From 9e483296a4f69f2ec8ae12c4394783321e9e6cd7 Mon Sep 17 00:00:00 2001
From: Kamil Bukum
Date: Thu, 2 Apr 2026 19:47:33 -0500
Subject: [PATCH 1/2] Migrate maven handler to OIDCRegistry Replace manual OIDC credential map and mutex with the shared OIDCRegistry type. OIDC key changes from hostname-only to full URL (via url field), fixing credential collisions when multiple Maven repositories share a host with different paths.
---
 internal/handlers/maven_repository.go | 27 +++++++------------------
 internal/handlers/oidc_handling_test.go | 8 ++++----
 2 files changed, 11 insertions(+), 24 deletions(-)
diff --git a/internal/handlers/maven_repository.go b/internal/handlers/maven_repository.go
index 46e08f6..40f59fe 100644
--- a/internal/handlers/maven_repository.go
+++ b/internal/handlers/maven_repository.go
@@ -2,7 +2,6 @@ package handlers
 import (
 "net/http"
- "sync"
 "github.com/elazarl/goproxy"
@@ -14,9 +13,8 @@ import (
 // MavenRepositoryHandler handles requests to maven repositories, adding auth.
 type MavenRepositoryHandler struct {
- credentials []mavenRepositoryCredentials
- oidcCredentials map[string]*oidc.OIDCCredential
- mutex sync.RWMutex
+ credentials []mavenRepositoryCredentials
+ oidcRegistry *oidc.OIDCRegistry
 }
 type mavenRepositoryCredentials struct {
@@ -29,8 +27,8 @@ type mavenRepositoryCredentials struct {
 // NewMavenRepositoryHandler returns a new MavenRepositoryHandler.
 func NewMavenRepositoryHandler(creds config.Credentials) *MavenRepositoryHandler {
 handler := MavenRepositoryHandler{
- credentials: []mavenRepositoryCredentials{},
- oidcCredentials: make(map[string]*oidc.OIDCCredential),
+ credentials: []mavenRepositoryCredentials{},
+ oidcRegistry: oidc.NewOIDCRegistry(),
 }
 for _, cred := range creds {
@@ -40,19 +38,8 @@ func NewMavenRepositoryHandler(creds config.Credentials) *MavenRepositoryHandler
 url := cred.GetString("url")
- oidcCredential, _ := oidc.CreateOIDCCredential(cred)
- if oidcCredential != nil {
- host := cred.Host()
- if host == "" && url != "" {
- regURL, err := helpers.ParseURLLax(url)
- if err == nil {
- host = regURL.Hostname()
- }
- }
- if host != "" {
- handler.oidcCredentials[host] = oidcCredential
- logging.RequestLogf(nil, "registered %s OIDC credentials for maven repository: %s", oidcCredential.Provider(), host)
- }
+ // OIDC credentials are not used as static credentials.
+ if oidcCred, _, _ := handler.oidcRegistry.Register(cred, []string{"url"}, "maven repository"); oidcCred != nil {
 continue
 }
@@ -81,7 +68,7 @@ func (h *MavenRepositoryHandler) HandleRequest(req *http.Request, ctx *goproxy.P
 }
 // Try OIDC credentials first
- if oidc.TryAuthOIDCRequestWithPrefix(&h.mutex, h.oidcCredentials, req, ctx) {
+ if h.oidcRegistry.TryAuth(req, ctx) {
 return req, nil
 }
diff --git a/internal/handlers/oidc_handling_test.go b/internal/handlers/oidc_handling_test.go
index dc742e6..5cc2bc4 100644
--- a/internal/handlers/oidc_handling_test.go
+++ b/internal/handlers/oidc_handling_test.go
@@ -627,7 +627,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 },
 urlMocks: []mockHttpRequest{},
 expectedLogLines: []string{
- "registered aws OIDC credentials for maven repository: maven.example.com",
+ "registered aws OIDC credentials for maven repository: https://maven.example.com/packages",
 },
 urlsToAuthenticate: []string{
 "https://maven.example.com/packages/some-package",
@@ -649,7 +649,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 },
 urlMocks: []mockHttpRequest{},
 expectedLogLines: []string{
- "registered azure OIDC credentials for maven repository: maven.example.com",
+ "registered azure OIDC credentials for maven repository: https://maven.example.com/packages",
 },
 urlsToAuthenticate: []string{
 "https://maven.example.com/packages/some-package",
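Review bot: Both extra results of `handler.oidcRegistry.Register(...)` are discarded in the `@@ -40,19 +38,8 @@` hunk, so a credential that was meant to be OIDC but does not register gives no signal here and simply continues into the rest of the loop body as if it were a static credential. The removed code also tried `cred.Host()` before falling back to the `url` field, while the new call lists only `"url"` as a key field, so an OIDC credential configured with a host and no url may no longer be registered; Register is defined outside this diff, so that needs confirming. If one of the ignored values reports a failure, it should be logged before falling through, and the key choice deserves a comment such as `// NOTE: only "url" is used as the registry key; a credential with host but no url is not matched here (confirm against Register).` NewMavenRepositoryHandler starts and ends outside the hunk.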
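Review bot: The updated cases in TestOIDCURLsAreAuthenticated (the hunks at -627, -649, -670 and -693) only swap the expected log line from a hostname to a full URL, so nothing here exercises the collision fix the commit message describes. A case with two maven credentials on the same host under different paths, asserting that each request receives its own credential, would pin that behaviour. It should be paired with a request on the same host but outside the configured path that must stay unauthenticated, since under the old hostname key the token would have been attached to any path on that host. The same case would show whether the prefix match stops at a path boundary, for example that a constructed URL like `https://maven.example.com/packages-other/x` is not matched by a credential registered for `https://maven.example.com/packages`. The test table and function continue outside these hunks.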
@@ -670,7 +670,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 },
 urlMocks: []mockHttpRequest{},
 expectedLogLines: []string{
- "registered jfrog OIDC credentials for maven repository: jfrog.example.com",
+ "registered jfrog OIDC credentials for maven repository: https://jfrog.example.com/packages",
 },
 urlsToAuthenticate: []string{
 "https://jfrog.example.com/packages/some-package",
@@ -693,7 +693,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 },
 urlMocks: []mockHttpRequest{},
 expectedLogLines: []string{
- "registered cloudsmith OIDC credentials for maven repository: cloudsmith.example.com",
+ "registered cloudsmith OIDC credentials for maven repository: https://cloudsmith.example.com",
 },
 urlsToAuthenticate: []string{
 "https://cloudsmith.example.com/some-package",
From a5b9f48edb6c89a66e5987218edd6778bc3337a5 Mon Sep 17 00:00:00 2001
From: Kamil Bukum
Date: Sun, 5 Apr 2026 00:13:09 -0500
Subject: [PATCH 2/2] Retrigger CI