fix path boundary issue and add unit tests

Author: AbhishekBhaskar

internal/handlers/terraform_registry.go

@@ -2,6 +2,8 @@ package handlers
 
 import (
 	"net/http"
+	"sort"
+	"strings"
 	"sync"
 
 	"github.com/elazarl/goproxy"
@@ -65,6 +67,12 @@ func NewTerraformRegistryHandler(credentials config.Credentials) *TerraformRegis
 		}
 		handler.credentials = append(handler.credentials, terraformCred)
 	}
+
+	// Sort credentials by URL path length descending (longest first)
+	sort.Slice(handler.credentials, func(i, j int) bool {
+		return len(handler.credentials[i].url) > len(handler.credentials[j].url)
+	})
+
 	return &handler
 }
 
@@ -80,7 +88,7 @@ func (h *TerraformRegistryHandler) HandleRequest(request *http.Request, context
 
 	// Fall back to static credentials
 	for _, cred := range h.credentials {
-		if !helpers.UrlMatchesRequest(request, cred.url, true) && !helpers.CheckHost(request, cred.host) {
+		if !urlMatchesRequestWithBoundary(request, cred.url) && !helpers.CheckHost(request, cred.host) {
 			continue
 		}
 
@@ -91,3 +99,53 @@ func (h *TerraformRegistryHandler) HandleRequest(request *http.Request, context
 
 	return request, nil
 }
+
+// urlMatchesRequestWithBoundary checks if the request URL matches the credential URL
+// with proper path boundary checking.
+func urlMatchesRequestWithBoundary(request *http.Request, credURL string) bool {
+	if credURL == "" {
+		return false
+	}
+
+	parsedURL, err := helpers.ParseURLLax(credURL)
+	if err != nil {
+		return false
+	}
+
+	if !helpers.AreHostnamesEqual(parsedURL.Hostname(), request.URL.Hostname()) {
+		return false
+	}
+
+	urlPort := parsedURL.Port()
+	if urlPort == "" {
+		urlPort = "443"
+	}
+
+	reqPort := request.URL.Port()
+	if reqPort == "" {
+		reqPort = "443"
+	}
+
+	if urlPort != reqPort {
+		return false
+	}
+
+	credPath := strings.TrimRight(parsedURL.Path, "/")
+	reqPath := request.URL.Path
+
+	if credPath == "" {
+		// Empty path matches everything on the host
+		return true
+	}
+
+	if reqPath == credPath {
+		return true
+	}
+
+	// Check if request path starts with credPath followed by /
+	if strings.HasPrefix(reqPath, credPath+"/") {
+		return true
+	}
+
+	return false
+}

internal/handlers/terraform_registry_test.go

@@ -110,4 +110,26 @@ func TestTerraformRegistryHandler(t *testing.T) {
 		handler := NewTerraformRegistryHandler(credentials)
 		assert.Equal(t, 0, len(handler.credentials), "should skip credential with empty host and url")
 	})
+
+	t.Run("path boundary: /org should not match /org1", func(t *testing.T) {
+		// Credentials are sorted longest-path-first to ensure /org1 matches before /org
+		credentials := config.Credentials{
+			config.Credential{"type": "terraform_registry", "url": "https://terraform.example.com/org", "token": "token-org"},
+			config.Credential{"type": "terraform_registry", "url": "https://terraform.example.com/org1", "token": "token-org1"},
+		}
+		handler := NewTerraformRegistryHandler(credentials)
+
+		assert.Equal(t, "https://terraform.example.com/org1", handler.credentials[0].url, "longer path should be first")
+		assert.Equal(t, "https://terraform.example.com/org", handler.credentials[1].url, "shorter path should be second")
+
+		req1 := handleRequestAndClose(handler, httptest.NewRequest("GET", "https://terraform.example.com/org1/v1/providers/foo", nil), nil)
+		assert.Equal(t, "Bearer token-org1", req1.Header.Get("Authorization"), "/org1 path should use org1 token")
+
+		req2 := handleRequestAndClose(handler, httptest.NewRequest("GET", "https://terraform.example.com/org/v1/providers/bar", nil), nil)
+		assert.Equal(t, "Bearer token-org", req2.Header.Get("Authorization"), "/org path should use org token")
+
+		// Request to /org123 should NOT match /org1 or /org (path boundary check)
+		req3 := handleRequestAndClose(handler, httptest.NewRequest("GET", "https://terraform.example.com/org123/v1/providers/baz", nil), nil)
+		assert.Equal(t, "", req3.Header.Get("Authorization"), "/org123 should not match /org or /org1")
+	})
 }