Skip to content

Commit 9517f29

Browse files
kbukum1kbukum1
committed
Migrate python handler to OIDCRegistry
Replace manual OIDC credential map and mutex with the shared OIDCRegistry type. OIDC key changes from hostname-only to full URL (via index-url or url field), fixing credential collisions when multiple Python indexes share a host with different paths.
1 parent 5328230 commit 9517f29

2 files changed

Lines changed: 74 additions & 20 deletions

File tree

internal/handlers/oidc_handling_test.go

Lines changed: 55 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1035,7 +1035,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
10351035
},
10361036
urlMocks: []mockHttpRequest{},
10371037
expectedLogLines: []string{
1038-
"registered aws OIDC credentials for python index: python.example.com",
1038+
"registered aws OIDC credentials for python index: https://python.example.com",
10391039
},
10401040
urlsToAuthenticate: []string{
10411041
"https://python.example.com/some-package",
@@ -1057,7 +1057,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
10571057
},
10581058
urlMocks: []mockHttpRequest{},
10591059
expectedLogLines: []string{
1060-
"registered azure OIDC credentials for python index: python.example.com",
1060+
"registered azure OIDC credentials for python index: https://python.example.com",
10611061
},
10621062
urlsToAuthenticate: []string{
10631063
"https://python.example.com/some-package",
@@ -1078,7 +1078,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
10781078
},
10791079
urlMocks: []mockHttpRequest{},
10801080
expectedLogLines: []string{
1081-
"registered jfrog OIDC credentials for python index: jfrog.example.com",
1081+
"registered jfrog OIDC credentials for python index: https://jfrog.example.com",
10821082
},
10831083
urlsToAuthenticate: []string{
10841084
"https://jfrog.example.com/some-package",
@@ -1101,7 +1101,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
11011101
},
11021102
urlMocks: []mockHttpRequest{},
11031103
expectedLogLines: []string{
1104-
"registered cloudsmith OIDC credentials for python index: cloudsmith.example.com",
1104+
"registered cloudsmith OIDC credentials for python index: https://cloudsmith.example.com",
11051105
},
11061106
urlsToAuthenticate: []string{
11071107
"https://cloudsmith.example.com/some-package",
@@ -1390,3 +1390,54 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
13901390
})
13911391
}
13921392
}
1393+
1394+
// TestPythonOIDCSimpleSuffixStripping verifies that Python index URLs ending
1395+
// with /simple or /+simple are normalized before OIDC registration, so that
1396+
// requests to sibling paths (e.g. /org/pkg/a) still match.
1397+
func TestPythonOIDCSimpleSuffixStripping(t *testing.T) {
1398+
httpmock.Activate()
1399+
defer httpmock.DeactivateAndReset()
1400+
1401+
tenantA := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
1402+
tenantB := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
1403+
clientId := "87654321-4321-4321-4321-210987654321"
1404+
1405+
tokenUrl := "https://token.actions.example.com" //nolint:gosec // test URL
1406+
httpmock.RegisterResponder("GET", tokenUrl,
1407+
httpmock.NewStringResponder(200, `{"count":1,"value":"sometoken"}`))
1408+
1409+
httpmock.RegisterResponder("POST", fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/v2.0/token", tenantA),
1410+
httpmock.NewStringResponder(200, `{"access_token":"__token_A__","expires_in":3600,"token_type":"Bearer"}`))
1411+
httpmock.RegisterResponder("POST", fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/v2.0/token", tenantB),
1412+
httpmock.NewStringResponder(200, `{"access_token":"__token_B__","expires_in":3600,"token_type":"Bearer"}`))
1413+
1414+
t.Setenv("ACTIONS_ID_TOKEN_REQUEST_URL", tokenUrl)
1415+
t.Setenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN", "sometoken")
1416+
1417+
creds := config.Credentials{
1418+
config.Credential{
1419+
"type": "python_index",
1420+
"index-url": "https://pkgs.example.com/org/feed-A/+simple/",
1421+
"tenant-id": tenantA,
1422+
"client-id": clientId,
1423+
},
1424+
config.Credential{
1425+
"type": "python_index",
1426+
"index-url": "https://pkgs.example.com/org/feed-B/simple",
1427+
"tenant-id": tenantB,
1428+
"client-id": clientId,
1429+
},
1430+
}
1431+
1432+
handler := NewPythonIndexHandler(creds)
1433+
1434+
// /+simple/ should be stripped → registered as /org/feed-A/
1435+
reqA := httptest.NewRequest("GET", "https://pkgs.example.com/org/feed-A/pkg/a", nil)
1436+
reqA = handleRequestAndClose(handler, reqA, nil)
1437+
assertHasTokenAuth(t, reqA, "Bearer", "__token_A__", "feed-A request should use token A")
1438+
1439+
// /simple should be stripped → registered as /org/feed-B/
1440+
reqB := httptest.NewRequest("GET", "https://pkgs.example.com/org/feed-B/pkg/b", nil)
1441+
reqB = handleRequestAndClose(handler, reqB, nil)
1442+
assertHasTokenAuth(t, reqB, "Bearer", "__token_B__", "feed-B request should use token B")
1443+
}

internal/handlers/python_index.go

Lines changed: 19 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,6 @@ import (
44
"net/http"
55
"regexp"
66
"strings"
7-
"sync"
87

98
"github.com/elazarl/goproxy"
109

@@ -18,9 +17,8 @@ var simpleSuffixRe = regexp.MustCompile(`/\+?simple/?\z`)
1817

1918
// PythonIndexHandler handles requests to Python indexes, adding auth.
2019
type PythonIndexHandler struct {
21-
credentials []pythonIndexCredentials
22-
oidcCredentials map[string]*oidc.OIDCCredential
23-
mutex sync.RWMutex
20+
credentials []pythonIndexCredentials
21+
oidcRegistry *oidc.OIDCRegistry
2422
}
2523

2624
type pythonIndexCredentials struct {
@@ -34,8 +32,8 @@ type pythonIndexCredentials struct {
3432
// NewPythonIndexHandler returns a new PythonIndexHandler.
3533
func NewPythonIndexHandler(creds config.Credentials) *PythonIndexHandler {
3634
handler := PythonIndexHandler{
37-
credentials: []pythonIndexCredentials{},
38-
oidcCredentials: make(map[string]*oidc.OIDCCredential),
35+
credentials: []pythonIndexCredentials{},
36+
oidcRegistry: oidc.NewOIDCRegistry(),
3937
}
4038

4139
for _, cred := range creds {
@@ -47,16 +45,21 @@ func NewPythonIndexHandler(creds config.Credentials) *PythonIndexHandler {
4745

4846
oidcCredential, _ := oidc.CreateOIDCCredential(cred)
4947
if oidcCredential != nil {
50-
host := cred.Host()
51-
if host == "" && indexURL != "" {
52-
regURL, err := helpers.ParseURLLax(indexURL)
53-
if err == nil {
54-
host = regURL.Hostname()
55-
}
48+
// Normalize the registration URL by stripping the /simple or /+simple
49+
// suffix, matching how static credentials are matched at request time.
50+
// Without this, a config of /dependabot/+simple/ would not prefix-match
51+
// requests to /dependabot/pkg/a.
52+
regURL := indexURL
53+
if regURL == "" {
54+
regURL = cred.GetString("url")
5655
}
57-
if host != "" {
58-
handler.oidcCredentials[host] = oidcCredential
59-
logging.RequestLogf(nil, "registered %s OIDC credentials for python index: %s", oidcCredential.Provider(), host)
56+
if regURL != "" {
57+
regURL = simpleSuffixRe.ReplaceAllString(regURL, "/")
58+
} else {
59+
regURL = cred.Host()
60+
}
61+
if regURL != "" {
62+
handler.oidcRegistry.RegisterURL(regURL, oidcCredential, "python index")
6063
}
6164
continue
6265
}
@@ -85,7 +88,7 @@ func (h *PythonIndexHandler) HandleRequest(req *http.Request, ctx *goproxy.Proxy
8588
}
8689

8790
// Try OIDC credentials first
88-
if oidc.TryAuthOIDCRequestWithPrefix(&h.mutex, h.oidcCredentials, req, ctx) {
91+
if h.oidcRegistry.TryAuth(req, ctx) {
8992
return req, nil
9093
}
9194

0 commit comments

Comments
 (0)