grpc · easwars · May 29, 2024 · Apr 15, 2024 · May 11, 2024 · May 17, 2024
diff --git a/credentials/tls/certprovider/store.go b/credentials/tls/certprovider/store.go
@@ -19,6 +19,7 @@
 package certprovider
 
 import (
+	"context"
 	"fmt"
 	"sync"
 )
@@ -53,6 +54,23 @@ type wrappedProvider struct {
 	store    *store
 }
 
+// closedProvider always returns errProviderClosed error.
+type closedProvider struct{}
+
+func (c closedProvider) KeyMaterial(ctx context.Context) (*KeyMaterial, error) {
+	return nil, errProviderClosed
+}
+
+func (c closedProvider) Close() {
+}
+
+// singleCloseWrappedProvider wraps a provider instance with a reference count to avoid double
+// close still in use provider.
+type singleCloseWrappedProvider struct {
+	mu       sync.RWMutex
+	provider Provider
+}
+
 // store is a collection of provider instances, safe for concurrent access.
 type store struct {
 	mu        sync.Mutex
@@ -75,6 +93,25 @@ func (wp *wrappedProvider) Close() {
 	}
 }
 
+// Close overrides the Close method of the embedded provider to avoid release the
+// already released reference.
+func (w *singleCloseWrappedProvider) Close() {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	w.provider.Close()
+	w.provider = closedProvider{}
+}
+
+// KeyMaterial returns the key material sourced by the Provider.
+// Callers are expected to use the returned value as read-only.
+func (w *singleCloseWrappedProvider) KeyMaterial(ctx context.Context) (*KeyMaterial, error) {
+	w.mu.RLock()
+	defer w.mu.RUnlock()
+
+	return w.provider.KeyMaterial(ctx)
+}
+
 // BuildableConfig wraps parsed provider configuration and functionality to
 // instantiate provider instances.
 type BuildableConfig struct {
@@ -112,7 +149,7 @@ func (bc *BuildableConfig) Build(opts BuildOptions) (Provider, error) {
 	}
 	if wp, ok := provStore.providers[sk]; ok {
 		wp.refCount++
-		return wp, nil
+		return &singleCloseWrappedProvider{provider: wp}, nil
 	}
 
 	provider := bc.starter(opts)
@@ -126,7 +163,7 @@ func (bc *BuildableConfig) Build(opts BuildOptions) (Provider, error) {
 		store:    provStore,
 	}
 	provStore.providers[sk] = wp
-	return wp, nil
+	return &singleCloseWrappedProvider{provider: wp}, nil
 }
 
 // String returns the provider name and config as a colon separated string.