
Add experimental XdsCredentials with support for insecure channel_credentials and security_connector

Yash Tibrewal 4 lat temu
rodzic
commit
c52cb09f47

+ 3 - 0
BUILD

@@ -1747,6 +1747,7 @@ grpc_cc_library(
         "src/core/lib/security/credentials/google_default/credentials_generic.cc",
         "src/core/lib/security/credentials/google_default/google_default_credentials.cc",
         "src/core/lib/security/credentials/iam/iam_credentials.cc",
+        "src/core/lib/security/credentials/insecure/insecure_credentials.cc",
         "src/core/lib/security/credentials/jwt/json_token.cc",
         "src/core/lib/security/credentials/jwt/jwt_credentials.cc",
         "src/core/lib/security/credentials/jwt/jwt_verifier.cc",
@@ -1759,6 +1760,7 @@ grpc_cc_library(
         "src/core/lib/security/credentials/tls/tls_credentials.cc",
         "src/core/lib/security/security_connector/alts/alts_security_connector.cc",
         "src/core/lib/security/security_connector/fake/fake_security_connector.cc",
+        "src/core/lib/security/security_connector/insecure/insecure_security_connector.cc",
         "src/core/lib/security/security_connector/load_system_roots_fallback.cc",
         "src/core/lib/security/security_connector/load_system_roots_linux.cc",
         "src/core/lib/security/security_connector/local/local_security_connector.cc",
@@ -1801,6 +1803,7 @@ grpc_cc_library(
         "src/core/lib/security/credentials/tls/tls_credentials.h",
         "src/core/lib/security/security_connector/alts/alts_security_connector.h",
         "src/core/lib/security/security_connector/fake/fake_security_connector.h",
+        "src/core/lib/security/security_connector/insecure/insecure_security_connector.h",
         "src/core/lib/security/security_connector/load_system_roots.h",
         "src/core/lib/security/security_connector/load_system_roots_linux.h",
         "src/core/lib/security/security_connector/local/local_security_connector.h",

+ 3 - 0
BUILD.gn

@@ -851,6 +851,7 @@ config("grpc_config") {
         "src/core/lib/security/credentials/google_default/google_default_credentials.h",
         "src/core/lib/security/credentials/iam/iam_credentials.cc",
         "src/core/lib/security/credentials/iam/iam_credentials.h",
+        "src/core/lib/security/credentials/insecure/insecure_credentials.cc",
         "src/core/lib/security/credentials/jwt/json_token.cc",
         "src/core/lib/security/credentials/jwt/json_token.h",
         "src/core/lib/security/credentials/jwt/jwt_credentials.cc",
@@ -877,6 +878,8 @@ config("grpc_config") {
         "src/core/lib/security/security_connector/alts/alts_security_connector.h",
         "src/core/lib/security/security_connector/fake/fake_security_connector.cc",
         "src/core/lib/security/security_connector/fake/fake_security_connector.h",
+        "src/core/lib/security/security_connector/insecure/insecure_security_connector.cc",
+        "src/core/lib/security/security_connector/insecure/insecure_security_connector.h",
         "src/core/lib/security/security_connector/load_system_roots.h",
         "src/core/lib/security/security_connector/load_system_roots_fallback.cc",
         "src/core/lib/security/security_connector/load_system_roots_linux.cc",

+ 97 - 0
CMakeLists.txt

@@ -841,6 +841,7 @@ if(gRPC_BUILD_TESTS)
   add_dependencies(buildtests_cxx hybrid_end2end_test)
   add_dependencies(buildtests_cxx init_test)
   add_dependencies(buildtests_cxx initial_settings_frame_bad_client_test)
+  add_dependencies(buildtests_cxx insecure_security_connector_test)
   add_dependencies(buildtests_cxx interop_client)
   add_dependencies(buildtests_cxx interop_server)
   if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
@@ -924,6 +925,7 @@ if(gRPC_BUILD_TESTS)
     add_dependencies(buildtests_cxx writes_per_rpc_test)
   endif()
   add_dependencies(buildtests_cxx xds_bootstrap_test)
+  add_dependencies(buildtests_cxx xds_credentials_end2end_test)
   if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
     add_dependencies(buildtests_cxx xds_end2end_test)
   endif()
@@ -1757,6 +1759,7 @@ add_library(grpc
   src/core/lib/security/credentials/google_default/credentials_generic.cc
   src/core/lib/security/credentials/google_default/google_default_credentials.cc
   src/core/lib/security/credentials/iam/iam_credentials.cc
+  src/core/lib/security/credentials/insecure/insecure_credentials.cc
   src/core/lib/security/credentials/jwt/json_token.cc
   src/core/lib/security/credentials/jwt/jwt_credentials.cc
   src/core/lib/security/credentials/jwt/jwt_verifier.cc
@@ -1770,6 +1773,7 @@ add_library(grpc
   src/core/lib/security/credentials/xds/xds_credentials.cc
   src/core/lib/security/security_connector/alts/alts_security_connector.cc
   src/core/lib/security/security_connector/fake/fake_security_connector.cc
+  src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
   src/core/lib/security/security_connector/load_system_roots_fallback.cc
   src/core/lib/security/security_connector/load_system_roots_linux.cc
   src/core/lib/security/security_connector/local/local_security_connector.cc
@@ -12109,6 +12113,45 @@ target_link_libraries(initial_settings_frame_bad_client_test
 )
 
 
+endif()
+if(gRPC_BUILD_TESTS)
+
+add_executable(insecure_security_connector_test
+  test/core/security/insecure_security_connector_test.cc
+  third_party/googletest/googletest/src/gtest-all.cc
+  third_party/googletest/googlemock/src/gmock-all.cc
+)
+
+target_include_directories(insecure_security_connector_test
+  PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_SOURCE_DIR}/include
+    ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+    ${_gRPC_RE2_INCLUDE_DIR}
+    ${_gRPC_SSL_INCLUDE_DIR}
+    ${_gRPC_UPB_GENERATED_DIR}
+    ${_gRPC_UPB_GRPC_GENERATED_DIR}
+    ${_gRPC_UPB_INCLUDE_DIR}
+    ${_gRPC_ZLIB_INCLUDE_DIR}
+    third_party/googletest/googletest/include
+    third_party/googletest/googletest
+    third_party/googletest/googlemock/include
+    third_party/googletest/googlemock
+    ${_gRPC_PROTO_GENS_DIR}
+)
+
+target_link_libraries(insecure_security_connector_test
+  ${_gRPC_PROTOBUF_LIBRARIES}
+  ${_gRPC_ALLTARGETS_LIBRARIES}
+  grpc_test_util
+  grpc
+  gpr
+  address_sorting
+  upb
+  ${_gRPC_GFLAGS_LIBRARIES}
+)
+
+
 endif()
 if(gRPC_BUILD_TESTS)
 
@@ -14981,6 +15024,60 @@ target_link_libraries(xds_bootstrap_test
 )
 
 
+endif()
+if(gRPC_BUILD_TESTS)
+
+add_executable(xds_credentials_end2end_test
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.h
+  test/cpp/end2end/test_service_impl.cc
+  test/cpp/end2end/xds_credentials_end2end_test.cc
+  third_party/googletest/googletest/src/gtest-all.cc
+  third_party/googletest/googlemock/src/gmock-all.cc
+)
+
+target_include_directories(xds_credentials_end2end_test
+  PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_SOURCE_DIR}/include
+    ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+    ${_gRPC_RE2_INCLUDE_DIR}
+    ${_gRPC_SSL_INCLUDE_DIR}
+    ${_gRPC_UPB_GENERATED_DIR}
+    ${_gRPC_UPB_GRPC_GENERATED_DIR}
+    ${_gRPC_UPB_INCLUDE_DIR}
+    ${_gRPC_ZLIB_INCLUDE_DIR}
+    third_party/googletest/googletest/include
+    third_party/googletest/googletest
+    third_party/googletest/googlemock/include
+    third_party/googletest/googlemock
+    ${_gRPC_PROTO_GENS_DIR}
+)
+
+target_link_libraries(xds_credentials_end2end_test
+  ${_gRPC_PROTOBUF_LIBRARIES}
+  ${_gRPC_ALLTARGETS_LIBRARIES}
+  grpc++_test_util
+  grpc_test_util
+  grpc++
+  grpc
+  gpr
+  address_sorting
+  upb
+  ${_gRPC_GFLAGS_LIBRARIES}
+)
+
+
 endif()
 if(gRPC_BUILD_TESTS)
 if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)

+ 4 - 0
Makefile

@@ -2160,6 +2160,7 @@ LIBGRPC_SRC = \
     src/core/lib/security/credentials/google_default/credentials_generic.cc \
     src/core/lib/security/credentials/google_default/google_default_credentials.cc \
     src/core/lib/security/credentials/iam/iam_credentials.cc \
+    src/core/lib/security/credentials/insecure/insecure_credentials.cc \
     src/core/lib/security/credentials/jwt/json_token.cc \
     src/core/lib/security/credentials/jwt/jwt_credentials.cc \
     src/core/lib/security/credentials/jwt/jwt_verifier.cc \
@@ -2173,6 +2174,7 @@ LIBGRPC_SRC = \
     src/core/lib/security/credentials/xds/xds_credentials.cc \
     src/core/lib/security/security_connector/alts/alts_security_connector.cc \
     src/core/lib/security/security_connector/fake/fake_security_connector.cc \
+    src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
     src/core/lib/security/security_connector/load_system_roots_fallback.cc \
     src/core/lib/security/security_connector/load_system_roots_linux.cc \
     src/core/lib/security/security_connector/local/local_security_connector.cc \
@@ -4611,6 +4613,7 @@ src/core/lib/security/credentials/fake/fake_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/google_default/credentials_generic.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/google_default/google_default_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/iam/iam_credentials.cc: $(OPENSSL_DEP)
+src/core/lib/security/credentials/insecure/insecure_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/jwt/json_token.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/jwt/jwt_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/jwt/jwt_verifier.cc: $(OPENSSL_DEP)
@@ -4624,6 +4627,7 @@ src/core/lib/security/credentials/tls/tls_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/xds/xds_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/alts/alts_security_connector.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/fake/fake_security_connector.cc: $(OPENSSL_DEP)
+src/core/lib/security/security_connector/insecure/insecure_security_connector.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/load_system_roots_fallback.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/load_system_roots_linux.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/local/local_security_connector.cc: $(OPENSSL_DEP)

+ 36 - 0
build_autogenerated.yaml

@@ -698,6 +698,7 @@ libs:
   - src/core/lib/security/credentials/xds/xds_credentials.h
   - src/core/lib/security/security_connector/alts/alts_security_connector.h
   - src/core/lib/security/security_connector/fake/fake_security_connector.h
+  - src/core/lib/security/security_connector/insecure/insecure_security_connector.h
   - src/core/lib/security/security_connector/load_system_roots.h
   - src/core/lib/security/security_connector/load_system_roots_linux.h
   - src/core/lib/security/security_connector/local/local_security_connector.h
@@ -1115,6 +1116,7 @@ libs:
   - src/core/lib/security/credentials/google_default/credentials_generic.cc
   - src/core/lib/security/credentials/google_default/google_default_credentials.cc
   - src/core/lib/security/credentials/iam/iam_credentials.cc
+  - src/core/lib/security/credentials/insecure/insecure_credentials.cc
   - src/core/lib/security/credentials/jwt/json_token.cc
   - src/core/lib/security/credentials/jwt/jwt_credentials.cc
   - src/core/lib/security/credentials/jwt/jwt_verifier.cc
@@ -1128,6 +1130,7 @@ libs:
   - src/core/lib/security/credentials/xds/xds_credentials.cc
   - src/core/lib/security/security_connector/alts/alts_security_connector.cc
   - src/core/lib/security/security_connector/fake/fake_security_connector.cc
+  - src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
   - src/core/lib/security/security_connector/load_system_roots_fallback.cc
   - src/core/lib/security/security_connector/load_system_roots_linux.cc
   - src/core/lib/security/security_connector/local/local_security_connector.cc
@@ -6261,6 +6264,19 @@ targets:
   - gpr
   - address_sorting
   - upb
+- name: insecure_security_connector_test
+  gtest: true
+  build: test
+  language: c++
+  headers: []
+  src:
+  - test/core/security/insecure_security_connector_test.cc
+  deps:
+  - grpc_test_util
+  - grpc
+  - gpr
+  - address_sorting
+  - upb
 - name: interop_client
   build: test
   run: false
@@ -7550,6 +7566,26 @@ targets:
   - gpr
   - address_sorting
   - upb
+- name: xds_credentials_end2end_test
+  gtest: true
+  build: test
+  language: c++
+  headers:
+  - test/cpp/end2end/test_service_impl.h
+  src:
+  - src/proto/grpc/testing/echo.proto
+  - src/proto/grpc/testing/echo_messages.proto
+  - src/proto/grpc/testing/simple_messages.proto
+  - test/cpp/end2end/test_service_impl.cc
+  - test/cpp/end2end/xds_credentials_end2end_test.cc
+  deps:
+  - grpc++_test_util
+  - grpc_test_util
+  - grpc++
+  - grpc
+  - gpr
+  - address_sorting
+  - upb
 - name: xds_end2end_test
   gtest: true
   build: test

+ 4 - 0
config.m4

@@ -422,6 +422,7 @@ if test "$PHP_GRPC" != "no"; then
     src/core/lib/security/credentials/google_default/credentials_generic.cc \
     src/core/lib/security/credentials/google_default/google_default_credentials.cc \
     src/core/lib/security/credentials/iam/iam_credentials.cc \
+    src/core/lib/security/credentials/insecure/insecure_credentials.cc \
     src/core/lib/security/credentials/jwt/json_token.cc \
     src/core/lib/security/credentials/jwt/jwt_credentials.cc \
     src/core/lib/security/credentials/jwt/jwt_verifier.cc \
@@ -435,6 +436,7 @@ if test "$PHP_GRPC" != "no"; then
     src/core/lib/security/credentials/xds/xds_credentials.cc \
     src/core/lib/security/security_connector/alts/alts_security_connector.cc \
     src/core/lib/security/security_connector/fake/fake_security_connector.cc \
+    src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
     src/core/lib/security/security_connector/load_system_roots_fallback.cc \
     src/core/lib/security/security_connector/load_system_roots_linux.cc \
     src/core/lib/security/security_connector/local/local_security_connector.cc \
@@ -993,6 +995,7 @@ if test "$PHP_GRPC" != "no"; then
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/fake)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/google_default)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/iam)
+  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/insecure)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/jwt)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/local)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/oauth2)
@@ -1003,6 +1006,7 @@ if test "$PHP_GRPC" != "no"; then
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/alts)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/fake)
+  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/insecure)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/local)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/ssl)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/tls)

+ 4 - 0
config.w32

@@ -389,6 +389,7 @@ if (PHP_GRPC != "no") {
     "src\\core\\lib\\security\\credentials\\google_default\\credentials_generic.cc " +
     "src\\core\\lib\\security\\credentials\\google_default\\google_default_credentials.cc " +
     "src\\core\\lib\\security\\credentials\\iam\\iam_credentials.cc " +
+    "src\\core\\lib\\security\\credentials\\insecure\\insecure_credentials.cc " +
     "src\\core\\lib\\security\\credentials\\jwt\\json_token.cc " +
     "src\\core\\lib\\security\\credentials\\jwt\\jwt_credentials.cc " +
     "src\\core\\lib\\security\\credentials\\jwt\\jwt_verifier.cc " +
@@ -402,6 +403,7 @@ if (PHP_GRPC != "no") {
     "src\\core\\lib\\security\\credentials\\xds\\xds_credentials.cc " +
     "src\\core\\lib\\security\\security_connector\\alts\\alts_security_connector.cc " +
     "src\\core\\lib\\security\\security_connector\\fake\\fake_security_connector.cc " +
+    "src\\core\\lib\\security\\security_connector\\insecure\\insecure_security_connector.cc " +
     "src\\core\\lib\\security\\security_connector\\load_system_roots_fallback.cc " +
     "src\\core\\lib\\security\\security_connector\\load_system_roots_linux.cc " +
     "src\\core\\lib\\security\\security_connector\\local\\local_security_connector.cc " +
@@ -1036,6 +1038,7 @@ if (PHP_GRPC != "no") {
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\fake");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\google_default");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\iam");
+  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\insecure");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\jwt");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\local");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\oauth2");
@@ -1046,6 +1049,7 @@ if (PHP_GRPC != "no") {
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\alts");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\fake");
+  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\insecure");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\local");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\ssl");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\tls");

+ 2 - 0
gRPC-C++.podspec

@@ -548,6 +548,7 @@ Pod::Spec.new do |s|
                       'src/core/lib/security/credentials/xds/xds_credentials.h',
                       'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                       'src/core/lib/security/security_connector/fake/fake_security_connector.h',
+                      'src/core/lib/security/security_connector/insecure/insecure_security_connector.h',
                       'src/core/lib/security/security_connector/load_system_roots.h',
                       'src/core/lib/security/security_connector/load_system_roots_linux.h',
                       'src/core/lib/security/security_connector/local/local_security_connector.h',
@@ -1065,6 +1066,7 @@ Pod::Spec.new do |s|
                               'src/core/lib/security/credentials/xds/xds_credentials.h',
                               'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                               'src/core/lib/security/security_connector/fake/fake_security_connector.h',
+                              'src/core/lib/security/security_connector/insecure/insecure_security_connector.h',
                               'src/core/lib/security/security_connector/load_system_roots.h',
                               'src/core/lib/security/security_connector/load_system_roots_linux.h',
                               'src/core/lib/security/security_connector/local/local_security_connector.h',

+ 4 - 0
gRPC-Core.podspec

@@ -906,6 +906,7 @@ Pod::Spec.new do |s|
                       'src/core/lib/security/credentials/google_default/google_default_credentials.h',
                       'src/core/lib/security/credentials/iam/iam_credentials.cc',
                       'src/core/lib/security/credentials/iam/iam_credentials.h',
+                      'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
                       'src/core/lib/security/credentials/jwt/json_token.cc',
                       'src/core/lib/security/credentials/jwt/json_token.h',
                       'src/core/lib/security/credentials/jwt/jwt_credentials.cc',
@@ -932,6 +933,8 @@ Pod::Spec.new do |s|
                       'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                       'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
                       'src/core/lib/security/security_connector/fake/fake_security_connector.h',
+                      'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
+                      'src/core/lib/security/security_connector/insecure/insecure_security_connector.h',
                       'src/core/lib/security/security_connector/load_system_roots.h',
                       'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
                       'src/core/lib/security/security_connector/load_system_roots_linux.cc',
@@ -1502,6 +1505,7 @@ Pod::Spec.new do |s|
                               'src/core/lib/security/credentials/xds/xds_credentials.h',
                               'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                               'src/core/lib/security/security_connector/fake/fake_security_connector.h',
+                              'src/core/lib/security/security_connector/insecure/insecure_security_connector.h',
                               'src/core/lib/security/security_connector/load_system_roots.h',
                               'src/core/lib/security/security_connector/load_system_roots_linux.h',
                               'src/core/lib/security/security_connector/local/local_security_connector.h',

+ 3 - 0
grpc.gemspec

@@ -824,6 +824,7 @@ Gem::Specification.new do |s|
   s.files += %w( src/core/lib/security/credentials/google_default/google_default_credentials.h )
   s.files += %w( src/core/lib/security/credentials/iam/iam_credentials.cc )
   s.files += %w( src/core/lib/security/credentials/iam/iam_credentials.h )
+  s.files += %w( src/core/lib/security/credentials/insecure/insecure_credentials.cc )
   s.files += %w( src/core/lib/security/credentials/jwt/json_token.cc )
   s.files += %w( src/core/lib/security/credentials/jwt/json_token.h )
   s.files += %w( src/core/lib/security/credentials/jwt/jwt_credentials.cc )
@@ -850,6 +851,8 @@ Gem::Specification.new do |s|
   s.files += %w( src/core/lib/security/security_connector/alts/alts_security_connector.h )
   s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.cc )
   s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.h )
+  s.files += %w( src/core/lib/security/security_connector/insecure/insecure_security_connector.cc )
+  s.files += %w( src/core/lib/security/security_connector/insecure/insecure_security_connector.h )
   s.files += %w( src/core/lib/security/security_connector/load_system_roots.h )
   s.files += %w( src/core/lib/security/security_connector/load_system_roots_fallback.cc )
   s.files += %w( src/core/lib/security/security_connector/load_system_roots_linux.cc )

+ 2 - 0
grpc.gyp

@@ -786,6 +786,7 @@
         'src/core/lib/security/credentials/google_default/credentials_generic.cc',
         'src/core/lib/security/credentials/google_default/google_default_credentials.cc',
         'src/core/lib/security/credentials/iam/iam_credentials.cc',
+        'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
         'src/core/lib/security/credentials/jwt/json_token.cc',
         'src/core/lib/security/credentials/jwt/jwt_credentials.cc',
         'src/core/lib/security/credentials/jwt/jwt_verifier.cc',
@@ -799,6 +800,7 @@
         'src/core/lib/security/credentials/xds/xds_credentials.cc',
         'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
         'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
+        'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
         'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
         'src/core/lib/security/security_connector/load_system_roots_linux.cc',
         'src/core/lib/security/security_connector/local/local_security_connector.cc',

+ 7 - 0
include/grpc/grpc_security.h

@@ -1029,6 +1029,13 @@ grpc_channel_credentials* grpc_tls_credentials_create(
 grpc_server_credentials* grpc_tls_server_credentials_create(
     grpc_tls_credentials_options* options);
 
+/**
+ * EXPERIMENTAL API - Subject to change
+ *
+ * This method creates an insecure channel credentials object.
+ */
+grpc_channel_credentials* grpc_insecure_credentials_create();
+
 /**
  * EXPERIMENTAL API - Subject to change
  *
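Review bot: The declaration `grpc_channel_credentials* grpc_insecure_credentials_create();` uses an empty parameter list, which in C before C23 declares a function with unspecified arguments rather than none; if this header is consumed as C, `grpc_insecure_credentials_create(void);` is the safer spelling. The doc comment also does not say what "insecure" means for a caller. The connector added in this commit creates an auth context with security level TSI_SECURITY_NONE, so a line such as `Channels using these credentials presumably get no encryption or peer authentication.` (to be confirmed against the implementation) would make the risk visible at the API surface. Ownership is not stated either; presumably the caller releases the object with grpc_channel_credentials_release(), which is worth confirming and documenting.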

+ 17 - 1
include/grpcpp/security/credentials.h

@@ -54,7 +54,11 @@ std::shared_ptr<grpc::Channel> CreateCustomChannelWithInterceptors(
     std::vector<
         std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
         interceptor_creators);
-}
+
+/// Builds XDS Credentials.
+std::shared_ptr<ChannelCredentials> XdsCredentials(
+    const std::shared_ptr<ChannelCredentials>& fallback_creds);
+}  // namespace experimental
 
 /// A channel credentials object encapsulates all the state needed by a client
 /// to authenticate with a server for a given channel.
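Review bot: The new comment `/// Builds XDS Credentials.` on XdsCredentials() does not say what `fallback_creds` is for or when it is used. Because the commit title says insecure channel credentials are supported, a reader needs to know when the channel ends up on the fallback, and that passing insecure credentials there can presumably yield a plaintext channel; the implementation is outside this hunk, so the wording should be checked against it. It would also help to state whether a null `fallback_creds` is accepted. An `EXPERIMENTAL API - Subject to change` marker like the one added in grpc_security.h would be consistent, since the function is declared in `namespace experimental`.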
@@ -72,6 +76,13 @@ class ChannelCredentials : private grpc::GrpcLibraryCodegen {
       const std::shared_ptr<ChannelCredentials>& channel_creds,
       const std::shared_ptr<CallCredentials>& call_creds);
 
+  // TODO(yashykt): We need this friend declaration mainly for access to
+  // AsSecureCredentials(). Once we are able to remove insecure builds from gRPC
+  // (and also internal dependencies on the indirect method of creating a
+  // channel through credentials), we would be able to remove this.
+  friend std::shared_ptr<ChannelCredentials> grpc::experimental::XdsCredentials(
+      const std::shared_ptr<ChannelCredentials>& fallback_creds);
+
   virtual SecureChannelCredentials* AsSecureCredentials() = 0;
 
  private:
@@ -101,6 +112,11 @@ class ChannelCredentials : private grpc::GrpcLibraryCodegen {
       /*interceptor_creators*/) {
     return nullptr;
   }
+
+  // TODO(yashkt): This is a hack that is needed since InsecureCredentials can
+  // not use grpc_channel_credentials internally and should be removed after
+  // insecure builds are removed from gRPC.
+  virtual bool IsInsecure() const { return false; }
 };
 
 /// A call credentials object encapsulates the state needed by a client to
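Review bot: The TODO on `IsInsecure()` is tagged `TODO(yashkt)` while the friend-declaration TODO in the previous hunk of this file uses `TODO(yashykt)`; one is likely a typo, and the tags should match so the two items can be found together. The comment explains why the hook exists but not its contract; a line such as `// Returns true only for credentials that provide no transport security.` would make clear what the `false` default means for every other implementation. With that default, a subclass that represents insecure credentials but forgets to override would presumably be treated as secure by callers, which deserves a mention. The class body starts and ends outside this hunk.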

+ 3 - 0
package.xml

@@ -804,6 +804,7 @@
     <file baseinstalldir="/" name="src/core/lib/security/credentials/google_default/google_default_credentials.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/iam/iam_credentials.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/iam/iam_credentials.h" role="src" />
+    <file baseinstalldir="/" name="src/core/lib/security/credentials/insecure/insecure_credentials.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/json_token.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/json_token.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/jwt_credentials.cc" role="src" />
@@ -830,6 +831,8 @@
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/alts/alts_security_connector.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/fake/fake_security_connector.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/fake/fake_security_connector.h" role="src" />
+    <file baseinstalldir="/" name="src/core/lib/security/security_connector/insecure/insecure_security_connector.cc" role="src" />
+    <file baseinstalldir="/" name="src/core/lib/security/security_connector/insecure/insecure_security_connector.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_fallback.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_linux.cc" role="src" />

+ 51 - 0
src/core/lib/security/credentials/insecure/insecure_credentials.cc

@@ -0,0 +1,51 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
+
+namespace grpc_core {
+namespace {
+
+constexpr char kCredentialsTypeInsecure[] = "insecure";
+
+class InsecureCredentials final : public grpc_channel_credentials {
+ public:
+  explicit InsecureCredentials()
+      : grpc_channel_credentials(kCredentialsTypeInsecure) {}
+
+  grpc_core::RefCountedPtr<grpc_channel_security_connector>
+  create_security_connector(
+      grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
+      const char* /* target_name */, const grpc_channel_args* /* args */,
+      grpc_channel_args** /* new_args */) override {
+    return MakeRefCounted<InsecureChannelSecurityConnector>(
+        Ref(), std::move(call_creds));
+  }
+};
+
+}  // namespace
+}  // namespace grpc_core
+
+grpc_channel_credentials* grpc_insecure_credentials_create() {
+  return new grpc_core::InsecureCredentials();
+}
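Review bot: `create_security_connector` calls `std::move(call_creds)` but the file does not include `<utility>`, so it appears to rely on a transitive include from credentials.h or the connector header; adding `#include <utility>` keeps the file self-contained. `explicit` on the zero-argument constructor has no practical effect and can be dropped, and the `grpc_core::` qualifiers inside `namespace grpc_core` are redundant. A short class comment stating that these credentials yield a connector with no transport security would help anyone auditing where plaintext channels originate.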

+ 88 - 0
src/core/lib/security/security_connector/insecure/insecure_security_connector.cc

@@ -0,0 +1,88 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
+
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/security/transport/security_handshaker.h"
+#include "src/core/tsi/local_transport_security.h"
+
+namespace grpc_core {
+
+const char kInsecureTransportSecurityType[] = "insecure";
+
+// check_call_host and cancel_check_call_host are no-ops since we want to
+// provide an insecure channel.
+bool InsecureChannelSecurityConnector::check_call_host(
+    absl::string_view host, grpc_auth_context* auth_context,
+    grpc_closure* on_call_host_checked, grpc_error** error) {
+  *error = GRPC_ERROR_NONE;
+  return true;
+}
+
+void InsecureChannelSecurityConnector::cancel_check_call_host(
+    grpc_closure* on_call_host_checked, grpc_error* error) {
+  GRPC_ERROR_UNREF(error);
+}
+
+// add_handshakers should have been a no-op but we need to add a minimalist
+// security handshaker so that check_peer is invoked and an auth_context is
+// created with the security level of TSI_SECURITY_NONE.
+void InsecureChannelSecurityConnector::add_handshakers(
+    const grpc_channel_args* args, grpc_pollset_set* /* interested_parties */,
+    HandshakeManager* handshake_manager) {
+  tsi_handshaker* handshaker = nullptr;
+  // Re-use local_tsi_handshaker_create as a minimalist handshaker.
+  GPR_ASSERT(tsi_local_handshaker_create(true /* is_client */, &handshaker) ==
+             TSI_OK);
+  handshake_manager->Add(SecurityHandshakerCreate(handshaker, this, args));
+}
+
+void InsecureChannelSecurityConnector::check_peer(
+    tsi_peer peer, grpc_endpoint* ep,
+    RefCountedPtr<grpc_auth_context>* auth_context,
+    grpc_closure* on_peer_checked) {
+  *auth_context = MakeAuthContext();
+  tsi_peer_destruct(&peer);
+  ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, GRPC_ERROR_NONE);
+}
+
+int InsecureChannelSecurityConnector::cmp(
+    const grpc_security_connector* other_sc) const {
+  return channel_security_connector_cmp(
+      static_cast<const grpc_channel_security_connector*>(other_sc));
+}
+
+RefCountedPtr<grpc_auth_context>
+InsecureChannelSecurityConnector::MakeAuthContext() {
+  auto ctx = MakeRefCounted<grpc_auth_context>(nullptr);
+  grpc_auth_context_add_cstring_property(
+      ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
+      kInsecureTransportSecurityType);
+  GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
+                 ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME) == 1);
+  const char* security_level = tsi_security_level_to_string(TSI_SECURITY_NONE);
+  grpc_auth_context_add_property(ctx.get(),
+                                 GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
+                                 security_level, strlen(security_level));
+  return ctx;
+}
+
+}  // namespace grpc_core
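Review bot: `MakeAuthContext()` registers `GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME` as the peer identity property, so the auth context of a peer that was never verified still carries a peer identity (the literal "insecure"). If any consumer treats "a peer identity property is set" as "the peer is authenticated" (I believe `grpc_auth_context_peer_is_authenticated()` works that way, please confirm), this context will read as authenticated. If the identity must stay for the existence check described in the header, document it at the call: `// Not a verified identity: set only so the context is well-formed; never use it for authorization.` Separately, `strlen` is used without `#include <string.h>`, and `check_call_host` and `check_peer` keep unused parameters named while `add_handshakers` comments them out.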

+ 70 - 0
src/core/lib/security/security_connector/insecure/insecure_security_connector.h

@@ -0,0 +1,70 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H
+#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/context/security_context.h"
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/security_connector/security_connector.h"
+
+namespace grpc_core {
+
+extern const char kInsecureTransportSecurityType[];
+
+class InsecureChannelSecurityConnector
+    : public grpc_channel_security_connector {
+ public:
+  InsecureChannelSecurityConnector(
+      grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+      grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds)
+      : grpc_channel_security_connector(/* url_scheme */ nullptr,
+                                        std::move(channel_creds),
+                                        std::move(request_metadata_creds)) {}
+
+  bool check_call_host(absl::string_view host, grpc_auth_context* auth_context,
+                       grpc_closure* on_call_host_checked,
+                       grpc_error** error) override;
+
+  void cancel_check_call_host(grpc_closure* on_call_host_checked,
+                              grpc_error* error) override;
+
+  void add_handshakers(const grpc_channel_args* args,
+                       grpc_pollset_set* /* interested_parties */,
+                       grpc_core::HandshakeManager* handshake_manager) override;
+
+  void check_peer(tsi_peer peer, grpc_endpoint* ep,
+                  grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
+                  grpc_closure* on_peer_checked) override;
+
+  int cmp(const grpc_security_connector* other_sc) const override;
+
+  // Exposed for testing purposes only.
+  // Create an auth context which is necessary to pass the santiy check in
+  // client_auth_filter that verifies if the peer's auth context is obtained
+  // during handshakes. The auth context is only checked for its existence and
+  // not actually used.
+  static RefCountedPtr<grpc_auth_context> MakeAuthContext();
+};
+
+}  // namespace grpc_core
+
+#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H \
+        */
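Review bot: `InsecureChannelSecurityConnector` has no class-level comment describing what it deliberately skips, and the only comment in the class, on `MakeAuthContext`, has a typo ("santiy" should be "sanity"). Suggested comment above the class: `// Security connector for channels without transport security: check_call_host always succeeds and check_peer accepts any peer.` The header also names `absl::string_view` and `std::move` without including `absl/strings/string_view.h` or `<utility>`. The class could be marked `final`, as `InsecureCredentials` is.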

+ 2 - 2
src/core/lib/security/security_connector/local/local_security_connector.cc

@@ -157,7 +157,7 @@ class grpc_local_channel_security_connector final
       const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
       grpc_core::HandshakeManager* handshake_manager) override {
     tsi_handshaker* handshaker = nullptr;
-    GPR_ASSERT(local_tsi_handshaker_create(true /* is_client */, &handshaker) ==
+    GPR_ASSERT(tsi_local_handshaker_create(true /* is_client */, &handshaker) ==
                TSI_OK);
     handshake_manager->Add(
         grpc_core::SecurityHandshakerCreate(handshaker, this, args));
@@ -215,7 +215,7 @@ class grpc_local_server_security_connector final
       const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
       grpc_core::HandshakeManager* handshake_manager) override {
     tsi_handshaker* handshaker = nullptr;
-    GPR_ASSERT(local_tsi_handshaker_create(false /* is_client */,
+    GPR_ASSERT(tsi_local_handshaker_create(false /* is_client */,
                                            &handshaker) == TSI_OK);
     handshake_manager->Add(
         grpc_core::SecurityHandshakerCreate(handshaker, this, args));

+ 5 - 1
src/core/tsi/local_transport_security.cc

@@ -31,6 +31,8 @@
 #include "src/core/lib/iomgr/exec_ctx.h"
 #include "src/core/tsi/transport_security_grpc.h"
 
+namespace {
+
 /* Main struct for local TSI zero-copy frame protector. */
 typedef struct local_zero_copy_grpc_protector {
   tsi_zero_copy_grpc_protector base;
@@ -197,7 +199,9 @@ static const tsi_handshaker_vtable handshaker_vtable = {
     nullptr, /* shutdown */
 };
 
-tsi_result local_tsi_handshaker_create(bool is_client, tsi_handshaker** self) {
+}  // namespace
+
+tsi_result tsi_local_handshaker_create(bool is_client, tsi_handshaker** self) {
   if (self == nullptr) {
     gpr_log(GPR_ERROR, "Invalid arguments to local_tsi_handshaker_create()");
     return TSI_INVALID_ARGUMENT;
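Review bot: The error string in the context line `gpr_log(GPR_ERROR, "Invalid arguments to local_tsi_handshaker_create()");` still names the old function after the rename to `tsi_local_handshaker_create`, so anyone grepping a log for the reported name will find nothing. Change it to `"Invalid arguments to tsi_local_handshaker_create()"`. The function body continues outside the hunk, so any further messages there may need the same update.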

+ 6 - 7
src/core/tsi/local_transport_security.h

@@ -29,12 +29,6 @@
 #define TSI_LOCAL_NUM_OF_PEER_PROPERTIES 1
 #define TSI_LOCAL_PROCESS_ID_PEER_PROPERTY "process_id"
 
-/**
- * Main struct for local TSI handshaker. All APIs in the header are
- * thread-comptabile.
- */
-typedef struct local_tsi_handshaker local_tsi_handshaker;
-
 /**
  * This method creates a local TSI handshaker instance.
  *
@@ -45,7 +39,12 @@ typedef struct local_tsi_handshaker local_tsi_handshaker;
  *   method.
  *
  * It returns TSI_OK on success and an error status code on failure.
+ *
+ * This handshaker is also being used as a minimalist handshaker for insecure
+ * security connector. If this handshaker ever needs to do anything more that
+ * does not fit with an insecure connector, we would need to add a separate
+ * handshaker for insecure connectors.
  */
-tsi_result local_tsi_handshaker_create(bool is_client, tsi_handshaker** self);
+tsi_result tsi_local_handshaker_create(bool is_client, tsi_handshaker** self);
 
 #endif /* GRPC_CORE_TSI_LOCAL_TRANSPORT_SECURITY_H */

+ 3 - 0
src/cpp/client/insecure_credentials.cc

@@ -51,6 +51,9 @@ class InsecureChannelCredentialsImpl final : public ChannelCredentials {
   }
 
   SecureChannelCredentials* AsSecureCredentials() override { return nullptr; }
+
+ private:
+  bool IsInsecure() const override { return true; }
 };
 }  // namespace
 

+ 17 - 0
src/cpp/client/secure_credentials.cc

@@ -28,6 +28,7 @@
 #include <grpcpp/impl/grpc_library.h>
 #include <grpcpp/support/channel_arguments.h>
 
+// TODO(yashykt): We shouldn't be including "src/core" headers.
 #include "src/core/lib/gpr/env.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/iomgr/executor.h"
@@ -294,6 +295,22 @@ std::shared_ptr<ChannelCredentials> TlsCredentials(
       grpc_tls_credentials_create(options.c_credentials_options()));
 }
 
+// Builds XDS Credentials
+std::shared_ptr<ChannelCredentials> XdsCredentials(
+    const std::shared_ptr<ChannelCredentials>& fallback_creds) {
+  if (fallback_creds->IsInsecure()) {
+    grpc_channel_credentials* insecure_creds =
+        grpc_insecure_credentials_create();
+    auto xds_creds =
+        WrapChannelCredentials(grpc_xds_credentials_create(insecure_creds));
+    grpc_channel_credentials_release(insecure_creds);
+    return xds_creds;
+  } else {
+    return WrapChannelCredentials(grpc_xds_credentials_create(
+        fallback_creds->AsSecureCredentials()->GetRawCreds()));
+  }
+}
+
 }  // namespace experimental
 
 // Builds credentials for use when running in GCE
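Review bot: `XdsCredentials` dereferences `fallback_creds`, and then the result of `AsSecureCredentials()`, without a null check. The insecure implementation touched in this same commit returns `nullptr` from `AsSecureCredentials()`, so a credentials object that is neither insecure nor backed by secure credentials would crash in the `else` branch. Guard both, with `GPR_ASSERT(fallback_creds != nullptr);` at the top and `auto* secure = fallback_creds->AsSecureCredentials(); GPR_ASSERT(secure != nullptr);` before calling `secure->GetRawCreds()`. The `// Builds XDS Credentials` comment should also say that an insecure fallback gives an unencrypted, unauthenticated channel whenever the fallback is used.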

+ 1 - 0
src/cpp/client/secure_credentials.h

@@ -26,6 +26,7 @@
 #include <grpcpp/support/config.h>
 
 #include "absl/strings/str_cat.h"
+// TODO(yashykt): We shouldn't be including "src/core" headers.
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/cpp/server/thread_pool_interface.h"
 

+ 2 - 0
src/python/grpcio/grpc_core_dependencies.py

@@ -398,6 +398,7 @@ CORE_SOURCE_FILES = [
     'src/core/lib/security/credentials/google_default/credentials_generic.cc',
     'src/core/lib/security/credentials/google_default/google_default_credentials.cc',
     'src/core/lib/security/credentials/iam/iam_credentials.cc',
+    'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
     'src/core/lib/security/credentials/jwt/json_token.cc',
     'src/core/lib/security/credentials/jwt/jwt_credentials.cc',
     'src/core/lib/security/credentials/jwt/jwt_verifier.cc',
@@ -411,6 +412,7 @@ CORE_SOURCE_FILES = [
     'src/core/lib/security/credentials/xds/xds_credentials.cc',
     'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
     'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
+    'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
     'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
     'src/core/lib/security/security_connector/load_system_roots_linux.cc',
     'src/core/lib/security/security_connector/local/local_security_connector.cc',

+ 14 - 0
test/core/security/BUILD

@@ -326,3 +326,17 @@ grpc_cc_test(
         "//test/core/util:grpc_test_util",
     ],
 )
+
+grpc_cc_test(
+    name = "insecure_security_connector_test",
+    srcs = ["insecure_security_connector_test.cc"],
+    external_deps = [
+        "gtest",
+    ],
+    deps = [
+        "//:gpr",
+        "//:grpc",
+        "//:grpc_secure",
+        "//test/core/util:grpc_test_util",
+    ],
+)

+ 59 - 0
test/core/security/insecure_security_connector_test.cc

@@ -0,0 +1,59 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <gmock/gmock.h>
+#include <gtest/gtest.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
+#include "src/core/tsi/transport_security.h"
+#include "test/core/util/test_config.h"
+
+namespace grpc_core {
+namespace testing {
+namespace {
+
+TEST(InsecureSecurityConnector, MakeAuthContextTest) {
+  auto auth_context = InsecureChannelSecurityConnector::MakeAuthContext();
+  // Verify that peer identity is set
+  auto it = grpc_auth_context_peer_identity(auth_context.get());
+  const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
+  ASSERT_NE(prop, nullptr);
+  EXPECT_STREQ(prop->name, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME);
+  EXPECT_STREQ(prop->value, kInsecureTransportSecurityType);
+  // Verify that security level is set to none
+  it = grpc_auth_context_find_properties_by_name(
+      auth_context.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME);
+  prop = grpc_auth_property_iterator_next(&it);
+  ASSERT_NE(prop, nullptr);
+  EXPECT_EQ(grpc_tsi_security_level_string_to_enum(prop->value),
+            GRPC_SECURITY_NONE);
+}
+
+}  // namespace
+}  // namespace testing
+}  // namespace grpc_core
+
+int main(int argc, char** argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+  grpc::testing::TestEnvironment env(argc, argv);
+  const auto result = RUN_ALL_TESTS();
+  return result;
+}
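Review bot: The test covers only `MakeAuthContext()`, so `check_peer` and `check_call_host`, which accept every peer and host, are never exercised. The peer-identity check also reads just the first property; add `EXPECT_EQ(grpc_auth_property_iterator_next(&it), nullptr);` after the identity assertions so an unexpected extra identity property is caught. A further case could drive `check_peer` and assert that the context it hands back reports the "none" security level. `<gmock/gmock.h>` appears unused in this file.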

+ 18 - 0
test/cpp/end2end/BUILD

@@ -811,3 +811,21 @@ grpc_cc_test(
         "//test/cpp/util:test_util",
     ],
 )
+
+grpc_cc_test(
+    name = "xds_credentials_end2end_test",
+    srcs = ["xds_credentials_end2end_test.cc"],
+    external_deps = [
+        "gtest",
+    ],
+    deps = [
+        ":test_service_impl",
+        "//:gpr",
+        "//:grpc",
+        "//:grpc++",
+        "//src/proto/grpc/testing:echo_messages_proto",
+        "//src/proto/grpc/testing:echo_proto",
+        "//test/core/util:grpc_test_util",
+        "//test/cpp/util:test_util",
+    ],
+)

+ 86 - 0
test/cpp/end2end/xds_credentials_end2end_test.cc

@@ -0,0 +1,86 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <gmock/gmock.h>
+#include <gtest/gtest.h>
+
+#include <grpc/grpc.h>
+#include <grpcpp/server_builder.h>
+
+#include "test/core/util/port.h"
+#include "test/core/util/test_config.h"
+#include "test/cpp/end2end/test_service_impl.h"
+#include "test/cpp/util/test_credentials_provider.h"
+
+namespace grpc {
+namespace testing {
+namespace {
+
+class XdsCredentialsEnd2EndFallbackTest
+    : public ::testing::TestWithParam<const char*> {
+ protected:
+  XdsCredentialsEnd2EndFallbackTest() {
+    int port = grpc_pick_unused_port_or_die();
+    ServerBuilder builder;
+    server_address_ = "localhost:" + std::to_string(port);
+    builder.AddListeningPort(
+        server_address_,
+        GetCredentialsProvider()->GetServerCredentials(GetParam()));
+    builder.RegisterService(&service_);
+    server_ = builder.BuildAndStart();
+  }
+
+  std::string server_address_;
+  TestServiceImpl service_;
+  std::unique_ptr<Server> server_;
+};
+
+TEST_P(XdsCredentialsEnd2EndFallbackTest, NoXdsSchemeInTarget) {
+  // Target does not use 'xds:///' scheme and should result in using fallback
+  // credentials.
+  ChannelArguments args;
+  auto channel = grpc::CreateCustomChannel(
+      server_address_,
+      grpc::experimental::XdsCredentials(
+          GetCredentialsProvider()->GetChannelCredentials(GetParam(), &args)),
+      args);
+  auto stub = grpc::testing::EchoTestService::NewStub(channel);
+  ClientContext ctx;
+  EchoRequest req;
+  req.set_message("Hello");
+  EchoResponse resp;
+  Status s = stub->Echo(&ctx, req, &resp);
+  EXPECT_EQ(s.ok(), true);
+  EXPECT_EQ(resp.message(), "Hello");
+}
+
+INSTANTIATE_TEST_SUITE_P(XdsCredentialsEnd2EndFallback,
+                         XdsCredentialsEnd2EndFallbackTest,
+                         ::testing::ValuesIn(std::vector<const char*>(
+                             {kInsecureCredentialsType, kTlsCredentialsType})));
+
+}  // namespace
+}  // namespace testing
+}  // namespace grpc
+
+int main(int argc, char** argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+  grpc::testing::TestEnvironment env(argc, argv);
+  const auto result = RUN_ALL_TESTS();
+  return result;
+}
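Review bot: `EXPECT_EQ(s.ok(), true)` hides the failure reason, and nothing checks that `BuildAndStart()` returned a server before the RPC is issued. Use `EXPECT_TRUE(s.ok()) << s.error_message();` and start the test body with `ASSERT_NE(server_, nullptr);`. The test also only shows that the echo succeeds for each credential type. Asserting the negotiated transport security type from `ctx.auth_context()` after the call would pin that the fallback credentials were actually applied, assuming that property is populated on the client side.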

+ 3 - 0
tools/doxygen/Doxyfile.c++.internal

@@ -1760,6 +1760,7 @@ src/core/lib/security/credentials/google_default/google_default_credentials.cc \
 src/core/lib/security/credentials/google_default/google_default_credentials.h \
 src/core/lib/security/credentials/iam/iam_credentials.cc \
 src/core/lib/security/credentials/iam/iam_credentials.h \
+src/core/lib/security/credentials/insecure/insecure_credentials.cc \
 src/core/lib/security/credentials/jwt/json_token.cc \
 src/core/lib/security/credentials/jwt/json_token.h \
 src/core/lib/security/credentials/jwt/jwt_credentials.cc \
@@ -1786,6 +1787,8 @@ src/core/lib/security/security_connector/alts/alts_security_connector.cc \
 src/core/lib/security/security_connector/alts/alts_security_connector.h \
 src/core/lib/security/security_connector/fake/fake_security_connector.cc \
 src/core/lib/security/security_connector/fake/fake_security_connector.h \
+src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
+src/core/lib/security/security_connector/insecure/insecure_security_connector.h \
 src/core/lib/security/security_connector/load_system_roots.h \
 src/core/lib/security/security_connector/load_system_roots_fallback.cc \
 src/core/lib/security/security_connector/load_system_roots_linux.cc \

+ 3 - 0
tools/doxygen/Doxyfile.core.internal

@@ -1600,6 +1600,7 @@ src/core/lib/security/credentials/google_default/google_default_credentials.cc \
 src/core/lib/security/credentials/google_default/google_default_credentials.h \
 src/core/lib/security/credentials/iam/iam_credentials.cc \
 src/core/lib/security/credentials/iam/iam_credentials.h \
+src/core/lib/security/credentials/insecure/insecure_credentials.cc \
 src/core/lib/security/credentials/jwt/json_token.cc \
 src/core/lib/security/credentials/jwt/json_token.h \
 src/core/lib/security/credentials/jwt/jwt_credentials.cc \
@@ -1626,6 +1627,8 @@ src/core/lib/security/security_connector/alts/alts_security_connector.cc \
 src/core/lib/security/security_connector/alts/alts_security_connector.h \
 src/core/lib/security/security_connector/fake/fake_security_connector.cc \
 src/core/lib/security/security_connector/fake/fake_security_connector.h \
+src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
+src/core/lib/security/security_connector/insecure/insecure_security_connector.h \
 src/core/lib/security/security_connector/load_system_roots.h \
 src/core/lib/security/security_connector/load_system_roots_fallback.cc \
 src/core/lib/security/security_connector/load_system_roots_linux.cc \

+ 48 - 0
tools/run_tests/generated/tests.json

@@ -4789,6 +4789,30 @@
     ], 
     "uses_polling": true
   }, 
+  {
+    "args": [], 
+    "benchmark": false, 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "posix", 
+      "windows"
+    ], 
+    "cpu_cost": 1.0, 
+    "exclude_configs": [], 
+    "exclude_iomgrs": [], 
+    "flaky": false, 
+    "gtest": true, 
+    "language": "c++", 
+    "name": "insecure_security_connector_test", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "posix", 
+      "windows"
+    ], 
+    "uses_polling": true
+  }, 
   {
     "args": [], 
     "benchmark": false, 
@@ -6067,6 +6091,30 @@
     ], 
     "uses_polling": true
   }, 
+  {
+    "args": [], 
+    "benchmark": false, 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "posix", 
+      "windows"
+    ], 
+    "cpu_cost": 1.0, 
+    "exclude_configs": [], 
+    "exclude_iomgrs": [], 
+    "flaky": false, 
+    "gtest": true, 
+    "language": "c++", 
+    "name": "xds_credentials_end2end_test", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "posix", 
+      "windows"
+    ], 
+    "uses_polling": true
+  }, 
   {
     "args": [], 
     "boringssl": true,