RubyGems - grpc - Versions diffs - 1.60.2 → 1.61.0.pre2 - Mend

grpc 1.60.2 → 1.61.0.pre2

Files changed (279) hide show

data/src/core/ext/xds/xds_certificate_provider.cc CHANGED Viewed

@@ -43,16 +43,15 @@ class RootCertificatesWatcher
   // presently, the watcher is immediately deleted when
   // CancelTlsCertificatesWatch() is called, but that can potentially change in
   // the future.
-  RootCertificatesWatcher(
-      RefCountedPtr<grpc_tls_certificate_distributor> parent,
-      std::string cert_name)
-      : parent_(std::move(parent)), cert_name_(std::move(cert_name)) {}
+  explicit RootCertificatesWatcher(
+      RefCountedPtr<grpc_tls_certificate_distributor> parent)
+      : parent_(std::move(parent)) {}
   void OnCertificatesChanged(absl::optional<absl::string_view> root_certs,
                              absl::optional<PemKeyCertPairList>
                              /* key_cert_pairs */) override {
     if (root_certs.has_value()) {
-      parent_->SetKeyMaterials(cert_name_, std::string(root_certs.value()),
+      parent_->SetKeyMaterials("", std::string(root_certs.value()),
                                absl::nullopt);
     }
   }
@@ -60,14 +59,13 @@ class RootCertificatesWatcher
   void OnError(grpc_error_handle root_cert_error,
                grpc_error_handle /*identity_cert_error*/) override {
     if (!root_cert_error.ok()) {
-      parent_->SetErrorForCert(cert_name_, root_cert_error /* pass the ref */,
+      parent_->SetErrorForCert("", root_cert_error /* pass the ref */,
                                absl::nullopt);
     }
   }
  private:
   RefCountedPtr<grpc_tls_certificate_distributor> parent_;
-  std::string cert_name_;
 };
 class IdentityCertificatesWatcher
@@ -78,339 +76,142 @@ class IdentityCertificatesWatcher
   // presently, the watcher is immediately deleted when
   // CancelTlsCertificatesWatch() is called, but that can potentially change in
   // the future.
-  IdentityCertificatesWatcher(
-      RefCountedPtr<grpc_tls_certificate_distributor> parent,
-      std::string cert_name)
-      : parent_(std::move(parent)), cert_name_(std::move(cert_name)) {}
+  explicit IdentityCertificatesWatcher(
+      RefCountedPtr<grpc_tls_certificate_distributor> parent)
+      : parent_(std::move(parent)) {}
   void OnCertificatesChanged(
       absl::optional<absl::string_view> /* root_certs */,
       absl::optional<PemKeyCertPairList> key_cert_pairs) override {
     if (key_cert_pairs.has_value()) {
-      parent_->SetKeyMaterials(cert_name_, absl::nullopt, key_cert_pairs);
+      parent_->SetKeyMaterials("", absl::nullopt, key_cert_pairs);
     }
   }
   void OnError(grpc_error_handle /*root_cert_error*/,
                grpc_error_handle identity_cert_error) override {
     if (!identity_cert_error.ok()) {
-      parent_->SetErrorForCert(cert_name_, absl::nullopt,
+      parent_->SetErrorForCert("", absl::nullopt,
                                identity_cert_error /* pass the ref */);
     }
   }
  private:
   RefCountedPtr<grpc_tls_certificate_distributor> parent_;
-  std::string cert_name_;
 };
 }  // namespace
 //
-// XdsCertificateProvider::ClusterCertificateState
+// XdsCertificateProvider
 //
-XdsCertificateProvider::ClusterCertificateState::~ClusterCertificateState() {
-  if (root_cert_watcher_ != nullptr) {
-    root_cert_distributor_->CancelTlsCertificatesWatch(root_cert_watcher_);
-  }
-  if (identity_cert_watcher_ != nullptr) {
-    identity_cert_distributor_->CancelTlsCertificatesWatch(
-        identity_cert_watcher_);
-  }
+XdsCertificateProvider::XdsCertificateProvider(
+    RefCountedPtr<grpc_tls_certificate_provider> root_cert_provider,
+    absl::string_view root_cert_name,
+    RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider,
+    absl::string_view identity_cert_name,
+    std::vector<StringMatcher> san_matchers)
+    : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()),
+      root_cert_provider_(std::move(root_cert_provider)),
+      root_cert_name_(root_cert_name),
+      identity_cert_provider_(std::move(identity_cert_provider)),
+      identity_cert_name_(identity_cert_name),
+      san_matchers_(std::move(san_matchers)),
+      require_client_certificate_(false) {
+  distributor_->SetWatchStatusCallback(
+      absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
 }
-bool XdsCertificateProvider::ClusterCertificateState::IsSafeToRemove() const {
-  return !watching_root_certs_ && !watching_identity_certs_ &&
-         root_cert_distributor_ == nullptr &&
-         identity_cert_distributor_ == nullptr;
+XdsCertificateProvider::XdsCertificateProvider(
+    RefCountedPtr<grpc_tls_certificate_provider> root_cert_provider,
+    absl::string_view root_cert_name,
+    RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider,
+    absl::string_view identity_cert_name, bool require_client_certificate)
+    : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()),
+      root_cert_provider_(std::move(root_cert_provider)),
+      root_cert_name_(root_cert_name),
+      identity_cert_provider_(std::move(identity_cert_provider)),
+      identity_cert_name_(identity_cert_name),
+      require_client_certificate_(require_client_certificate) {
+  distributor_->SetWatchStatusCallback(
+      absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
 }
-void XdsCertificateProvider::ClusterCertificateState::
-    UpdateRootCertNameAndDistributor(
-        const std::string& cert_name, absl::string_view root_cert_name,
-        RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor) {
-  if (root_cert_name_ == root_cert_name &&
-      root_cert_distributor_ == root_cert_distributor) {
-    return;
-  }
-  root_cert_name_ = std::string(root_cert_name);
-  if (watching_root_certs_) {
-    // The root certificates are being watched. Swap out the watcher.
-    if (root_cert_distributor_ != nullptr) {
-      root_cert_distributor_->CancelTlsCertificatesWatch(root_cert_watcher_);
-    }
-    if (root_cert_distributor != nullptr) {
-      UpdateRootCertWatcher(cert_name, root_cert_distributor.get());
-    } else {
-      root_cert_watcher_ = nullptr;
-      xds_certificate_provider_->distributor_->SetErrorForCert(
-          "",
+XdsCertificateProvider::~XdsCertificateProvider() {
+  distributor_->SetWatchStatusCallback(nullptr);
+}
+UniqueTypeName XdsCertificateProvider::type() const {
+  static UniqueTypeName::Factory kFactory("Xds");
+  return kFactory.Create();
+}
+void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
+                                                 bool root_being_watched,
+                                                 bool identity_being_watched) {
+  if (!cert_name.empty()) {
+    if (root_being_watched) {
+      distributor_->SetErrorForCert(
+          cert_name,
           GRPC_ERROR_CREATE(
               "No certificate provider available for root certificates"),
           absl::nullopt);
     }
-  }
-  // Swap out the root certificate distributor
-  root_cert_distributor_ = std::move(root_cert_distributor);
-}
-void XdsCertificateProvider::ClusterCertificateState::
-    UpdateIdentityCertNameAndDistributor(
-        const std::string& cert_name, absl::string_view identity_cert_name,
-        RefCountedPtr<grpc_tls_certificate_distributor>
-            identity_cert_distributor) {
-  if (identity_cert_name_ == identity_cert_name &&
-      identity_cert_distributor_ == identity_cert_distributor) {
-    return;
-  }
-  identity_cert_name_ = std::string(identity_cert_name);
-  if (watching_identity_certs_) {
-    // The identity certificates are being watched. Swap out the watcher.
-    if (identity_cert_distributor_ != nullptr) {
-      identity_cert_distributor_->CancelTlsCertificatesWatch(
-          identity_cert_watcher_);
-    }
-    if (identity_cert_distributor != nullptr) {
-      UpdateIdentityCertWatcher(cert_name, identity_cert_distributor.get());
-    } else {
-      identity_cert_watcher_ = nullptr;
-      xds_certificate_provider_->distributor_->SetErrorForCert(
-          "", absl::nullopt,
+    if (identity_being_watched) {
+      distributor_->SetErrorForCert(
+          cert_name, absl::nullopt,
           GRPC_ERROR_CREATE(
               "No certificate provider available for identity certificates"));
     }
+    return;
   }
-  // Swap out the identity certificate distributor
-  identity_cert_distributor_ = std::move(identity_cert_distributor);
-}
-void XdsCertificateProvider::ClusterCertificateState::UpdateRootCertWatcher(
-    const std::string& cert_name,
-    grpc_tls_certificate_distributor* root_cert_distributor) {
-  auto watcher = std::make_unique<RootCertificatesWatcher>(
-      xds_certificate_provider_->distributor_, cert_name);
-  root_cert_watcher_ = watcher.get();
-  root_cert_distributor->WatchTlsCertificates(std::move(watcher),
-                                              root_cert_name_, absl::nullopt);
-}
-void XdsCertificateProvider::ClusterCertificateState::UpdateIdentityCertWatcher(
-    const std::string& cert_name,
-    grpc_tls_certificate_distributor* identity_cert_distributor) {
-  auto watcher = std::make_unique<IdentityCertificatesWatcher>(
-      xds_certificate_provider_->distributor_, cert_name);
-  identity_cert_watcher_ = watcher.get();
-  identity_cert_distributor->WatchTlsCertificates(
-      std::move(watcher), absl::nullopt, identity_cert_name_);
-}
-void XdsCertificateProvider::ClusterCertificateState::WatchStatusCallback(
-    const std::string& cert_name, bool root_being_watched,
-    bool identity_being_watched) {
   // We aren't specially handling the case where root_cert_distributor is same
   // as identity_cert_distributor. Always using two separate watchers
   // irrespective of the fact results in a straightforward design, and using a
   // single watcher does not seem to provide any benefit other than cutting down
   // on the number of callbacks.
-  if (root_being_watched && !watching_root_certs_) {
-    // We need to start watching root certs.
-    watching_root_certs_ = true;
-    if (root_cert_distributor_ == nullptr) {
-      xds_certificate_provider_->distributor_->SetErrorForCert(
+  if (root_being_watched && root_cert_watcher_ == nullptr) {
+    // Start watching root cert.
+    if (root_cert_provider_ == nullptr) {
+      distributor_->SetErrorForCert(
           cert_name,
           GRPC_ERROR_CREATE(
               "No certificate provider available for root certificates"),
           absl::nullopt);
     } else {
-      UpdateRootCertWatcher(cert_name, root_cert_distributor_.get());
-    }
-  } else if (!root_being_watched && watching_root_certs_) {
-    // We need to cancel root certs watch.
-    watching_root_certs_ = false;
-    if (root_cert_distributor_ != nullptr) {
-      root_cert_distributor_->CancelTlsCertificatesWatch(root_cert_watcher_);
-      root_cert_watcher_ = nullptr;
+      auto watcher = std::make_unique<RootCertificatesWatcher>(distributor_);
+      root_cert_watcher_ = watcher.get();
+      root_cert_provider_->distributor()->WatchTlsCertificates(
+          std::move(watcher), root_cert_name_, absl::nullopt);
     }
-    GPR_ASSERT(root_cert_watcher_ == nullptr);
-  }
-  if (identity_being_watched && !watching_identity_certs_) {
-    watching_identity_certs_ = true;
-    if (identity_cert_distributor_ == nullptr) {
-      xds_certificate_provider_->distributor_->SetErrorForCert(
+  } else if (!root_being_watched && root_cert_watcher_ != nullptr) {
+    // Cancel root cert watch.
+    GPR_ASSERT(root_cert_provider_ != nullptr);
+    root_cert_provider_->distributor()->CancelTlsCertificatesWatch(
+        root_cert_watcher_);
+    root_cert_watcher_ = nullptr;
+  }
+  if (identity_being_watched && identity_cert_watcher_ == nullptr) {
+    // Start watching identity cert.
+    if (identity_cert_provider_ == nullptr) {
+      distributor_->SetErrorForCert(
           cert_name, absl::nullopt,
           GRPC_ERROR_CREATE(
               "No certificate provider available for identity certificates"));
     } else {
-      UpdateIdentityCertWatcher(cert_name, identity_cert_distributor_.get());
+      auto watcher =
+          std::make_unique<IdentityCertificatesWatcher>(distributor_);
+      identity_cert_watcher_ = watcher.get();
+      identity_cert_provider_->distributor()->WatchTlsCertificates(
+          std::move(watcher), absl::nullopt, identity_cert_name_);
     }
-  } else if (!identity_being_watched && watching_identity_certs_) {
-    watching_identity_certs_ = false;
-    if (identity_cert_distributor_ != nullptr) {
-      identity_cert_distributor_->CancelTlsCertificatesWatch(
-          identity_cert_watcher_);
-      identity_cert_watcher_ = nullptr;
-    }
-    GPR_ASSERT(identity_cert_watcher_ == nullptr);
-  }
-}
-//
-// XdsCertificateProvider
-//
-XdsCertificateProvider::XdsCertificateProvider()
-    : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()) {
-  distributor_->SetWatchStatusCallback(
-      absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
-}
-XdsCertificateProvider::~XdsCertificateProvider() {
-  distributor_->SetWatchStatusCallback(nullptr);
-}
-UniqueTypeName XdsCertificateProvider::type() const {
-  static UniqueTypeName::Factory kFactory("Xds");
-  return kFactory.Create();
-}
-bool XdsCertificateProvider::ProvidesRootCerts(const std::string& cert_name) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) return false;
-  return it->second->ProvidesRootCerts();
-}
-void XdsCertificateProvider::UpdateRootCertNameAndDistributor(
-    const std::string& cert_name, absl::string_view root_cert_name,
-    RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) {
-    it =
-        certificate_state_map_
-            .emplace(cert_name, std::make_unique<ClusterCertificateState>(this))
-            .first;
-  }
-  it->second->UpdateRootCertNameAndDistributor(cert_name, root_cert_name,
-                                               root_cert_distributor);
-  // Delete unused entries.
-  if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
-}
-bool XdsCertificateProvider::ProvidesIdentityCerts(
-    const std::string& cert_name) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) return false;
-  return it->second->ProvidesIdentityCerts();
-}
-void XdsCertificateProvider::UpdateIdentityCertNameAndDistributor(
-    const std::string& cert_name, absl::string_view identity_cert_name,
-    RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) {
-    it =
-        certificate_state_map_
-            .emplace(cert_name, std::make_unique<ClusterCertificateState>(this))
-            .first;
-  }
-  it->second->UpdateIdentityCertNameAndDistributor(
-      cert_name, identity_cert_name, identity_cert_distributor);
-  // Delete unused entries.
-  if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
-}
-bool XdsCertificateProvider::GetRequireClientCertificate(
-    const std::string& cert_name) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) return false;
-  return it->second->require_client_certificate();
-}
-void XdsCertificateProvider::UpdateRequireClientCertificate(
-    const std::string& cert_name, bool require_client_certificate) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) return;
-  it->second->set_require_client_certificate(require_client_certificate);
-}
-std::vector<StringMatcher> XdsCertificateProvider::GetSanMatchers(
-    const std::string& cluster) {
-  MutexLock lock(&san_matchers_mu_);
-  auto it = san_matcher_map_.find(cluster);
-  if (it == san_matcher_map_.end()) return {};
-  return it->second;
-}
-void XdsCertificateProvider::UpdateSubjectAlternativeNameMatchers(
-    const std::string& cluster, std::vector<StringMatcher> matchers) {
-  MutexLock lock(&san_matchers_mu_);
-  if (matchers.empty()) {
-    san_matcher_map_.erase(cluster);
-  } else {
-    san_matcher_map_[cluster] = std::move(matchers);
-  }
-}
-void XdsCertificateProvider::WatchStatusCallback(std::string cert_name,
-                                                 bool root_being_watched,
-                                                 bool identity_being_watched) {
-  MutexLock lock(&mu_);
-  auto it = certificate_state_map_.find(cert_name);
-  if (it == certificate_state_map_.end()) {
-    it =
-        certificate_state_map_
-            .emplace(cert_name, std::make_unique<ClusterCertificateState>(this))
-            .first;
+  } else if (!identity_being_watched && identity_cert_watcher_ != nullptr) {
+    GPR_ASSERT(identity_cert_provider_ != nullptr);
+    identity_cert_provider_->distributor()->CancelTlsCertificatesWatch(
+        identity_cert_watcher_);
+    identity_cert_watcher_ = nullptr;
   }
-  it->second->WatchStatusCallback(cert_name, root_being_watched,
-                                  identity_being_watched);
-  // Delete unused entries.
-  if (it->second->IsSafeToRemove()) certificate_state_map_.erase(it);
-}
-namespace {
-void* XdsCertificateProviderArgCopy(void* p) {
-  XdsCertificateProvider* xds_certificate_provider =
-      static_cast<XdsCertificateProvider*>(p);
-  return xds_certificate_provider->Ref().release();
-}
-void XdsCertificateProviderArgDestroy(void* p) {
-  XdsCertificateProvider* xds_certificate_provider =
-      static_cast<XdsCertificateProvider*>(p);
-  xds_certificate_provider->Unref();
-}
-int XdsCertificateProviderArgCmp(void* p, void* q) {
-  return QsortCompare(p, q);
-}
-const grpc_arg_pointer_vtable kChannelArgVtable = {
-    XdsCertificateProviderArgCopy, XdsCertificateProviderArgDestroy,
-    XdsCertificateProviderArgCmp};
-}  // namespace
-grpc_arg XdsCertificateProvider::MakeChannelArg() const {
-  return grpc_channel_arg_pointer_create(
-      const_cast<char*>(GRPC_ARG_XDS_CERTIFICATE_PROVIDER),
-      const_cast<XdsCertificateProvider*>(this), &kChannelArgVtable);
-}
-RefCountedPtr<XdsCertificateProvider>
-XdsCertificateProvider::GetFromChannelArgs(const grpc_channel_args* args) {
-  XdsCertificateProvider* xds_certificate_provider =
-      grpc_channel_args_find_pointer<XdsCertificateProvider>(
-          args, GRPC_ARG_XDS_CERTIFICATE_PROVIDER);
-  return xds_certificate_provider != nullptr ? xds_certificate_provider->Ref()
-                                             : nullptr;
 }
 }  // namespace grpc_core

data/src/core/ext/xds/xds_certificate_provider.h CHANGED Viewed

@@ -40,24 +40,26 @@
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
-#define GRPC_ARG_XDS_CERTIFICATE_PROVIDER \
-  "grpc.internal.xds_certificate_provider"
 namespace grpc_core {
 class XdsCertificateProvider : public grpc_tls_certificate_provider {
  public:
-  XdsCertificateProvider();
-  ~XdsCertificateProvider() override;
-  static absl::string_view ChannelArgName() {
-    return GRPC_ARG_XDS_CERTIFICATE_PROVIDER;
-  }
+  // ctor for client side
+  XdsCertificateProvider(
+      RefCountedPtr<grpc_tls_certificate_provider> root_cert_provider,
+      absl::string_view root_cert_name,
+      RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider,
+      absl::string_view identity_cert_name,
+      std::vector<StringMatcher> san_matchers);
+  // ctor for server side
+  XdsCertificateProvider(
+      RefCountedPtr<grpc_tls_certificate_provider> root_cert_provider,
+      absl::string_view root_cert_name,
+      RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider,
+      absl::string_view identity_cert_name, bool require_client_certificate);
-  static int ChannelArgsCompare(const XdsCertificateProvider* a,
-                                const XdsCertificateProvider* b) {
-    return QsortCompare(a, b);
-  }
+  ~XdsCertificateProvider() override;
   RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
     return distributor_;
@@ -65,91 +67,27 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
   UniqueTypeName type() const override;
-  bool ProvidesRootCerts(const std::string& cert_name);
-  void UpdateRootCertNameAndDistributor(
-      const std::string& cert_name, absl::string_view root_cert_name,
-      RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
-  bool ProvidesIdentityCerts(const std::string& cert_name);
-  void UpdateIdentityCertNameAndDistributor(
-      const std::string& cert_name, absl::string_view identity_cert_name,
-      RefCountedPtr<grpc_tls_certificate_distributor>
-          identity_cert_distributor);
-  bool GetRequireClientCertificate(const std::string& cert_name);
-  // Updating \a require_client_certificate for a non-existing \a cert_name has
-  // no effect.
-  void UpdateRequireClientCertificate(const std::string& cert_name,
-                                      bool require_client_certificate);
-  std::vector<StringMatcher> GetSanMatchers(const std::string& cluster);
-  void UpdateSubjectAlternativeNameMatchers(
-      const std::string& cluster, std::vector<StringMatcher> matchers);
-  grpc_arg MakeChannelArg() const;
+  bool ProvidesRootCerts() const { return root_cert_provider_ != nullptr; }
+  bool ProvidesIdentityCerts() const {
+    return identity_cert_provider_ != nullptr;
+  }
+  bool require_client_certificate() const {
+    return require_client_certificate_;
+  }
+  const std::vector<StringMatcher>& san_matchers() const {
+    return san_matchers_;
+  }
-  static RefCountedPtr<XdsCertificateProvider> GetFromChannelArgs(
-      const grpc_channel_args* args);
+  static absl::string_view ChannelArgName() {
+    return "grpc.internal.xds_certificate_provider";
+  }
+  static int ChannelArgsCompare(const XdsCertificateProvider* a,
+                                const XdsCertificateProvider* b) {
+    if (a == nullptr || b == nullptr) return QsortCompare(a, b);
+    return a->Compare(b);
+  }
  private:
-  class ClusterCertificateState {
-   public:
-    explicit ClusterCertificateState(
-        XdsCertificateProvider* xds_certificate_provider)
-        : xds_certificate_provider_(xds_certificate_provider) {}
-    ~ClusterCertificateState();
-    // Returns true if the certs aren't being watched and there are no
-    // distributors configured.
-    bool IsSafeToRemove() const;
-    bool ProvidesRootCerts() const { return root_cert_distributor_ != nullptr; }
-    bool ProvidesIdentityCerts() const {
-      return identity_cert_distributor_ != nullptr;
-    }
-    void UpdateRootCertNameAndDistributor(
-        const std::string& cert_name, absl::string_view root_cert_name,
-        RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
-    void UpdateIdentityCertNameAndDistributor(
-        const std::string& cert_name, absl::string_view identity_cert_name,
-        RefCountedPtr<grpc_tls_certificate_distributor>
-            identity_cert_distributor);
-    void UpdateRootCertWatcher(
-        const std::string& cert_name,
-        grpc_tls_certificate_distributor* root_cert_distributor);
-    void UpdateIdentityCertWatcher(
-        const std::string& cert_name,
-        grpc_tls_certificate_distributor* identity_cert_distributor);
-    bool require_client_certificate() const {
-      return require_client_certificate_;
-    }
-    void set_require_client_certificate(bool require_client_certificate) {
-      require_client_certificate_ = require_client_certificate;
-    }
-    void WatchStatusCallback(const std::string& cert_name,
-                             bool root_being_watched,
-                             bool identity_being_watched);
-   private:
-    XdsCertificateProvider* xds_certificate_provider_;
-    bool watching_root_certs_ = false;
-    bool watching_identity_certs_ = false;
-    std::string root_cert_name_;
-    std::string identity_cert_name_;
-    RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor_;
-    RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor_;
-    grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
-        root_cert_watcher_ = nullptr;
-    grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
-        identity_cert_watcher_ = nullptr;
-    bool require_client_certificate_ = false;
-  };
   int CompareImpl(const grpc_tls_certificate_provider* other) const override {
     // TODO(yashykt): Maybe do something better here.
     return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
@@ -160,22 +98,17 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
                            bool identity_being_watched);
   RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
-  Mutex mu_;
-  std::map<std::string /*cert_name*/, std::unique_ptr<ClusterCertificateState>>
-      certificate_state_map_ ABSL_GUARDED_BY(mu_);
-  // Use a separate mutex for san_matchers_ to avoid deadlocks since
-  // san_matchers_ needs to be accessed when a handshake is being done and we
-  // run into a possible deadlock scenario if using the same mutex. The mutex
-  // deadlock cycle is formed as -
-  // WatchStatusCallback() -> SetKeyMaterials() ->
-  // TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnCertificatesChanged()
-  // -> HandshakeManager::Add() -> SecurityHandshaker::DoHandshake() ->
-  // subject_alternative_names_matchers()
-  Mutex san_matchers_mu_;
-  std::map<std::string /*cluster_name*/, std::vector<StringMatcher>>
-      san_matcher_map_ ABSL_GUARDED_BY(san_matchers_mu_);
+  RefCountedPtr<grpc_tls_certificate_provider> root_cert_provider_;
+  std::string root_cert_name_;
+  RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider_;
+  std::string identity_cert_name_;
+  std::vector<StringMatcher> san_matchers_;
+  bool require_client_certificate_ = false;
+  grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
+      root_cert_watcher_ = nullptr;
+  grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
+      identity_cert_watcher_ = nullptr;
 };
 }  // namespace grpc_core