load libsecret only once

Previously, libsecret was loaded and unloaded multiple times, leading
to issues where calls could run indefinitely due to glib not properly
cleaning up.
Now, libsecret is stored in a OnceLock, ensuring it is only loaded once,
preventing unnecessary unload/reload cycles.

Author: biglben

Cargo.lock

@@ -27,7 +27,7 @@ blake3 = "1.5.5"
 build-rs = { version = "0.3.1", path = "crates/build-rs" }
 cargo = { path = "" }
 cargo-credential = { version = "0.4.2", path = "credential/cargo-credential" }
-cargo-credential-libsecret = { version = "0.4.15", path = "credential/cargo-credential-libsecret" }
+cargo-credential-libsecret = { version = "0.5.0", path = "credential/cargo-credential-libsecret" }
 cargo-credential-macos-keychain = { version = "0.4.15", path = "credential/cargo-credential-macos-keychain" }
 cargo-credential-wincred = { version = "0.4.15", path = "credential/cargo-credential-wincred" }
 cargo-platform = { path = "crates/cargo-platform", version = "0.3.0" }
@@ -185,6 +185,7 @@ jiff.workspace = true
 jobserver.workspace = true
 lazycell.workspace = true
 libgit2-sys.workspace = true
+libloading.workspace = true
 memchr.workspace = true
 opener.workspace = true
 os_info.workspace = true

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cargo-credential-libsecret"
-version = "0.4.15"
+version = "0.5.0"
 rust-version = "1.87"  # MSRV:1
 edition.workspace = true
 license.workspace = true

credential/cargo-credential-libsecret/Cargo.toml

@@ -6,7 +6,6 @@
 mod linux {
     //! Implementation of the libsecret credential helper.
 
-    use anyhow::Context;
     use cargo_credential::{
         read_token, Action, CacheControl, Credential, CredentialResponse, Error, RegistryInfo,
         Secret,
@@ -83,7 +82,9 @@ mod linux {
         ...
     ) -> *mut gchar;
 
-    pub struct LibSecretCredential;
+    pub struct LibSecretCredential<'a> {
+        libsecret: &'a Library,
+    }
 
     fn label(index_url: &str) -> CString {
         CString::new(format!("cargo-registry:{}", index_url)).unwrap()
@@ -105,31 +106,35 @@ mod linux {
         }
     }
 
-    impl Credential for LibSecretCredential {
+    impl<'a> LibSecretCredential<'a> {
+        pub fn new(libsecret: &'a Library) -> LibSecretCredential<'a> {
+            Self { libsecret }
+        }
+    }
+
+    impl Credential for LibSecretCredential<'_> {
         fn perform(
             &self,
             registry: &RegistryInfo<'_>,
             action: &Action<'_>,
             _args: &[&str],
         ) -> Result<CredentialResponse, Error> {
-            // Dynamically load libsecret to avoid users needing to install
-            // additional -dev packages when building this provider.
-            let lib;
             let secret_password_lookup_sync: Symbol<'_, SecretPasswordLookupSync>;
             let secret_password_store_sync: Symbol<'_, SecretPasswordStoreSync>;
             let secret_password_clear_sync: Symbol<'_, SecretPasswordClearSync>;
             unsafe {
-                lib = Library::new("libsecret-1.so.0").context(
-                    "failed to load libsecret: try installing the `libsecret` \
-                    or `libsecret-1-0` package with the system package manager",
-                )?;
-                secret_password_lookup_sync = lib
+                secret_password_lookup_sync = self
+                    .libsecret
                     .get(b"secret_password_lookup_sync\0")
                     .map_err(Box::new)?;
-                secret_password_store_sync =
-                    lib.get(b"secret_password_store_sync\0").map_err(Box::new)?;
-                secret_password_clear_sync =
-                    lib.get(b"secret_password_clear_sync\0").map_err(Box::new)?;
+                secret_password_store_sync = self
+                    .libsecret
+                    .get(b"secret_password_store_sync\0")
+                    .map_err(Box::new)?;
+                secret_password_clear_sync = self
+                    .libsecret
+                    .get(b"secret_password_clear_sync\0")
+                    .map_err(Box::new)?;
             }
 
             let index_url_c = CString::new(registry.index_url).unwrap();

credential/cargo-credential-libsecret/src/lib.rs

@@ -508,6 +508,26 @@ static BUILT_IN_PROVIDERS: &[&'static str] = &[
     "cargo:libsecret",
 ];
 
+#[cfg(target_os = "linux")]
+fn get_libsecret() -> CargoResult<&'static libloading::Library> {
+    // Dynamically load libsecret to avoid users needing to install additional -dev packages.
+    // OnceLock to prevent multiple load/unload cycles (which glib does not support).
+    static LIBSECRET: std::sync::OnceLock<libloading::Library> = std::sync::OnceLock::new();
+    // unfortunately `get_or_try_init` is not yet stable
+    match LIBSECRET.get() {
+        Some(lib) => Ok(lib),
+        None => {
+            let _ = LIBSECRET.set(
+                unsafe { libloading::Library::new("libsecret-1.so.0") }.context(
+                    "failed to load libsecret: try installing the `libsecret` \
+                or `libsecret-1-0` package with the system package manager",
+                )?,
+            );
+            Ok(LIBSECRET.get().unwrap())
+        }
+    }
+}
+
 fn credential_action(
     gctx: &GlobalContext,
     sid: &SourceId,
@@ -545,7 +565,9 @@ fn credential_action(
             #[cfg(target_os = "macos")]
             "cargo:macos-keychain" => Box::new(cargo_credential_macos_keychain::MacKeychain {}),
             #[cfg(target_os = "linux")]
-            "cargo:libsecret" => Box::new(cargo_credential_libsecret::LibSecretCredential {}),
+            "cargo:libsecret" => Box::new(cargo_credential_libsecret::LibSecretCredential::new(
+                get_libsecret()?,
+            )),
             name if BUILT_IN_PROVIDERS.contains(&name) => {
                 Box::new(cargo_credential::UnsupportedCredential {})
             }