grpc 1.74.1 → 1.75.0.pre1

data/src/core/client_channel/client_channel_filter.cc

@@ -2290,7 +2290,8 @@ class ClientChannelFilter::LoadBalancedCall::LbCallState final
   ServiceConfigCallData::CallAttributeInterface* GetCallAttribute(
       UniqueTypeName type) const override;
 
-  ClientCallTracer::CallAttemptTracer* GetCallAttemptTracer() const override;
+  ClientCallTracerInterface::CallAttemptTracer* GetCallAttemptTracer()
+      const override;
 
  private:
   LoadBalancedCall* lb_call_;
@@ -2307,7 +2308,7 @@ ClientChannelFilter::LoadBalancedCall::LbCallState::GetCallAttribute(
   return service_config_call_data->GetCallAttribute(type);
 }
 
-ClientCallTracer::CallAttemptTracer*
+ClientCallTracerInterface::CallAttemptTracer*
 ClientChannelFilter::LoadBalancedCall::LbCallState::GetCallAttemptTracer()
     const {
   return lb_call_->call_attempt_tracer();
@@ -2364,9 +2365,9 @@ class ClientChannelFilter::LoadBalancedCall::BackendMetricAccessor final
 
 namespace {
 
-ClientCallTracer::CallAttemptTracer* CreateCallAttemptTracer(
+ClientCallTracerInterface::CallAttemptTracer* CreateCallAttemptTracer(
     Arena* arena, bool is_transparent_retry) {
-  auto* call_tracer = DownCast<ClientCallTracer*>(
+  auto* call_tracer = DownCast<ClientCallTracerInterface*>(
       arena->GetContext<CallTracerAnnotationInterface>());
   if (call_tracer == nullptr) return nullptr;
   auto* tracer = call_tracer->StartNewAttempt(is_transparent_retry);

data/src/core/client_channel/client_channel_filter.h

@@ -373,7 +373,7 @@ class ClientChannelFilter::LoadBalancedCall
 
  protected:
   ClientChannelFilter* chand() const { return chand_; }
-  ClientCallTracer::CallAttemptTracer* call_attempt_tracer() const {
+  ClientCallTracerInterface::CallAttemptTracer* call_attempt_tracer() const {
     return call_attempt_tracer_;
   }
   ConnectedSubchannel* connected_subchannel() const {
@@ -434,7 +434,7 @@ class ClientChannelFilter::LoadBalancedCall
   // previous attempt yet leading to a situation where we have two active call
   // attempt tracers, and so we cannot rely on the arena to give us the right
   // tracer when performing cleanup.
-  ClientCallTracer::CallAttemptTracer* call_attempt_tracer_;
+  ClientCallTracerInterface::CallAttemptTracer* call_attempt_tracer_;
 
   absl::AnyInvocable<void()> on_commit_;
 

data/src/core/client_channel/client_channel_internal.h

@@ -54,7 +54,8 @@ class ClientChannelLbCallState : public LoadBalancingPolicy::CallState {
 
   virtual ServiceConfigCallData::CallAttributeInterface* GetCallAttribute(
       UniqueTypeName type) const = 0;
-  virtual ClientCallTracer::CallAttemptTracer* GetCallAttemptTracer() const = 0;
+  virtual ClientCallTracerInterface::CallAttemptTracer* GetCallAttemptTracer()
+      const = 0;
 };
 
 // Internal type for ServiceConfigCallData.  Handles call commits.

data/src/core/client_channel/load_balanced_call_destination.cc

@@ -29,7 +29,7 @@ namespace grpc_core {
 namespace {
 
 void MaybeCreateCallAttemptTracer(bool is_transparent_retry) {
-  auto* call_tracer = MaybeGetContext<ClientCallTracer>();
+  auto* call_tracer = MaybeGetContext<ClientCallTracerInterface>();
   if (call_tracer == nullptr) return;
   auto* tracer = call_tracer->StartNewAttempt(is_transparent_retry);
   SetContext<CallTracerInterface>(tracer);
@@ -47,8 +47,9 @@ class LbCallState : public ClientChannelLbCallState {
     return service_config_call_data->GetCallAttribute(type);
   }
 
-  ClientCallTracer::CallAttemptTracer* GetCallAttemptTracer() const override {
-    return GetContext<ClientCallTracer::CallAttemptTracer>();
+  ClientCallTracerInterface::CallAttemptTracer* GetCallAttemptTracer()
+      const override {
+    return GetContext<ClientCallTracerInterface::CallAttemptTracer>();
   }
 };
 
@@ -239,8 +240,8 @@ void LoadBalancedCallDestination::StartCall(
               }
               // If it was queued, add a trace annotation.
               if (was_queued) {
-                auto* tracer =
-                    MaybeGetContext<ClientCallTracer::CallAttemptTracer>();
+                auto* tracer = MaybeGetContext<
+                    ClientCallTracerInterface::CallAttemptTracer>();
                 if (tracer != nullptr) {
                   tracer->RecordAnnotation("Delayed LB pick complete.");
                 }

data/src/core/client_channel/subchannel.cc

@@ -117,7 +117,7 @@ class LegacyConnectedSubchannel : public ConnectedSubchannel {
     channel_stack_.reset(DEBUG_LOCATION, "ConnectedSubchannel");
   }
 
-  channelz::SubchannelNode* channelz_node() const {
+  channelz::SubchannelNode* channelz_node() const override {
     return channelz_node_.get();
   }
 
@@ -220,6 +220,8 @@ class NewConnectedSubchannel : public ConnectedSubchannel {
     Crash("legacy ping method called in call v3 impl");
   }
 
+  channelz::SubchannelNode* channelz_node() const override { return nullptr; }
+
  private:
   RefCountedPtr<UnstartedCallDestination> call_destination_;
   RefCountedPtr<TransportCallDestination> transport_;
@@ -410,17 +412,21 @@ class Subchannel::ConnectedSubchannelStateWatcher final
       // we will see TRANSIENT_FAILURE followed by SHUTDOWN, but if not, we
       // will see only SHUTDOWN.  Either way, we react to the first one we
       // see, ignoring anything that happens after that.
-      if (c->connected_subchannel_ == nullptr) return;
       if (new_state == GRPC_CHANNEL_TRANSIENT_FAILURE ||
           new_state == GRPC_CHANNEL_SHUTDOWN) {
+        RefCountedPtr<ConnectedSubchannel> connected_subchannel =
+            std::move(c->connected_subchannel_);
+        if (connected_subchannel == nullptr) return;
         GRPC_TRACE_LOG(subchannel, INFO)
             << "subchannel " << c << " " << c->key_.ToString()
-            << ": Connected subchannel " << c->connected_subchannel_.get()
+            << ": Connected subchannel " << connected_subchannel.get()
             << " reports " << ConnectivityStateName(new_state) << ": "
             << status;
-        c->connected_subchannel_.reset();
         if (c->channelz_node() != nullptr) {
-          c->channelz_node()->SetChildSocket(nullptr);
+          if (connected_subchannel->channelz_node() != nullptr) {
+            connected_subchannel->channelz_node()->RemoveParent(
+                c->channelz_node());
+          }
         }
         // If the subchannel was created from an endpoint, then we report
         // TRANSIENT_FAILURE here instead of IDLE. The subchannel will never
@@ -880,7 +886,9 @@ bool Subchannel::PublishTransportLocked() {
       << "subchannel " << this << " " << key_.ToString()
       << ": new connected subchannel at " << connected_subchannel_.get();
   if (channelz_node_ != nullptr) {
-    channelz_node_->SetChildSocket(std::move(socket_node));
+    if (socket_node != nullptr) {
+      socket_node->AddParent(channelz_node_.get());
+    }
   }
   // Start watching connected subchannel.
   connected_subchannel_->StartWatch(

data/src/core/client_channel/subchannel.h

@@ -85,6 +85,8 @@ class ConnectedSubchannel : public RefCounted<ConnectedSubchannel> {
   virtual size_t GetInitialCallSizeEstimate() const = 0;
   virtual void Ping(grpc_closure* on_initiate, grpc_closure* on_ack) = 0;
 
+  virtual channelz::SubchannelNode* channelz_node() const = 0;
+
  protected:
   explicit ConnectedSubchannel(const ChannelArgs& args);
 

data/src/core/config/core_configuration.cc

@@ -51,7 +51,9 @@ CoreConfiguration::CoreConfiguration(Builder* builder)
       certificate_provider_registry_(
           builder->certificate_provider_registry_.Build()),
       endpoint_transport_registry_(
-          builder->endpoint_transport_registry_.Build()) {}
+          builder->endpoint_transport_registry_.Build()),
+      auth_context_comparator_registry_(
+          builder->auth_context_comparator_registry_.Build()) {}
 
 void CoreConfiguration::RegisterBuilder(
     BuilderScope scope, absl::AnyInvocable<void(Builder*)> builder,

data/src/core/config/core_configuration.h

@@ -32,6 +32,7 @@
 #include "src/core/load_balancing/lb_policy_registry.h"
 #include "src/core/resolver/resolver_registry.h"
 #include "src/core/service_config/service_config_parser.h"
+#include "src/core/transport/auth_context_comparator_registry.h"
 #include "src/core/transport/endpoint_transport.h"
 #include "src/core/util/debug_location.h"
 
@@ -111,6 +112,10 @@ class GRPC_DLL CoreConfiguration {
       return &endpoint_transport_registry_;
     }
 
+    AuthContextComparatorRegistry::Builder* auth_context_comparator_registry() {
+      return &auth_context_comparator_registry_;
+    }
+
    private:
     friend class CoreConfiguration;
 
@@ -125,6 +130,7 @@ class GRPC_DLL CoreConfiguration {
     ProxyMapperRegistry::Builder proxy_mapper_registry_;
     CertificateProviderRegistry::Builder certificate_provider_registry_;
     EndpointTransportRegistry::Builder endpoint_transport_registry_;
+    AuthContextComparatorRegistry::Builder auth_context_comparator_registry_;
 
     Builder();
     CoreConfiguration* Build();
@@ -275,6 +281,11 @@ class GRPC_DLL CoreConfiguration {
     return endpoint_transport_registry_;
   }
 
+  const AuthContextComparatorRegistry& auth_context_comparator_registry()
+      const {
+    return auth_context_comparator_registry_;
+  }
+
   static void SetDefaultBuilder(void (*builder)(CoreConfiguration::Builder*)) {
     default_builder_ = builder;
   }
@@ -309,6 +320,7 @@ class GRPC_DLL CoreConfiguration {
   ProxyMapperRegistry proxy_mapper_registry_;
   CertificateProviderRegistry certificate_provider_registry_;
   EndpointTransportRegistry endpoint_transport_registry_;
+  AuthContextComparatorRegistry auth_context_comparator_registry_;
 };
 
 template <typename Sink>

data/src/core/credentials/transport/alts/alts_credentials.cc

@@ -25,6 +25,7 @@
 
 #include <utility>
 
+#include "absl/log/log.h"
 #include "src/core/credentials/transport/alts/alts_security_connector.h"
 #include "src/core/credentials/transport/alts/check_gcp_environment.h"
 #include "src/core/credentials/transport/alts/grpc_alts_credentials_options.h"
@@ -89,6 +90,8 @@ grpc_channel_credentials* grpc_alts_credentials_create_customized(
     const grpc_alts_credentials_options* options,
     const char* handshaker_service_url, bool enable_untrusted_alts) {
   if (!enable_untrusted_alts && !grpc_alts_is_running_on_gcp()) {
+    LOG(ERROR) << "ALTS creds ignored. Not running on GCP and untrusted ALTS "
+                  "is not enabled.";
     return nullptr;
   }
   return new grpc_alts_credentials(options, handshaker_service_url);
@@ -98,6 +101,8 @@ grpc_server_credentials* grpc_alts_server_credentials_create_customized(
     const grpc_alts_credentials_options* options,
     const char* handshaker_service_url, bool enable_untrusted_alts) {
   if (!enable_untrusted_alts && !grpc_alts_is_running_on_gcp()) {
+    LOG(ERROR) << "ALTS server creds ignored. Not running on GCP and untrusted "
+                  "ALTS is not enabled.";
     return nullptr;
   }
   return new grpc_alts_server_credentials(options, handshaker_service_url);

data/src/core/credentials/transport/alts/check_gcp_environment_windows.cc

@@ -27,6 +27,8 @@
 #include <tchar.h>
 #include <windows.h>
 
+#include <memory>
+
 #include "src/core/credentials/transport/alts/check_gcp_environment.h"
 #include "src/core/util/crash.h"
 

data/src/core/credentials/transport/channel_creds_registry_init.cc

@@ -87,10 +87,12 @@ class TlsChannelCredsFactory : public ChannelCredsFactory<> {
     auto options = MakeRefCounted<grpc_tls_credentials_options>();
     if (!config->certificate_file().empty() ||
         !config->ca_certificate_file().empty()) {
+      // TODO(gtcooke94): Expose the spiffe_bundle_map option in the XDS
+      // bootstrap config to use here.
       options->set_certificate_provider(
           MakeRefCounted<FileWatcherCertificateProvider>(
               config->private_key_file(), config->certificate_file(),
-              config->ca_certificate_file(),
+              config->ca_certificate_file(), /*spiffe_bundle_map_file=*/"",
               config->refresh_interval().millis() / GPR_MS_PER_SEC));
     }
     options->set_watch_root_cert(!config->ca_certificate_file().empty());

data/src/core/credentials/transport/ssl/ssl_credentials.cc

@@ -193,7 +193,7 @@ grpc_security_status grpc_ssl_credentials::InitializeClientHandshakerFactory(
                   "be nullptr";
     return GRPC_SECURITY_ERROR;
   }
-  options.pem_root_certs = pem_root_certs;
+  options.root_cert_info = std::make_shared<RootCertInfo>(pem_root_certs);
   options.root_store = root_store;
   options.alpn_protocols =
       grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);

data/src/core/credentials/transport/ssl/ssl_security_connector.cc

@@ -243,8 +243,10 @@ class grpc_ssl_server_security_connector
           server_credentials->config().pem_key_cert_pairs;
       options.num_key_cert_pairs =
           server_credentials->config().num_key_cert_pairs;
-      options.pem_client_root_certs =
-          server_credentials->config().pem_root_certs;
+      if (server_credentials->config().pem_root_certs != nullptr) {
+        options.root_cert_info = std::make_shared<RootCertInfo>(
+            server_credentials->config().pem_root_certs);
+      }
       options.client_certificate_request =
           grpc_get_tsi_client_certificate_request_type(
               server_credentials->config().client_certificate_request);
@@ -360,7 +362,10 @@ class grpc_ssl_server_security_connector
     options.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
         config->pem_key_cert_pairs, config->num_key_cert_pairs);
     options.num_key_cert_pairs = config->num_key_cert_pairs;
-    options.pem_client_root_certs = config->pem_root_certs;
+    if (config->pem_root_certs != nullptr) {
+      options.root_cert_info =
+          std::make_shared<RootCertInfo>(config->pem_root_certs);
+    }
     options.client_certificate_request =
         grpc_get_tsi_client_certificate_request_type(
             server_creds->config().client_certificate_request);

data/src/core/credentials/transport/tls/grpc_tls_certificate_distributor.cc

@@ -22,14 +22,20 @@
 
 #include "absl/log/check.h"
 #include "absl/status/status.h"
+#include "src/core/credentials/transport/tls/spiffe_utils.h"
+#include "src/core/tsi/ssl_transport_security.h"
+
+bool grpc_tls_certificate_distributor::CertificateInfo::AreRootsEmpty() {
+  return IsRootCertInfoEmpty(roots.get());
+}
 
 void grpc_tls_certificate_distributor::SetKeyMaterials(
-    const std::string& cert_name, std::optional<std::string> pem_root_certs,
+    const std::string& cert_name, std::shared_ptr<RootCertInfo> roots,
     std::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs) {
-  CHECK(pem_root_certs.has_value() || pem_key_cert_pairs.has_value());
+  CHECK(roots != nullptr || pem_key_cert_pairs.has_value());
   grpc_core::MutexLock lock(&mu_);
   auto& cert_info = certificate_info_map_[cert_name];
-  if (pem_root_certs.has_value()) {
+  if (roots != nullptr) {
     // Successful credential updates will clear any pre-existing error.
     cert_info.SetRootError(absl::OkStatus());
     for (auto* watcher_ptr : cert_info.root_cert_watchers) {
@@ -49,9 +55,9 @@ void grpc_tls_certificate_distributor::SetKeyMaterials(
         }
       }
       watcher_ptr->OnCertificatesChanged(
-          pem_root_certs, std::move(pem_key_cert_pairs_to_report));
+          roots, std::move(pem_key_cert_pairs_to_report));
     }
-    cert_info.pem_root_certs = std::move(*pem_root_certs);
+    cert_info.roots = roots;
   }
   if (pem_key_cert_pairs.has_value()) {
     // Successful credential updates will clear any pre-existing error.
@@ -61,20 +67,19 @@ void grpc_tls_certificate_distributor::SetKeyMaterials(
       const auto watcher_it = watchers_.find(watcher_ptr);
       CHECK(watcher_it != watchers_.end());
       CHECK(watcher_it->second.identity_cert_name.has_value());
-      std::optional<absl::string_view> pem_root_certs_to_report;
-      if (pem_root_certs.has_value() &&
-          watcher_it->second.root_cert_name == cert_name) {
+      std::shared_ptr<RootCertInfo> roots_to_report;
+      if (roots != nullptr && watcher_it->second.root_cert_name == cert_name) {
         // In this case, We've already sent the credential updates at the time
         // when checking pem_root_certs, so we will skip here.
         continue;
       } else if (watcher_it->second.root_cert_name.has_value()) {
         auto& root_cert_info =
             certificate_info_map_[*watcher_it->second.root_cert_name];
-        if (!root_cert_info.pem_root_certs.empty()) {
-          pem_root_certs_to_report = root_cert_info.pem_root_certs;
+        if (!root_cert_info.AreRootsEmpty()) {
+          roots_to_report = root_cert_info.roots;
         }
       }
-      watcher_ptr->OnCertificatesChanged(pem_root_certs_to_report,
+      watcher_ptr->OnCertificatesChanged(std::move(roots_to_report),
                                          pem_key_cert_pairs);
     }
     cert_info.pem_key_cert_pairs = std::move(*pem_key_cert_pairs);
@@ -85,8 +90,7 @@ bool grpc_tls_certificate_distributor::HasRootCerts(
     const std::string& root_cert_name) {
   grpc_core::MutexLock lock(&mu_);
   const auto it = certificate_info_map_.find(root_cert_name);
-  return it != certificate_info_map_.end() &&
-         !it->second.pem_root_certs.empty();
+  return it != certificate_info_map_.end() && !it->second.AreRootsEmpty();
 };
 
 bool grpc_tls_certificate_distributor::HasKeyCertPairs(
@@ -129,9 +133,9 @@ void grpc_tls_certificate_distributor::SetErrorForCert(
       CHECK_NE(watcher_ptr, nullptr);
       const auto watcher_it = watchers_.find(watcher_ptr);
       CHECK(watcher_it != watchers_.end());
-      // root_cert_error_to_report is the error of the root cert this watcher is
-      // watching, if there is any.
-      grpc_error_handle root_cert_error_to_report;
+      // root_error_to_report is the error of the roots this watcher
+      // is watching, if there is any.
+      grpc_error_handle root_error_to_report;
       if (root_cert_error.has_value() &&
           watcher_it->second.root_cert_name == cert_name) {
         // In this case, We've already sent the error updates at the time when
@@ -140,9 +144,9 @@ void grpc_tls_certificate_distributor::SetErrorForCert(
       } else if (watcher_it->second.root_cert_name.has_value()) {
         auto& root_cert_info =
             certificate_info_map_[*watcher_it->second.root_cert_name];
-        root_cert_error_to_report = root_cert_info.root_cert_error;
+        root_error_to_report = root_cert_info.root_cert_error;
       }
-      watcher_ptr->OnError(root_cert_error_to_report, *identity_cert_error);
+      watcher_ptr->OnError(root_error_to_report, *identity_cert_error);
     }
     cert_info.SetIdentityError(*identity_cert_error);
   }
@@ -186,7 +190,7 @@ void grpc_tls_certificate_distributor::WatchTlsCertificates(
     CHECK(watcher_it == watchers_.end());
     watchers_[watcher_ptr] = {std::move(watcher), root_cert_name,
                               identity_cert_name};
-    std::optional<absl::string_view> updated_root_certs;
+    std::shared_ptr<RootCertInfo> updated_roots;
     std::optional<grpc_core::PemKeyCertPairList> updated_identity_pairs;
     grpc_error_handle root_error;
     grpc_error_handle identity_error;
@@ -198,8 +202,8 @@ void grpc_tls_certificate_distributor::WatchTlsCertificates(
       cert_info.root_cert_watchers.insert(watcher_ptr);
       root_error = cert_info.root_cert_error;
       // Empty credentials will be treated as no updates.
-      if (!cert_info.pem_root_certs.empty()) {
-        updated_root_certs = cert_info.pem_root_certs;
+      if (!cert_info.AreRootsEmpty()) {
+        updated_roots = cert_info.roots;
       }
     }
     if (identity_cert_name.has_value()) {
@@ -219,11 +223,12 @@ void grpc_tls_certificate_distributor::WatchTlsCertificates(
     // occurred while trying to fetch the latest cert, but the updated_*_certs
     // should always be valid. So we will send the updates regardless of
     // *_cert_error.
-    if (updated_root_certs.has_value() || updated_identity_pairs.has_value()) {
-      watcher_ptr->OnCertificatesChanged(updated_root_certs,
+    if (updated_roots != nullptr || updated_identity_pairs.has_value()) {
+      watcher_ptr->OnCertificatesChanged(updated_roots,
                                          std::move(updated_identity_pairs));
     }
-    // Notify this watcher if the certs it is watching already had some errors.
+    // Notify this watcher if the certs it is watching already had some
+    // errors.
     if (!root_error.ok() || !identity_error.ok()) {
       watcher_ptr->OnError(root_error, identity_error);
     }

data/src/core/credentials/transport/tls/grpc_tls_certificate_distributor.h

@@ -29,8 +29,10 @@
 
 #include "absl/base/thread_annotations.h"
 #include "absl/strings/string_view.h"
+#include "src/core/credentials/transport/tls/spiffe_utils.h"
 #include "src/core/credentials/transport/tls/ssl_utils.h"
 #include "src/core/lib/iomgr/error.h"
+#include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/util/ref_counted.h"
 #include "src/core/util/sync.h"
 
@@ -53,11 +55,11 @@ struct grpc_tls_certificate_distributor
     // latest contents for both root and identity certificates, even when only
     // one side of it got updated.
     //
-    // @param root_certs the contents of the reloaded root certs.
+    // @param roots the contents of the reloaded roots.
     // @param key_cert_pairs the contents of the reloaded identity key-cert
     // pairs.
     virtual void OnCertificatesChanged(
-        std::optional<absl::string_view> root_certs,
+        std::shared_ptr<RootCertInfo> roots,
         std::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) = 0;
 
     // Handles an error that occurs while attempting to fetch certificate data.
@@ -81,10 +83,11 @@ struct grpc_tls_certificate_distributor
   // Sets the key materials based on their certificate name.
   //
   // @param cert_name The name of the certificates being updated.
-  // @param pem_root_certs The content of root certificates.
+  // @param roots The content of the roots, either the pem root certificates or
+  // the SpiffeBundleMap.
   // @param pem_key_cert_pairs The content of identity key-cert pairs.
   void SetKeyMaterials(
-      const std::string& cert_name, std::optional<std::string> pem_root_certs,
+      const std::string& cert_name, std::shared_ptr<RootCertInfo> roots,
       std::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs);
 
   bool HasRootCerts(const std::string& root_cert_name);
@@ -171,10 +174,12 @@ struct grpc_tls_certificate_distributor
   // root certs, while pem_root_certs still contains the valid old data.
   struct CertificateInfo {
     // The contents of the root certificates.
-    std::string pem_root_certs;
+    std::shared_ptr<RootCertInfo> roots;
     // The contents of the identity key-certificate pairs.
     grpc_core::PemKeyCertPairList pem_key_cert_pairs;
-    // The root cert reloading error propagated by the caller.
+    // TODO(gtcooke94) Swap to using absl::StatusOr<>
+    // https://github.com/grpc/grpc/pull/39708/files#r2144014200 The root cert
+    // reloading error propagated by the caller.
     grpc_error_handle root_cert_error;
     // The identity cert reloading error propagated by the caller.
     grpc_error_handle identity_cert_error;
@@ -188,10 +193,16 @@ struct grpc_tls_certificate_distributor
     std::set<TlsCertificatesWatcherInterface*> identity_cert_watchers;
 
     ~CertificateInfo() {}
+    // TODO(gtcooke94) These can be set directly, no need for setters
+    // https://github.com/grpc/grpc/pull/39708/files#r2144015746
     void SetRootError(grpc_error_handle error) { root_cert_error = error; }
     void SetIdentityError(grpc_error_handle error) {
       identity_cert_error = error;
     }
+
+    // Returns if the root variant contains either "", an empty SpiffeBundleMap,
+    // or a nullptr to a SpiffeBundleMap
+    bool AreRootsEmpty();
   };
 
   grpc_core::Mutex mu_;
@@ -202,8 +213,8 @@ struct grpc_tls_certificate_distributor
   // Stores information about each watcher.
   std::map<TlsCertificatesWatcherInterface*, WatcherInfo> watchers_
       ABSL_GUARDED_BY(mu_);
-  // The callback to notify the caller, e.g. the Producer, that the watch status
-  // is changed.
+  // The callback to notify the caller, e.g. the Producer, that the watch
+  // status is changed.
   std::function<void(std::string, bool, bool)> watch_status_callback_
       ABSL_GUARDED_BY(callback_mu_);
   // Stores the names of each certificate, and their corresponding credential