Move google_default channel_credentials out of `include/grpc/grpc_security.h` (#31786)

BUILD

@@ -195,6 +195,7 @@ GPR_PUBLIC_HDRS = [
 GRPC_PUBLIC_HDRS = [
     "include/grpc/byte_buffer.h",
     "include/grpc/byte_buffer_reader.h",
+    "include/grpc/channel_credentials/google_default.h",
     "include/grpc/compression.h",
     "include/grpc/fork.h",
     "include/grpc/grpc.h",

CMakeLists.txt

@@ -2436,6 +2436,7 @@ foreach(_hdr
   include/grpc/byte_buffer.h
   include/grpc/byte_buffer_reader.h
   include/grpc/census.h
+  include/grpc/channel_credentials/google_default.h
   include/grpc/compression.h
   include/grpc/event_engine/endpoint_config.h
   include/grpc/event_engine/event_engine.h
@@ -3042,6 +3043,7 @@ foreach(_hdr
   include/grpc/byte_buffer.h
   include/grpc/byte_buffer_reader.h
   include/grpc/census.h
+  include/grpc/channel_credentials/google_default.h
   include/grpc/compression.h
   include/grpc/event_engine/endpoint_config.h
   include/grpc/event_engine/event_engine.h
@@ -4520,6 +4522,7 @@ target_link_libraries(grpc_authorization_provider
 foreach(_hdr
   include/grpc/byte_buffer.h
   include/grpc/byte_buffer_reader.h
+  include/grpc/channel_credentials/google_default.h
   include/grpc/compression.h
   include/grpc/event_engine/endpoint_config.h
   include/grpc/event_engine/event_engine.h

Makefile

@@ -1670,6 +1670,7 @@ PUBLIC_HEADERS_C += \
     include/grpc/byte_buffer.h \
     include/grpc/byte_buffer_reader.h \
     include/grpc/census.h \
+    include/grpc/channel_credentials/google_default.h \
     include/grpc/compression.h \
     include/grpc/event_engine/endpoint_config.h \
     include/grpc/event_engine/event_engine.h \
@@ -2136,6 +2137,7 @@ PUBLIC_HEADERS_C += \
     include/grpc/byte_buffer.h \
     include/grpc/byte_buffer_reader.h \
     include/grpc/census.h \
+    include/grpc/channel_credentials/google_default.h \
     include/grpc/compression.h \
     include/grpc/event_engine/endpoint_config.h \
     include/grpc/event_engine/event_engine.h \

build_autogenerated.yaml

@@ -257,6 +257,7 @@ libs:
   - include/grpc/byte_buffer.h
   - include/grpc/byte_buffer_reader.h
   - include/grpc/census.h
+  - include/grpc/channel_credentials/google_default.h
   - include/grpc/compression.h
   - include/grpc/event_engine/endpoint_config.h
   - include/grpc/event_engine/event_engine.h
@@ -1839,6 +1840,7 @@ libs:
   - include/grpc/byte_buffer.h
   - include/grpc/byte_buffer_reader.h
   - include/grpc/census.h
+  - include/grpc/channel_credentials/google_default.h
   - include/grpc/compression.h
   - include/grpc/event_engine/endpoint_config.h
   - include/grpc/event_engine/event_engine.h
@@ -3374,6 +3376,7 @@ libs:
   public_headers:
   - include/grpc/byte_buffer.h
   - include/grpc/byte_buffer_reader.h
+  - include/grpc/channel_credentials/google_default.h
   - include/grpc/compression.h
   - include/grpc/event_engine/endpoint_config.h
   - include/grpc/event_engine/event_engine.h

gRPC-Core.podspec

@@ -107,6 +107,7 @@ Pod::Spec.new do |s|
     ss.source_files = 'include/grpc/byte_buffer.h',
                       'include/grpc/byte_buffer_reader.h',
                       'include/grpc/census.h',
+                      'include/grpc/channel_credentials/google_default.h',
                       'include/grpc/compression.h',
                       'include/grpc/event_engine/endpoint_config.h',
                       'include/grpc/event_engine/event_engine.h',

grpc.def

@@ -10,6 +10,7 @@ EXPORTS
     grpc_byte_buffer_reader_peek
     grpc_byte_buffer_reader_readall
     grpc_raw_byte_buffer_from_reader
+    grpc_google_default_credentials_create
     grpc_compression_algorithm_is_message
     grpc_compression_algorithm_is_stream
     grpc_compression_algorithm_parse
@@ -115,7 +116,6 @@ EXPORTS
     grpc_ssl_session_cache_destroy
     grpc_ssl_session_cache_create_channel_arg
     grpc_call_credentials_release
-    grpc_google_default_credentials_create
     grpc_set_ssl_roots_override_callback
     grpc_ssl_credentials_create
     grpc_ssl_credentials_create_ex

grpc.gemspec

@@ -50,6 +50,7 @@ Gem::Specification.new do |s|
   s.files += %w( include/grpc/byte_buffer.h )
   s.files += %w( include/grpc/byte_buffer_reader.h )
   s.files += %w( include/grpc/census.h )
+  s.files += %w( include/grpc/channel_credentials/google_default.h )
   s.files += %w( include/grpc/compression.h )
   s.files += %w( include/grpc/event_engine/endpoint_config.h )
   s.files += %w( include/grpc/event_engine/event_engine.h )

include/grpc/channel_credentials/google_default.h

@@ -0,0 +1,52 @@
+// Copyright 2022 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_CHANNEL_CREDENTIALS_GOOGLE_DEFAULT_H
+#define GRPC_CHANNEL_CREDENTIALS_GOOGLE_DEFAULT_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc.h>
+#include <grpc/grpc_security.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** Creates default credentials to connect to a google gRPC service.
+   WARNING: Do NOT use this credentials to connect to a non-google service as
+   this could result in an oauth2 token leak. The security level of the
+   resulting connection is GRPC_PRIVACY_AND_INTEGRITY.
+
+   If specified, the supplied call credentials object will be attached to the
+   returned channel credentials object. The call_credentials object must remain
+   valid throughout the lifetime of the returned grpc_channel_credentials
+   object. It is expected that the call credentials object was generated
+   according to the Application Default Credentials mechanism and asserts the
+   identity of the default service account of the machine. Supplying any other
+   sort of call credential will result in undefined behavior, up to and
+   including the sudden and unexpected failure of RPCs.
+
+   If nullptr is supplied, the returned channel credentials object will use a
+   call credentials object based on the Application Default Credentials
+   mechanism.
+*/
+GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create(
+    grpc_call_credentials* call_credentials);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GRPC_CHANNEL_CREDENTIALS_GOOGLE_DEFAULT_H */

include/grpc/grpc_security.h

@@ -131,27 +131,6 @@ typedef struct grpc_call_credentials grpc_call_credentials;
    The creator of the credentials object is responsible for its release. */
 GRPCAPI void grpc_call_credentials_release(grpc_call_credentials* creds);
 
-/** Creates default credentials to connect to a google gRPC service.
-   WARNING: Do NOT use this credentials to connect to a non-google service as
-   this could result in an oauth2 token leak. The security level of the
-   resulting connection is GRPC_PRIVACY_AND_INTEGRITY.
-
-   If specified, the supplied call credentials object will be attached to the
-   returned channel credentials object. The call_credentials object must remain
-   valid throughout the lifetime of the returned grpc_channel_credentials
-   object. It is expected that the call credentials object was generated
-   according to the Application Default Credentials mechanism and asserts the
-   identity of the default service account of the machine. Supplying any other
-   sort of call credential will result in undefined behavior, up to and
-   including the sudden and unexpected failure of RPCs.
-
-   If nullptr is supplied, the returned channel credentials object will use a
-   call credentials object based on the Application Default Credentials
-   mechanism.
-*/
-GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create(
-    grpc_call_credentials* call_credentials);
-
 /** Callback for getting the SSL roots override from the application.
    In case of success, *pem_roots_certs must be set to a NULL terminated string
    containing the list of PEM encoded root certificates. The ownership is passed

include/grpc/module.modulemap

@@ -5,6 +5,7 @@ framework module grpc {
 header "byte_buffer.h"
   header "byte_buffer_reader.h"
   header "census.h"
+  header "channel_credentials/google_default.h"
   header "compression.h"
   header "fork.h"
   header "grpc.h"

package.xml

@@ -32,6 +32,7 @@
     <file baseinstalldir="/" name="include/grpc/byte_buffer.h" role="src" />
     <file baseinstalldir="/" name="include/grpc/byte_buffer_reader.h" role="src" />
     <file baseinstalldir="/" name="include/grpc/census.h" role="src" />
+    <file baseinstalldir="/" name="include/grpc/channel_credentials/google_default.h" role="src" />
     <file baseinstalldir="/" name="include/grpc/compression.h" role="src" />
     <file baseinstalldir="/" name="include/grpc/event_engine/endpoint_config.h" role="src" />
     <file baseinstalldir="/" name="include/grpc/event_engine/event_engine.h" role="src" />

src/core/lib/security/credentials/channel_creds_registry_init.cc

@@ -22,6 +22,7 @@
 
 #include "absl/strings/string_view.h"
 
+#include <grpc/channel_credentials/google_default.h>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 

src/core/lib/security/credentials/google_default/google_default_credentials.cc

@@ -32,6 +32,7 @@
 #include "absl/strings/strip.h"
 #include "absl/types/optional.h"
 
+#include <grpc/channel_credentials/google_default.h>
 #include <grpc/grpc_security.h>  // IWYU pragma: keep
 #include <grpc/grpc_security_constants.h>
 #include <grpc/impl/codegen/grpc_types.h>

src/cpp/client/secure_credentials.cc

@@ -29,6 +29,7 @@
 #include "absl/strings/str_join.h"
 #include "absl/types/optional.h"
 
+#include <grpc/channel_credentials/google_default.h>
 #include <grpc/event_engine/event_engine.h>
 #include <grpc/grpc_security_constants.h>
 #include <grpc/impl/codegen/gpr_types.h>

src/php/ext/grpc/channel_credentials.c

@@ -27,6 +27,7 @@
 #include <ext/spl/spl_exceptions.h>
 #include <zend_exceptions.h>
 
+#include <grpc/channel_credentials/google_default.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/string_util.h>
 

src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi

@@ -552,7 +552,6 @@ cdef extern from "grpc/grpc_security.h":
   void grpc_set_ssl_roots_override_callback(
       grpc_ssl_roots_override_callback cb) nogil
 
-  grpc_channel_credentials *grpc_google_default_credentials_create(grpc_call_credentials* call_credentials) nogil
   grpc_channel_credentials *grpc_ssl_credentials_create(
       const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair,
       verify_peer_options *verify_options, void *reserved) nogil
@@ -667,7 +666,7 @@ cdef extern from "grpc/grpc_security.h":
   ctypedef struct grpc_alts_credentials_options:
     # We don't care about the internals (and in fact don't know them)
     pass
- 
+
   grpc_channel_credentials *grpc_alts_credentials_create(
     const grpc_alts_credentials_options *options)
   grpc_server_credentials *grpc_alts_server_credentials_create(
@@ -679,6 +678,9 @@ cdef extern from "grpc/grpc_security.h":
   void grpc_alts_credentials_client_options_add_target_service_account(grpc_alts_credentials_options *options, const char *service_account)
 
 
+cdef extern from "grpc/channel_credentials/google_default.h":
+  grpc_channel_credentials *grpc_google_default_credentials_create(grpc_call_credentials* call_credentials) nogil
+
 
 cdef extern from "grpc/compression.h":
 

src/ruby/ext/grpc/rb_grpc_imports.generated.c

@@ -33,6 +33,7 @@ grpc_byte_buffer_reader_next_type grpc_byte_buffer_reader_next_import;
 grpc_byte_buffer_reader_peek_type grpc_byte_buffer_reader_peek_import;
 grpc_byte_buffer_reader_readall_type grpc_byte_buffer_reader_readall_import;
 grpc_raw_byte_buffer_from_reader_type grpc_raw_byte_buffer_from_reader_import;
+grpc_google_default_credentials_create_type grpc_google_default_credentials_create_import;
 grpc_compression_algorithm_is_message_type grpc_compression_algorithm_is_message_import;
 grpc_compression_algorithm_is_stream_type grpc_compression_algorithm_is_stream_import;
 grpc_compression_algorithm_parse_type grpc_compression_algorithm_parse_import;
@@ -138,7 +139,6 @@ grpc_ssl_session_cache_create_lru_type grpc_ssl_session_cache_create_lru_import;
 grpc_ssl_session_cache_destroy_type grpc_ssl_session_cache_destroy_import;
 grpc_ssl_session_cache_create_channel_arg_type grpc_ssl_session_cache_create_channel_arg_import;
 grpc_call_credentials_release_type grpc_call_credentials_release_import;
-grpc_google_default_credentials_create_type grpc_google_default_credentials_create_import;
 grpc_set_ssl_roots_override_callback_type grpc_set_ssl_roots_override_callback_import;
 grpc_ssl_credentials_create_type grpc_ssl_credentials_create_import;
 grpc_ssl_credentials_create_ex_type grpc_ssl_credentials_create_ex_import;
@@ -318,6 +318,7 @@ void grpc_rb_load_imports(HMODULE library) {
   grpc_byte_buffer_reader_peek_import = (grpc_byte_buffer_reader_peek_type) GetProcAddress(library, "grpc_byte_buffer_reader_peek");
   grpc_byte_buffer_reader_readall_import = (grpc_byte_buffer_reader_readall_type) GetProcAddress(library, "grpc_byte_buffer_reader_readall");
   grpc_raw_byte_buffer_from_reader_import = (grpc_raw_byte_buffer_from_reader_type) GetProcAddress(library, "grpc_raw_byte_buffer_from_reader");
+  grpc_google_default_credentials_create_import = (grpc_google_default_credentials_create_type) GetProcAddress(library, "grpc_google_default_credentials_create");
   grpc_compression_algorithm_is_message_import = (grpc_compression_algorithm_is_message_type) GetProcAddress(library, "grpc_compression_algorithm_is_message");
   grpc_compression_algorithm_is_stream_import = (grpc_compression_algorithm_is_stream_type) GetProcAddress(library, "grpc_compression_algorithm_is_stream");
   grpc_compression_algorithm_parse_import = (grpc_compression_algorithm_parse_type) GetProcAddress(library, "grpc_compression_algorithm_parse");
@@ -423,7 +424,6 @@ void grpc_rb_load_imports(HMODULE library) {
   grpc_ssl_session_cache_destroy_import = (grpc_ssl_session_cache_destroy_type) GetProcAddress(library, "grpc_ssl_session_cache_destroy");
   grpc_ssl_session_cache_create_channel_arg_import = (grpc_ssl_session_cache_create_channel_arg_type) GetProcAddress(library, "grpc_ssl_session_cache_create_channel_arg");
   grpc_call_credentials_release_import = (grpc_call_credentials_release_type) GetProcAddress(library, "grpc_call_credentials_release");
-  grpc_google_default_credentials_create_import = (grpc_google_default_credentials_create_type) GetProcAddress(library, "grpc_google_default_credentials_create");
   grpc_set_ssl_roots_override_callback_import = (grpc_set_ssl_roots_override_callback_type) GetProcAddress(library, "grpc_set_ssl_roots_override_callback");
   grpc_ssl_credentials_create_import = (grpc_ssl_credentials_create_type) GetProcAddress(library, "grpc_ssl_credentials_create");
   grpc_ssl_credentials_create_ex_import = (grpc_ssl_credentials_create_ex_type) GetProcAddress(library, "grpc_ssl_credentials_create_ex");

src/ruby/ext/grpc/rb_grpc_imports.generated.h

@@ -26,6 +26,7 @@
 #include <windows.h>
 
 #include <grpc/byte_buffer.h>
+#include <grpc/channel_credentials/google_default.h>
 #include <grpc/compression.h>
 #include <grpc/grpc.h>
 #include <grpc/grpc_posix.h>
@@ -74,6 +75,9 @@ extern grpc_byte_buffer_reader_readall_type grpc_byte_buffer_reader_readall_impo
 typedef grpc_byte_buffer*(*grpc_raw_byte_buffer_from_reader_type)(grpc_byte_buffer_reader* reader);
 extern grpc_raw_byte_buffer_from_reader_type grpc_raw_byte_buffer_from_reader_import;
 #define grpc_raw_byte_buffer_from_reader grpc_raw_byte_buffer_from_reader_import
+typedef grpc_channel_credentials*(*grpc_google_default_credentials_create_type)(grpc_call_credentials* call_credentials);
+extern grpc_google_default_credentials_create_type grpc_google_default_credentials_create_import;
+#define grpc_google_default_credentials_create grpc_google_default_credentials_create_import
 typedef int(*grpc_compression_algorithm_is_message_type)(grpc_compression_algorithm algorithm);
 extern grpc_compression_algorithm_is_message_type grpc_compression_algorithm_is_message_import;
 #define grpc_compression_algorithm_is_message grpc_compression_algorithm_is_message_import
@@ -389,9 +393,6 @@ extern grpc_ssl_session_cache_create_channel_arg_type grpc_ssl_session_cache_cre
 typedef void(*grpc_call_credentials_release_type)(grpc_call_credentials* creds);
 extern grpc_call_credentials_release_type grpc_call_credentials_release_import;
 #define grpc_call_credentials_release grpc_call_credentials_release_import
-typedef grpc_channel_credentials*(*grpc_google_default_credentials_create_type)(grpc_call_credentials* call_credentials);
-extern grpc_google_default_credentials_create_type grpc_google_default_credentials_create_import;
-#define grpc_google_default_credentials_create grpc_google_default_credentials_create_import
 typedef void(*grpc_set_ssl_roots_override_callback_type)(grpc_ssl_roots_override_callback cb);
 extern grpc_set_ssl_roots_override_callback_type grpc_set_ssl_roots_override_callback_import;
 #define grpc_set_ssl_roots_override_callback grpc_set_ssl_roots_override_callback_import

test/core/security/credentials_test.cc

@@ -33,6 +33,7 @@
 #include "absl/strings/str_format.h"
 #include "absl/strings/str_replace.h"
 
+#include <grpc/channel_credentials/google_default.h>
 #include <grpc/grpc_security.h>
 #include <grpc/slice.h>
 #include <grpc/support/alloc.h>

test/core/security/print_google_default_creds_token.cc

@@ -19,6 +19,7 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <grpc/channel_credentials/google_default.h>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpc/slice.h>

test/core/surface/public_headers_must_be_c89.c

@@ -19,6 +19,7 @@
 #include <grpc/byte_buffer.h>
 #include <grpc/byte_buffer_reader.h>
 #include <grpc/census.h>
+#include <grpc/channel_credentials/google_default.h>
 #include <grpc/compression.h>
 #include <grpc/fork.h>
 #include <grpc/grpc.h>
@@ -80,6 +81,7 @@ int main(int argc, char **argv) {
   printf("%lx", (unsigned long) grpc_byte_buffer_reader_peek);
   printf("%lx", (unsigned long) grpc_byte_buffer_reader_readall);
   printf("%lx", (unsigned long) grpc_raw_byte_buffer_from_reader);
+  printf("%lx", (unsigned long) grpc_google_default_credentials_create);
   printf("%lx", (unsigned long) grpc_compression_algorithm_is_message);
   printf("%lx", (unsigned long) grpc_compression_algorithm_is_stream);
   printf("%lx", (unsigned long) grpc_compression_algorithm_parse);
@@ -183,7 +185,6 @@ int main(int argc, char **argv) {
   printf("%lx", (unsigned long) grpc_ssl_session_cache_destroy);
   printf("%lx", (unsigned long) grpc_ssl_session_cache_create_channel_arg);
   printf("%lx", (unsigned long) grpc_call_credentials_release);
-  printf("%lx", (unsigned long) grpc_google_default_credentials_create);
   printf("%lx", (unsigned long) grpc_set_ssl_roots_override_callback);
   printf("%lx", (unsigned long) grpc_ssl_credentials_create);
   printf("%lx", (unsigned long) grpc_ssl_credentials_create_ex);

tools/doxygen/Doxyfile.c++

@@ -880,6 +880,7 @@ include/grpc++/support/time.h \
 include/grpc/byte_buffer.h \
 include/grpc/byte_buffer_reader.h \
 include/grpc/census.h \
+include/grpc/channel_credentials/google_default.h \
 include/grpc/compression.h \
 include/grpc/event_engine/endpoint_config.h \
 include/grpc/event_engine/event_engine.h \

tools/doxygen/Doxyfile.c++.internal

@@ -880,6 +880,7 @@ include/grpc++/support/time.h \
 include/grpc/byte_buffer.h \
 include/grpc/byte_buffer_reader.h \
 include/grpc/census.h \
+include/grpc/channel_credentials/google_default.h \
 include/grpc/compression.h \
 include/grpc/event_engine/endpoint_config.h \
 include/grpc/event_engine/event_engine.h \

tools/doxygen/Doxyfile.core

@@ -810,6 +810,7 @@ doc/xds-test-descriptions.md \
 include/grpc/byte_buffer.h \
 include/grpc/byte_buffer_reader.h \
 include/grpc/census.h \
+include/grpc/channel_credentials/google_default.h \
 include/grpc/compression.h \
 include/grpc/event_engine/endpoint_config.h \
 include/grpc/event_engine/event_engine.h \

tools/doxygen/Doxyfile.core.internal

@@ -810,6 +810,7 @@ doc/xds-test-descriptions.md \
 include/grpc/byte_buffer.h \
 include/grpc/byte_buffer_reader.h \
 include/grpc/census.h \
+include/grpc/channel_credentials/google_default.h \
 include/grpc/compression.h \
 include/grpc/event_engine/endpoint_config.h \
 include/grpc/event_engine/event_engine.h \