grpc 1.35.0 → 1.36.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Makefile +60 -57
- data/include/grpc/grpc_security.h +16 -11
- data/src/core/ext/filters/client_channel/client_channel.cc +32 -26
- data/src/core/ext/filters/client_channel/client_channel.h +0 -2
- data/src/core/ext/filters/client_channel/config_selector.h +1 -1
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +2 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +3 -5
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +8 -6
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +289 -170
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +5 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +231 -109
- data/src/core/ext/filters/client_channel/resolver.cc +2 -5
- data/src/core/ext/filters/client_channel/resolver.h +1 -12
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +36 -45
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +29 -41
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +16 -14
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +18 -15
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +362 -0
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +22 -74
- data/src/core/ext/filters/client_channel/server_address.cc +6 -0
- data/src/core/ext/filters/client_channel/server_address.h +31 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -2
- data/src/core/ext/filters/max_age/max_age_filter.cc +35 -32
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +1 -1
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +47 -22
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +11 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +11 -1
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +62 -18
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +11 -16
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +42 -59
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +15 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +25 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +75 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +2 -2
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +9 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +7 -7
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +28 -13
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +11 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +41 -7
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -21
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +122 -77
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +13 -9
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +37 -5
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +11 -9
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +44 -27
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +42 -16
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +106 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +29 -0
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +67 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +13 -16
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +51 -42
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +16 -13
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +50 -18
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +4 -7
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +0 -17
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +30 -23
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +85 -73
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.c +0 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +0 -1
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +21 -4
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +29 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/authority.upb.c +5 -5
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +60 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +52 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +143 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +42 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +84 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/resource.upb.c +9 -9
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +94 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +54 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +166 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +36 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +85 -0
- data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +168 -171
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +405 -420
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +2 -2
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +177 -171
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +88 -88
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +153 -153
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +33 -20
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +56 -59
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +116 -111
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +129 -121
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +21 -24
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +17 -13
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +747 -724
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +22 -25
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +369 -376
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +12 -16
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +112 -108
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +45 -53
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +177 -180
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +92 -102
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.c +32 -42
- data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.c +30 -40
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.c +38 -44
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +30 -33
- data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +14 -11
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +42 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +62 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +45 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +49 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +67 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +35 -0
- data/src/core/ext/xds/xds_api.cc +738 -567
- data/src/core/ext/xds/xds_api.h +46 -84
- data/src/core/ext/xds/xds_bootstrap.cc +59 -40
- data/src/core/ext/xds/xds_bootstrap.h +12 -4
- data/src/core/ext/xds/xds_certificate_provider.cc +180 -74
- data/src/core/ext/xds/xds_certificate_provider.h +83 -44
- data/src/core/ext/xds/xds_client.cc +13 -11
- data/src/core/ext/xds/xds_client.h +3 -0
- data/src/core/ext/xds/xds_client_stats.cc +2 -1
- data/src/core/ext/xds/xds_server_config_fetcher.cc +147 -11
- data/src/core/lib/channel/handshaker.cc +2 -5
- data/src/core/lib/channel/handshaker.h +1 -1
- data/src/core/lib/gpr/log.cc +6 -1
- data/src/core/lib/gprpp/mpscq.cc +2 -2
- data/src/core/lib/gprpp/ref_counted.h +1 -1
- data/src/core/lib/gprpp/sync.h +129 -40
- data/src/core/lib/gprpp/time_util.cc +77 -0
- data/src/core/lib/gprpp/time_util.h +42 -0
- data/src/core/lib/http/httpcli_security_connector.cc +2 -2
- data/src/core/lib/iomgr/ev_apple.cc +10 -7
- data/src/core/lib/iomgr/ev_epollex_linux.cc +4 -4
- data/src/core/lib/iomgr/iomgr_posix.cc +0 -1
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +0 -1
- data/src/core/lib/iomgr/sockaddr_utils.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +1 -0
- data/src/core/lib/iomgr/tcp_client_posix.cc +1 -1
- data/src/core/lib/iomgr/tcp_posix.cc +4 -4
- data/src/core/lib/security/authorization/matchers.cc +339 -0
- data/src/core/lib/security/authorization/matchers.h +158 -0
- data/src/core/lib/security/authorization/mock_cel/activation.h +1 -1
- data/src/core/lib/security/authorization/mock_cel/cel_value.h +9 -7
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -1
- data/src/core/lib/security/credentials/alts/alts_credentials.h +1 -1
- data/src/core/lib/security/credentials/credentials.h +2 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +2 -2
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +1 -1
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -6
- data/src/core/lib/security/credentials/insecure/insecure_credentials.cc +2 -2
- data/src/core/lib/security/credentials/jwt/json_token.cc +0 -3
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +0 -3
- data/src/core/lib/security/credentials/local/local_credentials.cc +2 -1
- data/src/core/lib/security/credentials/local/local_credentials.h +1 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +2 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.cc +2 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.h +1 -1
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +128 -59
- data/src/core/lib/security/credentials/xds/xds_credentials.h +3 -3
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +5 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +3 -0
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +26 -14
- data/src/core/lib/security/transport/security_handshaker.cc +1 -3
- data/src/core/lib/slice/slice_intern.cc +1 -1
- data/src/core/lib/surface/init.cc +13 -15
- data/src/core/lib/surface/server.cc +3 -3
- data/src/core/lib/surface/server.h +3 -0
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/metadata.cc +6 -2
- data/src/core/plugin_registry/grpc_plugin_registry.cc +6 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +17 -20
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +16 -21
- data/src/core/tsi/fake_transport_security.cc +1 -1
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +0 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +2 -4
- data/src/core/tsi/ssl_transport_security.cc +0 -3
- data/src/core/tsi/ssl_transport_security.h +0 -3
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +7 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +1 -0
- data/third_party/boringssl-with-bazel/err_data.c +725 -723
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +15 -14
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +30 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +28 -79
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +39 -85
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +5 -16
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +10 -61
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +158 -0
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/bn_asn1.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +8 -9
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +60 -45
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +6 -81
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +87 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-aarch64-win.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/dh_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/params.c +179 -0
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +2 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +3 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +13 -20
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/check.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/dh.c +136 -213
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +28 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +128 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +0 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +51 -32
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +147 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +18 -29
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +13 -4
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +13 -11
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +34 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +7 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +5 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_r2x.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +29 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +39 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +11 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +40 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +25 -36
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +6 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +652 -545
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +0 -167
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +10 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +62 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +22 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +56 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +12 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +2 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +42 -24
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +27 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +287 -98
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +139 -36
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +4 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +11 -20
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +10 -5
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +37 -16
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +0 -1
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +20 -14
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +5 -7
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +329 -31
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +48 -15
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +66 -24
- metadata +77 -65
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +0 -60
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +0 -52
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +0 -143
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +0 -42
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +0 -84
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +0 -94
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +0 -54
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +0 -173
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +0 -36
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +0 -92
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.c +0 -42
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.c +0 -62
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.c +0 -45
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.c +0 -49
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.c +0 -68
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c +0 -51
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.h +0 -35
- data/src/core/lib/iomgr/iomgr_posix.h +0 -26
|
@@ -31,44 +31,34 @@ namespace grpc_core {
|
|
|
31
31
|
|
|
32
32
|
class XdsCertificateProvider : public grpc_tls_certificate_provider {
|
|
33
33
|
public:
|
|
34
|
-
XdsCertificateProvider(
|
|
35
|
-
absl::string_view root_cert_name,
|
|
36
|
-
RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor,
|
|
37
|
-
absl::string_view identity_cert_name,
|
|
38
|
-
RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor,
|
|
39
|
-
std::vector<XdsApi::StringMatcher> san_matchers);
|
|
40
|
-
|
|
34
|
+
XdsCertificateProvider();
|
|
41
35
|
~XdsCertificateProvider() override;
|
|
42
36
|
|
|
43
|
-
void UpdateRootCertNameAndDistributor(
|
|
44
|
-
absl::string_view root_cert_name,
|
|
45
|
-
RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
|
|
46
|
-
void UpdateIdentityCertNameAndDistributor(
|
|
47
|
-
absl::string_view identity_cert_name,
|
|
48
|
-
RefCountedPtr<grpc_tls_certificate_distributor>
|
|
49
|
-
identity_cert_distributor);
|
|
50
|
-
void UpdateSubjectAlternativeNameMatchers(
|
|
51
|
-
std::vector<XdsApi::StringMatcher> matchers);
|
|
52
|
-
|
|
53
37
|
grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor()
|
|
54
38
|
const override {
|
|
55
39
|
return distributor_;
|
|
56
40
|
}
|
|
57
41
|
|
|
58
|
-
bool ProvidesRootCerts()
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
42
|
+
bool ProvidesRootCerts(const std::string& cert_name);
|
|
43
|
+
void UpdateRootCertNameAndDistributor(
|
|
44
|
+
const std::string& cert_name, absl::string_view root_cert_name,
|
|
45
|
+
RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
|
|
62
46
|
|
|
63
|
-
bool ProvidesIdentityCerts()
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
47
|
+
bool ProvidesIdentityCerts(const std::string& cert_name);
|
|
48
|
+
void UpdateIdentityCertNameAndDistributor(
|
|
49
|
+
const std::string& cert_name, absl::string_view identity_cert_name,
|
|
50
|
+
RefCountedPtr<grpc_tls_certificate_distributor>
|
|
51
|
+
identity_cert_distributor);
|
|
67
52
|
|
|
68
|
-
std::
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
53
|
+
bool GetRequireClientCertificate(const std::string& cert_name);
|
|
54
|
+
// Updating \a require_client_certificate for a non-existing \a cert_name has
|
|
55
|
+
// no effect.
|
|
56
|
+
void UpdateRequireClientCertificate(const std::string& cert_name,
|
|
57
|
+
bool require_client_certificate);
|
|
58
|
+
|
|
59
|
+
std::vector<StringMatcher> GetSanMatchers(const std::string& cluster);
|
|
60
|
+
void UpdateSubjectAlternativeNameMatchers(
|
|
61
|
+
const std::string& cluster, std::vector<StringMatcher> matchers);
|
|
72
62
|
|
|
73
63
|
grpc_arg MakeChannelArg() const;
|
|
74
64
|
|
|
@@ -76,14 +66,71 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
|
|
|
76
66
|
const grpc_channel_args* args);
|
|
77
67
|
|
|
78
68
|
private:
|
|
69
|
+
class ClusterCertificateState {
|
|
70
|
+
public:
|
|
71
|
+
explicit ClusterCertificateState(
|
|
72
|
+
XdsCertificateProvider* xds_certificate_provider)
|
|
73
|
+
: xds_certificate_provider_(xds_certificate_provider) {}
|
|
74
|
+
|
|
75
|
+
~ClusterCertificateState();
|
|
76
|
+
|
|
77
|
+
// Returns true if the certs aren't being watched and there are no
|
|
78
|
+
// distributors configured.
|
|
79
|
+
bool IsSafeToRemove() const;
|
|
80
|
+
|
|
81
|
+
bool ProvidesRootCerts() const { return root_cert_distributor_ != nullptr; }
|
|
82
|
+
bool ProvidesIdentityCerts() const {
|
|
83
|
+
return identity_cert_distributor_ != nullptr;
|
|
84
|
+
}
|
|
85
|
+
|
|
86
|
+
void UpdateRootCertNameAndDistributor(
|
|
87
|
+
const std::string& cert_name, absl::string_view root_cert_name,
|
|
88
|
+
RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
|
|
89
|
+
void UpdateIdentityCertNameAndDistributor(
|
|
90
|
+
const std::string& cert_name, absl::string_view identity_cert_name,
|
|
91
|
+
RefCountedPtr<grpc_tls_certificate_distributor>
|
|
92
|
+
identity_cert_distributor);
|
|
93
|
+
|
|
94
|
+
void UpdateRootCertWatcher(
|
|
95
|
+
const std::string& cert_name,
|
|
96
|
+
grpc_tls_certificate_distributor* root_cert_distributor);
|
|
97
|
+
void UpdateIdentityCertWatcher(
|
|
98
|
+
const std::string& cert_name,
|
|
99
|
+
grpc_tls_certificate_distributor* identity_cert_distributor);
|
|
100
|
+
|
|
101
|
+
bool require_client_certificate() const {
|
|
102
|
+
return require_client_certificate_;
|
|
103
|
+
}
|
|
104
|
+
void set_require_client_certificate(bool require_client_certificate) {
|
|
105
|
+
require_client_certificate_ = require_client_certificate;
|
|
106
|
+
}
|
|
107
|
+
|
|
108
|
+
void WatchStatusCallback(const std::string& cert_name,
|
|
109
|
+
bool root_being_watched,
|
|
110
|
+
bool identity_being_watched);
|
|
111
|
+
|
|
112
|
+
private:
|
|
113
|
+
XdsCertificateProvider* xds_certificate_provider_;
|
|
114
|
+
bool watching_root_certs_ = false;
|
|
115
|
+
bool watching_identity_certs_ = false;
|
|
116
|
+
std::string root_cert_name_;
|
|
117
|
+
std::string identity_cert_name_;
|
|
118
|
+
RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor_;
|
|
119
|
+
RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor_;
|
|
120
|
+
grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
|
|
121
|
+
root_cert_watcher_ = nullptr;
|
|
122
|
+
grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
|
|
123
|
+
identity_cert_watcher_ = nullptr;
|
|
124
|
+
bool require_client_certificate_ = false;
|
|
125
|
+
};
|
|
126
|
+
|
|
79
127
|
void WatchStatusCallback(std::string cert_name, bool root_being_watched,
|
|
80
128
|
bool identity_being_watched);
|
|
81
|
-
void UpdateRootCertWatcher(
|
|
82
|
-
grpc_tls_certificate_distributor* root_cert_distributor);
|
|
83
|
-
void UpdateIdentityCertWatcher(
|
|
84
|
-
grpc_tls_certificate_distributor* identity_cert_distributor);
|
|
85
129
|
|
|
86
130
|
Mutex mu_;
|
|
131
|
+
std::map<std::string /*cert_name*/, std::unique_ptr<ClusterCertificateState>>
|
|
132
|
+
certificate_state_map_;
|
|
133
|
+
|
|
87
134
|
// Use a separate mutex for san_matchers_ to avoid deadlocks since
|
|
88
135
|
// san_matchers_ needs to be accessed when a handshake is being done and we
|
|
89
136
|
// run into a possible deadlock scenario if using the same mutex. The mutex
|
|
@@ -93,18 +140,10 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
|
|
|
93
140
|
// -> HandshakeManager::Add() -> SecurityHandshaker::DoHandshake() ->
|
|
94
141
|
// subject_alternative_names_matchers()
|
|
95
142
|
Mutex san_matchers_mu_;
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
std::string identity_cert_name_;
|
|
100
|
-
RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor_;
|
|
101
|
-
RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor_;
|
|
102
|
-
std::vector<XdsApi::StringMatcher> san_matchers_;
|
|
143
|
+
std::map<std::string /*cluster_name*/, std::vector<StringMatcher>>
|
|
144
|
+
san_matcher_map_;
|
|
145
|
+
|
|
103
146
|
RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
|
|
104
|
-
grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
|
|
105
|
-
root_cert_watcher_ = nullptr;
|
|
106
|
-
grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
|
|
107
|
-
identity_cert_watcher_ = nullptr;
|
|
108
147
|
};
|
|
109
148
|
|
|
110
149
|
} // namespace grpc_core
|
|
@@ -72,6 +72,7 @@ namespace {
|
|
|
72
72
|
Mutex* g_mu = nullptr;
|
|
73
73
|
const grpc_channel_args* g_channel_args = nullptr;
|
|
74
74
|
XdsClient* g_xds_client = nullptr;
|
|
75
|
+
char* g_fallback_bootstrap_config = nullptr;
|
|
75
76
|
|
|
76
77
|
} // namespace
|
|
77
78
|
|
|
@@ -881,15 +882,8 @@ void XdsClient::ChannelState::AdsCallState::AcceptLdsUpdate(
|
|
|
881
882
|
auto& state = lds_state.subscribed_resources[listener_name];
|
|
882
883
|
if (state != nullptr) state->Finish();
|
|
883
884
|
if (GRPC_TRACE_FLAG_ENABLED(grpc_xds_client_trace)) {
|
|
884
|
-
gpr_log(GPR_INFO, "[xds_client %p] LDS resource %s:
|
|
885
|
-
|
|
886
|
-
(!lds_update.route_config_name.empty()
|
|
887
|
-
? lds_update.route_config_name.c_str()
|
|
888
|
-
: "<inlined>"));
|
|
889
|
-
if (lds_update.rds_update.has_value()) {
|
|
890
|
-
gpr_log(GPR_INFO, "RouteConfiguration: %s",
|
|
891
|
-
lds_update.rds_update->ToString().c_str());
|
|
892
|
-
}
|
|
885
|
+
gpr_log(GPR_INFO, "[xds_client %p] LDS resource %s: %s", xds_client(),
|
|
886
|
+
listener_name.c_str(), lds_update.ToString().c_str());
|
|
893
887
|
}
|
|
894
888
|
// Record the RDS resource names seen.
|
|
895
889
|
if (!lds_update.route_config_name.empty()) {
|
|
@@ -1740,8 +1734,8 @@ XdsClient::XdsClient(grpc_error** error)
|
|
|
1740
1734
|
: nullptr),
|
|
1741
1735
|
request_timeout_(GetRequestTimeout()),
|
|
1742
1736
|
interested_parties_(grpc_pollset_set_create()),
|
|
1743
|
-
bootstrap_(
|
|
1744
|
-
|
|
1737
|
+
bootstrap_(XdsBootstrap::Create(this, &grpc_xds_client_trace,
|
|
1738
|
+
g_fallback_bootstrap_config, error)),
|
|
1745
1739
|
certificate_provider_store_(MakeOrphanable<CertificateProviderStore>(
|
|
1746
1740
|
bootstrap_ == nullptr
|
|
1747
1741
|
? CertificateProviderStore::PluginDefinitionMap()
|
|
@@ -2207,6 +2201,8 @@ void XdsClientGlobalInit() { g_mu = new Mutex; }
|
|
|
2207
2201
|
void XdsClientGlobalShutdown() {
|
|
2208
2202
|
delete g_mu;
|
|
2209
2203
|
g_mu = nullptr;
|
|
2204
|
+
gpr_free(g_fallback_bootstrap_config);
|
|
2205
|
+
g_fallback_bootstrap_config = nullptr;
|
|
2210
2206
|
}
|
|
2211
2207
|
|
|
2212
2208
|
RefCountedPtr<XdsClient> XdsClient::GetOrCreate(grpc_error** error) {
|
|
@@ -2232,6 +2228,12 @@ void UnsetGlobalXdsClientForTest() {
|
|
|
2232
2228
|
g_xds_client = nullptr;
|
|
2233
2229
|
}
|
|
2234
2230
|
|
|
2231
|
+
void SetXdsFallbackBootstrapConfig(const char* config) {
|
|
2232
|
+
MutexLock lock(g_mu);
|
|
2233
|
+
gpr_free(g_fallback_bootstrap_config);
|
|
2234
|
+
g_fallback_bootstrap_config = gpr_strdup(config);
|
|
2235
|
+
}
|
|
2236
|
+
|
|
2235
2237
|
} // namespace internal
|
|
2236
2238
|
|
|
2237
2239
|
} // namespace grpc_core
|
|
@@ -329,6 +329,9 @@ class XdsClient : public DualRefCounted<XdsClient> {
|
|
|
329
329
|
namespace internal {
|
|
330
330
|
void SetXdsChannelArgsForTest(grpc_channel_args* args);
|
|
331
331
|
void UnsetGlobalXdsClientForTest();
|
|
332
|
+
// Sets bootstrap config to be used when no env var is set.
|
|
333
|
+
// Does not take ownership of config.
|
|
334
|
+
void SetXdsFallbackBootstrapConfig(const char* config);
|
|
332
335
|
} // namespace internal
|
|
333
336
|
|
|
334
337
|
} // namespace grpc_core
|
|
@@ -137,7 +137,8 @@ XdsClusterLocalityStats::GetSnapshotAndReset() {
|
|
|
137
137
|
// not related to a single reporting interval.
|
|
138
138
|
total_requests_in_progress_.Load(MemoryOrder::RELAXED),
|
|
139
139
|
GetAndResetCounter(&total_error_requests_),
|
|
140
|
-
GetAndResetCounter(&total_issued_requests_)
|
|
140
|
+
GetAndResetCounter(&total_issued_requests_),
|
|
141
|
+
{}};
|
|
141
142
|
MutexLock lock(&backend_metrics_mu_);
|
|
142
143
|
snapshot.backend_metrics = std::move(backend_metrics_);
|
|
143
144
|
return snapshot;
|
|
@@ -18,11 +18,18 @@
|
|
|
18
18
|
|
|
19
19
|
#include <grpc/support/port_platform.h>
|
|
20
20
|
|
|
21
|
+
#include "src/core/ext/xds/xds_certificate_provider.h"
|
|
21
22
|
#include "src/core/ext/xds/xds_client.h"
|
|
23
|
+
#include "src/core/lib/channel/channel_args.h"
|
|
24
|
+
#include "src/core/lib/security/credentials/xds/xds_credentials.h"
|
|
22
25
|
#include "src/core/lib/surface/api_trace.h"
|
|
23
26
|
#include "src/core/lib/surface/server.h"
|
|
24
27
|
|
|
25
28
|
namespace grpc_core {
|
|
29
|
+
|
|
30
|
+
TraceFlag grpc_xds_server_config_fetcher_trace(false,
|
|
31
|
+
"xds_server_config_fetcher");
|
|
32
|
+
|
|
26
33
|
namespace {
|
|
27
34
|
|
|
28
35
|
class XdsServerConfigFetcher : public grpc_server_config_fetcher {
|
|
@@ -32,18 +39,18 @@ class XdsServerConfigFetcher : public grpc_server_config_fetcher {
|
|
|
32
39
|
GPR_ASSERT(xds_client_ != nullptr);
|
|
33
40
|
}
|
|
34
41
|
|
|
35
|
-
void StartWatch(std::string listening_address,
|
|
42
|
+
void StartWatch(std::string listening_address, grpc_channel_args* args,
|
|
36
43
|
std::unique_ptr<grpc_server_config_fetcher::WatcherInterface>
|
|
37
44
|
watcher) override {
|
|
38
45
|
grpc_server_config_fetcher::WatcherInterface* watcher_ptr = watcher.get();
|
|
39
|
-
auto listener_watcher =
|
|
40
|
-
|
|
46
|
+
auto listener_watcher = absl::make_unique<ListenerWatcher>(
|
|
47
|
+
std::move(watcher), args, xds_client_);
|
|
41
48
|
auto* listener_watcher_ptr = listener_watcher.get();
|
|
42
49
|
// TODO(yashykt): Get the resource name id from bootstrap
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
50
|
+
listening_address = absl::StrCat(
|
|
51
|
+
"grpc/server?xds.resource.listening_address=", listening_address);
|
|
52
|
+
xds_client_->WatchListenerData(listening_address,
|
|
53
|
+
std::move(listener_watcher));
|
|
47
54
|
MutexLock lock(&mu_);
|
|
48
55
|
auto& watcher_state = watchers_[watcher_ptr];
|
|
49
56
|
watcher_state.listening_address = listening_address;
|
|
@@ -73,12 +80,45 @@ class XdsServerConfigFetcher : public grpc_server_config_fetcher {
|
|
|
73
80
|
public:
|
|
74
81
|
explicit ListenerWatcher(
|
|
75
82
|
std::unique_ptr<grpc_server_config_fetcher::WatcherInterface>
|
|
76
|
-
server_config_watcher
|
|
77
|
-
|
|
83
|
+
server_config_watcher,
|
|
84
|
+
grpc_channel_args* args, RefCountedPtr<XdsClient> xds_client)
|
|
85
|
+
: server_config_watcher_(std::move(server_config_watcher)),
|
|
86
|
+
args_(args),
|
|
87
|
+
xds_client_(std::move(xds_client)) {}
|
|
88
|
+
|
|
89
|
+
~ListenerWatcher() override { grpc_channel_args_destroy(args_); }
|
|
90
|
+
|
|
91
|
+
// Deleted due to special handling required for args_. Copy the channel args
|
|
92
|
+
// if we ever need these.
|
|
93
|
+
ListenerWatcher(const ListenerWatcher&) = delete;
|
|
94
|
+
ListenerWatcher& operator=(const ListenerWatcher&) = delete;
|
|
78
95
|
|
|
79
96
|
void OnListenerChanged(XdsApi::LdsUpdate listener) override {
|
|
80
|
-
|
|
81
|
-
|
|
97
|
+
if (GRPC_TRACE_FLAG_ENABLED(grpc_xds_server_config_fetcher_trace)) {
|
|
98
|
+
gpr_log(
|
|
99
|
+
GPR_INFO,
|
|
100
|
+
"[ListenerWatcher %p] Received LDS update from xds client %p: %s",
|
|
101
|
+
this, xds_client_.get(), listener.ToString().c_str());
|
|
102
|
+
}
|
|
103
|
+
grpc_error* error = GRPC_ERROR_NONE;
|
|
104
|
+
bool update_needed = UpdateXdsCertificateProvider(listener, &error);
|
|
105
|
+
if (error != GRPC_ERROR_NONE) {
|
|
106
|
+
OnError(error);
|
|
107
|
+
return;
|
|
108
|
+
}
|
|
109
|
+
// Only send an update, if something changed.
|
|
110
|
+
if (updated_once_ && !update_needed) {
|
|
111
|
+
return;
|
|
112
|
+
}
|
|
113
|
+
updated_once_ = true;
|
|
114
|
+
grpc_channel_args* updated_args = nullptr;
|
|
115
|
+
if (xds_certificate_provider_ != nullptr) {
|
|
116
|
+
grpc_arg arg_to_add = xds_certificate_provider_->MakeChannelArg();
|
|
117
|
+
updated_args = grpc_channel_args_copy_and_add(args_, &arg_to_add, 1);
|
|
118
|
+
} else {
|
|
119
|
+
updated_args = grpc_channel_args_copy(args_);
|
|
120
|
+
}
|
|
121
|
+
server_config_watcher_->UpdateConfig(updated_args);
|
|
82
122
|
}
|
|
83
123
|
|
|
84
124
|
void OnError(grpc_error* error) override {
|
|
@@ -97,8 +137,103 @@ class XdsServerConfigFetcher : public grpc_server_config_fetcher {
|
|
|
97
137
|
}
|
|
98
138
|
|
|
99
139
|
private:
|
|
140
|
+
// Returns true if the xds certificate provider changed in a way that
|
|
141
|
+
// required a new security connector to be created, false otherwise.
|
|
142
|
+
bool UpdateXdsCertificateProvider(const XdsApi::LdsUpdate& listener,
|
|
143
|
+
grpc_error** error) {
|
|
144
|
+
// Early out if channel is not configured to use xDS security.
|
|
145
|
+
grpc_server_credentials* server_creds =
|
|
146
|
+
grpc_find_server_credentials_in_args(args_);
|
|
147
|
+
if (server_creds == nullptr ||
|
|
148
|
+
server_creds->type() != kCredentialsTypeXds) {
|
|
149
|
+
xds_certificate_provider_ = nullptr;
|
|
150
|
+
return false;
|
|
151
|
+
}
|
|
152
|
+
if (xds_certificate_provider_ == nullptr) {
|
|
153
|
+
xds_certificate_provider_ = MakeRefCounted<XdsCertificateProvider>();
|
|
154
|
+
}
|
|
155
|
+
// Configure root cert.
|
|
156
|
+
absl::string_view root_provider_instance_name =
|
|
157
|
+
listener.downstream_tls_context.common_tls_context
|
|
158
|
+
.combined_validation_context
|
|
159
|
+
.validation_context_certificate_provider_instance.instance_name;
|
|
160
|
+
absl::string_view root_provider_cert_name =
|
|
161
|
+
listener.downstream_tls_context.common_tls_context
|
|
162
|
+
.combined_validation_context
|
|
163
|
+
.validation_context_certificate_provider_instance
|
|
164
|
+
.certificate_name;
|
|
165
|
+
RefCountedPtr<grpc_tls_certificate_provider> new_root_provider;
|
|
166
|
+
if (!root_provider_instance_name.empty()) {
|
|
167
|
+
new_root_provider =
|
|
168
|
+
xds_client_->certificate_provider_store()
|
|
169
|
+
.CreateOrGetCertificateProvider(root_provider_instance_name);
|
|
170
|
+
if (new_root_provider == nullptr) {
|
|
171
|
+
*error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
|
|
172
|
+
absl::StrCat("Certificate provider instance name: \"",
|
|
173
|
+
root_provider_instance_name, "\" not recognized.")
|
|
174
|
+
.c_str());
|
|
175
|
+
return false;
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
// Configure identity cert.
|
|
179
|
+
absl::string_view identity_provider_instance_name =
|
|
180
|
+
listener.downstream_tls_context.common_tls_context
|
|
181
|
+
.tls_certificate_certificate_provider_instance.instance_name;
|
|
182
|
+
absl::string_view identity_provider_cert_name =
|
|
183
|
+
listener.downstream_tls_context.common_tls_context
|
|
184
|
+
.tls_certificate_certificate_provider_instance.certificate_name;
|
|
185
|
+
RefCountedPtr<grpc_tls_certificate_provider> new_identity_provider;
|
|
186
|
+
if (!identity_provider_instance_name.empty()) {
|
|
187
|
+
new_identity_provider = xds_client_->certificate_provider_store()
|
|
188
|
+
.CreateOrGetCertificateProvider(
|
|
189
|
+
identity_provider_instance_name);
|
|
190
|
+
if (new_identity_provider == nullptr) {
|
|
191
|
+
*error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
|
|
192
|
+
absl::StrCat("Certificate provider instance name: \"",
|
|
193
|
+
identity_provider_instance_name,
|
|
194
|
+
"\" not recognized.")
|
|
195
|
+
.c_str());
|
|
196
|
+
return false;
|
|
197
|
+
}
|
|
198
|
+
}
|
|
199
|
+
bool security_connector_update_required = false;
|
|
200
|
+
if (((new_root_provider == nullptr) !=
|
|
201
|
+
(root_certificate_provider_ == nullptr)) ||
|
|
202
|
+
((new_identity_provider == nullptr) !=
|
|
203
|
+
(identity_certificate_provider_ == nullptr)) ||
|
|
204
|
+
(listener.downstream_tls_context.require_client_certificate !=
|
|
205
|
+
xds_certificate_provider_->GetRequireClientCertificate(""))) {
|
|
206
|
+
security_connector_update_required = true;
|
|
207
|
+
}
|
|
208
|
+
if (root_certificate_provider_ != new_root_provider) {
|
|
209
|
+
root_certificate_provider_ = std::move(new_root_provider);
|
|
210
|
+
}
|
|
211
|
+
if (identity_certificate_provider_ != new_identity_provider) {
|
|
212
|
+
identity_certificate_provider_ = std::move(new_identity_provider);
|
|
213
|
+
}
|
|
214
|
+
xds_certificate_provider_->UpdateRootCertNameAndDistributor(
|
|
215
|
+
"", root_provider_cert_name,
|
|
216
|
+
root_certificate_provider_ == nullptr
|
|
217
|
+
? nullptr
|
|
218
|
+
: root_certificate_provider_->distributor());
|
|
219
|
+
xds_certificate_provider_->UpdateIdentityCertNameAndDistributor(
|
|
220
|
+
"", identity_provider_cert_name,
|
|
221
|
+
identity_certificate_provider_ == nullptr
|
|
222
|
+
? nullptr
|
|
223
|
+
: identity_certificate_provider_->distributor());
|
|
224
|
+
xds_certificate_provider_->UpdateRequireClientCertificate(
|
|
225
|
+
"", listener.downstream_tls_context.require_client_certificate);
|
|
226
|
+
return security_connector_update_required;
|
|
227
|
+
}
|
|
228
|
+
|
|
100
229
|
std::unique_ptr<grpc_server_config_fetcher::WatcherInterface>
|
|
101
230
|
server_config_watcher_;
|
|
231
|
+
grpc_channel_args* args_;
|
|
232
|
+
RefCountedPtr<XdsClient> xds_client_;
|
|
233
|
+
RefCountedPtr<grpc_tls_certificate_provider> root_certificate_provider_;
|
|
234
|
+
RefCountedPtr<grpc_tls_certificate_provider> identity_certificate_provider_;
|
|
235
|
+
RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
|
|
236
|
+
bool updated_once_ = false;
|
|
102
237
|
};
|
|
103
238
|
|
|
104
239
|
struct WatcherState {
|
|
@@ -125,6 +260,7 @@ grpc_server_config_fetcher* grpc_server_config_fetcher_xds_create() {
|
|
|
125
260
|
if (error != GRPC_ERROR_NONE) {
|
|
126
261
|
gpr_log(GPR_ERROR, "Failed to create xds client: %s",
|
|
127
262
|
grpc_error_string(error));
|
|
263
|
+
GRPC_ERROR_UNREF(error);
|
|
128
264
|
return nullptr;
|
|
129
265
|
}
|
|
130
266
|
return new grpc_core::XdsServerConfigFetcher(std::move(xds_client));
|
|
@@ -53,7 +53,7 @@ std::string HandshakerArgsString(HandshakerArgs* args) {
|
|
|
53
53
|
|
|
54
54
|
} // namespace
|
|
55
55
|
|
|
56
|
-
HandshakeManager::HandshakeManager() {
|
|
56
|
+
HandshakeManager::HandshakeManager() {}
|
|
57
57
|
|
|
58
58
|
/// Add \a mgr to the server side list of all pending handshake managers, the
|
|
59
59
|
/// list starts with \a *head.
|
|
@@ -104,10 +104,7 @@ void HandshakeManager::Add(RefCountedPtr<Handshaker> handshaker) {
|
|
|
104
104
|
handshakers_.push_back(std::move(handshaker));
|
|
105
105
|
}
|
|
106
106
|
|
|
107
|
-
HandshakeManager::~HandshakeManager() {
|
|
108
|
-
handshakers_.clear();
|
|
109
|
-
gpr_mu_destroy(&mu_);
|
|
110
|
-
}
|
|
107
|
+
HandshakeManager::~HandshakeManager() { handshakers_.clear(); }
|
|
111
108
|
|
|
112
109
|
void HandshakeManager::Shutdown(grpc_error* why) {
|
|
113
110
|
{
|