723 100644
--- a/bazel/experiments.bzl
+++ b/bazel/experiments.bzl
@@ -52,6 +52,7 @@ EXPERIMENT_ENABLES = {
"unconstrained_max_quota_buffer_size": "unconstrained_max_quota_buffer_size",
"v3_channel_idle_filters": "v3_channel_idle_filters",
"v3_compression_filter": "v3_compression_filter",
+ "v3_server_auth_filter": "v3_server_auth_filter",
"work_serializer_clears_time_cache": "work_serializer_clears_time_cache",
"work_serializer_dispatch": "work_serializer_dispatch",
"write_size_policy": "write_size_policy",
diff --git a/build_autogenerated.yaml b/build_autogenerated.yaml
index c0a2f52c64333..a62fc967c3624 100644
--- a/build_autogenerated.yaml
+++ b/build_autogenerated.yaml
@@ -1913,6 +1913,7 @@ libs:
- src/core/lib/security/security_connector/ssl_utils.cc
- src/core/lib/security/security_connector/tls/tls_security_connector.cc
- src/core/lib/security/transport/client_auth_filter.cc
+ - src/core/lib/security/transport/legacy_server_auth_filter.cc
- src/core/lib/security/transport/secure_endpoint.cc
- src/core/lib/security/transport/security_handshaker.cc
- src/core/lib/security/transport/server_auth_filter.cc
@@ -2959,6 +2960,7 @@ libs:
- src/core/lib/security/security_connector/load_system_roots_supported.cc
- src/core/lib/security/security_connector/security_connector.cc
- src/core/lib/security/transport/client_auth_filter.cc
+ - src/core/lib/security/transport/legacy_server_auth_filter.cc
- src/core/lib/security/transport/secure_endpoint.cc
- src/core/lib/security/transport/security_handshaker.cc
- src/core/lib/security/transport/server_auth_filter.cc
@@ -5002,6 +5004,7 @@ libs:
- src/core/lib/security/security_connector/load_system_roots_supported.cc
- src/core/lib/security/security_connector/security_connector.cc
- src/core/lib/security/transport/client_auth_filter.cc
+ - src/core/lib/security/transport/legacy_server_auth_filter.cc
- src/core/lib/security/transport/secure_endpoint.cc
- src/core/lib/security/transport/security_handshaker.cc
- src/core/lib/security/transport/server_auth_filter.cc
diff --git a/config.m4 b/config.m4
index 146fbf7251c7e..ad0d6caee2855 100644
--- a/config.m4
+++ b/config.m4
@@ -791,6 +791,7 @@ if test "$PHP_GRPC" != "no"; then
src/core/lib/security/security_connector/ssl_utils.cc \
src/core/lib/security/security_connector/tls/tls_security_connector.cc \
src/core/lib/security/transport/client_auth_filter.cc \
+ src/core/lib/security/transport/legacy_server_auth_filter.cc \
src/core/lib/security/transport/secure_endpoint.cc \
src/core/lib/security/transport/security_handshaker.cc \
src/core/lib/security/transport/server_auth_filter.cc \
diff --git a/config.w32 b/config.w32
index 6fd1c3c50dd79..f18a8de275d97 100644
--- a/config.w32
+++ b/config.w32
@@ -756,6 +756,7 @@ if (PHP_GRPC != "no") {
"src\\core\\lib\\security\\security_connector\\ssl_utils.cc " +
"src\\core\\lib\\security\\security_connector\\tls\\tls_security_connector.cc " +
"src\\core\\lib\\security\\transport\\client_auth_filter.cc " +
+ "src\\core\\lib\\security\\transport\\legacy_server_auth_filter.cc " +
"src\\core\\lib\\security\\transport\\secure_endpoint.cc " +
"src\\core\\lib\\security\\transport\\security_handshaker.cc " +
"src\\core\\lib\\security\\transport\\server_auth_filter.cc " +
diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec
index f0db95cb452b5..728112f7bb57f 100644
--- a/gRPC-Core.podspec
+++ b/gRPC-Core.podspec
@@ -1901,6 +1901,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/security_connector/tls/tls_security_connector.h',
'src/core/lib/security/transport/auth_filters.h',
'src/core/lib/security/transport/client_auth_filter.cc',
+ 'src/core/lib/security/transport/legacy_server_auth_filter.cc',
'src/core/lib/security/transport/secure_endpoint.cc',
'src/core/lib/security/transport/secure_endpoint.h',
'src/core/lib/security/transport/security_handshaker.cc',
diff --git a/grpc.gemspec b/grpc.gemspec
index e72ad3b33ce02..67b0773a72181 100644
--- a/grpc.gemspec
+++ b/grpc.gemspec
@@ -1804,6 +1804,7 @@ Gem::Specification.new do |s|
s.files += %w( src/core/lib/security/security_connector/tls/tls_security_connector.h )
s.files += %w( src/core/lib/security/transport/auth_filters.h )
s.files += %w( src/core/lib/security/transport/client_auth_filter.cc )
+ s.files += %w( src/core/lib/security/transport/legacy_server_auth_filter.cc )
s.files += %w( src/core/lib/security/transport/secure_endpoint.cc )
s.files += %w( src/core/lib/security/transport/secure_endpoint.h )
s.files += %w( src/core/lib/security/transport/security_handshaker.cc )
diff --git a/grpc.gyp b/grpc.gyp
index fd09bd55d1e58..0cd7bdb032f1b 100644
--- a/grpc.gyp
+++ b/grpc.gyp
@@ -978,6 +978,7 @@
'src/core/lib/security/security_connector/ssl_utils.cc',
'src/core/lib/security/security_connector/tls/tls_security_connector.cc',
'src/core/lib/security/transport/client_auth_filter.cc',
+ 'src/core/lib/security/transport/legacy_server_auth_filter.cc',
'src/core/lib/security/transport/secure_endpoint.cc',
'src/core/lib/security/transport/security_handshaker.cc',
'src/core/lib/security/transport/server_auth_filter.cc',
@@ -1461,6 +1462,7 @@
'src/core/lib/security/security_connector/load_system_roots_supported.cc',
'src/core/lib/security/security_connector/security_connector.cc',
'src/core/lib/security/transport/client_auth_filter.cc',
+ 'src/core/lib/security/transport/legacy_server_auth_filter.cc',
'src/core/lib/security/transport/secure_endpoint.cc',
'src/core/lib/security/transport/security_handshaker.cc',
'src/core/lib/security/transport/server_auth_filter.cc',
@@ -2239,6 +2241,7 @@
'src/core/lib/security/security_connector/load_system_roots_supported.cc',
'src/core/lib/security/security_connector/security_connector.cc',
'src/core/lib/security/transport/client_auth_filter.cc',
+ 'src/core/lib/security/transport/legacy_server_auth_filter.cc',
'src/core/lib/security/transport/secure_endpoint.cc',
'src/core/lib/security/transport/security_handshaker.cc',
'src/core/lib/security/transport/server_auth_filter.cc',
diff --git a/package.xml b/package.xml
index 35e5ea371e775..54d49bdff94c4 100644
--- a/package.xml
+++ b/package.xml
@@ -1786,6 +1786,7 @@
+
diff --git a/src/core/lib/channel/promise_based_filter.h b/src/core/lib/channel/promise_based_filter.h
index b455ab869b992..5c3b7ddb55aa7 100644
--- a/src/core/lib/channel/promise_based_filter.h
+++ b/src/core/lib/channel/promise_based_filter.h
@@ -63,6 +63,7 @@
#include "src/core/lib/promise/poll.h"
#include "src/core/lib/promise/promise.h"
#include "src/core/lib/promise/race.h"
+#include "src/core/lib/promise/try_seq.h"
#include "src/core/lib/resource_quota/arena.h"
#include "src/core/lib/slice/slice_buffer.h"
#include "src/core/lib/surface/call.h"
@@ -330,54 +331,88 @@ auto MapResult(void (Derived::Call::*fn)(ServerMetadata&), Promise x,
});
}
-inline auto RunCall(const NoInterceptor*, CallArgs call_args,
- NextPromiseFactory next_promise_factory, void*) {
- return next_promise_factory(std::move(call_args));
-}
+template
+struct RunCallImpl;
template
-inline auto RunCall(void (Derived::Call::*fn)(ClientMetadata& md),
- CallArgs call_args, NextPromiseFactory next_promise_factory,
- FilterCallData* call_data) {
- GPR_DEBUG_ASSERT(fn == &Derived::Call::OnClientInitialMetadata);
- call_data->call.OnClientInitialMetadata(*call_args.client_initial_metadata);
- return next_promise_factory(std::move(call_args));
-}
+struct RunCallImpl {
+ static auto Run(CallArgs call_args, NextPromiseFactory next_promise_factory,
+ void*) {
+ return next_promise_factory(std::move(call_args));
+ }
+};
template
-inline auto RunCall(
- ServerMetadataHandle (Derived::Call::*fn)(ClientMetadata& md),
- CallArgs call_args, NextPromiseFactory next_promise_factory,
- FilterCallData* call_data) -> ArenaPromise {
- GPR_DEBUG_ASSERT(fn == &Derived::Call::OnClientInitialMetadata);
- auto return_md = call_data->call.OnClientInitialMetadata(
- *call_args.client_initial_metadata);
- if (return_md == nullptr) return next_promise_factory(std::move(call_args));
- return Immediate(std::move(return_md));
-}
+struct RunCallImpl {
+ static auto Run(CallArgs call_args, NextPromiseFactory next_promise_factory,
+ FilterCallData* call_data) {
+ call_data->call.OnClientInitialMetadata(*call_args.client_initial_metadata);
+ return next_promise_factory(std::move(call_args));
+ }
+};
template
-inline auto RunCall(ServerMetadataHandle (Derived::Call::*fn)(
- ClientMetadata& md, Derived* channel),
- CallArgs call_args, NextPromiseFactory next_promise_factory,
- FilterCallData* call_data)
- -> ArenaPromise {
- GPR_DEBUG_ASSERT(fn == &Derived::Call::OnClientInitialMetadata);
- auto return_md = call_data->call.OnClientInitialMetadata(
- *call_args.client_initial_metadata, call_data->channel);
- if (return_md == nullptr) return next_promise_factory(std::move(call_args));
- return Immediate(std::move(return_md));
-}
+struct RunCallImpl {
+ static auto Run(CallArgs call_args, NextPromiseFactory next_promise_factory,
+ FilterCallData* call_data)
+ -> ArenaPromise {
+ auto return_md = call_data->call.OnClientInitialMetadata(
+ *call_args.client_initial_metadata);
+ if (return_md == nullptr) return next_promise_factory(std::move(call_args));
+ return Immediate(std::move(return_md));
+ }
+};
template
-inline auto RunCall(void (Derived::Call::*fn)(ClientMetadata& md,
- Derived* channel),
- CallArgs call_args, NextPromiseFactory next_promise_factory,
- FilterCallData* call_data) {
- GPR_DEBUG_ASSERT(fn == &Derived::Call::OnClientInitialMetadata);
- call_data->call.OnClientInitialMetadata(*call_args.client_initial_metadata,
- call_data->channel);
- return next_promise_factory(std::move(call_args));
+struct RunCallImpl {
+ static auto Run(CallArgs call_args, NextPromiseFactory next_promise_factory,
+ FilterCallData* call_data)
+ -> ArenaPromise {
+ auto return_md = call_data->call.OnClientInitialMetadata(
+ *call_args.client_initial_metadata, call_data->channel);
+ if (return_md == nullptr) return next_promise_factory(std::move(call_args));
+ return Immediate(std::move(return_md));
+ }
+};
+
+template
+struct RunCallImpl<
+ void (Derived::Call::*)(ClientMetadata& md, Derived* channel), Derived> {
+ static auto Run(CallArgs call_args, NextPromiseFactory next_promise_factory,
+ FilterCallData* call_data) {
+ call_data->call.OnClientInitialMetadata(*call_args.client_initial_metadata,
+ call_data->channel);
+ return next_promise_factory(std::move(call_args));
+ }
+};
+
+template
+struct RunCallImpl<
+ Promise (Derived::Call::*)(ClientMetadata& md, Derived* channel), Derived,
+ absl::void_t(
+ std::declval>))>> {
+ static auto Run(CallArgs call_args, NextPromiseFactory next_promise_factory,
+ FilterCallData* call_data) {
+ ClientMetadata& md_ref = *call_args.client_initial_metadata;
+ return TrySeq(
+ call_data->call.OnClientInitialMetadata(md_ref, call_data->channel),
+ [call_args = std::move(call_args),
+ next_promise_factory = std::move(next_promise_factory)]() mutable {
+ return next_promise_factory(std::move(call_args));
+ });
+ }
+};
+
+template
+auto RunCall(Interceptor interceptor, CallArgs call_args,
+ NextPromiseFactory next_promise_factory,
+ FilterCallData* call_data) {
+ GPR_DEBUG_ASSERT(interceptor == &Derived::Call::OnClientInitialMetadata);
+ return RunCallImpl::Run(
+ std::move(call_args), std::move(next_promise_factory), call_data);
}
inline void InterceptClientToServerMessage(const NoInterceptor*, void*,
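Review bot: The promise-returning `RunCallImpl` specialization (the one that calls `TrySeq`) carries no comment on the two things it depends on for correctness. It binds `md_ref` before `call_args` is moved into the continuation, and it relies on `TrySeq` skipping the continuation, and with it `next_promise_factory`, when the interceptor's promise resolves non-OK. Since this is the path the server auth filter will take, I would add `// md_ref stays valid: call_args, which owns the metadata, is moved into the continuation below.` and `// TrySeq short-circuits on a non-OK result, so a rejected call never reaches the next filter.` A filter test whose `OnClientInitialMetadata` returns a promise resolving to a failure, asserting the next promise factory is never invoked, would pin the fail-closed behaviour. The template parameter lists are not legible on this page, so the detection expression in the `absl::void_t` argument could not be checked here.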
@@ -558,6 +593,30 @@ inline void InterceptClientInitialMetadata(
});
}
+// Returning a promise that resolves to something that can be cast to
+// ServerMetadataHandle also counts
+template
+absl::void_t(
+ std::declval>))>
+InterceptClientInitialMetadata(Promise (Derived::Call::*promise_factory)(
+ ClientMetadata& md, Derived* channel),
+ typename Derived::Call* call, Derived* channel,
+ CallSpineInterface* call_spine) {
+ GPR_DEBUG_ASSERT(promise_factory == &Derived::Call::OnClientInitialMetadata);
+ call_spine->client_initial_metadata().receiver.InterceptAndMap(
+ [call, call_spine, channel](ClientMetadataHandle md) {
+ ClientMetadata& md_ref = *md;
+ return Map(call->OnClientInitialMetadata(md_ref, channel),
+ [md = std::move(md),
+ call_spine](PromiseResult status) mutable
+ -> absl::optional {
+ if (IsStatusOk(status)) return std::move(md);
+ return call_spine->Cancel(
+ StatusCast(std::move(status)));
+ });
+ });
+}
+
template
inline void InterceptServerInitialMetadata(const NoInterceptor*, void*,
const CallArgs&) {}
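Review bot: The comment above the new `InterceptClientInitialMetadata` overload ("also counts") does not say what happens on failure, which is the part a filter author needs to know. From the body, a non-OK result calls `call_spine->Cancel(...)` and the client metadata is not forwarded; only `IsStatusOk(status)` lets `md` continue down the pipe. I would reword it to something like `// A promise-returning OnClientInitialMetadata is also accepted: an OK result forwards the metadata unchanged, any other result cancels the call with that status.` The lambda also captures `call`, `channel` and `call_spine` as raw pointers that must outlive the returned promise; presumably the call spine guarantees that, and a one-line note saying so would help.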
@@ -903,6 +962,8 @@ MakeFilterCall(Derived* derived) {
// the filter can return nullptr for success, or a metadata handle for
// failure (in which case the call will be aborted).
// useful for cases where the exact metadata returned needs to be customized.
+// It's also acceptable to return a promise that resolves to the
+// relevant return type listed above.
// Finally, OnFinalize can be added to intecept call finalization.
// It must have one of the signatures:
// - static const NoInterceptor OnFinalize:
diff --git a/src/core/lib/experiments/experiments.cc b/src/core/lib/experiments/experiments.cc
index 9141512058514..3ec2239e017ae 100644
--- a/src/core/lib/experiments/experiments.cc
+++ b/src/core/lib/experiments/experiments.cc
@@ -158,6 +158,9 @@ const char* const additional_constraints_v3_channel_idle_filters = "{}";
const char* const description_v3_compression_filter =
"Use the compression filter utilizing the v3 filter api";
const char* const additional_constraints_v3_compression_filter = "{}";
+const char* const description_v3_server_auth_filter =
+ "Use the server auth filter utilizing the v3 filter api";
+const char* const additional_constraints_v3_server_auth_filter = "{}";
const char* const description_work_serializer_clears_time_cache =
"Have the work serializer clear the time cache when it dispatches work.";
const char* const additional_constraints_work_serializer_clears_time_cache =
@@ -274,6 +277,8 @@ const ExperimentMetadata g_experiment_metadata[] = {
additional_constraints_v3_channel_idle_filters, nullptr, 0, false, true},
{"v3_compression_filter", description_v3_compression_filter,
additional_constraints_v3_compression_filter, nullptr, 0, false, true},
+ {"v3_server_auth_filter", description_v3_server_auth_filter,
+ additional_constraints_v3_server_auth_filter, nullptr, 0, false, true},
{"work_serializer_clears_time_cache",
description_work_serializer_clears_time_cache,
additional_constraints_work_serializer_clears_time_cache, nullptr, 0, true,
@@ -427,6 +432,9 @@ const char* const additional_constraints_v3_channel_idle_filters = "{}";
const char* const description_v3_compression_filter =
"Use the compression filter utilizing the v3 filter api";
const char* const additional_constraints_v3_compression_filter = "{}";
+const char* const description_v3_server_auth_filter =
+ "Use the server auth filter utilizing the v3 filter api";
+const char* const additional_constraints_v3_server_auth_filter = "{}";
const char* const description_work_serializer_clears_time_cache =
"Have the work serializer clear the time cache when it dispatches work.";
const char* const additional_constraints_work_serializer_clears_time_cache =
@@ -543,6 +551,8 @@ const ExperimentMetadata g_experiment_metadata[] = {
additional_constraints_v3_channel_idle_filters, nullptr, 0, false, true},
{"v3_compression_filter", description_v3_compression_filter,
additional_constraints_v3_compression_filter, nullptr, 0, false, true},
+ {"v3_server_auth_filter", description_v3_server_auth_filter,
+ additional_constraints_v3_server_auth_filter, nullptr, 0, false, true},
{"work_serializer_clears_time_cache",
description_work_serializer_clears_time_cache,
additional_constraints_work_serializer_clears_time_cache, nullptr, 0, true,
@@ -696,6 +706,9 @@ const char* const additional_constraints_v3_channel_idle_filters = "{}";
const char* const description_v3_compression_filter =
"Use the compression filter utilizing the v3 filter api";
const char* const additional_constraints_v3_compression_filter = "{}";
+const char* const description_v3_server_auth_filter =
+ "Use the server auth filter utilizing the v3 filter api";
+const char* const additional_constraints_v3_server_auth_filter = "{}";
const char* const description_work_serializer_clears_time_cache =
"Have the work serializer clear the time cache when it dispatches work.";
const char* const additional_constraints_work_serializer_clears_time_cache =
@@ -812,6 +825,8 @@ const ExperimentMetadata g_experiment_metadata[] = {
additional_constraints_v3_channel_idle_filters, nullptr, 0, false, true},
{"v3_compression_filter", description_v3_compression_filter,
additional_constraints_v3_compression_filter, nullptr, 0, false, true},
+ {"v3_server_auth_filter", description_v3_server_auth_filter,
+ additional_constraints_v3_server_auth_filter, nullptr, 0, false, true},
{"work_serializer_clears_time_cache",
description_work_serializer_clears_time_cache,
additional_constraints_work_serializer_clears_time_cache, nullptr, 0, true,
diff --git a/src/core/lib/experiments/experiments.h b/src/core/lib/experiments/experiments.h
index d337d9da2fa92..05e2157985ee4 100644
--- a/src/core/lib/experiments/experiments.h
+++ b/src/core/lib/experiments/experiments.h
@@ -109,6 +109,7 @@ inline bool IsTraceRecordCallopsEnabled() { return false; }
inline bool IsUnconstrainedMaxQuotaBufferSizeEnabled() { return false; }
inline bool IsV3ChannelIdleFiltersEnabled() { return false; }
inline bool IsV3CompressionFilterEnabled() { return false; }
+inline bool IsV3ServerAuthFilterEnabled() { return false; }
#define GRPC_EXPERIMENT_IS_INCLUDED_WORK_SERIALIZER_CLEARS_TIME_CACHE
inline bool IsWorkSerializerClearsTimeCacheEnabled() { return true; }
inline bool IsWorkSerializerDispatchEnabled() { return false; }
@@ -173,6 +174,7 @@ inline bool IsTraceRecordCallopsEnabled() { return false; }
inline bool IsUnconstrainedMaxQuotaBufferSizeEnabled() { return false; }
inline bool IsV3ChannelIdleFiltersEnabled() { return false; }
inline bool IsV3CompressionFilterEnabled() { return false; }
+inline bool IsV3ServerAuthFilterEnabled() { return false; }
#define GRPC_EXPERIMENT_IS_INCLUDED_WORK_SERIALIZER_CLEARS_TIME_CACHE
inline bool IsWorkSerializerClearsTimeCacheEnabled() { return true; }
inline bool IsWorkSerializerDispatchEnabled() { return false; }
@@ -237,6 +239,7 @@ inline bool IsTraceRecordCallopsEnabled() { return false; }
inline bool IsUnconstrainedMaxQuotaBufferSizeEnabled() { return false; }
inline bool IsV3ChannelIdleFiltersEnabled() { return false; }
inline bool IsV3CompressionFilterEnabled() { return false; }
+inline bool IsV3ServerAuthFilterEnabled() { return false; }
#define GRPC_EXPERIMENT_IS_INCLUDED_WORK_SERIALIZER_CLEARS_TIME_CACHE
inline bool IsWorkSerializerClearsTimeCacheEnabled() { return true; }
inline bool IsWorkSerializerDispatchEnabled() { return false; }
@@ -285,6 +288,7 @@ enum ExperimentIds {
kExperimentIdUnconstrainedMaxQuotaBufferSize,
kExperimentIdV3ChannelIdleFilters,
kExperimentIdV3CompressionFilter,
+ kExperimentIdV3ServerAuthFilter,
kExperimentIdWorkSerializerClearsTimeCache,
kExperimentIdWorkSerializerDispatch,
kExperimentIdWriteSizePolicy,
@@ -432,6 +436,10 @@ inline bool IsV3ChannelIdleFiltersEnabled() {
inline bool IsV3CompressionFilterEnabled() {
return IsExperimentEnabled(kExperimentIdV3CompressionFilter);
}
+#define GRPC_EXPERIMENT_IS_INCLUDED_V3_SERVER_AUTH_FILTER
+inline bool IsV3ServerAuthFilterEnabled() {
+ return IsExperimentEnabled(kExperimentIdV3ServerAuthFilter);
+}
#define GRPC_EXPERIMENT_IS_INCLUDED_WORK_SERIALIZER_CLEARS_TIME_CACHE
inline bool IsWorkSerializerClearsTimeCacheEnabled() {
return IsExperimentEnabled(kExperimentIdWorkSerializerClearsTimeCache);
diff --git a/src/core/lib/experiments/experiments.yaml b/src/core/lib/experiments/experiments.yaml
index 8fd03836ea966..36d3f2baaa1b8 100644
--- a/src/core/lib/experiments/experiments.yaml
+++ b/src/core/lib/experiments/experiments.yaml
@@ -265,6 +265,12 @@
expiry: 2024/04/04
owner: ctiller@google.com
test_tags: ["compression_test"]
+- name: v3_server_auth_filter
+ description:
+ Use the server auth filter utilizing the v3 filter api
+ expiry: 2024/04/04
+ owner: ctiller@google.com
+ test_tags: []
- name: work_serializer_clears_time_cache
description:
Have the work serializer clear the time cache when it dispatches work.
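Review bot: `test_tags: []` on `v3_server_auth_filter` means no test target is associated with the new experiment, whereas the neighbouring compression entry lists `["compression_test"]`. If the tags drive which tests run with the experiment switched on, as they appear to, then the v3 server auth path added by this change would not be exercised in CI until someone enables it by hand. Because this filter is what rejects unauthenticated calls, I would tag at least the tests that cover the server auth metadata processor, e.g. `test_tags: ["<server_auth_test_tag>"]` with the real tag name filled in.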
diff --git a/src/core/lib/promise/detail/promise_like.h b/src/core/lib/promise/detail/promise_like.h
index 4bec366164294..6f7a6e5d63972 100644
--- a/src/core/lib/promise/detail/promise_like.h
+++ b/src/core/lib/promise/detail/promise_like.h
@@ -63,15 +63,12 @@ auto WrapInPoll(T&& x) -> decltype(PollWrapper::Wrap(std::forward(x))) {
return PollWrapper::Wrap(std::forward(x));
}
-template
+template ::type>::value>>
class PromiseLike {
private:
GPR_NO_UNIQUE_ADDRESS F f_;
- static_assert(!std::is_void::type>::value,
- "PromiseLike cannot be used with a function that returns void "
- "- return Empty{} instead");
-
public:
// NOLINTNEXTLINE - internal detail that drastically simplifies calling code.
PromiseLike(F&& f) : f_(std::forward(f)) {}
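Review bot: Moving the void-return check on `PromiseLike` from a `static_assert` into an `enable_if` template parameter drops the message "return Empty{} instead". A void-returning functor will now produce an opaque incomplete-type or substitution error. The switch looks deliberate, presumably so that `PromiseLike` can be used in SFINAE detection by the new promise-returning interceptor overloads, but nothing at the class says so. I would add a comment above the template, e.g. `// SFINAE-friendly: F must not return void (return Empty{} instead). Disabled via enable_if so callers can detect promise-ness.`, so the guidance from the old assertion is not lost.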
diff --git a/src/core/lib/promise/poll.h b/src/core/lib/promise/poll.h
index d55174e744150..d9b773f540934 100644
--- a/src/core/lib/promise/poll.h
+++ b/src/core/lib/promise/poll.h
@@ -192,6 +192,7 @@ class Poll>;
// lambda, for example (via enable_if).
template
struct PollTraits {
+ using Type = T;
static constexpr bool is_poll() { return false; }
};
diff --git a/src/core/lib/promise/promise.h b/src/core/lib/promise/promise.h
index ab9b0d6becda3..dad484900d4d3 100644
--- a/src/core/lib/promise/promise.h
+++ b/src/core/lib/promise/promise.h
@@ -89,6 +89,10 @@ auto WithResult(F f) ->
return f;
}
+template
+using PromiseResult = typename PollTraits<
+ typename promise_detail::PromiseLike::Result>::Type;
+
} // namespace grpc_core
#endif // GRPC_SRC_CORE_LIB_PROMISE_PROMISE_H
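Review bot: The new `PromiseResult` alias is exported from `promise.h` without a comment, and its meaning depends on the `Type` member that this same commit adds to `PollTraits` in `poll.h`. A reader cannot tell from here whether it yields the `Poll` wrapper or the unwrapped value. From the definition it appears to be the unwrapped result of polling the promise, and a one-line comment would settle it, e.g. `// The value type a promise F resolves to (the T of the Poll<T> it returns).`. Please confirm that wording against the `Poll` specialization of `PollTraits`, which is not visible in this diff.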
diff --git a/src/core/lib/security/transport/auth_filters.h b/src/core/lib/security/transport/auth_filters.h
index 7c69b8f1b57a2..37b4e5bf0c408 100644
--- a/src/core/lib/security/transport/auth_filters.h
+++ b/src/core/lib/security/transport/auth_filters.h
@@ -62,23 +62,90 @@ class ClientAuthFilter final : public ChannelFilter {
grpc_call_credentials::GetRequestMetadataArgs args_;
};
-class ServerAuthFilter final : public ChannelFilter {
+class LegacyServerAuthFilter final : public ChannelFilter {
public:
static const grpc_channel_filter kFilter;
- static absl::StatusOr Create(const ChannelArgs& args,
- ChannelFilter::Args);
+ static absl::StatusOr Create(const ChannelArgs& args,
+ ChannelFilter::Args);
// Construct a promise for one call.
ArenaPromise MakeCallPromise(
CallArgs call_args, NextPromiseFactory next_promise_factory) override;
+ private:
+ LegacyServerAuthFilter(
+ RefCountedPtr server_credentials,
+ RefCountedPtr auth_context);
+
+ class RunApplicationCode;
+
+ ArenaPromise> GetCallCredsMetadata(
+ CallArgs call_args);
+
+ RefCountedPtr server_credentials_;
+ RefCountedPtr auth_context_;
+};
+
+class ServerAuthFilter final : public ImplementChannelFilter {
private:
ServerAuthFilter(RefCountedPtr server_credentials,
RefCountedPtr auth_context);
- class RunApplicationCode;
+ class RunApplicationCode {
+ public:
+ RunApplicationCode(ServerAuthFilter* filter, ClientMetadata& metadata);
+
+ RunApplicationCode(const RunApplicationCode&) = delete;
+ RunApplicationCode& operator=(const RunApplicationCode&) = delete;
+ RunApplicationCode(RunApplicationCode&& other) noexcept
+ : state_(std::exchange(other.state_, nullptr)) {}
+ RunApplicationCode& operator=(RunApplicationCode&& other) noexcept {
+ state_ = std::exchange(other.state_, nullptr);
+ return *this;
+ }
+
+ Poll operator()();
+
+ private:
+ // Called from application code.
+ static void OnMdProcessingDone(void* user_data,
+ const grpc_metadata* consumed_md,
+ size_t num_consumed_md,
+ const grpc_metadata* response_md,
+ size_t num_response_md,
+ grpc_status_code status,
+ const char* error_details);
+
+ struct State;
+ State* state_;
+ };
+
+ public:
+ static const grpc_channel_filter kFilter;
+ static absl::StatusOr Create(const ChannelArgs& args,
+ ChannelFilter::Args);
+
+ class Call {
+ public:
+ explicit Call(ServerAuthFilter* filter);
+ auto OnClientInitialMetadata(ClientMetadata& md, ServerAuthFilter* filter) {
+ return If(
+ filter->server_credentials_ == nullptr ||
+ filter->server_credentials_->auth_metadata_processor().process ==
+ nullptr,
+ ImmediateOkStatus(),
+ [filter, md = &md]() { return RunApplicationCode(filter, *md); });
+ }
+ static const NoInterceptor OnServerInitialMetadata;
+ static const NoInterceptor OnClientToServerMessage;
+ static const NoInterceptor OnServerToClientMessage;
+ static const NoInterceptor OnServerTrailingMetadata;
+ static const NoInterceptor OnFinalize;
+ };
+
+ private:
ArenaPromise> GetCallCredsMetadata(
CallArgs call_args);
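Review bot: `ServerAuthFilter::RunApplicationCode` holds a raw `State* state_` and declares move operations but no destructor in this hunk, and its move assignment overwrites `state_` without releasing what it held. That is only safe if `State` is owned elsewhere, and nothing here says so. Ownership matters because `OnMdProcessingDone` is invoked from application code with `user_data`; if the call is cancelled and the promise destroyed before the application calls back, the callback must still find a live `State`. I would document this at the member, e.g. `// Owned by <owner>; must outlive this promise because OnMdProcessingDone may run after the promise is dropped.`, and confirm the implementation file upholds it. Separately, the first branch of `Call::OnClientInitialMetadata` lets the call through when no credentials or `auth_metadata_processor().process` is set, which deserves a comment such as `// No auth metadata processor configured: metadata passes through unchecked.` The class continues past the end of this hunk.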
diff --git a/src/core/lib/security/transport/legacy_server_auth_filter.cc b/src/core/lib/security/transport/legacy_server_auth_filter.cc
new file mode 100644
index 0000000000000..7b8da39f2ddda
--- /dev/null
+++ b/src/core/lib/security/transport/legacy_server_auth_filter.cc
@@ -0,0 +1,244 @@
+//
+//
+// Copyright 2015 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+
+#include
+#include
+#include
+#include
+#include
+
+#include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/channel/channel_fwd.h"
+#include "src/core/lib/channel/channel_stack.h"
+#include "src/core/lib/channel/context.h"
+#include "src/core/lib/channel/promise_based_filter.h"
+#include "src/core/lib/debug/trace.h"
+#include "src/core/lib/gprpp/debug_location.h"
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/gprpp/status_helper.h"
+#include "src/core/lib/iomgr/error.h"
+#include "src/core/lib/iomgr/exec_ctx.h"
+#include "src/core/lib/promise/activity.h"
+#include "src/core/lib/promise/arena_promise.h"
+#include "src/core/lib/promise/context.h"
+#include "src/core/lib/promise/poll.h"
+#include "src/core/lib/promise/try_seq.h"
+#include "src/core/lib/resource_quota/arena.h"
+#include "src/core/lib/security/context/security_context.h"
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/transport/auth_filters.h" // IWYU pragma: keep
+#include "src/core/lib/slice/slice.h"
+#include "src/core/lib/slice/slice_internal.h"
+#include "src/core/lib/surface/call_trace.h"
+#include "src/core/lib/transport/metadata_batch.h"
+#include "src/core/lib/transport/transport.h"
+
+namespace grpc_core {
+
+const grpc_channel_filter LegacyServerAuthFilter::kFilter =
+ MakePromiseBasedFilter(
+ "server-auth");
+
+namespace {
+
+class ArrayEncoder {
+ public:
+ explicit ArrayEncoder(grpc_metadata_array* result) : result_(result) {}
+
+ void Encode(const Slice& key, const Slice& value) {
+ Append(key.Ref(), value.Ref());
+ }
+
+ template
+ void Encode(Which, const typename Which::ValueType& value) {
+ Append(Slice(StaticSlice::FromStaticString(Which::key())),
+ Slice(Which::Encode(value)));
+ }
+
+ void Encode(HttpMethodMetadata,
+ const typename HttpMethodMetadata::ValueType&) {}
+
+ private:
+ void Append(Slice key, Slice value) {
+ if (result_->count == result_->capacity) {
+ result_->capacity =
+ std::max(result_->capacity + 8, result_->capacity * 2);
+ result_->metadata = static_cast(gpr_realloc(
+ result_->metadata, result_->capacity * sizeof(grpc_metadata)));
+ }
+ auto* usr_md = &result_->metadata[result_->count++];
+ usr_md->key = key.TakeCSlice();
+ usr_md->value = value.TakeCSlice();
+ }
+
+ grpc_metadata_array* result_;
+};
+
+// TODO(ctiller): seek out all users of this functionality and change API so
+// that this unilateral format conversion IS NOT REQUIRED.
+grpc_metadata_array MetadataBatchToMetadataArray(
+ const grpc_metadata_batch* batch) {
+ grpc_metadata_array result;
+ grpc_metadata_array_init(&result);
+ ArrayEncoder encoder(&result);
+ batch->Encode(&encoder);
+ return result;
+}
+
+} // namespace
+
+class LegacyServerAuthFilter::RunApplicationCode {
+ public:
+ // TODO(ctiller): Allocate state_ into a pool on the arena to reuse this
+ // memory later
+ RunApplicationCode(LegacyServerAuthFilter* filter, CallArgs call_args)
+ : state_(GetContext()->ManagedNew(std::move(call_args))) {
+ if (grpc_call_trace.enabled()) {
+ gpr_log(GPR_ERROR,
+ "%s[server-auth]: Delegate to application: filter=%p this=%p "
+ "auth_ctx=%p",
+ Activity::current()->DebugTag().c_str(), filter, this,
+ filter->auth_context_.get());
+ }
+ filter->server_credentials_->auth_metadata_processor().process(
+ filter->server_credentials_->auth_metadata_processor().state,
+ filter->auth_context_.get(), state_->md.metadata, state_->md.count,
+ OnMdProcessingDone, state_);
+ }
+
+ RunApplicationCode(const RunApplicationCode&) = delete;
+ RunApplicationCode& operator=(const RunApplicationCode&) = delete;
+ RunApplicationCode(RunApplicationCode&& other) noexcept
+ : state_(std::exchange(other.state_, nullptr)) {}
+ RunApplicationCode& operator=(RunApplicationCode&& other) noexcept {
+ state_ = std::exchange(other.state_, nullptr);
+ return *this;
+ }
+
+ Poll> operator()() {
+ if (state_->done.load(std::memory_order_acquire)) {
+ return Poll>(std::move(state_->call_args));
+ }
+ return Pending{};
+ }
+
+ private:
+ struct State {
+ explicit State(CallArgs call_args) : call_args(std::move(call_args)) {}
+ Waker waker{Activity::current()->MakeOwningWaker()};
+ absl::StatusOr call_args;
+ grpc_metadata_array md =
+ MetadataBatchToMetadataArray(call_args->client_initial_metadata.get());
+ std::atomic done{false};
+ };
+
+ // Called from application code.
+ static void OnMdProcessingDone(
+ void* user_data, const grpc_metadata* consumed_md, size_t num_consumed_md,
+ const grpc_metadata* response_md, size_t num_response_md,
+ grpc_status_code status, const char* error_details) {
+ ApplicationCallbackExecCtx callback_exec_ctx;
+ ExecCtx exec_ctx;
+
+ auto* state = static_cast(user_data);
+
+ // TODO(ZhenLian): Implement support for response_md.
+ if (response_md != nullptr && num_response_md > 0) {
+ gpr_log(GPR_ERROR,
+ "response_md in auth metadata processing not supported for now. "
+ "Ignoring...");
+ }
+
+ if (status == GRPC_STATUS_OK) {
+ ClientMetadataHandle& md = state->call_args->client_initial_metadata;
+ for (size_t i = 0; i < num_consumed_md; i++) {
+ md->Remove(StringViewFromSlice(consumed_md[i].key));
+ }
+ } else {
+ if (error_details == nullptr) {
+ error_details = "Authentication metadata processing failed.";
+ }
+ state->call_args = grpc_error_set_int(
+ absl::Status(static_cast(status), error_details),
+ StatusIntProperty::kRpcStatus, status);
+ }
+
+ // Clean up.
+ for (size_t i = 0; i < state->md.count; i++) {
+ CSliceUnref(state->md.metadata[i].key);
+ CSliceUnref(state->md.metadata[i].value);
+ }
+ grpc_metadata_array_destroy(&state->md);
+
+ auto waker = std::move(state->waker);
+ state->done.store(true, std::memory_order_release);
+ waker.Wakeup();
+ }
+
+ State* state_;
+};
+
+ArenaPromise LegacyServerAuthFilter::MakeCallPromise(
+ CallArgs call_args, NextPromiseFactory next_promise_factory) {
+ // Create server security context. Set its auth context from channel
+ // data and save it in the call context.
+ grpc_server_security_context* server_ctx =
+ grpc_server_security_context_create(GetContext());
+ server_ctx->auth_context =
+ auth_context_->Ref(DEBUG_LOCATION, "server_auth_filter");
+ grpc_call_context_element& context =
+ GetContext()[GRPC_CONTEXT_SECURITY];
+ if (context.value != nullptr) context.destroy(context.value);
+ context.value = server_ctx;
+ context.destroy = grpc_server_security_context_destroy;
+
+ if (server_credentials_ == nullptr ||
+ server_credentials_->auth_metadata_processor().process == nullptr) {
+ return next_promise_factory(std::move(call_args));
+ }
+
+ return TrySeq(RunApplicationCode(this, std::move(call_args)),
+ std::move(next_promise_factory));
+}
+
+LegacyServerAuthFilter::LegacyServerAuthFilter(
+ RefCountedPtr server_credentials,
+ RefCountedPtr auth_context)
+ : server_credentials_(server_credentials), auth_context_(auth_context) {}
+
+absl::StatusOr LegacyServerAuthFilter::Create(
+ const ChannelArgs& args, ChannelFilter::Args) {
+ auto auth_context = args.GetObjectRef();
+ GPR_ASSERT(auth_context != nullptr);
+ auto creds = args.GetObjectRef();
+ return LegacyServerAuthFilter(std::move(creds), std::move(auth_context));
+}
+
+} // namespace grpc_core
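Review bot: The new file has no comment saying that it is the pre-V3 copy of the server auth filter, or when it may be deleted. It repeats `ArrayEncoder` and `MetadataBatchToMetadataArray`, which the context lines of the server_auth_filter.cc hunks show are still defined there, so a later fix to the metadata conversion or to `OnMdProcessingDone` has to be made in two places. I would add a header comment above `namespace grpc_core {`, such as `// Legacy server auth filter, registered only while IsV3ServerAuthFilterEnabled() is false; keep in sync with server_auth_filter.cc until the experiment is removed.` Both filters are also created with the name `"server-auth"` and log the same `[server-auth]` trace prefix, so a trace cannot show which implementation handled a call. Changing the prefix in this file to `[legacy-server-auth]` would make that visible.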
diff --git a/src/core/lib/security/transport/server_auth_filter.cc b/src/core/lib/security/transport/server_auth_filter.cc
index 765ddcdf42bf7..b0713f41770f8 100644
--- a/src/core/lib/security/transport/server_auth_filter.cc
+++ b/src/core/lib/security/transport/server_auth_filter.cc
@@ -66,6 +66,12 @@ const grpc_channel_filter ServerAuthFilter::kFilter =
MakePromiseBasedFilter(
"server-auth");
+const NoInterceptor ServerAuthFilter::Call::OnClientToServerMessage;
+const NoInterceptor ServerAuthFilter::Call::OnServerToClientMessage;
+const NoInterceptor ServerAuthFilter::Call::OnServerInitialMetadata;
+const NoInterceptor ServerAuthFilter::Call::OnServerTrailingMetadata;
+const NoInterceptor ServerAuthFilter::Call::OnFinalize;
+
namespace {
class ArrayEncoder {
@@ -114,118 +120,92 @@ grpc_metadata_array MetadataBatchToMetadataArray(
} // namespace
-class ServerAuthFilter::RunApplicationCode {
- public:
- // TODO(ctiller): Allocate state_ into a pool on the arena to reuse this
- // memory later
- RunApplicationCode(ServerAuthFilter* filter, CallArgs call_args)
- : state_(GetContext()->ManagedNew(std::move(call_args))) {
- if (grpc_call_trace.enabled()) {
- gpr_log(GPR_ERROR,
- "%s[server-auth]: Delegate to application: filter=%p this=%p "
- "auth_ctx=%p",
- Activity::current()->DebugTag().c_str(), filter, this,
- filter->auth_context_.get());
- }
- filter->server_credentials_->auth_metadata_processor().process(
- filter->server_credentials_->auth_metadata_processor().state,
- filter->auth_context_.get(), state_->md.metadata, state_->md.count,
- OnMdProcessingDone, state_);
- }
+struct ServerAuthFilter::RunApplicationCode::State {
+ explicit State(ClientMetadata& client_metadata)
+ : client_metadata(&client_metadata) {}
+ Waker waker{Activity::current()->MakeOwningWaker()};
+ absl::StatusOr client_metadata;
+ grpc_metadata_array md = MetadataBatchToMetadataArray(*client_metadata);
+ std::atomic done{false};
+};
- RunApplicationCode(const RunApplicationCode&) = delete;
- RunApplicationCode& operator=(const RunApplicationCode&) = delete;
- RunApplicationCode(RunApplicationCode&& other) noexcept
- : state_(std::exchange(other.state_, nullptr)) {}
- RunApplicationCode& operator=(RunApplicationCode&& other) noexcept {
- state_ = std::exchange(other.state_, nullptr);
- return *this;
+ServerAuthFilter::RunApplicationCode::RunApplicationCode(
+ ServerAuthFilter* filter, ClientMetadata& metadata)
+ : state_(GetContext()->ManagedNew(metadata)) {
+ if (grpc_call_trace.enabled()) {
+ gpr_log(GPR_ERROR,
+ "%s[server-auth]: Delegate to application: filter=%p this=%p "
+ "auth_ctx=%p",
+ Activity::current()->DebugTag().c_str(), filter, this,
+ filter->auth_context_.get());
}
+ filter->server_credentials_->auth_metadata_processor().process(
+ filter->server_credentials_->auth_metadata_processor().state,
+ filter->auth_context_.get(), state_->md.metadata, state_->md.count,
+ OnMdProcessingDone, state_);
+}
- Poll> operator()() {
- if (state_->done.load(std::memory_order_acquire)) {
- return Poll>(std::move(state_->call_args));
- }
- return Pending{};
+Poll ServerAuthFilter::RunApplicationCode::operator()() {
+ if (state_->done.load(std::memory_order_acquire)) {
+ return Poll(std::move(state_->client_metadata).status());
}
+ return Pending{};
+}
- private:
- struct State {
- explicit State(CallArgs call_args) : call_args(std::move(call_args)) {}
- Waker waker{Activity::current()->MakeOwningWaker()};
- absl::StatusOr call_args;
- grpc_metadata_array md =
- MetadataBatchToMetadataArray(call_args->client_initial_metadata.get());
- std::atomic done{false};
- };
-
- // Called from application code.
- static void OnMdProcessingDone(
- void* user_data, const grpc_metadata* consumed_md, size_t num_consumed_md,
- const grpc_metadata* response_md, size_t num_response_md,
- grpc_status_code status, const char* error_details) {
- ApplicationCallbackExecCtx callback_exec_ctx;
- ExecCtx exec_ctx;
-
- auto* state = static_cast(user_data);
-
- // TODO(ZhenLian): Implement support for response_md.
- if (response_md != nullptr && num_response_md > 0) {
- gpr_log(GPR_ERROR,
- "response_md in auth metadata processing not supported for now. "
- "Ignoring...");
- }
+void ServerAuthFilter::RunApplicationCode::OnMdProcessingDone(
+ void* user_data, const grpc_metadata* consumed_md, size_t num_consumed_md,
+ const grpc_metadata* response_md, size_t num_response_md,
+ grpc_status_code status, const char* error_details) {
+ ApplicationCallbackExecCtx callback_exec_ctx;
+ ExecCtx exec_ctx;
- if (status == GRPC_STATUS_OK) {
- ClientMetadataHandle& md = state->call_args->client_initial_metadata;
- for (size_t i = 0; i < num_consumed_md; i++) {
- md->Remove(StringViewFromSlice(consumed_md[i].key));
- }
- } else {
- if (error_details == nullptr) {
- error_details = "Authentication metadata processing failed.";
- }
- state->call_args = grpc_error_set_int(
- absl::Status(static_cast(status), error_details),
- StatusIntProperty::kRpcStatus, status);
- }
+ auto* state = static_cast(user_data);
+
+ // TODO(ZhenLian): Implement support for response_md.
+ if (response_md != nullptr && num_response_md > 0) {
+ gpr_log(GPR_ERROR,
+ "response_md in auth metadata processing not supported for now. "
+ "Ignoring...");
+ }
- // Clean up.
- for (size_t i = 0; i < state->md.count; i++) {
- CSliceUnref(state->md.metadata[i].key);
- CSliceUnref(state->md.metadata[i].value);
+ if (status == GRPC_STATUS_OK) {
+ ClientMetadata& md = **state->client_metadata;
+ for (size_t i = 0; i < num_consumed_md; i++) {
+ md.Remove(StringViewFromSlice(consumed_md[i].key));
}
- grpc_metadata_array_destroy(&state->md);
+ } else {
+ if (error_details == nullptr) {
+ error_details = "Authentication metadata processing failed.";
+ }
+ state->client_metadata = grpc_error_set_int(
+ absl::Status(static_cast(status), error_details),
+ StatusIntProperty::kRpcStatus, status);
+ }
- auto waker = std::move(state->waker);
- state->done.store(true, std::memory_order_release);
- waker.Wakeup();
+ // Clean up.
+ for (size_t i = 0; i < state->md.count; i++) {
+ CSliceUnref(state->md.metadata[i].key);
+ CSliceUnref(state->md.metadata[i].value);
}
+ grpc_metadata_array_destroy(&state->md);
- State* state_;
-};
+ auto waker = std::move(state->waker);
+ state->done.store(true, std::memory_order_release);
+ waker.Wakeup();
+}
-ArenaPromise ServerAuthFilter::MakeCallPromise(
- CallArgs call_args, NextPromiseFactory next_promise_factory) {
+ServerAuthFilter::Call::Call(ServerAuthFilter* filter) {
// Create server security context. Set its auth context from channel
// data and save it in the call context.
grpc_server_security_context* server_ctx =
grpc_server_security_context_create(GetContext());
server_ctx->auth_context =
- auth_context_->Ref(DEBUG_LOCATION, "server_auth_filter");
+ filter->auth_context_->Ref(DEBUG_LOCATION, "server_auth_filter");
grpc_call_context_element& context =
GetContext()[GRPC_CONTEXT_SECURITY];
if (context.value != nullptr) context.destroy(context.value);
context.value = server_ctx;
context.destroy = grpc_server_security_context_destroy;
-
- if (server_credentials_ == nullptr ||
- server_credentials_->auth_metadata_processor().process == nullptr) {
- return next_promise_factory(std::move(call_args));
- }
-
- return TrySeq(RunApplicationCode(this, std::move(call_args)),
- std::move(next_promise_factory));
}
ServerAuthFilter::ServerAuthFilter(
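Review bot: `RunApplicationCode::State` now stores a borrowed `ClientMetadata*` (`client_metadata(&client_metadata)`), where the removed version owned the `CallArgs` and its metadata handle. `OnMdProcessingDone` is called from application code and writes through that pointer with `md.Remove(...)`, so the metadata must stay alive until the application's processor has invoked the callback, including when the call is cancelled while the processor is still outstanding. Whether the call guarantees that is decided outside this hunk, so the requirement should be stated on the member, for example `// Not owned; must remain valid until OnMdProcessingDone has run.` A test that cancels a call with a pending auth metadata processor would confirm that a late callback is safe.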
diff --git a/src/core/lib/surface/init.cc b/src/core/lib/surface/init.cc
index 5535ece6f2652..cf11feaf49139 100644
--- a/src/core/lib/surface/init.cc
+++ b/src/core/lib/surface/init.cc
@@ -72,14 +72,20 @@ void RegisterSecurityFilters(CoreConfiguration::Builder* builder) {
builder->channel_init()
->RegisterFilter(GRPC_CLIENT_DIRECT_CHANNEL, &ClientAuthFilter::kFilter)
.IfHasChannelArg(GRPC_ARG_SECURITY_CONNECTOR);
- builder->channel_init()
- ->RegisterFilter(GRPC_SERVER_CHANNEL, &ServerAuthFilter::kFilter)
- .IfHasChannelArg(GRPC_SERVER_CREDENTIALS_ARG);
+ if (IsV3ServerAuthFilterEnabled()) {
+ builder->channel_init()
+ ->RegisterFilter(GRPC_SERVER_CHANNEL, &ServerAuthFilter::kFilter)
+ .IfHasChannelArg(GRPC_SERVER_CREDENTIALS_ARG);
+ } else {
+ builder->channel_init()
+ ->RegisterFilter(GRPC_SERVER_CHANNEL, &LegacyServerAuthFilter::kFilter)
+ .IfHasChannelArg(GRPC_SERVER_CREDENTIALS_ARG);
+ }
builder->channel_init()
->RegisterFilter(GRPC_SERVER_CHANNEL,
&GrpcServerAuthzFilter::kFilterVtable)
.IfHasChannelArg(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER)
- .After({&ServerAuthFilter::kFilter});
+ .After({&ServerAuthFilter::kFilter, &LegacyServerAuthFilter::kFilter});
}
} // namespace grpc_core
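Review bot: The two `RegisterFilter` branches differ only in the filter pointer, and the `.After({...})` list on the authorization filter now has to name both auth filters by hand. Because authorization must run after authentication, I would select the filter once, `const grpc_channel_filter* server_auth = IsV3ServerAuthFilterEnabled() ? &ServerAuthFilter::kFilter : &LegacyServerAuthFilter::kFilter;`, register `server_auth` a single time and reuse it in the ordering constraint, so the two cannot drift apart. Whether `.After` accepts a filter that is never registered in a given configuration is not visible here, so a test that checks the filter order under both experiment values would be worth adding. `RegisterSecurityFilters` begins above this hunk.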
diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py
index 9c2ba0008a52f..bd30eef8d3270 100644
--- a/src/python/grpcio/grpc_core_dependencies.py
+++ b/src/python/grpcio/grpc_core_dependencies.py
@@ -765,6 +765,7 @@
'src/core/lib/security/security_connector/ssl_utils.cc',
'src/core/lib/security/security_connector/tls/tls_security_connector.cc',
'src/core/lib/security/transport/client_auth_filter.cc',
+ 'src/core/lib/security/transport/legacy_server_auth_filter.cc',
'src/core/lib/security/transport/secure_endpoint.cc',
'src/core/lib/security/transport/security_handshaker.cc',
'src/core/lib/security/transport/server_auth_filter.cc',
diff --git a/tools/doxygen/Doxyfile.c++.internal b/tools/doxygen/Doxyfile.c++.internal
index 66440c542e37d..b5b0613515e4b 100644
--- a/tools/doxygen/Doxyfile.c++.internal
+++ b/tools/doxygen/Doxyfile.c++.internal
@@ -2803,6 +2803,7 @@ src/core/lib/security/security_connector/tls/tls_security_connector.cc \
src/core/lib/security/security_connector/tls/tls_security_connector.h \
src/core/lib/security/transport/auth_filters.h \
src/core/lib/security/transport/client_auth_filter.cc \
+src/core/lib/security/transport/legacy_server_auth_filter.cc \
src/core/lib/security/transport/secure_endpoint.cc \
src/core/lib/security/transport/secure_endpoint.h \
src/core/lib/security/transport/security_handshaker.cc \
diff --git a/tools/doxygen/Doxyfile.core.internal b/tools/doxygen/Doxyfile.core.internal
index aa559d588d15a..20bcf8d1df8dd 100644
--- a/tools/doxygen/Doxyfile.core.internal
+++ b/tools/doxygen/Doxyfile.core.internal
@@ -2582,6 +2582,7 @@ src/core/lib/security/security_connector/tls/tls_security_connector.cc \
src/core/lib/security/security_connector/tls/tls_security_connector.h \
src/core/lib/security/transport/auth_filters.h \
src/core/lib/security/transport/client_auth_filter.cc \
+src/core/lib/security/transport/legacy_server_auth_filter.cc \
src/core/lib/security/transport/secure_endpoint.cc \
src/core/lib/security/transport/secure_endpoint.h \
src/core/lib/security/transport/security_handshaker.cc \