feat: store jwks keysets based on issuer_url (#18862)

Currently, any custom issuer keys would be stored alongside the "parent"
keys for the service, intermingling and making it less clear which keys
belong to which service.

Store with the `issuer_url` instead, as redis is fine with keys using
special characters, and thus allow storage and lookups for a given
issuer.

No migration path necessary, as an empty cache will trigger a fresh
lookup and storage the first time.

Signed-off-by: Mike Fiedler <[email protected]>

Author: miketheman

warehouse/oidc/services.py

@@ -121,7 +121,7 @@ def __init__(
         self.cache_url = cache_url
         self.metrics = metrics
 
-        self._publisher_jwk_key = f"/warehouse/oidc/jwks/{self.publisher}"
+        self._publisher_jwk_key = f"/warehouse/oidc/jwks/{self.issuer_url}"
         self._publisher_timeout_key = f"{self._publisher_jwk_key}/timeout"
 
     def _store_keyset(self, keys: dict) -> None:
@@ -255,7 +255,7 @@ def jwt_identifier_exists(self, jti: str) -> bool:
         Check if a JWT Token Identifier has already been used.
         """
         with redis.StrictRedis.from_url(self.cache_url) as r:
-            return bool(r.exists(f"/warehouse/oidc/{self.publisher}/{jti}"))
+            return bool(r.exists(f"/warehouse/oidc/{self.issuer_url}/{jti}"))
 
     def store_jwt_identifier(self, jti: str, expiration: int) -> None:
         """
@@ -266,7 +266,7 @@ def store_jwt_identifier(self, jti: str, expiration: int) -> None:
             # the token expiration date. Thus, the lock will not be
             # released before the token invalidation.
             r.set(
-                f"/warehouse/oidc/{self.publisher}/{jti}",
+                f"/warehouse/oidc/{self.issuer_url}/{jti}",
                 exat=expiration + 5,
                 value="",  # empty value to lower memory usage
                 nx=True,