Migrate python handler to OIDCRegistry

Replace manual OIDC credential map and mutex with the shared
OIDCRegistry type. OIDC key changes from hostname-only to full URL
(via index-url or url field), fixing credential collisions when
multiple Python indexes share a host with different paths.

Author: kbukum1

internal/handlers/oidc_handling_test.go

@@ -1035,7 +1035,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			},
 			urlMocks: []mockHttpRequest{},
 			expectedLogLines: []string{
-				"registered aws OIDC credentials for python index: python.example.com",
+				"registered aws OIDC credentials for python index: https://python.example.com",
 			},
 			urlsToAuthenticate: []string{
 				"https://python.example.com/some-package",
@@ -1057,7 +1057,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			},
 			urlMocks: []mockHttpRequest{},
 			expectedLogLines: []string{
-				"registered azure OIDC credentials for python index: python.example.com",
+				"registered azure OIDC credentials for python index: https://python.example.com",
 			},
 			urlsToAuthenticate: []string{
 				"https://python.example.com/some-package",
@@ -1078,7 +1078,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			},
 			urlMocks: []mockHttpRequest{},
 			expectedLogLines: []string{
-				"registered jfrog OIDC credentials for python index: jfrog.example.com",
+				"registered jfrog OIDC credentials for python index: https://jfrog.example.com",
 			},
 			urlsToAuthenticate: []string{
 				"https://jfrog.example.com/some-package",
@@ -1101,7 +1101,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			},
 			urlMocks: []mockHttpRequest{},
 			expectedLogLines: []string{
-				"registered cloudsmith OIDC credentials for python index: cloudsmith.example.com",
+				"registered cloudsmith OIDC credentials for python index: https://cloudsmith.example.com",
 			},
 			urlsToAuthenticate: []string{
 				"https://cloudsmith.example.com/some-package",

internal/handlers/python_index.go

@@ -4,7 +4,6 @@ import (
 	"net/http"
 	"regexp"
 	"strings"
-	"sync"
 
 	"github.com/elazarl/goproxy"
 
@@ -18,9 +17,8 @@ var simpleSuffixRe = regexp.MustCompile(`/\+?simple/?\z`)
 
 // PythonIndexHandler handles requests to Python indexes, adding auth.
 type PythonIndexHandler struct {
-	credentials     []pythonIndexCredentials
-	oidcCredentials map[string]*oidc.OIDCCredential
-	mutex           sync.RWMutex
+	credentials  []pythonIndexCredentials
+	oidcRegistry *oidc.OIDCRegistry
 }
 
 type pythonIndexCredentials struct {
@@ -34,8 +32,8 @@ type pythonIndexCredentials struct {
 // NewPythonIndexHandler returns a new PythonIndexHandler.
 func NewPythonIndexHandler(creds config.Credentials) *PythonIndexHandler {
 	handler := PythonIndexHandler{
-		credentials:     []pythonIndexCredentials{},
-		oidcCredentials: make(map[string]*oidc.OIDCCredential),
+		credentials:  []pythonIndexCredentials{},
+		oidcRegistry: oidc.NewOIDCRegistry(),
 	}
 
 	for _, cred := range creds {
@@ -45,19 +43,7 @@ func NewPythonIndexHandler(creds config.Credentials) *PythonIndexHandler {
 
 		indexURL := cred.GetString("index-url")
 
-		oidcCredential, _ := oidc.CreateOIDCCredential(cred)
-		if oidcCredential != nil {
-			host := cred.Host()
-			if host == "" && indexURL != "" {
-				regURL, err := helpers.ParseURLLax(indexURL)
-				if err == nil {
-					host = regURL.Hostname()
-				}
-			}
-			if host != "" {
-				handler.oidcCredentials[host] = oidcCredential
-				logging.RequestLogf(nil, "registered %s OIDC credentials for python index: %s", oidcCredential.Provider(), host)
-			}
+		if _, _, ok := handler.oidcRegistry.Register(cred, []string{"index-url", "url"}, "python index"); ok {
 			continue
 		}
 
@@ -85,7 +71,7 @@ func (h *PythonIndexHandler) HandleRequest(req *http.Request, ctx *goproxy.Proxy
 	}
 
 	// Try OIDC credentials first
-	if oidc.TryAuthOIDCRequestWithPrefix(&h.mutex, h.oidcCredentials, req, ctx) {
+	if h.oidcRegistry.TryAuth(req, ctx) {
 		return req, nil
 	}