grpc 1.36.0 → 1.38.0

data/src/core/ext/xds/xds_http_fault_filter.h

@@ -0,0 +1,63 @@
+//
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPC_CORE_EXT_XDS_XDS_HTTP_FAULT_FILTER_H
+#define GRPC_CORE_EXT_XDS_XDS_HTTP_FAULT_FILTER_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc.h>
+
+#include "absl/status/statusor.h"
+#include "src/core/ext/xds/xds_http_filters.h"
+#include "upb/def.h"
+
+namespace grpc_core {
+
+extern const char* kXdsHttpFaultFilterConfigName;
+
+class XdsHttpFaultFilter : public XdsHttpFilterImpl {
+ public:
+  // Overrides the PopulateSymtab method
+  void PopulateSymtab(upb_symtab* symtab) const override;
+
+  // Overrides the GenerateFilterConfig method
+  absl::StatusOr<FilterConfig> GenerateFilterConfig(
+      upb_strview serialized_filter_config, upb_arena* arena) const override;
+
+  // Overrides the GenerateFilterConfigOverride method
+  absl::StatusOr<FilterConfig> GenerateFilterConfigOverride(
+      upb_strview serialized_filter_config, upb_arena* arena) const override;
+
+  // Overrides the channel_filter method
+  const grpc_channel_filter* channel_filter() const override;
+
+  // Overrides the ModifyChannelArgs method
+  grpc_channel_args* ModifyChannelArgs(grpc_channel_args* args) const override;
+
+  // Overrides the GenerateServiceConfig method
+  absl::StatusOr<ServiceConfigJsonEntry> GenerateServiceConfig(
+      const FilterConfig& hcm_filter_config,
+      const FilterConfig* filter_config_override) const override;
+
+  bool IsSupportedOnClients() const override { return true; }
+
+  bool IsSupportedOnServers() const override { return false; }
+};
+
+}  // namespace grpc_core
+
+#endif /* GRPC_CORE_EXT_XDS_XDS_HTTP_FAULT_FILTER_H */

data/src/core/ext/xds/xds_http_filters.cc

@@ -0,0 +1,114 @@
+//
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/ext/xds/xds_http_filters.h"
+
+#include "envoy/extensions/filters/http/router/v3/router.upb.h"
+#include "envoy/extensions/filters/http/router/v3/router.upbdefs.h"
+#include "src/core/ext/xds/xds_http_fault_filter.h"
+
+namespace grpc_core {
+
+const char* kXdsHttpRouterFilterConfigName =
+    "envoy.extensions.filters.http.router.v3.Router";
+
+namespace {
+
+class XdsHttpRouterFilter : public XdsHttpFilterImpl {
+ public:
+  void PopulateSymtab(upb_symtab* symtab) const override {
+    envoy_extensions_filters_http_router_v3_Router_getmsgdef(symtab);
+  }
+
+  absl::StatusOr<FilterConfig> GenerateFilterConfig(
+      upb_strview serialized_filter_config, upb_arena* arena) const override {
+    if (envoy_extensions_filters_http_router_v3_Router_parse(
+            serialized_filter_config.data, serialized_filter_config.size,
+            arena) == nullptr) {
+      return absl::InvalidArgumentError("could not parse router filter config");
+    }
+    return FilterConfig{kXdsHttpRouterFilterConfigName, Json()};
+  }
+
+  absl::StatusOr<FilterConfig> GenerateFilterConfigOverride(
+      upb_strview /*serialized_filter_config*/,
+      upb_arena* /*arena*/) const override {
+    return absl::InvalidArgumentError(
+        "router filter does not support config override");
+  }
+
+  // No-op -- this filter is special-cased by the xds resolver.
+  const grpc_channel_filter* channel_filter() const override { return nullptr; }
+
+  // No-op -- this filter is special-cased by the xds resolver.
+  absl::StatusOr<ServiceConfigJsonEntry> GenerateServiceConfig(
+      const FilterConfig& /*hcm_filter_config*/,
+      const FilterConfig* /*filter_config_override*/) const override {
+    return absl::UnimplementedError("router filter should never be called");
+  }
+
+  bool IsSupportedOnClients() const override { return true; }
+
+  bool IsSupportedOnServers() const override { return true; }
+};
+
+using FilterOwnerList = std::vector<std::unique_ptr<XdsHttpFilterImpl>>;
+using FilterRegistryMap = std::map<absl::string_view, XdsHttpFilterImpl*>;
+
+FilterOwnerList* g_filters = nullptr;
+FilterRegistryMap* g_filter_registry = nullptr;
+
+}  // namespace
+
+void XdsHttpFilterRegistry::RegisterFilter(
+    std::unique_ptr<XdsHttpFilterImpl> filter,
+    const std::set<absl::string_view>& config_proto_type_names) {
+  for (auto config_proto_type_name : config_proto_type_names) {
+    (*g_filter_registry)[config_proto_type_name] = filter.get();
+  }
+  g_filters->push_back(std::move(filter));
+}
+
+const XdsHttpFilterImpl* XdsHttpFilterRegistry::GetFilterForType(
+    absl::string_view proto_type_name) {
+  auto it = g_filter_registry->find(proto_type_name);
+  if (it == g_filter_registry->end()) return nullptr;
+  return it->second;
+}
+
+void XdsHttpFilterRegistry::PopulateSymtab(upb_symtab* symtab) {
+  for (const auto& filter : *g_filters) {
+    filter->PopulateSymtab(symtab);
+  }
+}
+
+void XdsHttpFilterRegistry::Init() {
+  g_filters = new FilterOwnerList;
+  g_filter_registry = new FilterRegistryMap;
+  RegisterFilter(absl::make_unique<XdsHttpRouterFilter>(),
+                 {kXdsHttpRouterFilterConfigName});
+  RegisterFilter(absl::make_unique<XdsHttpFaultFilter>(),
+                 {kXdsHttpFaultFilterConfigName});
+}
+
+void XdsHttpFilterRegistry::Shutdown() {
+  delete g_filter_registry;
+  delete g_filters;
+}
+
+}  // namespace grpc_core

data/src/core/ext/xds/xds_http_filters.h

@@ -0,0 +1,130 @@
+//
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPC_CORE_EXT_XDS_XDS_HTTP_FILTERS_H
+#define GRPC_CORE_EXT_XDS_XDS_HTTP_FILTERS_H
+
+#include <grpc/support/port_platform.h>
+
+#include <memory>
+#include <set>
+#include <string>
+
+#include "absl/status/statusor.h"
+#include "absl/strings/str_cat.h"
+#include "absl/strings/string_view.h"
+#include "google/protobuf/any.upb.h"
+#include "upb/def.h"
+
+#include <grpc/grpc.h>
+
+#include "src/core/lib/channel/channel_stack.h"
+#include "src/core/lib/json/json.h"
+
+namespace grpc_core {
+
+extern const char* kXdsHttpRouterFilterConfigName;
+
+class XdsHttpFilterImpl {
+ public:
+  struct FilterConfig {
+    absl::string_view config_proto_type_name;
+    Json config;
+
+    bool operator==(const FilterConfig& other) const {
+      return config_proto_type_name == other.config_proto_type_name &&
+             config == other.config;
+    }
+    std::string ToString() const {
+      return absl::StrCat("{config_proto_type_name=", config_proto_type_name,
+                          " config=", config.Dump(), "}");
+    }
+  };
+
+  // Service config data for the filter, returned by GenerateServiceConfig().
+  struct ServiceConfigJsonEntry {
+    // The top-level field name in the method config.
+    // Filter implementations should use their primary config proto type
+    // name for this.
+    // The value of this field in the method config will be a JSON array,
+    // which will be populated with the elements returned by each filter
+    // instance.
+    std::string service_config_field_name;
+    // The element to add to the JSON array.
+    std::string element;
+  };
+
+  virtual ~XdsHttpFilterImpl() = default;
+
+  // Loads the proto message into the upb symtab.
+  virtual void PopulateSymtab(upb_symtab* symtab) const = 0;
+
+  // Generates a Config from the xDS filter config proto.
+  // Used for the top-level config in the HCM HTTP filter list.
+  virtual absl::StatusOr<FilterConfig> GenerateFilterConfig(
+      upb_strview serialized_filter_config, upb_arena* arena) const = 0;
+
+  // Generates a Config from the xDS filter config proto.
+  // Used for the typed_per_filter_config override in VirtualHost and Route.
+  virtual absl::StatusOr<FilterConfig> GenerateFilterConfigOverride(
+      upb_strview serialized_filter_config, upb_arena* arena) const = 0;
+
+  // C-core channel filter implementation.
+  virtual const grpc_channel_filter* channel_filter() const = 0;
+
+  // Modifies channel args that may affect service config parsing (not
+  // visible to the channel as a whole).
+  // Takes ownership of args.  Caller takes ownership of return value.
+  virtual grpc_channel_args* ModifyChannelArgs(grpc_channel_args* args) const {
+    return args;
+  }
+
+  // Function to convert the Configs into a JSON string to be added to the
+  // per-method part of the service config.
+  // The hcm_filter_config comes from the HttpConnectionManager config.
+  // The filter_config_override comes from the first of the ClusterWeight,
+  // Route, or VirtualHost entries that it is found in, or null if
+  // there is no override in any of those locations.
+  virtual absl::StatusOr<ServiceConfigJsonEntry> GenerateServiceConfig(
+      const FilterConfig& hcm_filter_config,
+      const FilterConfig* filter_config_override) const = 0;
+
+  // Returns true if the filter is supported on clients; false otherwise
+  virtual bool IsSupportedOnClients() const = 0;
+
+  // Returns true if the filter is supported on servers; false otherwise
+  virtual bool IsSupportedOnServers() const = 0;
+};
+
+class XdsHttpFilterRegistry {
+ public:
+  static void RegisterFilter(
+      std::unique_ptr<XdsHttpFilterImpl> filter,
+      const std::set<absl::string_view>& config_proto_type_names);
+
+  static const XdsHttpFilterImpl* GetFilterForType(
+      absl::string_view proto_type_name);
+
+  static void PopulateSymtab(upb_symtab* symtab);
+
+  // Global init and shutdown.
+  static void Init();
+  static void Shutdown();
+};
+
+}  // namespace grpc_core
+
+#endif /* GRPC_CORE_EXT_XDS_XDS_HTTP_FILTERS_H */

data/src/core/ext/xds/xds_server_config_fetcher.cc

@@ -18,12 +18,19 @@
 
 #include <grpc/support/port_platform.h>
 
+#include "absl/strings/str_replace.h"
+
 #include "src/core/ext/xds/xds_certificate_provider.h"
 #include "src/core/ext/xds/xds_client.h"
+#include "src/core/lib/address_utils/sockaddr_utils.h"
 #include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/gprpp/host_port.h"
+#include "src/core/lib/iomgr/sockaddr.h"
+#include "src/core/lib/iomgr/socket_utils.h"
 #include "src/core/lib/security/credentials/xds/xds_credentials.h"
 #include "src/core/lib/surface/api_trace.h"
 #include "src/core/lib/surface/server.h"
+#include "src/core/lib/uri/uri_parser.h"
 
 namespace grpc_core {
 
@@ -32,10 +39,317 @@ TraceFlag grpc_xds_server_config_fetcher_trace(false,
 
 namespace {
 
+class FilterChainMatchManager
+    : public grpc_server_config_fetcher::ConnectionManager {
+ public:
+  FilterChainMatchManager(
+      RefCountedPtr<XdsClient> xds_client,
+      XdsApi::LdsUpdate::FilterChainMap filter_chain_map,
+      absl::optional<XdsApi::LdsUpdate::FilterChainData> default_filter_chain)
+      : xds_client_(xds_client),
+        filter_chain_map_(std::move(filter_chain_map)),
+        default_filter_chain_(std::move(default_filter_chain)) {}
+
+  absl::StatusOr<grpc_channel_args*> UpdateChannelArgsForConnection(
+      grpc_channel_args* args, grpc_endpoint* tcp) override;
+
+  const XdsApi::LdsUpdate::FilterChainMap& filter_chain_map() const {
+    return filter_chain_map_;
+  }
+
+  const absl::optional<XdsApi::LdsUpdate::FilterChainData>&
+  default_filter_chain() const {
+    return default_filter_chain_;
+  }
+
+ private:
+  struct CertificateProviders {
+    // We need to save our own refs to the root and instance certificate
+    // providers since the xds certificate provider just stores a ref to their
+    // distributors.
+    RefCountedPtr<grpc_tls_certificate_provider> root;
+    RefCountedPtr<grpc_tls_certificate_provider> instance;
+    RefCountedPtr<XdsCertificateProvider> xds;
+  };
+
+  absl::StatusOr<RefCountedPtr<XdsCertificateProvider>>
+  CreateOrGetXdsCertificateProviderFromFilterChainData(
+      const XdsApi::LdsUpdate::FilterChainData* filter_chain);
+
+  const RefCountedPtr<XdsClient> xds_client_;
+  const XdsApi::LdsUpdate::FilterChainMap filter_chain_map_;
+  const absl::optional<XdsApi::LdsUpdate::FilterChainData>
+      default_filter_chain_;
+  Mutex mu_;
+  std::map<const XdsApi::LdsUpdate::FilterChainData*, CertificateProviders>
+      certificate_providers_map_ ABSL_GUARDED_BY(mu_);
+};
+
+bool IsLoopbackIp(const grpc_resolved_address* address) {
+  const grpc_sockaddr* sock_addr =
+      reinterpret_cast<const grpc_sockaddr*>(&address->addr);
+  if (sock_addr->sa_family == GRPC_AF_INET) {
+    const grpc_sockaddr_in* addr4 =
+        reinterpret_cast<const grpc_sockaddr_in*>(sock_addr);
+    if (addr4->sin_addr.s_addr == grpc_htonl(INADDR_LOOPBACK)) {
+      return true;
+    }
+  } else if (sock_addr->sa_family == GRPC_AF_INET6) {
+    const grpc_sockaddr_in6* addr6 =
+        reinterpret_cast<const grpc_sockaddr_in6*>(sock_addr);
+    if (memcmp(&addr6->sin6_addr, &in6addr_loopback,
+               sizeof(in6addr_loopback)) == 0) {
+      return true;
+    }
+  }
+  return false;
+}
+
+const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForSourcePort(
+    const XdsApi::LdsUpdate::FilterChainMap::SourcePortsMap& source_ports_map,
+    absl::string_view port_str) {
+  int port = 0;
+  if (!absl::SimpleAtoi(port_str, &port)) return nullptr;
+  auto it = source_ports_map.find(port);
+  if (it != source_ports_map.end()) {
+    return it->second.data.get();
+  }
+  // Search for the catch-all port 0 since we didn't get a direct match
+  it = source_ports_map.find(0);
+  if (it != source_ports_map.end()) {
+    return it->second.data.get();
+  }
+  return nullptr;
+}
+
+const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForSourceIp(
+    const XdsApi::LdsUpdate::FilterChainMap::SourceIpVector& source_ip_vector,
+    const grpc_resolved_address* source_ip, absl::string_view port) {
+  const XdsApi::LdsUpdate::FilterChainMap::SourceIp* best_match = nullptr;
+  for (const auto& entry : source_ip_vector) {
+    // Special case for catch-all
+    if (!entry.prefix_range.has_value()) {
+      if (best_match == nullptr) {
+        best_match = &entry;
+      }
+      continue;
+    }
+    if (best_match != nullptr && best_match->prefix_range.has_value() &&
+        best_match->prefix_range->prefix_len >=
+            entry.prefix_range->prefix_len) {
+      continue;
+    }
+    if (grpc_sockaddr_match_subnet(source_ip, &entry.prefix_range->address,
+                                   entry.prefix_range->prefix_len)) {
+      best_match = &entry;
+    }
+  }
+  if (best_match == nullptr) return nullptr;
+  return FindFilterChainDataForSourcePort(best_match->ports_map, port);
+}
+
+const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForSourceType(
+    const XdsApi::LdsUpdate::FilterChainMap::ConnectionSourceTypesArray&
+        source_types_array,
+    grpc_endpoint* tcp, absl::string_view destination_ip) {
+  auto source_uri = URI::Parse(grpc_endpoint_get_peer(tcp));
+  if (!source_uri.ok() ||
+      (source_uri->scheme() != "ipv4" && source_uri->scheme() != "ipv6")) {
+    return nullptr;
+  }
+  std::string host;
+  std::string port;
+  if (!SplitHostPort(source_uri->path(), &host, &port)) {
+    return nullptr;
+  }
+  grpc_resolved_address source_addr;
+  grpc_error_handle error = grpc_string_to_sockaddr(
+      &source_addr, host.c_str(), 0 /* port doesn't matter here */);
+  if (error != GRPC_ERROR_NONE) {
+    gpr_log(GPR_DEBUG, "Could not parse string to socket address: %s",
+            host.c_str());
+    GRPC_ERROR_UNREF(error);
+    return nullptr;
+  }
+  // Use kAny only if kSameIporLoopback and kExternal are empty
+  if (source_types_array[static_cast<int>(
+                             XdsApi::LdsUpdate::FilterChainMap::
+                                 ConnectionSourceType::kSameIpOrLoopback)]
+          .empty() &&
+      source_types_array[static_cast<int>(XdsApi::LdsUpdate::FilterChainMap::
+                                              ConnectionSourceType::kExternal)]
+          .empty()) {
+    return FindFilterChainDataForSourceIp(
+        source_types_array[static_cast<int>(
+            XdsApi::LdsUpdate::FilterChainMap::ConnectionSourceType::kAny)],
+        &source_addr, port);
+  }
+  if (IsLoopbackIp(&source_addr) || host == destination_ip) {
+    return FindFilterChainDataForSourceIp(
+        source_types_array[static_cast<int>(
+            XdsApi::LdsUpdate::FilterChainMap::ConnectionSourceType::
+                kSameIpOrLoopback)],
+        &source_addr, port);
+  } else {
+    return FindFilterChainDataForSourceIp(
+        source_types_array[static_cast<int>(
+            XdsApi::LdsUpdate::FilterChainMap::ConnectionSourceType::
+                kExternal)],
+        &source_addr, port);
+  }
+}
+
+const XdsApi::LdsUpdate::FilterChainData* FindFilterChainDataForDestinationIp(
+    const XdsApi::LdsUpdate::FilterChainMap::DestinationIpVector
+        destination_ip_vector,
+    grpc_endpoint* tcp) {
+  auto destination_uri = URI::Parse(grpc_endpoint_get_local_address(tcp));
+  if (!destination_uri.ok() || (destination_uri->scheme() != "ipv4" &&
+                                destination_uri->scheme() != "ipv6")) {
+    return nullptr;
+  }
+  std::string host;
+  std::string port;
+  if (!SplitHostPort(destination_uri->path(), &host, &port)) {
+    return nullptr;
+  }
+  grpc_resolved_address destination_addr;
+  grpc_error_handle error = grpc_string_to_sockaddr(
+      &destination_addr, host.c_str(), 0 /* port doesn't matter here */);
+  if (error != GRPC_ERROR_NONE) {
+    gpr_log(GPR_DEBUG, "Could not parse string to socket address: %s",
+            host.c_str());
+    GRPC_ERROR_UNREF(error);
+    return nullptr;
+  }
+  const XdsApi::LdsUpdate::FilterChainMap::DestinationIp* best_match = nullptr;
+  for (const auto& entry : destination_ip_vector) {
+    // Special case for catch-all
+    if (!entry.prefix_range.has_value()) {
+      if (best_match == nullptr) {
+        best_match = &entry;
+      }
+      continue;
+    }
+    if (best_match != nullptr && best_match->prefix_range.has_value() &&
+        best_match->prefix_range->prefix_len >=
+            entry.prefix_range->prefix_len) {
+      continue;
+    }
+    if (grpc_sockaddr_match_subnet(&destination_addr,
+                                   &entry.prefix_range->address,
+                                   entry.prefix_range->prefix_len)) {
+      best_match = &entry;
+    }
+  }
+  if (best_match == nullptr) return nullptr;
+  return FindFilterChainDataForSourceType(best_match->source_types_array, tcp,
+                                          host);
+}
+
+absl::StatusOr<RefCountedPtr<XdsCertificateProvider>>
+FilterChainMatchManager::CreateOrGetXdsCertificateProviderFromFilterChainData(
+    const XdsApi::LdsUpdate::FilterChainData* filter_chain) {
+  MutexLock lock(&mu_);
+  auto it = certificate_providers_map_.find(filter_chain);
+  if (it != certificate_providers_map_.end()) {
+    return it->second.xds;
+  }
+  CertificateProviders certificate_providers;
+  // Configure root cert.
+  absl::string_view root_provider_instance_name =
+      filter_chain->downstream_tls_context.common_tls_context
+          .combined_validation_context
+          .validation_context_certificate_provider_instance.instance_name;
+  absl::string_view root_provider_cert_name =
+      filter_chain->downstream_tls_context.common_tls_context
+          .combined_validation_context
+          .validation_context_certificate_provider_instance.certificate_name;
+  if (!root_provider_instance_name.empty()) {
+    certificate_providers.root =
+        xds_client_->certificate_provider_store()
+            .CreateOrGetCertificateProvider(root_provider_instance_name);
+    if (certificate_providers.root == nullptr) {
+      return absl::NotFoundError(
+          absl::StrCat("Certificate provider instance name: \"",
+                       root_provider_instance_name, "\" not recognized."));
+    }
+  }
+  // Configure identity cert.
+  absl::string_view identity_provider_instance_name =
+      filter_chain->downstream_tls_context.common_tls_context
+          .tls_certificate_certificate_provider_instance.instance_name;
+  absl::string_view identity_provider_cert_name =
+      filter_chain->downstream_tls_context.common_tls_context
+          .tls_certificate_certificate_provider_instance.certificate_name;
+  if (!identity_provider_instance_name.empty()) {
+    certificate_providers.instance =
+        xds_client_->certificate_provider_store()
+            .CreateOrGetCertificateProvider(identity_provider_instance_name);
+    if (certificate_providers.instance == nullptr) {
+      return absl::NotFoundError(
+          absl::StrCat("Certificate provider instance name: \"",
+                       identity_provider_instance_name, "\" not recognized."));
+    }
+  }
+  certificate_providers.xds = MakeRefCounted<XdsCertificateProvider>();
+  certificate_providers.xds->UpdateRootCertNameAndDistributor(
+      "", root_provider_cert_name,
+      certificate_providers.root == nullptr
+          ? nullptr
+          : certificate_providers.root->distributor());
+  certificate_providers.xds->UpdateIdentityCertNameAndDistributor(
+      "", identity_provider_cert_name,
+      certificate_providers.instance == nullptr
+          ? nullptr
+          : certificate_providers.instance->distributor());
+  certificate_providers.xds->UpdateRequireClientCertificate(
+      "", filter_chain->downstream_tls_context.require_client_certificate);
+  auto xds_certificate_provider = certificate_providers.xds;
+  certificate_providers_map_.emplace(filter_chain,
+                                     std::move(certificate_providers));
+  return xds_certificate_provider;
+}
+
+absl::StatusOr<grpc_channel_args*>
+FilterChainMatchManager::UpdateChannelArgsForConnection(grpc_channel_args* args,
+                                                        grpc_endpoint* tcp) {
+  const auto* filter_chain = FindFilterChainDataForDestinationIp(
+      filter_chain_map_.destination_ip_vector, tcp);
+  if (filter_chain == nullptr && default_filter_chain_.has_value()) {
+    filter_chain = &default_filter_chain_.value();
+  }
+  if (filter_chain == nullptr) {
+    grpc_channel_args_destroy(args);
+    return absl::UnavailableError("No matching filter chain found");
+  }
+  // Nothing to update if credentials are not xDS.
+  grpc_server_credentials* server_creds =
+      grpc_find_server_credentials_in_args(args);
+  if (server_creds == nullptr || server_creds->type() != kCredentialsTypeXds) {
+    return args;
+  }
+  absl::StatusOr<RefCountedPtr<XdsCertificateProvider>> result =
+      CreateOrGetXdsCertificateProviderFromFilterChainData(filter_chain);
+  if (!result.ok()) {
+    grpc_channel_args_destroy(args);
+    return result.status();
+  }
+  RefCountedPtr<XdsCertificateProvider> xds_certificate_provider =
+      std::move(*result);
+  GPR_ASSERT(xds_certificate_provider != nullptr);
+  grpc_arg arg_to_add = xds_certificate_provider->MakeChannelArg();
+  grpc_channel_args* updated_args =
+      grpc_channel_args_copy_and_add(args, &arg_to_add, 1);
+  grpc_channel_args_destroy(args);
+  return updated_args;
+}
+
 class XdsServerConfigFetcher : public grpc_server_config_fetcher {
  public:
-  explicit XdsServerConfigFetcher(RefCountedPtr<XdsClient> xds_client)
-      : xds_client_(std::move(xds_client)) {
+  explicit XdsServerConfigFetcher(RefCountedPtr<XdsClient> xds_client,
+                                  grpc_server_xds_status_notifier notifier)
+      : xds_client_(std::move(xds_client)), serving_status_notifier_(notifier) {
     GPR_ASSERT(xds_client_ != nullptr);
   }
 
@@ -44,11 +358,12 @@ class XdsServerConfigFetcher : public grpc_server_config_fetcher {
                       watcher) override {
     grpc_server_config_fetcher::WatcherInterface* watcher_ptr = watcher.get();
     auto listener_watcher = absl::make_unique<ListenerWatcher>(
-        std::move(watcher), args, xds_client_);
+        std::move(watcher), args, xds_client_, serving_status_notifier_,
+        listening_address);
     auto* listener_watcher_ptr = listener_watcher.get();
-    // TODO(yashykt): Get the resource name id from bootstrap
-    listening_address = absl::StrCat(
-        "grpc/server?xds.resource.listening_address=", listening_address);
+    listening_address = absl::StrReplaceAll(
+        xds_client_->bootstrap().server_listener_resource_name_template(),
+        {{"%s", listening_address}});
     xds_client_->WatchListenerData(listening_address,
                                    std::move(listener_watcher));
     MutexLock lock(&mu_);
@@ -81,10 +396,14 @@ class XdsServerConfigFetcher : public grpc_server_config_fetcher {
     explicit ListenerWatcher(
         std::unique_ptr<grpc_server_config_fetcher::WatcherInterface>
             server_config_watcher,
-        grpc_channel_args* args, RefCountedPtr<XdsClient> xds_client)
+        grpc_channel_args* args, RefCountedPtr<XdsClient> xds_client,
+        grpc_server_xds_status_notifier serving_status_notifier,
+        std::string listening_address)
         : server_config_watcher_(std::move(server_config_watcher)),
           args_(args),
-          xds_client_(std::move(xds_client)) {}
+          xds_client_(std::move(xds_client)),
+          serving_status_notifier_(serving_status_notifier),
+          listening_address_(std::move(listening_address)) {}
 
     ~ListenerWatcher() override { grpc_channel_args_destroy(args_); }
 
@@ -100,140 +419,90 @@ class XdsServerConfigFetcher : public grpc_server_config_fetcher {
             "[ListenerWatcher %p] Received LDS update from xds client %p: %s",
             this, xds_client_.get(), listener.ToString().c_str());
       }
-      grpc_error* error = GRPC_ERROR_NONE;
-      bool update_needed = UpdateXdsCertificateProvider(listener, &error);
-      if (error != GRPC_ERROR_NONE) {
-        OnError(error);
+      if (listener.address != listening_address_) {
+        OnFatalError(absl::FailedPreconditionError(
+            "Address in LDS update does not match listening address"));
         return;
       }
-      // Only send an update, if something changed.
-      if (updated_once_ && !update_needed) {
-        return;
+      if (filter_chain_match_manager_ == nullptr) {
+        if (serving_status_notifier_.on_serving_status_update != nullptr) {
+          serving_status_notifier_.on_serving_status_update(
+              serving_status_notifier_.user_data, listening_address_.c_str(),
+              GRPC_STATUS_OK, "");
+        } else {
+          gpr_log(GPR_INFO,
+                  "xDS Listener resource obtained; will start serving on %s",
+                  listening_address_.c_str());
+        }
       }
-      updated_once_ = true;
-      grpc_channel_args* updated_args = nullptr;
-      if (xds_certificate_provider_ != nullptr) {
-        grpc_arg arg_to_add = xds_certificate_provider_->MakeChannelArg();
-        updated_args = grpc_channel_args_copy_and_add(args_, &arg_to_add, 1);
-      } else {
-        updated_args = grpc_channel_args_copy(args_);
+      if (filter_chain_match_manager_ == nullptr ||
+          !(listener.filter_chain_map ==
+                filter_chain_match_manager_->filter_chain_map() &&
+            listener.default_filter_chain ==
+                filter_chain_match_manager_->default_filter_chain())) {
+        filter_chain_match_manager_ = MakeRefCounted<FilterChainMatchManager>(
+            xds_client_, std::move(listener.filter_chain_map),
+            std::move(listener.default_filter_chain));
+        server_config_watcher_->UpdateConnectionManager(
+            filter_chain_match_manager_);
       }
-      server_config_watcher_->UpdateConfig(updated_args);
     }
 
-    void OnError(grpc_error* error) override {
-      gpr_log(GPR_ERROR, "ListenerWatcher:%p XdsClient reports error: %s", this,
-              grpc_error_string(error));
+    void OnError(grpc_error_handle error) override {
+      if (filter_chain_match_manager_ != nullptr) {
+        gpr_log(GPR_ERROR,
+                "ListenerWatcher:%p XdsClient reports error: %s for %s; "
+                "ignoring in favor of existing resource",
+                this, grpc_error_std_string(error).c_str(),
+                listening_address_.c_str());
+      } else {
+        if (serving_status_notifier_.on_serving_status_update != nullptr) {
+          serving_status_notifier_.on_serving_status_update(
+              serving_status_notifier_.user_data, listening_address_.c_str(),
+              GRPC_STATUS_UNAVAILABLE, grpc_error_std_string(error).c_str());
+        } else {
+          gpr_log(
+              GPR_ERROR,
+              "ListenerWatcher:%p error obtaining xDS Listener resource: %s; "
+              "not serving on %s",
+              this, grpc_error_std_string(error).c_str(),
+              listening_address_.c_str());
+        }
+      }
       GRPC_ERROR_UNREF(error);
-      // TODO(yashykt): We might want to bubble this error to the application.
     }
 
-    void OnResourceDoesNotExist() override {
-      gpr_log(GPR_ERROR,
-              "ListenerWatcher:%p XdsClient reports requested listener does "
-              "not exist",
-              this);
-      // TODO(yashykt): We might want to bubble this error to the application.
-    }
-
-   private:
-    // Returns true if the xds certificate provider changed in a way that
-    // required a new security connector to be created, false otherwise.
-    bool UpdateXdsCertificateProvider(const XdsApi::LdsUpdate& listener,
-                                      grpc_error** error) {
-      // Early out if channel is not configured to use xDS security.
-      grpc_server_credentials* server_creds =
-          grpc_find_server_credentials_in_args(args_);
-      if (server_creds == nullptr ||
-          server_creds->type() != kCredentialsTypeXds) {
-        xds_certificate_provider_ = nullptr;
-        return false;
-      }
-      if (xds_certificate_provider_ == nullptr) {
-        xds_certificate_provider_ = MakeRefCounted<XdsCertificateProvider>();
+    void OnFatalError(absl::Status status) {
+      gpr_log(
+          GPR_ERROR,
+          "ListenerWatcher:%p Encountered fatal error %s; not serving on %s",
+          this, status.ToString().c_str(), listening_address_.c_str());
+      if (filter_chain_match_manager_ != nullptr) {
+        // The server has started listening already, so we need to gracefully
+        // stop serving.
+        server_config_watcher_->StopServing();
+        filter_chain_match_manager_.reset();
       }
-      // Configure root cert.
-      absl::string_view root_provider_instance_name =
-          listener.downstream_tls_context.common_tls_context
-              .combined_validation_context
-              .validation_context_certificate_provider_instance.instance_name;
-      absl::string_view root_provider_cert_name =
-          listener.downstream_tls_context.common_tls_context
-              .combined_validation_context
-              .validation_context_certificate_provider_instance
-              .certificate_name;
-      RefCountedPtr<grpc_tls_certificate_provider> new_root_provider;
-      if (!root_provider_instance_name.empty()) {
-        new_root_provider =
-            xds_client_->certificate_provider_store()
-                .CreateOrGetCertificateProvider(root_provider_instance_name);
-        if (new_root_provider == nullptr) {
-          *error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
-              absl::StrCat("Certificate provider instance name: \"",
-                           root_provider_instance_name, "\" not recognized.")
-                  .c_str());
-          return false;
-        }
+      if (serving_status_notifier_.on_serving_status_update != nullptr) {
+        serving_status_notifier_.on_serving_status_update(
+            serving_status_notifier_.user_data, listening_address_.c_str(),
+            static_cast<grpc_status_code>(status.raw_code()),
+            std::string(status.message()).c_str());
       }
-      // Configure identity cert.
-      absl::string_view identity_provider_instance_name =
-          listener.downstream_tls_context.common_tls_context
-              .tls_certificate_certificate_provider_instance.instance_name;
-      absl::string_view identity_provider_cert_name =
-          listener.downstream_tls_context.common_tls_context
-              .tls_certificate_certificate_provider_instance.certificate_name;
-      RefCountedPtr<grpc_tls_certificate_provider> new_identity_provider;
-      if (!identity_provider_instance_name.empty()) {
-        new_identity_provider = xds_client_->certificate_provider_store()
-                                    .CreateOrGetCertificateProvider(
-                                        identity_provider_instance_name);
-        if (new_identity_provider == nullptr) {
-          *error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
-              absl::StrCat("Certificate provider instance name: \"",
-                           identity_provider_instance_name,
-                           "\" not recognized.")
-                  .c_str());
-          return false;
-        }
-      }
-      bool security_connector_update_required = false;
-      if (((new_root_provider == nullptr) !=
-           (root_certificate_provider_ == nullptr)) ||
-          ((new_identity_provider == nullptr) !=
-           (identity_certificate_provider_ == nullptr)) ||
-          (listener.downstream_tls_context.require_client_certificate !=
-           xds_certificate_provider_->GetRequireClientCertificate(""))) {
-        security_connector_update_required = true;
-      }
-      if (root_certificate_provider_ != new_root_provider) {
-        root_certificate_provider_ = std::move(new_root_provider);
-      }
-      if (identity_certificate_provider_ != new_identity_provider) {
-        identity_certificate_provider_ = std::move(new_identity_provider);
-      }
-      xds_certificate_provider_->UpdateRootCertNameAndDistributor(
-          "", root_provider_cert_name,
-          root_certificate_provider_ == nullptr
-              ? nullptr
-              : root_certificate_provider_->distributor());
-      xds_certificate_provider_->UpdateIdentityCertNameAndDistributor(
-          "", identity_provider_cert_name,
-          identity_certificate_provider_ == nullptr
-              ? nullptr
-              : identity_certificate_provider_->distributor());
-      xds_certificate_provider_->UpdateRequireClientCertificate(
-          "", listener.downstream_tls_context.require_client_certificate);
-      return security_connector_update_required;
     }
 
+    void OnResourceDoesNotExist() override {
+      OnFatalError(absl::NotFoundError("Requested listener does not exist"));
+    }
+
+   private:
     std::unique_ptr<grpc_server_config_fetcher::WatcherInterface>
         server_config_watcher_;
     grpc_channel_args* args_;
     RefCountedPtr<XdsClient> xds_client_;
-    RefCountedPtr<grpc_tls_certificate_provider> root_certificate_provider_;
-    RefCountedPtr<grpc_tls_certificate_provider> identity_certificate_provider_;
-    RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
-    bool updated_once_ = false;
+    grpc_server_xds_status_notifier serving_status_notifier_;
+    std::string listening_address_;
+    RefCountedPtr<FilterChainMatchManager> filter_chain_match_manager_;
   };
 
   struct WatcherState {
@@ -242,26 +511,36 @@ class XdsServerConfigFetcher : public grpc_server_config_fetcher {
   };
 
   RefCountedPtr<XdsClient> xds_client_;
+  grpc_server_xds_status_notifier serving_status_notifier_;
   Mutex mu_;
   std::map<grpc_server_config_fetcher::WatcherInterface*, WatcherState>
-      watchers_;
+      watchers_ ABSL_GUARDED_BY(mu_);
 };
 
 }  // namespace
 }  // namespace grpc_core
 
-grpc_server_config_fetcher* grpc_server_config_fetcher_xds_create() {
+grpc_server_config_fetcher* grpc_server_config_fetcher_xds_create(
+    grpc_server_xds_status_notifier notifier, const grpc_channel_args* args) {
   grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
   grpc_core::ExecCtx exec_ctx;
   GRPC_API_TRACE("grpc_server_config_fetcher_xds_create()", 0, ());
-  grpc_error* error = GRPC_ERROR_NONE;
+  grpc_error_handle error = GRPC_ERROR_NONE;
   grpc_core::RefCountedPtr<grpc_core::XdsClient> xds_client =
-      grpc_core::XdsClient::GetOrCreate(&error);
+      grpc_core::XdsClient::GetOrCreate(args, &error);
   if (error != GRPC_ERROR_NONE) {
     gpr_log(GPR_ERROR, "Failed to create xds client: %s",
-            grpc_error_string(error));
+            grpc_error_std_string(error).c_str());
     GRPC_ERROR_UNREF(error);
     return nullptr;
   }
-  return new grpc_core::XdsServerConfigFetcher(std::move(xds_client));
+  if (xds_client->bootstrap()
+          .server_listener_resource_name_template()
+          .empty()) {
+    gpr_log(GPR_ERROR,
+            "server_listener_resource_name_template not provided in bootstrap "
+            "file.");
+    return nullptr;
+  }
+  return new grpc_core::XdsServerConfigFetcher(std::move(xds_client), notifier);
 }