
Commit 9b6cfa7

committed
Migrate docker handler to OIDCRegistry
Replace manual OIDC credential map and mutex with the shared OIDCRegistry type. Docker already used the raw registry value as the key, so this is a pure structural refactor with no behavior change.
1 parent b63c337 commit 9b6cfa7

1 file changed

Lines changed: 9 additions & 15 deletions


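--- a/internal/handlers/docker_registry.go
+++ b/internal/handlers/docker_registry.go
@@ -6,7 +6,6 @@ import (
 "net/http"
 "regexp"
 "strings"
-"sync"
 
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/credentials"
@@ -31,18 +30,17 @@ type getECRClient func(region, keyID, secretKey string) (ecriface.ECRAPI, error)
 
 // DockerRegistryHandler handles requests to Docker registries, adding auth.
 type DockerRegistryHandler struct {
-credentials []*dockerRegistryCredentials
-transport http.RoundTripper
-oidcCredentials map[string]*oidc.OIDCCredential
-mutex sync.RWMutex
+credentials []*dockerRegistryCredentials
+transport http.RoundTripper
+oidcRegistry *oidc.OIDCRegistry
 }
 
 // NewDockerRegistryHandler returns a new DockerRegistryHandler.
 func NewDockerRegistryHandler(creds config.Credentials, transport http.RoundTripper, getECRClient getECRClient) *DockerRegistryHandler {
 handler := DockerRegistryHandler{
-credentials: []*dockerRegistryCredentials{},
-transport: transport,
-oidcCredentials: make(map[string]*oidc.OIDCCredential),
+credentials: []*dockerRegistryCredentials{},
+transport: transport,
+oidcRegistry: oidc.NewOIDCRegistry(),
 }
 
 if getECRClient == nil {
@@ -59,12 +57,8 @@ func NewDockerRegistryHandler(creds config.Credentials, transport http.RoundTrip
 registry = cred.Host()
 }
 
-oidcCredential, _ := oidc.CreateOIDCCredential(cred)
-if oidcCredential != nil {
-if registry != "" {
-handler.oidcCredentials[registry] = oidcCredential
-logging.RequestLogf(nil, "registered %s OIDC credentials for docker registry: %s", oidcCredential.Provider(), registry)
-}
+// OIDC credentials are not used as static credentials.
+if oidcCred, _, _ := handler.oidcRegistry.Register(cred, []string{"registry"}, "docker registry"); oidcCred != nil {
 continue
 }
 
@@ -110,7 +104,7 @@ func (h *DockerRegistryHandler) HandleRequest(req *http.Request, ctx *goproxy.Pr
 }
 
 // Try OIDC credentials first
-if oidc.TryAuthOIDCRequestWithPrefix(&h.mutex, h.oidcCredentials, req, ctx) {
+if h.oidcRegistry.TryAuth(req, ctx) {
 return req, nil
 }
 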
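Review bot: The `Register(cred, []string{"registry"}, "docker registry")` call in the third hunk is given the literal key name rather than the `registry` value computed just above it, and the visible context line `registry = cred.Host()` suggests that value can fall back to the host. Whether a credential that sets only a host still has its OIDC token bound to the same registry key depends on `Register`, which is not shown here, so the "no behavior change" claim cannot be confirmed from this file; a test with a host-only credential would pin which requests `TryAuth` attaches the token to. The call also discards two results with `_, _`; if one of them is an error, it should be named and logged, since an OIDC credential that fails registration would otherwise fall through to the static-credential path with no trace. The loop in NewDockerRegistryHandler starts and ends outside the hunk.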