RubyGems - grpc - Versions diffs - 1.60.2 → 1.61.0.pre2 - Mend

grpc 1.60.2 → 1.61.0.pre2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (279) hide show

data/src/core/ext/xds/xds_certificate_provider.cc CHANGED Viewed

@@ -43,16 +43,15 @@ class RootCertificatesWatcher
   // presently, the watcher is immediately deleted when
   // CancelTlsCertificatesWatch() is called, but that can potentially change in
   // the future.
-  RootCertificatesWatcher(
-      RefCountedPtr<grpc_tls_certificate_distributor> parent,
-      std::string cert_name)
-      : parent_(std::move(parent)), cert_name_(std::move(cert_name)) {}
+  explicit RootCertificatesWatcher(
+      RefCountedPtr<grpc_tls_certificate_distributor> parent)
+      : parent_(std::move(parent)) {}
   void OnCertificatesChanged(absl::optional<absl::string_view> root_certs,
                              absl::optional<PemKeyCertPairList>
                              /* key_cert_pairs */) override {
     if (root_certs.has_value()) {
-      parent_->SetKeyMaterials(cert_name_, std::string(root_certs.value()),
+      parent_->SetKeyMaterials("", std::string(root_certs.value()),
                                absl::nullopt);
     }
   }
@@ -60,14 +59,13 @@ class RootCertificatesWatcher
   void OnError(grpc_error_handle root_cert_error,
                grpc_error_handle /*identity_cert_error*/) override {
     if (!root_cert_error.ok()) {
-      parent_->SetErrorForCert(cert_name_, root_cert_error /* pass the ref */,
+      parent_->SetErrorForCert("", root_cert_error /* pass the ref */,
                                absl::nullopt);
     }
   }
  private:
   RefCountedPtr<grpc_tls_certificate_distributor> parent_;
-  std::string cert_name_;
 };
 class IdentityCertificatesWatcher
@@ -78,339 +76,142 @@ class IdentityCertificatesWatcher
   // presently, the watcher is immediately deleted when
   // CancelTlsCertificatesWatch() is called, but that can potentially change in
   // the future.
-  IdentityCertificatesWatcher(
-      RefCountedPtr<grpc_tls_certificate_distributor> parent,
-      std::string cert_name)
-      : parent_(std::move(parent)), cert_name_(std::move(cert_name)) {}
+  explicit IdentityCertificatesWatcher(
+      RefCountedPtr<grpc_tls_certificate_distributor> parent)
+      : parent_(std::move(parent)) {}
   void OnCertificatesChanged(
       absl::optional<absl::string_view> /* root_certs */,
       absl::optional<PemKeyCertPairList> key_cert_pairs) override {
     if (key_cert_pairs.has_value()) {
-      parent_->SetKeyMaterials(cert_name_, absl::nullopt, key_cert_pairs);
+      parent_->SetKeyMaterials("", absl::nullopt, key_cert_pairs);
     }
   }
   void OnError(grpc_error_handle /*root_cert_error*/,
                grpc_error_handle identity_cert_error) override {
     if (!identity_cert_error.ok()) {
-      parent_->SetErrorForCert(cert_name_, absl::nullopt,
+      parent_->SetErrorForCert("", absl::nullopt,
                                identity_cert_error /* pass the ref */);
     }
   }
  private:
   RefCountedPtr<grpc_tls_certificate_distributor> parent_;
-  std::string cert_name_;
 };
 }  // namespace
 //
-// XdsCertificateProvider::ClusterCertificateState
+// XdsCertificateProvider
 //
-XdsCertificateProvider::ClusterCertificateState::~ClusterCertificateState() {
-  if (root_cert_watcher_ != nullptr) {
-    root_cert_distributor_->CancelTlsCertificatesWatch(root_cert_watcher_);
-  }
-  if (identity_cert_watcher_ != nullptr) {
-    identity_cert_distributor_->CancelTlsCertificatesWatch(
-        identity_cert_watcher_);
-  }
+XdsCertificateProvider::XdsCertificateProvider(
+    RefCountedPtr<grpc_tls_certificate_provider> root_cert_provider,
+    absl::string_view root_cert_name,
+    RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider,
+    absl::string_view identity_cert_name,
+    std::vector<StringMatcher> san_matchers)
+    : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()),
+      root_cert_provider_(std::move(root_cert_provider)),
+      root_cert_name_(root_cert_name),
+      identity_cert_provider_(std::move(identity_cert_provider)),
+      identity_cert_name_(identity_cert_name),
+      san_matchers_(std::move(san_matchers)),
+      require_client_certificate_(false) {
+  distributor_->SetWatchStatusCallback(
+      absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
 }
-bool XdsCertificateProvider::ClusterCertificateState::IsSafeToRemove() const {
-  return !watching_root_certs_ && !watching_identity_certs_ &&
-         root_cert_distributor_ == nullptr &&
-         identity_cert_distributor_ == nullptr;
+XdsCertificateProvider::XdsCertificateProvider(
+    RefCountedPtr<grpc_tls_certificate_provider> root_cert_provider,
+    absl::string_view root_cert_name,
+    RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider,
+    absl::string_view identity_cert_name, bool require_client_certificate)
+    : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()),
+      root_cert_provider_(std::move(root_cert_provider)),
+      root_cert_name_(root_cert_name),
+      identity_cert_provider_(std::move(identity_cert_provider)),
+      identity_cert_name_(identity_cert_name),
+      require_client_certificate_(require_client_certificate) {
+  distributor_->SetWatchStatusCallback(
+      absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
 }
-void XdsCertificateProvider::ClusterCertificateState::
-    UpdateRootCertNameAndDistributor(
-        const std::string& cert_name, absl::string_view root_cert_name,
-        RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor) {
-  if (root_cert_name_ == root_cert_name &&
-      root_cert_distributor_ == root_cert_distributor) {
-    return;
-  }
-  root_cert_name_ = std::string(root_cert_name);
-  if (watching_root_certs_) {
-    // The root certificates are being watched. Swap out the watcher.
-    if (root_cert_distributor_ != nullptr) {
-      root_cert_distributor_->CancelTlsCertificatesWatch(root_cert_watcher_);
-    }
-    if (root_cert_distributor != nullptr) {
-      UpdateRootCertWatcher(cert_name, root_cert_distributor.get());
-    } else {
-      root_cert_watcher_ = nullptr;
-      xds_certificate_provider_->distributor_->SetErrorForCert(
-          "",
+XdsCertificateProvider::~XdsCertificateProvider() {
+  distributor_->SetWatchStatusCallback(nullptr);
+}
+UniqueTypeName XdsCertificateProvider::type() const {
+  static UniqueTypeName::Factory kFactory("Xds");
+  return kFactory.Create();
+}
+void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
+                                                 bool root_being_watched,
+                                                 bool identity_being_watched) {
+  if (!cert_name.empty()) {
+    if (root_being_watched) {
+      distributor_->SetErrorForCert(
+          cert_name,
           GRPC_ERROR_CREATE(
               "No certificate provider available for root certificates"),
           absl::nullopt);
     }
-  }
-  // Swap out the root certificate distributor
-  root_cert_distributor_ = std::move(root_cert_distributor);
-}
-void XdsCertificateProvider::ClusterCertificateState::
-    UpdateIdentityCertNameAndDistributor(
-        const std::string& cert_name, absl::string_view identity_cert_name,
-        RefCountedPtr<grpc_tls_certificate_distributor>
-            identity_cert_distributor) {
-  if (identity_cert_name_ == identity_cert_name &&
-      identity_cert_distributor_ == identity_cert_distributor) {
-    return;
-  }
-  identity_cert_name_ = std::string(identity_cert_name);
-  if (watching_identity_certs_) {
-    // The identity certificates are being watched. Swap out the watcher.
-    if (identity_cert_distributor_ != nullptr) {
-      identity_cert_distributor_->CancelTlsCertificatesWatch(
-          identity_cert_watcher_);
-    }
-    if (identity_cert_distributor != nullptr) {
-      UpdateIdentityCertWatcher(cert_name, identity_cert_distributor.get());
-    } else {
-      identity_cert_watcher_ = nullptr;
-      xds_certificate_provider_->distributor_->SetErrorForCert(
-          "", absl::nullopt,
+    if (identity_being_watched) {
+      distributor_->SetErrorForCert(
+          cert_name, absl::nullopt,
           GRPC_ERROR_CREATE(
               "No certificate provider available for identity certificates"));
     }
+    return;
   }
-  // Swap out the identity certificate distributor
-  identity_cert_distributor_ = std::move(identity_cert_distributor);
-}
-void XdsCertificateProvider::ClusterCertificateState::UpdateRootCertWatcher(
-    const std::string& cert_name,
-    grpc_tls_certificate_distributor* root_cert_distributor) {
-  auto watcher = std::make_unique<RootCertificatesWatcher>(
-      xds_certificate_provider_->distributor_, cert_name);
-  root_cert_watcher_ = watcher.get();
-  root_cert_distributor->WatchTlsCertificates(std::move(watcher),
-                                              root_cert_name_, absl::nullopt);
-}
-void XdsCertificateProvider::ClusterCertificateState::UpdateIdentityCertWatcher(
-    const std::string& cert_name,
-    grpc_tls_certificate_distributor* identity_cert_distributor) {
-  auto watcher = std::make_unique<IdentityCertificatesWatcher>(
-      xds_certificate_provider_->distributor_, cert_name);
-  identity_cert_watcher_ = watcher.get();
-  identity_cert_distributor->WatchTlsCertificates(
-      std::move(watcher), absl::nullopt, identity_cert_name_);
-}
-void XdsCertificateProvider::ClusterCertificateState::WatchStatusCallback(
-    const std::string& cert_name, bool root_being_watched,
-    bool identity_being_watched) {
   // We aren't specially handling the case where root_cert_distributor is same
   // as identity_cert_distributor. Always using two separate watchers
   // irrespective of the fact results in a straightforward design, and using a
   // single watcher does not seem to provide any benefit other than cutting down
   // on the number of callbacks.
-  if (root_being_watched && !watching_root_certs_) {
-    // We need to start watching root certs.
-    watching_root_certs_ = true;
-    if (root_cert_distributor_ == nullptr) {
-      xds_certificate_provider_->distributor_->SetErrorForCert(
+  if (root_being_watched && root_cert_watcher_ == nullptr) {
+    // Start watching root cert.
+    if (root_cert_provider_ == nullptr) {
+      distributor_->SetErrorForCert(
           cert_name,
           GRPC_ERROR_CREATE(
               "No certificate provider available for root certificates"),
           absl::nullopt);
     } else {
-      UpdateRootCertWatcher(cert_name, root_cert_distributor_.get());
-    }
-  } else if (!root_being_watched && watching_root_certs_) {
-    // We need to cancel root certs watch.
-    watching_root_certs_ = false;
-    if (root_cert_distributor_ != nullptr) {
-      root_cert_distributor_->CancelTlsCertificatesWatch(root_cert_watcher_);
-      root_cert_watcher_ = nullptr;
+      auto watcher = std::make_unique<RootCertificatesWatcher>(distributor_);
+      root_cert_watcher_ = watcher.get();
+      root_cert_provider_->distributor()->WatchTlsCertificates(
+          std::move(watcher), root_cert_name_, absl::nullopt);
     }
-    GPR_ASSERT(root_cert_watcher_ == nullptr);
-  }
-  if (identity_being_watched && !watching_identity_certs_) {
-    watching_identity_certs_ = true;
-    if (identity_cert_distributor_ == nullptr) {
-      xds_certificate_provider_->distributor_->SetErrorForCert(
+  } else if (!root_being_watched && root_cert_watcher_ != nullptr) {
+    // Cancel root cert watch.
+    GPR_ASSERT(root_cert_provider_ != nullptr);
+    root_cert_provider_->distributor()->CancelTlsCertificatesWatch(
+        root_cert_watcher_);
+    root_cert_watcher_ = nullptr;
+  }
+  if (identity_being_watched && identity_cert_watcher_ == nullptr) {
+    // Start watching identity cert.
+    if (identity_cert_provider_ == nullptr) {
+      distributor_->SetErrorForCert(
           cert_name, absl::nullopt,
           GRPC_ERROR_CREATE(
               "No certificate provider available for identity certificates"));
     } else {
-      UpdateIdentityCertWatcher(cert_name, identity_cert_distributor_.get());
+      auto watcher =
+          std::make_unique<IdentityCertificatesWatcher>(distributor_);
+      identity_cert_watcher_ = watcher.get();
+      identity_cert_provider_->distributor()->WatchTlsCertificates(
+          std::move(watcher), absl::nullopt, identity_cert_name_);
     }
-  } else if (!identity_being_watched && watching_identity_certs_) {
-    watching_identity_certs_ = false;
-    if (identity_cert_distributor_ != nullptr) {
-      identity_cert_distributor_->CancelTlsCertificatesWatch(
-          identity_cert_watcher_);
-      identity_cert_watcher_ = nullptr;
-    }
-    GPR_ASSERT(identity_cert_watcher_ == nullptr);
-  }
-}
-//
-// XdsCertificateProvider
-//
-XdsCertificateProvider::XdsCertificateProvider()
-    : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()) {
-  distributor_->SetWatchStatusCallback(
-      absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
-}
-XdsCertificateProvider::~XdsCertificateProvider() {
-  distributor_->SetWatchStatusCallback(nullptr);
-}
-UniqueTypeName XdsCertificateProvider::type() const {
-  static UniqueTypeName::Factory kFactory("Xds");
-  return kFactory.Create();
-}
-bool XdsCertificateProvider::ProvidesRootCerts(const std::string& cert_name) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) return false;
-  return it->second->ProvidesRootCerts();
-}
-void XdsCertificateProvider::UpdateRootCertNameAndDistributor(
-    const std::string& cert_name, absl::string_view root_cert_name,
-    RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) {
-    it =
-        certificate_state_map_
-            .emplace(cert_name, std::make_unique<ClusterCertificateState>(this))
-            .first;
-  }
-  it->second->UpdateRootCertNameAndDistributor(cert_name, root_cert_name,
-                                               root_cert_distributor);
-  // Delete unused entries.
-  if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
-}
-bool XdsCertificateProvider::ProvidesIdentityCerts(
-    const std::string& cert_name) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) return false;
-  return it->second->ProvidesIdentityCerts();
-}
-void XdsCertificateProvider::UpdateIdentityCertNameAndDistributor(
-    const std::string& cert_name, absl::string_view identity_cert_name,
-    RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) {
-    it =
-        certificate_state_map_
-            .emplace(cert_name, std::make_unique<ClusterCertificateState>(this))
-            .first;
-  }
-  it->second->UpdateIdentityCertNameAndDistributor(
-      cert_name, identity_cert_name, identity_cert_distributor);
-  // Delete unused entries.
-  if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
-}
-bool XdsCertificateProvider::GetRequireClientCertificate(
-    const std::string& cert_name) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) return false;
-  return it->second->require_client_certificate();
-}
-void XdsCertificateProvider::UpdateRequireClientCertificate(
-    const std::string& cert_name, bool require_client_certificate) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) return;
-  it->second->set_require_client_certificate(require_client_certificate);
-}
-std::vector<StringMatcher> XdsCertificateProvider::GetSanMatchers(
-    const std::string& cluster) {
-  MutexLock lock(&san_matchers_mu_);
-  auto it = san_matcher_map_.find(cluster);
-  if (it == san_matcher_map_.end()) return {};
-  return it->second;
-}
-void XdsCertificateProvider::UpdateSubjectAlternativeNameMatchers(
-    const std::string& cluster, std::vector<StringMatcher> matchers) {
-  MutexLock lock(&san_matchers_mu_);
-  if (matchers.empty()) {
-    san_matcher_map_.erase(cluster);
-  } else {
-    san_matcher_map_[cluster] = std::move(matchers);
-  }
-}
-void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
-                                                 bool root_being_watched,
-                                                 bool identity_being_watched) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) {
-    it =
-        certificate_state_map_
-            .emplace(cert_name, std::make_unique<ClusterCertificateState>(this))
-            .first;
+  } else if (!identity_being_watched && identity_cert_watcher_ != nullptr) {
+    GPR_ASSERT(identity_cert_provider_ != nullptr);
+    identity_cert_provider_->distributor()->CancelTlsCertificatesWatch(
+        identity_cert_watcher_);
+    identity_cert_watcher_ = nullptr;
   }
-  it->second->WatchStatusCallback(cert_name, root_being_watched,
-                                  identity_being_watched);
-  // Delete unused entries.
-  if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
-}
-namespace {
-void* XdsCertificateProviderArgCopy(void* p) {
-  XdsCertificateProvider* xds_certificate_provider =
-      static_cast<XdsCertificateProvider*>(p);
-  return xds_certificate_provider->Ref().release();
-}
-void XdsCertificateProviderArgDestroy(void* p) {
-  XdsCertificateProvider* xds_certificate_provider =
-      static_cast<XdsCertificateProvider*>(p);
-  xds_certificate_provider->Unref();
-}
-int XdsCertificateProviderArgCmp(void* p, void* q) {
-  return QsortCompare(p, q);
-}
-const grpc_arg_pointer_vtable kChannelArgVtable = {
-    XdsCertificateProviderArgCopy, XdsCertificateProviderArgDestroy,
-    XdsCertificateProviderArgCmp};
-}  // namespace
-grpc_arg XdsCertificateProvider::MakeChannelArg() const {
-  return grpc_channel_arg_pointer_create(
-      const_cast<char*>(GRPC_ARG_XDS_CERTIFICATE_PROVIDER),
-      const_cast<XdsCertificateProvider*>(this), &kChannelArgVtable);
-}
-RefCountedPtr<XdsCertificateProvider>
-XdsCertificateProvider::GetFromChannelArgs(const grpc_channel_args* args) {
-  XdsCertificateProvider* xds_certificate_provider =
-      grpc_channel_args_find_pointer<XdsCertificateProvider>(
-          args, GRPC_ARG_XDS_CERTIFICATE_PROVIDER);
-  return xds_certificate_provider != nullptr ? xds_certificate_provider->Ref()
-                                             : nullptr;
 }
 }  // namespace grpc_core

data/src/core/ext/xds/xds_certificate_provider.h CHANGED Viewed

@@ -40,24 +40,26 @@
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
-#define GRPC_ARG_XDS_CERTIFICATE_PROVIDER \
-  "grpc.internal.xds_certificate_provider"
 namespace grpc_core {
 class XdsCertificateProvider : public grpc_tls_certificate_provider {
  public:
-  XdsCertificateProvider();
-  ~XdsCertificateProvider() override;
-  static absl::string_view ChannelArgName() {
-    return GRPC_ARG_XDS_CERTIFICATE_PROVIDER;
-  }
+  // ctor for client side
+  XdsCertificateProvider(
+      RefCountedPtr<grpc_tls_certificate_provider> root_cert_provider,
+      absl::string_view root_cert_name,
+      RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider,
+      absl::string_view identity_cert_name,
+      std::vector<StringMatcher> san_matchers);
+  // ctor for server side
+  XdsCertificateProvider(
+      RefCountedPtr<grpc_tls_certificate_provider> root_cert_provider,
+      absl::string_view root_cert_name,
+      RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider,
+      absl::string_view identity_cert_name, bool require_client_certificate);
-  static int ChannelArgsCompare(const XdsCertificateProvider* a,
-                                const XdsCertificateProvider* b) {
-    return QsortCompare(a, b);
-  }
+  ~XdsCertificateProvider() override;
   RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
     return distributor_;
@@ -65,91 +67,27 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
   UniqueTypeName type() const override;
-  bool ProvidesRootCerts(const std::string& cert_name);
-  void UpdateRootCertNameAndDistributor(
-      const std::string& cert_name, absl::string_view root_cert_name,
-      RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
-  bool ProvidesIdentityCerts(const std::string& cert_name);
-  void UpdateIdentityCertNameAndDistributor(
-      const std::string& cert_name, absl::string_view identity_cert_name,
-      RefCountedPtr<grpc_tls_certificate_distributor>
-          identity_cert_distributor);
-  bool GetRequireClientCertificate(const std::string& cert_name);
-  // Updating \a require_client_certificate for a non-existing \a cert_name has
-  // no effect.
-  void UpdateRequireClientCertificate(const std::string& cert_name,
-                                      bool require_client_certificate);
-  std::vector<StringMatcher> GetSanMatchers(const std::string& cluster);
-  void UpdateSubjectAlternativeNameMatchers(
-      const std::string& cluster, std::vector<StringMatcher> matchers);
-  grpc_arg MakeChannelArg() const;
+  bool ProvidesRootCerts() const { return root_cert_provider_ != nullptr; }
+  bool ProvidesIdentityCerts() const {
+    return identity_cert_provider_ != nullptr;
+  }
+  bool require_client_certificate() const {
+    return require_client_certificate_;
+  }
+  const std::vector<StringMatcher>& san_matchers() const {
+    return san_matchers_;
+  }
-  static RefCountedPtr<XdsCertificateProvider> GetFromChannelArgs(
-      const grpc_channel_args* args);
+  static absl::string_view ChannelArgName() {
+    return "grpc.internal.xds_certificate_provider";
+  }
+  static int ChannelArgsCompare(const XdsCertificateProvider* a,
+                                const XdsCertificateProvider* b) {
+    if (a == nullptr || b == nullptr) return QsortCompare(a, b);
+    return a->Compare(b);
+  }
  private:
-  class ClusterCertificateState {
-   public:
-    explicit ClusterCertificateState(
-        XdsCertificateProvider* xds_certificate_provider)
-        : xds_certificate_provider_(xds_certificate_provider) {}
-    ~ClusterCertificateState();
-    // Returns true if the certs aren't being watched and there are no
-    // distributors configured.
-    bool IsSafeToRemove() const;
-    bool ProvidesRootCerts() const { return root_cert_distributor_ != nullptr; }
-    bool ProvidesIdentityCerts() const {
-      return identity_cert_distributor_ != nullptr;
-    }
-    void UpdateRootCertNameAndDistributor(
-        const std::string& cert_name, absl::string_view root_cert_name,
-        RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
-    void UpdateIdentityCertNameAndDistributor(
-        const std::string& cert_name, absl::string_view identity_cert_name,
-        RefCountedPtr<grpc_tls_certificate_distributor>
-            identity_cert_distributor);
-    void UpdateRootCertWatcher(
-        const std::string& cert_name,
-        grpc_tls_certificate_distributor* root_cert_distributor);
-    void UpdateIdentityCertWatcher(
-        const std::string& cert_name,
-        grpc_tls_certificate_distributor* identity_cert_distributor);
-    bool require_client_certificate() const {
-      return require_client_certificate_;
-    }
-    void set_require_client_certificate(bool require_client_certificate) {
-      require_client_certificate_ = require_client_certificate;
-    }
-    void WatchStatusCallback(const std::string& cert_name,
-                             bool root_being_watched,
-                             bool identity_being_watched);
-   private:
-    XdsCertificateProvider* xds_certificate_provider_;
-    bool watching_root_certs_ = false;
-    bool watching_identity_certs_ = false;
-    std::string root_cert_name_;
-    std::string identity_cert_name_;
-    RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor_;
-    RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor_;
-    grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
-        root_cert_watcher_ = nullptr;
-    grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
-        identity_cert_watcher_ = nullptr;
-    bool require_client_certificate_ = false;
-  };
   int CompareImpl(const grpc_tls_certificate_provider* other) const override {
     // TODO(yashykt): Maybe do something better here.
     return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
@@ -160,22 +98,17 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
                            bool identity_being_watched);
   RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
-  Mutex mu_;
-  std::map<std::string /*cert_name*/, std::unique_ptr<ClusterCertificateState>>
-      certificate_state_map_ ABSL_GUARDED_BY(mu_);
-  // Use a separate mutex for san_matchers_ to avoid deadlocks since
-  // san_matchers_ needs to be accessed when a handshake is being done and we
-  // run into a possible deadlock scenario if using the same mutex. The mutex
-  // deadlock cycle is formed as -
-  // WatchStatusCallback() -> SetKeyMaterials() ->
-  // TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnCertificatesChanged()
-  // -> HandshakeManager::Add() -> SecurityHandshaker::DoHandshake() ->
-  // subject_alternative_names_matchers()
-  Mutex san_matchers_mu_;
-  std::map<std::string /*cluster_name*/, std::vector<StringMatcher>>
-      san_matcher_map_ ABSL_GUARDED_BY(san_matchers_mu_);
+  RefCountedPtr<grpc_tls_certificate_provider> root_cert_provider_;
+  std::string root_cert_name_;
+  RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider_;
+  std::string identity_cert_name_;
+  std::vector<StringMatcher> san_matchers_;
+  bool require_client_certificate_ = false;
+  grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
+      root_cert_watcher_ = nullptr;
+  grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
+      identity_cert_watcher_ = nullptr;
 };
 }  // namespace grpc_core