Migrate maven handler to OIDCRegistry

[kbukum1]

What

Migrate the Maven repository handler from manual OIDC credential map + mutex to the shared OIDCRegistry type introduced in #78.

Why

Part of the phased migration to fix OIDC credential collisions when multiple registries share a host (#87).

Maven was storing OIDC credentials keyed by hostname only. Two Maven repositories on the same host with different paths would collide. The OIDCRegistry preserves the full URL (via url field), fixing this.

Key behavior change

OIDC registration key changes from hostname-only to full URL, reflected in updated expected log lines in the OIDC integration test.

Behavior changes

• Credential selection is now deterministic. The old code iterated over a Go map (map[string]*OIDCCredential), so with multiple OIDC credentials on the same host, which one matched was nondeterministic. OIDCRegistry.TryAuth uses longest path-prefix matching, ensuring the most specific credential always wins. This is the core fix for OIDC credential collision when multiple registries share a host #87.

• Host matching uses strings.ToLower instead of IDNA normalization. The old TryAuthOIDCRequestWithPrefix used helpers.AreHostnamesEqual (IDNA ToASCII), while OIDCRegistry.TryAuth uses lowercase comparison. This is acceptable because all real OIDC registries (Azure DevOps, JFrog, AWS CodeArtifact, Cloudsmith) use ASCII hostnames — no package registry uses internationalized domain names.

[Copilot]

Pull request overview

This PR migrates the Maven repository handler from a per-handler OIDC credential map (keyed by hostname) to the shared oidc.OIDCRegistry, addressing OIDC credential collisions when multiple Maven registries share the same host but differ by path.

Changes:

• Replace Maven’s handler-local map[string]*OIDCCredential + sync.RWMutex with oidc.OIDCRegistry.
• Update OIDC integration test expectations to reflect the new registration/log key (full URL instead of hostname).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
internal/handlers/maven_repository.go	Switch Maven OIDC storage/matching to OIDCRegistry and use TryAuth for request authentication.
internal/handlers/oidc_handling_test.go	Update expected log lines for Maven OIDC registration to include full URL keys.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

internal/handlers/oidc_handling_test.go:635

• The Maven OIDC migration is meant to fix same-host/different-path collisions via longest path-prefix matching, but the handler-level integration test cases here still cover only a single Maven OIDC credential at a time. Consider adding a regression case with two maven_repository OIDC credentials sharing the same host but different URL paths (e.g., /feed-A/... and /feed-B/...) and assert that a request under feed-A is authenticated with the feed-A credential (and similarly for feed-B). This will catch regressions where the handler registers with the wrong key fields or the match selection stops being deterministic.

		{
			name:     "Maven",
			provider: "aws",
			handlerFactory: func(creds config.Credentials) oidcHandler {
				return NewMavenRepositoryHandler(creds)
			},
			credentials: config.Credentials{
				config.Credential{
					"type":         "maven_repository",
					"url":          "https://maven.example.com/packages",
					"aws-region":   testRegion,
					"account-id":   "123456789012",
					"role-name":    "MyRole",
					"domain":       "my-domain",
					"domain-owner": "9876543210",
				},
			},
			urlMocks: []mockHttpRequest{},
			expectedLogLines: []string{
				"registered aws OIDC credentials for maven repository: https://maven.example.com/packages",
			},
			urlsToAuthenticate: []string{
				"https://maven.example.com/packages/some-package",
			},
		},