grpc: CallCredentials implementation on JVM

Author: Jozott00

grpc/grpc-client/src/commonMain/kotlin/kotlinx/rpc/grpc/client/GrpcCallCredentials.kt

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2023-2025 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package kotlinx.rpc.grpc.client
+
+import kotlinx.rpc.grpc.GrpcMetadata
+
+public interface GrpcCallCredentials {
+
+    public suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions)
+
+    public val requiresTransportSecurity: Boolean
+        get() = true
+}
+
+public operator fun GrpcCallCredentials.plus(other: GrpcCallCredentials): GrpcCallCredentials {
+    return CombinedCallCredentials(this, other)
+}
+
+public fun GrpcCallCredentials.combine(other: GrpcCallCredentials): GrpcCallCredentials = this + other
+
+public object  EmptyCallCredentials : GrpcCallCredentials {
+    override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
+        // do nothing
+    }
+    override val requiresTransportSecurity: Boolean = false
+}
+
+internal class CombinedCallCredentials(
+    private val first: GrpcCallCredentials,
+    private val second: GrpcCallCredentials
+) : GrpcCallCredentials {
+    override suspend fun GrpcMetadata.applyOnMetadata(
+        callOptions: GrpcCallOptions
+    ) {
+        with(first) {
+            this@applyOnMetadata.applyOnMetadata(callOptions)
+        }
+        with(second) {
+            this@applyOnMetadata.applyOnMetadata(callOptions)
+        }
+    }
+
+    override val requiresTransportSecurity: Boolean = first.requiresTransportSecurity || second.requiresTransportSecurity
+
+}

grpc/grpc-client/src/commonMain/kotlin/kotlinx/rpc/grpc/client/GrpcCallOptions.kt

@@ -49,4 +49,6 @@ public class GrpcCallOptions {
      * @see GrpcCompression
      */
     public var compression: GrpcCompression = GrpcCompression.None
+
+    public var callCredentials: GrpcCallCredentials = EmptyCallCredentials
 }

grpc/grpc-client/src/commonMain/kotlin/kotlinx/rpc/grpc/client/credentials.kt

@@ -8,6 +8,11 @@ import kotlinx.rpc.internal.utils.InternalRpcApi
 
 public expect abstract class ClientCredentials
 
+public expect operator fun ClientCredentials.plus(other: GrpcCallCredentials): ClientCredentials
+
+public fun ClientCredentials.combine(other: GrpcCallCredentials): ClientCredentials = this + other
+
+
 public expect class InsecureClientCredentials : ClientCredentials
 
 // we need a wrapper for InsecureChannelCredentials as our constructor would conflict with the private

grpc/grpc-client/src/jvmMain/kotlin/kotlinx/rpc/grpc/client/GrpcCallOptions.jvm.kt

@@ -18,5 +18,8 @@ public fun GrpcCallOptions.toJvm(): CallOptions {
     if (compression !is GrpcCompression.None) {
         default = default.withCompression(compression.name)
     }
+    if (callCredentials !is EmptyCallCredentials) {
+        default = default.withCallCredentials(callCredentials.toJvm())
+    }
     return default
 }

grpc/grpc-client/src/jvmMain/kotlin/kotlinx/rpc/grpc/client/credentials.jvm.kt

@@ -4,10 +4,20 @@
 
 package kotlinx.rpc.grpc.client
 
+import io.grpc.CallCredentials
 import io.grpc.ChannelCredentials
+import io.grpc.CompositeChannelCredentials
 import io.grpc.InsecureChannelCredentials
+import io.grpc.Metadata
+import io.grpc.SecurityLevel
 import io.grpc.TlsChannelCredentials
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.asCoroutineDispatcher
+import kotlinx.coroutines.launch
+import kotlinx.rpc.grpc.Status
+import kotlinx.rpc.grpc.StatusException
 import kotlinx.rpc.internal.utils.InternalRpcApi
+import java.util.concurrent.Executor
 
 public actual typealias ClientCredentials = ChannelCredentials
 
@@ -48,3 +58,34 @@ private class JvmTlsCLientCredentialBuilder : TlsClientCredentialsBuilder {
         return cb.build()
     }
 }
+
+internal fun GrpcCallCredentials.toJvm(): CallCredentials {
+    return object : CallCredentials() {
+        override fun applyRequestMetadata(
+            requestInfo: RequestInfo,
+            appExecutor: Executor,
+            applier: MetadataApplier
+        ) {
+            val dispatcher = appExecutor.asCoroutineDispatcher()
+            CoroutineScope(dispatcher).launch {
+                try {
+                    check(!requiresTransportSecurity || requestInfo.securityLevel != SecurityLevel.NONE) {
+                        "Transport security required but not present"
+                    }
+
+                    val metadata = Metadata()
+                    metadata.applyOnMetadata(GrpcCallOptions(/* populate from requestInfo if needed */))
+                    applier.apply(metadata)
+                } catch (e: StatusException) {
+                    applier.fail(e.status)
+                } catch (e: Exception) {
+                    applier.fail(Status.UNAUTHENTICATED.withCause(e))
+                }
+            }
+        }
+    }
+}
+
+public actual operator fun ClientCredentials.plus(other: GrpcCallCredentials): ClientCredentials {
+    return CompositeChannelCredentials.create(this, other.toJvm())
+}

grpc/grpc-client/src/nativeMain/kotlin/kotlinx/rpc/grpc/client/credentials.native.kt

@@ -73,3 +73,10 @@ private class NativeTlsClientCredentialsBuilder : TlsClientCredentialsBuilder {
         return TlsClientCredentials(creds)
     }
 }
+
+public actual operator fun ClientCredentials.plus(other: GrpcCallCredentials): ClientCredentials {
+    TODO("Not yet implemented")
+}
+
+internal actual val ClientCredentials.callCredentials: GrpcCallCredentials?
+    get() = TODO("Not yet implemented")

grpc/grpc-core/src/commonTest/kotlin/kotlinx/rpc/grpc/test/proto/CallCredentialsTest.kt

@@ -0,0 +1,199 @@
+/*
+ * Copyright 2023-2025 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package kotlinx.rpc.grpc.test.proto
+
+import kotlinx.rpc.RpcServer
+import kotlinx.rpc.grpc.GrpcMetadata
+import kotlinx.rpc.grpc.Status
+import kotlinx.rpc.grpc.StatusCode
+import kotlinx.rpc.grpc.StatusException
+import kotlinx.rpc.grpc.append
+import kotlinx.rpc.grpc.client.GrpcCallCredentials
+import kotlinx.rpc.grpc.client.GrpcCallOptions
+import kotlinx.rpc.grpc.client.GrpcClient
+import kotlinx.rpc.grpc.client.TlsClientCredentials
+import kotlinx.rpc.grpc.client.plus
+import kotlinx.rpc.grpc.getAll
+import kotlinx.rpc.grpc.server.TlsServerCredentials
+import kotlinx.rpc.grpc.test.EchoRequest
+import kotlinx.rpc.grpc.test.EchoService
+import kotlinx.rpc.grpc.test.EchoServiceImpl
+import kotlinx.rpc.grpc.test.SERVER_CERT_PEM
+import kotlinx.rpc.grpc.test.SERVER_KEY_PEM
+import kotlinx.rpc.grpc.test.assertGrpcFailure
+import kotlinx.rpc.grpc.test.invoke
+import kotlinx.rpc.registerService
+import kotlinx.rpc.withService
+import kotlin.test.Test
+import kotlin.test.assertEquals
+
+/**
+ * Tests that the client can configure the compression of requests.
+ *
+ * This test is hard to realize on native, as the gRPC-Core doesn't expose internal headers like
+ * `grpc-encoding` to the user application. This means we cannot verify that the client or sever
+ * actually sent those headers on native. Instead, we capture the grpc trace output (written to stderr)
+ * and verify that the client and server actually used the compression algorithm.
+ */
+class GrpcCallCredentialsTest : GrpcProtoTest() {
+    override fun RpcServer.registerServices() {
+        return registerService<EchoService> { EchoServiceImpl() }
+    }
+
+    @Test
+    fun `test simple combined call credentials - should succeed`() {
+        var grpcMetadata: GrpcMetadata? = null
+        runGrpcTest(
+            configure = {
+                credentials = plaintext() + NoTLSBearerTokenCredentials()
+            },
+            serverInterceptors = serverInterceptor {
+                grpcMetadata = requestHeaders
+                proceed(it)
+            },
+            test = ::unaryCall
+        )
+
+        val authHeaders = grpcMetadata?.getAll("authorization")
+        assertEquals(1, authHeaders?.size)
+        assertEquals("Bearer token", authHeaders?.single())
+    }
+
+    @Test
+    fun `test combine multiple call credentials - should succeed`() {
+        var grpcMetadata: GrpcMetadata? = null
+        val callCreds = (NoTLSBearerTokenCredentials("token-1") + NoTLSBearerTokenCredentials("token-2"))
+        runGrpcTest(
+            configure = {
+                credentials = plaintext() + callCreds
+            },
+            serverInterceptors = serverInterceptor {
+                grpcMetadata = requestHeaders
+                proceed(it)
+            },
+            test = ::unaryCall
+        )
+        val authHeaders = grpcMetadata?.getAll("authorization")
+        assertEquals(2, authHeaders?.size)
+        assertEquals("Bearer token-1", authHeaders?.first())
+        assertEquals("Bearer token-2", authHeaders?.get(1))
+    }
+
+    @Test
+    fun `test plaintext call credentials - should fail`() {
+        assertGrpcFailure(StatusCode.UNAUTHENTICATED, "Transport security required but not present") {
+            runGrpcTest(
+                configure = {
+                    credentials = plaintext() + TlsBearerTokenCredentials()
+                },
+                test = ::unaryCall
+            )
+        }
+    }
+
+    @Test
+    fun `test tls call credentials - should succeed`() {
+        val serverTls = TlsServerCredentials(SERVER_CERT_PEM, SERVER_KEY_PEM)
+        val clientTls = TlsClientCredentials { trustManager(SERVER_CERT_PEM) }
+        val clientCombined = clientTls + TlsBearerTokenCredentials()
+
+        var grpcMetadata: GrpcMetadata? = null
+        runGrpcTest(
+            configure = {
+                credentials = clientCombined
+                overrideAuthority = "foo.test.google.fr"
+            },
+            serverCreds = serverTls,
+            serverInterceptors = serverInterceptor {
+                grpcMetadata = requestHeaders
+                proceed(it)
+            },
+            test = ::unaryCall
+        )
+
+        val authHeaders = grpcMetadata?.getAll("authorization")
+        assertEquals(1, authHeaders?.size)
+        assertEquals("Bearer token", authHeaders?.single())
+    }
+
+    @Test
+    fun `test throw status exception - should fail with status`() {
+        val throwingCallCredentials = object : GrpcCallCredentials {
+            override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
+                throw StatusException(Status(StatusCode.UNIMPLEMENTED, "This is my custom exception"))
+            }
+
+            override val requiresTransportSecurity: Boolean
+                get() = false
+        }
+
+        assertGrpcFailure(StatusCode.UNIMPLEMENTED, "This is my custom exception") {
+            runGrpcTest(
+                configure = {
+                    credentials = plaintext() + throwingCallCredentials
+                },
+                serverInterceptors = serverInterceptor {
+                    proceed(it)
+                },
+                test = ::unaryCall
+            )
+        }
+    }
+
+    @Test
+    fun `test interceptor call credentials - should succeed`() {
+        var grpcMetadata: GrpcMetadata? = null
+        runGrpcTest(
+            clientInterceptors = clientInterceptor {
+                callOptions.callCredentials += NoTLSBearerTokenCredentials()
+                proceed(it)
+            },
+            serverInterceptors = serverInterceptor {
+                grpcMetadata = requestHeaders
+                proceed(it)
+            },
+            test = ::unaryCall
+        )
+        val authHeaders = grpcMetadata?.getAll("authorization")
+        assertEquals(1, authHeaders?.size)
+        assertEquals("Bearer token", authHeaders?.single())
+    }
+
+    @Test
+    fun `test interceptor call credentials without TLS - should fail`() {
+        assertGrpcFailure(StatusCode.UNAUTHENTICATED, "Transport security required but not present") {
+        runGrpcTest(
+            clientInterceptors = clientInterceptor {
+                callOptions.callCredentials += TlsBearerTokenCredentials()
+                proceed(it)
+            },
+            test = ::unaryCall
+        )}
+    }
+}
+
+private suspend fun unaryCall(grpcClient: GrpcClient) {
+    val service = grpcClient.withService<EchoService>()
+    val response = service.UnaryEcho(EchoRequest { message = "Echo" })
+    assertEquals("Echo", response.message)
+}
+
+class NoTLSBearerTokenCredentials(
+    val token: String = "token"
+): GrpcCallCredentials {
+    override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
+        // potentially fetching the token from a secure storage
+        append("Authorization", "Bearer $token")
+    }
+
+    override val requiresTransportSecurity: Boolean
+        get() = false
+}
+
+class TlsBearerTokenCredentials: GrpcCallCredentials {
+    override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
+        append("Authorization", "Bearer token")
+    }
+}