Merge pull request #24313 from yashykt/xdscredscpp

C++ API to create Xds channel credentials
4 years ago · 4013fd9dc9
parent 30ed4a50aa c52cb09f47
commit 4013fd9dc9
31 changed files with 665 additions and 11 deletions
--- a/3
+++ b/3
@ -1745,6 +1745,7 @@ grpc_cc_library(
        "src/core/lib/security/credentials/google_default/credentials_generic.cc",
        "src/core/lib/security/credentials/google_default/google_default_credentials.cc",
        "src/core/lib/security/credentials/iam/iam_credentials.cc",
+        "src/core/lib/security/credentials/insecure/insecure_credentials.cc",
        "src/core/lib/security/credentials/jwt/json_token.cc",
        "src/core/lib/security/credentials/jwt/jwt_credentials.cc",
        "src/core/lib/security/credentials/jwt/jwt_verifier.cc",
@ -1757,6 +1758,7 @@ grpc_cc_library(
        "src/core/lib/security/credentials/tls/tls_credentials.cc",
        "src/core/lib/security/security_connector/alts/alts_security_connector.cc",
        "src/core/lib/security/security_connector/fake/fake_security_connector.cc",
+        "src/core/lib/security/security_connector/insecure/insecure_security_connector.cc",
        "src/core/lib/security/security_connector/load_system_roots_fallback.cc",
        "src/core/lib/security/security_connector/load_system_roots_linux.cc",
        "src/core/lib/security/security_connector/local/local_security_connector.cc",
@ -1799,6 +1801,7 @@ grpc_cc_library(
        "src/core/lib/security/credentials/tls/tls_credentials.h",
        "src/core/lib/security/security_connector/alts/alts_security_connector.h",
        "src/core/lib/security/security_connector/fake/fake_security_connector.h",
+        "src/core/lib/security/security_connector/insecure/insecure_security_connector.h",
        "src/core/lib/security/security_connector/load_system_roots.h",
        "src/core/lib/security/security_connector/load_system_roots_linux.h",
        "src/core/lib/security/security_connector/local/local_security_connector.h",
--- a/BUILD.gn
+++ b/BUILD.gn
@ -852,6 +852,7 @@ config("grpc_config") {
        "src/core/lib/security/credentials/google_default/google_default_credentials.h",
        "src/core/lib/security/credentials/iam/iam_credentials.cc",
        "src/core/lib/security/credentials/iam/iam_credentials.h",
+        "src/core/lib/security/credentials/insecure/insecure_credentials.cc",
        "src/core/lib/security/credentials/jwt/json_token.cc",
        "src/core/lib/security/credentials/jwt/json_token.h",
        "src/core/lib/security/credentials/jwt/jwt_credentials.cc",
@ -878,6 +879,8 @@ config("grpc_config") {
        "src/core/lib/security/security_connector/alts/alts_security_connector.h",
        "src/core/lib/security/security_connector/fake/fake_security_connector.cc",
        "src/core/lib/security/security_connector/fake/fake_security_connector.h",
+        "src/core/lib/security/security_connector/insecure/insecure_security_connector.cc",
+        "src/core/lib/security/security_connector/insecure/insecure_security_connector.h",
        "src/core/lib/security/security_connector/load_system_roots.h",
        "src/core/lib/security/security_connector/load_system_roots_fallback.cc",
        "src/core/lib/security/security_connector/load_system_roots_linux.cc",
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -841,6 +841,7 @@ if(gRPC_BUILD_TESTS)
  add_dependencies(buildtests_cxx hybrid_end2end_test)
  add_dependencies(buildtests_cxx init_test)
  add_dependencies(buildtests_cxx initial_settings_frame_bad_client_test)
+  add_dependencies(buildtests_cxx insecure_security_connector_test)
  add_dependencies(buildtests_cxx interop_client)
  add_dependencies(buildtests_cxx interop_server)
  if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
@ -924,6 +925,7 @@ if(gRPC_BUILD_TESTS)
    add_dependencies(buildtests_cxx writes_per_rpc_test)
  endif()
  add_dependencies(buildtests_cxx xds_bootstrap_test)
+  add_dependencies(buildtests_cxx xds_credentials_end2end_test)
  if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
    add_dependencies(buildtests_cxx xds_end2end_test)
  endif()
@ -1757,6 +1759,7 @@ add_library(grpc
  src/core/lib/security/credentials/google_default/credentials_generic.cc
  src/core/lib/security/credentials/google_default/google_default_credentials.cc
  src/core/lib/security/credentials/iam/iam_credentials.cc
+  src/core/lib/security/credentials/insecure/insecure_credentials.cc
  src/core/lib/security/credentials/jwt/json_token.cc
  src/core/lib/security/credentials/jwt/jwt_credentials.cc
  src/core/lib/security/credentials/jwt/jwt_verifier.cc
@ -1770,6 +1773,7 @@ add_library(grpc
  src/core/lib/security/credentials/xds/xds_credentials.cc
  src/core/lib/security/security_connector/alts/alts_security_connector.cc
  src/core/lib/security/security_connector/fake/fake_security_connector.cc
+  src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
  src/core/lib/security/security_connector/load_system_roots_fallback.cc
  src/core/lib/security/security_connector/load_system_roots_linux.cc
  src/core/lib/security/security_connector/local/local_security_connector.cc
@ -12102,6 +12106,45 @@ target_link_libraries(initial_settings_frame_bad_client_test
 )


+endif()
+if(gRPC_BUILD_TESTS)
+
+add_executable(insecure_security_connector_test
+  test/core/security/insecure_security_connector_test.cc
+  third_party/googletest/googletest/src/gtest-all.cc
+  third_party/googletest/googlemock/src/gmock-all.cc
+)
+
+target_include_directories(insecure_security_connector_test
+  PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_SOURCE_DIR}/include
+    ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+    ${_gRPC_RE2_INCLUDE_DIR}
+    ${_gRPC_SSL_INCLUDE_DIR}
+    ${_gRPC_UPB_GENERATED_DIR}
+    ${_gRPC_UPB_GRPC_GENERATED_DIR}
+    ${_gRPC_UPB_INCLUDE_DIR}
+    ${_gRPC_ZLIB_INCLUDE_DIR}
+    third_party/googletest/googletest/include
+    third_party/googletest/googletest
+    third_party/googletest/googlemock/include
+    third_party/googletest/googlemock
+    ${_gRPC_PROTO_GENS_DIR}
+)
+
+target_link_libraries(insecure_security_connector_test
+  ${_gRPC_PROTOBUF_LIBRARIES}
+  ${_gRPC_ALLTARGETS_LIBRARIES}
+  grpc_test_util
+  grpc
+  gpr
+  address_sorting
+  upb
+  ${_gRPC_GFLAGS_LIBRARIES}
+)
+
+
 endif()
 if(gRPC_BUILD_TESTS)

@ -14974,6 +15017,60 @@ target_link_libraries(xds_bootstrap_test
 )


+endif()
+if(gRPC_BUILD_TESTS)
+
+add_executable(xds_credentials_end2end_test
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.h
+  test/cpp/end2end/test_service_impl.cc
+  test/cpp/end2end/xds_credentials_end2end_test.cc
+  third_party/googletest/googletest/src/gtest-all.cc
+  third_party/googletest/googlemock/src/gmock-all.cc
+)
+
+target_include_directories(xds_credentials_end2end_test
+  PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_SOURCE_DIR}/include
+    ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+    ${_gRPC_RE2_INCLUDE_DIR}
+    ${_gRPC_SSL_INCLUDE_DIR}
+    ${_gRPC_UPB_GENERATED_DIR}
+    ${_gRPC_UPB_GRPC_GENERATED_DIR}
+    ${_gRPC_UPB_INCLUDE_DIR}
+    ${_gRPC_ZLIB_INCLUDE_DIR}
+    third_party/googletest/googletest/include
+    third_party/googletest/googletest
+    third_party/googletest/googlemock/include
+    third_party/googletest/googlemock
+    ${_gRPC_PROTO_GENS_DIR}
+)
+
+target_link_libraries(xds_credentials_end2end_test
+  ${_gRPC_PROTOBUF_LIBRARIES}
+  ${_gRPC_ALLTARGETS_LIBRARIES}
+  grpc++_test_util
+  grpc_test_util
+  grpc++
+  grpc
+  gpr
+  address_sorting
+  upb
+  ${_gRPC_GFLAGS_LIBRARIES}
+)
+
+
 endif()
 if(gRPC_BUILD_TESTS)
 if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
--- a/4
+++ b/4
@ -2160,6 +2160,7 @@ LIBGRPC_SRC = \
    src/core/lib/security/credentials/google_default/credentials_generic.cc \
    src/core/lib/security/credentials/google_default/google_default_credentials.cc \
    src/core/lib/security/credentials/iam/iam_credentials.cc \
+    src/core/lib/security/credentials/insecure/insecure_credentials.cc \
    src/core/lib/security/credentials/jwt/json_token.cc \
    src/core/lib/security/credentials/jwt/jwt_credentials.cc \
    src/core/lib/security/credentials/jwt/jwt_verifier.cc \
@ -2173,6 +2174,7 @@ LIBGRPC_SRC = \
    src/core/lib/security/credentials/xds/xds_credentials.cc \
    src/core/lib/security/security_connector/alts/alts_security_connector.cc \
    src/core/lib/security/security_connector/fake/fake_security_connector.cc \
+    src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
    src/core/lib/security/security_connector/load_system_roots_fallback.cc \
    src/core/lib/security/security_connector/load_system_roots_linux.cc \
    src/core/lib/security/security_connector/local/local_security_connector.cc \
@ -4604,6 +4606,7 @@ src/core/lib/security/credentials/fake/fake_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/google_default/credentials_generic.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/google_default/google_default_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/iam/iam_credentials.cc: $(OPENSSL_DEP)
+src/core/lib/security/credentials/insecure/insecure_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/jwt/json_token.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/jwt/jwt_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/jwt/jwt_verifier.cc: $(OPENSSL_DEP)
@ -4617,6 +4620,7 @@ src/core/lib/security/credentials/tls/tls_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/xds/xds_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/alts/alts_security_connector.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/fake/fake_security_connector.cc: $(OPENSSL_DEP)
+src/core/lib/security/security_connector/insecure/insecure_security_connector.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/load_system_roots_fallback.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/load_system_roots_linux.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/local/local_security_connector.cc: $(OPENSSL_DEP)
--- a/build_autogenerated.yaml
+++ b/build_autogenerated.yaml
@ -699,6 +699,7 @@ libs:
  - src/core/lib/security/credentials/xds/xds_credentials.h
  - src/core/lib/security/security_connector/alts/alts_security_connector.h
  - src/core/lib/security/security_connector/fake/fake_security_connector.h
+  - src/core/lib/security/security_connector/insecure/insecure_security_connector.h
  - src/core/lib/security/security_connector/load_system_roots.h
  - src/core/lib/security/security_connector/load_system_roots_linux.h
  - src/core/lib/security/security_connector/local/local_security_connector.h
@ -1116,6 +1117,7 @@ libs:
  - src/core/lib/security/credentials/google_default/credentials_generic.cc
  - src/core/lib/security/credentials/google_default/google_default_credentials.cc
  - src/core/lib/security/credentials/iam/iam_credentials.cc
+  - src/core/lib/security/credentials/insecure/insecure_credentials.cc
  - src/core/lib/security/credentials/jwt/json_token.cc
  - src/core/lib/security/credentials/jwt/jwt_credentials.cc
  - src/core/lib/security/credentials/jwt/jwt_verifier.cc
@ -1129,6 +1131,7 @@ libs:
  - src/core/lib/security/credentials/xds/xds_credentials.cc
  - src/core/lib/security/security_connector/alts/alts_security_connector.cc
  - src/core/lib/security/security_connector/fake/fake_security_connector.cc
+  - src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
  - src/core/lib/security/security_connector/load_system_roots_fallback.cc
  - src/core/lib/security/security_connector/load_system_roots_linux.cc
  - src/core/lib/security/security_connector/local/local_security_connector.cc
@ -6255,6 +6258,19 @@ targets:
  - gpr
  - address_sorting
  - upb
+- name: insecure_security_connector_test
+  gtest: true
+  build: test
+  language: c++
+  headers: []
+  src:
+  - test/core/security/insecure_security_connector_test.cc
+  deps:
+  - grpc_test_util
+  - grpc
+  - gpr
+  - address_sorting
+  - upb
 - name: interop_client
  build: test
  run: false
@ -7544,6 +7560,26 @@ targets:
  - gpr
  - address_sorting
  - upb
+- name: xds_credentials_end2end_test
+  gtest: true
+  build: test
+  language: c++
+  headers:
+  - test/cpp/end2end/test_service_impl.h
+  src:
+  - src/proto/grpc/testing/echo.proto
+  - src/proto/grpc/testing/echo_messages.proto
+  - src/proto/grpc/testing/simple_messages.proto
+  - test/cpp/end2end/test_service_impl.cc
+  - test/cpp/end2end/xds_credentials_end2end_test.cc
+  deps:
+  - grpc++_test_util
+  - grpc_test_util
+  - grpc++
+  - grpc
+  - gpr
+  - address_sorting
+  - upb
 - name: xds_end2end_test
  gtest: true
  build: test
--- a/config.m4
+++ b/config.m4
@ -422,6 +422,7 @@ if test "$PHP_GRPC" != "no"; then
    src/core/lib/security/credentials/google_default/credentials_generic.cc \
    src/core/lib/security/credentials/google_default/google_default_credentials.cc \
    src/core/lib/security/credentials/iam/iam_credentials.cc \
+    src/core/lib/security/credentials/insecure/insecure_credentials.cc \
    src/core/lib/security/credentials/jwt/json_token.cc \
    src/core/lib/security/credentials/jwt/jwt_credentials.cc \
    src/core/lib/security/credentials/jwt/jwt_verifier.cc \
@ -435,6 +436,7 @@ if test "$PHP_GRPC" != "no"; then
    src/core/lib/security/credentials/xds/xds_credentials.cc \
    src/core/lib/security/security_connector/alts/alts_security_connector.cc \
    src/core/lib/security/security_connector/fake/fake_security_connector.cc \
+    src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
    src/core/lib/security/security_connector/load_system_roots_fallback.cc \
    src/core/lib/security/security_connector/load_system_roots_linux.cc \
    src/core/lib/security/security_connector/local/local_security_connector.cc \
@ -993,6 +995,7 @@ if test "$PHP_GRPC" != "no"; then
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/fake)
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/google_default)
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/iam)
+  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/insecure)
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/jwt)
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/local)
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/oauth2)
@ -1003,6 +1006,7 @@ if test "$PHP_GRPC" != "no"; then
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector)
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/alts)
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/fake)
+  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/insecure)
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/local)
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/ssl)
  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/tls)
--- a/config.w32
+++ b/config.w32
@ -389,6 +389,7 @@ if (PHP_GRPC != "no") {
    "src\\core\\lib\\security\\credentials\\google_default\\credentials_generic.cc " +
    "src\\core\\lib\\security\\credentials\\google_default\\google_default_credentials.cc " +
    "src\\core\\lib\\security\\credentials\\iam\\iam_credentials.cc " +
+    "src\\core\\lib\\security\\credentials\\insecure\\insecure_credentials.cc " +
    "src\\core\\lib\\security\\credentials\\jwt\\json_token.cc " +
    "src\\core\\lib\\security\\credentials\\jwt\\jwt_credentials.cc " +
    "src\\core\\lib\\security\\credentials\\jwt\\jwt_verifier.cc " +
@ -402,6 +403,7 @@ if (PHP_GRPC != "no") {
    "src\\core\\lib\\security\\credentials\\xds\\xds_credentials.cc " +
    "src\\core\\lib\\security\\security_connector\\alts\\alts_security_connector.cc " +
    "src\\core\\lib\\security\\security_connector\\fake\\fake_security_connector.cc " +
+    "src\\core\\lib\\security\\security_connector\\insecure\\insecure_security_connector.cc " +
    "src\\core\\lib\\security\\security_connector\\load_system_roots_fallback.cc " +
    "src\\core\\lib\\security\\security_connector\\load_system_roots_linux.cc " +
    "src\\core\\lib\\security\\security_connector\\local\\local_security_connector.cc " +
@ -1036,6 +1038,7 @@ if (PHP_GRPC != "no") {
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\fake");
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\google_default");
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\iam");
+  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\insecure");
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\jwt");
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\local");
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\oauth2");
@ -1046,6 +1049,7 @@ if (PHP_GRPC != "no") {
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector");
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\alts");
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\fake");
+  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\insecure");
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\local");
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\ssl");
  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\tls");
--- a/gRPC-C++.podspec
+++ b/gRPC-C++.podspec
@ -546,6 +546,7 @@ Pod::Spec.new do |s|
                      'src/core/lib/security/credentials/xds/xds_credentials.h',
                      'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                      'src/core/lib/security/security_connector/fake/fake_security_connector.h',
+                      'src/core/lib/security/security_connector/insecure/insecure_security_connector.h',
                      'src/core/lib/security/security_connector/load_system_roots.h',
                      'src/core/lib/security/security_connector/load_system_roots_linux.h',
                      'src/core/lib/security/security_connector/local/local_security_connector.h',
@ -1064,6 +1065,7 @@ Pod::Spec.new do |s|
                              'src/core/lib/security/credentials/xds/xds_credentials.h',
                              'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                              'src/core/lib/security/security_connector/fake/fake_security_connector.h',
+                              'src/core/lib/security/security_connector/insecure/insecure_security_connector.h',
                              'src/core/lib/security/security_connector/load_system_roots.h',
                              'src/core/lib/security/security_connector/load_system_roots_linux.h',
                              'src/core/lib/security/security_connector/local/local_security_connector.h',
--- a/gRPC-Core.podspec
+++ b/gRPC-Core.podspec
@ -907,6 +907,7 @@ Pod::Spec.new do |s|
                      'src/core/lib/security/credentials/google_default/google_default_credentials.h',
                      'src/core/lib/security/credentials/iam/iam_credentials.cc',
                      'src/core/lib/security/credentials/iam/iam_credentials.h',
+                      'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
                      'src/core/lib/security/credentials/jwt/json_token.cc',
                      'src/core/lib/security/credentials/jwt/json_token.h',
                      'src/core/lib/security/credentials/jwt/jwt_credentials.cc',
@ -933,6 +934,8 @@ Pod::Spec.new do |s|
                      'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                      'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
                      'src/core/lib/security/security_connector/fake/fake_security_connector.h',
+                      'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
+                      'src/core/lib/security/security_connector/insecure/insecure_security_connector.h',
                      'src/core/lib/security/security_connector/load_system_roots.h',
                      'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
                      'src/core/lib/security/security_connector/load_system_roots_linux.cc',
@ -1504,6 +1507,7 @@ Pod::Spec.new do |s|
                              'src/core/lib/security/credentials/xds/xds_credentials.h',
                              'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                              'src/core/lib/security/security_connector/fake/fake_security_connector.h',
+                              'src/core/lib/security/security_connector/insecure/insecure_security_connector.h',
                              'src/core/lib/security/security_connector/load_system_roots.h',
                              'src/core/lib/security/security_connector/load_system_roots_linux.h',
                              'src/core/lib/security/security_connector/local/local_security_connector.h',
--- a/grpc.gemspec
+++ b/grpc.gemspec
@ -825,6 +825,7 @@ Gem::Specification.new do |s|
  s.files += %w( src/core/lib/security/credentials/google_default/google_default_credentials.h )
  s.files += %w( src/core/lib/security/credentials/iam/iam_credentials.cc )
  s.files += %w( src/core/lib/security/credentials/iam/iam_credentials.h )
+  s.files += %w( src/core/lib/security/credentials/insecure/insecure_credentials.cc )
  s.files += %w( src/core/lib/security/credentials/jwt/json_token.cc )
  s.files += %w( src/core/lib/security/credentials/jwt/json_token.h )
  s.files += %w( src/core/lib/security/credentials/jwt/jwt_credentials.cc )
@ -851,6 +852,8 @@ Gem::Specification.new do |s|
  s.files += %w( src/core/lib/security/security_connector/alts/alts_security_connector.h )
  s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.cc )
  s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.h )
+  s.files += %w( src/core/lib/security/security_connector/insecure/insecure_security_connector.cc )
+  s.files += %w( src/core/lib/security/security_connector/insecure/insecure_security_connector.h )
  s.files += %w( src/core/lib/security/security_connector/load_system_roots.h )
  s.files += %w( src/core/lib/security/security_connector/load_system_roots_fallback.cc )
  s.files += %w( src/core/lib/security/security_connector/load_system_roots_linux.cc )
--- a/grpc.gyp
+++ b/grpc.gyp
@ -786,6 +786,7 @@
        'src/core/lib/security/credentials/google_default/credentials_generic.cc',
        'src/core/lib/security/credentials/google_default/google_default_credentials.cc',
        'src/core/lib/security/credentials/iam/iam_credentials.cc',
+        'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
        'src/core/lib/security/credentials/jwt/json_token.cc',
        'src/core/lib/security/credentials/jwt/jwt_credentials.cc',
        'src/core/lib/security/credentials/jwt/jwt_verifier.cc',
@ -799,6 +800,7 @@
        'src/core/lib/security/credentials/xds/xds_credentials.cc',
        'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
        'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
+        'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
        'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
        'src/core/lib/security/security_connector/load_system_roots_linux.cc',
        'src/core/lib/security/security_connector/local/local_security_connector.cc',
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@ -1029,6 +1029,13 @@ grpc_channel_credentials* grpc_tls_credentials_create(
 grpc_server_credentials* grpc_tls_server_credentials_create(
    grpc_tls_credentials_options* options);

+/**
+ * EXPERIMENTAL API - Subject to change
+ *
+ * This method creates an insecure channel credentials object.
+ */
+grpc_channel_credentials* grpc_insecure_credentials_create();
+
 /**
 * EXPERIMENTAL API - Subject to change
 *
--- a/include/grpcpp/security/credentials.h
+++ b/include/grpcpp/security/credentials.h
@ -54,7 +54,11 @@ std::shared_ptr<grpc::Channel> CreateCustomChannelWithInterceptors(
    std::vector<
        std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
        interceptor_creators);
-}
+
+/// Builds XDS Credentials.
+std::shared_ptr<ChannelCredentials> XdsCredentials(
+    const std::shared_ptr<ChannelCredentials>& fallback_creds);
+}  // namespace experimental

 /// A channel credentials object encapsulates all the state needed by a client
 /// to authenticate with a server for a given channel.
@ -72,6 +76,13 @@ class ChannelCredentials : private grpc::GrpcLibraryCodegen {
      const std::shared_ptr<ChannelCredentials>& channel_creds,
      const std::shared_ptr<CallCredentials>& call_creds);

+  // TODO(yashykt): We need this friend declaration mainly for access to
+  // AsSecureCredentials(). Once we are able to remove insecure builds from gRPC
+  // (and also internal dependencies on the indirect method of creating a
+  // channel through credentials), we would be able to remove this.
+  friend std::shared_ptr<ChannelCredentials> grpc::experimental::XdsCredentials(
+      const std::shared_ptr<ChannelCredentials>& fallback_creds);
+
  virtual SecureChannelCredentials* AsSecureCredentials() = 0;

 private:
@ -101,6 +112,11 @@ class ChannelCredentials : private grpc::GrpcLibraryCodegen {
      /*interceptor_creators*/) {
    return nullptr;
  }
+
+  // TODO(yashkt): This is a hack that is needed since InsecureCredentials can
+  // not use grpc_channel_credentials internally and should be removed after
+  // insecure builds are removed from gRPC.
+  virtual bool IsInsecure() const { return false; }
 };

 /// A call credentials object encapsulates the state needed by a client to
--- a/package.xml
+++ b/package.xml
@ -805,6 +805,7 @@
    <file baseinstalldir="/" name="src/core/lib/security/credentials/google_default/google_default_credentials.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/iam/iam_credentials.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/iam/iam_credentials.h" role="src" />
+    <file baseinstalldir="/" name="src/core/lib/security/credentials/insecure/insecure_credentials.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/json_token.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/json_token.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/jwt_credentials.cc" role="src" />
@ -831,6 +832,8 @@
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/alts/alts_security_connector.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/fake/fake_security_connector.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/fake/fake_security_connector.h" role="src" />
+    <file baseinstalldir="/" name="src/core/lib/security/security_connector/insecure/insecure_security_connector.cc" role="src" />
+    <file baseinstalldir="/" name="src/core/lib/security/security_connector/insecure/insecure_security_connector.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_fallback.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_linux.cc" role="src" />
--- a/src/core/lib/security/credentials/insecure/insecure_credentials.cc
+++ b/src/core/lib/security/credentials/insecure/insecure_credentials.cc
@ -0,0 +1,51 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
+
+namespace grpc_core {
+namespace {
+
+constexpr char kCredentialsTypeInsecure[] = "insecure";
+
+class InsecureCredentials final : public grpc_channel_credentials {
+ public:
+  explicit InsecureCredentials()
+      : grpc_channel_credentials(kCredentialsTypeInsecure) {}
+
+  grpc_core::RefCountedPtr<grpc_channel_security_connector>
+  create_security_connector(
+      grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
+      const char* /* target_name */, const grpc_channel_args* /* args */,
+      grpc_channel_args** /* new_args */) override {
+    return MakeRefCounted<InsecureChannelSecurityConnector>(
+        Ref(), std::move(call_creds));
+  }
+};
+
+}  // namespace
+}  // namespace grpc_core
+
+grpc_channel_credentials* grpc_insecure_credentials_create() {
+  return new grpc_core::InsecureCredentials();
+}
--- a/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
+++ b/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
@ -0,0 +1,88 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
+
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/security/transport/security_handshaker.h"
+#include "src/core/tsi/local_transport_security.h"
+
+namespace grpc_core {
+
+const char kInsecureTransportSecurityType[] = "insecure";
+
+// check_call_host and cancel_check_call_host are no-ops since we want to
+// provide an insecure channel.
+bool InsecureChannelSecurityConnector::check_call_host(
+    absl::string_view host, grpc_auth_context* auth_context,
+    grpc_closure* on_call_host_checked, grpc_error** error) {
+  *error = GRPC_ERROR_NONE;
+  return true;
+}
+
+void InsecureChannelSecurityConnector::cancel_check_call_host(
+    grpc_closure* on_call_host_checked, grpc_error* error) {
+  GRPC_ERROR_UNREF(error);
+}
+
+// add_handshakers should have been a no-op but we need to add a minimalist
+// security handshaker so that check_peer is invoked and an auth_context is
+// created with the security level of TSI_SECURITY_NONE.
+void InsecureChannelSecurityConnector::add_handshakers(
+    const grpc_channel_args* args, grpc_pollset_set* /* interested_parties */,
+    HandshakeManager* handshake_manager) {
+  tsi_handshaker* handshaker = nullptr;
+  // Re-use local_tsi_handshaker_create as a minimalist handshaker.
+  GPR_ASSERT(tsi_local_handshaker_create(true /* is_client */, &handshaker) ==
+             TSI_OK);
+  handshake_manager->Add(SecurityHandshakerCreate(handshaker, this, args));
+}
+
+void InsecureChannelSecurityConnector::check_peer(
+    tsi_peer peer, grpc_endpoint* ep,
+    RefCountedPtr<grpc_auth_context>* auth_context,
+    grpc_closure* on_peer_checked) {
+  *auth_context = MakeAuthContext();
+  tsi_peer_destruct(&peer);
+  ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, GRPC_ERROR_NONE);
+}
+
+int InsecureChannelSecurityConnector::cmp(
+    const grpc_security_connector* other_sc) const {
+  return channel_security_connector_cmp(
+      static_cast<const grpc_channel_security_connector*>(other_sc));
+}
+
+RefCountedPtr<grpc_auth_context>
+InsecureChannelSecurityConnector::MakeAuthContext() {
+  auto ctx = MakeRefCounted<grpc_auth_context>(nullptr);
+  grpc_auth_context_add_cstring_property(
+      ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
+      kInsecureTransportSecurityType);
+  GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
+                 ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME) == 1);
+  const char* security_level = tsi_security_level_to_string(TSI_SECURITY_NONE);
+  grpc_auth_context_add_property(ctx.get(),
+                                 GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
+                                 security_level, strlen(security_level));
+  return ctx;
+}
+
+}  // namespace grpc_core
--- a/src/core/lib/security/security_connector/insecure/insecure_security_connector.h
+++ b/src/core/lib/security/security_connector/insecure/insecure_security_connector.h
@ -0,0 +1,70 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H
+#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/context/security_context.h"
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/security_connector/security_connector.h"
+
+namespace grpc_core {
+
+extern const char kInsecureTransportSecurityType[];
+
+class InsecureChannelSecurityConnector
+    : public grpc_channel_security_connector {
+ public:
+  InsecureChannelSecurityConnector(
+      grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+      grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds)
+      : grpc_channel_security_connector(/* url_scheme */ nullptr,
+                                        std::move(channel_creds),
+                                        std::move(request_metadata_creds)) {}
+
+  bool check_call_host(absl::string_view host, grpc_auth_context* auth_context,
+                       grpc_closure* on_call_host_checked,
+                       grpc_error** error) override;
+
+  void cancel_check_call_host(grpc_closure* on_call_host_checked,
+                              grpc_error* error) override;
+
+  void add_handshakers(const grpc_channel_args* args,
+                       grpc_pollset_set* /* interested_parties */,
+                       grpc_core::HandshakeManager* handshake_manager) override;
+
+  void check_peer(tsi_peer peer, grpc_endpoint* ep,
+                  grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
+                  grpc_closure* on_peer_checked) override;
+
+  int cmp(const grpc_security_connector* other_sc) const override;
+
+  // Exposed for testing purposes only.
+  // Create an auth context which is necessary to pass the santiy check in
+  // client_auth_filter that verifies if the peer's auth context is obtained
+  // during handshakes. The auth context is only checked for its existence and
+  // not actually used.
+  static RefCountedPtr<grpc_auth_context> MakeAuthContext();
+};
+
+}  // namespace grpc_core
+
+#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H \
+        */
--- a/src/core/lib/security/security_connector/local/local_security_connector.cc
+++ b/src/core/lib/security/security_connector/local/local_security_connector.cc
@ -157,7 +157,7 @@ class grpc_local_channel_security_connector final
      const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
      grpc_core::HandshakeManager* handshake_manager) override {
    tsi_handshaker* handshaker = nullptr;
-    GPR_ASSERT(local_tsi_handshaker_create(true /* is_client */, &handshaker) ==
+    GPR_ASSERT(tsi_local_handshaker_create(true /* is_client */, &handshaker) ==
               TSI_OK);
    handshake_manager->Add(
        grpc_core::SecurityHandshakerCreate(handshaker, this, args));
@ -215,7 +215,7 @@ class grpc_local_server_security_connector final
      const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
      grpc_core::HandshakeManager* handshake_manager) override {
    tsi_handshaker* handshaker = nullptr;
-    GPR_ASSERT(local_tsi_handshaker_create(false /* is_client */,
+    GPR_ASSERT(tsi_local_handshaker_create(false /* is_client */,
                                           &handshaker) == TSI_OK);
    handshake_manager->Add(
        grpc_core::SecurityHandshakerCreate(handshaker, this, args));
--- a/src/core/tsi/local_transport_security.cc
+++ b/src/core/tsi/local_transport_security.cc
@ -31,6 +31,8 @@
 #include "src/core/lib/iomgr/exec_ctx.h"
 #include "src/core/tsi/transport_security_grpc.h"

+namespace {
+
 /* Main struct for local TSI zero-copy frame protector. */
 typedef struct local_zero_copy_grpc_protector {
  tsi_zero_copy_grpc_protector base;
@ -197,7 +199,9 @@ static const tsi_handshaker_vtable handshaker_vtable = {
    nullptr, /* shutdown */
 };

-tsi_result local_tsi_handshaker_create(bool is_client, tsi_handshaker** self) {
+}  // namespace
+
+tsi_result tsi_local_handshaker_create(bool is_client, tsi_handshaker** self) {
  if (self == nullptr) {
    gpr_log(GPR_ERROR, "Invalid arguments to local_tsi_handshaker_create()");
    return TSI_INVALID_ARGUMENT;
--- a/src/core/tsi/local_transport_security.h
+++ b/src/core/tsi/local_transport_security.h
@ -29,12 +29,6 @@
 #define TSI_LOCAL_NUM_OF_PEER_PROPERTIES 1
 #define TSI_LOCAL_PROCESS_ID_PEER_PROPERTY "process_id"

-/**
- * Main struct for local TSI handshaker. All APIs in the header are
- * thread-comptabile.
- */
-typedef struct local_tsi_handshaker local_tsi_handshaker;
-
 /**
 * This method creates a local TSI handshaker instance.
 *
@ -45,7 +39,12 @@ typedef struct local_tsi_handshaker local_tsi_handshaker;
 *   method.
 *
 * It returns TSI_OK on success and an error status code on failure.
+ *
+ * This handshaker is also being used as a minimalist handshaker for insecure
+ * security connector. If this handshaker ever needs to do anything more that
+ * does not fit with an insecure connector, we would need to add a separate
+ * handshaker for insecure connectors.
 */
-tsi_result local_tsi_handshaker_create(bool is_client, tsi_handshaker** self);
+tsi_result tsi_local_handshaker_create(bool is_client, tsi_handshaker** self);

 #endif /* GRPC_CORE_TSI_LOCAL_TRANSPORT_SECURITY_H */
--- a/src/cpp/client/insecure_credentials.cc
+++ b/src/cpp/client/insecure_credentials.cc
@ -51,6 +51,9 @@ class InsecureChannelCredentialsImpl final : public ChannelCredentials {
  }

  SecureChannelCredentials* AsSecureCredentials() override { return nullptr; }
+
+ private:
+  bool IsInsecure() const override { return true; }
 };
 }  // namespace

--- a/src/cpp/client/secure_credentials.cc
+++ b/src/cpp/client/secure_credentials.cc
@ -28,6 +28,7 @@
 #include <grpcpp/impl/grpc_library.h>
 #include <grpcpp/support/channel_arguments.h>

+// TODO(yashykt): We shouldn't be including "src/core" headers.
 #include "src/core/lib/gpr/env.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/iomgr/executor.h"
@ -294,6 +295,22 @@ std::shared_ptr<ChannelCredentials> TlsCredentials(
      grpc_tls_credentials_create(options.c_credentials_options()));
 }

+// Builds XDS Credentials
+std::shared_ptr<ChannelCredentials> XdsCredentials(
+    const std::shared_ptr<ChannelCredentials>& fallback_creds) {
+  if (fallback_creds->IsInsecure()) {
+    grpc_channel_credentials* insecure_creds =
+        grpc_insecure_credentials_create();
+    auto xds_creds =
+        WrapChannelCredentials(grpc_xds_credentials_create(insecure_creds));
+    grpc_channel_credentials_release(insecure_creds);
+    return xds_creds;
+  } else {
+    return WrapChannelCredentials(grpc_xds_credentials_create(
+        fallback_creds->AsSecureCredentials()->GetRawCreds()));
+  }
+}
+
 }  // namespace experimental

 // Builds credentials for use when running in GCE
--- a/src/cpp/client/secure_credentials.h
+++ b/src/cpp/client/secure_credentials.h
@ -26,6 +26,7 @@
 #include <grpcpp/support/config.h>

 #include "absl/strings/str_cat.h"
+// TODO(yashykt): We shouldn't be including "src/core" headers.
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/cpp/server/thread_pool_interface.h"

--- a/src/python/grpcio/grpc_core_dependencies.py
+++ b/src/python/grpcio/grpc_core_dependencies.py
@ -398,6 +398,7 @@ CORE_SOURCE_FILES = [
    'src/core/lib/security/credentials/google_default/credentials_generic.cc',
    'src/core/lib/security/credentials/google_default/google_default_credentials.cc',
    'src/core/lib/security/credentials/iam/iam_credentials.cc',
+    'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
    'src/core/lib/security/credentials/jwt/json_token.cc',
    'src/core/lib/security/credentials/jwt/jwt_credentials.cc',
    'src/core/lib/security/credentials/jwt/jwt_verifier.cc',
@ -411,6 +412,7 @@ CORE_SOURCE_FILES = [
    'src/core/lib/security/credentials/xds/xds_credentials.cc',
    'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
    'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
+    'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
    'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
    'src/core/lib/security/security_connector/load_system_roots_linux.cc',
    'src/core/lib/security/security_connector/local/local_security_connector.cc',
--- a/test/core/security/BUILD
+++ b/test/core/security/BUILD
@ -326,3 +326,17 @@ grpc_cc_test(
        "//test/core/util:grpc_test_util",
    ],
 )
+
+grpc_cc_test(
+    name = "insecure_security_connector_test",
+    srcs = ["insecure_security_connector_test.cc"],
+    external_deps = [
+        "gtest",
+    ],
+    deps = [
+        "//:gpr",
+        "//:grpc",
+        "//:grpc_secure",
+        "//test/core/util:grpc_test_util",
+    ],
+)
--- a/test/core/security/insecure_security_connector_test.cc
+++ b/test/core/security/insecure_security_connector_test.cc
@ -0,0 +1,59 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <gmock/gmock.h>
+#include <gtest/gtest.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
+#include "src/core/tsi/transport_security.h"
+#include "test/core/util/test_config.h"
+
+namespace grpc_core {
+namespace testing {
+namespace {
+
+TEST(InsecureSecurityConnector, MakeAuthContextTest) {
+  auto auth_context = InsecureChannelSecurityConnector::MakeAuthContext();
+  // Verify that peer identity is set
+  auto it = grpc_auth_context_peer_identity(auth_context.get());
+  const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
+  ASSERT_NE(prop, nullptr);
+  EXPECT_STREQ(prop->name, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME);
+  EXPECT_STREQ(prop->value, kInsecureTransportSecurityType);
+  // Verify that security level is set to none
+  it = grpc_auth_context_find_properties_by_name(
+      auth_context.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME);
+  prop = grpc_auth_property_iterator_next(&it);
+  ASSERT_NE(prop, nullptr);
+  EXPECT_EQ(grpc_tsi_security_level_string_to_enum(prop->value),
+            GRPC_SECURITY_NONE);
+}
+
+}  // namespace
+}  // namespace testing
+}  // namespace grpc_core
+
+int main(int argc, char** argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+  grpc::testing::TestEnvironment env(argc, argv);
+  const auto result = RUN_ALL_TESTS();
+  return result;
+}
--- a/test/cpp/end2end/BUILD
+++ b/test/cpp/end2end/BUILD
@ -811,3 +811,21 @@ grpc_cc_test(
        "//test/cpp/util:test_util",
    ],
 )
+
+grpc_cc_test(
+    name = "xds_credentials_end2end_test",
+    srcs = ["xds_credentials_end2end_test.cc"],
+    external_deps = [
+        "gtest",
+    ],
+    deps = [
+        ":test_service_impl",
+        "//:gpr",
+        "//:grpc",
+        "//:grpc++",
+        "//src/proto/grpc/testing:echo_messages_proto",
+        "//src/proto/grpc/testing:echo_proto",
+        "//test/core/util:grpc_test_util",
+        "//test/cpp/util:test_util",
+    ],
+)
--- a/test/cpp/end2end/xds_credentials_end2end_test.cc
+++ b/test/cpp/end2end/xds_credentials_end2end_test.cc
@ -0,0 +1,86 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <gmock/gmock.h>
+#include <gtest/gtest.h>
+
+#include <grpc/grpc.h>
+#include <grpcpp/server_builder.h>
+
+#include "test/core/util/port.h"
+#include "test/core/util/test_config.h"
+#include "test/cpp/end2end/test_service_impl.h"
+#include "test/cpp/util/test_credentials_provider.h"
+
+namespace grpc {
+namespace testing {
+namespace {
+
+class XdsCredentialsEnd2EndFallbackTest
+    : public ::testing::TestWithParam<const char*> {
+ protected:
+  XdsCredentialsEnd2EndFallbackTest() {
+    int port = grpc_pick_unused_port_or_die();
+    ServerBuilder builder;
+    server_address_ = "localhost:" + std::to_string(port);
+    builder.AddListeningPort(
+        server_address_,
+        GetCredentialsProvider()->GetServerCredentials(GetParam()));
+    builder.RegisterService(&service_);
+    server_ = builder.BuildAndStart();
+  }
+
+  std::string server_address_;
+  TestServiceImpl service_;
+  std::unique_ptr<Server> server_;
+};
+
+TEST_P(XdsCredentialsEnd2EndFallbackTest, NoXdsSchemeInTarget) {
+  // Target does not use 'xds:///' scheme and should result in using fallback
+  // credentials.
+  ChannelArguments args;
+  auto channel = grpc::CreateCustomChannel(
+      server_address_,
+      grpc::experimental::XdsCredentials(
+          GetCredentialsProvider()->GetChannelCredentials(GetParam(), &args)),
+      args);
+  auto stub = grpc::testing::EchoTestService::NewStub(channel);
+  ClientContext ctx;
+  EchoRequest req;
+  req.set_message("Hello");
+  EchoResponse resp;
+  Status s = stub->Echo(&ctx, req, &resp);
+  EXPECT_EQ(s.ok(), true);
+  EXPECT_EQ(resp.message(), "Hello");
+}
+
+INSTANTIATE_TEST_SUITE_P(XdsCredentialsEnd2EndFallback,
+                         XdsCredentialsEnd2EndFallbackTest,
+                         ::testing::ValuesIn(std::vector<const char*>(
+                             {kInsecureCredentialsType, kTlsCredentialsType})));
+
+}  // namespace
+}  // namespace testing
+}  // namespace grpc
+
+int main(int argc, char** argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+  grpc::testing::TestEnvironment env(argc, argv);
+  const auto result = RUN_ALL_TESTS();
+  return result;
+}
--- a/tools/doxygen/Doxyfile.c++.internal
+++ b/tools/doxygen/Doxyfile.c++.internal
@ -1758,6 +1758,7 @@ src/core/lib/security/credentials/google_default/google_default_credentials.cc \
 src/core/lib/security/credentials/google_default/google_default_credentials.h \
 src/core/lib/security/credentials/iam/iam_credentials.cc \
 src/core/lib/security/credentials/iam/iam_credentials.h \
+src/core/lib/security/credentials/insecure/insecure_credentials.cc \
 src/core/lib/security/credentials/jwt/json_token.cc \
 src/core/lib/security/credentials/jwt/json_token.h \
 src/core/lib/security/credentials/jwt/jwt_credentials.cc \
@ -1784,6 +1785,8 @@ src/core/lib/security/security_connector/alts/alts_security_connector.cc \
 src/core/lib/security/security_connector/alts/alts_security_connector.h \
 src/core/lib/security/security_connector/fake/fake_security_connector.cc \
 src/core/lib/security/security_connector/fake/fake_security_connector.h \
+src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
+src/core/lib/security/security_connector/insecure/insecure_security_connector.h \
 src/core/lib/security/security_connector/load_system_roots.h \
 src/core/lib/security/security_connector/load_system_roots_fallback.cc \
 src/core/lib/security/security_connector/load_system_roots_linux.cc \
--- a/tools/doxygen/Doxyfile.core.internal
+++ b/tools/doxygen/Doxyfile.core.internal
@ -1601,6 +1601,7 @@ src/core/lib/security/credentials/google_default/google_default_credentials.cc \
 src/core/lib/security/credentials/google_default/google_default_credentials.h \
 src/core/lib/security/credentials/iam/iam_credentials.cc \
 src/core/lib/security/credentials/iam/iam_credentials.h \
+src/core/lib/security/credentials/insecure/insecure_credentials.cc \
 src/core/lib/security/credentials/jwt/json_token.cc \
 src/core/lib/security/credentials/jwt/json_token.h \
 src/core/lib/security/credentials/jwt/jwt_credentials.cc \
@ -1627,6 +1628,8 @@ src/core/lib/security/security_connector/alts/alts_security_connector.cc \
 src/core/lib/security/security_connector/alts/alts_security_connector.h \
 src/core/lib/security/security_connector/fake/fake_security_connector.cc \
 src/core/lib/security/security_connector/fake/fake_security_connector.h \
+src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
+src/core/lib/security/security_connector/insecure/insecure_security_connector.h \
 src/core/lib/security/security_connector/load_system_roots.h \
 src/core/lib/security/security_connector/load_system_roots_fallback.cc \
 src/core/lib/security/security_connector/load_system_roots_linux.cc \
--- a/tools/run_tests/generated/tests.json
+++ b/tools/run_tests/generated/tests.json
@ -4789,6 +4789,30 @@
    ], 
    "uses_polling": true
  }, 
+  {
+    "args": [], 
+    "benchmark": false, 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "posix", 
+      "windows"
+    ], 
+    "cpu_cost": 1.0, 
+    "exclude_configs": [], 
+    "exclude_iomgrs": [], 
+    "flaky": false, 
+    "gtest": true, 
+    "language": "c++", 
+    "name": "insecure_security_connector_test", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "posix", 
+      "windows"
+    ], 
+    "uses_polling": true
+  }, 
  {
    "args": [], 
    "benchmark": false, 
@ -6067,6 +6091,30 @@
    ], 
    "uses_polling": true
  }, 
+  {
+    "args": [], 
+    "benchmark": false, 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "posix", 
+      "windows"
+    ], 
+    "cpu_cost": 1.0, 
+    "exclude_configs": [], 
+    "exclude_iomgrs": [], 
+    "flaky": false, 
+    "gtest": true, 
+    "language": "c++", 
+    "name": "xds_credentials_end2end_test", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "posix", 
+      "windows"
+    ], 
+    "uses_polling": true
+  }, 
  {
    "args": [], 
    "boringssl": true,