See #36176. The only difference is a temporary shim for Secure credentials types, which was already discussed and approved separately.
Closes#36242
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36242 from drfloob:reland/36176 f07bebe289
PiperOrigin-RevId: 621879911
Bumps [cryptography](https://github.com/pyca/cryptography) from 3.4.6 to 42.0.4.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's changelog</a>.</em></p>
<blockquote>
<p>42.0.4 - 2024-02-20</p>
<pre><code>
* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.
<p>.. _v42-0-3:</p>
<p>42.0.3 - 2024-02-15
</code></pre></p>
<ul>
<li>Fixed an initialization issue that caused key loading failures for some
users.</li>
</ul>
<p>.. _v42-0-2:</p>
<p>42.0.2 - 2024-01-30</p>
<pre><code>
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
<p>.. _v42-0-1:</p>
<p>42.0.1 - 2024-01-24
</code></pre></p>
<ul>
<li>Fixed an issue with incorrect keyword-argument naming with <code>EllipticCurvePrivateKey</code>
:meth:<code>~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign</code>.</li>
<li>Resolved compatibility issue with loading certain RSA public keys in
:func:<code>~cryptography.hazmat.primitives.serialization.load_pem_public_key</code>.</li>
</ul>
<p>.. _v42-0-0:</p>
<p>42.0.0 - 2024-01-22</p>
<pre><code>
</tr></table>
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="fe18470f7d"><code>fe18470</code></a> Bump for 42.0.4 release (<a href="https://redirect.github.com/pyca/cryptography/issues/10445">#10445</a>)</li>
<li><a href="aaa2dd06ed"><code>aaa2dd0</code></a> Fix ASN.1 issues in PKCS#7 and S/MIME signing (<a href="https://redirect.github.com/pyca/cryptography/issues/10373">#10373</a>) (<a href="https://redirect.github.com/pyca/cryptography/issues/10442">#10442</a>)</li>
<li><a href="7a4d012991"><code>7a4d012</code></a> Fixes <a href="https://redirect.github.com/pyca/cryptography/issues/10422">#10422</a> -- don't crash when a PKCS#12 key and cert don't match (<a href="https://redirect.github.com/pyca/cryptography/issues/10423">#10423</a>) ...</li>
<li><a href="df314bb182"><code>df314bb</code></a> backport actions m1 switch to 42.0.x (<a href="https://redirect.github.com/pyca/cryptography/issues/10415">#10415</a>)</li>
<li><a href="c49a7a5271"><code>c49a7a5</code></a> changelog and version bump for 42.0.3 (<a href="https://redirect.github.com/pyca/cryptography/issues/10396">#10396</a>)</li>
<li><a href="396bcf64c5"><code>396bcf6</code></a> fix provider loading take two (<a href="https://redirect.github.com/pyca/cryptography/issues/10390">#10390</a>) (<a href="https://redirect.github.com/pyca/cryptography/issues/10395">#10395</a>)</li>
<li><a href="0e0e46f5f7"><code>0e0e46f</code></a> backport: initialize openssl's legacy provider in rust (<a href="https://redirect.github.com/pyca/cryptography/issues/10323">#10323</a>) (<a href="https://redirect.github.com/pyca/cryptography/issues/10333">#10333</a>)</li>
<li><a href="2202123b50"><code>2202123</code></a> changelog and version bump 42.0.2 (<a href="https://redirect.github.com/pyca/cryptography/issues/10268">#10268</a>)</li>
<li><a href="f7032bdd40"><code>f7032bd</code></a> bump openssl in CI (<a href="https://redirect.github.com/pyca/cryptography/issues/10298">#10298</a>) (<a href="https://redirect.github.com/pyca/cryptography/issues/10299">#10299</a>)</li>
<li><a href="002e886f16"><code>002e886</code></a> Fixes <a href="https://redirect.github.com/pyca/cryptography/issues/10294">#10294</a> -- correct accidental change to exchange kwarg (<a href="https://redirect.github.com/pyca/cryptography/issues/10295">#10295</a>) (<a href="https://redirect.github.com/pyca/cryptography/issues/10296">#10296</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/pyca/cryptography/compare/3.4.6...42.0.4">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/grpc/grpc/network/alerts).
</details>
Closes#36153
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36153 from grpc:dependabot/pip/tools/internal_ci/helper_scripts/cryptography-42.0.4 7a8a0d3528
PiperOrigin-RevId: 621637071
When parsing `action` fails we don't touch that memory in the object loader, yet we still call `PostLoad` to fill in any other errors. In that case we are currently relying on undefined behavior to have this test work -- why msan didn't flag it upsets me.
Default `action` to some safe value to avoid the undefined behavior, and log the bad action in the error message to ease debugging here in the future.
Closes#36244
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36244 from ctiller:rbac-undef d94b04a508
PiperOrigin-RevId: 621599880
This paves the way for removing `GetEndpoint()` from the transport API, which is a prereq for removing `grpc_endpoint_shutdown()`.
Closes#36237
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36237 from markdroth:endpoint_filter_cleanup_rbac 46a41400e0
PiperOrigin-RevId: 621537397
Following up to #33961 `Party` no longer needs to refer to `Arena`, and decoupling gives us a few more degrees of freedom in the design of a final `CallSpine`.
Also flesh out `LogStateChange` usage so that all state transitions are traced when that tracer is enabled.
Closes#36229
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36229 from ctiller:arenaless-party 51ae8eb898
PiperOrigin-RevId: 621525912
Soon we'll want to wind back some of the custom header ordering rules that we enforce in gRPC to make some workflow issues easier. As a first step, remove the `port_platform.h` as first header requirement -- where we need it, CI will show a problem -- and removing it lets us remove one of the bigger ordering constraints we have.
Closes#36234
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36234 from ctiller:port-platform-requirement 93eb96a7b4
PiperOrigin-RevId: 621327253
These tests are slow and can timeout, this diff increase the number of concurrent jobs to 4 and 8, which may help avoid timeouts.
These parameters are also configured differently in [many other tests](https://github.com/search?q=repo%3Agrpc%2Fgrpc+inner_jobs&type=code).
```
2024-03-10 07:00:56,453 START: run_tests_c_macos_dbg_native
2024-03-10 07:06:44,335 PASSED: run_tests_c_macos_dbg_native [time=347.9sec, retries=0:0]
2024-03-10 07:06:44,335 START: run_tests_c_macos_opt_native
2024-03-10 07:12:54,717 PASSED: run_tests_c_macos_opt_native [time=370.4sec, retries=0:0]
2024-03-10 07:12:54,717 START: run_tests_c++_macos_dbg_native
2024-03-10 09:19:00,785 PASSED: run_tests_c++_macos_dbg_native [time=7566.1sec, retries=0:0]
2024-03-10 09:19:00,788 START: run_tests_c++_macos_opt_native
ERROR: Aborting VM command due to timeout of 14400 seconds
```
Closes#36190
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36190 from HannahShiSFB:basic-c-cpp-macos-jobs c026a6afbc
PiperOrigin-RevId: 621306368
modeled after absl/time
<!--
If you know who should review your pull request, please assign it to that
person, otherwise the pull request would get assigned randomly.
If your pull request is for a specific language, please add the appropriate
lang label.
-->
Closes#36219
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36219 from yijiem:fix-infinities e102d7fe21
PiperOrigin-RevId: 621287985
Issue https://github.com/grpc/grpc/issues/34304
Allows to disable systemd support,
as well as linking with libsystemd,
when it is not required.
The option has three possible values:
AUTO - Default, Will try to find libsystemd. If found, systemd support will be enabled.
ON - Enable systemd support. Build will fail if libsystemd is not found.
OFF - Disable systemd support.
Closes#34384
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/34384 from kirpichik:cmake-use-systemd-option 96f5f4bd68
PiperOrigin-RevId: 621274356
Ref: b/332425004
Adding a workaround for x86 builds that run into trouble with using an installed abseil library.
Closes#36220
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36220 from yashykt:FixPortabilityLinux 672ccdb3ff
PiperOrigin-RevId: 621259080
This was a concept that I thought we'd need, but as work has continued it's clear that the right api is CallDestination (or variants thereof)
Closes#36226
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36226 from ctiller:call_factory c30a893f3a
PiperOrigin-RevId: 621255162
Also addressing a TODO from previous PRs where `authority` is not being populated in the `ChannelScope`.
Closes#36189
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36189 from yashykt:OTelChannelScope e76f9ce0ca
PiperOrigin-RevId: 621231764
In Cython 3, cdef functions that really will not raise exceptions must be declared as `noexcept`. Fixed by this commit.
Update requirements to `cython >= 3.0` in requirements*.txt and setup.py.
Fixes issue #33918.
<!--
If you know who should review your pull request, please assign it to that
person, otherwise the pull request would get assigned randomly.
If your pull request is for a specific language, please add the appropriate
lang label.
-->
Closes#35995
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/35995 from badshah400:master b3277bac15
PiperOrigin-RevId: 621214091
Forked from #35957
This PR refactors the credentials types to remove Secure and Insecure Channel and Call credentials types. We standardize on a `c_creds()` accessor method for all credentials types, which can now be treated uniformly. This notably removes special-case handling of insecure credentials.
The special code-paths for insecure creds are no longer necessary in the wake of #25586.
Closes#36176
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36176 from drfloob:fork/35957/creds-API fd64d59c23
PiperOrigin-RevId: 621008166
It looks like we're settling on moving this functionality into the channel itself - so removing the filter makes sense (especially since it had some significant bugs)
Closes#36213
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36213 from ctiller:x-ex 3040dcec95
PiperOrigin-RevId: 620996358
Protobuf for Ruby bumped the major version to 4. [package](https://rubygems.org/gems/google-protobuf) so the Ruby gemspec should be updated to have 4 instead of 3.
But gRPC's other dependencies don't work with Protobuf 4.x so I fixed the version of google-protobuf for gRPC Ruby to 3.25 which was the last version gRPC used.
Closes#36215
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36215 from veblush:ruby-protobuf 171a6d63bc
PiperOrigin-RevId: 620987535
- client initial metadata is always supplied at initiator construction
- stack configuration is lazily supplied
Closes#36005
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36005 from ctiller:chan3-no-push 423869d77b
PiperOrigin-RevId: 620971618
Instead, build a library and re-use that across compilations.
This still invokes a link step per target, and we'll want to deal with that at some point too, but at least this makes some progress to not being as wasteful with our compilation resources.
Additionally: remove bm_pollset -- it was having some problems compiling, and we really don't need it anymore.
Closes#36197
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36197 from ctiller:maintain-this-shite 9955026e23
PiperOrigin-RevId: 620946543
Previously we wrote `DualRefCounted : public Orphanable`, but this is wrong: `Orphan`-ing is a private implementation detail to `DualRefCounted`, but a public interface to `Orphanable`.
This bug means that it's possible to write `OrphanablePtr<T>` when `T` is derived from `DualRefCounted`, leading to hard to diagnose bugs - especially when moving a previously `Orphanable` type to be `DualRefCounted`.
This change removes the inheritance from `Orphanable`, and instead adds an overridable method `Orphaned` that implementors of `DualRefCounted` can implement.
In this way we get:
* compiler errors if someone chooses to write `OrphanablePtr` for one of these types
* compiler errors if someone implements `Orphan()` instead of `Orphaned()` in the wrong place (or vice versa)
Closes#36194
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36194 from ctiller:orf b96b831a96
PiperOrigin-RevId: 620916632
Internally, use `std::vector` instead of `ChunkedVector` to hold extra metadatum.
I'm not totally convinced this is the right move, so it's going to be a try it and monitor for a month or so thing... I might roll back if performance is actually affected (but I think we'll see some wins and losses and overall about a wash).
Closes#36118
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36118 from ctiller:YUPYUPYUP 68e0acd0a2
PiperOrigin-RevId: 620902195
This removes two Executor::Run dependencies, and requires that all ServerCallbackCall implementations implement the new `RunAsync` method. There's one other known other implementation of ServerCallbackCall that will need to be updated.
We could also support an "inefficient" path that uses the default engine (not implemented here), for all subclasses that do not want to update. As far as anyone is aware, the ServerCallbackCall class was never intended to be subclassed externally.
Closes#36126
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36126 from drfloob:server-callback-on-ee 6242a78a3f
PiperOrigin-RevId: 619621598
<!--
If you know who should review your pull request, please assign it to that
person, otherwise the pull request would get assigned randomly.
If your pull request is for a specific language, please add the appropriate
lang label.
-->
Closes#36179
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36179 from yousukseung:work-serializer-dispatch-extend cb47ee8dbb
PiperOrigin-RevId: 619309808
Remove rolled out experiments v3_compression_filter, v3_server_auth_filter; Extend WIP v3_channel_idle_filter for a bit, and extend work_serializer_clears_time_cache until OSS issues with work_serializer_dispatch are resolved.
Closes#36166
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36166 from ctiller:updat3 2c7223f63b
PiperOrigin-RevId: 619057925
<!--
If you know who should review your pull request, please assign it to that
person, otherwise the pull request would get assigned randomly.
If your pull request is for a specific language, please add the appropriate
lang label.
-->
Closes#36070
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36070 from yijiem:grpc-metrics 72653727b1
PiperOrigin-RevId: 618529035
We've seen some recent crashes with the work_serializer_dispatch experiment where the picker is null when we try to do an LB pick. The only code-path we've found where the picker is set to null is the one triggered by the channel_idle filter, so we think we may be hitting a race condition where the call is started on the client_channel filter after the request to go idle has hit the WorkSerializer but before it has actually run.
If that is the cause, then the right fix is to ensure that once we dispatch the request to go idle, we enqueue any subsequent RPC and dispatch a request to exit idle. However, that will require a bit of work, and it will be easier to do as part of the new call v3 channel stack, so we don't want to invest time in fixing this in the current implementation.
For now, we add a work-around where we fail the RPC if the picker is null, which is better than crashing but not ideal.
Closes#36167
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36167 from markdroth:client_channel_idle_race_workaround 0207dd3bdd
PiperOrigin-RevId: 618271781
#35923 removed the use of mach_absolute_time in gpr.
There is still one usage in protobuf, which they have removed the usage in https://github.com/protocolbuffers/protobuf/pull/15554 but we haven't update yet.
However gRPC library does not depends on protobuf but upb, so we should no longer need NSPrivacyAccessedAPICategorySystemBootTime any more.
Closes#36080
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36080 from HannahShiSFB:remove-privacy-for-mach_absolute_time dacccafeec
PiperOrigin-RevId: 617995787
AJ Heller
Arvind Bright
dependabot[bot]
Esun Kim
Craig Tiller
Mark D. Roth
Hannah Shi
Yijie Ma
Kirill
Yash Tibrewal
Vojtěch Boček
Atri Bhattacharya
Alexander Polcyn
tony
Tanvi Jagtap
Vignesh Babu
Yousuk Seung