grpc 1.18.0 → 1.19.0.pre1

data/src/core/lib/iomgr/udp_server.cc

@@ -481,8 +481,9 @@ void GrpcUdpListener::OnRead(grpc_error* error, void* do_read_arg) {
   if (udp_handler_->Read()) {
     /* There maybe more packets to read. Schedule read_more_cb_ closure to run
      * after finishing this event loop. */
-    GRPC_CLOSURE_INIT(&do_read_closure_, do_read, do_read_arg,
-                      grpc_executor_scheduler(GRPC_EXECUTOR_LONG));
+    GRPC_CLOSURE_INIT(
+        &do_read_closure_, do_read, do_read_arg,
+        grpc_core::Executor::Scheduler(grpc_core::ExecutorJobType::LONG));
     GRPC_CLOSURE_SCHED(&do_read_closure_, GRPC_ERROR_NONE);
   } else {
     /* Finish reading all the packets, re-arm the notification event so we can
@@ -542,8 +543,9 @@ void GrpcUdpListener::OnCanWrite(grpc_error* error, void* do_write_arg) {
   }
 
   /* Schedule actual write in another thread. */
-  GRPC_CLOSURE_INIT(&do_write_closure_, do_write, do_write_arg,
-                    grpc_executor_scheduler(GRPC_EXECUTOR_LONG));
+  GRPC_CLOSURE_INIT(
+      &do_write_closure_, do_write, do_write_arg,
+      grpc_core::Executor::Scheduler(grpc_core::ExecutorJobType::LONG));
 
   GRPC_CLOSURE_SCHED(&do_write_closure_, GRPC_ERROR_NONE);
 }

data/src/core/lib/json/json.cc

@@ -35,24 +35,21 @@ grpc_json* grpc_json_create(grpc_json_type type) {
 }
 
 void grpc_json_destroy(grpc_json* json) {
+  if (json == nullptr) return;
   while (json->child) {
     grpc_json_destroy(json->child);
   }
-
   if (json->next) {
     json->next->prev = json->prev;
   }
-
   if (json->prev) {
     json->prev->next = json->next;
   } else if (json->parent) {
     json->parent->child = json->next;
   }
-
   if (json->owns_value) {
     gpr_free((void*)json->value);
   }
-
   gpr_free(json);
 }
 

data/src/core/lib/security/credentials/alts/alts_credentials.cc

@@ -31,7 +31,7 @@
 #include "src/core/lib/security/security_connector/alts/alts_security_connector.h"
 
 #define GRPC_CREDENTIALS_TYPE_ALTS "Alts"
-#define GRPC_ALTS_HANDSHAKER_SERVICE_URL "metadata.google.internal:8080"
+#define GRPC_ALTS_HANDSHAKER_SERVICE_URL "metadata.google.internal.:8080"
 
 grpc_alts_credentials::grpc_alts_credentials(
     const grpc_alts_credentials_options* options,

data/src/core/lib/security/credentials/alts/check_gcp_environment_no_op.cc

@@ -25,8 +25,8 @@
 #include <grpc/support/log.h>
 
 bool grpc_alts_is_running_on_gcp() {
-  gpr_log(GPR_ERROR,
-          "Platforms other than Linux and Windows are not supported");
+  gpr_log(GPR_INFO,
+          "ALTS: Platforms other than Linux and Windows are not supported");
   return false;
 }
 

data/src/core/lib/security/credentials/composite/composite_credentials.h

@@ -49,6 +49,10 @@ class grpc_composite_channel_credentials : public grpc_channel_credentials {
       const char* target, const grpc_channel_args* args,
       grpc_channel_args** new_args) override;
 
+  grpc_channel_args* update_arguments(grpc_channel_args* args) override {
+    return inner_creds_->update_arguments(args);
+  }
+
   const grpc_channel_credentials* inner_creds() const {
     return inner_creds_.get();
   }

data/src/core/lib/security/credentials/credentials.h

@@ -60,7 +60,7 @@ typedef enum {
 
 #define GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS 60
 
-#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata.google.internal"
+#define GRPC_COMPUTE_ENGINE_METADATA_HOST "metadata.google.internal."
 #define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
   "/computeMetadata/v1/instance/service-accounts/default/token"
 
@@ -123,6 +123,14 @@ struct grpc_channel_credentials
     return Ref();
   }
 
+  // Allows credentials to optionally modify a parent channel's args.
+  // By default, leave channel args as is. The callee takes ownership
+  // of the passed-in channel args, and the caller takes ownership
+  // of the returned channel args.
+  virtual grpc_channel_args* update_arguments(grpc_channel_args* args) {
+    return args;
+  }
+
   const char* type() const { return type_; }
 
   GRPC_ABSTRACT_BASE_CLASS

data/src/core/lib/security/credentials/google_default/google_default_credentials.cc

@@ -46,7 +46,7 @@
 
 /* -- Constants. -- */
 
-#define GRPC_COMPUTE_ENGINE_DETECTION_HOST "metadata.google.internal"
+#define GRPC_COMPUTE_ENGINE_DETECTION_HOST "metadata.google.internal."
 
 /* -- Default credentials. -- */
 
@@ -114,6 +114,19 @@ grpc_google_default_channel_credentials::create_security_connector(
   return sc;
 }
 
+grpc_channel_args* grpc_google_default_channel_credentials::update_arguments(
+    grpc_channel_args* args) {
+  grpc_channel_args* updated = args;
+  if (grpc_channel_args_find(args, GRPC_ARG_DNS_ENABLE_SRV_QUERIES) ==
+      nullptr) {
+    grpc_arg new_srv_arg = grpc_channel_arg_integer_create(
+        const_cast<char*>(GRPC_ARG_DNS_ENABLE_SRV_QUERIES), true);
+    updated = grpc_channel_args_copy_and_add(args, &new_srv_arg, 1);
+    grpc_channel_args_destroy(args);
+  }
+  return updated;
+}
+
 static void on_metadata_server_detection_http_response(void* user_data,
                                                        grpc_error* error) {
   metadata_server_detector* detector =
@@ -259,7 +272,7 @@ end:
   GPR_ASSERT((result == nullptr) + (error == GRPC_ERROR_NONE) == 1);
   if (creds_path != nullptr) gpr_free(creds_path);
   grpc_slice_unref_internal(creds_data);
-  if (json != nullptr) grpc_json_destroy(json);
+  grpc_json_destroy(json);
   *creds = result;
   return error;
 }

data/src/core/lib/security/credentials/google_default/google_default_credentials.h

@@ -58,6 +58,8 @@ class grpc_google_default_channel_credentials
       const char* target, const grpc_channel_args* args,
       grpc_channel_args** new_args) override;
 
+  grpc_channel_args* update_arguments(grpc_channel_args* args) override;
+
   const grpc_channel_credentials* alts_creds() const {
     return alts_creds_.get();
   }

data/src/core/lib/security/credentials/jwt/json_token.cc

@@ -121,7 +121,7 @@ grpc_auth_json_key grpc_auth_json_key_create_from_string(
   char* scratchpad = gpr_strdup(json_string);
   grpc_json* json = grpc_json_parse_string(scratchpad);
   grpc_auth_json_key result = grpc_auth_json_key_create_from_json(json);
-  if (json != nullptr) grpc_json_destroy(json);
+  grpc_json_destroy(json);
   gpr_free(scratchpad);
   return result;
 }

data/src/core/lib/security/credentials/jwt/jwt_credentials.cc

@@ -174,6 +174,7 @@ grpc_call_credentials* grpc_service_account_jwt_access_credentials_create(
     gpr_free(clean_json);
   }
   GPR_ASSERT(reserved == nullptr);
+  grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
   grpc_core::ExecCtx exec_ctx;
   return grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
              grpc_auth_json_key_create_from_string(json_key), token_lifetime)

data/src/core/lib/security/credentials/jwt/jwt_verifier.cc

@@ -353,6 +353,7 @@ static verifier_cb_ctx* verifier_cb_ctx_create(
     grpc_jwt_claims* claims, const char* audience, grpc_slice signature,
     const char* signed_jwt, size_t signed_jwt_len, void* user_data,
     grpc_jwt_verification_done_cb cb) {
+  grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
   grpc_core::ExecCtx exec_ctx;
   verifier_cb_ctx* ctx =
       static_cast<verifier_cb_ctx*>(gpr_zalloc(sizeof(verifier_cb_ctx)));
@@ -666,7 +667,7 @@ static void on_keys_retrieved(void* user_data, grpc_error* error) {
   }
 
 end:
-  if (json != nullptr) grpc_json_destroy(json);
+  grpc_json_destroy(json);
   EVP_PKEY_free(verification_key);
   ctx->user_cb(ctx->user_data, status, claims);
   verifier_cb_ctx_destroy(ctx);
@@ -719,7 +720,7 @@ static void on_openid_config_retrieved(void* user_data, grpc_error* error) {
   return;
 
 error:
-  if (json != nullptr) grpc_json_destroy(json);
+  grpc_json_destroy(json);
   ctx->user_cb(ctx->user_data, GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR, nullptr);
   verifier_cb_ctx_destroy(ctx);
 }

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc

@@ -80,7 +80,7 @@ grpc_auth_refresh_token grpc_auth_refresh_token_create_from_string(
   grpc_json* json = grpc_json_parse_string(scratchpad);
   grpc_auth_refresh_token result =
       grpc_auth_refresh_token_create_from_json(json);
-  if (json != nullptr) grpc_json_destroy(json);
+  grpc_json_destroy(json);
   gpr_free(scratchpad);
   return result;
 }
@@ -199,7 +199,7 @@ end:
   }
   if (null_terminated_body != nullptr) gpr_free(null_terminated_body);
   if (new_access_token != nullptr) gpr_free(new_access_token);
-  if (json != nullptr) grpc_json_destroy(json);
+  grpc_json_destroy(json);
   return status;
 }
 

data/src/core/lib/security/credentials/plugin/plugin_credentials.cc

@@ -114,6 +114,7 @@ static void plugin_md_request_metadata_ready(void* request,
                                              grpc_status_code status,
                                              const char* error_details) {
   /* called from application code */
+  grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
   grpc_core::ExecCtx exec_ctx(GRPC_EXEC_CTX_FLAG_IS_FINISHED |
                               GRPC_EXEC_CTX_FLAG_THREAD_RESOURCE_LOOP);
   grpc_plugin_credentials::pending_request* r =

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc

@@ -0,0 +1,192 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+/** -- gRPC TLS key materials config API implementation. -- **/
+void grpc_tls_key_materials_config::set_key_materials(
+    grpc_core::UniquePtr<char> pem_root_certs,
+    PemKeyCertPairList pem_key_cert_pair_list) {
+  pem_key_cert_pair_list_ = std::move(pem_key_cert_pair_list);
+  pem_root_certs_ = std::move(pem_root_certs);
+}
+
+/** -- gRPC TLS credential reload config API implementation. -- **/
+grpc_tls_credential_reload_config::grpc_tls_credential_reload_config(
+    const void* config_user_data,
+    int (*schedule)(void* config_user_data,
+                    grpc_tls_credential_reload_arg* arg),
+    void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg),
+    void (*destruct)(void* config_user_data))
+    : config_user_data_(const_cast<void*>(config_user_data)),
+      schedule_(schedule),
+      cancel_(cancel),
+      destruct_(destruct) {}
+
+grpc_tls_credential_reload_config::~grpc_tls_credential_reload_config() {
+  if (destruct_ != nullptr) {
+    destruct_((void*)config_user_data_);
+  }
+}
+
+/** -- gRPC TLS server authorization check API implementation. -- **/
+grpc_tls_server_authorization_check_config::
+    grpc_tls_server_authorization_check_config(
+        const void* config_user_data,
+        int (*schedule)(void* config_user_data,
+                        grpc_tls_server_authorization_check_arg* arg),
+        void (*cancel)(void* config_user_data,
+                       grpc_tls_server_authorization_check_arg* arg),
+        void (*destruct)(void* config_user_data))
+    : config_user_data_(const_cast<void*>(config_user_data)),
+      schedule_(schedule),
+      cancel_(cancel),
+      destruct_(destruct) {}
+
+grpc_tls_server_authorization_check_config::
+    ~grpc_tls_server_authorization_check_config() {
+  if (destruct_ != nullptr) {
+    destruct_((void*)config_user_data_);
+  }
+}
+
+/** -- Wrapper APIs declared in grpc_security.h -- **/
+grpc_tls_credentials_options* grpc_tls_credentials_options_create() {
+  return grpc_core::New<grpc_tls_credentials_options>();
+}
+
+int grpc_tls_credentials_options_set_cert_request_type(
+    grpc_tls_credentials_options* options,
+    grpc_ssl_client_certificate_request_type type) {
+  if (options == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Invalid nullptr arguments to "
+            "grpc_tls_credentials_options_set_cert_request_type()");
+    return 0;
+  }
+  options->set_cert_request_type(type);
+  return 1;
+}
+
+int grpc_tls_credentials_options_set_key_materials_config(
+    grpc_tls_credentials_options* options,
+    grpc_tls_key_materials_config* config) {
+  if (options == nullptr || config == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Invalid nullptr arguments to "
+            "grpc_tls_credentials_options_set_key_materials_config()");
+    return 0;
+  }
+  options->set_key_materials_config(config->Ref());
+  return 1;
+}
+
+int grpc_tls_credentials_options_set_credential_reload_config(
+    grpc_tls_credentials_options* options,
+    grpc_tls_credential_reload_config* config) {
+  if (options == nullptr || config == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Invalid nullptr arguments to "
+            "grpc_tls_credentials_options_set_credential_reload_config()");
+    return 0;
+  }
+  options->set_credential_reload_config(config->Ref());
+  return 1;
+}
+
+int grpc_tls_credentials_options_set_server_authorization_check_config(
+    grpc_tls_credentials_options* options,
+    grpc_tls_server_authorization_check_config* config) {
+  if (options == nullptr || config == nullptr) {
+    gpr_log(
+        GPR_ERROR,
+        "Invalid nullptr arguments to "
+        "grpc_tls_credentials_options_set_server_authorization_check_config()");
+    return 0;
+  }
+  options->set_server_authorization_check_config(config->Ref());
+  return 1;
+}
+
+grpc_tls_key_materials_config* grpc_tls_key_materials_config_create() {
+  return grpc_core::New<grpc_tls_key_materials_config>();
+}
+
+int grpc_tls_key_materials_config_set_key_materials(
+    grpc_tls_key_materials_config* config, const char* root_certs,
+    const grpc_ssl_pem_key_cert_pair** key_cert_pairs, size_t num) {
+  if (config == nullptr || key_cert_pairs == nullptr || num == 0) {
+    gpr_log(GPR_ERROR,
+            "Invalid arguments to "
+            "grpc_tls_key_materials_config_set_key_materials()");
+    return 0;
+  }
+  grpc_core::UniquePtr<char> pem_root(const_cast<char*>(root_certs));
+  grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list;
+  for (size_t i = 0; i < num; i++) {
+    grpc_core::PemKeyCertPair key_cert_pair(
+        const_cast<grpc_ssl_pem_key_cert_pair*>(key_cert_pairs[i]));
+    cert_pair_list.emplace_back(std::move(key_cert_pair));
+  }
+  config->set_key_materials(std::move(pem_root), std::move(cert_pair_list));
+  gpr_free(key_cert_pairs);
+  return 1;
+}
+
+grpc_tls_credential_reload_config* grpc_tls_credential_reload_config_create(
+    const void* config_user_data,
+    int (*schedule)(void* config_user_data,
+                    grpc_tls_credential_reload_arg* arg),
+    void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg),
+    void (*destruct)(void* config_user_data)) {
+  if (schedule == nullptr) {
+    gpr_log(
+        GPR_ERROR,
+        "Schedule API is nullptr in creating TLS credential reload config.");
+    return nullptr;
+  }
+  return grpc_core::New<grpc_tls_credential_reload_config>(
+      config_user_data, schedule, cancel, destruct);
+}
+
+grpc_tls_server_authorization_check_config*
+grpc_tls_server_authorization_check_config_create(
+    const void* config_user_data,
+    int (*schedule)(void* config_user_data,
+                    grpc_tls_server_authorization_check_arg* arg),
+    void (*cancel)(void* config_user_data,
+                   grpc_tls_server_authorization_check_arg* arg),
+    void (*destruct)(void* config_user_data)) {
+  if (schedule == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Schedule API is nullptr in creating TLS server authorization "
+            "check config.");
+    return nullptr;
+  }
+  return grpc_core::New<grpc_tls_server_authorization_check_config>(
+      config_user_data, schedule, cancel, destruct);
+}

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h

@@ -0,0 +1,213 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/gprpp/inlined_vector.h"
+#include "src/core/lib/gprpp/ref_counted.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
+
+/** TLS key materials config. **/
+struct grpc_tls_key_materials_config
+    : public grpc_core::RefCounted<grpc_tls_key_materials_config> {
+ public:
+  typedef grpc_core::InlinedVector<grpc_core::PemKeyCertPair, 1>
+      PemKeyCertPairList;
+
+  /** Getters for member fields. **/
+  const char* pem_root_certs() const { return pem_root_certs_.get(); }
+  const PemKeyCertPairList& pem_key_cert_pair_list() const {
+    return pem_key_cert_pair_list_;
+  }
+
+  /** Setters for member fields. **/
+  void set_key_materials(grpc_core::UniquePtr<char> pem_root_certs,
+                         PemKeyCertPairList pem_key_cert_pair_list);
+
+ private:
+  PemKeyCertPairList pem_key_cert_pair_list_;
+  grpc_core::UniquePtr<char> pem_root_certs_;
+};
+
+/** TLS credential reload config. **/
+struct grpc_tls_credential_reload_config
+    : public grpc_core::RefCounted<grpc_tls_credential_reload_config> {
+ public:
+  grpc_tls_credential_reload_config(
+      const void* config_user_data,
+      int (*schedule)(void* config_user_data,
+                      grpc_tls_credential_reload_arg* arg),
+      void (*cancel)(void* config_user_data,
+                     grpc_tls_credential_reload_arg* arg),
+      void (*destruct)(void* config_user_data));
+  ~grpc_tls_credential_reload_config();
+
+  int Schedule(grpc_tls_credential_reload_arg* arg) const {
+    return schedule_(config_user_data_, arg);
+  }
+  void Cancel(grpc_tls_credential_reload_arg* arg) const {
+    if (cancel_ == nullptr) {
+      gpr_log(GPR_ERROR, "cancel API is nullptr.");
+      return;
+    }
+    cancel_(config_user_data_, arg);
+  }
+
+ private:
+  /** config-specific, read-only user data that works for all channels created
+     with a credential using the config. */
+  void* config_user_data_;
+  /** callback function for invoking credential reload API. The implementation
+     of this method has to be non-blocking, but can be performed synchronously
+     or asynchronously.
+     If processing occurs synchronously, it populates \a arg->key_materials, \a
+     arg->status, and \a arg->error_details and returns zero.
+     If processing occurs asynchronously, it returns a non-zero value.
+     Application then invokes \a arg->cb when processing is completed. Note that
+     \a arg->cb cannot be invoked before \a schedule returns.
+  */
+  int (*schedule_)(void* config_user_data, grpc_tls_credential_reload_arg* arg);
+  /** callback function for cancelling a credential reload request scheduled via
+     an asynchronous \a schedule. \a arg is used to pinpoint an exact reloading
+     request to be cancelled, and the operation may not have any effect if the
+     request has already been processed. */
+  void (*cancel_)(void* config_user_data, grpc_tls_credential_reload_arg* arg);
+  /** callback function for cleaning up any data associated with credential
+     reload config. */
+  void (*destruct_)(void* config_user_data);
+};
+
+/** TLS server authorization check config. **/
+struct grpc_tls_server_authorization_check_config
+    : public grpc_core::RefCounted<grpc_tls_server_authorization_check_config> {
+ public:
+  grpc_tls_server_authorization_check_config(
+      const void* config_user_data,
+      int (*schedule)(void* config_user_data,
+                      grpc_tls_server_authorization_check_arg* arg),
+      void (*cancel)(void* config_user_data,
+                     grpc_tls_server_authorization_check_arg* arg),
+      void (*destruct)(void* config_user_data));
+  ~grpc_tls_server_authorization_check_config();
+
+  int Schedule(grpc_tls_server_authorization_check_arg* arg) const {
+    return schedule_(config_user_data_, arg);
+  }
+  void Cancel(grpc_tls_server_authorization_check_arg* arg) const {
+    if (cancel_ == nullptr) {
+      gpr_log(GPR_ERROR, "cancel API is nullptr.");
+      return;
+    }
+    cancel_(config_user_data_, arg);
+  }
+
+ private:
+  /** config-specific, read-only user data that works for all channels created
+     with a Credential using the config. */
+  void* config_user_data_;
+
+  /** callback function for invoking server authorization check. The
+     implementation of this method has to be non-blocking, but can be performed
+     synchronously or asynchronously.
+     If processing occurs synchronously, it populates \a arg->result, \a
+     arg->status, and \a arg->error_details, and returns zero.
+     If processing occurs asynchronously, it returns a non-zero value.
+     Application then invokes \a arg->cb when processing is completed. Note that
+     \a arg->cb cannot be invoked before \a schedule() returns.
+  */
+  int (*schedule_)(void* config_user_data,
+                   grpc_tls_server_authorization_check_arg* arg);
+
+  /** callback function for canceling a server authorization check request. */
+  void (*cancel_)(void* config_user_data,
+                  grpc_tls_server_authorization_check_arg* arg);
+
+  /** callback function for cleaning up any data associated with server
+     authorization check config. */
+  void (*destruct_)(void* config_user_data);
+};
+
+/* TLS credentials options. */
+struct grpc_tls_credentials_options
+    : public grpc_core::RefCounted<grpc_tls_credentials_options> {
+ public:
+  ~grpc_tls_credentials_options() {
+    if (key_materials_config_.get() != nullptr) {
+      key_materials_config_.get()->Unref();
+    }
+    if (credential_reload_config_.get() != nullptr) {
+      credential_reload_config_.get()->Unref();
+    }
+    if (server_authorization_check_config_.get() != nullptr) {
+      server_authorization_check_config_.get()->Unref();
+    }
+  }
+
+  /* Getters for member fields. */
+  grpc_ssl_client_certificate_request_type cert_request_type() const {
+    return cert_request_type_;
+  }
+  const grpc_tls_key_materials_config* key_materials_config() const {
+    return key_materials_config_.get();
+  }
+  const grpc_tls_credential_reload_config* credential_reload_config() const {
+    return credential_reload_config_.get();
+  }
+  const grpc_tls_server_authorization_check_config*
+  server_authorization_check_config() const {
+    return server_authorization_check_config_.get();
+  }
+  grpc_tls_key_materials_config* mutable_key_materials_config() {
+    return key_materials_config_.get();
+  }
+
+  /* Setters for member fields. */
+  void set_cert_request_type(
+      const grpc_ssl_client_certificate_request_type type) {
+    cert_request_type_ = type;
+  }
+  void set_key_materials_config(
+      grpc_core::RefCountedPtr<grpc_tls_key_materials_config> config) {
+    key_materials_config_ = std::move(config);
+  }
+  void set_credential_reload_config(
+      grpc_core::RefCountedPtr<grpc_tls_credential_reload_config> config) {
+    credential_reload_config_ = std::move(config);
+  }
+  void set_server_authorization_check_config(
+      grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
+          config) {
+    server_authorization_check_config_ = std::move(config);
+  }
+
+ private:
+  grpc_ssl_client_certificate_request_type cert_request_type_;
+  grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
+  grpc_core::RefCountedPtr<grpc_tls_credential_reload_config>
+      credential_reload_config_;
+  grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
+      server_authorization_check_config_;
+};
+
+#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H \
+        */