grpc: Update API

Jozott00 · Jozott00 · commit dc2a76ac468e · 2025-11-11T17:39:53.000+01:00
diff --git a/grpc/grpc-client/src/commonMain/kotlin/kotlinx/rpc/grpc/client/GrpcCallCredentials.kt b/grpc/grpc-client/src/commonMain/kotlin/kotlinx/rpc/grpc/client/GrpcCallCredentials.kt
@@ -5,6 +5,8 @@
 package kotlinx.rpc.grpc.client
 
 import kotlinx.rpc.grpc.GrpcMetadata
+import kotlinx.rpc.grpc.descriptor.MethodDescriptor
+import kotlinx.rpc.grpc.plus
 
 /**
  * Provides per-call authentication credentials for gRPC calls.
@@ -20,12 +22,36 @@ import kotlinx.rpc.grpc.GrpcMetadata
  *
  * ```kotlin
  * class BearerTokenCredentials(private val token: String) : GrpcCallCredentials {
- *     override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
- *         append("Authorization", "Bearer $token")
+ *     override suspend fun Context.getRequestMetadata(): GrpcMetadata {
+ *         return buildGrpcMetadata {
+ *             append("Authorization", "Bearer $token")
+ *         }
  *     }
  * }
  * ```
  *
+ * ## Context-Aware Credentials
+ *
+ * Use the [Context] to implement sophisticated authentication strategies:
+ *
+ * ```kotlin
+ * class MethodScopedCredentials : GrpcCallCredentials {
+ *     override suspend fun Context.getRequestMetadata(): GrpcMetadata {
+ *         val scope = when (method.name) {
+ *             "GetUser" -> "read:users"
+ *             "UpdateUser" -> "write:users"
+ *             else -> "default"
+ *         }
+ *         val token = fetchTokenWithScope(scope)
+ *         return buildGrpcMetadata {
+ *             append("Authorization", "Bearer $token")
+ *         }
+ *     }
+ * }
+ * ```
+ *
+ * ## Combining Credentials
+ *
  * Credentials can be combined using the [plus] operator or [combine] function:
  *
  * ```kotlin
@@ -37,52 +63,70 @@ import kotlinx.rpc.grpc.GrpcMetadata
  * By default, call credentials require transport security (TLS) to prevent credential leakage.
  * Override [requiresTransportSecurity] to `false` only for testing or non-production environments.
  *
- * @see applyOnMetadata
+ * @see getRequestMetadata
+ * @see Context
  * @see requiresTransportSecurity
  * @see plus
  * @see combine
  */
 public interface GrpcCallCredentials {
 
     /**
-     * Applies authentication metadata to the gRPC call.
+     * Retrieves authentication metadata for the gRPC call.
+     *
+     * This method is invoked before each gRPC call to generate authentication headers or metadata.
+     * Implementations should return a [GrpcMetadata] object containing the necessary authentication
+     * information for the request.
      *
-     * This method is invoked before each gRPC call to add authentication headers or metadata.
-     * Implementations should append the necessary authentication information to the [GrpcMetadata] receiver.
+     * The method is suspending to allow asynchronous operations such as:
+     * - Token retrieval from secure storage
+     * - OAuth token refresh or exchange
+     * - Dynamic token generation or signing
+     * - Network calls to authentication services
      *
-     * The method is suspending to allow asynchronous token retrieval or refresh operations,
-     * such as fetching tokens from secure storage or performing OAuth token exchanges.
+     * ## Context Information
+     *
+     * The [Context] receiver provides access to call-specific information:
+     * - [Context.method]: The method being invoked (for method-specific auth)
+     * - [Context.authority]: The target authority (for tenant-aware auth)
      *
      * ## Examples
      *
-     * Adding a bearer token:
+     * Simple bearer token:
      * ```kotlin
-     * override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
-     *     append("Authorization", "Bearer $token")
+     * override suspend fun Context.getRequestMetadata(): GrpcMetadata {
+     *     return buildGrpcMetadata {
+     *         append("Authorization", "Bearer $token")
+     *     }
      * }
      * ```
      *
      * Throwing a [kotlinx.rpc.grpc.StatusException] to fail the call:
      * ```kotlin
-     * override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
-     *     if (!isValid) {
-     *         throw StatusException(Status(StatusCode.UNAUTHENTICATED, "Invalid credentials"))
+     * override suspend fun Context.getRequestMetadata(): GrpcMetadata {
+     *     val token = try {
+     *         refreshToken()
+     *     } catch (e: Exception) {
+     *         throw StatusException(Status(StatusCode.UNAUTHENTICATED, "Token refresh failed"))
+     *     }
+     *
+     *     return buildGrpcMetadata {
+     *         append("Authorization", "Bearer $token")
      *     }
-     *     append("Authorization", "Bearer $token")
      * }
      * ```
      *
-     * @param callOptions The options for the current call, providing context and configuration.
-     * @receiver The metadata to which authentication information should be added.
+     * @receiver Context information about the call being authenticated.
+     * @return Metadata containing authentication information to attach to the request.
      * @throws kotlinx.rpc.grpc.StatusException to abort the call with a specific gRPC status.
      */
-    public suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions)
+    public suspend fun Context.getRequestMetadata(): GrpcMetadata
 
     /**
      * Indicates whether this credential requires transport security (TLS).
      *
      * When `true` (the default), the credential will only be applied to calls over secure transports.
-     * If transport security is not present, the call will fail with `UNAUTHENTICATED`.
+     * If transport security is not present, the call will fail with [kotlinx.rpc.grpc.StatusCode.UNAUTHENTICATED].
      *
      * Set to `false` only for credentials that are safe to send over insecure connections,
      * such as in testing environments or for non-sensitive authentication mechanisms.
@@ -91,6 +135,20 @@ public interface GrpcCallCredentials {
      */
     public val requiresTransportSecurity: Boolean
         get() = true
+
+    /**
+     * Context information available when retrieving call credentials.
+     *
+     * Provides metadata about the RPC call to enable method-specific authentication strategies.
+     *
+     * @property method The method descriptor of the RPC being invoked.
+     * @property authority The authority (host:port) for this call.
+     */
+    // TODO: check whether we should add GrpcCallOptions in the context (KRPC-232)
+    public data class Context(
+        val method: MethodDescriptor<*, *>,
+        val authority: String,
+    )
 }
 
 /**
@@ -154,8 +212,8 @@ public fun GrpcCallCredentials.combine(other: GrpcCallCredentials): GrpcCallCred
  * ```
  */
 public object  EmptyCallCredentials : GrpcCallCredentials {
-    override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
-        // do nothing
+    override suspend fun GrpcCallCredentials.Context.getRequestMetadata(): GrpcMetadata {
+        return GrpcMetadata()
     }
     override val requiresTransportSecurity: Boolean = false
 }
@@ -164,15 +222,10 @@ internal class CombinedCallCredentials(
     private val first: GrpcCallCredentials,
     private val second: GrpcCallCredentials
 ) : GrpcCallCredentials {
-    override suspend fun GrpcMetadata.applyOnMetadata(
-        callOptions: GrpcCallOptions
-    ) {
-        with(first) {
-            this@applyOnMetadata.applyOnMetadata(callOptions)
-        }
-        with(second) {
-            this@applyOnMetadata.applyOnMetadata(callOptions)
-        }
+    override suspend fun GrpcCallCredentials.Context.getRequestMetadata(): GrpcMetadata {
+        val firstMetadata = with(first) { getRequestMetadata() }
+        val secondMetadata = with(second) { getRequestMetadata() }
+        return firstMetadata + secondMetadata
     }
 
     override val requiresTransportSecurity: Boolean = first.requiresTransportSecurity || second.requiresTransportSecurity
diff --git a/grpc/grpc-client/src/jvmMain/kotlin/kotlinx/rpc/grpc/client/credentials.jvm.kt b/grpc/grpc-client/src/jvmMain/kotlin/kotlinx/rpc/grpc/client/credentials.jvm.kt
@@ -8,7 +8,6 @@ import io.grpc.CallCredentials
 import io.grpc.ChannelCredentials
 import io.grpc.CompositeChannelCredentials
 import io.grpc.InsecureChannelCredentials
-import io.grpc.Metadata
 import io.grpc.SecurityLevel
 import io.grpc.TlsChannelCredentials
 import kotlinx.coroutines.CoroutineScope
@@ -73,8 +72,8 @@ internal fun GrpcCallCredentials.toJvm(): CallCredentials {
                         "Transport security required but not present"
                     }
 
-                    val metadata = Metadata()
-                    metadata.applyOnMetadata(GrpcCallOptions(/* populate from requestInfo if needed */))
+                    val context = GrpcCallCredentials.Context(requestInfo.methodDescriptor, requestInfo.authority)
+                    val metadata = context.getRequestMetadata()
                     applier.apply(metadata)
                 } catch (e: StatusException) {
                     applier.fail(e.status)
diff --git a/grpc/grpc-core/src/commonMain/kotlin/kotlinx/rpc/grpc/GrpcMetadata.kt b/grpc/grpc-core/src/commonMain/kotlin/kotlinx/rpc/grpc/GrpcMetadata.kt
@@ -51,6 +51,16 @@ import kotlinx.rpc.grpc.codec.MessageCodec
 @Suppress("RedundantConstructorKeyword")
 public expect class GrpcMetadata constructor()
 
+/**
+ * Constructs and configures a new [GrpcMetadata] instance.
+ * The provided [block] is executed to apply custom modifications to the metadata object.
+ *
+ * @param block A lambda function allowing customization of the [GrpcMetadata] object.
+ *              The lambda operates on the metadata instance being built.
+ * @return The configured [GrpcMetadata] instance.
+ */
+public fun buildGrpcMetadata(block: GrpcMetadata.() -> Unit): GrpcMetadata = GrpcMetadata().apply(block)
+
 /**
  * A typed key for metadata entries that uses a [MessageCodec] to encode and decode values.
  *
diff --git a/grpc/grpc-core/src/commonTest/kotlin/kotlinx/rpc/grpc/test/proto/GrpcCallCredentialsTest.kt b/grpc/grpc-core/src/commonTest/kotlin/kotlinx/rpc/grpc/test/proto/GrpcCallCredentialsTest.kt
@@ -10,12 +10,20 @@ import kotlinx.rpc.grpc.Status
 import kotlinx.rpc.grpc.StatusCode
 import kotlinx.rpc.grpc.StatusException
 import kotlinx.rpc.grpc.append
+import kotlinx.rpc.grpc.buildGrpcMetadata
+import kotlinx.rpc.grpc.client.BearerTokenCredentials
 import kotlinx.rpc.grpc.client.GrpcCallCredentials
-import kotlinx.rpc.grpc.client.GrpcCallOptions
+import kotlinx.rpc.grpc.client.GrpcCallCredentials.Context
 import kotlinx.rpc.grpc.client.GrpcClient
+import kotlinx.rpc.grpc.client.JwtCredentials
 import kotlinx.rpc.grpc.client.TlsClientCredentials
 import kotlinx.rpc.grpc.client.plus
 import kotlinx.rpc.grpc.getAll
+import kotlin.io.encoding.Base64
+import kotlin.io.encoding.ExperimentalEncodingApi
+import kotlin.time.Duration.Companion.milliseconds
+import kotlin.time.Duration.Companion.seconds
+import kotlin.time.TimeSource
 import kotlinx.rpc.grpc.server.TlsServerCredentials
 import kotlinx.rpc.grpc.test.EchoRequest
 import kotlinx.rpc.grpc.test.EchoService
@@ -113,7 +121,7 @@ class GrpcCallCredentialsTest : GrpcProtoTest() {
     @Test
     fun `test throw status exception - should fail with status`() {
         val throwingCallCredentials = object : GrpcCallCredentials {
-            override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
+            override suspend fun Context.getRequestMetadata(): GrpcMetadata {
                 throw StatusException(Status(StatusCode.UNIMPLEMENTED, "This is my custom exception"))
             }
 
@@ -164,6 +172,54 @@ class GrpcCallCredentialsTest : GrpcProtoTest() {
             test = ::unaryCall
         )}
     }
+
+    @Test
+    fun `test context contains correct method descriptor - should succeed`() {
+        var capturedMethod: String? = null
+
+        val contextCapturingCredentials = object : GrpcCallCredentials {
+            override suspend fun Context.getRequestMetadata(): GrpcMetadata {
+                println(authority)
+                capturedMethod = method.getFullMethodName()
+                return GrpcMetadata()
+            }
+
+            override val requiresTransportSecurity: Boolean = false
+        }
+
+        runGrpcTest(
+            configure = {
+                credentials = plaintext() + contextCapturingCredentials
+            },
+            test = ::unaryCall
+        )
+
+        assertEquals("kotlinx.rpc.grpc.test.EchoService/UnaryEcho", capturedMethod)
+    }
+
+    @Test
+    fun `test context contains correct authority - should succeed`() {
+        var capturedAuthority: String? = null
+
+        val contextCapturingCredentials = object : GrpcCallCredentials {
+            override suspend fun Context.getRequestMetadata(): GrpcMetadata {
+                capturedAuthority = authority
+                return GrpcMetadata()
+            }
+
+            override val requiresTransportSecurity: Boolean = false
+        }
+
+        runGrpcTest(
+            configure = {
+                credentials = plaintext() + contextCapturingCredentials
+                overrideAuthority = "test.example.com"
+            },
+            test = ::unaryCall
+        )
+
+        assertEquals("test.example.com", capturedAuthority)
+    }
 }
 
 private suspend fun unaryCall(grpcClient: GrpcClient) {
@@ -175,17 +231,21 @@ private suspend fun unaryCall(grpcClient: GrpcClient) {
 class NoTLSBearerTokenCredentials(
     val token: String = "token"
 ): GrpcCallCredentials {
-    override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
-        // potentially fetching the token from a secure storage
-        append("Authorization", "Bearer $token")
+    override suspend fun Context.getRequestMetadata(): GrpcMetadata {
+        return buildGrpcMetadata {
+            // potentially fetching the token from a secure storage
+            append("Authorization", "Bearer $token")
+        }
     }
 
     override val requiresTransportSecurity: Boolean
         get() = false
 }
 
 class TlsBearerTokenCredentials: GrpcCallCredentials {
-    override suspend fun GrpcMetadata.applyOnMetadata(callOptions: GrpcCallOptions) {
-        append("Authorization", "Bearer token")
+    override suspend fun Context.getRequestMetadata(): GrpcMetadata {
+        return buildGrpcMetadata {
+            append("Authorization", "Bearer token")
+        }
     }
 }
