grpc 1.35.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (335) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +60 -57
  3. data/include/grpc/grpc_security.h +16 -11
  4. data/src/core/ext/filters/client_channel/client_channel.cc +32 -26
  5. data/src/core/ext/filters/client_channel/client_channel.h +0 -2
  6. data/src/core/ext/filters/client_channel/config_selector.h +1 -1
  7. data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +2 -2
  8. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +3 -5
  9. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -2
  10. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -2
  11. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +1 -1
  12. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +8 -6
  13. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +289 -170
  14. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +5 -0
  15. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -3
  16. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +231 -109
  17. data/src/core/ext/filters/client_channel/resolver.cc +2 -5
  18. data/src/core/ext/filters/client_channel/resolver.h +1 -12
  19. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +36 -45
  20. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +29 -41
  21. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +16 -14
  22. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +18 -15
  23. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +362 -0
  24. data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +4 -4
  25. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +22 -74
  26. data/src/core/ext/filters/client_channel/server_address.cc +6 -0
  27. data/src/core/ext/filters/client_channel/server_address.h +31 -0
  28. data/src/core/ext/filters/client_channel/subchannel.cc +2 -2
  29. data/src/core/ext/filters/max_age/max_age_filter.cc +35 -32
  30. data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +1 -1
  31. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +47 -22
  32. data/src/core/ext/transport/chttp2/server/chttp2_server.h +11 -2
  33. data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +11 -1
  34. data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +62 -18
  35. data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +0 -1
  36. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +11 -16
  37. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +42 -59
  38. data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +3 -2
  39. data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +15 -0
  40. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +25 -1
  41. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +75 -0
  42. data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +2 -2
  43. data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +9 -9
  44. data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +7 -7
  45. data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +28 -13
  46. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +0 -1
  47. data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +11 -5
  48. data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +41 -7
  49. data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +0 -1
  50. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -21
  51. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +122 -77
  52. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +13 -9
  53. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +37 -5
  54. data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +0 -1
  55. data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +11 -9
  56. data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +44 -27
  57. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +42 -16
  58. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +106 -0
  59. data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +0 -1
  60. data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +29 -0
  61. data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +67 -0
  62. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +13 -16
  63. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +51 -42
  64. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +0 -1
  65. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +16 -13
  66. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +50 -18
  67. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +4 -7
  68. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +0 -17
  69. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +0 -1
  70. data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +30 -23
  71. data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +85 -73
  72. data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +0 -3
  73. data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +0 -3
  74. data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +0 -1
  75. data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.c +0 -2
  76. data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +0 -1
  77. data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +21 -4
  78. data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +29 -0
  79. data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/authority.upb.c +5 -5
  80. data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +60 -0
  81. data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +52 -0
  82. data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +143 -0
  83. data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +42 -0
  84. data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +84 -0
  85. data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/resource.upb.c +9 -9
  86. data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +94 -0
  87. data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +54 -0
  88. data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +166 -0
  89. data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +36 -0
  90. data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +85 -0
  91. data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +168 -171
  92. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +405 -420
  93. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +2 -2
  94. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +12 -9
  95. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +177 -171
  96. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
  97. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +88 -88
  98. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +153 -153
  99. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +4 -7
  100. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +33 -20
  101. data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +56 -59
  102. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +116 -111
  103. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +129 -121
  104. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +21 -24
  105. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +17 -13
  106. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +747 -724
  107. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +5 -0
  108. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +22 -25
  109. data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +51 -0
  110. data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +35 -0
  111. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +369 -376
  112. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +12 -16
  113. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +112 -108
  114. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +45 -53
  115. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +177 -180
  116. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +92 -102
  117. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +5 -0
  118. data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.c +32 -42
  119. data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.c +30 -40
  120. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +4 -7
  121. data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.c +38 -44
  122. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +30 -33
  123. data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +14 -11
  124. data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +42 -0
  125. data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +35 -0
  126. data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +62 -0
  127. data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +40 -0
  128. data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +45 -0
  129. data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +40 -0
  130. data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +49 -0
  131. data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +35 -0
  132. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +67 -0
  133. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +40 -0
  134. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +50 -0
  135. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +35 -0
  136. data/src/core/ext/xds/xds_api.cc +738 -567
  137. data/src/core/ext/xds/xds_api.h +46 -84
  138. data/src/core/ext/xds/xds_bootstrap.cc +59 -40
  139. data/src/core/ext/xds/xds_bootstrap.h +12 -4
  140. data/src/core/ext/xds/xds_certificate_provider.cc +180 -74
  141. data/src/core/ext/xds/xds_certificate_provider.h +83 -44
  142. data/src/core/ext/xds/xds_client.cc +13 -11
  143. data/src/core/ext/xds/xds_client.h +3 -0
  144. data/src/core/ext/xds/xds_client_stats.cc +2 -1
  145. data/src/core/ext/xds/xds_server_config_fetcher.cc +147 -11
  146. data/src/core/lib/channel/handshaker.cc +2 -5
  147. data/src/core/lib/channel/handshaker.h +1 -1
  148. data/src/core/lib/gpr/log.cc +6 -1
  149. data/src/core/lib/gprpp/mpscq.cc +2 -2
  150. data/src/core/lib/gprpp/ref_counted.h +1 -1
  151. data/src/core/lib/gprpp/sync.h +129 -40
  152. data/src/core/lib/gprpp/time_util.cc +77 -0
  153. data/src/core/lib/gprpp/time_util.h +42 -0
  154. data/src/core/lib/http/httpcli_security_connector.cc +2 -2
  155. data/src/core/lib/iomgr/ev_apple.cc +10 -7
  156. data/src/core/lib/iomgr/ev_epollex_linux.cc +4 -4
  157. data/src/core/lib/iomgr/iomgr_posix.cc +0 -1
  158. data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +0 -1
  159. data/src/core/lib/iomgr/sockaddr_utils.cc +1 -1
  160. data/src/core/lib/iomgr/socket_utils_common_posix.cc +1 -0
  161. data/src/core/lib/iomgr/tcp_client_posix.cc +1 -1
  162. data/src/core/lib/iomgr/tcp_posix.cc +4 -4
  163. data/src/core/lib/security/authorization/matchers.cc +339 -0
  164. data/src/core/lib/security/authorization/matchers.h +158 -0
  165. data/src/core/lib/security/authorization/mock_cel/activation.h +1 -1
  166. data/src/core/lib/security/authorization/mock_cel/cel_value.h +9 -7
  167. data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -1
  168. data/src/core/lib/security/credentials/alts/alts_credentials.h +1 -1
  169. data/src/core/lib/security/credentials/credentials.h +2 -1
  170. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +1 -1
  171. data/src/core/lib/security/credentials/external/external_account_credentials.cc +2 -2
  172. data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -1
  173. data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -1
  174. data/src/core/lib/security/credentials/fake/fake_credentials.cc +1 -1
  175. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -6
  176. data/src/core/lib/security/credentials/insecure/insecure_credentials.cc +2 -2
  177. data/src/core/lib/security/credentials/jwt/json_token.cc +0 -3
  178. data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +0 -3
  179. data/src/core/lib/security/credentials/local/local_credentials.cc +2 -1
  180. data/src/core/lib/security/credentials/local/local_credentials.h +1 -1
  181. data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +2 -1
  182. data/src/core/lib/security/credentials/ssl/ssl_credentials.h +1 -1
  183. data/src/core/lib/security/credentials/tls/tls_credentials.cc +2 -1
  184. data/src/core/lib/security/credentials/tls/tls_credentials.h +1 -1
  185. data/src/core/lib/security/credentials/xds/xds_credentials.cc +128 -59
  186. data/src/core/lib/security/credentials/xds/xds_credentials.h +3 -3
  187. data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +5 -5
  188. data/src/core/lib/security/security_connector/ssl_utils.cc +3 -0
  189. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +26 -14
  190. data/src/core/lib/security/transport/security_handshaker.cc +1 -3
  191. data/src/core/lib/slice/slice_intern.cc +1 -1
  192. data/src/core/lib/surface/init.cc +13 -15
  193. data/src/core/lib/surface/server.cc +3 -3
  194. data/src/core/lib/surface/server.h +3 -0
  195. data/src/core/lib/surface/version.cc +2 -2
  196. data/src/core/lib/transport/metadata.cc +6 -2
  197. data/src/core/plugin_registry/grpc_plugin_registry.cc +6 -0
  198. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +17 -20
  199. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +16 -21
  200. data/src/core/tsi/fake_transport_security.cc +1 -1
  201. data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -3
  202. data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +0 -2
  203. data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +2 -4
  204. data/src/core/tsi/ssl_transport_security.cc +0 -3
  205. data/src/core/tsi/ssl_transport_security.h +0 -3
  206. data/src/ruby/lib/grpc/version.rb +1 -1
  207. data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +7 -0
  208. data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +1 -0
  209. data/third_party/boringssl-with-bazel/err_data.c +725 -723
  210. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +3 -3
  211. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +2 -2
  212. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +5 -5
  213. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +3 -10
  214. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +3 -3
  215. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +4 -2
  216. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +2 -2
  217. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +15 -14
  218. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +30 -0
  219. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +28 -79
  220. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +39 -85
  221. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +5 -16
  222. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +10 -61
  223. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +0 -2
  224. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +2 -2
  225. data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -0
  226. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +158 -0
  227. data/third_party/boringssl-with-bazel/src/crypto/bn_extra/bn_asn1.c +3 -10
  228. data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +8 -9
  229. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +60 -45
  230. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +6 -81
  231. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +87 -0
  232. data/third_party/boringssl-with-bazel/src/crypto/cpu-aarch64-win.c +41 -0
  233. data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/dh_asn1.c +0 -0
  234. data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/params.c +179 -0
  235. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +25 -0
  236. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +2 -17
  237. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +3 -1
  238. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +13 -20
  239. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +2 -3
  240. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +9 -1
  241. data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/check.c +0 -0
  242. data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/dh.c +136 -213
  243. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +12 -0
  244. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +9 -1
  245. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +28 -0
  246. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +128 -38
  247. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +0 -7
  248. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +51 -32
  249. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +147 -0
  250. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +18 -29
  251. data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +13 -4
  252. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +10 -7
  253. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +13 -11
  254. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +4 -0
  255. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +34 -0
  256. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +4 -0
  257. data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +7 -13
  258. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +5 -1
  259. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +1 -1
  260. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +10 -7
  261. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_r2x.c +1 -1
  262. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +8 -8
  263. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +1 -1
  264. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +29 -23
  265. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +1 -2
  266. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +2 -2
  267. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +39 -6
  268. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
  269. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +3 -3
  270. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +11 -10
  271. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -3
  272. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +25 -25
  273. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -2
  274. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +2 -1
  275. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +40 -20
  276. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +3 -4
  277. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +25 -36
  278. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +1 -1
  279. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +6 -6
  280. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +6 -6
  281. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +3 -3
  282. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +652 -545
  283. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +0 -167
  284. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +10 -5
  285. data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +62 -0
  286. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +22 -7
  287. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +15 -0
  288. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +56 -26
  289. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
  290. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +15 -0
  291. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +12 -2
  292. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -0
  293. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +2 -1
  294. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +42 -24
  295. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +27 -8
  296. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +287 -98
  297. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +139 -36
  298. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +4 -3
  299. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +11 -20
  300. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +10 -5
  301. data/third_party/boringssl-with-bazel/src/ssl/internal.h +37 -16
  302. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +0 -1
  303. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +7 -8
  304. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +20 -14
  305. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +7 -8
  306. data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +2 -2
  307. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +5 -7
  308. data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +329 -31
  309. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +2 -2
  310. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +48 -15
  311. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +66 -24
  312. metadata +77 -65
  313. data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +0 -60
  314. data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +0 -52
  315. data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +0 -143
  316. data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +0 -42
  317. data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +0 -84
  318. data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +0 -94
  319. data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +0 -54
  320. data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +0 -173
  321. data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +0 -36
  322. data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +0 -92
  323. data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.c +0 -42
  324. data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.h +0 -35
  325. data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.c +0 -62
  326. data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.h +0 -40
  327. data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.c +0 -45
  328. data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.h +0 -40
  329. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.c +0 -49
  330. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.h +0 -35
  331. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.c +0 -68
  332. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.h +0 -40
  333. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c +0 -51
  334. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.h +0 -35
  335. data/src/core/lib/iomgr/iomgr_posix.h +0 -26
@@ -36,6 +36,7 @@
36
36
  #include "src/core/ext/filters/client_channel/server_address.h"
37
37
  #include "src/core/ext/xds/xds_bootstrap.h"
38
38
  #include "src/core/ext/xds/xds_client_stats.h"
39
+ #include "src/core/lib/security/authorization/matchers.h"
39
40
 
40
41
  namespace grpc_core {
41
42
 
@@ -69,52 +70,7 @@ class XdsApi {
69
70
  struct Route {
70
71
  // Matchers for this route.
71
72
  struct Matchers {
72
- struct PathMatcher {
73
- enum class PathMatcherType {
74
- PATH, // path stored in string_matcher field
75
- PREFIX, // prefix stored in string_matcher field
76
- REGEX, // regex stored in regex_matcher field
77
- };
78
- PathMatcherType type;
79
- std::string string_matcher;
80
- std::unique_ptr<RE2> regex_matcher;
81
- bool case_sensitive = true;
82
-
83
- PathMatcher() = default;
84
- PathMatcher(const PathMatcher& other);
85
- PathMatcher& operator=(const PathMatcher& other);
86
- bool operator==(const PathMatcher& other) const;
87
- std::string ToString() const;
88
- };
89
-
90
- struct HeaderMatcher {
91
- enum class HeaderMatcherType {
92
- EXACT, // value stored in string_matcher field
93
- REGEX, // uses regex_match field
94
- RANGE, // uses range_start and range_end fields
95
- PRESENT, // uses present_match field
96
- PREFIX, // prefix stored in string_matcher field
97
- SUFFIX, // suffix stored in string_matcher field
98
- };
99
- std::string name;
100
- HeaderMatcherType type;
101
- int64_t range_start;
102
- int64_t range_end;
103
- std::string string_matcher;
104
- std::unique_ptr<RE2> regex_match;
105
- bool present_match;
106
- // invert_match field may or may not exisit, so initialize it to
107
- // false.
108
- bool invert_match = false;
109
-
110
- HeaderMatcher() = default;
111
- HeaderMatcher(const HeaderMatcher& other);
112
- HeaderMatcher& operator=(const HeaderMatcher& other);
113
- bool operator==(const HeaderMatcher& other) const;
114
- std::string ToString() const;
115
- };
116
-
117
- PathMatcher path_matcher;
73
+ StringMatcher path_matcher;
118
74
  std::vector<HeaderMatcher> header_matchers;
119
75
  absl::optional<uint32_t> fraction_per_million;
120
76
 
@@ -175,42 +131,6 @@ class XdsApi {
175
131
  VirtualHost* FindVirtualHostForDomain(const std::string& domain);
176
132
  };
177
133
 
178
- class StringMatcher {
179
- public:
180
- enum class StringMatcherType {
181
- EXACT, // value stored in string_matcher_ field
182
- PREFIX, // value stored in string_matcher_ field
183
- SUFFIX, // value stored in string_matcher_ field
184
- SAFE_REGEX, // pattern stored in regex_matcher_ field
185
- CONTAINS, // value stored in string_matcher_ field
186
- };
187
-
188
- StringMatcher() = default;
189
- StringMatcher(const StringMatcher& other);
190
- StringMatcher(StringMatcherType type, const std::string& matcher,
191
- bool ignore_case = false);
192
- StringMatcher& operator=(const StringMatcher& other);
193
- bool operator==(const StringMatcher& other) const;
194
-
195
- bool Match(absl::string_view value) const;
196
-
197
- std::string ToString() const;
198
-
199
- StringMatcherType type() const { return type_; }
200
-
201
- // Valid for EXACT, PREFIX, SUFFIX and CONTAINS
202
- const std::string& string_matcher() const { return string_matcher_; }
203
-
204
- // Valid for SAFE_REGEX
205
- RE2* regex_matcher() const { return regex_matcher_.get(); }
206
-
207
- private:
208
- StringMatcherType type_ = StringMatcherType::EXACT;
209
- std::string string_matcher_;
210
- std::unique_ptr<RE2> regex_matcher_;
211
- bool ignore_case_ = false;
212
- };
213
-
214
134
  struct CommonTlsContext {
215
135
  struct CertificateValidationContext {
216
136
  std::vector<StringMatcher> match_subject_alt_names;
@@ -264,9 +184,27 @@ class XdsApi {
264
184
  bool Empty() const;
265
185
  };
266
186
 
187
+ struct DownstreamTlsContext {
188
+ CommonTlsContext common_tls_context;
189
+ bool require_client_certificate = false;
190
+
191
+ bool operator==(const DownstreamTlsContext& other) const {
192
+ return common_tls_context == other.common_tls_context &&
193
+ require_client_certificate == other.require_client_certificate;
194
+ }
195
+
196
+ std::string ToString() const;
197
+ bool Empty() const;
198
+ };
199
+
267
200
  // TODO(roth): When we can use absl::variant<>, consider using that
268
201
  // here, to enforce the fact that only one of the two fields can be set.
269
202
  struct LdsUpdate {
203
+ enum class ListenerType {
204
+ kTcpListener = 0,
205
+ kHttpApiListener,
206
+ } type;
207
+ DownstreamTlsContext downstream_tls_context;
270
208
  // The name to use in the RDS request.
271
209
  std::string route_config_name;
272
210
  // Storing the Http Connection Manager Common Http Protocol Option
@@ -277,10 +215,13 @@ class XdsApi {
277
215
  absl::optional<RdsUpdate> rds_update;
278
216
 
279
217
  bool operator==(const LdsUpdate& other) const {
280
- return route_config_name == other.route_config_name &&
218
+ return downstream_tls_context == other.downstream_tls_context &&
219
+ route_config_name == other.route_config_name &&
281
220
  rds_update == other.rds_update &&
282
221
  http_max_stream_duration == other.http_max_stream_duration;
283
222
  }
223
+
224
+ std::string ToString() const;
284
225
  };
285
226
 
286
227
  using LdsUpdateMap = std::map<std::string /*server_name*/, LdsUpdate>;
@@ -288,6 +229,9 @@ class XdsApi {
288
229
  using RdsUpdateMap = std::map<std::string /*route_config_name*/, RdsUpdate>;
289
230
 
290
231
  struct CdsUpdate {
232
+ enum ClusterType { EDS, LOGICAL_DNS, AGGREGATE };
233
+ ClusterType cluster_type;
234
+ // For cluster type EDS.
291
235
  // The name to use in the EDS request.
292
236
  // If empty, the cluster name will be used.
293
237
  std::string eds_service_name;
@@ -298,15 +242,27 @@ class XdsApi {
298
242
  // If set to the empty string, will use the same server we obtained the CDS
299
243
  // data from.
300
244
  absl::optional<std::string> lrs_load_reporting_server_name;
245
+ // The LB policy to use (e.g., "ROUND_ROBIN" or "RING_HASH").
246
+ std::string lb_policy;
247
+ // Used for RING_HASH LB policy only.
248
+ uint64_t min_ring_size = 1024;
249
+ uint64_t max_ring_size = 8388608;
250
+ enum HashFunction { XX_HASH, MURMUR_HASH_2 };
251
+ HashFunction hash_function;
301
252
  // Maximum number of outstanding requests can be made to the upstream
302
253
  // cluster.
303
254
  uint32_t max_concurrent_requests = 1024;
255
+ // For cluster type AGGREGATE.
256
+ // The prioritized list of cluster names.
257
+ std::vector<std::string> prioritized_cluster_names;
304
258
 
305
259
  bool operator==(const CdsUpdate& other) const {
306
- return eds_service_name == other.eds_service_name &&
260
+ return cluster_type == other.cluster_type &&
261
+ eds_service_name == other.eds_service_name &&
307
262
  common_tls_context == other.common_tls_context &&
308
263
  lrs_load_reporting_server_name ==
309
264
  other.lrs_load_reporting_server_name &&
265
+ prioritized_cluster_names == other.prioritized_cluster_names &&
310
266
  max_concurrent_requests == other.max_concurrent_requests;
311
267
  }
312
268
 
@@ -424,6 +380,11 @@ class XdsApi {
424
380
  // Parses an ADS response.
425
381
  // If the response can't be parsed at the top level, the resulting
426
382
  // type_url will be empty.
383
+ // If there is any other type of validation error, the parse_error
384
+ // field will be set to something other than GRPC_ERROR_NONE and the
385
+ // resource_names_failed field will be populated.
386
+ // Otherwise, one of the *_update_map fields will be populated, based
387
+ // on the type_url field.
427
388
  struct AdsParseResult {
428
389
  grpc_error* parse_error = GRPC_ERROR_NONE;
429
390
  std::string version;
@@ -433,6 +394,7 @@ class XdsApi {
433
394
  RdsUpdateMap rds_update_map;
434
395
  CdsUpdateMap cds_update_map;
435
396
  EdsUpdateMap eds_update_map;
397
+ std::set<std::string> resource_names_failed;
436
398
  };
437
399
  AdsParseResult ParseAdsResponse(
438
400
  const grpc_slice& encoded_response,
@@ -48,8 +48,8 @@ bool XdsChannelCredsRegistry::IsSupported(const std::string& creds_type) {
48
48
  creds_type == "fake";
49
49
  }
50
50
 
51
- bool XdsChannelCredsRegistry::IsValidConfig(const std::string& creds_type,
52
- const Json& config) {
51
+ bool XdsChannelCredsRegistry::IsValidConfig(const std::string& /*creds_type*/,
52
+ const Json& /*config*/) {
53
53
  // Currently, none of the creds types actually take a config, but we
54
54
  // ignore whatever might be specified in the bootstrap file for
55
55
  // forward compatibility reasons.
@@ -58,7 +58,7 @@ bool XdsChannelCredsRegistry::IsValidConfig(const std::string& creds_type,
58
58
 
59
59
  RefCountedPtr<grpc_channel_credentials>
60
60
  XdsChannelCredsRegistry::MakeChannelCreds(const std::string& creds_type,
61
- const Json& config) {
61
+ const Json& /*config*/) {
62
62
  if (creds_type == "google_default") {
63
63
  return grpc_google_default_credentials_create(nullptr);
64
64
  } else if (creds_type == "insecure") {
@@ -132,36 +132,14 @@ std::string BootstrapString(const XdsBootstrap& bootstrap) {
132
132
  return absl::StrJoin(parts, "");
133
133
  }
134
134
 
135
- } // namespace
136
-
137
- std::unique_ptr<XdsBootstrap> XdsBootstrap::ReadFromFile(XdsClient* client,
138
- TraceFlag* tracer,
139
- grpc_error** error) {
140
- grpc_core::UniquePtr<char> path(gpr_getenv("GRPC_XDS_BOOTSTRAP"));
141
- if (path == nullptr) {
142
- *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
143
- "Environment variable GRPC_XDS_BOOTSTRAP not defined");
144
- return nullptr;
145
- }
146
- if (GRPC_TRACE_FLAG_ENABLED(*tracer)) {
147
- gpr_log(GPR_INFO,
148
- "[xds_client %p] Got bootstrap file location from "
149
- "GRPC_XDS_BOOTSTRAP environment variable: %s",
150
- client, path.get());
151
- }
152
- grpc_slice contents;
153
- *error = grpc_load_file(path.get(), /*add_null_terminator=*/true, &contents);
154
- if (*error != GRPC_ERROR_NONE) return nullptr;
155
- absl::string_view contents_str_view = StringViewFromSlice(contents);
156
- if (GRPC_TRACE_FLAG_ENABLED(*tracer)) {
157
- gpr_log(GPR_DEBUG, "[xds_client %p] Bootstrap file contents: %s", client,
158
- std::string(contents_str_view).c_str());
159
- }
160
- Json json = Json::Parse(contents_str_view, error);
161
- grpc_slice_unref_internal(contents);
135
+ std::unique_ptr<XdsBootstrap> ParseJsonAndCreate(
136
+ XdsClient* client, TraceFlag* tracer, absl::string_view json_string,
137
+ absl::string_view bootstrap_source, grpc_error** error) {
138
+ Json json = Json::Parse(json_string, error);
162
139
  if (*error != GRPC_ERROR_NONE) {
163
140
  grpc_error* error_out = GRPC_ERROR_CREATE_REFERENCING_FROM_COPIED_STRING(
164
- absl::StrCat("Failed to parse bootstrap file ", path.get()).c_str(),
141
+ absl::StrCat("Failed to parse bootstrap from ", bootstrap_source)
142
+ .c_str(),
165
143
  error, 1);
166
144
  GRPC_ERROR_UNREF(*error);
167
145
  *error = error_out;
@@ -177,6 +155,55 @@ std::unique_ptr<XdsBootstrap> XdsBootstrap::ReadFromFile(XdsClient* client,
177
155
  return result;
178
156
  }
179
157
 
158
+ } // namespace
159
+
160
+ std::unique_ptr<XdsBootstrap> XdsBootstrap::Create(XdsClient* client,
161
+ TraceFlag* tracer,
162
+ const char* fallback_config,
163
+ grpc_error** error) {
164
+ // First, try GRPC_XDS_BOOTSTRAP env var.
165
+ grpc_core::UniquePtr<char> path(gpr_getenv("GRPC_XDS_BOOTSTRAP"));
166
+ if (path != nullptr) {
167
+ if (GRPC_TRACE_FLAG_ENABLED(*tracer)) {
168
+ gpr_log(GPR_INFO,
169
+ "[xds_client %p] Got bootstrap file location from "
170
+ "GRPC_XDS_BOOTSTRAP environment variable: %s",
171
+ client, path.get());
172
+ }
173
+ grpc_slice contents;
174
+ *error =
175
+ grpc_load_file(path.get(), /*add_null_terminator=*/true, &contents);
176
+ if (*error != GRPC_ERROR_NONE) return nullptr;
177
+ absl::string_view contents_str_view = StringViewFromSlice(contents);
178
+ if (GRPC_TRACE_FLAG_ENABLED(*tracer)) {
179
+ gpr_log(GPR_DEBUG, "[xds_client %p] Bootstrap file contents: %s", client,
180
+ std::string(contents_str_view).c_str());
181
+ }
182
+ std::string bootstrap_source = absl::StrCat("file ", path.get());
183
+ auto result = ParseJsonAndCreate(client, tracer, contents_str_view,
184
+ bootstrap_source, error);
185
+ grpc_slice_unref_internal(contents);
186
+ return result;
187
+ }
188
+ // Next, try GRPC_XDS_BOOTSTRAP_CONFIG env var.
189
+ grpc_core::UniquePtr<char> env_config(
190
+ gpr_getenv("GRPC_XDS_BOOTSTRAP_CONFIG"));
191
+ if (env_config != nullptr) {
192
+ return ParseJsonAndCreate(client, tracer, env_config.get(),
193
+ "GRPC_XDS_BOOTSTRAP_CONFIG env var", error);
194
+ }
195
+ // Finally, try fallback config.
196
+ if (fallback_config != nullptr) {
197
+ return ParseJsonAndCreate(client, tracer, fallback_config,
198
+ "fallback config", error);
199
+ }
200
+ // No bootstrap config found.
201
+ *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
202
+ "Environment variables GRPC_XDS_BOOTSTRAP or GRPC_XDS_BOOTSTRAP_CONFIG "
203
+ "not defined");
204
+ return nullptr;
205
+ }
206
+
180
207
  XdsBootstrap::XdsBootstrap(Json json, grpc_error** error) {
181
208
  if (json.type() != Json::Type::OBJECT) {
182
209
  *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
@@ -357,15 +384,7 @@ grpc_error* XdsBootstrap::ParseServerFeaturesArray(Json* json,
357
384
  Json& child = json->mutable_array()->at(i);
358
385
  if (child.type() == Json::Type::STRING &&
359
386
  child.string_value() == "xds_v3") {
360
- // TODO(roth): Remove env var check once we do interop testing and
361
- // are sure that the v3 code actually works.
362
- grpc_core::UniquePtr<char> enable_str(
363
- gpr_getenv("GRPC_XDS_EXPERIMENTAL_V3_SUPPORT"));
364
- bool enabled = false;
365
- if (gpr_parse_bool_value(enable_str.get(), &enabled) && enabled) {
366
- server->server_features.insert(
367
- std::move(*child.mutable_string_value()));
368
- }
387
+ server->server_features.insert(std::move(*child.mutable_string_value()));
369
388
  }
370
389
  }
371
390
  return GRPC_ERROR_CREATE_FROM_VECTOR(
@@ -67,11 +67,19 @@ class XdsBootstrap {
67
67
  bool ShouldUseV3() const;
68
68
  };
69
69
 
70
+ // Creates bootstrap object, obtaining the bootstrap JSON as appropriate
71
+ // for the environment:
72
+ // - If the GRPC_XDS_BOOTSTRAP env var is set, reads the file it specifies
73
+ // to obtain the bootstrap JSON.
74
+ // - Otherwise, if the GRPC_XDS_BOOTSTRAP_CONFIG env var is set, reads the
75
+ // content of that env var to obtain the bootstrap JSON.
76
+ // - Otherwise, the JSON will be read from fallback_config (if non-null).
70
77
  // If *error is not GRPC_ERROR_NONE after returning, then there was an
71
- // error reading the file.
72
- static std::unique_ptr<XdsBootstrap> ReadFromFile(XdsClient* client,
73
- TraceFlag* tracer,
74
- grpc_error** error);
78
+ // error (e.g., no config found or error reading the file).
79
+ static std::unique_ptr<XdsBootstrap> Create(XdsClient* client,
80
+ TraceFlag* tracer,
81
+ const char* fallback_config,
82
+ grpc_error** error);
75
83
 
76
84
  // Do not instantiate directly -- use ReadFromFile() above instead.
77
85
  XdsBootstrap(Json json, grpc_error** error);
@@ -37,15 +37,16 @@ class RootCertificatesWatcher
37
37
  // presently, the watcher is immediately deleted when
38
38
  // CancelTlsCertificatesWatch() is called, but that can potentially change in
39
39
  // the future.
40
- explicit RootCertificatesWatcher(
41
- RefCountedPtr<grpc_tls_certificate_distributor> parent)
42
- : parent_(std::move(parent)) {}
40
+ RootCertificatesWatcher(
41
+ RefCountedPtr<grpc_tls_certificate_distributor> parent,
42
+ std::string cert_name)
43
+ : parent_(std::move(parent)), cert_name_(std::move(cert_name)) {}
43
44
 
44
45
  void OnCertificatesChanged(absl::optional<absl::string_view> root_certs,
45
46
  absl::optional<PemKeyCertPairList>
46
47
  /* key_cert_pairs */) override {
47
48
  if (root_certs.has_value()) {
48
- parent_->SetKeyMaterials("", std::string(root_certs.value()),
49
+ parent_->SetKeyMaterials(cert_name_, std::string(root_certs.value()),
49
50
  absl::nullopt);
50
51
  }
51
52
  }
@@ -53,7 +54,7 @@ class RootCertificatesWatcher
53
54
  void OnError(grpc_error* root_cert_error,
54
55
  grpc_error* identity_cert_error) override {
55
56
  if (root_cert_error != GRPC_ERROR_NONE) {
56
- parent_->SetErrorForCert("", root_cert_error /* pass the ref */,
57
+ parent_->SetErrorForCert(cert_name_, root_cert_error /* pass the ref */,
57
58
  absl::nullopt);
58
59
  }
59
60
  GRPC_ERROR_UNREF(identity_cert_error);
@@ -61,6 +62,7 @@ class RootCertificatesWatcher
61
62
 
62
63
  private:
63
64
  RefCountedPtr<grpc_tls_certificate_distributor> parent_;
65
+ std::string cert_name_;
64
66
  };
65
67
 
66
68
  class IdentityCertificatesWatcher
@@ -71,22 +73,23 @@ class IdentityCertificatesWatcher
71
73
  // presently, the watcher is immediately deleted when
72
74
  // CancelTlsCertificatesWatch() is called, but that can potentially change in
73
75
  // the future.
74
- explicit IdentityCertificatesWatcher(
75
- RefCountedPtr<grpc_tls_certificate_distributor> parent)
76
- : parent_(std::move(parent)) {}
76
+ IdentityCertificatesWatcher(
77
+ RefCountedPtr<grpc_tls_certificate_distributor> parent,
78
+ std::string cert_name)
79
+ : parent_(std::move(parent)), cert_name_(std::move(cert_name)) {}
77
80
 
78
81
  void OnCertificatesChanged(
79
82
  absl::optional<absl::string_view> /* root_certs */,
80
83
  absl::optional<PemKeyCertPairList> key_cert_pairs) override {
81
84
  if (key_cert_pairs.has_value()) {
82
- parent_->SetKeyMaterials("", absl::nullopt, key_cert_pairs);
85
+ parent_->SetKeyMaterials(cert_name_, absl::nullopt, key_cert_pairs);
83
86
  }
84
87
  }
85
88
 
86
89
  void OnError(grpc_error* root_cert_error,
87
90
  grpc_error* identity_cert_error) override {
88
91
  if (identity_cert_error != GRPC_ERROR_NONE) {
89
- parent_->SetErrorForCert("", absl::nullopt,
92
+ parent_->SetErrorForCert(cert_name_, absl::nullopt,
90
93
  identity_cert_error /* pass the ref */);
91
94
  }
92
95
  GRPC_ERROR_UNREF(root_cert_error);
@@ -94,34 +97,35 @@ class IdentityCertificatesWatcher
94
97
 
95
98
  private:
96
99
  RefCountedPtr<grpc_tls_certificate_distributor> parent_;
100
+ std::string cert_name_;
97
101
  };
98
102
 
99
103
  } // namespace
100
104
 
101
- XdsCertificateProvider::XdsCertificateProvider(
102
- absl::string_view root_cert_name,
103
- RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor,
104
- absl::string_view identity_cert_name,
105
- RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor,
106
- std::vector<XdsApi::StringMatcher> san_matchers)
107
- : root_cert_name_(root_cert_name),
108
- identity_cert_name_(identity_cert_name),
109
- root_cert_distributor_(std::move(root_cert_distributor)),
110
- identity_cert_distributor_(std::move(identity_cert_distributor)),
111
- san_matchers_(std::move(san_matchers)),
112
- distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()) {
113
- distributor_->SetWatchStatusCallback(
114
- absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
105
+ //
106
+ // XdsCertificateProvider::ClusterCertificateState
107
+ //
108
+
109
+ XdsCertificateProvider::ClusterCertificateState::~ClusterCertificateState() {
110
+ if (root_cert_watcher_ != nullptr) {
111
+ root_cert_distributor_->CancelTlsCertificatesWatch(root_cert_watcher_);
112
+ }
113
+ if (identity_cert_watcher_ != nullptr) {
114
+ identity_cert_distributor_->CancelTlsCertificatesWatch(
115
+ identity_cert_watcher_);
116
+ }
115
117
  }
116
118
 
117
- XdsCertificateProvider::~XdsCertificateProvider() {
118
- distributor_->SetWatchStatusCallback(nullptr);
119
+ bool XdsCertificateProvider::ClusterCertificateState::IsSafeToRemove() const {
120
+ return !watching_root_certs_ && !watching_identity_certs_ &&
121
+ root_cert_distributor_ == nullptr &&
122
+ identity_cert_distributor_ == nullptr;
119
123
  }
120
124
 
121
- void XdsCertificateProvider::UpdateRootCertNameAndDistributor(
122
- absl::string_view root_cert_name,
123
- RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor) {
124
- MutexLock lock(&mu_);
125
+ void XdsCertificateProvider::ClusterCertificateState::
126
+ UpdateRootCertNameAndDistributor(
127
+ const std::string& cert_name, absl::string_view root_cert_name,
128
+ RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor) {
125
129
  if (root_cert_name_ == root_cert_name &&
126
130
  root_cert_distributor_ == root_cert_distributor) {
127
131
  return;
@@ -133,10 +137,10 @@ void XdsCertificateProvider::UpdateRootCertNameAndDistributor(
133
137
  root_cert_distributor_->CancelTlsCertificatesWatch(root_cert_watcher_);
134
138
  }
135
139
  if (root_cert_distributor != nullptr) {
136
- UpdateRootCertWatcher(root_cert_distributor.get());
140
+ UpdateRootCertWatcher(cert_name, root_cert_distributor.get());
137
141
  } else {
138
142
  root_cert_watcher_ = nullptr;
139
- distributor_->SetErrorForCert(
143
+ xds_certificate_provider_->distributor_->SetErrorForCert(
140
144
  "",
141
145
  GRPC_ERROR_CREATE_FROM_STATIC_STRING(
142
146
  "No certificate provider available for root certificates"),
@@ -147,10 +151,11 @@ void XdsCertificateProvider::UpdateRootCertNameAndDistributor(
147
151
  root_cert_distributor_ = std::move(root_cert_distributor);
148
152
  }
149
153
 
150
- void XdsCertificateProvider::UpdateIdentityCertNameAndDistributor(
151
- absl::string_view identity_cert_name,
152
- RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor) {
153
- MutexLock lock(&mu_);
154
+ void XdsCertificateProvider::ClusterCertificateState::
155
+ UpdateIdentityCertNameAndDistributor(
156
+ const std::string& cert_name, absl::string_view identity_cert_name,
157
+ RefCountedPtr<grpc_tls_certificate_distributor>
158
+ identity_cert_distributor) {
154
159
  if (identity_cert_name_ == identity_cert_name &&
155
160
  identity_cert_distributor_ == identity_cert_distributor) {
156
161
  return;
@@ -163,10 +168,10 @@ void XdsCertificateProvider::UpdateIdentityCertNameAndDistributor(
163
168
  identity_cert_watcher_);
164
169
  }
165
170
  if (identity_cert_distributor != nullptr) {
166
- UpdateIdentityCertWatcher(identity_cert_distributor.get());
171
+ UpdateIdentityCertWatcher(cert_name, identity_cert_distributor.get());
167
172
  } else {
168
173
  identity_cert_watcher_ = nullptr;
169
- distributor_->SetErrorForCert(
174
+ xds_certificate_provider_->distributor_->SetErrorForCert(
170
175
  "", absl::nullopt,
171
176
  GRPC_ERROR_CREATE_FROM_STATIC_STRING(
172
177
  "No certificate provider available for identity certificates"));
@@ -176,42 +181,45 @@ void XdsCertificateProvider::UpdateIdentityCertNameAndDistributor(
176
181
  identity_cert_distributor_ = std::move(identity_cert_distributor);
177
182
  }
178
183
 
179
- void XdsCertificateProvider::UpdateSubjectAlternativeNameMatchers(
180
- std::vector<XdsApi::StringMatcher> matchers) {
181
- MutexLock lock(&san_matchers_mu_);
182
- san_matchers_ = std::move(matchers);
184
+ void XdsCertificateProvider::ClusterCertificateState::UpdateRootCertWatcher(
185
+ const std::string& cert_name,
186
+ grpc_tls_certificate_distributor* root_cert_distributor) {
187
+ auto watcher = absl::make_unique<RootCertificatesWatcher>(
188
+ xds_certificate_provider_->distributor_, cert_name);
189
+ root_cert_watcher_ = watcher.get();
190
+ root_cert_distributor->WatchTlsCertificates(std::move(watcher),
191
+ root_cert_name_, absl::nullopt);
183
192
  }
184
193
 
185
- void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
186
- bool root_being_watched,
187
- bool identity_being_watched) {
194
+ void XdsCertificateProvider::ClusterCertificateState::UpdateIdentityCertWatcher(
195
+ const std::string& cert_name,
196
+ grpc_tls_certificate_distributor* identity_cert_distributor) {
197
+ auto watcher = absl::make_unique<IdentityCertificatesWatcher>(
198
+ xds_certificate_provider_->distributor_, cert_name);
199
+ identity_cert_watcher_ = watcher.get();
200
+ identity_cert_distributor->WatchTlsCertificates(
201
+ std::move(watcher), absl::nullopt, identity_cert_name_);
202
+ }
203
+
204
+ void XdsCertificateProvider::ClusterCertificateState::WatchStatusCallback(
205
+ const std::string& cert_name, bool root_being_watched,
206
+ bool identity_being_watched) {
188
207
  // We aren't specially handling the case where root_cert_distributor is same
189
208
  // as identity_cert_distributor. Always using two separate watchers
190
209
  // irrespective of the fact results in a straightforward design, and using a
191
210
  // single watcher does not seem to provide any benefit other than cutting down
192
211
  // on the number of callbacks.
193
- MutexLock lock(&mu_);
194
- if (!cert_name.empty()) {
195
- grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
196
- absl::StrCat("Illegal certificate name: \'", cert_name,
197
- "\'. Should be empty.")
198
- .c_str());
199
- distributor_->SetErrorForCert(cert_name, GRPC_ERROR_REF(error),
200
- GRPC_ERROR_REF(error));
201
- GRPC_ERROR_UNREF(error);
202
- return;
203
- }
204
212
  if (root_being_watched && !watching_root_certs_) {
205
213
  // We need to start watching root certs.
206
214
  watching_root_certs_ = true;
207
215
  if (root_cert_distributor_ == nullptr) {
208
- distributor_->SetErrorForCert(
209
- "",
216
+ xds_certificate_provider_->distributor_->SetErrorForCert(
217
+ cert_name,
210
218
  GRPC_ERROR_CREATE_FROM_STATIC_STRING(
211
219
  "No certificate provider available for root certificates"),
212
220
  absl::nullopt);
213
221
  } else {
214
- UpdateRootCertWatcher(root_cert_distributor_.get());
222
+ UpdateRootCertWatcher(cert_name, root_cert_distributor_.get());
215
223
  }
216
224
  } else if (!root_being_watched && watching_root_certs_) {
217
225
  // We need to cancel root certs watch.
@@ -225,12 +233,12 @@ void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
225
233
  if (identity_being_watched && !watching_identity_certs_) {
226
234
  watching_identity_certs_ = true;
227
235
  if (identity_cert_distributor_ == nullptr) {
228
- distributor_->SetErrorForCert(
229
- "", absl::nullopt,
236
+ xds_certificate_provider_->distributor_->SetErrorForCert(
237
+ cert_name, absl::nullopt,
230
238
  GRPC_ERROR_CREATE_FROM_STATIC_STRING(
231
239
  "No certificate provider available for identity certificates"));
232
240
  } else {
233
- UpdateIdentityCertWatcher(identity_cert_distributor_.get());
241
+ UpdateIdentityCertWatcher(cert_name, identity_cert_distributor_.get());
234
242
  }
235
243
  } else if (!identity_being_watched && watching_identity_certs_) {
236
244
  watching_identity_certs_ = false;
@@ -243,20 +251,118 @@ void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
243
251
  }
244
252
  }
245
253
 
246
- void XdsCertificateProvider::UpdateRootCertWatcher(
247
- grpc_tls_certificate_distributor* root_cert_distributor) {
248
- auto watcher = absl::make_unique<RootCertificatesWatcher>(distributor());
249
- root_cert_watcher_ = watcher.get();
250
- root_cert_distributor->WatchTlsCertificates(std::move(watcher),
251
- root_cert_name_, absl::nullopt);
254
+ //
255
+ // XdsCertificateProvider
256
+ //
257
+
258
+ XdsCertificateProvider::XdsCertificateProvider()
259
+ : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()) {
260
+ distributor_->SetWatchStatusCallback(
261
+ absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
252
262
  }
253
263
 
254
- void XdsCertificateProvider::UpdateIdentityCertWatcher(
255
- grpc_tls_certificate_distributor* identity_cert_distributor) {
256
- auto watcher = absl::make_unique<IdentityCertificatesWatcher>(distributor());
257
- identity_cert_watcher_ = watcher.get();
258
- identity_cert_distributor->WatchTlsCertificates(
259
- std::move(watcher), absl::nullopt, identity_cert_name_);
264
+ XdsCertificateProvider::~XdsCertificateProvider() {
265
+ distributor_->SetWatchStatusCallback(nullptr);
266
+ }
267
+
268
+ bool XdsCertificateProvider::ProvidesRootCerts(const std::string& cert_name) {
269
+ MutexLock lock(&mu_);
270
+ auto it = certificate_state_map_.find(cert_name);
271
+ if (it == certificate_state_map_.end()) return false;
272
+ return it->second->ProvidesRootCerts();
273
+ }
274
+
275
+ void XdsCertificateProvider::UpdateRootCertNameAndDistributor(
276
+ const std::string& cert_name, absl::string_view root_cert_name,
277
+ RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor) {
278
+ MutexLock lock(&mu_);
279
+ auto it = certificate_state_map_.find(cert_name);
280
+ if (it == certificate_state_map_.end()) {
281
+ it = certificate_state_map_
282
+ .emplace(cert_name,
283
+ absl::make_unique<ClusterCertificateState>(this))
284
+ .first;
285
+ }
286
+ it->second->UpdateRootCertNameAndDistributor(cert_name, root_cert_name,
287
+ root_cert_distributor);
288
+ // Delete unused entries.
289
+ if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
290
+ }
291
+
292
+ bool XdsCertificateProvider::ProvidesIdentityCerts(
293
+ const std::string& cert_name) {
294
+ MutexLock lock(&mu_);
295
+ auto it = certificate_state_map_.find(cert_name);
296
+ if (it == certificate_state_map_.end()) return false;
297
+ return it->second->ProvidesIdentityCerts();
298
+ }
299
+
300
+ void XdsCertificateProvider::UpdateIdentityCertNameAndDistributor(
301
+ const std::string& cert_name, absl::string_view identity_cert_name,
302
+ RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor) {
303
+ MutexLock lock(&mu_);
304
+ auto it = certificate_state_map_.find(cert_name);
305
+ if (it == certificate_state_map_.end()) {
306
+ it = certificate_state_map_
307
+ .emplace(cert_name,
308
+ absl::make_unique<ClusterCertificateState>(this))
309
+ .first;
310
+ }
311
+ it->second->UpdateIdentityCertNameAndDistributor(
312
+ cert_name, identity_cert_name, identity_cert_distributor);
313
+ // Delete unused entries.
314
+ if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
315
+ }
316
+
317
+ bool XdsCertificateProvider::GetRequireClientCertificate(
318
+ const std::string& cert_name) {
319
+ MutexLock lock(&mu_);
320
+ auto it = certificate_state_map_.find(cert_name);
321
+ if (it == certificate_state_map_.end()) return false;
322
+ return it->second->require_client_certificate();
323
+ }
324
+
325
+ void XdsCertificateProvider::UpdateRequireClientCertificate(
326
+ const std::string& cert_name, bool require_client_certificate) {
327
+ MutexLock lock(&mu_);
328
+ auto it = certificate_state_map_.find(cert_name);
329
+ if (it == certificate_state_map_.end()) return;
330
+ it->second->set_require_client_certificate(require_client_certificate);
331
+ }
332
+
333
+ std::vector<StringMatcher> XdsCertificateProvider::GetSanMatchers(
334
+ const std::string& cluster) {
335
+ MutexLock lock(&san_matchers_mu_);
336
+ auto it = san_matcher_map_.find(cluster);
337
+ if (it == san_matcher_map_.end()) return {};
338
+ return it->second;
339
+ }
340
+
341
+ void XdsCertificateProvider::UpdateSubjectAlternativeNameMatchers(
342
+ const std::string& cluster, std::vector<StringMatcher> matchers) {
343
+ MutexLock lock(&san_matchers_mu_);
344
+ if (matchers.empty()) {
345
+ san_matcher_map_.erase(cluster);
346
+ } else {
347
+ san_matcher_map_[cluster] = std::move(matchers);
348
+ }
349
+ }
350
+
351
+ void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
352
+ bool root_being_watched,
353
+ bool identity_being_watched) {
354
+ MutexLock lock(&mu_);
355
+ auto it = certificate_state_map_.find(cert_name);
356
+ if (it == certificate_state_map_.end()) {
357
+ it = certificate_state_map_
358
+ .emplace(cert_name,
359
+ absl::make_unique<ClusterCertificateState>(this))
360
+ .first;
361
+ }
362
+ it->second->WatchStatusCallback(cert_name, root_being_watched,
363
+ identity_being_watched);
364
+ // Delete unused entries.
365
+ if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
260
366
  }
261
367
 
262
368
  namespace {