grpc 1.35.0 → 1.36.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Makefile +60 -57
- data/include/grpc/grpc_security.h +16 -11
- data/src/core/ext/filters/client_channel/client_channel.cc +32 -26
- data/src/core/ext/filters/client_channel/client_channel.h +0 -2
- data/src/core/ext/filters/client_channel/config_selector.h +1 -1
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +2 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +3 -5
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +8 -6
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +289 -170
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +5 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +231 -109
- data/src/core/ext/filters/client_channel/resolver.cc +2 -5
- data/src/core/ext/filters/client_channel/resolver.h +1 -12
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +36 -45
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +29 -41
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +16 -14
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +18 -15
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +362 -0
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +22 -74
- data/src/core/ext/filters/client_channel/server_address.cc +6 -0
- data/src/core/ext/filters/client_channel/server_address.h +31 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -2
- data/src/core/ext/filters/max_age/max_age_filter.cc +35 -32
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +1 -1
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +47 -22
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +11 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +11 -1
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +62 -18
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +11 -16
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +42 -59
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +15 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +25 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +75 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +2 -2
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +9 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +7 -7
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +28 -13
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +11 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +41 -7
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -21
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +122 -77
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +13 -9
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +37 -5
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +11 -9
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +44 -27
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +42 -16
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +106 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +29 -0
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +67 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +13 -16
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +51 -42
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +16 -13
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +50 -18
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +4 -7
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +0 -17
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +30 -23
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +85 -73
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.c +0 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +0 -1
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +21 -4
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +29 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/authority.upb.c +5 -5
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +60 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +52 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +143 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +42 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +84 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/resource.upb.c +9 -9
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +94 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +54 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +166 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +36 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +85 -0
- data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +168 -171
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +405 -420
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +2 -2
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +177 -171
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +88 -88
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +153 -153
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +33 -20
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +56 -59
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +116 -111
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +129 -121
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +21 -24
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +17 -13
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +747 -724
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +22 -25
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +369 -376
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +12 -16
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +112 -108
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +45 -53
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +177 -180
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +92 -102
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.c +32 -42
- data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.c +30 -40
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.c +38 -44
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +30 -33
- data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +14 -11
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +42 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +62 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +45 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +49 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +67 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +35 -0
- data/src/core/ext/xds/xds_api.cc +738 -567
- data/src/core/ext/xds/xds_api.h +46 -84
- data/src/core/ext/xds/xds_bootstrap.cc +59 -40
- data/src/core/ext/xds/xds_bootstrap.h +12 -4
- data/src/core/ext/xds/xds_certificate_provider.cc +180 -74
- data/src/core/ext/xds/xds_certificate_provider.h +83 -44
- data/src/core/ext/xds/xds_client.cc +13 -11
- data/src/core/ext/xds/xds_client.h +3 -0
- data/src/core/ext/xds/xds_client_stats.cc +2 -1
- data/src/core/ext/xds/xds_server_config_fetcher.cc +147 -11
- data/src/core/lib/channel/handshaker.cc +2 -5
- data/src/core/lib/channel/handshaker.h +1 -1
- data/src/core/lib/gpr/log.cc +6 -1
- data/src/core/lib/gprpp/mpscq.cc +2 -2
- data/src/core/lib/gprpp/ref_counted.h +1 -1
- data/src/core/lib/gprpp/sync.h +129 -40
- data/src/core/lib/gprpp/time_util.cc +77 -0
- data/src/core/lib/gprpp/time_util.h +42 -0
- data/src/core/lib/http/httpcli_security_connector.cc +2 -2
- data/src/core/lib/iomgr/ev_apple.cc +10 -7
- data/src/core/lib/iomgr/ev_epollex_linux.cc +4 -4
- data/src/core/lib/iomgr/iomgr_posix.cc +0 -1
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +0 -1
- data/src/core/lib/iomgr/sockaddr_utils.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +1 -0
- data/src/core/lib/iomgr/tcp_client_posix.cc +1 -1
- data/src/core/lib/iomgr/tcp_posix.cc +4 -4
- data/src/core/lib/security/authorization/matchers.cc +339 -0
- data/src/core/lib/security/authorization/matchers.h +158 -0
- data/src/core/lib/security/authorization/mock_cel/activation.h +1 -1
- data/src/core/lib/security/authorization/mock_cel/cel_value.h +9 -7
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -1
- data/src/core/lib/security/credentials/alts/alts_credentials.h +1 -1
- data/src/core/lib/security/credentials/credentials.h +2 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +2 -2
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +1 -1
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -6
- data/src/core/lib/security/credentials/insecure/insecure_credentials.cc +2 -2
- data/src/core/lib/security/credentials/jwt/json_token.cc +0 -3
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +0 -3
- data/src/core/lib/security/credentials/local/local_credentials.cc +2 -1
- data/src/core/lib/security/credentials/local/local_credentials.h +1 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +2 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.cc +2 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.h +1 -1
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +128 -59
- data/src/core/lib/security/credentials/xds/xds_credentials.h +3 -3
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +5 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +3 -0
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +26 -14
- data/src/core/lib/security/transport/security_handshaker.cc +1 -3
- data/src/core/lib/slice/slice_intern.cc +1 -1
- data/src/core/lib/surface/init.cc +13 -15
- data/src/core/lib/surface/server.cc +3 -3
- data/src/core/lib/surface/server.h +3 -0
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/metadata.cc +6 -2
- data/src/core/plugin_registry/grpc_plugin_registry.cc +6 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +17 -20
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +16 -21
- data/src/core/tsi/fake_transport_security.cc +1 -1
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +0 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +2 -4
- data/src/core/tsi/ssl_transport_security.cc +0 -3
- data/src/core/tsi/ssl_transport_security.h +0 -3
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +7 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +1 -0
- data/third_party/boringssl-with-bazel/err_data.c +725 -723
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +15 -14
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +30 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +28 -79
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +39 -85
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +5 -16
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +10 -61
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +158 -0
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/bn_asn1.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +8 -9
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +60 -45
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +6 -81
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +87 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-aarch64-win.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/dh_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/params.c +179 -0
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +2 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +3 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +13 -20
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/check.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/dh.c +136 -213
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +28 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +128 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +0 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +51 -32
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +147 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +18 -29
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +13 -4
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +13 -11
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +34 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +7 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +5 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_r2x.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +29 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +39 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +11 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +40 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +25 -36
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +6 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +652 -545
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +0 -167
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +10 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +62 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +22 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +56 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +12 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +2 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +42 -24
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +27 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +287 -98
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +139 -36
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +4 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +11 -20
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +10 -5
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +37 -16
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +0 -1
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +20 -14
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +5 -7
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +329 -31
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +48 -15
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +66 -24
- metadata +77 -65
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +0 -60
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +0 -52
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +0 -143
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +0 -42
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +0 -84
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +0 -94
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +0 -54
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +0 -173
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +0 -36
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +0 -92
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.c +0 -42
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.c +0 -62
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.c +0 -45
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.c +0 -49
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.c +0 -68
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c +0 -51
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.h +0 -35
- data/src/core/lib/iomgr/iomgr_posix.h +0 -26
data/src/core/ext/xds/xds_api.h
CHANGED
|
@@ -36,6 +36,7 @@
|
|
|
36
36
|
#include "src/core/ext/filters/client_channel/server_address.h"
|
|
37
37
|
#include "src/core/ext/xds/xds_bootstrap.h"
|
|
38
38
|
#include "src/core/ext/xds/xds_client_stats.h"
|
|
39
|
+
#include "src/core/lib/security/authorization/matchers.h"
|
|
39
40
|
|
|
40
41
|
namespace grpc_core {
|
|
41
42
|
|
|
@@ -69,52 +70,7 @@ class XdsApi {
|
|
|
69
70
|
struct Route {
|
|
70
71
|
// Matchers for this route.
|
|
71
72
|
struct Matchers {
|
|
72
|
-
|
|
73
|
-
enum class PathMatcherType {
|
|
74
|
-
PATH, // path stored in string_matcher field
|
|
75
|
-
PREFIX, // prefix stored in string_matcher field
|
|
76
|
-
REGEX, // regex stored in regex_matcher field
|
|
77
|
-
};
|
|
78
|
-
PathMatcherType type;
|
|
79
|
-
std::string string_matcher;
|
|
80
|
-
std::unique_ptr<RE2> regex_matcher;
|
|
81
|
-
bool case_sensitive = true;
|
|
82
|
-
|
|
83
|
-
PathMatcher() = default;
|
|
84
|
-
PathMatcher(const PathMatcher& other);
|
|
85
|
-
PathMatcher& operator=(const PathMatcher& other);
|
|
86
|
-
bool operator==(const PathMatcher& other) const;
|
|
87
|
-
std::string ToString() const;
|
|
88
|
-
};
|
|
89
|
-
|
|
90
|
-
struct HeaderMatcher {
|
|
91
|
-
enum class HeaderMatcherType {
|
|
92
|
-
EXACT, // value stored in string_matcher field
|
|
93
|
-
REGEX, // uses regex_match field
|
|
94
|
-
RANGE, // uses range_start and range_end fields
|
|
95
|
-
PRESENT, // uses present_match field
|
|
96
|
-
PREFIX, // prefix stored in string_matcher field
|
|
97
|
-
SUFFIX, // suffix stored in string_matcher field
|
|
98
|
-
};
|
|
99
|
-
std::string name;
|
|
100
|
-
HeaderMatcherType type;
|
|
101
|
-
int64_t range_start;
|
|
102
|
-
int64_t range_end;
|
|
103
|
-
std::string string_matcher;
|
|
104
|
-
std::unique_ptr<RE2> regex_match;
|
|
105
|
-
bool present_match;
|
|
106
|
-
// invert_match field may or may not exisit, so initialize it to
|
|
107
|
-
// false.
|
|
108
|
-
bool invert_match = false;
|
|
109
|
-
|
|
110
|
-
HeaderMatcher() = default;
|
|
111
|
-
HeaderMatcher(const HeaderMatcher& other);
|
|
112
|
-
HeaderMatcher& operator=(const HeaderMatcher& other);
|
|
113
|
-
bool operator==(const HeaderMatcher& other) const;
|
|
114
|
-
std::string ToString() const;
|
|
115
|
-
};
|
|
116
|
-
|
|
117
|
-
PathMatcher path_matcher;
|
|
73
|
+
StringMatcher path_matcher;
|
|
118
74
|
std::vector<HeaderMatcher> header_matchers;
|
|
119
75
|
absl::optional<uint32_t> fraction_per_million;
|
|
120
76
|
|
|
@@ -175,42 +131,6 @@ class XdsApi {
|
|
|
175
131
|
VirtualHost* FindVirtualHostForDomain(const std::string& domain);
|
|
176
132
|
};
|
|
177
133
|
|
|
178
|
-
class StringMatcher {
|
|
179
|
-
public:
|
|
180
|
-
enum class StringMatcherType {
|
|
181
|
-
EXACT, // value stored in string_matcher_ field
|
|
182
|
-
PREFIX, // value stored in string_matcher_ field
|
|
183
|
-
SUFFIX, // value stored in string_matcher_ field
|
|
184
|
-
SAFE_REGEX, // pattern stored in regex_matcher_ field
|
|
185
|
-
CONTAINS, // value stored in string_matcher_ field
|
|
186
|
-
};
|
|
187
|
-
|
|
188
|
-
StringMatcher() = default;
|
|
189
|
-
StringMatcher(const StringMatcher& other);
|
|
190
|
-
StringMatcher(StringMatcherType type, const std::string& matcher,
|
|
191
|
-
bool ignore_case = false);
|
|
192
|
-
StringMatcher& operator=(const StringMatcher& other);
|
|
193
|
-
bool operator==(const StringMatcher& other) const;
|
|
194
|
-
|
|
195
|
-
bool Match(absl::string_view value) const;
|
|
196
|
-
|
|
197
|
-
std::string ToString() const;
|
|
198
|
-
|
|
199
|
-
StringMatcherType type() const { return type_; }
|
|
200
|
-
|
|
201
|
-
// Valid for EXACT, PREFIX, SUFFIX and CONTAINS
|
|
202
|
-
const std::string& string_matcher() const { return string_matcher_; }
|
|
203
|
-
|
|
204
|
-
// Valid for SAFE_REGEX
|
|
205
|
-
RE2* regex_matcher() const { return regex_matcher_.get(); }
|
|
206
|
-
|
|
207
|
-
private:
|
|
208
|
-
StringMatcherType type_ = StringMatcherType::EXACT;
|
|
209
|
-
std::string string_matcher_;
|
|
210
|
-
std::unique_ptr<RE2> regex_matcher_;
|
|
211
|
-
bool ignore_case_ = false;
|
|
212
|
-
};
|
|
213
|
-
|
|
214
134
|
struct CommonTlsContext {
|
|
215
135
|
struct CertificateValidationContext {
|
|
216
136
|
std::vector<StringMatcher> match_subject_alt_names;
|
|
@@ -264,9 +184,27 @@ class XdsApi {
|
|
|
264
184
|
bool Empty() const;
|
|
265
185
|
};
|
|
266
186
|
|
|
187
|
+
struct DownstreamTlsContext {
|
|
188
|
+
CommonTlsContext common_tls_context;
|
|
189
|
+
bool require_client_certificate = false;
|
|
190
|
+
|
|
191
|
+
bool operator==(const DownstreamTlsContext& other) const {
|
|
192
|
+
return common_tls_context == other.common_tls_context &&
|
|
193
|
+
require_client_certificate == other.require_client_certificate;
|
|
194
|
+
}
|
|
195
|
+
|
|
196
|
+
std::string ToString() const;
|
|
197
|
+
bool Empty() const;
|
|
198
|
+
};
|
|
199
|
+
|
|
267
200
|
// TODO(roth): When we can use absl::variant<>, consider using that
|
|
268
201
|
// here, to enforce the fact that only one of the two fields can be set.
|
|
269
202
|
struct LdsUpdate {
|
|
203
|
+
enum class ListenerType {
|
|
204
|
+
kTcpListener = 0,
|
|
205
|
+
kHttpApiListener,
|
|
206
|
+
} type;
|
|
207
|
+
DownstreamTlsContext downstream_tls_context;
|
|
270
208
|
// The name to use in the RDS request.
|
|
271
209
|
std::string route_config_name;
|
|
272
210
|
// Storing the Http Connection Manager Common Http Protocol Option
|
|
@@ -277,10 +215,13 @@ class XdsApi {
|
|
|
277
215
|
absl::optional<RdsUpdate> rds_update;
|
|
278
216
|
|
|
279
217
|
bool operator==(const LdsUpdate& other) const {
|
|
280
|
-
return
|
|
218
|
+
return downstream_tls_context == other.downstream_tls_context &&
|
|
219
|
+
route_config_name == other.route_config_name &&
|
|
281
220
|
rds_update == other.rds_update &&
|
|
282
221
|
http_max_stream_duration == other.http_max_stream_duration;
|
|
283
222
|
}
|
|
223
|
+
|
|
224
|
+
std::string ToString() const;
|
|
284
225
|
};
|
|
285
226
|
|
|
286
227
|
using LdsUpdateMap = std::map<std::string /*server_name*/, LdsUpdate>;
|
|
@@ -288,6 +229,9 @@ class XdsApi {
|
|
|
288
229
|
using RdsUpdateMap = std::map<std::string /*route_config_name*/, RdsUpdate>;
|
|
289
230
|
|
|
290
231
|
struct CdsUpdate {
|
|
232
|
+
enum ClusterType { EDS, LOGICAL_DNS, AGGREGATE };
|
|
233
|
+
ClusterType cluster_type;
|
|
234
|
+
// For cluster type EDS.
|
|
291
235
|
// The name to use in the EDS request.
|
|
292
236
|
// If empty, the cluster name will be used.
|
|
293
237
|
std::string eds_service_name;
|
|
@@ -298,15 +242,27 @@ class XdsApi {
|
|
|
298
242
|
// If set to the empty string, will use the same server we obtained the CDS
|
|
299
243
|
// data from.
|
|
300
244
|
absl::optional<std::string> lrs_load_reporting_server_name;
|
|
245
|
+
// The LB policy to use (e.g., "ROUND_ROBIN" or "RING_HASH").
|
|
246
|
+
std::string lb_policy;
|
|
247
|
+
// Used for RING_HASH LB policy only.
|
|
248
|
+
uint64_t min_ring_size = 1024;
|
|
249
|
+
uint64_t max_ring_size = 8388608;
|
|
250
|
+
enum HashFunction { XX_HASH, MURMUR_HASH_2 };
|
|
251
|
+
HashFunction hash_function;
|
|
301
252
|
// Maximum number of outstanding requests can be made to the upstream
|
|
302
253
|
// cluster.
|
|
303
254
|
uint32_t max_concurrent_requests = 1024;
|
|
255
|
+
// For cluster type AGGREGATE.
|
|
256
|
+
// The prioritized list of cluster names.
|
|
257
|
+
std::vector<std::string> prioritized_cluster_names;
|
|
304
258
|
|
|
305
259
|
bool operator==(const CdsUpdate& other) const {
|
|
306
|
-
return
|
|
260
|
+
return cluster_type == other.cluster_type &&
|
|
261
|
+
eds_service_name == other.eds_service_name &&
|
|
307
262
|
common_tls_context == other.common_tls_context &&
|
|
308
263
|
lrs_load_reporting_server_name ==
|
|
309
264
|
other.lrs_load_reporting_server_name &&
|
|
265
|
+
prioritized_cluster_names == other.prioritized_cluster_names &&
|
|
310
266
|
max_concurrent_requests == other.max_concurrent_requests;
|
|
311
267
|
}
|
|
312
268
|
|
|
@@ -424,6 +380,11 @@ class XdsApi {
|
|
|
424
380
|
// Parses an ADS response.
|
|
425
381
|
// If the response can't be parsed at the top level, the resulting
|
|
426
382
|
// type_url will be empty.
|
|
383
|
+
// If there is any other type of validation error, the parse_error
|
|
384
|
+
// field will be set to something other than GRPC_ERROR_NONE and the
|
|
385
|
+
// resource_names_failed field will be populated.
|
|
386
|
+
// Otherwise, one of the *_update_map fields will be populated, based
|
|
387
|
+
// on the type_url field.
|
|
427
388
|
struct AdsParseResult {
|
|
428
389
|
grpc_error* parse_error = GRPC_ERROR_NONE;
|
|
429
390
|
std::string version;
|
|
@@ -433,6 +394,7 @@ class XdsApi {
|
|
|
433
394
|
RdsUpdateMap rds_update_map;
|
|
434
395
|
CdsUpdateMap cds_update_map;
|
|
435
396
|
EdsUpdateMap eds_update_map;
|
|
397
|
+
std::set<std::string> resource_names_failed;
|
|
436
398
|
};
|
|
437
399
|
AdsParseResult ParseAdsResponse(
|
|
438
400
|
const grpc_slice& encoded_response,
|
|
@@ -48,8 +48,8 @@ bool XdsChannelCredsRegistry::IsSupported(const std::string& creds_type) {
|
|
|
48
48
|
creds_type == "fake";
|
|
49
49
|
}
|
|
50
50
|
|
|
51
|
-
bool XdsChannelCredsRegistry::IsValidConfig(const std::string& creds_type
|
|
52
|
-
const Json& config) {
|
|
51
|
+
bool XdsChannelCredsRegistry::IsValidConfig(const std::string& /*creds_type*/,
|
|
52
|
+
const Json& /*config*/) {
|
|
53
53
|
// Currently, none of the creds types actually take a config, but we
|
|
54
54
|
// ignore whatever might be specified in the bootstrap file for
|
|
55
55
|
// forward compatibility reasons.
|
|
@@ -58,7 +58,7 @@ bool XdsChannelCredsRegistry::IsValidConfig(const std::string& creds_type,
|
|
|
58
58
|
|
|
59
59
|
RefCountedPtr<grpc_channel_credentials>
|
|
60
60
|
XdsChannelCredsRegistry::MakeChannelCreds(const std::string& creds_type,
|
|
61
|
-
const Json& config) {
|
|
61
|
+
const Json& /*config*/) {
|
|
62
62
|
if (creds_type == "google_default") {
|
|
63
63
|
return grpc_google_default_credentials_create(nullptr);
|
|
64
64
|
} else if (creds_type == "insecure") {
|
|
@@ -132,36 +132,14 @@ std::string BootstrapString(const XdsBootstrap& bootstrap) {
|
|
|
132
132
|
return absl::StrJoin(parts, "");
|
|
133
133
|
}
|
|
134
134
|
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
grpc_error** error) {
|
|
140
|
-
grpc_core::UniquePtr<char> path(gpr_getenv("GRPC_XDS_BOOTSTRAP"));
|
|
141
|
-
if (path == nullptr) {
|
|
142
|
-
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
143
|
-
"Environment variable GRPC_XDS_BOOTSTRAP not defined");
|
|
144
|
-
return nullptr;
|
|
145
|
-
}
|
|
146
|
-
if (GRPC_TRACE_FLAG_ENABLED(*tracer)) {
|
|
147
|
-
gpr_log(GPR_INFO,
|
|
148
|
-
"[xds_client %p] Got bootstrap file location from "
|
|
149
|
-
"GRPC_XDS_BOOTSTRAP environment variable: %s",
|
|
150
|
-
client, path.get());
|
|
151
|
-
}
|
|
152
|
-
grpc_slice contents;
|
|
153
|
-
*error = grpc_load_file(path.get(), /*add_null_terminator=*/true, &contents);
|
|
154
|
-
if (*error != GRPC_ERROR_NONE) return nullptr;
|
|
155
|
-
absl::string_view contents_str_view = StringViewFromSlice(contents);
|
|
156
|
-
if (GRPC_TRACE_FLAG_ENABLED(*tracer)) {
|
|
157
|
-
gpr_log(GPR_DEBUG, "[xds_client %p] Bootstrap file contents: %s", client,
|
|
158
|
-
std::string(contents_str_view).c_str());
|
|
159
|
-
}
|
|
160
|
-
Json json = Json::Parse(contents_str_view, error);
|
|
161
|
-
grpc_slice_unref_internal(contents);
|
|
135
|
+
std::unique_ptr<XdsBootstrap> ParseJsonAndCreate(
|
|
136
|
+
XdsClient* client, TraceFlag* tracer, absl::string_view json_string,
|
|
137
|
+
absl::string_view bootstrap_source, grpc_error** error) {
|
|
138
|
+
Json json = Json::Parse(json_string, error);
|
|
162
139
|
if (*error != GRPC_ERROR_NONE) {
|
|
163
140
|
grpc_error* error_out = GRPC_ERROR_CREATE_REFERENCING_FROM_COPIED_STRING(
|
|
164
|
-
absl::StrCat("Failed to parse bootstrap
|
|
141
|
+
absl::StrCat("Failed to parse bootstrap from ", bootstrap_source)
|
|
142
|
+
.c_str(),
|
|
165
143
|
error, 1);
|
|
166
144
|
GRPC_ERROR_UNREF(*error);
|
|
167
145
|
*error = error_out;
|
|
@@ -177,6 +155,55 @@ std::unique_ptr<XdsBootstrap> XdsBootstrap::ReadFromFile(XdsClient* client,
|
|
|
177
155
|
return result;
|
|
178
156
|
}
|
|
179
157
|
|
|
158
|
+
} // namespace
|
|
159
|
+
|
|
160
|
+
std::unique_ptr<XdsBootstrap> XdsBootstrap::Create(XdsClient* client,
|
|
161
|
+
TraceFlag* tracer,
|
|
162
|
+
const char* fallback_config,
|
|
163
|
+
grpc_error** error) {
|
|
164
|
+
// First, try GRPC_XDS_BOOTSTRAP env var.
|
|
165
|
+
grpc_core::UniquePtr<char> path(gpr_getenv("GRPC_XDS_BOOTSTRAP"));
|
|
166
|
+
if (path != nullptr) {
|
|
167
|
+
if (GRPC_TRACE_FLAG_ENABLED(*tracer)) {
|
|
168
|
+
gpr_log(GPR_INFO,
|
|
169
|
+
"[xds_client %p] Got bootstrap file location from "
|
|
170
|
+
"GRPC_XDS_BOOTSTRAP environment variable: %s",
|
|
171
|
+
client, path.get());
|
|
172
|
+
}
|
|
173
|
+
grpc_slice contents;
|
|
174
|
+
*error =
|
|
175
|
+
grpc_load_file(path.get(), /*add_null_terminator=*/true, &contents);
|
|
176
|
+
if (*error != GRPC_ERROR_NONE) return nullptr;
|
|
177
|
+
absl::string_view contents_str_view = StringViewFromSlice(contents);
|
|
178
|
+
if (GRPC_TRACE_FLAG_ENABLED(*tracer)) {
|
|
179
|
+
gpr_log(GPR_DEBUG, "[xds_client %p] Bootstrap file contents: %s", client,
|
|
180
|
+
std::string(contents_str_view).c_str());
|
|
181
|
+
}
|
|
182
|
+
std::string bootstrap_source = absl::StrCat("file ", path.get());
|
|
183
|
+
auto result = ParseJsonAndCreate(client, tracer, contents_str_view,
|
|
184
|
+
bootstrap_source, error);
|
|
185
|
+
grpc_slice_unref_internal(contents);
|
|
186
|
+
return result;
|
|
187
|
+
}
|
|
188
|
+
// Next, try GRPC_XDS_BOOTSTRAP_CONFIG env var.
|
|
189
|
+
grpc_core::UniquePtr<char> env_config(
|
|
190
|
+
gpr_getenv("GRPC_XDS_BOOTSTRAP_CONFIG"));
|
|
191
|
+
if (env_config != nullptr) {
|
|
192
|
+
return ParseJsonAndCreate(client, tracer, env_config.get(),
|
|
193
|
+
"GRPC_XDS_BOOTSTRAP_CONFIG env var", error);
|
|
194
|
+
}
|
|
195
|
+
// Finally, try fallback config.
|
|
196
|
+
if (fallback_config != nullptr) {
|
|
197
|
+
return ParseJsonAndCreate(client, tracer, fallback_config,
|
|
198
|
+
"fallback config", error);
|
|
199
|
+
}
|
|
200
|
+
// No bootstrap config found.
|
|
201
|
+
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
202
|
+
"Environment variables GRPC_XDS_BOOTSTRAP or GRPC_XDS_BOOTSTRAP_CONFIG "
|
|
203
|
+
"not defined");
|
|
204
|
+
return nullptr;
|
|
205
|
+
}
|
|
206
|
+
|
|
180
207
|
XdsBootstrap::XdsBootstrap(Json json, grpc_error** error) {
|
|
181
208
|
if (json.type() != Json::Type::OBJECT) {
|
|
182
209
|
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
@@ -357,15 +384,7 @@ grpc_error* XdsBootstrap::ParseServerFeaturesArray(Json* json,
|
|
|
357
384
|
Json& child = json->mutable_array()->at(i);
|
|
358
385
|
if (child.type() == Json::Type::STRING &&
|
|
359
386
|
child.string_value() == "xds_v3") {
|
|
360
|
-
|
|
361
|
-
// are sure that the v3 code actually works.
|
|
362
|
-
grpc_core::UniquePtr<char> enable_str(
|
|
363
|
-
gpr_getenv("GRPC_XDS_EXPERIMENTAL_V3_SUPPORT"));
|
|
364
|
-
bool enabled = false;
|
|
365
|
-
if (gpr_parse_bool_value(enable_str.get(), &enabled) && enabled) {
|
|
366
|
-
server->server_features.insert(
|
|
367
|
-
std::move(*child.mutable_string_value()));
|
|
368
|
-
}
|
|
387
|
+
server->server_features.insert(std::move(*child.mutable_string_value()));
|
|
369
388
|
}
|
|
370
389
|
}
|
|
371
390
|
return GRPC_ERROR_CREATE_FROM_VECTOR(
|
|
@@ -67,11 +67,19 @@ class XdsBootstrap {
|
|
|
67
67
|
bool ShouldUseV3() const;
|
|
68
68
|
};
|
|
69
69
|
|
|
70
|
+
// Creates bootstrap object, obtaining the bootstrap JSON as appropriate
|
|
71
|
+
// for the environment:
|
|
72
|
+
// - If the GRPC_XDS_BOOTSTRAP env var is set, reads the file it specifies
|
|
73
|
+
// to obtain the bootstrap JSON.
|
|
74
|
+
// - Otherwise, if the GRPC_XDS_BOOTSTRAP_CONFIG env var is set, reads the
|
|
75
|
+
// content of that env var to obtain the bootstrap JSON.
|
|
76
|
+
// - Otherwise, the JSON will be read from fallback_config (if non-null).
|
|
70
77
|
// If *error is not GRPC_ERROR_NONE after returning, then there was an
|
|
71
|
-
// error reading the file.
|
|
72
|
-
static std::unique_ptr<XdsBootstrap>
|
|
73
|
-
|
|
74
|
-
|
|
78
|
+
// error (e.g., no config found or error reading the file).
|
|
79
|
+
static std::unique_ptr<XdsBootstrap> Create(XdsClient* client,
|
|
80
|
+
TraceFlag* tracer,
|
|
81
|
+
const char* fallback_config,
|
|
82
|
+
grpc_error** error);
|
|
75
83
|
|
|
76
84
|
// Do not instantiate directly -- use ReadFromFile() above instead.
|
|
77
85
|
XdsBootstrap(Json json, grpc_error** error);
|
|
@@ -37,15 +37,16 @@ class RootCertificatesWatcher
|
|
|
37
37
|
// presently, the watcher is immediately deleted when
|
|
38
38
|
// CancelTlsCertificatesWatch() is called, but that can potentially change in
|
|
39
39
|
// the future.
|
|
40
|
-
|
|
41
|
-
RefCountedPtr<grpc_tls_certificate_distributor> parent
|
|
42
|
-
|
|
40
|
+
RootCertificatesWatcher(
|
|
41
|
+
RefCountedPtr<grpc_tls_certificate_distributor> parent,
|
|
42
|
+
std::string cert_name)
|
|
43
|
+
: parent_(std::move(parent)), cert_name_(std::move(cert_name)) {}
|
|
43
44
|
|
|
44
45
|
void OnCertificatesChanged(absl::optional<absl::string_view> root_certs,
|
|
45
46
|
absl::optional<PemKeyCertPairList>
|
|
46
47
|
/* key_cert_pairs */) override {
|
|
47
48
|
if (root_certs.has_value()) {
|
|
48
|
-
parent_->SetKeyMaterials(
|
|
49
|
+
parent_->SetKeyMaterials(cert_name_, std::string(root_certs.value()),
|
|
49
50
|
absl::nullopt);
|
|
50
51
|
}
|
|
51
52
|
}
|
|
@@ -53,7 +54,7 @@ class RootCertificatesWatcher
|
|
|
53
54
|
void OnError(grpc_error* root_cert_error,
|
|
54
55
|
grpc_error* identity_cert_error) override {
|
|
55
56
|
if (root_cert_error != GRPC_ERROR_NONE) {
|
|
56
|
-
parent_->SetErrorForCert(
|
|
57
|
+
parent_->SetErrorForCert(cert_name_, root_cert_error /* pass the ref */,
|
|
57
58
|
absl::nullopt);
|
|
58
59
|
}
|
|
59
60
|
GRPC_ERROR_UNREF(identity_cert_error);
|
|
@@ -61,6 +62,7 @@ class RootCertificatesWatcher
|
|
|
61
62
|
|
|
62
63
|
private:
|
|
63
64
|
RefCountedPtr<grpc_tls_certificate_distributor> parent_;
|
|
65
|
+
std::string cert_name_;
|
|
64
66
|
};
|
|
65
67
|
|
|
66
68
|
class IdentityCertificatesWatcher
|
|
@@ -71,22 +73,23 @@ class IdentityCertificatesWatcher
|
|
|
71
73
|
// presently, the watcher is immediately deleted when
|
|
72
74
|
// CancelTlsCertificatesWatch() is called, but that can potentially change in
|
|
73
75
|
// the future.
|
|
74
|
-
|
|
75
|
-
RefCountedPtr<grpc_tls_certificate_distributor> parent
|
|
76
|
-
|
|
76
|
+
IdentityCertificatesWatcher(
|
|
77
|
+
RefCountedPtr<grpc_tls_certificate_distributor> parent,
|
|
78
|
+
std::string cert_name)
|
|
79
|
+
: parent_(std::move(parent)), cert_name_(std::move(cert_name)) {}
|
|
77
80
|
|
|
78
81
|
void OnCertificatesChanged(
|
|
79
82
|
absl::optional<absl::string_view> /* root_certs */,
|
|
80
83
|
absl::optional<PemKeyCertPairList> key_cert_pairs) override {
|
|
81
84
|
if (key_cert_pairs.has_value()) {
|
|
82
|
-
parent_->SetKeyMaterials(
|
|
85
|
+
parent_->SetKeyMaterials(cert_name_, absl::nullopt, key_cert_pairs);
|
|
83
86
|
}
|
|
84
87
|
}
|
|
85
88
|
|
|
86
89
|
void OnError(grpc_error* root_cert_error,
|
|
87
90
|
grpc_error* identity_cert_error) override {
|
|
88
91
|
if (identity_cert_error != GRPC_ERROR_NONE) {
|
|
89
|
-
parent_->SetErrorForCert(
|
|
92
|
+
parent_->SetErrorForCert(cert_name_, absl::nullopt,
|
|
90
93
|
identity_cert_error /* pass the ref */);
|
|
91
94
|
}
|
|
92
95
|
GRPC_ERROR_UNREF(root_cert_error);
|
|
@@ -94,34 +97,35 @@ class IdentityCertificatesWatcher
|
|
|
94
97
|
|
|
95
98
|
private:
|
|
96
99
|
RefCountedPtr<grpc_tls_certificate_distributor> parent_;
|
|
100
|
+
std::string cert_name_;
|
|
97
101
|
};
|
|
98
102
|
|
|
99
103
|
} // namespace
|
|
100
104
|
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
distributor_->SetWatchStatusCallback(
|
|
114
|
-
absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
|
|
105
|
+
//
|
|
106
|
+
// XdsCertificateProvider::ClusterCertificateState
|
|
107
|
+
//
|
|
108
|
+
|
|
109
|
+
XdsCertificateProvider::ClusterCertificateState::~ClusterCertificateState() {
|
|
110
|
+
if (root_cert_watcher_ != nullptr) {
|
|
111
|
+
root_cert_distributor_->CancelTlsCertificatesWatch(root_cert_watcher_);
|
|
112
|
+
}
|
|
113
|
+
if (identity_cert_watcher_ != nullptr) {
|
|
114
|
+
identity_cert_distributor_->CancelTlsCertificatesWatch(
|
|
115
|
+
identity_cert_watcher_);
|
|
116
|
+
}
|
|
115
117
|
}
|
|
116
118
|
|
|
117
|
-
XdsCertificateProvider
|
|
118
|
-
|
|
119
|
+
bool XdsCertificateProvider::ClusterCertificateState::IsSafeToRemove() const {
|
|
120
|
+
return !watching_root_certs_ && !watching_identity_certs_ &&
|
|
121
|
+
root_cert_distributor_ == nullptr &&
|
|
122
|
+
identity_cert_distributor_ == nullptr;
|
|
119
123
|
}
|
|
120
124
|
|
|
121
|
-
void XdsCertificateProvider::
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
+
void XdsCertificateProvider::ClusterCertificateState::
|
|
126
|
+
UpdateRootCertNameAndDistributor(
|
|
127
|
+
const std::string& cert_name, absl::string_view root_cert_name,
|
|
128
|
+
RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor) {
|
|
125
129
|
if (root_cert_name_ == root_cert_name &&
|
|
126
130
|
root_cert_distributor_ == root_cert_distributor) {
|
|
127
131
|
return;
|
|
@@ -133,10 +137,10 @@ void XdsCertificateProvider::UpdateRootCertNameAndDistributor(
|
|
|
133
137
|
root_cert_distributor_->CancelTlsCertificatesWatch(root_cert_watcher_);
|
|
134
138
|
}
|
|
135
139
|
if (root_cert_distributor != nullptr) {
|
|
136
|
-
UpdateRootCertWatcher(root_cert_distributor.get());
|
|
140
|
+
UpdateRootCertWatcher(cert_name, root_cert_distributor.get());
|
|
137
141
|
} else {
|
|
138
142
|
root_cert_watcher_ = nullptr;
|
|
139
|
-
distributor_->SetErrorForCert(
|
|
143
|
+
xds_certificate_provider_->distributor_->SetErrorForCert(
|
|
140
144
|
"",
|
|
141
145
|
GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
142
146
|
"No certificate provider available for root certificates"),
|
|
@@ -147,10 +151,11 @@ void XdsCertificateProvider::UpdateRootCertNameAndDistributor(
|
|
|
147
151
|
root_cert_distributor_ = std::move(root_cert_distributor);
|
|
148
152
|
}
|
|
149
153
|
|
|
150
|
-
void XdsCertificateProvider::
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
+
void XdsCertificateProvider::ClusterCertificateState::
|
|
155
|
+
UpdateIdentityCertNameAndDistributor(
|
|
156
|
+
const std::string& cert_name, absl::string_view identity_cert_name,
|
|
157
|
+
RefCountedPtr<grpc_tls_certificate_distributor>
|
|
158
|
+
identity_cert_distributor) {
|
|
154
159
|
if (identity_cert_name_ == identity_cert_name &&
|
|
155
160
|
identity_cert_distributor_ == identity_cert_distributor) {
|
|
156
161
|
return;
|
|
@@ -163,10 +168,10 @@ void XdsCertificateProvider::UpdateIdentityCertNameAndDistributor(
|
|
|
163
168
|
identity_cert_watcher_);
|
|
164
169
|
}
|
|
165
170
|
if (identity_cert_distributor != nullptr) {
|
|
166
|
-
UpdateIdentityCertWatcher(identity_cert_distributor.get());
|
|
171
|
+
UpdateIdentityCertWatcher(cert_name, identity_cert_distributor.get());
|
|
167
172
|
} else {
|
|
168
173
|
identity_cert_watcher_ = nullptr;
|
|
169
|
-
distributor_->SetErrorForCert(
|
|
174
|
+
xds_certificate_provider_->distributor_->SetErrorForCert(
|
|
170
175
|
"", absl::nullopt,
|
|
171
176
|
GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
172
177
|
"No certificate provider available for identity certificates"));
|
|
@@ -176,42 +181,45 @@ void XdsCertificateProvider::UpdateIdentityCertNameAndDistributor(
|
|
|
176
181
|
identity_cert_distributor_ = std::move(identity_cert_distributor);
|
|
177
182
|
}
|
|
178
183
|
|
|
179
|
-
void XdsCertificateProvider::
|
|
180
|
-
std::
|
|
181
|
-
|
|
182
|
-
|
|
184
|
+
void XdsCertificateProvider::ClusterCertificateState::UpdateRootCertWatcher(
|
|
185
|
+
const std::string& cert_name,
|
|
186
|
+
grpc_tls_certificate_distributor* root_cert_distributor) {
|
|
187
|
+
auto watcher = absl::make_unique<RootCertificatesWatcher>(
|
|
188
|
+
xds_certificate_provider_->distributor_, cert_name);
|
|
189
|
+
root_cert_watcher_ = watcher.get();
|
|
190
|
+
root_cert_distributor->WatchTlsCertificates(std::move(watcher),
|
|
191
|
+
root_cert_name_, absl::nullopt);
|
|
183
192
|
}
|
|
184
193
|
|
|
185
|
-
void XdsCertificateProvider::
|
|
186
|
-
|
|
187
|
-
|
|
194
|
+
void XdsCertificateProvider::ClusterCertificateState::UpdateIdentityCertWatcher(
|
|
195
|
+
const std::string& cert_name,
|
|
196
|
+
grpc_tls_certificate_distributor* identity_cert_distributor) {
|
|
197
|
+
auto watcher = absl::make_unique<IdentityCertificatesWatcher>(
|
|
198
|
+
xds_certificate_provider_->distributor_, cert_name);
|
|
199
|
+
identity_cert_watcher_ = watcher.get();
|
|
200
|
+
identity_cert_distributor->WatchTlsCertificates(
|
|
201
|
+
std::move(watcher), absl::nullopt, identity_cert_name_);
|
|
202
|
+
}
|
|
203
|
+
|
|
204
|
+
void XdsCertificateProvider::ClusterCertificateState::WatchStatusCallback(
|
|
205
|
+
const std::string& cert_name, bool root_being_watched,
|
|
206
|
+
bool identity_being_watched) {
|
|
188
207
|
// We aren't specially handling the case where root_cert_distributor is same
|
|
189
208
|
// as identity_cert_distributor. Always using two separate watchers
|
|
190
209
|
// irrespective of the fact results in a straightforward design, and using a
|
|
191
210
|
// single watcher does not seem to provide any benefit other than cutting down
|
|
192
211
|
// on the number of callbacks.
|
|
193
|
-
MutexLock lock(&mu_);
|
|
194
|
-
if (!cert_name.empty()) {
|
|
195
|
-
grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
|
|
196
|
-
absl::StrCat("Illegal certificate name: \'", cert_name,
|
|
197
|
-
"\'. Should be empty.")
|
|
198
|
-
.c_str());
|
|
199
|
-
distributor_->SetErrorForCert(cert_name, GRPC_ERROR_REF(error),
|
|
200
|
-
GRPC_ERROR_REF(error));
|
|
201
|
-
GRPC_ERROR_UNREF(error);
|
|
202
|
-
return;
|
|
203
|
-
}
|
|
204
212
|
if (root_being_watched && !watching_root_certs_) {
|
|
205
213
|
// We need to start watching root certs.
|
|
206
214
|
watching_root_certs_ = true;
|
|
207
215
|
if (root_cert_distributor_ == nullptr) {
|
|
208
|
-
distributor_->SetErrorForCert(
|
|
209
|
-
|
|
216
|
+
xds_certificate_provider_->distributor_->SetErrorForCert(
|
|
217
|
+
cert_name,
|
|
210
218
|
GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
211
219
|
"No certificate provider available for root certificates"),
|
|
212
220
|
absl::nullopt);
|
|
213
221
|
} else {
|
|
214
|
-
UpdateRootCertWatcher(root_cert_distributor_.get());
|
|
222
|
+
UpdateRootCertWatcher(cert_name, root_cert_distributor_.get());
|
|
215
223
|
}
|
|
216
224
|
} else if (!root_being_watched && watching_root_certs_) {
|
|
217
225
|
// We need to cancel root certs watch.
|
|
@@ -225,12 +233,12 @@ void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
|
|
|
225
233
|
if (identity_being_watched && !watching_identity_certs_) {
|
|
226
234
|
watching_identity_certs_ = true;
|
|
227
235
|
if (identity_cert_distributor_ == nullptr) {
|
|
228
|
-
distributor_->SetErrorForCert(
|
|
229
|
-
|
|
236
|
+
xds_certificate_provider_->distributor_->SetErrorForCert(
|
|
237
|
+
cert_name, absl::nullopt,
|
|
230
238
|
GRPC_ERROR_CREATE_FROM_STATIC_STRING(
|
|
231
239
|
"No certificate provider available for identity certificates"));
|
|
232
240
|
} else {
|
|
233
|
-
UpdateIdentityCertWatcher(identity_cert_distributor_.get());
|
|
241
|
+
UpdateIdentityCertWatcher(cert_name, identity_cert_distributor_.get());
|
|
234
242
|
}
|
|
235
243
|
} else if (!identity_being_watched && watching_identity_certs_) {
|
|
236
244
|
watching_identity_certs_ = false;
|
|
@@ -243,20 +251,118 @@ void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
|
|
|
243
251
|
}
|
|
244
252
|
}
|
|
245
253
|
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
|
|
254
|
+
//
|
|
255
|
+
// XdsCertificateProvider
|
|
256
|
+
//
|
|
257
|
+
|
|
258
|
+
XdsCertificateProvider::XdsCertificateProvider()
|
|
259
|
+
: distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()) {
|
|
260
|
+
distributor_->SetWatchStatusCallback(
|
|
261
|
+
absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
|
|
252
262
|
}
|
|
253
263
|
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
264
|
+
XdsCertificateProvider::~XdsCertificateProvider() {
|
|
265
|
+
distributor_->SetWatchStatusCallback(nullptr);
|
|
266
|
+
}
|
|
267
|
+
|
|
268
|
+
bool XdsCertificateProvider::ProvidesRootCerts(const std::string& cert_name) {
|
|
269
|
+
MutexLock lock(&mu_);
|
|
270
|
+
auto it = certificate_state_map_.find(cert_name);
|
|
271
|
+
if (it == certificate_state_map_.end()) return false;
|
|
272
|
+
return it->second->ProvidesRootCerts();
|
|
273
|
+
}
|
|
274
|
+
|
|
275
|
+
void XdsCertificateProvider::UpdateRootCertNameAndDistributor(
|
|
276
|
+
const std::string& cert_name, absl::string_view root_cert_name,
|
|
277
|
+
RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor) {
|
|
278
|
+
MutexLock lock(&mu_);
|
|
279
|
+
auto it = certificate_state_map_.find(cert_name);
|
|
280
|
+
if (it == certificate_state_map_.end()) {
|
|
281
|
+
it = certificate_state_map_
|
|
282
|
+
.emplace(cert_name,
|
|
283
|
+
absl::make_unique<ClusterCertificateState>(this))
|
|
284
|
+
.first;
|
|
285
|
+
}
|
|
286
|
+
it->second->UpdateRootCertNameAndDistributor(cert_name, root_cert_name,
|
|
287
|
+
root_cert_distributor);
|
|
288
|
+
// Delete unused entries.
|
|
289
|
+
if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
|
|
290
|
+
}
|
|
291
|
+
|
|
292
|
+
bool XdsCertificateProvider::ProvidesIdentityCerts(
|
|
293
|
+
const std::string& cert_name) {
|
|
294
|
+
MutexLock lock(&mu_);
|
|
295
|
+
auto it = certificate_state_map_.find(cert_name);
|
|
296
|
+
if (it == certificate_state_map_.end()) return false;
|
|
297
|
+
return it->second->ProvidesIdentityCerts();
|
|
298
|
+
}
|
|
299
|
+
|
|
300
|
+
void XdsCertificateProvider::UpdateIdentityCertNameAndDistributor(
|
|
301
|
+
const std::string& cert_name, absl::string_view identity_cert_name,
|
|
302
|
+
RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor) {
|
|
303
|
+
MutexLock lock(&mu_);
|
|
304
|
+
auto it = certificate_state_map_.find(cert_name);
|
|
305
|
+
if (it == certificate_state_map_.end()) {
|
|
306
|
+
it = certificate_state_map_
|
|
307
|
+
.emplace(cert_name,
|
|
308
|
+
absl::make_unique<ClusterCertificateState>(this))
|
|
309
|
+
.first;
|
|
310
|
+
}
|
|
311
|
+
it->second->UpdateIdentityCertNameAndDistributor(
|
|
312
|
+
cert_name, identity_cert_name, identity_cert_distributor);
|
|
313
|
+
// Delete unused entries.
|
|
314
|
+
if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
|
|
315
|
+
}
|
|
316
|
+
|
|
317
|
+
bool XdsCertificateProvider::GetRequireClientCertificate(
|
|
318
|
+
const std::string& cert_name) {
|
|
319
|
+
MutexLock lock(&mu_);
|
|
320
|
+
auto it = certificate_state_map_.find(cert_name);
|
|
321
|
+
if (it == certificate_state_map_.end()) return false;
|
|
322
|
+
return it->second->require_client_certificate();
|
|
323
|
+
}
|
|
324
|
+
|
|
325
|
+
void XdsCertificateProvider::UpdateRequireClientCertificate(
|
|
326
|
+
const std::string& cert_name, bool require_client_certificate) {
|
|
327
|
+
MutexLock lock(&mu_);
|
|
328
|
+
auto it = certificate_state_map_.find(cert_name);
|
|
329
|
+
if (it == certificate_state_map_.end()) return;
|
|
330
|
+
it->second->set_require_client_certificate(require_client_certificate);
|
|
331
|
+
}
|
|
332
|
+
|
|
333
|
+
std::vector<StringMatcher> XdsCertificateProvider::GetSanMatchers(
|
|
334
|
+
const std::string& cluster) {
|
|
335
|
+
MutexLock lock(&san_matchers_mu_);
|
|
336
|
+
auto it = san_matcher_map_.find(cluster);
|
|
337
|
+
if (it == san_matcher_map_.end()) return {};
|
|
338
|
+
return it->second;
|
|
339
|
+
}
|
|
340
|
+
|
|
341
|
+
void XdsCertificateProvider::UpdateSubjectAlternativeNameMatchers(
|
|
342
|
+
const std::string& cluster, std::vector<StringMatcher> matchers) {
|
|
343
|
+
MutexLock lock(&san_matchers_mu_);
|
|
344
|
+
if (matchers.empty()) {
|
|
345
|
+
san_matcher_map_.erase(cluster);
|
|
346
|
+
} else {
|
|
347
|
+
san_matcher_map_[cluster] = std::move(matchers);
|
|
348
|
+
}
|
|
349
|
+
}
|
|
350
|
+
|
|
351
|
+
void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
|
|
352
|
+
bool root_being_watched,
|
|
353
|
+
bool identity_being_watched) {
|
|
354
|
+
MutexLock lock(&mu_);
|
|
355
|
+
auto it = certificate_state_map_.find(cert_name);
|
|
356
|
+
if (it == certificate_state_map_.end()) {
|
|
357
|
+
it = certificate_state_map_
|
|
358
|
+
.emplace(cert_name,
|
|
359
|
+
absl::make_unique<ClusterCertificateState>(this))
|
|
360
|
+
.first;
|
|
361
|
+
}
|
|
362
|
+
it->second->WatchStatusCallback(cert_name, root_being_watched,
|
|
363
|
+
identity_being_watched);
|
|
364
|
+
// Delete unused entries.
|
|
365
|
+
if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
|
|
260
366
|
}
|
|
261
367
|
|
|
262
368
|
namespace {
|