grpc 1.36.0 → 1.38.0

data/src/core/ext/xds/xds_api.h

@@ -33,10 +33,12 @@
 
 #include <grpc/slice_buffer.h>
 
+#include "envoy/admin/v3/config_dump.upb.h"
 #include "src/core/ext/filters/client_channel/server_address.h"
 #include "src/core/ext/xds/xds_bootstrap.h"
 #include "src/core/ext/xds/xds_client_stats.h"
-#include "src/core/lib/security/authorization/matchers.h"
+#include "src/core/ext/xds/xds_http_filters.h"
+#include "src/core/lib/matchers/matchers.h"
 
 namespace grpc_core {
 
@@ -58,13 +60,16 @@ class XdsApi {
     int64_t seconds = 0;
     int32_t nanos = 0;
     bool operator==(const Duration& other) const {
-      return (seconds == other.seconds && nanos == other.nanos);
+      return seconds == other.seconds && nanos == other.nanos;
     }
     std::string ToString() const {
       return absl::StrFormat("Duration seconds: %ld, nanos %d", seconds, nanos);
     }
   };
 
+  using TypedPerFilterConfig =
+      std::map<std::string, XdsHttpFilterImpl::FilterConfig>;
+
   // TODO(donnadionne): When we can use absl::variant<>, consider using that
   // for: PathMatcher, HeaderMatcher, cluster_name and weighted_clusters
   struct Route {
@@ -75,14 +80,38 @@ class XdsApi {
       absl::optional<uint32_t> fraction_per_million;
 
       bool operator==(const Matchers& other) const {
-        return (path_matcher == other.path_matcher &&
-                header_matchers == other.header_matchers &&
-                fraction_per_million == other.fraction_per_million);
+        return path_matcher == other.path_matcher &&
+               header_matchers == other.header_matchers &&
+               fraction_per_million == other.fraction_per_million;
       }
       std::string ToString() const;
     };
 
+    struct HashPolicy {
+      enum Type { HEADER, CHANNEL_ID };
+      Type type;
+      bool terminal = false;
+      // Fields used for type HEADER.
+      std::string header_name;
+      std::unique_ptr<RE2> regex = nullptr;
+      std::string regex_substitution;
+
+      HashPolicy() {}
+
+      // Copyable.
+      HashPolicy(const HashPolicy& other);
+      HashPolicy& operator=(const HashPolicy& other);
+
+      // Moveable.
+      HashPolicy(HashPolicy&& other) noexcept;
+      HashPolicy& operator=(HashPolicy&& other) noexcept;
+
+      bool operator==(const HashPolicy& other) const;
+      std::string ToString() const;
+    };
+
     Matchers matchers;
+    std::vector<HashPolicy> hash_policies;
 
     // Action for this route.
     // TODO(roth): When we can use absl::variant<>, consider using that
@@ -91,8 +120,11 @@ class XdsApi {
     struct ClusterWeight {
       std::string name;
       uint32_t weight;
+      TypedPerFilterConfig typed_per_filter_config;
+
       bool operator==(const ClusterWeight& other) const {
-        return (name == other.name && weight == other.weight);
+        return name == other.name && weight == other.weight &&
+               typed_per_filter_config == other.typed_per_filter_config;
       }
       std::string ToString() const;
     };
@@ -103,11 +135,13 @@ class XdsApi {
     // not set.
     absl::optional<Duration> max_stream_duration;
 
+    TypedPerFilterConfig typed_per_filter_config;
+
     bool operator==(const Route& other) const {
-      return (matchers == other.matchers &&
-              cluster_name == other.cluster_name &&
-              weighted_clusters == other.weighted_clusters &&
-              max_stream_duration == other.max_stream_duration);
+      return matchers == other.matchers && cluster_name == other.cluster_name &&
+             weighted_clusters == other.weighted_clusters &&
+             max_stream_duration == other.max_stream_duration &&
+             typed_per_filter_config == other.typed_per_filter_config;
     }
     std::string ToString() const;
   };
@@ -116,9 +150,11 @@ class XdsApi {
     struct VirtualHost {
       std::vector<std::string> domains;
       std::vector<Route> routes;
+      TypedPerFilterConfig typed_per_filter_config;
 
       bool operator==(const VirtualHost& other) const {
-        return domains == other.domains && routes == other.routes;
+        return domains == other.domains && routes == other.routes &&
+               typed_per_filter_config == other.typed_per_filter_config;
       }
     };
 
@@ -204,29 +240,157 @@ class XdsApi {
       kTcpListener = 0,
       kHttpApiListener,
     } type;
-    DownstreamTlsContext downstream_tls_context;
-    // The name to use in the RDS request.
-    std::string route_config_name;
-    // Storing the Http Connection Manager Common Http Protocol Option
-    // max_stream_duration
-    Duration http_max_stream_duration;
-    // The RouteConfiguration to use for this listener.
-    // Present only if it is inlined in the LDS response.
-    absl::optional<RdsUpdate> rds_update;
+
+    struct HttpConnectionManager {
+      // The name to use in the RDS request.
+      std::string route_config_name;
+      // Storing the Http Connection Manager Common Http Protocol Option
+      // max_stream_duration
+      Duration http_max_stream_duration;
+      // The RouteConfiguration to use for this listener.
+      // Present only if it is inlined in the LDS response.
+      absl::optional<RdsUpdate> rds_update;
+
+      struct HttpFilter {
+        std::string name;
+        XdsHttpFilterImpl::FilterConfig config;
+
+        bool operator==(const HttpFilter& other) const {
+          return name == other.name && config == other.config;
+        }
+
+        std::string ToString() const;
+      };
+      std::vector<HttpFilter> http_filters;
+
+      bool operator==(const HttpConnectionManager& other) const {
+        return route_config_name == other.route_config_name &&
+               http_max_stream_duration == other.http_max_stream_duration &&
+               rds_update == other.rds_update &&
+               http_filters == other.http_filters;
+      }
+
+      std::string ToString() const;
+    };
+
+    // Populated for type=kHttpApiListener.
+    HttpConnectionManager http_connection_manager;
+
+    // Populated for type=kTcpListener.
+    // host:port listening_address set when type is kTcpListener
+    std::string address;
+
+    struct FilterChainData {
+      DownstreamTlsContext downstream_tls_context;
+      // This is in principle the filter list.
+      // We currently require exactly one filter, which is the HCM.
+      HttpConnectionManager http_connection_manager;
+
+      bool operator==(const FilterChainData& other) const {
+        return downstream_tls_context == other.downstream_tls_context &&
+               http_connection_manager == other.http_connection_manager;
+      }
+
+      std::string ToString() const;
+    } filter_chain_data;
+
+    // A multi-level map used to determine which filter chain to use for a given
+    // incoming connection. Determining the right filter chain for a given
+    // connection checks the following properties, in order:
+    // - destination port (never matched, so not present in map)
+    // - destination IP address
+    // - server name (never matched, so not present in map)
+    // - transport protocol (allows only "raw_buffer" or unset, prefers the
+    //   former, so only one of those two types is present in map)
+    // - application protocol (never matched, so not present in map)
+    // - connection source type (any, local or external)
+    // - source IP address
+    // - source port
+    // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#config-listener-v3-filterchainmatch
+    // for more details
+    struct FilterChainMap {
+      struct FilterChainDataSharedPtr {
+        std::shared_ptr<FilterChainData> data;
+        bool operator==(const FilterChainDataSharedPtr& other) const {
+          return *data == *other.data;
+        }
+      };
+      struct CidrRange {
+        grpc_resolved_address address;
+        uint32_t prefix_len;
+
+        bool operator==(const CidrRange& other) const {
+          return memcmp(&address, &other.address, sizeof(address)) == 0 &&
+                 prefix_len == other.prefix_len;
+        }
+
+        std::string ToString() const;
+      };
+      using SourcePortsMap = std::map<uint16_t, FilterChainDataSharedPtr>;
+      struct SourceIp {
+        absl::optional<CidrRange> prefix_range;
+        SourcePortsMap ports_map;
+
+        bool operator==(const SourceIp& other) const {
+          return prefix_range == other.prefix_range &&
+                 ports_map == other.ports_map;
+        }
+      };
+      using SourceIpVector = std::vector<SourceIp>;
+      enum class ConnectionSourceType {
+        kAny = 0,
+        kSameIpOrLoopback,
+        kExternal
+      };
+      using ConnectionSourceTypesArray = std::array<SourceIpVector, 3>;
+      struct DestinationIp {
+        absl::optional<CidrRange> prefix_range;
+        // We always fail match on server name, so those filter chains are not
+        // included here.
+        ConnectionSourceTypesArray source_types_array;
+
+        bool operator==(const DestinationIp& other) const {
+          return prefix_range == other.prefix_range &&
+                 source_types_array == other.source_types_array;
+        }
+      };
+      // We always fail match on destination ports map
+      using DestinationIpVector = std::vector<DestinationIp>;
+      DestinationIpVector destination_ip_vector;
+
+      bool operator==(const FilterChainMap& other) const {
+        return destination_ip_vector == other.destination_ip_vector;
+      }
+
+      std::string ToString() const;
+    } filter_chain_map;
+
+    absl::optional<FilterChainData> default_filter_chain;
 
     bool operator==(const LdsUpdate& other) const {
-      return downstream_tls_context == other.downstream_tls_context &&
-             route_config_name == other.route_config_name &&
-             rds_update == other.rds_update &&
-             http_max_stream_duration == other.http_max_stream_duration;
+      return http_connection_manager == other.http_connection_manager &&
+             address == other.address &&
+             filter_chain_map == other.filter_chain_map &&
+             default_filter_chain == other.default_filter_chain;
     }
 
     std::string ToString() const;
   };
 
-  using LdsUpdateMap = std::map<std::string /*server_name*/, LdsUpdate>;
+  struct LdsResourceData {
+    LdsUpdate resource;
+    std::string serialized_proto;
+  };
+
+  using LdsUpdateMap = std::map<std::string /*server_name*/, LdsResourceData>;
+
+  struct RdsResourceData {
+    RdsUpdate resource;
+    std::string serialized_proto;
+  };
 
-  using RdsUpdateMap = std::map<std::string /*route_config_name*/, RdsUpdate>;
+  using RdsUpdateMap =
+      std::map<std::string /*route_config_name*/, RdsResourceData>;
 
   struct CdsUpdate {
     enum ClusterType { EDS, LOGICAL_DNS, AGGREGATE };
@@ -269,7 +433,12 @@ class XdsApi {
     std::string ToString() const;
   };
 
-  using CdsUpdateMap = std::map<std::string /*cluster_name*/, CdsUpdate>;
+  struct CdsResourceData {
+    CdsUpdate resource;
+    std::string serialized_proto;
+  };
+
+  using CdsUpdateMap = std::map<std::string /*cluster_name*/, CdsResourceData>;
 
   struct EdsUpdate {
     struct Priority {
@@ -353,7 +522,13 @@ class XdsApi {
     std::string ToString() const;
   };
 
-  using EdsUpdateMap = std::map<std::string /*eds_service_name*/, EdsUpdate>;
+  struct EdsResourceData {
+    EdsUpdate resource;
+    std::string serialized_proto;
+  };
+
+  using EdsUpdateMap =
+      std::map<std::string /*eds_service_name*/, EdsResourceData>;
 
   struct ClusterLoadReport {
     XdsClusterDropStats::Snapshot dropped_requests;
@@ -366,18 +541,66 @@ class XdsApi {
       std::pair<std::string /*cluster_name*/, std::string /*eds_service_name*/>,
       ClusterLoadReport>;
 
-  XdsApi(XdsClient* client, TraceFlag* tracer, const XdsBootstrap::Node* node);
+  // The metadata of the xDS resource; used by the xDS config dump.
+  struct ResourceMetadata {
+    // Resource status from the view of a xDS client, which tells the
+    // synchronization status between the xDS client and the xDS server.
+    enum ClientResourceStatus {
+      // Client requested this resource but hasn't received any update from
+      // management server. The client will not fail requests, but will queue
+      // them
+      // until update arrives or the client times out waiting for the resource.
+      REQUESTED = 1,
+      // This resource has been requested by the client but has either not been
+      // delivered by the server or was previously delivered by the server and
+      // then subsequently removed from resources provided by the server.
+      DOES_NOT_EXIST,
+      // Client received this resource and replied with ACK.
+      ACKED,
+      // Client received this resource and replied with NACK.
+      NACKED
+    };
 
-  // Creates an ADS request.
-  // Takes ownership of \a error.
-  grpc_slice CreateAdsRequest(const XdsBootstrap::XdsServer& server,
-                              const std::string& type_url,
-                              const std::set<absl::string_view>& resource_names,
-                              const std::string& version,
-                              const std::string& nonce, grpc_error* error,
-                              bool populate_node);
+    // The client status of this resource.
+    ClientResourceStatus client_status = REQUESTED;
+    // The serialized bytes of the last successfully updated raw xDS resource.
+    std::string serialized_proto;
+    // The timestamp when the resource was last successfully updated.
+    grpc_millis update_time = 0;
+    // The last successfully updated version of the resource.
+    std::string version;
+    // The rejected version string of the last failed update attempt.
+    std::string failed_version;
+    // Details about the last failed update attempt.
+    std::string failed_details;
+    // Timestamp of the last failed update attempt.
+    grpc_millis failed_update_time = 0;
+  };
+  using ResourceMetadataMap =
+      std::map<absl::string_view /*resource_name*/, const ResourceMetadata*>;
+  struct ResourceTypeMetadata {
+    absl::string_view version;
+    ResourceMetadataMap resource_metadata_map;
+  };
+  using ResourceTypeMetadataMap =
+      std::map<absl::string_view /*type_url*/, ResourceTypeMetadata>;
+  static_assert(static_cast<ResourceMetadata::ClientResourceStatus>(
+                    envoy_admin_v3_REQUESTED) ==
+                    ResourceMetadata::ClientResourceStatus::REQUESTED,
+                "");
+  static_assert(static_cast<ResourceMetadata::ClientResourceStatus>(
+                    envoy_admin_v3_DOES_NOT_EXIST) ==
+                    ResourceMetadata::ClientResourceStatus::DOES_NOT_EXIST,
+                "");
+  static_assert(static_cast<ResourceMetadata::ClientResourceStatus>(
+                    envoy_admin_v3_ACKED) ==
+                    ResourceMetadata::ClientResourceStatus::ACKED,
+                "");
+  static_assert(static_cast<ResourceMetadata::ClientResourceStatus>(
+                    envoy_admin_v3_NACKED) ==
+                    ResourceMetadata::ClientResourceStatus::NACKED,
+                "");
 
-  // Parses an ADS response.
   // If the response can't be parsed at the top level, the resulting
   // type_url will be empty.
   // If there is any other type of validation error, the parse_error
@@ -386,7 +609,7 @@ class XdsApi {
   // Otherwise, one of the *_update_map fields will be populated, based
   // on the type_url field.
   struct AdsParseResult {
-    grpc_error* parse_error = GRPC_ERROR_NONE;
+    grpc_error_handle parse_error = GRPC_ERROR_NONE;
     std::string version;
     std::string nonce;
     std::string type_url;
@@ -396,8 +619,21 @@ class XdsApi {
     EdsUpdateMap eds_update_map;
     std::set<std::string> resource_names_failed;
   };
+
+  XdsApi(XdsClient* client, TraceFlag* tracer, const XdsBootstrap::Node* node);
+
+  // Creates an ADS request.
+  // Takes ownership of \a error.
+  grpc_slice CreateAdsRequest(const XdsBootstrap::XdsServer& server,
+                              const std::string& type_url,
+                              const std::set<absl::string_view>& resource_names,
+                              const std::string& version,
+                              const std::string& nonce, grpc_error_handle error,
+                              bool populate_node);
+
+  // Parses an ADS response.
   AdsParseResult ParseAdsResponse(
-      const grpc_slice& encoded_response,
+      const XdsBootstrap::XdsServer& server, const grpc_slice& encoded_response,
       const std::set<absl::string_view>& expected_listener_names,
       const std::set<absl::string_view>& expected_route_configuration_names,
       const std::set<absl::string_view>& expected_cluster_names,
@@ -412,10 +648,14 @@ class XdsApi {
   // Parses the LRS response and returns \a
   // load_reporting_interval for client-side load reporting. If there is any
   // error, the output config is invalid.
-  grpc_error* ParseLrsResponse(const grpc_slice& encoded_response,
-                               bool* send_all_clusters,
-                               std::set<std::string>* cluster_names,
-                               grpc_millis* load_reporting_interval);
+  grpc_error_handle ParseLrsResponse(const grpc_slice& encoded_response,
+                                     bool* send_all_clusters,
+                                     std::set<std::string>* cluster_names,
+                                     grpc_millis* load_reporting_interval);
+
+  // Assemble the client config proto message and return the serialized result.
+  std::string AssembleClientConfig(
+      const ResourceTypeMetadataMap& resource_type_metadata_map);
 
  private:
   XdsClient* client_;

data/src/core/ext/xds/xds_bootstrap.cc

@@ -30,7 +30,6 @@
 
 #include "src/core/ext/xds/certificate_provider_registry.h"
 #include "src/core/ext/xds/xds_api.h"
-#include "src/core/lib/gpr/env.h"
 #include "src/core/lib/gpr/string.h"
 #include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/security/credentials/credentials.h"
@@ -81,136 +80,27 @@ bool XdsBootstrap::XdsServer::ShouldUseV3() const {
 // XdsBootstrap
 //
 
-namespace {
-
-std::string BootstrapString(const XdsBootstrap& bootstrap) {
-  std::vector<std::string> parts;
-  if (bootstrap.node() != nullptr) {
-    parts.push_back(absl::StrFormat(
-        "node={\n"
-        "  id=\"%s\",\n"
-        "  cluster=\"%s\",\n"
-        "  locality={\n"
-        "    region=\"%s\",\n"
-        "    zone=\"%s\",\n"
-        "    subzone=\"%s\"\n"
-        "  },\n"
-        "  metadata=%s,\n"
-        "},\n",
-        bootstrap.node()->id, bootstrap.node()->cluster,
-        bootstrap.node()->locality_region, bootstrap.node()->locality_zone,
-        bootstrap.node()->locality_subzone, bootstrap.node()->metadata.Dump()));
-  }
-  parts.push_back(absl::StrFormat(
-      "servers=[\n"
-      "  {\n"
-      "    uri=\"%s\",\n"
-      "    creds_type=%s,\n",
-      bootstrap.server().server_uri, bootstrap.server().channel_creds_type));
-  if (bootstrap.server().channel_creds_config.type() != Json::Type::JSON_NULL) {
-    parts.push_back(
-        absl::StrFormat("    creds_config=%s,",
-                        bootstrap.server().channel_creds_config.Dump()));
-  }
-  if (!bootstrap.server().server_features.empty()) {
-    parts.push_back(absl::StrCat(
-        "    server_features=[",
-        absl::StrJoin(bootstrap.server().server_features, ", "), "],\n"));
-  }
-  parts.push_back("  }\n],\n");
-  parts.push_back("certificate_providers={\n");
-  for (const auto& entry : bootstrap.certificate_providers()) {
-    parts.push_back(
-        absl::StrFormat("  %s={\n"
-                        "    plugin_name=%s\n"
-                        "    config=%s\n"
-                        "  },\n",
-                        entry.first, entry.second.plugin_name,
-                        entry.second.config->ToString()));
-  }
-  parts.push_back("}");
-  return absl::StrJoin(parts, "");
-}
-
-std::unique_ptr<XdsBootstrap> ParseJsonAndCreate(
-    XdsClient* client, TraceFlag* tracer, absl::string_view json_string,
-    absl::string_view bootstrap_source, grpc_error** error) {
+std::unique_ptr<XdsBootstrap> XdsBootstrap::Create(
+    absl::string_view json_string, grpc_error_handle* error) {
   Json json = Json::Parse(json_string, error);
   if (*error != GRPC_ERROR_NONE) {
-    grpc_error* error_out = GRPC_ERROR_CREATE_REFERENCING_FROM_COPIED_STRING(
-        absl::StrCat("Failed to parse bootstrap from ", bootstrap_source)
-            .c_str(),
-        error, 1);
+    grpc_error_handle error_out =
+        GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
+            "Failed to parse bootstrap JSON string", error, 1);
     GRPC_ERROR_UNREF(*error);
     *error = error_out;
     return nullptr;
   }
-  std::unique_ptr<XdsBootstrap> result =
-      absl::make_unique<XdsBootstrap>(std::move(json), error);
-  if (*error == GRPC_ERROR_NONE && GRPC_TRACE_FLAG_ENABLED(*tracer)) {
-    gpr_log(GPR_INFO,
-            "[xds_client %p] Bootstrap config for creating xds client:\n%s",
-            client, BootstrapString(*result).c_str());
-  }
-  return result;
-}
-
-}  // namespace
-
-std::unique_ptr<XdsBootstrap> XdsBootstrap::Create(XdsClient* client,
-                                                   TraceFlag* tracer,
-                                                   const char* fallback_config,
-                                                   grpc_error** error) {
-  // First, try GRPC_XDS_BOOTSTRAP env var.
-  grpc_core::UniquePtr<char> path(gpr_getenv("GRPC_XDS_BOOTSTRAP"));
-  if (path != nullptr) {
-    if (GRPC_TRACE_FLAG_ENABLED(*tracer)) {
-      gpr_log(GPR_INFO,
-              "[xds_client %p] Got bootstrap file location from "
-              "GRPC_XDS_BOOTSTRAP environment variable: %s",
-              client, path.get());
-    }
-    grpc_slice contents;
-    *error =
-        grpc_load_file(path.get(), /*add_null_terminator=*/true, &contents);
-    if (*error != GRPC_ERROR_NONE) return nullptr;
-    absl::string_view contents_str_view = StringViewFromSlice(contents);
-    if (GRPC_TRACE_FLAG_ENABLED(*tracer)) {
-      gpr_log(GPR_DEBUG, "[xds_client %p] Bootstrap file contents: %s", client,
-              std::string(contents_str_view).c_str());
-    }
-    std::string bootstrap_source = absl::StrCat("file ", path.get());
-    auto result = ParseJsonAndCreate(client, tracer, contents_str_view,
-                                     bootstrap_source, error);
-    grpc_slice_unref_internal(contents);
-    return result;
-  }
-  // Next, try GRPC_XDS_BOOTSTRAP_CONFIG env var.
-  grpc_core::UniquePtr<char> env_config(
-      gpr_getenv("GRPC_XDS_BOOTSTRAP_CONFIG"));
-  if (env_config != nullptr) {
-    return ParseJsonAndCreate(client, tracer, env_config.get(),
-                              "GRPC_XDS_BOOTSTRAP_CONFIG env var", error);
-  }
-  // Finally, try fallback config.
-  if (fallback_config != nullptr) {
-    return ParseJsonAndCreate(client, tracer, fallback_config,
-                              "fallback config", error);
-  }
-  // No bootstrap config found.
-  *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-      "Environment variables GRPC_XDS_BOOTSTRAP or GRPC_XDS_BOOTSTRAP_CONFIG "
-      "not defined");
-  return nullptr;
+  return absl::make_unique<XdsBootstrap>(std::move(json), error);
 }
 
-XdsBootstrap::XdsBootstrap(Json json, grpc_error** error) {
+XdsBootstrap::XdsBootstrap(Json json, grpc_error_handle* error) {
   if (json.type() != Json::Type::OBJECT) {
     *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
         "malformed JSON in bootstrap file");
     return;
   }
-  std::vector<grpc_error*> error_list;
+  std::vector<grpc_error_handle> error_list;
   auto it = json.mutable_object()->find("xds_servers");
   if (it == json.mutable_object()->end()) {
     error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
@@ -219,7 +109,7 @@ XdsBootstrap::XdsBootstrap(Json json, grpc_error** error) {
     error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
         "\"xds_servers\" field is not an array"));
   } else {
-    grpc_error* parse_error = ParseXdsServerList(&it->second);
+    grpc_error_handle parse_error = ParseXdsServerList(&it->second);
     if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
   }
   it = json.mutable_object()->find("node");
@@ -228,10 +118,20 @@ XdsBootstrap::XdsBootstrap(Json json, grpc_error** error) {
       error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
           "\"node\" field is not an object"));
     } else {
-      grpc_error* parse_error = ParseNode(&it->second);
+      grpc_error_handle parse_error = ParseNode(&it->second);
       if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
     }
   }
+  it = json.mutable_object()->find("server_listener_resource_name_template");
+  if (it != json.mutable_object()->end()) {
+    if (it->second.type() != Json::Type::STRING) {
+      error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "\"server_listener_resource_name_template\" field is not a string"));
+    } else {
+      server_listener_resource_name_template_ =
+          std::move(*it->second.mutable_string_value());
+    }
+  }
   if (XdsSecurityEnabled()) {
     it = json.mutable_object()->find("certificate_providers");
     if (it != json.mutable_object()->end()) {
@@ -239,7 +139,7 @@ XdsBootstrap::XdsBootstrap(Json json, grpc_error** error) {
         error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
             "\"certificate_providers\" field is not an object"));
       } else {
-        grpc_error* parse_error = ParseCertificateProviders(&it->second);
+        grpc_error_handle parse_error = ParseCertificateProviders(&it->second);
         if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
       }
     }
@@ -248,15 +148,15 @@ XdsBootstrap::XdsBootstrap(Json json, grpc_error** error) {
                                          &error_list);
 }
 
-grpc_error* XdsBootstrap::ParseXdsServerList(Json* json) {
-  std::vector<grpc_error*> error_list;
+grpc_error_handle XdsBootstrap::ParseXdsServerList(Json* json) {
+  std::vector<grpc_error_handle> error_list;
   for (size_t i = 0; i < json->mutable_array()->size(); ++i) {
     Json& child = json->mutable_array()->at(i);
     if (child.type() != Json::Type::OBJECT) {
       error_list.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
           absl::StrCat("array element ", i, " is not an object").c_str()));
     } else {
-      grpc_error* parse_error = ParseXdsServer(&child, i);
+      grpc_error_handle parse_error = ParseXdsServer(&child, i);
       if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
     }
   }
@@ -264,8 +164,8 @@ grpc_error* XdsBootstrap::ParseXdsServerList(Json* json) {
                                        &error_list);
 }
 
-grpc_error* XdsBootstrap::ParseXdsServer(Json* json, size_t idx) {
-  std::vector<grpc_error*> error_list;
+grpc_error_handle XdsBootstrap::ParseXdsServer(Json* json, size_t idx) {
+  std::vector<grpc_error_handle> error_list;
   servers_.emplace_back();
   XdsServer& server = servers_[servers_.size() - 1];
   auto it = json->mutable_object()->find("server_uri");
@@ -286,7 +186,8 @@ grpc_error* XdsBootstrap::ParseXdsServer(Json* json, size_t idx) {
     error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
         "\"channel_creds\" field is not an array"));
   } else {
-    grpc_error* parse_error = ParseChannelCredsArray(&it->second, &server);
+    grpc_error_handle parse_error =
+        ParseChannelCredsArray(&it->second, &server);
     if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
   }
   it = json->mutable_object()->find("server_features");
@@ -295,14 +196,15 @@ grpc_error* XdsBootstrap::ParseXdsServer(Json* json, size_t idx) {
       error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
           "\"server_features\" field is not an array"));
     } else {
-      grpc_error* parse_error = ParseServerFeaturesArray(&it->second, &server);
+      grpc_error_handle parse_error =
+          ParseServerFeaturesArray(&it->second, &server);
       if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
     }
   }
   // Can't use GRPC_ERROR_CREATE_FROM_VECTOR() here, because the error
   // string is not static in this case.
   if (error_list.empty()) return GRPC_ERROR_NONE;
-  grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+  grpc_error_handle error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
       absl::StrCat("errors parsing index ", idx).c_str());
   for (size_t i = 0; i < error_list.size(); ++i) {
     error = grpc_error_add_child(error, error_list[i]);
@@ -310,16 +212,16 @@ grpc_error* XdsBootstrap::ParseXdsServer(Json* json, size_t idx) {
   return error;
 }
 
-grpc_error* XdsBootstrap::ParseChannelCredsArray(Json* json,
-                                                 XdsServer* server) {
-  std::vector<grpc_error*> error_list;
+grpc_error_handle XdsBootstrap::ParseChannelCredsArray(Json* json,
+                                                       XdsServer* server) {
+  std::vector<grpc_error_handle> error_list;
   for (size_t i = 0; i < json->mutable_array()->size(); ++i) {
     Json& child = json->mutable_array()->at(i);
     if (child.type() != Json::Type::OBJECT) {
       error_list.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
           absl::StrCat("array element ", i, " is not an object").c_str()));
     } else {
-      grpc_error* parse_error = ParseChannelCreds(&child, i, server);
+      grpc_error_handle parse_error = ParseChannelCreds(&child, i, server);
       if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
     }
   }
@@ -331,9 +233,9 @@ grpc_error* XdsBootstrap::ParseChannelCredsArray(Json* json,
                                        &error_list);
 }
 
-grpc_error* XdsBootstrap::ParseChannelCreds(Json* json, size_t idx,
-                                            XdsServer* server) {
-  std::vector<grpc_error*> error_list;
+grpc_error_handle XdsBootstrap::ParseChannelCreds(Json* json, size_t idx,
+                                                  XdsServer* server) {
+  std::vector<grpc_error_handle> error_list;
   std::string type;
   auto it = json->mutable_object()->find("type");
   if (it == json->mutable_object()->end()) {
@@ -369,7 +271,7 @@ grpc_error* XdsBootstrap::ParseChannelCreds(Json* json, size_t idx,
   // Can't use GRPC_ERROR_CREATE_FROM_VECTOR() here, because the error
   // string is not static in this case.
   if (error_list.empty()) return GRPC_ERROR_NONE;
-  grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+  grpc_error_handle error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
       absl::StrCat("errors parsing index ", idx).c_str());
   for (size_t i = 0; i < error_list.size(); ++i) {
     error = grpc_error_add_child(error, error_list[i]);
@@ -377,9 +279,9 @@ grpc_error* XdsBootstrap::ParseChannelCreds(Json* json, size_t idx,
   return error;
 }
 
-grpc_error* XdsBootstrap::ParseServerFeaturesArray(Json* json,
-                                                   XdsServer* server) {
-  std::vector<grpc_error*> error_list;
+grpc_error_handle XdsBootstrap::ParseServerFeaturesArray(Json* json,
+                                                         XdsServer* server) {
+  std::vector<grpc_error_handle> error_list;
   for (size_t i = 0; i < json->mutable_array()->size(); ++i) {
     Json& child = json->mutable_array()->at(i);
     if (child.type() == Json::Type::STRING &&
@@ -391,8 +293,8 @@ grpc_error* XdsBootstrap::ParseServerFeaturesArray(Json* json,
       "errors parsing \"server_features\" array", &error_list);
 }
 
-grpc_error* XdsBootstrap::ParseNode(Json* json) {
-  std::vector<grpc_error*> error_list;
+grpc_error_handle XdsBootstrap::ParseNode(Json* json) {
+  std::vector<grpc_error_handle> error_list;
   node_ = absl::make_unique<Node>();
   auto it = json->mutable_object()->find("id");
   if (it != json->mutable_object()->end()) {
@@ -418,7 +320,7 @@ grpc_error* XdsBootstrap::ParseNode(Json* json) {
       error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
           "\"locality\" field is not an object"));
     } else {
-      grpc_error* parse_error = ParseLocality(&it->second);
+      grpc_error_handle parse_error = ParseLocality(&it->second);
       if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
     }
   }
@@ -435,8 +337,8 @@ grpc_error* XdsBootstrap::ParseNode(Json* json) {
                                        &error_list);
 }
 
-grpc_error* XdsBootstrap::ParseLocality(Json* json) {
-  std::vector<grpc_error*> error_list;
+grpc_error_handle XdsBootstrap::ParseLocality(Json* json) {
+  std::vector<grpc_error_handle> error_list;
   auto it = json->mutable_object()->find("region");
   if (it != json->mutable_object()->end()) {
     if (it->second.type() != Json::Type::STRING) {
@@ -455,21 +357,21 @@ grpc_error* XdsBootstrap::ParseLocality(Json* json) {
       node_->locality_zone = std::move(*it->second.mutable_string_value());
     }
   }
-  it = json->mutable_object()->find("subzone");
+  it = json->mutable_object()->find("sub_zone");
   if (it != json->mutable_object()->end()) {
     if (it->second.type() != Json::Type::STRING) {
       error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "\"subzone\" field is not a string"));
+          "\"sub_zone\" field is not a string"));
     } else {
-      node_->locality_subzone = std::move(*it->second.mutable_string_value());
+      node_->locality_sub_zone = std::move(*it->second.mutable_string_value());
     }
   }
   return GRPC_ERROR_CREATE_FROM_VECTOR("errors parsing \"locality\" object",
                                        &error_list);
 }
 
-grpc_error* XdsBootstrap::ParseCertificateProviders(Json* json) {
-  std::vector<grpc_error*> error_list;
+grpc_error_handle XdsBootstrap::ParseCertificateProviders(Json* json) {
+  std::vector<grpc_error_handle> error_list;
   for (auto& certificate_provider : *(json->mutable_object())) {
     if (certificate_provider.second.type() != Json::Type::OBJECT) {
       error_list.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
@@ -477,7 +379,7 @@ grpc_error* XdsBootstrap::ParseCertificateProviders(Json* json) {
                        "\" is not an object")
               .c_str()));
     } else {
-      grpc_error* parse_error = ParseCertificateProvider(
+      grpc_error_handle parse_error = ParseCertificateProvider(
           certificate_provider.first, &certificate_provider.second);
       if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
     }
@@ -486,9 +388,9 @@ grpc_error* XdsBootstrap::ParseCertificateProviders(Json* json) {
       "errors parsing \"certificate_providers\" object", &error_list);
 }
 
-grpc_error* XdsBootstrap::ParseCertificateProvider(
+grpc_error_handle XdsBootstrap::ParseCertificateProvider(
     const std::string& instance_name, Json* certificate_provider_json) {
-  std::vector<grpc_error*> error_list;
+  std::vector<grpc_error_handle> error_list;
   auto it = certificate_provider_json->mutable_object()->find("plugin_name");
   if (it == certificate_provider_json->mutable_object()->end()) {
     error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
@@ -509,14 +411,14 @@ grpc_error* XdsBootstrap::ParseCertificateProvider(
           error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
               "\"config\" field is not an object"));
         } else {
-          grpc_error* parse_error = GRPC_ERROR_NONE;
+          grpc_error_handle parse_error = GRPC_ERROR_NONE;
           config = factory->CreateCertificateProviderConfig(it->second,
                                                             &parse_error);
           if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
         }
       } else {
         // "config" is an optional field, so create an empty JSON object.
-        grpc_error* parse_error = GRPC_ERROR_NONE;
+        grpc_error_handle parse_error = GRPC_ERROR_NONE;
         config = factory->CreateCertificateProviderConfig(Json::Object(),
                                                           &parse_error);
         if (parse_error != GRPC_ERROR_NONE) error_list.push_back(parse_error);
@@ -528,7 +430,7 @@ grpc_error* XdsBootstrap::ParseCertificateProvider(
   // Can't use GRPC_ERROR_CREATE_FROM_VECTOR() here, because the error
   // string is not static in this case.
   if (error_list.empty()) return GRPC_ERROR_NONE;
-  grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+  grpc_error_handle error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
       absl::StrCat("errors parsing element \"", instance_name, "\"").c_str());
   for (size_t i = 0; i < error_list.size(); ++i) {
     error = grpc_error_add_child(error, error_list[i]);
@@ -536,4 +438,56 @@ grpc_error* XdsBootstrap::ParseCertificateProvider(
   return error;
 }
 
+std::string XdsBootstrap::ToString() const {
+  std::vector<std::string> parts;
+  if (node_ != nullptr) {
+    parts.push_back(absl::StrFormat(
+        "node={\n"
+        "  id=\"%s\",\n"
+        "  cluster=\"%s\",\n"
+        "  locality={\n"
+        "    region=\"%s\",\n"
+        "    zone=\"%s\",\n"
+        "    sub_zone=\"%s\"\n"
+        "  },\n"
+        "  metadata=%s,\n"
+        "},\n",
+        node_->id, node_->cluster, node_->locality_region, node_->locality_zone,
+        node_->locality_sub_zone, node_->metadata.Dump()));
+  }
+  parts.push_back(
+      absl::StrFormat("servers=[\n"
+                      "  {\n"
+                      "    uri=\"%s\",\n"
+                      "    creds_type=%s,\n",
+                      server().server_uri, server().channel_creds_type));
+  if (server().channel_creds_config.type() != Json::Type::JSON_NULL) {
+    parts.push_back(absl::StrFormat("    creds_config=%s,",
+                                    server().channel_creds_config.Dump()));
+  }
+  if (!server().server_features.empty()) {
+    parts.push_back(absl::StrCat("    server_features=[",
+                                 absl::StrJoin(server().server_features, ", "),
+                                 "],\n"));
+  }
+  parts.push_back("  }\n],\n");
+  if (!server_listener_resource_name_template_.empty()) {
+    parts.push_back(
+        absl::StrFormat("server_listener_resource_name_template=\"%s\",\n",
+                        server_listener_resource_name_template_));
+  }
+  parts.push_back("certificate_providers={\n");
+  for (const auto& entry : certificate_providers_) {
+    parts.push_back(
+        absl::StrFormat("  %s={\n"
+                        "    plugin_name=%s\n"
+                        "    config=%s\n"
+                        "  },\n",
+                        entry.first, entry.second.plugin_name,
+                        entry.second.config->ToString()));
+  }
+  parts.push_back("}");
+  return absl::StrJoin(parts, "");
+}
+
 }  // namespace grpc_core