From e19c62ad1350fbc3c16dacada2f12b9944e84ac7 Mon Sep 17 00:00:00 2001
From: Kamil Bukum
Date: Thu, 2 Apr 2026 19:58:38 -0500
Subject: [PATCH] Migrate docker handler to OIDCRegistry

Replace manual OIDC credential map and mutex with the shared OIDCRegistry type. Docker already used the raw registry value as the key, so this is a pure structural refactor with no behavior change.
---
 internal/handlers/docker_registry.go | 24 +++++++++--------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/internal/handlers/docker_registry.go b/internal/handlers/docker_registry.go
index cb8f7a0..4d6ce1a 100644
--- a/internal/handlers/docker_registry.go
+++ b/internal/handlers/docker_registry.go
@@ -6,7 +6,6 @@ import (
  "net/http"
  "regexp"
  "strings"
- "sync"
 
  "github.com/aws/aws-sdk-go/aws"
  "github.com/aws/aws-sdk-go/aws/credentials"
@@ -31,18 +30,17 @@ type getECRClient func(region, keyID, secretKey string) (ecriface.ECRAPI, error)
 
 // DockerRegistryHandler handles requests to Docker registries, adding auth.
 type DockerRegistryHandler struct {
- credentials []*dockerRegistryCredentials
- transport http.RoundTripper
- oidcCredentials map[string]*oidc.OIDCCredential
- mutex sync.RWMutex
+ credentials []*dockerRegistryCredentials
+ transport http.RoundTripper
+ oidcRegistry *oidc.OIDCRegistry
 }
 
 // NewDockerRegistryHandler returns a new DockerRegistryHandler.
 func NewDockerRegistryHandler(creds config.Credentials, transport http.RoundTripper, getECRClient getECRClient) *DockerRegistryHandler {
  handler := DockerRegistryHandler{
- credentials: []*dockerRegistryCredentials{},
- transport: transport,
- oidcCredentials: make(map[string]*oidc.OIDCCredential),
+ credentials: []*dockerRegistryCredentials{},
+ transport: transport,
+ oidcRegistry: oidc.NewOIDCRegistry(),
  }
 
  if getECRClient == nil {
@@ -59,12 +57,8 @@ func NewDockerRegistryHandler(creds config.Credentials, transport http.RoundTrip
  registry = cred.Host()
  }
 
- oidcCredential, _ := oidc.CreateOIDCCredential(cred)
- if oidcCredential != nil {
- if registry != "" {
- handler.oidcCredentials[registry] = oidcCredential
- logging.RequestLogf(nil, "registered %s OIDC credentials for docker registry: %s", oidcCredential.Provider(), registry)
- }
+ // OIDC credentials are not used as static credentials.
+ if oidcCred, _, _ := handler.oidcRegistry.Register(cred, []string{"registry"}, "docker registry"); oidcCred != nil {
  continue
  }
 
@@ -110,7 +104,7 @@ func (h *DockerRegistryHandler) HandleRequest(req *http.Request, ctx *goproxy.Pr
  }
 
  // Try OIDC credentials first
- if oidc.TryAuthOIDCRequestWithPrefix(&h.mutex, h.oidcCredentials, req, ctx) {
+ if h.oidcRegistry.TryAuth(req, ctx) {
  return req, nil
  }
 
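Review bot: The added `Register` call no longer receives the `registry` local that the context lines just above fill in with the `cred.Host()` fallback — it is handed only `cred` and the attribute name `"registry"` — so unless `OIDCRegistry.Register` applies the same host fallback internally (not visible in this hunk), a credential whose `registry` attribute is empty is now keyed differently or skipped, which would contradict the commit's "no behavior change" claim. The second and third return values are discarded with `_`; if one of them is an error, a credential that fails to register is dropped silently and requests to that registry then go out without the OIDC token, whereas the removed code at least logged every successful registration. I would check that value (something like `if oidcCred, _, err := handler.oidcRegistry.Register(cred, []string{"registry"}, "docker registry"); err != nil { logging.RequestLogf(nil, "…") }`, adjusted to Register's actual signature) and add a test for the empty-`registry`/host-fallback case. NewDockerRegistryHandler's body begins and ends outside the hunk.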
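Review bot: `h.oidcRegistry.TryAuth(req, ctx)` is invoked unconditionally, and after the struct change in the earlier hunk a `DockerRegistryHandler` constructed as a zero value (e.g. directly in a test rather than via `NewDockerRegistryHandler`) holds a nil `oidcRegistry`; the removed call was safe with a nil map and a zero mutex, but whether `TryAuth` tolerates a nil receiver cannot be seen here. Either guard it — `if h.oidcRegistry != nil && h.oidcRegistry.TryAuth(req, ctx) {` — or state on the struct field that `oidcRegistry` must be non-nil. The removed helper's name, `TryAuthOIDCRequestWithPrefix`, suggests the request host was matched against registered keys by prefix; a looser or different rule in `TryAuth` would change which hosts receive an OIDC token, so a comment such as `// TryAuth applies the same host-matching rule as the former TryAuthOIDCRequestWithPrefix.` or a test pinning that rule would make the claimed no-behavior-change reviewable. HandleRequest's body begins and ends outside the hunk.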