grpc: Implement native side

Author: Jozott00

grpc/grpc-client/src/commonMain/kotlin/kotlinx/rpc/grpc/client/GrpcCallCredentials.kt

@@ -78,11 +78,7 @@ public interface GrpcCallCredentials {
      * Implementations should return a [GrpcMetadata] object containing the necessary authentication
      * information for the request.
      *
-     * The method is suspending to allow asynchronous operations such as:
-     * - Token retrieval from secure storage
-     * - OAuth token refresh or exchange
-     * - Dynamic token generation or signing
-     * - Network calls to authentication services
+     * The method is suspending to allow asynchronous operations such as token retrieval from secure storage.
      *
      * ## Context Information
      *
@@ -145,9 +141,10 @@ public interface GrpcCallCredentials {
      * @property authority The authority (host:port) for this call.
      */
     // TODO: check whether we should add GrpcCallOptions in the context (KRPC-232)
+    // TODO: determine if possible and necessary to add the MethodDescriptor
     public data class Context(
-        val method: MethodDescriptor<*, *>,
         val authority: String,
+        val methodName: String,
     )
 }
 

grpc/grpc-client/src/nativeMain/kotlin/kotlinx/rpc/grpc/client/GrpcCallCredentials.native.kt

@@ -0,0 +1,138 @@
+/*
+ * Copyright 2023-2025 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+@file:OptIn(ExperimentalForeignApi::class)
+
+package kotlinx.rpc.grpc.client
+
+import cnames.structs.grpc_call_credentials
+import kotlinx.cinterop.*
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.launch
+import kotlinx.rpc.grpc.GrpcMetadata
+import kotlinx.rpc.grpc.StatusException
+import kotlinx.rpc.grpc.internal.destroyEntries
+import kotlinx.rpc.grpc.internal.toRaw
+import kotlinx.rpc.grpc.statusCode
+import libkgrpc.*
+import platform.posix.size_tVar
+
+// Stable reference holder for Kotlin objects
+private class CredentialsPluginState(
+    val kotlinCreds: GrpcCallCredentials,
+    val scope: CoroutineScope
+)
+
+private fun getMetadataCallback(
+    state: COpaquePointer?,
+    context: CValue<grpc_auth_metadata_context>,
+    cb: grpc_credentials_plugin_metadata_cb?,
+    user_data: COpaquePointer?,
+    creds_md: CValuesRef<grpc_metadata>?,
+    num_creds_md: CPointer<size_tVar>?,
+    status: CPointer<grpc_status_code.Var>?,
+    error_details: CPointer<CPointerVar<ByteVar>>?
+): Int {
+    val pluginState = state!!.asStableRef<CredentialsPluginState>().get()
+
+    // Launch coroutine to call suspend function asynchronously
+    pluginState.scope.launch {
+        // Extract context information
+        val serviceUrl = context.useContents { service_url?.toKString() ?: "" }
+        val methodName = context.useContents { method_name?.toKString() ?: "" }
+        val authority = extractAuthority(serviceUrl)
+
+        // Create Kotlin context
+        val kotlinContext = GrpcCallCredentials.Context(
+            authority = authority,
+            methodName = methodName,
+        )
+
+        var metadata = GrpcMetadata()
+        var status = grpc_status_code.GRPC_STATUS_OK
+        var errorDetails: String? = null
+        try {
+            // Call the Kotlin suspend function
+            metadata = with(pluginState.kotlinCreds) {
+                kotlinContext.getRequestMetadata()
+            }
+        } catch (e: StatusException) {
+            status = e.getStatus().statusCode.toRaw()
+            errorDetails = e.message
+        } catch (e: Exception) {
+            status = grpc_status_code.GRPC_STATUS_UNAUTHENTICATED
+            errorDetails = e.message
+        }
+
+        // Convert GrpcMetadata to grpc_metadata array
+        memScoped {
+            val metadataArray = with(metadata) {
+                this@memScoped.allocRawGrpcMetadata()
+            }
+
+            try {
+                // Invoke the callback with success
+                cb?.invoke(
+                    user_data,
+                    metadataArray.metadata,
+                    metadataArray.count,
+                    status,
+                    errorDetails?.cstr?.ptr
+                )
+            } finally {
+                metadataArray.destroyEntries()
+            }
+        }
+    }
+
+    // Return 0 to indicate asynchronous processing
+    return 0
+}
+
+private fun debugStringCallback(state: COpaquePointer?): CPointer<ByteVar>? {
+    return gpr_strdup("KotlinCallCredentials")
+}
+
+private fun extractAuthority(serviceUrl: String): String {
+    // service_url format: "https://example.com:443/service"
+    return serviceUrl
+        .removePrefix("http://")
+        .removePrefix("https://")
+        .substringBefore("/")
+}
+
+private fun destroyCallback(state: COpaquePointer?) {
+    state?.asStableRef<CredentialsPluginState>()?.dispose()
+}
+
+internal fun GrpcCallCredentials.createRaw(
+    scope: CoroutineScope
+): CPointer<grpc_call_credentials>? = memScoped {
+    // Create stable reference to keep Kotlin object alive
+    val pluginState = CredentialsPluginState(this@createRaw, scope)
+    val stableRef = StableRef.create(pluginState)
+
+    // Create plugin structure
+    val plugin = alloc<grpc_metadata_credentials_plugin> {
+        get_metadata = staticCFunction(::getMetadataCallback)
+        debug_string = staticCFunction(::debugStringCallback)
+        destroy = staticCFunction(::destroyCallback)
+        state = stableRef.asCPointer()
+        type = "kgrpc_call_credentials".cstr.ptr
+    }
+
+    // Determine security level
+    val minSecurityLevel = if (this@createRaw.requiresTransportSecurity) {
+        GRPC_PRIVACY_AND_INTEGRITY
+    } else {
+        GRPC_SECURITY_NONE
+    }
+
+    // Create and return credentials
+    grpc_metadata_credentials_create_from_plugin(
+        plugin.readValue(),
+        minSecurityLevel,
+        null
+    )
+}

grpc/grpc-client/src/nativeMain/kotlin/kotlinx/rpc/grpc/client/credentials.native.kt

@@ -18,28 +18,50 @@ import libkgrpc.grpc_tls_credentials_options_destroy
 import kotlin.experimental.ExperimentalNativeApi
 import kotlin.native.ref.createCleaner
 
-public actual abstract class ClientCredentials internal constructor(
-    internal val raw: CPointer<grpc_channel_credentials>,
-) {
-    @Suppress("unused")
-    internal val rawCleaner = createCleaner(raw) {
-        grpc_channel_credentials_release(it)
+public actual abstract class ClientCredentials {
+    internal abstract val clientCredentials: ClientCredentials
+    internal abstract val callCredentials: GrpcCallCredentials?
+
+    internal abstract fun takeRaw(): CPointer<grpc_channel_credentials>
+}
+
+public actual class InsecureClientCredentials() : ClientCredentials() {
+    override val clientCredentials: ClientCredentials
+        get() = this
+    override val callCredentials: GrpcCallCredentials?
+        get() = null
+
+    override fun takeRaw(): CPointer<grpc_channel_credentials> {
+        return grpc_insecure_credentials_create() ?: error("grpc_insecure_credentials_create() returned null")
     }
 }
 
-public actual class InsecureClientCredentials internal constructor(
-    raw: CPointer<grpc_channel_credentials>,
-) : ClientCredentials(raw)
+public actual class TlsClientCredentials(
+    private var credentials: CPointer<grpc_channel_credentials>?
+) : ClientCredentials() {
+
+    @Suppress("unused")
+    private val rawCleaner = createCleaner(credentials) {
+        if (it != null) {
+            grpc_channel_credentials_release(it)
+        }
+    }
+
+    override val clientCredentials: ClientCredentials
+        get() = this
+    override val callCredentials: GrpcCallCredentials?
+        get() = null
 
-public actual class TlsClientCredentials internal constructor(
-    raw: CPointer<grpc_channel_credentials>,
-) : ClientCredentials(raw)
+    override fun takeRaw(): CPointer<grpc_channel_credentials> {
+        val credentials = this.credentials
+        this.credentials = null
+        return credentials ?: error("Credentials are already taken")
+    }
+}
 
 @InternalRpcApi
 public actual fun createInsecureClientCredentials(): ClientCredentials {
-    return InsecureClientCredentials(
-        grpc_insecure_credentials_create() ?: error("grpc_insecure_credentials_create() returned null")
-    )
+    return InsecureClientCredentials()
 }
 
 internal actual fun TlsClientCredentialsBuilder(): TlsClientCredentialsBuilder = NativeTlsClientCredentialsBuilder()
@@ -74,6 +96,16 @@ private class NativeTlsClientCredentialsBuilder : TlsClientCredentialsBuilder {
     }
 }
 
+internal class CombinedClientCredentials(
+    override val clientCredentials: ClientCredentials,
+    override val callCredentials: GrpcCallCredentials,
+): ClientCredentials() {
+    override fun takeRaw(): CPointer<grpc_channel_credentials> {
+        // doesn't return a composite key but just the client credentials key.
+        return clientCredentials.takeRaw()
+    }
+}
+
 public actual operator fun ClientCredentials.plus(other: GrpcCallCredentials): ClientCredentials {
-    TODO("Not yet implemented")
+    return CombinedClientCredentials(clientCredentials, callCredentials?.combine(other) ?: other)
 }

grpc/grpc-client/src/nativeMain/kotlin/kotlinx/rpc/grpc/client/internal/ManagedChannel.native.kt

@@ -3,12 +3,16 @@
  */
 
 @file:Suppress("EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
+@file:OptIn(ExperimentalForeignApi::class)
 
 package kotlinx.rpc.grpc.client.internal
 
+import kotlinx.cinterop.ExperimentalForeignApi
+import kotlinx.coroutines.GlobalScope
 import kotlinx.rpc.grpc.client.ClientCredentials
 import kotlinx.rpc.grpc.client.GrpcClientConfiguration
 import kotlinx.rpc.grpc.client.TlsClientCredentials
+import kotlinx.rpc.grpc.client.createRaw
 import kotlinx.rpc.grpc.internal.internalError
 import kotlinx.rpc.internal.utils.InternalRpcApi
 
@@ -40,7 +44,11 @@ internal class NativeManagedChannelBuilder(
             target,
             authority = config?.overrideAuthority,
             keepAlive = config?.keepAlive,
-            credentials = credentials.value,
+            rawChannelCredentials = credentials.value.clientCredentials.takeRaw(),
+            rawCallCredentials = credentials.value.clientCredentials.callCredentials?.createRaw(
+                // TODO: Replace GlobalScope with something more appropriate.
+                GlobalScope,
+            )
         )
     }
 

grpc/grpc-client/src/nativeMain/kotlin/kotlinx/rpc/grpc/client/internal/NativeManagedChannel.kt

@@ -6,7 +6,9 @@
 
 package kotlinx.rpc.grpc.client.internal
 
+import cnames.structs.grpc_call_credentials
 import cnames.structs.grpc_channel
+import cnames.structs.grpc_channel_credentials
 import kotlinx.atomicfu.atomic
 import kotlinx.cinterop.CPointer
 import kotlinx.cinterop.ExperimentalForeignApi
@@ -22,7 +24,6 @@ import kotlinx.coroutines.Job
 import kotlinx.coroutines.SupervisorJob
 import kotlinx.coroutines.cancelChildren
 import kotlinx.coroutines.withTimeoutOrNull
-import kotlinx.rpc.grpc.client.ClientCredentials
 import kotlinx.rpc.grpc.client.GrpcCallOptions
 import kotlinx.rpc.grpc.client.GrpcClientConfiguration
 import kotlinx.rpc.grpc.client.rawDeadline
@@ -37,7 +38,9 @@ import libkgrpc.grpc_arg_type
 import libkgrpc.grpc_channel_args
 import libkgrpc.grpc_channel_create
 import libkgrpc.grpc_channel_create_call
+import libkgrpc.grpc_channel_credentials_release
 import libkgrpc.grpc_channel_destroy
+import libkgrpc.grpc_composite_channel_credentials_create
 import libkgrpc.grpc_slice_unref
 import kotlin.coroutines.cancellation.CancellationException
 import kotlin.experimental.ExperimentalNativeApi
@@ -49,14 +52,15 @@ import kotlin.time.Duration
  * Native implementation of [ManagedChannel].
  *
  * @param target The target address to connect to.
- * @param credentials The credentials to use for the connection.
+ * @param rawChannelCredentials The credentials to use for the connection.
  */
 internal class NativeManagedChannel(
     target: String,
     val authority: String?,
     val keepAlive: GrpcClientConfiguration.KeepAlive?,
-    // we must store them, otherwise the credentials are getting released
-    credentials: ClientCredentials,
+    // this is not a composite channel credentials
+    val rawChannelCredentials: CPointer<grpc_channel_credentials>,
+    val rawCallCredentials: CPointer<grpc_call_credentials>?,
 ) : ManagedChannel, ManagedChannelPlatform() {
 
     // a reference to make sure the grpc_init() was called. (it is released after shutdown)
@@ -70,6 +74,10 @@ internal class NativeManagedChannel(
     // the channel's completion queue, handling all request operations
     private val cq = CompletionQueue()
 
+    private val rawCompositeCredentials = rawCallCredentials?.let {
+        grpc_composite_channel_credentials_create(rawChannelCredentials, it, null)
+    }
+
     internal val raw: CPointer<grpc_channel> = memScoped {
         val args = mutableListOf<GrpcArg>()
 
@@ -100,14 +108,28 @@ internal class NativeManagedChannel(
 
         var rawArgs = if (args.isNotEmpty()) args.toRaw(this) else null
 
-        grpc_channel_create(target, credentials.raw, rawArgs?.ptr)
+        // if we have composite credentials, which bundles call credentials and channel credentials,
+        // we use it. Otherwise, we use the channel credentials alone.
+        var credentials = rawCompositeCredentials ?: rawChannelCredentials
+        grpc_channel_create(target, credentials, rawArgs?.ptr)
             ?: error("Failed to create channel")
     }
 
     @Suppress("unused")
     private val rawCleaner = createCleaner(raw) {
         grpc_channel_destroy(it)
     }
+    @Suppress("unused")
+    internal val rawCredentialsCleaner = createCleaner(rawChannelCredentials) {
+        grpc_channel_credentials_release(it)
+    }
+
+    @Suppress("unused")
+    internal val rawCompositeCredentialsCleaner = createCleaner(rawCompositeCredentials) {
+        if (it != null) {
+            grpc_channel_credentials_release(it)
+        }
+    }
 
     override val platformApi: ManagedChannelPlatform = this
 

grpc/grpc-core/src/commonTest/kotlin/kotlinx/rpc/grpc/test/proto/GrpcCallCredentialsTest.kt

@@ -11,19 +11,12 @@ import kotlinx.rpc.grpc.StatusCode
 import kotlinx.rpc.grpc.StatusException
 import kotlinx.rpc.grpc.append
 import kotlinx.rpc.grpc.buildGrpcMetadata
-import kotlinx.rpc.grpc.client.BearerTokenCredentials
 import kotlinx.rpc.grpc.client.GrpcCallCredentials
 import kotlinx.rpc.grpc.client.GrpcCallCredentials.Context
 import kotlinx.rpc.grpc.client.GrpcClient
-import kotlinx.rpc.grpc.client.JwtCredentials
 import kotlinx.rpc.grpc.client.TlsClientCredentials
 import kotlinx.rpc.grpc.client.plus
 import kotlinx.rpc.grpc.getAll
-import kotlin.io.encoding.Base64
-import kotlin.io.encoding.ExperimentalEncodingApi
-import kotlin.time.Duration.Companion.milliseconds
-import kotlin.time.Duration.Companion.seconds
-import kotlin.time.TimeSource
 import kotlinx.rpc.grpc.server.TlsServerCredentials
 import kotlinx.rpc.grpc.test.EchoRequest
 import kotlinx.rpc.grpc.test.EchoService

grpc/grpc-core/src/nativeInterop/cinterop/libkgrpc.def

@@ -1,9 +1,9 @@
 headers = kgrpc.h grpc/grpc.h grpc/credentials.h grpc/byte_buffer_reader.h \
-    grpc/support/alloc.h grpc/impl/propagation_bits.h
+    grpc/support/alloc.h grpc/impl/propagation_bits.h grpc/support/string_util.h
 
 headerFilter= kgrpc.h grpc/slice.h grpc/byte_buffer.h grpc/grpc.h \
     grpc/impl/grpc_types.h grpc/credentials.h grpc/support/time.h grpc/byte_buffer_reader.h \
-    grpc/support/alloc.h grpc/impl/propagation_bits.h
+    grpc/support/alloc.h grpc/impl/propagation_bits.h grpc/support/string_util.h
 
 noStringConversion = grpc_slice_from_copied_buffer my_grpc_slice_from_copied_buffer
 strictEnums = grpc_status_code grpc_connectivity_state grpc_call_error