Merge pull request #24408 from yashykt/castore

Certificate Provider Store implementation

BUILD

@@ -1309,6 +1309,7 @@ grpc_cc_library(
     name = "grpc_xds_credentials",
     srcs = [
         "src/core/ext/xds/certificate_provider_registry.cc",
+        "src/core/ext/xds/certificate_provider_store.cc",
         "src/core/lib/security/credentials/xds/xds_credentials.cc",
     ],
     hdrs = [

BUILD.gn

@@ -719,6 +719,7 @@ config("grpc_config") {
         "src/core/ext/xds/certificate_provider_factory.h",
         "src/core/ext/xds/certificate_provider_registry.cc",
         "src/core/ext/xds/certificate_provider_registry.h",
+        "src/core/ext/xds/certificate_provider_store.cc",
         "src/core/ext/xds/certificate_provider_store.h",
         "src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc",
         "src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h",

CMakeLists.txt

@@ -788,6 +788,7 @@ if(gRPC_BUILD_TESTS)
   add_dependencies(buildtests_cxx byte_stream_test)
   add_dependencies(buildtests_cxx cancel_ares_query_test)
   add_dependencies(buildtests_cxx certificate_provider_registry_test)
+  add_dependencies(buildtests_cxx certificate_provider_store_test)
   add_dependencies(buildtests_cxx cfstream_test)
   add_dependencies(buildtests_cxx channel_arguments_test)
   add_dependencies(buildtests_cxx channel_filter_test)
@@ -1691,6 +1692,7 @@ add_library(grpc
   src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c
   src/core/ext/upbdefs-generated/validate/validate.upbdefs.c
   src/core/ext/xds/certificate_provider_registry.cc
+  src/core/ext/xds/certificate_provider_store.cc
   src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc
   src/core/ext/xds/xds_api.cc
   src/core/ext/xds/xds_bootstrap.cc
@@ -9743,6 +9745,45 @@ target_link_libraries(certificate_provider_registry_test
 )
 
 
+endif()
+if(gRPC_BUILD_TESTS)
+
+add_executable(certificate_provider_store_test
+  test/core/xds/certificate_provider_store_test.cc
+  third_party/googletest/googletest/src/gtest-all.cc
+  third_party/googletest/googlemock/src/gmock-all.cc
+)
+
+target_include_directories(certificate_provider_store_test
+  PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_SOURCE_DIR}/include
+    ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+    ${_gRPC_RE2_INCLUDE_DIR}
+    ${_gRPC_SSL_INCLUDE_DIR}
+    ${_gRPC_UPB_GENERATED_DIR}
+    ${_gRPC_UPB_GRPC_GENERATED_DIR}
+    ${_gRPC_UPB_INCLUDE_DIR}
+    ${_gRPC_ZLIB_INCLUDE_DIR}
+    third_party/googletest/googletest/include
+    third_party/googletest/googletest
+    third_party/googletest/googlemock/include
+    third_party/googletest/googlemock
+    ${_gRPC_PROTO_GENS_DIR}
+)
+
+target_link_libraries(certificate_provider_store_test
+  ${_gRPC_PROTOBUF_LIBRARIES}
+  ${_gRPC_ALLTARGETS_LIBRARIES}
+  grpc_test_util
+  grpc
+  gpr
+  address_sorting
+  upb
+  ${_gRPC_GFLAGS_LIBRARIES}
+)
+
+
 endif()
 if(gRPC_BUILD_TESTS)
 

Makefile

@@ -2105,6 +2105,7 @@ LIBGRPC_SRC = \
     src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c \
     src/core/ext/upbdefs-generated/validate/validate.upbdefs.c \
     src/core/ext/xds/certificate_provider_registry.cc \
+    src/core/ext/xds/certificate_provider_store.cc \
     src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc \
     src/core/ext/xds/xds_api.cc \
     src/core/ext/xds/xds_bootstrap.cc \
@@ -4763,6 +4764,7 @@ src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.c: $(OPENSS
 src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c: $(OPENSSL_DEP)
 src/core/ext/upbdefs-generated/validate/validate.upbdefs.c: $(OPENSSL_DEP)
 src/core/ext/xds/certificate_provider_registry.cc: $(OPENSSL_DEP)
+src/core/ext/xds/certificate_provider_store.cc: $(OPENSSL_DEP)
 src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc: $(OPENSSL_DEP)
 src/core/ext/xds/xds_api.cc: $(OPENSSL_DEP)
 src/core/ext/xds/xds_bootstrap.cc: $(OPENSSL_DEP)

build_autogenerated.yaml

@@ -1119,6 +1119,7 @@ libs:
   - src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c
   - src/core/ext/upbdefs-generated/validate/validate.upbdefs.c
   - src/core/ext/xds/certificate_provider_registry.cc
+  - src/core/ext/xds/certificate_provider_store.cc
   - src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc
   - src/core/ext/xds/xds_api.cc
   - src/core/ext/xds/xds_bootstrap.cc
@@ -5416,6 +5417,19 @@ targets:
   - gpr
   - address_sorting
   - upb
+- name: certificate_provider_store_test
+  gtest: true
+  build: test
+  language: c++
+  headers: []
+  src:
+  - test/core/xds/certificate_provider_store_test.cc
+  deps:
+  - grpc_test_util
+  - grpc
+  - gpr
+  - address_sorting
+  - upb
 - name: cfstream_test
   gtest: true
   build: test

config.m4

@@ -311,6 +311,7 @@ if test "$PHP_GRPC" != "no"; then
     src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c \
     src/core/ext/upbdefs-generated/validate/validate.upbdefs.c \
     src/core/ext/xds/certificate_provider_registry.cc \
+    src/core/ext/xds/certificate_provider_store.cc \
     src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc \
     src/core/ext/xds/xds_api.cc \
     src/core/ext/xds/xds_bootstrap.cc \

config.w32

@@ -278,6 +278,7 @@ if (PHP_GRPC != "no") {
     "src\\core\\ext\\upbdefs-generated\\udpa\\core\\v1\\resource_name.upbdefs.c " +
     "src\\core\\ext\\upbdefs-generated\\validate\\validate.upbdefs.c " +
     "src\\core\\ext\\xds\\certificate_provider_registry.cc " +
+    "src\\core\\ext\\xds\\certificate_provider_store.cc " +
     "src\\core\\ext\\xds\\google_mesh_ca_certificate_provider_factory.cc " +
     "src\\core\\ext\\xds\\xds_api.cc " +
     "src\\core\\ext\\xds\\xds_bootstrap.cc " +

gRPC-Core.podspec

@@ -706,6 +706,7 @@ Pod::Spec.new do |s|
                       'src/core/ext/xds/certificate_provider_factory.h',
                       'src/core/ext/xds/certificate_provider_registry.cc',
                       'src/core/ext/xds/certificate_provider_registry.h',
+                      'src/core/ext/xds/certificate_provider_store.cc',
                       'src/core/ext/xds/certificate_provider_store.h',
                       'src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc',
                       'src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h',

grpc.gemspec

@@ -624,6 +624,7 @@ Gem::Specification.new do |s|
   s.files += %w( src/core/ext/xds/certificate_provider_factory.h )
   s.files += %w( src/core/ext/xds/certificate_provider_registry.cc )
   s.files += %w( src/core/ext/xds/certificate_provider_registry.h )
+  s.files += %w( src/core/ext/xds/certificate_provider_store.cc )
   s.files += %w( src/core/ext/xds/certificate_provider_store.h )
   s.files += %w( src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc )
   s.files += %w( src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h )

grpc.gyp

@@ -715,6 +715,7 @@
         'src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c',
         'src/core/ext/upbdefs-generated/validate/validate.upbdefs.c',
         'src/core/ext/xds/certificate_provider_registry.cc',
+        'src/core/ext/xds/certificate_provider_store.cc',
         'src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc',
         'src/core/ext/xds/xds_api.cc',
         'src/core/ext/xds/xds_bootstrap.cc',

package.xml

@@ -604,6 +604,7 @@
     <file baseinstalldir="/" name="src/core/ext/xds/certificate_provider_factory.h" role="src" />
     <file baseinstalldir="/" name="src/core/ext/xds/certificate_provider_registry.cc" role="src" />
     <file baseinstalldir="/" name="src/core/ext/xds/certificate_provider_registry.h" role="src" />
+    <file baseinstalldir="/" name="src/core/ext/xds/certificate_provider_store.cc" role="src" />
     <file baseinstalldir="/" name="src/core/ext/xds/certificate_provider_store.h" role="src" />
     <file baseinstalldir="/" name="src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc" role="src" />
     <file baseinstalldir="/" name="src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h" role="src" />

src/core/ext/xds/certificate_provider_store.cc

@@ -0,0 +1,84 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/ext/xds/certificate_provider_store.h"
+
+#include "src/core/ext/xds/certificate_provider_registry.h"
+
+namespace grpc_core {
+
+// If a certificate provider is created, the CertificateProviderStore
+// maintains a raw pointer to the created CertificateProviderWrapper so that
+// future calls to `CreateOrGetCertificateProvider()` with the same key result
+// in returning a ref to this created certificate provider. This entry is
+// deleted when the refcount to this provider reaches zero.
+RefCountedPtr<grpc_tls_certificate_provider>
+CertificateProviderStore::CreateOrGetCertificateProvider(
+    absl::string_view key) {
+  RefCountedPtr<CertificateProviderWrapper> result;
+  MutexLock lock(&mu_);
+  auto it = certificate_providers_map_.find(key);
+  if (it == certificate_providers_map_.end()) {
+    it = certificate_providers_map_.insert({key, nullptr}).first;
+  } else {
+    result = it->second->RefIfNonZero();
+  }
+  if (result == nullptr) {
+    result = CreateCertificateProviderLocked(key);
+    it->second = result.get();
+  }
+  return result;
+}
+
+RefCountedPtr<CertificateProviderStore::CertificateProviderWrapper>
+CertificateProviderStore::CreateCertificateProviderLocked(
+    absl::string_view key) {
+  auto plugin_config_it = plugin_config_map_.find(std::string(key));
+  if (plugin_config_it == plugin_config_map_.end()) {
+    return nullptr;
+  }
+  CertificateProviderFactory* factory =
+      CertificateProviderRegistry::LookupCertificateProviderFactory(
+          plugin_config_it->second.plugin_name);
+  if (factory == nullptr) {
+    // This should never happen since an entry is only inserted in the
+    // plugin_config_map_ if the corresponding factory was found when parsing
+    // the xDS bootstrap file.
+    gpr_log(GPR_ERROR, "Certificate provider factory %s not found",
+            plugin_config_it->second.plugin_name.c_str());
+    return nullptr;
+  }
+  return MakeRefCounted<CertificateProviderWrapper>(
+      factory->CreateCertificateProvider(plugin_config_it->second.config), this,
+      plugin_config_it->first);
+}
+
+void CertificateProviderStore::ReleaseCertificateProvider(
+    absl::string_view key, CertificateProviderWrapper* wrapper) {
+  MutexLock lock(&mu_);
+  auto it = certificate_providers_map_.find(key);
+  if (it != certificate_providers_map_.end()) {
+    if (it->second == wrapper) {
+      certificate_providers_map_.erase(it);
+    }
+  }
+}
+
+}  // namespace grpc_core

src/core/ext/xds/certificate_provider_store.h

@@ -32,7 +32,8 @@
 
 namespace grpc_core {
 
-// Map for xDS based grpc_tls_certificate_provider instances.
+// Map for xDS based grpc_tls_certificate_provider instances. The store should
+// outlive the refs taken via `CreateOrGetCertificateProvider()`.
 class CertificateProviderStore {
  public:
   struct PluginDefinition {
@@ -40,24 +41,64 @@ class CertificateProviderStore {
     RefCountedPtr<CertificateProviderFactory::Config> config;
   };
 
+  // Maps plugin instance (opaque) name to plugin defition.
   typedef std::map<std::string, PluginDefinition> PluginDefinitionMap;
 
   CertificateProviderStore(PluginDefinitionMap plugin_config_map)
       : plugin_config_map_(std::move(plugin_config_map)) {}
 
-  // If a provider corresponding to the config is found, a raw pointer to the
-  // grpc_tls_certificate_provider in the map is returned. If no provider is
-  // found for a key, a new provider is created. The CertificateProviderStore
-  // maintains a ref to the grpc_tls_certificate_provider for its entire
-  // lifetime.
+  // If a certificate provider corresponding to the instance name \a key is
+  // found, a ref to the grpc_tls_certificate_provider is returned. If no
+  // provider is found for the key, a new provider is created from the plugin
+  // definition map.
+  // Returns nullptr on failure to get or create a new certificate provider.
   RefCountedPtr<grpc_tls_certificate_provider> CreateOrGetCertificateProvider(
       absl::string_view key);
 
  private:
+  // A thin wrapper around `grpc_tls_certificate_provider` which allows removing
+  // the entry from the CertificateProviderStore when the refcount reaches zero.
+  class CertificateProviderWrapper : public grpc_tls_certificate_provider {
+   public:
+    CertificateProviderWrapper(
+        RefCountedPtr<grpc_tls_certificate_provider> certificate_provider,
+        CertificateProviderStore* store, absl::string_view key)
+        : certificate_provider_(std::move(certificate_provider)),
+          store_(store),
+          key_(key) {}
+
+    ~CertificateProviderWrapper() override {
+      store_->ReleaseCertificateProvider(key_, this);
+    }
+
+    grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor()
+        const override {
+      return certificate_provider_->distributor();
+    }
+
+    grpc_pollset_set* interested_parties() const override {
+      return certificate_provider_->interested_parties();
+    }
+
+   private:
+    RefCountedPtr<grpc_tls_certificate_provider> certificate_provider_;
+    CertificateProviderStore* store_;
+    absl::string_view key_;
+  };
+
+  RefCountedPtr<CertificateProviderWrapper> CreateCertificateProviderLocked(
+      absl::string_view key);
+
+  // Releases a previously created certificate provider from the certificate
+  // provider map if the value matches \a wrapper.
+  void ReleaseCertificateProvider(absl::string_view key,
+                                  CertificateProviderWrapper* wrapper);
+
+  Mutex mu_;
   // Map of plugin configurations
   PluginDefinitionMap plugin_config_map_;
   // Underlying map for the providers.
-  std::map<absl::string_view, RefCountedPtr<grpc_tls_certificate_provider>>
+  std::map<absl::string_view, CertificateProviderWrapper*>
       certificate_providers_map_;
 };
 

src/core/lib/security/certificate_provider.h

@@ -24,10 +24,7 @@
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/iomgr/pollset_set.h"
-
-// TODO(yashkt): After https://github.com/grpc/grpc/pull/23572, remove this
-// forward declaration and include the header for the distributor instead.
-struct grpc_tls_certificate_distributor;
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
 
 // Interface for a grpc_tls_certificate_provider that handles the process to
 // fetch credentials and validation contexts. Implementations are free to rely
@@ -41,20 +38,10 @@ struct grpc_tls_certificate_distributor;
 struct grpc_tls_certificate_provider
     : public grpc_core::RefCounted<grpc_tls_certificate_provider> {
  public:
-  grpc_tls_certificate_provider()
-      : interested_parties_(grpc_pollset_set_create()) {}
-
-  ~grpc_tls_certificate_provider() override {
-    grpc_pollset_set_destroy(interested_parties_);
-  }
-
-  grpc_pollset_set* interested_parties() const { return interested_parties_; }
+  virtual grpc_pollset_set* interested_parties() const { return nullptr; }
 
   virtual grpc_core::RefCountedPtr<grpc_tls_certificate_distributor>
   distributor() const = 0;
-
- private:
-  grpc_pollset_set* interested_parties_;
 };
 
 #endif  // GRPC_CORE_LIB_SECURITY_CERTIFICATE_PROVIDER_H

src/python/grpcio/grpc_core_dependencies.py

@@ -287,6 +287,7 @@ CORE_SOURCE_FILES = [
     'src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c',
     'src/core/ext/upbdefs-generated/validate/validate.upbdefs.c',
     'src/core/ext/xds/certificate_provider_registry.cc',
+    'src/core/ext/xds/certificate_provider_store.cc',
     'src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc',
     'src/core/ext/xds/xds_api.cc',
     'src/core/ext/xds/xds_bootstrap.cc',

test/core/xds/BUILD

@@ -14,10 +14,22 @@
 
 load("//bazel:grpc_build_system.bzl", "grpc_cc_test", "grpc_package")
 
-grpc_package(name = "test/core/client_channel")
+grpc_package(name = "test/core/xds")
 
 licenses(["notice"])
 
+grpc_cc_test(
+    name = "certificate_provider_store_test",
+    srcs = ["certificate_provider_store_test.cc"],
+    external_deps = ["gtest"],
+    language = "C++",
+    deps = [
+        "//:gpr",
+        "//:grpc",
+        "//test/core/util:grpc_test_util",
+    ],
+)
+
 grpc_cc_test(
     name = "google_mesh_ca_certificate_provider_factory_test",
     srcs = ["google_mesh_ca_certificate_provider_factory_test.cc"],

test/core/xds/certificate_provider_store_test.cc

@@ -0,0 +1,164 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <thread>
+
+#include <gmock/gmock.h>
+
+#include "src/core/ext/xds/certificate_provider_registry.h"
+#include "src/core/ext/xds/certificate_provider_store.h"
+
+#include "test/core/util/test_config.h"
+
+namespace grpc_core {
+namespace testing {
+namespace {
+
+class CertificateProviderStoreTest : public ::testing::Test {
+ public:
+  CertificateProviderStoreTest() { grpc_init(); }
+
+  ~CertificateProviderStoreTest() override { grpc_shutdown_blocking(); }
+};
+
+class FakeCertificateProvider : public grpc_tls_certificate_provider {
+ public:
+  RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
+    // never called
+    GPR_ASSERT(0);
+    return nullptr;
+  }
+};
+
+class FakeCertificateProviderFactory1 : public CertificateProviderFactory {
+ public:
+  class Config : public CertificateProviderFactory::Config {
+   public:
+    const char* name() const override { return "fake1"; }
+  };
+
+  const char* name() const override { return "fake1"; }
+
+  RefCountedPtr<CertificateProviderFactory::Config>
+  CreateCertificateProviderConfig(const Json& config_json,
+                                  grpc_error** error) override {
+    return MakeRefCounted<Config>();
+  }
+
+  RefCountedPtr<grpc_tls_certificate_provider> CreateCertificateProvider(
+      RefCountedPtr<CertificateProviderFactory::Config> config) override {
+    return MakeRefCounted<FakeCertificateProvider>();
+  }
+};
+
+class FakeCertificateProviderFactory2 : public CertificateProviderFactory {
+ public:
+  class Config : public CertificateProviderFactory::Config {
+   public:
+    const char* name() const override { return "fake2"; }
+  };
+
+  const char* name() const override { return "fake2"; }
+
+  RefCountedPtr<CertificateProviderFactory::Config>
+  CreateCertificateProviderConfig(const Json& config_json,
+                                  grpc_error** error) override {
+    return MakeRefCounted<Config>();
+  }
+
+  RefCountedPtr<grpc_tls_certificate_provider> CreateCertificateProvider(
+      RefCountedPtr<CertificateProviderFactory::Config> config) override {
+    return MakeRefCounted<FakeCertificateProvider>();
+  }
+};
+
+TEST_F(CertificateProviderStoreTest, Basic) {
+  // Set up factories. (Register only one of the factories.)
+  auto* fake_factory_1 = new FakeCertificateProviderFactory1;
+  CertificateProviderRegistry::RegisterCertificateProviderFactory(
+      std::unique_ptr<CertificateProviderFactory>(fake_factory_1));
+  auto fake_factory_2 = absl::make_unique<FakeCertificateProviderFactory2>();
+  // Set up store
+  CertificateProviderStore::PluginDefinitionMap map = {
+      {"fake_plugin_1",
+       {"fake1", fake_factory_1->CreateCertificateProviderConfig(Json::Object(),
+                                                                 nullptr)}},
+      {"fake_plugin_2",
+       {"fake2", fake_factory_2->CreateCertificateProviderConfig(Json::Object(),
+                                                                 nullptr)}},
+      {"fake_plugin_3",
+       {"fake1", fake_factory_1->CreateCertificateProviderConfig(Json::Object(),
+                                                                 nullptr)}},
+  };
+  CertificateProviderStore store(std::move(map));
+  // Test for creating certificate providers with known plugin configuration.
+  auto cert_provider_1 = store.CreateOrGetCertificateProvider("fake_plugin_1");
+  ASSERT_NE(cert_provider_1, nullptr);
+  auto cert_provider_3 = store.CreateOrGetCertificateProvider("fake_plugin_3");
+  ASSERT_NE(cert_provider_3, nullptr);
+  // Test for creating certificate provider with known plugin configuration but
+  // unregistered factory.
+  ASSERT_EQ(store.CreateOrGetCertificateProvider("fake_plugin_2"), nullptr);
+  // Test for creating certificate provider with unknown plugin configuration.
+  ASSERT_EQ(store.CreateOrGetCertificateProvider("unknown"), nullptr);
+  // Test for getting previously created certificate providers.
+  ASSERT_EQ(store.CreateOrGetCertificateProvider("fake_plugin_1"),
+            cert_provider_1);
+  ASSERT_EQ(store.CreateOrGetCertificateProvider("fake_plugin_3"),
+            cert_provider_3);
+  // Release previously created certificate providers so that the store outlasts
+  // the certificate providers.
+  cert_provider_1.reset();
+  cert_provider_3.reset();
+}
+
+TEST_F(CertificateProviderStoreTest, Multithreaded) {
+  auto* fake_factory_1 = new FakeCertificateProviderFactory1;
+  CertificateProviderRegistry::RegisterCertificateProviderFactory(
+      std::unique_ptr<CertificateProviderFactory>(fake_factory_1));
+  CertificateProviderStore::PluginDefinitionMap map = {
+      {"fake_plugin_1",
+       {"fake1", fake_factory_1->CreateCertificateProviderConfig(Json::Object(),
+                                                                 nullptr)}}};
+  CertificateProviderStore store(std::move(map));
+  // Test concurrent `CreateOrGetCertificateProvider()` with the same key.
+  std::vector<std::thread> threads;
+  threads.reserve(1000);
+  for (auto i = 0; i < 1000; i++) {
+    threads.emplace_back([&store]() {
+      for (auto i = 0; i < 10; ++i) {
+        ASSERT_NE(store.CreateOrGetCertificateProvider("fake_plugin_1"),
+                  nullptr);
+      }
+    });
+  }
+  for (auto& thread : threads) {
+    thread.join();
+  }
+}
+
+}  // namespace
+}  // namespace testing
+}  // namespace grpc_core
+
+int main(int argc, char** argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+  grpc::testing::TestEnvironment env(argc, argv);
+  auto result = RUN_ALL_TESTS();
+  return result;
+}

tools/doxygen/Doxyfile.c++.internal

@@ -1555,6 +1555,7 @@ src/core/ext/upbdefs-generated/validate/validate.upbdefs.h \
 src/core/ext/xds/certificate_provider_factory.h \
 src/core/ext/xds/certificate_provider_registry.cc \
 src/core/ext/xds/certificate_provider_registry.h \
+src/core/ext/xds/certificate_provider_store.cc \
 src/core/ext/xds/certificate_provider_store.h \
 src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc \
 src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h \

tools/doxygen/Doxyfile.core.internal

@@ -1393,6 +1393,7 @@ src/core/ext/upbdefs-generated/validate/validate.upbdefs.h \
 src/core/ext/xds/certificate_provider_factory.h \
 src/core/ext/xds/certificate_provider_registry.cc \
 src/core/ext/xds/certificate_provider_registry.h \
+src/core/ext/xds/certificate_provider_store.cc \
 src/core/ext/xds/certificate_provider_store.h \
 src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc \
 src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h \

tools/run_tests/generated/tests.json

@@ -3881,6 +3881,30 @@
     ], 
     "uses_polling": true
   }, 
+  {
+    "args": [], 
+    "benchmark": false, 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "posix", 
+      "windows"
+    ], 
+    "cpu_cost": 1.0, 
+    "exclude_configs": [], 
+    "exclude_iomgrs": [], 
+    "flaky": false, 
+    "gtest": true, 
+    "language": "c++", 
+    "name": "certificate_provider_store_test", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "posix", 
+      "windows"
+    ], 
+    "uses_polling": true
+  }, 
   {
     "args": [], 
     "benchmark": false,