Migrate rubygems handler to OIDCRegistry

Author: kbukum1

internal/handlers/hex_organization.go

@@ -13,38 +13,25 @@ import (
 
 // HexOrganizationHandler handles requests to repo.hex.pm, adding auth.
 type HexOrganizationHandler struct {
-	credentials []hexOrganizationCredentials
-}
-
-type hexOrganizationCredentials struct {
-	organization string
-	key          string
+	orgTokens map[string]string
 }
 
 // NewHexOrganizationHandler returns a new HexOrganizationHandler.
 func NewHexOrganizationHandler(creds config.Credentials) *HexOrganizationHandler {
-	handler := HexOrganizationHandler{credentials: []hexOrganizationCredentials{}}
+	handler := HexOrganizationHandler{orgTokens: map[string]string{}}
 
 	for _, cred := range creds {
 		if cred["type"] != "hex_organization" {
 			continue
 		}
 
 		org := cred.GetString("organization")
-		// Support both "key" and "token" (backwards compatibility)
-		key := cred.GetString("key")
-		if key == "" {
-			key = cred.GetString("token")
-		}
-		if org == "" || key == "" {
+		token := cred.GetString("token")
+		if org == "" || token == "" {
 			continue
 		}
 
-		hexCred := hexOrganizationCredentials{
-			organization: org,
-			key:          key,
-		}
-		handler.credentials = append(handler.credentials, hexCred)
+		handler.orgTokens[org] = token
 	}
 
 	return &handler
@@ -65,14 +52,13 @@ func (h *HexOrganizationHandler) HandleRequest(req *http.Request, ctx *goproxy.P
 		return req, nil
 	}
 
-	reqOrg := pathParts[1]
-	for _, cred := range h.credentials {
-		if cred.organization == reqOrg {
-			logging.RequestLogf(ctx, "* authenticating hex request (org: %s)", reqOrg)
-			req.Header.Set("authorization", cred.key)
-			return req, nil
-		}
+	token, ok := h.orgTokens[pathParts[1]]
+	if !ok {
+		return req, nil
 	}
 
+	logging.RequestLogf(ctx, "* authenticating hex request (org: %s)", pathParts[1])
+	req.Header.Set("authorization", token)
+
 	return req, nil
 }

internal/handlers/hex_organization_test.go

@@ -8,29 +8,29 @@ import (
 )
 
 func TestHexOrganizationHandler(t *testing.T) {
-	dependabotKey := "123"
-	deltaForceKey := "456"
+	dependabotToken := "123"
+	deltaForceToken := "456"
 	credentials := config.Credentials{
 		config.Credential{
 			"type":         "hex_organization",
 			"organization": "dependabot",
-			"key":          dependabotKey,
+			"token":        dependabotToken,
 		},
 		config.Credential{
 			"type":         "hex_organization",
 			"organization": "deltaforce",
-			"key":          deltaForceKey,
+			"token":        deltaForceToken,
 		},
 	}
 	handler := NewHexOrganizationHandler(credentials)
 
 	req := httptest.NewRequest("GET", "https://repo.hex.pm/repos/dependabot/packages/foo", nil)
 	req = handleRequestAndClose(handler, req, nil)
-	assertHasTokenAuth(t, req, "", dependabotKey, "dependabot registry request")
+	assertHasTokenAuth(t, req, "", dependabotToken, "dependabot registry request")
 
 	req = httptest.NewRequest("GET", "https://repo.hex.pm/repos/deltaforce/packages/foo", nil)
 	req = handleRequestAndClose(handler, req, nil)
-	assertHasTokenAuth(t, req, "", deltaForceKey, "deltaforce registry request")
+	assertHasTokenAuth(t, req, "", deltaForceToken, "deltaforce registry request")
 
 	// Not an org
 	req = httptest.NewRequest("GET", "https://repo.hex.pm/packages/foo", nil)
@@ -52,36 +52,3 @@ func TestHexOrganizationHandler(t *testing.T) {
 	req = handleRequestAndClose(handler, req, nil)
 	assertUnauthenticated(t, req, "post request")
 }
-
-func TestHexOrganizationHandler_BackwardsCompatibility(t *testing.T) {
-	t.Run("supports legacy token field", func(t *testing.T) {
-		credentials := config.Credentials{
-			config.Credential{
-				"type":         "hex_organization",
-				"organization": "legacy-org",
-				"token":        "legacy-token",
-			},
-		}
-		handler := NewHexOrganizationHandler(credentials)
-
-		req := httptest.NewRequest("GET", "https://repo.hex.pm/repos/legacy-org/packages/foo", nil)
-		req = handleRequestAndClose(handler, req, nil)
-		assertHasTokenAuth(t, req, "", "legacy-token", "should support legacy token field")
-	})
-
-	t.Run("key takes precedence over token", func(t *testing.T) {
-		credentials := config.Credentials{
-			config.Credential{
-				"type":         "hex_organization",
-				"organization": "test-org",
-				"key":          "new-key",
-				"token":        "old-token",
-			},
-		}
-		handler := NewHexOrganizationHandler(credentials)
-
-		req := httptest.NewRequest("GET", "https://repo.hex.pm/repos/test-org/packages/foo", nil)
-		req = handleRequestAndClose(handler, req, nil)
-		assertHasTokenAuth(t, req, "", "new-key", "key should take precedence over token")
-	})
-}

internal/handlers/rubygems_server.go

@@ -3,7 +3,6 @@ package handlers
 import (
 	"net/http"
 	"strings"
-	"sync"
 
 	"github.com/elazarl/goproxy"
 
@@ -15,9 +14,8 @@ import (
 
 // RubyGemsServerHandler handles requests to rubygems servers, adding auth.
 type RubyGemsServerHandler struct {
-	credentials     []rubyGemsServerCredentials
-	oidcCredentials map[string]*oidc.OIDCCredential
-	mutex           sync.RWMutex
+	credentials  []rubyGemsServerCredentials
+	oidcRegistry *oidc.OIDCRegistry
 }
 
 type rubyGemsServerCredentials struct {
@@ -29,8 +27,8 @@ type rubyGemsServerCredentials struct {
 // NewRubyGemsServerHandler returns a new RubyGemsServerHandler.
 func NewRubyGemsServerHandler(creds config.Credentials) *RubyGemsServerHandler {
 	handler := RubyGemsServerHandler{
-		credentials:     []rubyGemsServerCredentials{},
-		oidcCredentials: make(map[string]*oidc.OIDCCredential),
+		credentials:  []rubyGemsServerCredentials{},
+		oidcRegistry: oidc.NewOIDCRegistry(),
 	}
 
 	for _, cred := range creds {
@@ -41,16 +39,8 @@ func NewRubyGemsServerHandler(creds config.Credentials) *RubyGemsServerHandler {
 		host := cred.Host()
 		url := cred.GetString("url")
 
-		oidcCredential, _ := oidc.CreateOIDCCredential(cred)
-		if oidcCredential != nil {
-			hostURL := url
-			if hostURL == "" {
-				hostURL = host
-			}
-			if hostURL != "" {
-				handler.oidcCredentials[hostURL] = oidcCredential
-				logging.RequestLogf(nil, "registered %s OIDC credentials for rubygems server: %s", oidcCredential.Provider(), hostURL)
-			}
+		// OIDC credentials are not used as static credentials.
+		if oidcCred, _, _ := handler.oidcRegistry.Register(cred, []string{"url"}, "rubygems server"); oidcCred != nil {
 			continue
 		}
 
@@ -72,7 +62,7 @@ func (h *RubyGemsServerHandler) HandleRequest(req *http.Request, ctx *goproxy.Pr
 	}
 
 	// Try OIDC credentials first
-	if oidc.TryAuthOIDCRequestWithPrefix(&h.mutex, h.oidcCredentials, req, ctx) {
+	if h.oidcRegistry.TryAuth(req, ctx) {
 		return req, nil
 	}
 

internal/handlers/terraform_registry.go

@@ -2,8 +2,6 @@ package handlers
 
 import (
 	"net/http"
-	"sort"
-	"strings"
 	"sync"
 
 	"github.com/elazarl/goproxy"
@@ -15,20 +13,14 @@ import (
 )
 
 type TerraformRegistryHandler struct {
-	credentials     []terraformRegistryCredentials
+	credentials     map[string]string
 	oidcCredentials map[string]*oidc.OIDCCredential
 	mutex           sync.RWMutex
 }
 
-type terraformRegistryCredentials struct {
-	host  string
-	url   string
-	token string
-}
-
 func NewTerraformRegistryHandler(credentials config.Credentials) *TerraformRegistryHandler {
 	handler := TerraformRegistryHandler{
-		credentials:     []terraformRegistryCredentials{},
+		credentials:     make(map[string]string),
 		oidcCredentials: make(map[string]*oidc.OIDCCredential),
 	}
 
@@ -48,33 +40,8 @@ func NewTerraformRegistryHandler(credentials config.Credentials) *TerraformRegis
 			continue
 		}
 
-		token := credential.GetString("token")
-		url := credential.GetString("url")
-
-		// Skip credentials with empty token or both empty host and url
-		if token == "" || (host == "" && url == "") {
-			continue
-		}
-
-		terraformCred := terraformRegistryCredentials{
-			url:   url,
-			token: token,
-		}
-		// Only set host when url is not provided to ensure URL-prefix matching
-		// takes precedence and doesn't fall back to host matching
-		if url == "" {
-			terraformCred.host = host
-		}
-		handler.credentials = append(handler.credentials, terraformCred)
+		handler.credentials[host] = credential.GetString("token")
 	}
-
-	// Sort credentials by URL length descending (longest first) to ensure
-	// more specific URLs match before shorter ones. Using SliceStable for
-	// deterministic ordering when URL lengths are equal.
-	sort.SliceStable(handler.credentials, func(i, j int) bool {
-		return len(handler.credentials[i].url) > len(handler.credentials[j].url)
-	})
-
 	return &handler
 }
 
@@ -89,65 +56,15 @@ func (h *TerraformRegistryHandler) HandleRequest(request *http.Request, context
 	}
 
 	// Fall back to static credentials
-	for _, cred := range h.credentials {
-		if !urlMatchesRequestWithBoundary(request, cred.url) && !helpers.CheckHost(request, cred.host) {
-			continue
-		}
+	host := request.URL.Hostname()
+	token, ok := h.credentials[host]
 
-		logging.RequestLogf(context, "* authenticating terraform registry request (host: %s)", request.URL.Hostname())
-		request.Header.Set("Authorization", "Bearer "+cred.token)
+	if !ok {
 		return request, nil
 	}
 
-	return request, nil
-}
-
-// urlMatchesRequestWithBoundary checks if the request URL matches the credential URL
-// with proper path boundary checking.
-func urlMatchesRequestWithBoundary(request *http.Request, credURL string) bool {
-	if credURL == "" {
-		return false
-	}
-
-	parsedURL, err := helpers.ParseURLLax(credURL)
-	if err != nil {
-		return false
-	}
-
-	if !helpers.AreHostnamesEqual(parsedURL.Hostname(), request.URL.Hostname()) {
-		return false
-	}
-
-	urlPort := parsedURL.Port()
-	if urlPort == "" {
-		urlPort = "443"
-	}
-
-	reqPort := request.URL.Port()
-	if reqPort == "" {
-		reqPort = "443"
-	}
-
-	if urlPort != reqPort {
-		return false
-	}
+	logging.RequestLogf(context, "* authenticating terraform registry request (host: %s)", host)
+	request.Header.Set("Authorization", "Bearer "+token)
 
-	credPath := strings.TrimRight(parsedURL.Path, "/")
-	reqPath := request.URL.Path
-
-	if credPath == "" {
-		// Empty path matches everything on the host
-		return true
-	}
-
-	if reqPath == credPath {
-		return true
-	}
-
-	// Check if request path starts with credPath followed by /
-	if strings.HasPrefix(reqPath, credPath+"/") {
-		return true
-	}
-
-	return false
+	return request, nil
 }

internal/handlers/terraform_registry_test.go

@@ -74,62 +74,4 @@ func TestTerraformRegistryHandler(t *testing.T) {
 
 		assert.Equal(t, "", request.Header.Get("Authorization"), "should be empty")
 	})
-
-	t.Run("multiple credentials on same host with different URL paths", func(t *testing.T) {
-		credentials := config.Credentials{
-			config.Credential{"type": "terraform_registry", "url": "https://terraform.example.com/org1", "token": "token-org1"},
-			config.Credential{"type": "terraform_registry", "url": "https://terraform.example.com/org2", "token": "token-org2"},
-		}
-		handler := NewTerraformRegistryHandler(credentials)
-
-		// Request to org1 path should use org1 token
-		req1 := handleRequestAndClose(handler, httptest.NewRequest("GET", "https://terraform.example.com/org1/v1/providers/foo", nil), nil)
-		assert.Equal(t, "Bearer token-org1", req1.Header.Get("Authorization"), "should use org1 token")
-
-		// Request to org2 path should use org2 token
-		req2 := handleRequestAndClose(handler, httptest.NewRequest("GET", "https://terraform.example.com/org2/v1/providers/bar", nil), nil)
-		assert.Equal(t, "Bearer token-org2", req2.Header.Get("Authorization"), "should use org2 token")
-
-		// Request to unmatched path should not be authenticated
-		req3 := handleRequestAndClose(handler, httptest.NewRequest("GET", "https://terraform.example.com/org3/v1/providers/baz", nil), nil)
-		assert.Equal(t, "", req3.Header.Get("Authorization"), "should not be authenticated")
-	})
-
-	t.Run("skips credentials with empty token", func(t *testing.T) {
-		credentials := config.Credentials{
-			config.Credential{"type": "terraform_registry", "host": "terraform.example.org", "token": ""},
-		}
-		handler := NewTerraformRegistryHandler(credentials)
-		assert.Equal(t, 0, len(handler.credentials), "should skip credential with empty token")
-	})
-
-	t.Run("skips credentials with empty host and url", func(t *testing.T) {
-		credentials := config.Credentials{
-			config.Credential{"type": "terraform_registry", "token": "some-token"},
-		}
-		handler := NewTerraformRegistryHandler(credentials)
-		assert.Equal(t, 0, len(handler.credentials), "should skip credential with empty host and url")
-	})
-
-	t.Run("path boundary: /org should not match /org1", func(t *testing.T) {
-		// Credentials are sorted longest-path-first to ensure /org1 matches before /org
-		credentials := config.Credentials{
-			config.Credential{"type": "terraform_registry", "url": "https://terraform.example.com/org", "token": "token-org"},
-			config.Credential{"type": "terraform_registry", "url": "https://terraform.example.com/org1", "token": "token-org1"},
-		}
-		handler := NewTerraformRegistryHandler(credentials)
-
-		assert.Equal(t, "https://terraform.example.com/org1", handler.credentials[0].url, "longer path should be first")
-		assert.Equal(t, "https://terraform.example.com/org", handler.credentials[1].url, "shorter path should be second")
-
-		req1 := handleRequestAndClose(handler, httptest.NewRequest("GET", "https://terraform.example.com/org1/v1/providers/foo", nil), nil)
-		assert.Equal(t, "Bearer token-org1", req1.Header.Get("Authorization"), "/org1 path should use org1 token")
-
-		req2 := handleRequestAndClose(handler, httptest.NewRequest("GET", "https://terraform.example.com/org/v1/providers/bar", nil), nil)
-		assert.Equal(t, "Bearer token-org", req2.Header.Get("Authorization"), "/org path should use org token")
-
-		// Request to /org123 should NOT match /org1 or /org (path boundary check)
-		req3 := handleRequestAndClose(handler, httptest.NewRequest("GET", "https://terraform.example.com/org123/v1/providers/baz", nil), nil)
-		assert.Equal(t, "", req3.Header.Get("Authorization"), "/org123 should not match /org or /org1")
-	})
 }