xds: CDS balancer security integration. (#3955)

credentials/tls/certprovider/store.go

@@ -80,9 +80,19 @@ func GetProvider(name string, config interface{}, opts Options) (Provider, error
 	if builder == nil {
 		return nil, fmt.Errorf("no registered builder for provider name: %s", name)
 	}
-	stableConfig, err := builder.ParseConfig(config)
-	if err != nil {
-		return nil, err
+
+	var (
+		stableConfig StableConfig
+		err          error
+	)
+	if c, ok := config.(StableConfig); ok {
+		// The config passed to the store has already been parsed.
+		stableConfig = c
+	} else {
+		stableConfig, err = builder.ParseConfig(config)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	sk := storeKey{

credentials/xds/xds.go

@@ -37,10 +37,15 @@ import (
 	"google.golang.org/grpc/attributes"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/tls/certprovider"
+	"google.golang.org/grpc/internal"
 	credinternal "google.golang.org/grpc/internal/credentials"
 	"google.golang.org/grpc/resolver"
 )
 
+func init() {
+	internal.GetXDSHandshakeInfoForTesting = getHandshakeInfo
+}
+
 // ClientOptions contains parameters to configure a new client-side xDS
 // credentials implementation.
 type ClientOptions struct {
@@ -124,6 +129,18 @@ func (hi *HandshakeInfo) SetAcceptedSANs(sans []string) {
 	hi.mu.Unlock()
 }
 
+// UseFallbackCreds returns true when fallback credentials are to be used based
+// on the contents of the HandshakeInfo.
+func (hi *HandshakeInfo) UseFallbackCreds() bool {
+	if hi == nil {
+		return true
+	}
+
+	hi.mu.Lock()
+	defer hi.mu.Unlock()
+	return hi.identityProvider == nil && hi.rootProvider == nil
+}
+
 func (hi *HandshakeInfo) validate(isClient bool) error {
 	hi.mu.Lock()
 	defer hi.mu.Unlock()
@@ -245,10 +262,9 @@ func (c *credsImpl) ClientHandshake(ctx context.Context, authority string, rawCo
 		return c.fallback.ClientHandshake(ctx, authority, rawConn)
 	}
 	hi := getHandshakeInfo(chi.Attributes)
-	if hi == nil {
+	if hi.UseFallbackCreds() {
 		return c.fallback.ClientHandshake(ctx, authority, rawConn)
 	}
-
 	if err := hi.validate(c.isClient); err != nil {
 		return nil, nil, err
 	}
@@ -355,3 +371,9 @@ func (c *credsImpl) Clone() credentials.TransportCredentials {
 func (c *credsImpl) OverrideServerName(_ string) error {
 	return errors.New("serverName for peer validation must be configured as a list of acceptable SANs")
 }
+
+// UsesXDS returns true if c uses xDS to fetch security configuration
+// used at handshake time, and false otherwise.
+func (c *credsImpl) UsesXDS() bool {
+	return true
+}

credentials/xds/xds_test.go

@@ -303,12 +303,7 @@ func (s) TestClientCredsInvalidHandshakeInfo(t *testing.T) {
 
 	pCtx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
 	defer cancel()
-	ctx := newTestContextWithHandshakeInfo(pCtx, nil, nil)
-	if _, _, err := creds.ClientHandshake(ctx, authority, nil); err == nil {
-		t.Fatal("ClientHandshake succeeded without certificate providers in HandshakeInfo")
-	}
-
-	ctx = newTestContextWithHandshakeInfo(pCtx, nil, &fakeProvider{})
+	ctx := newTestContextWithHandshakeInfo(pCtx, nil, &fakeProvider{})
 	if _, _, err := creds.ClientHandshake(ctx, authority, nil); err == nil {
 		t.Fatal("ClientHandshake succeeded without root certificate provider in HandshakeInfo")
 	}

internal/internal.go

@@ -57,6 +57,10 @@ var (
 	// bootstrap code while parsing certificate provider configs in the
 	// bootstrap file.
 	GetCertificateProviderBuilder interface{} // func(string) certprovider.Builder
+	// GetXDSHandshakeInfoForTesting returns a pointer to the xds.HandshakeInfo
+	// stored in the passed in attributes. This is set by
+	// credentials/xds/xds.go.
+	GetXDSHandshakeInfoForTesting interface{} // func (attr *attributes.Attributes) *xds.HandshakeInfo
 )
 
 // HealthChecker defines the signature of the client-side LB channel health checking function.