Prevent duplicate entries in OIDCRegistry

addEntry now checks for existing entries with the same path and port
before appending. This keeps storage bounded regardless of how many
times the same URL is registered.

Author: kbukum1

internal/oidc/oidc_registry.go

@@ -154,22 +154,28 @@ func (r *OIDCRegistry) TryAuth(req *http.Request, ctx *goproxy.ProxyCtx) bool {
 }
 
 // addEntry parses a URL or hostname string and adds a credential entry
-// to the appropriate host bucket. Returns false if the URL could not be parsed.
+// to the appropriate host bucket. Skips duplicates with the same path and port.
+// Returns false if the URL could not be parsed.
 func (r *OIDCRegistry) addEntry(urlOrHost string, cred *OIDCCredential) bool {
 	host, path, port := parseRegistryURL(urlOrHost)
 	if host == "" {
 		return false
 	}
 
-	entry := oidcEntry{
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+
+	for _, e := range r.byHost[host] {
+		if e.path == path && e.port == port {
+			return true
+		}
+	}
+
+	r.byHost[host] = append(r.byHost[host], oidcEntry{
 		path:       path,
 		port:       port,
 		credential: cred,
-	}
-
-	r.mutex.Lock()
-	r.byHost[host] = append(r.byHost[host], entry)
-	r.mutex.Unlock()
+	})
 
 	return true
 }

internal/oidc/oidc_registry_test.go

@@ -462,3 +462,21 @@ func TestOIDCRegistry_RegisterURL_MultipleOnSameHost(t *testing.T) {
 		assert.Equal(t, "Bearer __test_token__", req.Header.Get("Authorization"))
 	}
 }
+
+func TestOIDCRegistry_Register_NoDuplicateEntries(t *testing.T) {
+	setupOIDCEnv(t)
+
+	r := NewOIDCRegistry()
+
+	cred1 := azureCredWithURL("tenant-1", "client-1", "https://registry.example.com/packages")
+	cred2 := azureCredWithURL("tenant-2", "client-2", "https://registry.example.com/packages")
+
+	r.Register(cred1, []string{"url"}, "test registry")
+	r.Register(cred2, []string{"url"}, "test registry")
+
+	r.mutex.RLock()
+	entries := r.byHost["registry.example.com"]
+	r.mutex.RUnlock()
+
+	assert.Equal(t, 1, len(entries), "duplicate path+port should not create a second entry")
+}