fix: remove weird host based cred cache

[jakobmoellerdev]

What this PR does / why we need it

• refactor: remove credentialCache from provider and related test files
• chore: simplify credential handling by inlining logic into toCredential function

Which issue(s) this PR fixes

the current provider credential cache is not correct. oras can and our cred cache was only able to store by hostname but reusing the creds for differing identities as we have it is invalid.

Verification

• I have tested the changes locally by running ocm

this came up during testing of open-component-model/ocm-website#777

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Removed the in-memory, thread-safe OCI credential cache and its tests. Provider now derives an identity per repository call, creates a fresh auth cache, and supplies credentials via an inline Credential callback. Docker credential resolution now accepts host-only hostport values.

Changes

Cohort / File(s)	Summary
Credential cache removal bindings/go/oci/repository/provider/credential_cache.go, bindings/go/oci/repository/provider/credential_cache_test.go	Deleted the in-memory, thread-safe credential cache and its tests (cache entries, get/add semantics, helpers, and equality checks).
Provider behavior bindings/go/oci/repository/provider/provider.go	Removed provider-level credential/authorization cache fields and initialization. GetComponentVersionRepository now derives identity via v1.IdentityFromOCIRepository, creates a fresh auth.Cache per call, and configures auth.Client.Credential with an inline credentials.CredentialFunc using the provided creds (parameter renamed credentials→creds).
Docker credential handling bindings/go/oci/credentials/docker_config.go, bindings/go/oci/credentials/docker_config_test.go	CredentialFunc accepts host-only hostport values by treating a missing-port AddrError as "host without port" instead of failing; tests updated accordingly.

Sequence Diagram(s)

sequenceDiagram
    participant Provider
    participant Identity as "Identity\n(v1.IdentityFromOCIRepository)"
    participant AuthCache as "auth.Cache\n(new per call)"
    participant AuthClient as "auth.Client\n(CredentialFunc)"
    participant Registry

    Provider->>Identity: derive consumer identity from repository
    Provider->>AuthCache: create auth.NewCache()
    Provider->>AuthClient: create client with CredentialFunc(identity, creds)
    AuthClient->>AuthCache: consult cache for tokens/credentials
    AuthClient->>Registry: authenticate requests using computed credentials

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: Normalize scheme handling and update identity type to OCIRegistry #1964 — Changes to how OCI consumer identities are derived/used (v1.IdentityFromOCIRepository) and related credential resolution behavior.

Suggested reviewers

• frewilhelm
• Skarlso
• matthiasbruns

Poem

🐰 I nibbled the cache, sent state on its way,
Fresh creds for each call, I leap and I play,
Host-only names now pass through my door,
No more stale entries piled on the floor,
Hopping light-footed — new flow, evermore! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title accurately describes the main change: removing a credential cache that had hostname-based limitations, which is the primary objective of the changeset.
Description check	✅ Passed	The description clearly explains what was removed (credential cache), why it was removed (hostname-only storage is invalid for ORAS), and confirms testing was performed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindings/go/oci/repository/provider/provider.go`:
- Around line 196-209: The toCredential function currently reads raw map keys
like "username", "password", "access_token", and "refresh_token" which
mismatches the keys used when writing credentials (e.g.,
accessToken/refreshToken); update toCredential to use the shared constants
(e.g., CredentialKeyUsername, CredentialKeyPassword, CredentialKeyAccessToken,
CredentialKeyRefreshToken from bindings/go/oci/credentials/docker_config.go)
instead of raw string literals so token-based auth isn't dropped and key names
remain consistent across writers and readers.
- Around line 143-151: The credential keys and cache lifetime are incorrect:
update toCredential to read the canonical credential keys defined in
credentials.CredentialKeyAccessToken / CredentialKeyRefreshToken (instead of
"access_token"/"refresh_token") so it matches how CredentialFunc populates
credentials, and when constructing the ocirepository client in NewFromOCIRepoV1
replace the shared b.authorizationCache with a new per-client cache via
auth.NewCache() (leave b.httpClient and other fields as-is) so each
repository/client gets an isolated authorization cache.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 229c1f33-3d86-4e04-b125-5a18603e40a2

📥 Commits

Reviewing files that changed from the base of the PR and between 220c7f9 and fe61cab.

📒 Files selected for processing (3)

• bindings/go/oci/repository/provider/credential_cache.go
• bindings/go/oci/repository/provider/credential_cache_test.go
• bindings/go/oci/repository/provider/provider.go

💤 Files with no reviewable changes (2)

• bindings/go/oci/repository/provider/credential_cache_test.go
• bindings/go/oci/repository/provider/credential_cache.go