RubyGems - grpc - Versions diffs - 1.35.0 → 1.36.0 - Mend

grpc 1.35.0 → 1.36.0

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (335) hide show

data/src/core/lib/security/authorization/mock_cel/activation.h CHANGED Viewed

@@ -48,7 +48,7 @@ class Activation : public BaseActivation {
   Activation& operator=(const Activation&) = delete;
   // Insert value into Activation.
-  void InsertValue(absl::string_view name, const CelValue& value) {}
+  void InsertValue(absl::string_view /*name*/, const CelValue& /*value*/) {}
 };
 }  // namespace mock_cel

data/src/core/lib/security/authorization/mock_cel/cel_value.h CHANGED Viewed

@@ -61,23 +61,25 @@ class CelValue {
   // We rely on copy elision to avoid extra copying.
   static CelValue CreateNull() { return CelValue(nullptr); }
-  static CelValue CreateInt64(int64_t value) { return CreateNull(); }
+  static CelValue CreateInt64(int64_t /*value*/) { return CreateNull(); }
-  static CelValue CreateUint64(uint64_t value) { return CreateNull(); }
+  static CelValue CreateUint64(uint64_t /*value*/) { return CreateNull(); }
-  static CelValue CreateStringView(absl::string_view value) {
+  static CelValue CreateStringView(absl::string_view /*value*/) {
     return CreateNull();
   }
-  static CelValue CreateString(const std::string* str) { return CreateNull(); }
+  static CelValue CreateString(const std::string* /*str*/) {
+    return CreateNull();
+  }
-  static CelValue CreateMap(const CelMap* value) { return CreateNull(); }
+  static CelValue CreateMap(const CelMap* /*value*/) { return CreateNull(); }
  private:
   // Constructs CelValue wrapping value supplied as argument.
   // Value type T should be supported by specification of ValueHolder.
   template <class T>
-  explicit CelValue(T value) {}
+  explicit CelValue(T /*value*/) {}
 };
 // CelMap implementation that uses STL map container as backing storage.
@@ -86,7 +88,7 @@ class ContainerBackedMapImpl : public CelMap {
   ContainerBackedMapImpl() = default;
   static std::unique_ptr<CelMap> Create(
-      absl::Span<std::pair<CelValue, CelValue>> key_values) {
+      absl::Span<std::pair<CelValue, CelValue>> /*key_values*/) {
     return absl::make_unique<ContainerBackedMapImpl>();
   }
 };

data/src/core/lib/security/credentials/alts/alts_credentials.cc CHANGED Viewed

@@ -70,7 +70,8 @@ grpc_alts_server_credentials::grpc_alts_server_credentials(
 }
 grpc_core::RefCountedPtr<grpc_server_security_connector>
-grpc_alts_server_credentials::create_security_connector() {
+grpc_alts_server_credentials::create_security_connector(
+    const grpc_channel_args* /* args */) {
   return grpc_alts_server_security_connector_create(this->Ref());
 }

data/src/core/lib/security/credentials/alts/alts_credentials.h CHANGED Viewed

@@ -56,7 +56,7 @@ class grpc_alts_server_credentials final : public grpc_server_credentials {
   ~grpc_alts_server_credentials() override;
   grpc_core::RefCountedPtr<grpc_server_security_connector>
-  create_security_connector() override;
+  create_security_connector(const grpc_channel_args* /* args */) override;
   const grpc_alts_credentials_options* options() const { return options_; }
   grpc_alts_credentials_options* mutable_options() { return options_; }

data/src/core/lib/security/credentials/credentials.h CHANGED Viewed

@@ -227,8 +227,9 @@ struct grpc_server_credentials
   ~grpc_server_credentials() override { DestroyProcessor(); }
+  // Ownership of \a args is not passed.
   virtual grpc_core::RefCountedPtr<grpc_server_security_connector>
-  create_security_connector() = 0;
+  create_security_connector(const grpc_channel_args* args) = 0;
   const char* type() const { return type_; }

data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc CHANGED Viewed

@@ -120,7 +120,7 @@ AwsExternalAccountCredentials::AwsExternalAccountCredentials(
 }
 void AwsExternalAccountCredentials::RetrieveSubjectToken(
-    HTTPRequestContext* ctx, const Options& options,
+    HTTPRequestContext* ctx, const Options& /*options*/,
     std::function<void(std::string, grpc_error*)> cb) {
   if (ctx == nullptr) {
     FinishRetrieveSubjectToken(

data/src/core/lib/security/credentials/external/external_account_credentials.cc CHANGED Viewed

@@ -316,7 +316,7 @@ void ExternalAccountCredentials::OnExchangeTokenInternal(grpc_error* error) {
           std::string(ctx_->response.body, ctx_->response.body_length).c_str());
       metadata_req_->response.hdrs = static_cast<grpc_http_header*>(
           gpr_malloc(sizeof(grpc_http_header) * ctx_->response.hdr_count));
-      for (int i = 0; i < ctx_->response.hdr_count; i++) {
+      for (size_t i = 0; i < ctx_->response.hdr_count; i++) {
         metadata_req_->response.hdrs[i].key =
             gpr_strdup(ctx_->response.hdrs[i].key);
         metadata_req_->response.hdrs[i].value =
@@ -443,7 +443,7 @@ void ExternalAccountCredentials::OnImpersenateServiceAccountInternal(
   metadata_req_->response.body_length = body.length();
   metadata_req_->response.hdrs = static_cast<grpc_http_header*>(
       gpr_malloc(sizeof(grpc_http_header) * ctx_->response.hdr_count));
-  for (int i = 0; i < ctx_->response.hdr_count; i++) {
+  for (size_t i = 0; i < ctx_->response.hdr_count; i++) {
     metadata_req_->response.hdrs[i].key =
         gpr_strdup(ctx_->response.hdrs[i].key);
     metadata_req_->response.hdrs[i].value =

data/src/core/lib/security/credentials/external/file_external_account_credentials.cc CHANGED Viewed

@@ -91,7 +91,7 @@ FileExternalAccountCredentials::FileExternalAccountCredentials(
 }
 void FileExternalAccountCredentials::RetrieveSubjectToken(
-    HTTPRequestContext* ctx, const Options& options,
+    HTTPRequestContext* /*ctx*/, const Options& /*options*/,
     std::function<void(std::string, grpc_error*)> cb) {
   struct SliceWrapper {
     ~SliceWrapper() { grpc_slice_unref_internal(slice); }

data/src/core/lib/security/credentials/external/url_external_account_credentials.cc CHANGED Viewed

@@ -112,7 +112,7 @@ UrlExternalAccountCredentials::UrlExternalAccountCredentials(
 }
 void UrlExternalAccountCredentials::RetrieveSubjectToken(
-    HTTPRequestContext* ctx, const Options& options,
+    HTTPRequestContext* ctx, const Options& /*options*/,
     std::function<void(std::string, grpc_error*)> cb) {
   if (ctx == nullptr) {
     FinishRetrieveSubjectToken(

data/src/core/lib/security/credentials/fake/fake_credentials.cc CHANGED Viewed

@@ -59,7 +59,7 @@ class grpc_fake_server_credentials final : public grpc_server_credentials {
   ~grpc_fake_server_credentials() override = default;
   grpc_core::RefCountedPtr<grpc_server_security_connector>
-  create_security_connector() override {
+  create_security_connector(const grpc_channel_args* /*args*/) override {
     return grpc_fake_server_security_connector_create(this->Ref());
   }
 };

data/src/core/lib/security/credentials/google_default/google_default_credentials.cc CHANGED Viewed

@@ -61,7 +61,7 @@ using grpc_core::Json;
  * means the detection is done via network test that is unreliable and the
  * unreliable result should not be referred by successive calls. */
 static int g_metadata_server_available = 0;
-static gpr_mu g_state_mu;
+static grpc_core::Mutex* g_state_mu;
 /* Protect a metadata_server_detector instance that can be modified by more than
  * one gRPC threads */
 static gpr_mu* g_polling_mu;
@@ -69,7 +69,9 @@ static gpr_once g_once = GPR_ONCE_INIT;
 static grpc_core::internal::grpc_gce_tenancy_checker g_gce_tenancy_checker =
     grpc_alts_is_running_on_gcp;
-static void init_default_credentials(void) { gpr_mu_init(&g_state_mu); }
+static void init_default_credentials(void) {
+  g_state_mu = new grpc_core::Mutex();
+}
 struct metadata_server_detector {
   grpc_polling_entity pollent;
@@ -282,7 +284,7 @@ end:
 static void update_tenancy() {
   gpr_once_init(&g_once, init_default_credentials);
-  grpc_core::MutexLock lock(&g_state_mu);
+  grpc_core::MutexLock lock(g_state_mu);
   /* Try a platform-provided hint for GCE. */
   if (!g_metadata_server_available) {
@@ -297,7 +299,7 @@ static void update_tenancy() {
 }
 static bool metadata_server_available() {
-  grpc_core::MutexLock lock(&g_state_mu);
+  grpc_core::MutexLock lock(g_state_mu);
   return static_cast<bool>(g_metadata_server_available);
 }
@@ -387,9 +389,8 @@ void set_gce_tenancy_checker_for_testing(grpc_gce_tenancy_checker checker) {
 void grpc_flush_cached_google_default_credentials(void) {
   grpc_core::ExecCtx exec_ctx;
   gpr_once_init(&g_once, init_default_credentials);
-  gpr_mu_lock(&g_state_mu);
+  grpc_core::MutexLock lock(g_state_mu);
   g_metadata_server_available = 0;
-  gpr_mu_unlock(&g_state_mu);
 }
 }  // namespace internal

data/src/core/lib/security/credentials/insecure/insecure_credentials.cc CHANGED Viewed

@@ -46,8 +46,8 @@ class InsecureServerCredentials final : public grpc_server_credentials {
   InsecureServerCredentials()
       : grpc_server_credentials(kCredentialsTypeInsecure) {}
-  RefCountedPtr<grpc_server_security_connector> create_security_connector()
-      override {
+  RefCountedPtr<grpc_server_security_connector> create_security_connector(
+      const grpc_channel_args* /* args */) override {
     return MakeRefCounted<InsecureServerSecurityConnector>(Ref());
   }
 };

data/src/core/lib/security/credentials/jwt/json_token.cc CHANGED Viewed

@@ -33,14 +33,11 @@
 #include "src/core/lib/security/util/json_util.h"
 #include "src/core/lib/slice/b64.h"
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wmodule-import-in-extern-c"
 extern "C" {
 #include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 }
-#pragma clang diagnostic pop
 using grpc_core::Json;

data/src/core/lib/security/credentials/jwt/jwt_verifier.cc CHANGED Viewed

@@ -28,14 +28,11 @@
 #include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wmodule-import-in-extern-c"
 extern "C" {
 #include <openssl/bn.h>
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 }
-#pragma clang diagnostic pop
 #include "src/core/lib/gpr/string.h"
 #include "src/core/lib/gprpp/manual_constructor.h"

data/src/core/lib/security/credentials/local/local_credentials.cc CHANGED Viewed

@@ -39,7 +39,8 @@ grpc_local_credentials::create_security_connector(
 }
 grpc_core::RefCountedPtr<grpc_server_security_connector>
-grpc_local_server_credentials::create_security_connector() {
+grpc_local_server_credentials::create_security_connector(
+    const grpc_channel_args* /* args */) {
   return grpc_local_server_security_connector_create(this->Ref());
 }

data/src/core/lib/security/credentials/local/local_credentials.h CHANGED Viewed

@@ -50,7 +50,7 @@ class grpc_local_server_credentials final : public grpc_server_credentials {
   ~grpc_local_server_credentials() override = default;
   grpc_core::RefCountedPtr<grpc_server_security_connector>
-  create_security_connector() override;
+  create_security_connector(const grpc_channel_args* /* args */) override;
   grpc_local_connect_type connect_type() const { return connect_type_; }

data/src/core/lib/security/credentials/ssl/ssl_credentials.cc CHANGED Viewed

@@ -190,7 +190,8 @@ grpc_ssl_server_credentials::~grpc_ssl_server_credentials() {
   gpr_free(config_.pem_root_certs);
 }
 grpc_core::RefCountedPtr<grpc_server_security_connector>
-grpc_ssl_server_credentials::create_security_connector() {
+grpc_ssl_server_credentials::create_security_connector(
+    const grpc_channel_args* /* args */) {
   return grpc_ssl_server_security_connector_create(this->Ref());
 }

data/src/core/lib/security/credentials/ssl/ssl_credentials.h CHANGED Viewed

@@ -69,7 +69,7 @@ class grpc_ssl_server_credentials final : public grpc_server_credentials {
   ~grpc_ssl_server_credentials() override;
   grpc_core::RefCountedPtr<grpc_server_security_connector>
-  create_security_connector() override;
+  create_security_connector(const grpc_channel_args* /* args */) override;
   bool has_cert_config_fetcher() const {
     return certificate_config_fetcher_.cb != nullptr;

data/src/core/lib/security/credentials/tls/tls_credentials.cc CHANGED Viewed

@@ -106,7 +106,8 @@ TlsServerCredentials::TlsServerCredentials(
 TlsServerCredentials::~TlsServerCredentials() {}
 grpc_core::RefCountedPtr<grpc_server_security_connector>
-TlsServerCredentials::create_security_connector() {
+TlsServerCredentials::create_security_connector(
+    const grpc_channel_args* /* args */) {
   return grpc_core::TlsServerSecurityConnector::
       CreateTlsServerSecurityConnector(this->Ref(), options_);
 }

data/src/core/lib/security/credentials/tls/tls_credentials.h CHANGED Viewed

@@ -51,7 +51,7 @@ class TlsServerCredentials final : public grpc_server_credentials {
   ~TlsServerCredentials() override;
   grpc_core::RefCountedPtr<grpc_server_security_connector>
-  create_security_connector() override;
+  create_security_connector(const grpc_channel_args* /* args */) override;
   grpc_tls_credentials_options* options() const { return options_.get(); }

data/src/core/lib/security/credentials/xds/xds_credentials.cc CHANGED Viewed

@@ -20,6 +20,7 @@
 #include "src/core/lib/security/credentials/xds/xds_credentials.h"
+#include "src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h"
 #include "src/core/ext/xds/xds_certificate_provider.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
@@ -35,11 +36,11 @@ namespace {
 bool XdsVerifySubjectAlternativeNames(
     const char* const* subject_alternative_names,
     size_t subject_alternative_names_size,
-    const std::vector<XdsApi::StringMatcher>& matchers) {
+    const std::vector<StringMatcher>& matchers) {
   if (matchers.empty()) return true;
   for (size_t i = 0; i < subject_alternative_names_size; ++i) {
     for (const auto& matcher : matchers) {
-      if (matcher.type() == XdsApi::StringMatcher::StringMatcherType::EXACT) {
+      if (matcher.type() == StringMatcher::Type::EXACT) {
         // For EXACT match, use DNS rules for verifying SANs
         // TODO(zhenlian): Right now, the SSL layer does not save the type of
         // the SAN, so we are doing a DNS style verification for all SANs when
@@ -60,39 +61,51 @@ bool XdsVerifySubjectAlternativeNames(
   return false;
 }
-int ServerAuthCheckSchedule(void* config_user_data,
-                            grpc_tls_server_authorization_check_arg* arg) {
-  XdsCertificateProvider* xds_certificate_provider =
-      static_cast<XdsCertificateProvider*>(config_user_data);
-  if (XdsVerifySubjectAlternativeNames(
-          arg->subject_alternative_names, arg->subject_alternative_names_size,
-          xds_certificate_provider->subject_alternative_name_matchers())) {
-    arg->success = 1;
-    arg->status = GRPC_STATUS_OK;
-  } else {
-    arg->success = 0;
-    arg->status = GRPC_STATUS_UNAUTHENTICATED;
-    if (arg->error_details) {
-      arg->error_details->set_error_details(
-          "SANs from certificate did not match SANs from xDS control plane");
-    }
+class ServerAuthCheck {
+ public:
+  ServerAuthCheck(
+      RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
+      std::string cluster_name)
+      : xds_certificate_provider_(std::move(xds_certificate_provider)),
+        cluster_name_(std::move(cluster_name)) {}
+  static int Schedule(void* config_user_data,
+                      grpc_tls_server_authorization_check_arg* arg) {
+    return static_cast<ServerAuthCheck*>(config_user_data)->ScheduleImpl(arg);
   }
-  return 0; /* synchronous check */
-}
+  static void Destroy(void* config_user_data) {
+    delete static_cast<ServerAuthCheck*>(config_user_data);
+  }
-void ServerAuthCheckDestroy(void* config_user_data) {
-  XdsCertificateProvider* xds_certificate_provider =
-      static_cast<XdsCertificateProvider*>(config_user_data);
-  xds_certificate_provider->Unref();
-}
+ private:
+  int ScheduleImpl(grpc_tls_server_authorization_check_arg* arg) {
+    if (XdsVerifySubjectAlternativeNames(
+            arg->subject_alternative_names, arg->subject_alternative_names_size,
+            xds_certificate_provider_->GetSanMatchers(cluster_name_))) {
+      arg->success = 1;
+      arg->status = GRPC_STATUS_OK;
+    } else {
+      arg->success = 0;
+      arg->status = GRPC_STATUS_UNAUTHENTICATED;
+      if (arg->error_details) {
+        arg->error_details->set_error_details(
+            "SANs from certificate did not match SANs from xDS control plane");
+      }
+    }
+    return 0; /* synchronous check */
+  }
+  RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
+  std::string cluster_name_;
+};
 }  // namespace
 bool TestOnlyXdsVerifySubjectAlternativeNames(
     const char* const* subject_alternative_names,
     size_t subject_alternative_names_size,
-    const std::vector<XdsApi::StringMatcher>& matchers) {
+    const std::vector<StringMatcher>& matchers) {
   return XdsVerifySubjectAlternativeNames(
       subject_alternative_names, subject_alternative_names_size, matchers);
 }
@@ -105,49 +118,79 @@ RefCountedPtr<grpc_channel_security_connector>
 XdsCredentials::create_security_connector(
     RefCountedPtr<grpc_call_credentials> call_creds, const char* target_name,
     const grpc_channel_args* args, grpc_channel_args** new_args) {
-  auto xds_certificate_provider =
-      XdsCertificateProvider::GetFromChannelArgs(args);
+  struct ChannelArgsDeleter {
+    const grpc_channel_args* args;
+    bool owned;
+    ~ChannelArgsDeleter() {
+      if (owned) grpc_channel_args_destroy(args);
+    }
+  };
+  ChannelArgsDeleter temp_args{args, false};
   // TODO(yashykt): This arg will no longer need to be added after b/173119596
   // is fixed.
   grpc_arg override_arg = grpc_channel_arg_string_create(
       const_cast<char*>(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG),
       const_cast<char*>(target_name));
   const char* override_arg_name = GRPC_SSL_TARGET_NAME_OVERRIDE_ARG;
-  const grpc_channel_args* temp_args = args;
   if (grpc_channel_args_find(args, override_arg_name) == nullptr) {
-    temp_args = grpc_channel_args_copy_and_add_and_remove(
+    temp_args.args = grpc_channel_args_copy_and_add_and_remove(
         args, &override_arg_name, 1, &override_arg, 1);
+    temp_args.owned = true;
   }
   RefCountedPtr<grpc_channel_security_connector> security_connector;
+  auto xds_certificate_provider =
+      XdsCertificateProvider::GetFromChannelArgs(args);
   if (xds_certificate_provider != nullptr) {
-    auto tls_credentials_options =
-        MakeRefCounted<grpc_tls_credentials_options>();
-    tls_credentials_options->set_certificate_provider(xds_certificate_provider);
-    if (xds_certificate_provider->ProvidesRootCerts()) {
-      tls_credentials_options->set_watch_root_cert(true);
-    }
-    if (xds_certificate_provider->ProvidesIdentityCerts()) {
-      tls_credentials_options->set_watch_identity_pair(true);
+    std::string cluster_name =
+        grpc_channel_args_find_string(args, GRPC_ARG_XDS_CLUSTER_NAME);
+    GPR_ASSERT(cluster_name.data() != nullptr);
+    const bool watch_root =
+        xds_certificate_provider->ProvidesRootCerts(cluster_name);
+    const bool watch_identity =
+        xds_certificate_provider->ProvidesIdentityCerts(cluster_name);
+    if (watch_root || watch_identity) {
+      auto tls_credentials_options =
+          MakeRefCounted<grpc_tls_credentials_options>();
+      tls_credentials_options->set_certificate_provider(
+          xds_certificate_provider);
+      if (watch_root) {
+        tls_credentials_options->set_watch_root_cert(true);
+        tls_credentials_options->set_root_cert_name(cluster_name);
+      }
+      if (watch_identity) {
+        tls_credentials_options->set_watch_identity_pair(true);
+        tls_credentials_options->set_identity_cert_name(cluster_name);
+      }
+      tls_credentials_options->set_server_verification_option(
+          GRPC_TLS_SKIP_HOSTNAME_VERIFICATION);
+      auto* server_auth_check = new ServerAuthCheck(xds_certificate_provider,
+                                                    std::move(cluster_name));
+      tls_credentials_options->set_server_authorization_check_config(
+          MakeRefCounted<grpc_tls_server_authorization_check_config>(
+              server_auth_check, ServerAuthCheck::Schedule, nullptr,
+              ServerAuthCheck::Destroy));
+      // TODO(yashkt): Creating a new TlsCreds object each time we create a
+      // security connector means that the security connector's cmp() method
+      // returns unequal for each instance, which means that every time an LB
+      // policy updates, all the subchannels will be recreated.  This is
+      // going to lead to a lot of connection churn.  Instead, we should
+      // either (a) change the TLS security connector's cmp() method to be
+      // smarter somehow, so that it compares unequal only when the
+      // tls_credentials_options have changed, or (b) cache the TlsCreds
+      // objects in the XdsCredentials object so that we can reuse the
+      // same one when creating new security connectors, swapping out the
+      // TlsCreds object only when the tls_credentials_options change.
+      // Option (a) would probably be better, although it may require some
+      // structural changes to the security connector API.
+      auto tls_credentials =
+          MakeRefCounted<TlsCredentials>(std::move(tls_credentials_options));
+      return tls_credentials->create_security_connector(
+          std::move(call_creds), target_name, temp_args.args, new_args);
     }
-    tls_credentials_options->set_server_verification_option(
-        GRPC_TLS_SKIP_HOSTNAME_VERIFICATION);
-    tls_credentials_options->set_server_authorization_check_config(
-        MakeRefCounted<grpc_tls_server_authorization_check_config>(
-            xds_certificate_provider->Ref().release(), ServerAuthCheckSchedule,
-            nullptr, ServerAuthCheckDestroy));
-    auto tls_credentials =
-        MakeRefCounted<TlsCredentials>(std::move(tls_credentials_options));
-    security_connector = tls_credentials->create_security_connector(
-        std::move(call_creds), target_name, temp_args, new_args);
-  } else {
-    GPR_ASSERT(fallback_credentials_ != nullptr);
-    security_connector = fallback_credentials_->create_security_connector(
-        std::move(call_creds), target_name, temp_args, new_args);
   }
-  if (temp_args != args) {
-    grpc_channel_args_destroy(temp_args);
-  }
-  return security_connector;
+  GPR_ASSERT(fallback_credentials_ != nullptr);
+  return fallback_credentials_->create_security_connector(
+      std::move(call_creds), target_name, temp_args.args, new_args);
 }
 //
@@ -155,9 +198,35 @@ XdsCredentials::create_security_connector(
 //
 RefCountedPtr<grpc_server_security_connector>
-XdsServerCredentials::create_security_connector() {
-  // TODO(yashkt): Fill this
-  return fallback_credentials_->create_security_connector();
+XdsServerCredentials::create_security_connector(const grpc_channel_args* args) {
+  auto xds_certificate_provider =
+      XdsCertificateProvider::GetFromChannelArgs(args);
+  // Identity certs are a must for TLS.
+  if (xds_certificate_provider != nullptr &&
+      xds_certificate_provider->ProvidesIdentityCerts("")) {
+    auto tls_credentials_options =
+        MakeRefCounted<grpc_tls_credentials_options>();
+    tls_credentials_options->set_watch_identity_pair(true);
+    tls_credentials_options->set_certificate_provider(xds_certificate_provider);
+    if (xds_certificate_provider->ProvidesRootCerts("")) {
+      tls_credentials_options->set_watch_root_cert(true);
+      if (xds_certificate_provider->GetRequireClientCertificate("")) {
+        tls_credentials_options->set_cert_request_type(
+            GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
+      } else {
+        tls_credentials_options->set_cert_request_type(
+            GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY);
+      }
+    } else {
+      // Do not request client certificate if there is no way to verify.
+      tls_credentials_options->set_cert_request_type(
+          GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
+    }
+    auto tls_credentials = MakeRefCounted<TlsServerCredentials>(
+        std::move(tls_credentials_options));
+    return tls_credentials->create_security_connector(args);
+  }
+  return fallback_credentials_->create_security_connector(args);
 }
 }  // namespace grpc_core