grpc 1.78.0 → 1.80.0.pre1

data/src/core/tsi/ssl_transport_security.h

@@ -21,10 +21,12 @@
 
 #include <grpc/grpc_crl_provider.h>
 #include <grpc/grpc_security_constants.h>
+#include <grpc/private_key_signer.h>
 #include <grpc/support/port_platform.h>
 #include <openssl/x509.h>
 
 #include <memory>
+#include <string>
 
 #include "src/core/credentials/transport/tls/spiffe_utils.h"
 #include "src/core/tsi/ssl/key_logging/ssl_key_logging.h"
@@ -51,8 +53,13 @@
 #define TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY \
   "x509_verified_root_cert_subject"
 
+namespace tsi {
 using RootCertInfo = std::variant<std::string, grpc_core::SpiffeBundleMap>;
 
+using PrivateKey =
+    std::variant<std::string, std::shared_ptr<grpc_core::PrivateKeySigner>>;
+}  // namespace tsi
+
 // --- tsi_ssl_root_certs_store object ---
 
 // This object stores SSL root certificates. It can be shared by multiple SSL
@@ -105,13 +112,17 @@ typedef struct tsi_ssl_client_handshaker_factory
 
 // Object that holds a private key / certificate chain pair in PEM format.
 struct tsi_ssl_pem_key_cert_pair {
-  // private_key is the NULL-terminated string containing the PEM encoding of
-  // the client's private key.
-  const char* private_key;
+  // private_key is either the string containing the PEM encoding of
+  // the client's private key or an implementation of PrivateKeySigner.
+  tsi::PrivateKey private_key;
 
-  // cert_chain is the NULL-terminated string containing the PEM encoding of
+  // cert_chain is the string containing the PEM encoding of
   // the client's certificate chain.
-  const char* cert_chain;
+  std::string cert_chain;
+
+  tsi_ssl_pem_key_cert_pair() = default;
+  tsi_ssl_pem_key_cert_pair(tsi::PrivateKey pk, std::string cert_chain_pem)
+      : private_key(std::move(pk)), cert_chain(std::move(cert_chain_pem)) {}
 };
 // TO BE DEPRECATED.
 // Creates a client handshaker factory.
@@ -192,7 +203,7 @@ struct tsi_ssl_client_handshaker_options {
 
   // root_cert_info is either the string containing the PEM encoding of the
   // client root certificates or a SPIFFE bundle map.
-  std::shared_ptr<RootCertInfo> root_cert_info;
+  std::shared_ptr<tsi::RootCertInfo> root_cert_info;
 
   // TODO(gtcooke94) this ctor is not needed
   // https://github.com/grpc/grpc/pull/39708/files#r2143735662
@@ -262,7 +273,6 @@ typedef struct tsi_ssl_server_handshaker_factory
 // Creates a server handshaker factory.
 // - pem_key_cert_pairs is an array private key / certificate chains of the
 //   server.
-// - num_key_cert_pairs is the number of items in the pem_key_cert_pairs array.
 // - pem_root_certs is the NULL-terminated string containing the PEM encoding
 //   of the client root certificates. This parameter may be NULL if the server
 //   does not want the client to be authenticated with SSL.
@@ -281,11 +291,10 @@ typedef struct tsi_ssl_server_handshaker_factory
 // - This method returns TSI_OK on success or TSI_INVALID_PARAMETER in the case
 //   where a parameter is invalid.
 tsi_result tsi_create_ssl_server_handshaker_factory(
-    const tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs,
-    size_t num_key_cert_pairs, const char* pem_client_root_certs,
-    int force_client_auth, const char* cipher_suites,
-    const char** alpn_protocols, uint16_t num_alpn_protocols,
-    tsi_ssl_server_handshaker_factory** factory);
+    std::vector<tsi_ssl_pem_key_cert_pair> pem_key_cert_pairs,
+    const char* pem_client_root_certs, int force_client_auth,
+    const char* cipher_suites, const char** alpn_protocols,
+    uint16_t num_alpn_protocols, tsi_ssl_server_handshaker_factory** factory);
 
 // TO BE DEPRECATED.
 // Same as tsi_create_ssl_server_handshaker_factory method except uses
@@ -295,8 +304,8 @@ tsi_result tsi_create_ssl_server_handshaker_factory(
 //   authenticate with an SSL cert. Note that this option is ignored if
 //   pem_client_root_certs is NULL or pem_client_roots_certs_size is 0
 tsi_result tsi_create_ssl_server_handshaker_factory_ex(
-    const tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs,
-    size_t num_key_cert_pairs, const char* pem_client_root_certs,
+    std::vector<tsi_ssl_pem_key_cert_pair> pem_key_cert_pairs,
+    const char* pem_client_root_certs,
     tsi_client_certificate_request_type client_certificate_request,
     const char* cipher_suites, const char** alpn_protocols,
     uint16_t num_alpn_protocols, tsi_ssl_server_handshaker_factory** factory);
@@ -304,10 +313,7 @@ tsi_result tsi_create_ssl_server_handshaker_factory_ex(
 struct tsi_ssl_server_handshaker_options {
   // pem_key_cert_pairs is an array private key / certificate chains of the
   // server.
-  const tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs;
-  // num_key_cert_pairs is the number of items in the pem_key_cert_pairs
-  // array.
-  size_t num_key_cert_pairs;
+  std::vector<tsi_ssl_pem_key_cert_pair> pem_key_cert_pairs;
   // client_certificate_request, if set to non-zero will force the client to
   // authenticate with an SSL cert. Note that this option is ignored if
   // root_cert_info is NULL
@@ -364,14 +370,12 @@ struct tsi_ssl_server_handshaker_options {
   // root_cert_info is either the string containing the PEM encoding of the
   // server root certificates or a SPIFFE bundle map. This parameter may be NULL
   // if the server does not want the client to be authenticated with SSL.
-  std::shared_ptr<RootCertInfo> root_cert_info;
+  std::shared_ptr<tsi::RootCertInfo> root_cert_info;
 
   // TODO(gtcooke94) this ctor is not needed
   // https://github.com/grpc/grpc/pull/39708/files#r2143735662
   tsi_ssl_server_handshaker_options()
-      : pem_key_cert_pairs(nullptr),
-        num_key_cert_pairs(0),
-        client_certificate_request(TSI_DONT_REQUEST_CLIENT_CERTIFICATE),
+      : client_certificate_request(TSI_DONT_REQUEST_CLIENT_CERTIFICATE),
         cipher_suites(nullptr),
         alpn_protocols(nullptr),
         num_alpn_protocols(0),
@@ -448,6 +452,8 @@ tsi_result tsi_ssl_extract_x509_subject_names_from_pem_cert(
 tsi_result tsi_ssl_get_cert_chain_contents(STACK_OF(X509) * peer_chain,
                                            tsi_peer_property* property);
 
+namespace tsi {
 bool IsRootCertInfoEmpty(const RootCertInfo* root_cert_info);
+}  // namespace tsi
 
 #endif  // GRPC_SRC_CORE_TSI_SSL_TRANSPORT_SECURITY_H

data/src/core/tsi/ssl_transport_security_utils.cc

@@ -36,7 +36,7 @@
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
 
-namespace grpc_core {
+namespace tsi {
 
 const char* SslErrorString(int error) {
   switch (error) {
@@ -449,4 +449,4 @@ absl::StatusOr<std::string> ParseUriString(GENERAL_NAME* subject_alt_name) {
   OPENSSL_free(name);
   return ret;
 }
-}  // namespace grpc_core
+}  // namespace tsi

data/src/core/tsi/ssl_transport_security_utils.h

@@ -31,7 +31,7 @@
 #include "absl/status/statusor.h"
 #include "absl/strings/string_view.h"
 
-namespace grpc_core {
+namespace tsi {
 
 // Converts an SSL error status code to a readable string.
 //
@@ -181,6 +181,6 @@ absl::StatusOr<EVP_PKEY*> ParsePemPrivateKey(absl::string_view private_key_pem);
 
 // Safely parses a URI from OpenSSL's GENERAL_NAME to a string representation.
 absl::StatusOr<std::string> ParseUriString(GENERAL_NAME* subject_alt_name);
-}  // namespace grpc_core
+}  // namespace tsi
 
 #endif  // GRPC_SRC_CORE_TSI_SSL_TRANSPORT_SECURITY_UTILS_H

data/src/core/util/bitset.h

@@ -182,6 +182,12 @@ class BitSet {
     return *this;
   }
 
+  void Merge(const BitSet& other) {
+    for (size_t i = 0; i < kUnits; i++) {
+      units_[i] |= other.units_[i];
+    }
+  }
+
  private:
   // Given a bit index, return which unit it's stored in.
   static constexpr size_t unit_for(size_t bit) { return bit / kUnitBits; }

data/src/core/util/function_signature.h

@@ -31,7 +31,9 @@
 #elif defined(__GNUC__)
 #define GRPC_FUNCTION_SIGNATURE __PRETTY_FUNCTION__
 #else
-#define GRPC_FUNCTION_SIGNATURE "???()"
+#define GRPC_FUNCTION_SIGNATURE \
+  "??"                          \
+  "?()"
 #endif
 
 namespace grpc_core {

data/src/core/util/http_client/httpcli_security_connector.cc

@@ -78,7 +78,8 @@ class grpc_httpcli_ssl_channel_security_connector final
                                    const tsi_ssl_root_certs_store* root_store) {
     tsi_ssl_client_handshaker_options options;
     if (pem_root_certs != nullptr) {
-      options.root_cert_info = std::make_shared<RootCertInfo>(pem_root_certs);
+      options.root_cert_info =
+          std::make_shared<tsi::RootCertInfo>(pem_root_certs);
     }
     options.root_store = root_store;
     return tsi_create_ssl_client_handshaker_factory_with_options(

data/src/core/util/json/json_reader.cc

@@ -242,10 +242,6 @@ uint32_t JsonReader::ReadChar() {
   if (remaining_input_ == 0) return GRPC_JSON_READ_CHAR_EOF;
   const uint32_t r = *input_++;
   --remaining_input_;
-  if (r == 0) {
-    remaining_input_ = 0;
-    return GRPC_JSON_READ_CHAR_EOF;
-  }
   return r;
 }
 

data/src/core/xds/grpc/certificate_provider_store.cc

@@ -131,7 +131,8 @@ CertificateProviderStore::CreateCertificateProviderLocked(
     return nullptr;
   }
   return MakeRefCounted<CertificateProviderWrapper>(
-      factory->CreateCertificateProvider(definition.config), Ref(), name);
+      factory->CreateCertificateProvider(definition.config),
+      RefAsSubclass<CertificateProviderStore>(), name);
 }
 
 void CertificateProviderStore::ReleaseCertificateProvider(

data/src/core/xds/grpc/certificate_provider_store.h

@@ -20,7 +20,6 @@
 #define GRPC_SRC_CORE_XDS_GRPC_CERTIFICATE_PROVIDER_STORE_H
 
 #include <grpc/grpc_security.h>
-#include <grpc/support/port_platform.h>
 
 #include <map>
 #include <string>
@@ -38,6 +37,7 @@
 #include "src/core/util/unique_type_name.h"
 #include "src/core/util/useful.h"
 #include "src/core/util/validation_errors.h"
+#include "src/core/xds/grpc/certificate_provider_store_interface.h"
 #include "absl/base/thread_annotations.h"
 #include "absl/strings/string_view.h"
 
@@ -45,20 +45,8 @@ namespace grpc_core {
 
 // Map for xDS based grpc_tls_certificate_provider instances.
 class CertificateProviderStore final
-    : public InternallyRefCounted<CertificateProviderStore> {
+    : public CertificateProviderStoreInterface {
  public:
-  struct PluginDefinition {
-    std::string plugin_name;
-    RefCountedPtr<CertificateProviderFactory::Config> config;
-
-    static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
-    void JsonPostLoad(const Json& json, const JsonArgs& args,
-                      ValidationErrors* errors);
-  };
-
-  // Maps plugin instance (opaque) name to plugin definition.
-  typedef std::map<std::string, PluginDefinition> PluginDefinitionMap;
-
   explicit CertificateProviderStore(PluginDefinitionMap plugin_config_map)
       : plugin_config_map_(std::move(plugin_config_map)) {}
 
@@ -68,9 +56,7 @@ class CertificateProviderStore final
   // definition map.
   // Returns nullptr on failure to get or create a new certificate provider.
   RefCountedPtr<grpc_tls_certificate_provider> CreateOrGetCertificateProvider(
-      absl::string_view key);
-
-  void Orphan() override { Unref(); }
+      absl::string_view key) override;
 
  private:
   // A thin wrapper around `grpc_tls_certificate_provider` which allows removing

data/src/core/xds/grpc/certificate_provider_store_interface.h

@@ -0,0 +1,61 @@
+//
+// Copyright 2025 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPC_SRC_CORE_XDS_GRPC_CERTIFICATE_PROVIDER_STORE_INTERFACE_H
+#define GRPC_SRC_CORE_XDS_GRPC_CERTIFICATE_PROVIDER_STORE_INTERFACE_H
+
+#include <map>
+#include <string>
+
+#include "src/core/credentials/transport/tls/certificate_provider_factory.h"
+#include "src/core/util/json/json.h"
+#include "src/core/util/json/json_args.h"
+#include "src/core/util/json/json_object_loader.h"
+#include "src/core/util/ref_counted.h"
+#include "src/core/util/ref_counted_ptr.h"
+#include "src/core/util/validation_errors.h"
+#include "absl/strings/string_view.h"
+
+namespace grpc_core {
+
+// Map for xDS based grpc_tls_certificate_provider instances.
+class CertificateProviderStoreInterface
+    : public RefCounted<CertificateProviderStoreInterface> {
+ public:
+  struct PluginDefinition {
+    std::string plugin_name;
+    RefCountedPtr<CertificateProviderFactory::Config> config;
+
+    static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
+    void JsonPostLoad(const Json& json, const JsonArgs& args,
+                      ValidationErrors* errors);
+  };
+
+  // Maps plugin instance (opaque) name to plugin definition.
+  using PluginDefinitionMap = std::map<std::string, PluginDefinition>;
+
+  // If a certificate provider corresponding to the instance name \a key is
+  // found, a ref to the grpc_tls_certificate_provider is returned. If no
+  // provider is found for the key, a new provider is created from the plugin
+  // definition map.
+  // Returns nullptr on failure to get or create a new certificate provider.
+  virtual RefCountedPtr<grpc_tls_certificate_provider>
+  CreateOrGetCertificateProvider(absl::string_view key) = 0;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_XDS_GRPC_CERTIFICATE_PROVIDER_STORE_INTERFACE_H

data/src/core/xds/grpc/xds_bootstrap_grpc.cc

@@ -25,6 +25,7 @@
 #include <vector>
 
 #include "src/core/util/down_cast.h"
+#include "src/core/util/env.h"
 #include "src/core/util/json/json.h"
 #include "src/core/util/json/json_object_loader.h"
 #include "src/core/util/json/json_reader.h"
@@ -41,6 +42,15 @@
 
 namespace grpc_core {
 
+// TODO(roth): Remove this once the feature passes interop tests.
+bool XdsExtProcOnClientEnabled() {
+  auto value = GetEnv("GRPC_EXPERIMENTAL_XDS_EXT_PROC_ON_CLIENT");
+  if (!value.has_value()) return false;
+  bool parsed_value;
+  bool parse_succeeded = gpr_parse_bool_value(value->c_str(), &parsed_value);
+  return parse_succeeded && parsed_value;
+}
+
 //
 // GrpcXdsBootstrap::GrpcNode::Locality
 //
@@ -90,6 +100,24 @@ const JsonLoaderInterface* GrpcXdsBootstrap::GrpcAuthority::JsonLoader(
   return loader;
 }
 
+//
+// GrpcXdsBootstrap::AllowedGrpcService
+//
+
+const JsonLoaderInterface* GrpcXdsBootstrap::AllowedGrpcService::JsonLoader(
+    const JsonArgs&) {
+  static const auto* loader = JsonObjectLoader<AllowedGrpcService>().Finish();
+  return loader;
+};
+
+void GrpcXdsBootstrap::AllowedGrpcService::JsonPostLoad(
+    const Json& json, const JsonArgs& args, ValidationErrors* errors) {
+  // Parse "channel_creds".
+  channel_creds_config = ParseXdsBootstrapChannelCreds(json, args, errors);
+  // Parse "call_creds".
+  call_creds_configs = ParseXdsBootstrapCallCreds(json, args, errors);
+}
+
 //
 // GrpcXdsBootstrap
 //
@@ -106,6 +134,7 @@ absl::StatusOr<std::unique_ptr<GrpcXdsBootstrap>> GrpcXdsBootstrap::Create(
    public:
     bool IsEnabled(absl::string_view key) const override {
       if (key == "federation") return XdsFederationEnabled();
+      if (key == "grpc_service") return XdsExtProcOnClientEnabled();
       return true;
     }
   };
@@ -130,6 +159,9 @@ const JsonLoaderInterface* GrpcXdsBootstrap::JsonLoader(const JsonArgs&) {
                          &GrpcXdsBootstrap::
                              client_default_listener_resource_name_template_,
                          "federation")
+          .OptionalField("allowed_grpc_services",
+                         &GrpcXdsBootstrap::allowed_grpc_services_,
+                         "grpc_service")
           .Finish();
   return loader;
 }
@@ -225,6 +257,22 @@ std::string GrpcXdsBootstrap::ToString() const {
                         plugin_definition.config->ToString()));
   }
   parts.push_back("}");
+  parts.push_back("allowed_grpc_services={\n");
+  for (const auto& [target_uri, creds] : allowed_grpc_services_) {
+    parts.push_back(absl::StrCat("  ", target_uri, "={\n"));
+    if (creds.channel_creds_config != nullptr) {
+      parts.push_back(absl::StrCat(
+          "    channel_creds={type=", creds.channel_creds_config->type(),
+          ", config=", creds.channel_creds_config->ToString(), "},\n"));
+    }
+    for (const auto& call_creds_config : creds.call_creds_configs) {
+      parts.push_back(
+          absl::StrCat("    call_creds={type=", call_creds_config->type(),
+                       ", config=", call_creds_config->ToString(), "},\n"));
+    }
+    parts.push_back("  },\n");
+  }
+  parts.push_back("}");
   return absl::StrJoin(parts, "");
 }
 

data/src/core/xds/grpc/xds_bootstrap_grpc.h

@@ -42,6 +42,8 @@
 
 namespace grpc_core {
 
+bool XdsExtProcOnClientEnabled();
+
 class GrpcXdsBootstrap final : public XdsBootstrap {
  public:
   class GrpcNode final : public Node {
@@ -101,6 +103,15 @@ class GrpcXdsBootstrap final : public XdsBootstrap {
     bool fallback_on_reachability_only_;
   };
 
+  struct AllowedGrpcService {
+    RefCountedPtr<const ChannelCredsConfig> channel_creds_config;
+    std::vector<RefCountedPtr<const CallCredsConfig>> call_creds_configs;
+
+    static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
+    void JsonPostLoad(const Json& json, const JsonArgs& args,
+                      ValidationErrors* errors);
+  };
+
   // Creates bootstrap object from json_string.
   static absl::StatusOr<std::unique_ptr<GrpcXdsBootstrap>> Create(
       absl::string_view json_string);
@@ -135,6 +146,11 @@ class GrpcXdsBootstrap final : public XdsBootstrap {
       const {
     return certificate_providers_;
   }
+  const std::map<std::string, AllowedGrpcService>& allowed_grpc_services()
+      const {
+    return allowed_grpc_services_;
+  }
+
   const XdsHttpFilterRegistry& http_filter_registry() const {
     return http_filter_registry_;
   }
@@ -165,6 +181,8 @@ class GrpcXdsBootstrap final : public XdsBootstrap {
   std::string server_listener_resource_name_template_;
   std::map<std::string, GrpcAuthority> authorities_;
   CertificateProviderStore::PluginDefinitionMap certificate_providers_;
+  std::map<std::string, AllowedGrpcService> allowed_grpc_services_;
+
   XdsHttpFilterRegistry http_filter_registry_;
   XdsClusterSpecifierPluginRegistry cluster_specifier_plugin_registry_;
   XdsLbPolicyRegistry lb_policy_registry_;

data/src/core/xds/grpc/xds_certificate_provider.cc

@@ -29,6 +29,8 @@
 #include "src/core/util/grpc_check.h"
 #include "absl/functional/bind_front.h"
 
+using tsi::RootCertInfo;
+
 namespace grpc_core {
 
 namespace {
@@ -108,7 +110,8 @@ XdsCertificateProvider::XdsCertificateProvider(
     absl::string_view root_cert_name, bool use_system_root_certs,
     RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider,
     absl::string_view identity_cert_name,
-    std::vector<StringMatcher> san_matchers)
+    std::vector<StringMatcher> san_matchers, std::string sni,
+    bool auto_host_sni, bool auto_sni_san_validation)
     : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()),
       root_cert_provider_(std::move(root_cert_provider)),
       root_cert_name_(root_cert_name),
@@ -116,7 +119,9 @@ XdsCertificateProvider::XdsCertificateProvider(
       identity_cert_provider_(std::move(identity_cert_provider)),
       identity_cert_name_(identity_cert_name),
       san_matchers_(std::move(san_matchers)),
-      require_client_certificate_(false) {
+      sni_(std::move(sni)),
+      auto_host_sni_(auto_host_sni),
+      auto_sni_san_validation_(auto_sni_san_validation) {
   distributor_->SetWatchStatusCallback(
       absl::bind_front(&XdsCertificateProvider::WatchStatusCallback, this));
 }

data/src/core/xds/grpc/xds_certificate_provider.h

@@ -39,7 +39,11 @@
 #include "absl/strings/string_view.h"
 
 namespace grpc_core {
-
+// TODO(roth): Now that we've changed the TLS creds API to configure different
+// providers for root and identity certs, we no longer need to multiplex
+// multiple providers in an XdsCertificateProvider. Consider removing this code
+// and instead just passing down the relevant TLS creds configuration via a
+// channel arg.
 class XdsCertificateProvider final : public grpc_tls_certificate_provider {
  public:
   // ctor for client side
@@ -48,7 +52,8 @@ class XdsCertificateProvider final : public grpc_tls_certificate_provider {
       absl::string_view root_cert_name, bool use_system_root_certs,
       RefCountedPtr<grpc_tls_certificate_provider> identity_cert_provider,
       absl::string_view identity_cert_name,
-      std::vector<StringMatcher> san_matchers);
+      std::vector<StringMatcher> san_matchers, std::string sni,
+      bool auto_host_sni, bool auto_sni_san_validation);
 
   // ctor for server side
   XdsCertificateProvider(
@@ -76,6 +81,9 @@ class XdsCertificateProvider final : public grpc_tls_certificate_provider {
   const std::vector<StringMatcher>& san_matchers() const {
     return san_matchers_;
   }
+  const std::string& sni() const { return sni_; }
+  bool auto_host_sni() const { return auto_host_sni_; }
+  bool auto_sni_san_validation() const { return auto_sni_san_validation_; }
 
   static absl::string_view ChannelArgName() {
     return "grpc.internal.xds_certificate_provider";
@@ -104,6 +112,9 @@ class XdsCertificateProvider final : public grpc_tls_certificate_provider {
   std::string identity_cert_name_;
   std::vector<StringMatcher> san_matchers_;
   bool require_client_certificate_ = false;
+  std::string sni_;
+  bool auto_host_sni_;
+  bool auto_sni_san_validation_ = false;
 
   grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
       root_cert_watcher_ = nullptr;

data/src/core/xds/grpc/xds_client_grpc.cc

@@ -204,7 +204,7 @@ absl::StatusOr<std::string> FindBootstrapContents()
         << "Got bootstrap file location from GRPC_XDS_BOOTSTRAP "
            "environment variable: "
         << *path;
-    auto contents = LoadFile(*path, /*add_null_terminator=*/true);
+    auto contents = LoadFile(*path, /*add_null_terminator=*/false);
     if (!contents.ok()) return contents.status();
     return std::string(contents->as_string_view());
   }
@@ -278,9 +278,13 @@ absl::StatusOr<RefCountedPtr<GrpcXdsClient>> GrpcXdsClient::GetOrCreate(
     grpc_channel_args* xds_channel_args = args.GetPointer<grpc_channel_args>(
         GRPC_ARG_TEST_ONLY_DO_NOT_USE_IN_PROD_XDS_CLIENT_CHANNEL_ARGS);
     auto channel_args = ChannelArgs::FromC(xds_channel_args);
+    auto certificate_provider_store = MakeRefCounted<CertificateProviderStore>(
+        (*bootstrap)->certificate_providers());
     return MakeRefCounted<GrpcXdsClient>(
         key, std::move(*bootstrap), channel_args,
-        MakeRefCounted<GrpcXdsTransportFactory>(channel_args),
+        MakeRefCounted<GrpcXdsTransportFactory>(channel_args,
+                                                certificate_provider_store),
+        certificate_provider_store,
         GetStatsPluginGroupForKeyAndChannelArgs(key, args));
   }
   // Otherwise, check the global map to see if the XdsClient instance
@@ -301,9 +305,13 @@ absl::StatusOr<RefCountedPtr<GrpcXdsClient>> GrpcXdsClient::GetOrCreate(
     bootstrap = std::move(*global_bootstrap);
   }
   auto channel_args = ChannelArgs::FromC(g_channel_args);
+  auto certificate_provider_store = MakeRefCounted<CertificateProviderStore>(
+      bootstrap->certificate_providers());
   auto xds_client = MakeRefCounted<GrpcXdsClient>(
       key, std::move(bootstrap), channel_args,
-      MakeRefCounted<GrpcXdsTransportFactory>(channel_args),
+      MakeRefCounted<GrpcXdsTransportFactory>(channel_args,
+                                              certificate_provider_store),
+      certificate_provider_store,
       GetStatsPluginGroupForKeyAndChannelArgs(key, args));
   g_xds_client_map->emplace(xds_client->key(), xds_client.get());
   GRPC_TRACE_LOG(xds_client, INFO) << "[xds_client " << xds_client.get()
@@ -330,6 +338,7 @@ GrpcXdsClient::GrpcXdsClient(
     absl::string_view key, std::shared_ptr<GrpcXdsBootstrap> bootstrap,
     const ChannelArgs& args,
     RefCountedPtr<XdsTransportFactory> transport_factory,
+    RefCountedPtr<CertificateProviderStore> certificate_provider_store,
     std::shared_ptr<GlobalStatsPluginRegistry::StatsPluginGroup>
         stats_plugin_group)
     : XdsClient(
@@ -342,9 +351,7 @@ GrpcXdsClient::GrpcXdsClient(
                            GRPC_ARG_XDS_RESOURCE_DOES_NOT_EXIST_TIMEOUT_MS)
                        .value_or(Duration::Seconds(15)))),
       key_(key),
-      certificate_provider_store_(MakeOrphanable<CertificateProviderStore>(
-          DownCast<const GrpcXdsBootstrap&>(this->bootstrap())
-              .certificate_providers())),
+      certificate_provider_store_(std::move(certificate_provider_store)),
       stats_plugin_group_(std::move(stats_plugin_group)),
       registered_metric_callback_(stats_plugin_group_->RegisterCallback(
           [this](CallbackMetricReporter& reporter) {

data/src/core/xds/grpc/xds_client_grpc.h

@@ -63,12 +63,15 @@ class GrpcXdsClient final : public XdsClient {
   // work for callers that use interested_parties() but not for callers
   // that also use certificate_provider_store(), but we should consider
   // alternatives for that case as well.
-  GrpcXdsClient(absl::string_view key,
-                std::shared_ptr<GrpcXdsBootstrap> bootstrap,
-                const ChannelArgs& args,
-                RefCountedPtr<XdsTransportFactory> transport_factory,
-                std::shared_ptr<GlobalStatsPluginRegistry::StatsPluginGroup>
-                    stats_plugin_group);
+  // Once we no longer need to inject the transport factory, we probably
+  // also won't need to inject the certificate provider store.
+  GrpcXdsClient(
+      absl::string_view key, std::shared_ptr<GrpcXdsBootstrap> bootstrap,
+      const ChannelArgs& args,
+      RefCountedPtr<XdsTransportFactory> transport_factory,
+      RefCountedPtr<CertificateProviderStore> certificate_provider_store,
+      std::shared_ptr<GlobalStatsPluginRegistry::StatsPluginGroup>
+          stats_plugin_group);
 
   // Helpers for encoding the XdsClient object in channel args.
   static absl::string_view ChannelArgName() {
@@ -100,7 +103,7 @@ class GrpcXdsClient final : public XdsClient {
   void Orphaned() override;
 
   std::string key_;
-  OrphanablePtr<CertificateProviderStore> certificate_provider_store_;
+  RefCountedPtr<CertificateProviderStore> certificate_provider_store_;
   std::shared_ptr<GlobalStatsPluginRegistry::StatsPluginGroup>
       stats_plugin_group_;
   std::unique_ptr<RegisteredMetricCallback> registered_metric_callback_;

data/src/core/xds/grpc/xds_cluster.cc

@@ -25,6 +25,22 @@
 
 namespace grpc_core {
 
+std::string XdsClusterResource::UpstreamTlsContext::ToString() const {
+  std::vector<std::string> contents;
+  if (!common_tls_context.Empty()) {
+    contents.push_back(
+        absl::StrCat("common_tls_context=", common_tls_context.ToString()));
+  }
+  contents.push_back(absl::StrCat("sni=", sni));
+  if (auto_host_sni) {
+    contents.push_back("auto_host_sni=true");
+  }
+  if (auto_sni_san_validation) {
+    contents.push_back("auto_sni_san_validation=true");
+  }
+  return absl::StrCat("{", absl::StrJoin(contents, ", "), "}");
+}
+
 std::string XdsClusterResource::ToString() const {
   std::vector<std::string> contents;
   Match(
@@ -58,10 +74,8 @@ std::string XdsClusterResource::ToString() const {
                      lrs_backend_metric_propagation->AsString()));
   }
   if (use_http_connect) contents.push_back("use_http_connect=true");
-  if (!common_tls_context.Empty()) {
-    contents.push_back(
-        absl::StrCat("common_tls_context=", common_tls_context.ToString()));
-  }
+  contents.push_back(
+      absl::StrCat("upstream_tls_context=", upstream_tls_context.ToString()));
   if (connection_idle_timeout != Duration::Zero()) {
     contents.push_back(absl::StrCat("connection_idle_timeout=",
                                     connection_idle_timeout.ToString()));