xds: Implement server-side security

internal/internal.go

@@ -61,6 +61,10 @@ var (
 	// stored in the passed in attributes. This is set by
 	// credentials/xds/xds.go.
 	GetXDSHandshakeInfoForTesting interface{} // func (attr *attributes.Attributes) *xds.HandshakeInfo
+	// GetServerCredentials returns the transport credentials configured on a
+	// gRPC server. An xDS-enabled server needs to know what type of credentials
+	// is configured on the underlying gRPC server. This is set by server.go.
+	GetServerCredentials interface{} // func (s interface{}) *credentials.TransportCredentials
 )
 
 // HealthChecker defines the signature of the client-side LB channel health checking function.

server.go

@@ -40,6 +40,7 @@ import (
 	"google.golang.org/grpc/encoding"
 	"google.golang.org/grpc/encoding/proto"
 	"google.golang.org/grpc/grpclog"
+	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/internal/binarylog"
 	"google.golang.org/grpc/internal/channelz"
 	"google.golang.org/grpc/internal/grpcrand"
@@ -58,6 +59,16 @@ const (
 	defaultServerMaxSendMessageSize    = math.MaxInt32
 )
 
+func init() {
+	internal.GetServerCredentials = func(srv interface{}) credentials.TransportCredentials {
+		s, ok := srv.(*Server)
+		if !ok {
+			return nil
+		}
+		return s.opts.creds
+	}
+}
+
 var statusOK = status.New(codes.OK, "")
 var logger = grpclog.Component("core")
 

xds/internal/client/client.go

@@ -149,6 +149,10 @@ type ListenerUpdate struct {
 	SecurityCfg *SecurityConfig
 }
 
+func (lu *ListenerUpdate) String() string {
+	return fmt.Sprintf("{RouteConfigName: %q, SecurityConfig: %+v", lu.RouteConfigName, lu.SecurityCfg)
+}
+
 // RouteConfigUpdate contains information received in an RDS response, which is
 // of interest to the registered RDS watcher.
 type RouteConfigUpdate struct {