Migrate nuget handler to OIDCRegistry by kbukum1 · Pull Request #92 · dependabot/proxy

kbukum1 · 2026-04-03T01:27:18Z

What

Migrate the NuGet feed handler from manual OIDC credential map + mutex to the shared OIDCRegistry type introduced in #78.

Why

Part of the phased migration to fix OIDC credential collisions when multiple registries share a host (#87).

NuGet previously stored OIDC credentials by url-with-host-fallback. OIDCRegistry preserves the full URL with path-prefix matching, fixing potential collisions when multiple NuGet feeds share a host.

Key changes

Replace oidcCredentials map[string]*oidc.OIDCCredential + sync.RWMutex with *oidc.OIDCRegistry
Primary feed URL registered via Register(cred, ["url"], "nuget feed")
HTTP-discovered resource URLs registered via RegisterURL(discoveredURL, credential, "nuget resource") — this is the only handler that uses RegisterURL
Discovery request authenticated via oidcRegistry.TryAuth() instead of TryAuthOIDCRequestWithPrefix()
Test log lines updated: RegisterURL uses consistent format without the leading indent the old code used
Net -13 lines

Behavior changes

Credential selection is now deterministic. The old code iterated over a Go map (map[string]*OIDCCredential), so with multiple OIDC credentials on the same host, which one matched was nondeterministic. OIDCRegistry.TryAuth uses longest path-prefix matching, ensuring the most specific credential always wins. This is the core fix for OIDC credential collision when multiple registries share a host #87.
Host matching uses strings.ToLower instead of IDNA normalization. The old TryAuthOIDCRequestWithPrefix used helpers.AreHostnamesEqual (IDNA ToASCII), while OIDCRegistry.TryAuth uses lowercase comparison. This is acceptable because all real OIDC registries (Azure DevOps, JFrog, AWS CodeArtifact, Cloudsmith) use ASCII hostnames — no package registry uses internationalized domain names.
OIDC auth restricted to HTTPS only. Previously TryAuthOIDCRequestWithPrefix had no scheme guard, so OIDC tokens could be sent over plaintext HTTP. Now gated with req.URL.Scheme == "https" to prevent credential leakage. Static credentials continue to work over both HTTP and HTTPS (existing nuget behavior).
OIDC discovery guarded with url != "". Host-only credentials (from CLI) are still registered for request-time matching, but feed index discovery is skipped when the URL field is empty since bare hostnames are not valid request URLs.
Response body leak fix. Both the OIDC and static credential discovery blocks now use a closure with defer rawRsp.Body.Close(), fixing a pre-existing bug where the body was leaked on io.ReadAll error or early-return status code paths.

Copilot

Pull request overview

Migrates the NuGet feed handler’s OIDC handling to the shared oidc.OIDCRegistry, aligning NuGet with the registry-based, path-prefix OIDC matching model introduced in #78 to avoid credential collisions when multiple feeds share a host.

Changes:

Replaced the NuGet handler’s per-handler OIDC map + RWMutex with *oidc.OIDCRegistry, and switched request-time auth to oidcRegistry.TryAuth().
Added registration of NuGet HTTP-discovered resource URLs via oidcRegistry.RegisterURL(...).
Updated OIDC log-line expectations in oidc_handling_test.go to match the new registration log format.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File	Description
internal/handlers/nuget_feed.go	Uses `OIDCRegistry` for OIDC credential storage/matching and registers discovered NuGet resource URLs via `RegisterURL`.
internal/handlers/oidc_handling_test.go	Updates expected log lines for NuGet OIDC resource registration output.

Comments suppressed due to low confidence (1)

internal/handlers/nuget_feed.go:92

The log line on io.ReadAll failure drops the underlying error and the URL being fetched, which makes diagnosing feed discovery issues harder. Include both err and the key/URL in the message (and consider logging response status when relevant).

				body, err := io.ReadAll(rawRsp.Body)
				if err != nil {
					logging.RequestLogf(nil, "error reading http response body")
					continue

internal/handlers/nuget_feed.go

Copilot

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

internal/handlers/nuget_feed.go

Copilot

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

internal/handlers/nuget_feed.go

Copilot

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

internal/handlers/nuget_feed.go

Copilot

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated no new comments.

Copilot

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated no new comments.

Replace manual OIDC credential map and mutex with the shared OIDCRegistry type. Nuget uses Register() for the primary feed URL and RegisterURL() for HTTP-discovered resource URLs. The old code stored OIDC credentials by url-with-host-fallback. OIDCRegistry preserves the full URL with path-prefix matching, fixing potential collisions when multiple nuget feeds share a host. Test log lines updated: RegisterURL uses consistent log format without the leading indent that the old code used.

kbukum1 requested a review from a team as a code owner April 3, 2026 01:27

kbukum1 marked this pull request as draft April 3, 2026 01:27

This was referenced Apr 3, 2026

Add generalized OIDCRegistry for collision-free credential storage #78

Merged

OIDC credential collision when multiple registries share a host #87

Closed

kbukum1 requested a review from Copilot April 3, 2026 01:48

Copilot started reviewing on behalf of kbukum1 April 3, 2026 01:49 View session