refactor: use provider name as canonical DB foreign key (#190)

* refactor: use provider name as canonical DB foreign key

Replace the type/host compound key (e.g. github/github.com) with the
user-configured provider name (e.g. github, internal-github) as the
canonical identifier stored in all provider FK columns.

Provider names are unique by YAML map key constraint, stable across
hostname changes, and human-readable — removing the need for the
type/host compound key entirely.

Changes:
- GitProxyProvider.getProviderId() now returns getName()
- ProviderRegistry.resolveProvider() simplified; type/host fallback removed
- JettyConfigurationBuilder: removed seenProviderIds conflict map (redundant),
  updated error messages and Javadocs
- ProfileController + UserController: removed provider.replace('@', '/') decode
- api.ts: removed providerToPathKey function and its two call sites
- scripts/migrate-provider-ids.sql: one-off UPDATE script for existing installs
- Tests: updated all provider ID assertions, removed backwards-compat test,
  added two tests for same-type multi-provider (github + internal-github)

closes #188

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: pre-install grype ourselves, drop grype-version from scan-action

scan-action downloads grype's install.sh from main at runtime and passes
the version directly — the script constructs releases/{version} URLs
which 404 for non-latest versions. Pre-install our checksum-verified
binary first so scan-action uses the PATH binary instead.

* chore: bump grype to 0.112.0

* fix: pre-install grype in docker-publish scan job, bump to 0.112.0

Same broken pattern as container-scan.yml — scan-action was downloading
grype's install.sh from main which constructs invalid release tag URLs.
Pre-install our checksum-verified binary first, drop grype-version.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: coopernetes

.github/workflows/container-scan.yml

@@ -12,17 +12,26 @@ jobs:
     name: Container Scan
     runs-on: ubuntu-latest
     env:
-      GRYPE_VERSION: "0.111.1"
+      GRYPE_VERSION: "0.112.0"
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
 
+      - name: Install grype
+        run: |
+          cd /tmp
+          curl -sSfL -o "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" \
+            "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz"
+          curl -sSfL -o "grype_${GRYPE_VERSION}_checksums.txt" \
+            "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_checksums.txt"
+          grep "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" "grype_${GRYPE_VERSION}_checksums.txt" | sha256sum --check
+          tar -xzf "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" -C /usr/local/bin grype
+
       - name: Scan image
         uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # ratchet:anchore/scan-action@v7
         id: scan
         with:
           image: ghcr.io/coopernetes/git-proxy-java:latest
-          grype-version: ${{ env.GRYPE_VERSION }}
           fail-build: true
           severity-cutoff: high
           only-fixed: true
@@ -33,17 +42,6 @@ jobs:
       # in the GitHub Security tab (high CVSS score ≠ high actual risk for this workload).
       # The build still fails on high/critical with a fix available via fail-build: true above.
 
-      - name: Install grype
-        if: always()
-        run: |
-          cd /tmp
-          curl -sSfL -o "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" \
-            "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz"
-          curl -sSfL -o "grype_${GRYPE_VERSION}_checksums.txt" \
-            "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_checksums.txt"
-          grep "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" "grype_${GRYPE_VERSION}_checksums.txt" | sha256sum --check
-          tar -xzf "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" -C /usr/local/bin grype
-
       - name: Generate human-readable report
         if: always()
         run: |

.github/workflows/docker-publish.yml

@@ -82,17 +82,26 @@ jobs:
       contents: read
     if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
     env:
-      GRYPE_VERSION: "0.111.1"
+      GRYPE_VERSION: "0.112.0"
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
 
+      - name: Install grype
+        run: |
+          cd /tmp
+          curl -sSfL -o "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" \
+            "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz"
+          curl -sSfL -o "grype_${GRYPE_VERSION}_checksums.txt" \
+            "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_checksums.txt"
+          grep "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" "grype_${GRYPE_VERSION}_checksums.txt" | sha256sum --check
+          tar -xzf "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" -C /usr/local/bin grype
+
       - name: Scan image
         uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # ratchet:anchore/scan-action@v7
         id: scan
         with:
           image: ghcr.io/${{ github.repository }}@${{ needs.build-and-push.outputs.digest }}
-          grype-version: ${{ env.GRYPE_VERSION }}
           fail-build: true
           severity-cutoff: high
           only-fixed: true
@@ -103,10 +112,6 @@ jobs:
       # in the GitHub Security tab (high CVSS score ≠ high actual risk for this workload).
       # The build still fails on high/critical with a fix available via fail-build: true above.
 
-      - name: Add grype to PATH
-        if: always()
-        run: echo "$(dirname $(find /opt/hostedtoolcache/grype -name grype -type f | head -1))" >> $GITHUB_PATH
-
       - name: Generate scan report
         if: always()
         run: |

git-proxy-java-core/src/main/java/org/finos/gitproxy/provider/GitProxyProvider.java

@@ -14,13 +14,12 @@ public interface GitProxyProvider {
     String getType();
 
     /**
-     * Unique provider identity combining type and host (e.g. "github/github.com", "github/github.corp.example.com").
-     * Used for SCM identity resolution, permission matching, token caching, and DB storage. Two providers of the same
-     * type but different hosts (e.g. public GitHub and internal GHES) have distinct provider IDs — tokens, identities,
-     * and permissions are never shared across hosts.
+     * Canonical provider identity — equals the user-configured name (the YAML config map key, e.g. {@code "github"},
+     * {@code "internal"}). Used for SCM identity resolution, permission matching, token caching, and DB storage.
+     * Provider names are unique by YAML map key constraint and stable across hostname changes.
      */
     default String getProviderId() {
-        return getType() + "/" + getUri().getHost();
+        return getName();
     }
 
     URI getUri();

git-proxy-java-core/src/main/java/org/finos/gitproxy/provider/ProviderRegistry.java

@@ -4,9 +4,8 @@
 import org.finos.gitproxy.db.UrlRuleRegistry;
 
 /**
- * Registry of configured git proxy providers. Keyed by the friendly name used as the config map key (e.g.
- * {@code github}, {@code internal-gitlab}), independent of the internal {@code type/host} provider ID used for request
- * routing.
+ * Registry of configured git proxy providers. Keyed by the user-configured name (the YAML config map key, e.g.
+ * {@code github}, {@code internal-gitlab}), which is also the canonical provider ID stored in the database.
  *
  * <p>Consistent with {@link UrlRuleRegistry} — a lookup/discovery mechanism, not a CRUD store.
  */
@@ -23,21 +22,13 @@ public interface ProviderRegistry {
     List<GitProxyProvider> getProviders();
 
     /**
-     * Resolves a provider by either its friendly name (e.g. {@code "github"}) or its canonical {@code type/host} ID
-     * (e.g. {@code "github/github.com"}). Friendly name is tried first.
+     * Resolves a provider by its name (the YAML config map key, e.g. {@code "github"}). Null/blank input returns null
+     * (meaning "applies to all providers").
      *
-     * <p>This is the entry point for validating config references in {@code permissions:}, {@code rules:}, and
-     * {@code scm-identities:} — both forms are accepted so operators can use whichever is more readable.
-     *
-     * @return the provider, or {@code null} if neither a friendly name nor an ID match
+     * @return the provider, or {@code null} if not found
      */
     default GitProxyProvider resolveProvider(String nameOrId) {
         if (nameOrId == null || nameOrId.isBlank()) return null;
-        GitProxyProvider byName = getProvider(nameOrId);
-        if (byName != null) return byName;
-        return getProviders().stream()
-                .filter(p -> p.getProviderId().equals(nameOrId))
-                .findFirst()
-                .orElse(null);
+        return getProvider(nameOrId);
     }
 }

git-proxy-java-core/src/test/java/org/finos/gitproxy/db/PushRecordMapperTest.java

@@ -127,7 +127,7 @@ void fromRequestDetails_withProvider_setsUpstreamUrl() {
         when(provider.getName()).thenReturn("github");
         when(provider.getType()).thenReturn("github");
         when(provider.getUri()).thenReturn(URI.create("https://github.com/"));
-        when(provider.getProviderId()).thenReturn("github/github.com");
+        when(provider.getProviderId()).thenReturn("github");
 
         GitRequestDetails details = new GitRequestDetails();
         details.setRepoRef(

git-proxy-java-core/src/test/java/org/finos/gitproxy/git/ApprovalPreReceiveHookTest.java

@@ -175,14 +175,13 @@ void selfApproved_alreadyApprovedAtHookStart_noPerm_rejected() throws Exception
                 .id(recordId)
                 .status(PushStatus.APPROVED)
                 .resolvedUser("alice")
-                .provider("github/github.com")
+                .provider("github")
                 .url("/owner/repo")
                 .attestation(att)
                 .build();
         when(pushStore.findById(recordId)).thenReturn(Optional.of(record));
         RepoPermissionService perms = mock(RepoPermissionService.class);
-        when(perms.isBypassReviewAllowed("alice", "github/github.com", "/owner/repo"))
-                .thenReturn(false);
+        when(perms.isBypassReviewAllowed("alice", "github", "/owner/repo")).thenReturn(false);
 
         RevCommit c1 = createCommit("init");
         RevCommit c2 = createCommit("second");
@@ -193,7 +192,7 @@ void selfApproved_alreadyApprovedAtHookStart_noPerm_rejected() throws Exception
                 .onPreReceive(rp, List.of(cmd));
 
         assertEquals(ReceiveCommand.Result.REJECTED_OTHER_REASON, cmd.getResult());
-        verify(perms).isBypassReviewAllowed("alice", "github/github.com", "/owner/repo");
+        verify(perms).isBypassReviewAllowed("alice", "github", "/owner/repo");
     }
 
     @Test
@@ -210,14 +209,13 @@ void selfApproved_alreadyApprovedAtHookStart_withPerm_passes() throws Exception
                 .id(recordId)
                 .status(PushStatus.APPROVED)
                 .resolvedUser("alice")
-                .provider("github/github.com")
+                .provider("github")
                 .url("/owner/repo")
                 .attestation(att)
                 .build();
         when(pushStore.findById(recordId)).thenReturn(Optional.of(record));
         RepoPermissionService perms = mock(RepoPermissionService.class);
-        when(perms.isBypassReviewAllowed("alice", "github/github.com", "/owner/repo"))
-                .thenReturn(true);
+        when(perms.isBypassReviewAllowed("alice", "github", "/owner/repo")).thenReturn(true);
 
         RevCommit c1 = createCommit("init");
         RevCommit c2 = createCommit("second");
@@ -241,7 +239,7 @@ void selfApproved_viaWaitForApproval_noPerm_rejected() throws Exception {
                 .id(recordId)
                 .status(PushStatus.PENDING)
                 .resolvedUser("alice")
-                .provider("github/github.com")
+                .provider("github")
                 .url("/owner/repo")
                 .build();
         Attestation att = Attestation.builder()
@@ -253,16 +251,15 @@ void selfApproved_viaWaitForApproval_noPerm_rejected() throws Exception {
                 .id(recordId)
                 .status(PushStatus.APPROVED)
                 .resolvedUser("alice")
-                .provider("github/github.com")
+                .provider("github")
                 .url("/owner/repo")
                 .attestation(att)
                 .build();
         when(pushStore.findById(recordId)).thenReturn(Optional.of(pending)).thenReturn(Optional.of(approved));
         when(approvalGateway.waitForApproval(eq(recordId), any(), any(Duration.class)))
                 .thenReturn(ApprovalResult.APPROVED);
         RepoPermissionService perms = mock(RepoPermissionService.class);
-        when(perms.isBypassReviewAllowed("alice", "github/github.com", "/owner/repo"))
-                .thenReturn(false);
+        when(perms.isBypassReviewAllowed("alice", "github", "/owner/repo")).thenReturn(false);
 
         RevCommit c1 = createCommit("init");
         RevCommit c2 = createCommit("second");
@@ -273,7 +270,7 @@ void selfApproved_viaWaitForApproval_noPerm_rejected() throws Exception {
                 .onPreReceive(rp, List.of(cmd));
 
         assertEquals(ReceiveCommand.Result.REJECTED_OTHER_REASON, cmd.getResult());
-        verify(perms).isBypassReviewAllowed("alice", "github/github.com", "/owner/repo");
+        verify(perms).isBypassReviewAllowed("alice", "github", "/owner/repo");
     }
 
     @Test
@@ -291,7 +288,7 @@ void differentApproverThanPusher_noReVerifyNeeded() throws Exception {
                 .id(recordId)
                 .status(PushStatus.APPROVED)
                 .resolvedUser("alice")
-                .provider("github/github.com")
+                .provider("github")
                 .url("/owner/repo")
                 .attestation(att)
                 .build();

git-proxy-java-core/src/test/java/org/finos/gitproxy/git/CheckUserPushPermissionHookTest.java

@@ -123,8 +123,7 @@ void resolverReturnsEmpty_addsNotRegisteredIssue() throws Exception {
     void userNotAuthorized_addsUnauthorizedIssue() throws Exception {
         GitProxyProvider github = new GitHubProvider("/push");
         when(resolver.resolve(eq(github), eq("corp-user"), any())).thenReturn(Optional.of(userEntry("alice")));
-        when(permService.isAllowedToPush("alice", "github/github.com", "/owner/repo"))
-                .thenReturn(false);
+        when(permService.isAllowedToPush("alice", "github", "/owner/repo")).thenReturn(false);
 
         RevCommit c1 = createCommit("init");
         RevCommit c2 = createCommit("second");
@@ -154,8 +153,7 @@ void resolvedAndAuthorized_recordsPass() throws Exception {
         GitProxyProvider github = new GitHubProvider("/push");
         when(resolver.resolve(eq(github), eq("corp-user"), eq("ghp_secret")))
                 .thenReturn(Optional.of(userEntry("alice")));
-        when(permService.isAllowedToPush("alice", "github/github.com", "/owner/repo"))
-                .thenReturn(true);
+        when(permService.isAllowedToPush("alice", "github", "/owner/repo")).thenReturn(true);
 
         RevCommit c1 = createCommit("init");
         RevCommit c2 = createCommit("second");
@@ -201,8 +199,7 @@ void nullResolver_withPushUser_passesInOpenMode() throws Exception {
     void provider_isPassedToResolver() throws Exception {
         GitProxyProvider github = new GitHubProvider("/push");
         when(resolver.resolve(eq(github), eq("my-user"), any())).thenReturn(Optional.of(userEntry("my-user")));
-        when(permService.isAllowedToPush("my-user", "github/github.com", "/owner/repo"))
-                .thenReturn(true);
+        when(permService.isAllowedToPush("my-user", "github", "/owner/repo")).thenReturn(true);
 
         RevCommit c1 = createCommit("init");
         RevCommit c2 = createCommit("second");

git-proxy-java-core/src/test/java/org/finos/gitproxy/provider/ProviderTest.java

@@ -164,18 +164,10 @@ void registry_resolveProvider_byFriendlyName() {
         assertSame(github, registry.resolveProvider("github"));
     }
 
-    @Test
-    void registry_resolveProvider_byTypeHostId() {
-        var github = new GitHubProvider("/proxy");
-        var registry = new InMemoryProviderRegistry(Map.of("github", github));
-        // "github/github.com" is the canonical type/host ID
-        assertSame(github, registry.resolveProvider("github/github.com"));
-    }
-
     @Test
     void registry_resolveProvider_unknown_returnsNull() {
         var registry = new InMemoryProviderRegistry(Map.of());
-        assertNull(registry.resolveProvider("nonexistent/host.example.com"));
+        assertNull(registry.resolveProvider("nonexistent"));
     }
 
     @Test

git-proxy-java-core/src/test/java/org/finos/gitproxy/service/CachingTokenPushIdentityResolverTest.java

@@ -31,7 +31,7 @@ void setUp() {
         when(provider.getName()).thenReturn("github");
         when(provider.getType()).thenReturn("github");
         when(provider.getUri()).thenReturn(URI.create("https://github.com"));
-        when(provider.getProviderId()).thenReturn("github/github.com");
+        when(provider.getProviderId()).thenReturn("github");
         resolver = new CachingTokenPushIdentityResolver(delegate, cache, userStore);
     }
 
@@ -51,7 +51,7 @@ private static UserEntry entry(String username) {
     @Test
     void cacheHit_returnsCachedUser_delegateNotCalled() {
         UserEntry alice = entry("alice");
-        when(cache.lookup(eq("github/github.com"), anyString())).thenReturn(Optional.of("alice"));
+        when(cache.lookup(eq("github"), anyString())).thenReturn(Optional.of("alice"));
         when(userStore.findByUsername("alice")).thenReturn(Optional.of(alice));
 
         var result = resolver.resolve(provider, "me", "good-token");
@@ -67,22 +67,22 @@ void cacheHit_returnsCachedUser_delegateNotCalled() {
     @Test
     void cacheMiss_delegateResolves_storesAndReturns() {
         UserEntry alice = entry("alice");
-        when(cache.lookup(eq("github/github.com"), anyString())).thenReturn(Optional.empty());
+        when(cache.lookup(eq("github"), anyString())).thenReturn(Optional.empty());
         when(delegate.resolve(provider, "me", "good-token")).thenReturn(Optional.of(alice));
 
         var result = resolver.resolve(provider, "me", "good-token");
 
         assertTrue(result.isPresent());
         assertEquals("alice", result.get().getUsername());
-        verify(cache).store(eq("github/github.com"), anyString(), eq("alice"));
+        verify(cache).store(eq("github"), anyString(), eq("alice"));
         verifyNoMoreInteractions(userStore);
     }
 
     // ---- cache miss, delegate returns empty → nothing stored ----
 
     @Test
     void cacheMiss_delegateEmpty_nothingStored() {
-        when(cache.lookup(eq("github/github.com"), anyString())).thenReturn(Optional.empty());
+        when(cache.lookup(eq("github"), anyString())).thenReturn(Optional.empty());
         when(delegate.resolve(provider, "me", "bad-token")).thenReturn(Optional.empty());
 
         var result = resolver.resolve(provider, "me", "bad-token");
@@ -95,30 +95,30 @@ void cacheMiss_delegateEmpty_nothingStored() {
 
     @Test
     void sameToken_lookupCalledWithSameHash() {
-        when(cache.lookup(eq("github/github.com"), anyString())).thenReturn(Optional.empty());
+        when(cache.lookup(eq("github"), anyString())).thenReturn(Optional.empty());
         when(delegate.resolve(any(), any(), any())).thenReturn(Optional.empty());
 
         resolver.resolve(provider, "me", "my-token");
         resolver.resolve(provider, "me", "my-token");
 
         // Capture both hash arguments and assert they are equal
         var captor = org.mockito.ArgumentCaptor.forClass(String.class);
-        verify(cache, times(2)).lookup(eq("github/github.com"), captor.capture());
+        verify(cache, times(2)).lookup(eq("github"), captor.capture());
         assertEquals(captor.getAllValues().get(0), captor.getAllValues().get(1));
     }
 
     // ---- different tokens produce different hashes ----
 
     @Test
     void differentTokens_differentHashes() {
-        when(cache.lookup(eq("github/github.com"), anyString())).thenReturn(Optional.empty());
+        when(cache.lookup(eq("github"), anyString())).thenReturn(Optional.empty());
         when(delegate.resolve(any(), any(), any())).thenReturn(Optional.empty());
 
         resolver.resolve(provider, "me", "token-a");
         resolver.resolve(provider, "me", "token-b");
 
         var captor = org.mockito.ArgumentCaptor.forClass(String.class);
-        verify(cache, times(2)).lookup(eq("github/github.com"), captor.capture());
+        verify(cache, times(2)).lookup(eq("github"), captor.capture());
         assertNotEquals(captor.getAllValues().get(0), captor.getAllValues().get(1));
     }