Migrate nuget handler to OIDCRegistry

kbukum1 · kbukum1 · commit cd8f757d18ad · 2026-04-02T20:27:04.000-05:00
Replace manual OIDC credential map and mutex with the shared
OIDCRegistry type. Nuget uses Register() for the primary feed
URL and RegisterURL() for HTTP-discovered resource URLs.

The old code stored OIDC credentials by url-with-host-fallback.
OIDCRegistry preserves the full URL with path-prefix matching,
fixing potential collisions when multiple nuget feeds share a host.

Test log lines updated: RegisterURL uses consistent log format
without the leading indent that the old code used.
diff --git a/internal/handlers/nuget_feed.go b/internal/handlers/nuget_feed.go
@@ -9,7 +9,6 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
-	"sync"
 	"time"
 
 	"github.com/elazarl/goproxy"
@@ -36,9 +35,8 @@ type nugetV3IndexResponse struct {
 
 // NugetFeedHandler handles requests to nuget feeds, adding auth.
 type NugetFeedHandler struct {
-	credentials     []nugetFeedCredentials
-	oidcCredentials map[string]*oidc.OIDCCredential
-	mutex           sync.RWMutex
+	credentials  []nugetFeedCredentials
+	oidcRegistry *oidc.OIDCRegistry
 }
 
 type nugetFeedCredentials struct {
@@ -52,8 +50,8 @@ type nugetFeedCredentials struct {
 // NewNugetFeedHandler returns a new NugetFeedHandler.
 func NewNugetFeedHandler(creds config.Credentials) *NugetFeedHandler {
 	handler := NugetFeedHandler{
-		credentials:     []nugetFeedCredentials{},
-		oidcCredentials: make(map[string]*oidc.OIDCCredential),
+		credentials:  []nugetFeedCredentials{},
+		oidcRegistry: oidc.NewOIDCRegistry(),
 	}
 
 	httpClient := &http.Client{
@@ -72,54 +70,43 @@ func NewNugetFeedHandler(creds config.Credentials) *NugetFeedHandler {
 		username := cred.GetString("username")
 		password := cred.GetString("password")
 
-		oidcCredential, _ := oidc.CreateOIDCCredential(cred)
-		if oidcCredential != nil {
-			key := url
-			if key == "" {
-				key = host
+		oidcCredential, key, ok := handler.oidcRegistry.Register(cred, []string{"url"}, "nuget feed")
+		if ok {
+			// Query all resources to add to the authentication list
+			req, err := http.NewRequestWithContext(context.Background(), "GET", key, nil)
+			if err != nil {
+				logging.RequestLogf(nil, "error creating http request (%s): %v", key, err)
+				continue
 			}
 
-			if key != "" {
-				handler.oidcCredentials[key] = oidcCredential
-				logging.RequestLogf(nil, "registered %s OIDC credentials for nuget feed: %s", oidcCredential.Provider(), key)
+			if handler.oidcRegistry.TryAuth(req, nil) {
+				rawRsp, err := httpClient.Do(req)
+				if err != nil {
+					logging.RequestLogf(nil, "error retrieving http response (%s): %v", key, err)
+					continue
+				}
 
-				// now query all resources to add to the authentication list
-				req, err := http.NewRequestWithContext(context.Background(), "GET", key, nil)
+				body, err := io.ReadAll(rawRsp.Body)
 				if err != nil {
-					logging.RequestLogf(nil, "error creating http request (%s): %v", key, err)
+					logging.RequestLogf(nil, "error reading http response body")
+					continue
+				}
+				rawRsp.Body.Close()
+
+				switch rawRsp.StatusCode {
+				case 401, 403:
+					logging.RequestLogf(nil, "unauthorized for nuget feed %s", key)
+					continue
+				}
+
+				if rawRsp.StatusCode >= 400 {
+					logging.RequestLogf(nil, "unexpected http response %d for nuget feed %s", rawRsp.StatusCode, key)
 					continue
 				}
 
-				if oidc.TryAuthOIDCRequestWithPrefix(&handler.mutex, handler.oidcCredentials, req, nil) {
-					rawRsp, err := httpClient.Do(req)
-					if err != nil {
-						logging.RequestLogf(nil, "error retrieving http response (%s): %v", key, err)
-						continue
-					}
-
-					body, err := io.ReadAll(rawRsp.Body)
-					if err != nil {
-						logging.RequestLogf(nil, "error reading http response body")
-						continue
-					}
-					rawRsp.Body.Close()
-
-					switch rawRsp.StatusCode {
-					case 401, 403:
-						logging.RequestLogf(nil, "unauthorized for nuget feed %s", key)
-						continue
-					}
-
-					if rawRsp.StatusCode >= 400 {
-						logging.RequestLogf(nil, "unexpected http response %d for nuget feed %s", rawRsp.StatusCode, key)
-						continue
-					}
-
-					urlsToAuthenticate := extraUrlsFromSourceResponse(body, key)
-					for _, url := range urlsToAuthenticate {
-						handler.oidcCredentials[url] = oidcCredential
-						logging.RequestLogf(nil, "  registered %s OIDC credentials for nuget resource: %s", oidcCredential.Provider(), url)
-					}
+				urlsToAuthenticate := extraUrlsFromSourceResponse(body, key)
+				for _, discoveredURL := range urlsToAuthenticate {
+					handler.oidcRegistry.RegisterURL(discoveredURL, oidcCredential, "nuget resource")
 				}
 			}
 			continue
@@ -262,7 +249,7 @@ func (h *NugetFeedHandler) HandleRequest(req *http.Request, ctx *goproxy.ProxyCt
 	}
 
 	// Try OIDC credentials first
-	if oidc.TryAuthOIDCRequestWithPrefix(&h.mutex, h.oidcCredentials, req, ctx) {
+	if h.oidcRegistry.TryAuth(req, ctx) {
 		return req, nil
 	}
 
diff --git a/internal/handlers/oidc_handling_test.go b/internal/handlers/oidc_handling_test.go
@@ -822,7 +822,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			},
 			expectedLogLines: []string{
 				"registered aws OIDC credentials for nuget feed: https://nuget.example.com/index.json",
-				"  registered aws OIDC credentials for nuget resource: https://nuget.example.com/v3/packages",
+				"registered aws OIDC credentials for nuget resource: https://nuget.example.com/v3/packages",
 			},
 			urlsToAuthenticate: []string{
 				"https://nuget.example.com/index.json",                          // base url
@@ -852,7 +852,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			},
 			expectedLogLines: []string{
 				"registered azure OIDC credentials for nuget feed: https://nuget.example.com/index.json",
-				"  registered azure OIDC credentials for nuget resource: https://nuget.example.com/v3/packages",
+				"registered azure OIDC credentials for nuget resource: https://nuget.example.com/v3/packages",
 			},
 			urlsToAuthenticate: []string{
 				"https://nuget.example.com/index.json",                          // base url
@@ -881,7 +881,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			},
 			expectedLogLines: []string{
 				"registered jfrog OIDC credentials for nuget feed: https://jfrog.example.com/index.json",
-				"  registered jfrog OIDC credentials for nuget resource: https://jfrog.example.com/v3/packages",
+				"registered jfrog OIDC credentials for nuget resource: https://jfrog.example.com/v3/packages",
 			},
 			urlsToAuthenticate: []string{
 				"https://jfrog.example.com/index.json",                          // base url
@@ -912,7 +912,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			},
 			expectedLogLines: []string{
 				"registered cloudsmith OIDC credentials for nuget feed: https://cloudsmith.example.com/v3/index.json",
-				"  registered cloudsmith OIDC credentials for nuget resource: https://cloudsmith.example.com/v3/packages",
+				"registered cloudsmith OIDC credentials for nuget resource: https://cloudsmith.example.com/v3/packages",
 			},
 			urlsToAuthenticate: []string{
 				"https://cloudsmith.example.com/v3/index.json",                       // base url
