[JENKINS-73172] Reuse credentials object reference through scans to avoid frequent duplicated lookups (#787)

* [JENKINS-73172] Cache scan credentials in ThreadLocal to avoid frequent duplicated lookups

* [JENKINS-73172] Adapt GitHubSCMBuilder and fix tests

* [JENKINS-73172] Use CredentialsProvider.lookupCredentialsInItem

* [JENKINS-73172] Extract in a CredentialsCache

* [JENKINS-73172] Handle expiration

* [JENKINS-73172] Improve thoughput using parent context + add disabled via system property

* [JENKINS-73172] Keep referenc of the credentials through scans

* [JENKINS-73172] Revert ThreadLocal from Connector

* [JENKINS-73172] Add missing volatile

Co-authored-by: Robert Sandell <[email protected]>

* Restrict

* [JENKINS-73172] Apply spotless

* [JENKINS-73172] Spotbugs fix / Prevent potential NPE

* [JENKINS-73172] Apply non deprecated API suggestions

Co-authored-by: Jérôme Pochat <[email protected]>

* [JENKINS-73172] Make method private

Co-authored-by: Jérôme Pochat <[email protected]>

* [JENKINS-73172] Infer ID from credentials object if not null for consistency

---------

Co-authored-by: Robert Sandell <[email protected]>
Co-authored-by: Jérôme Pochat <[email protected]>

Author: 3 people

src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java

@@ -295,23 +295,22 @@ public static StandardCredentials lookupScanCredentials(
             @CheckForNull String repoOwner) {
         if (Util.fixEmpty(scanCredentialsId) == null) {
             return null;
-        } else {
-            StandardCredentials c = CredentialsMatchers.firstOrNull(
-                    CredentialsProvider.lookupCredentials(
-                            StandardUsernameCredentials.class,
-                            context,
-                            context instanceof Queue.Task
-                                    ? ((Queue.Task) context).getDefaultAuthentication()
-                                    : ACL.SYSTEM,
-                            githubDomainRequirements(apiUri)),
-                    CredentialsMatchers.allOf(
-                            CredentialsMatchers.withId(scanCredentialsId), githubScanCredentialsMatcher()));
-            if (c instanceof GitHubAppCredentials && repoOwner != null) {
-                return ((GitHubAppCredentials) c).withOwner(repoOwner);
-            } else {
-                return c;
-            }
         }
+        StandardCredentials c = CredentialsMatchers.firstOrNull(
+                CredentialsProvider.lookupCredentialsInItem(
+                        StandardUsernameCredentials.class,
+                        context,
+                        context instanceof Queue.Task
+                                ? ((Queue.Task) context).getDefaultAuthentication2()
+                                : ACL.SYSTEM2,
+                        githubDomainRequirements(apiUri)),
+                CredentialsMatchers.allOf(
+                        CredentialsMatchers.withId(scanCredentialsId), githubScanCredentialsMatcher()));
+
+        if (c instanceof GitHubAppCredentials && repoOwner != null) {
+            c = ((GitHubAppCredentials) c).withOwner(repoOwner);
+        }
+        return c;
     }
 
     /**

src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilder.java

@@ -124,7 +124,6 @@ public GitHubSCMBuilder(
         if (repoUrl != null) {
             withBrowser(new GithubWeb(repoUrl));
         }
-        withCredentials(credentialsId(), null);
     }
 
     /**
@@ -189,7 +188,9 @@ public final RepositoryUriResolver uriResolver() {
      *     {@code null} to detect the the protocol based on the credentialsId. Defaults to HTTP if
      *     credentials are {@code null}. Enables support for blank SSH credentials.
      * @return {@code this} for method chaining.
+     * @deprecated Use {@link #withCredentials(String)} and {@link #withResolver(RepositoryUriResolver)}
      */
+    @Deprecated
     @NonNull
     public GitHubSCMBuilder withCredentials(String credentialsId, RepositoryUriResolver uriResolver) {
         if (uriResolver == null) {
@@ -200,6 +201,12 @@ public GitHubSCMBuilder withCredentials(String credentialsId, RepositoryUriResol
         return withCredentials(credentialsId);
     }
 
+    @NonNull
+    public GitHubSCMBuilder withResolver(RepositoryUriResolver uriResolver) {
+        this.uriResolver = uriResolver;
+        return this;
+    }
+
     /**
      * Returns a {@link RepositoryUriResolver} according to credentials configuration.
      *
@@ -215,12 +222,12 @@ public static RepositoryUriResolver uriResolver(
             return HTTPS;
         } else {
             StandardCredentials credentials = CredentialsMatchers.firstOrNull(
-                    CredentialsProvider.lookupCredentials(
+                    CredentialsProvider.lookupCredentialsInItem(
                             StandardCredentials.class,
                             context,
                             context instanceof Queue.Task
-                                    ? ((Queue.Task) context).getDefaultAuthentication()
-                                    : ACL.SYSTEM,
+                                    ? ((Queue.Task) context).getDefaultAuthentication2()
+                                    : ACL.SYSTEM2,
                             URIRequirementBuilder.create()
                                     .withHostname(RepositoryUriResolver.hostnameFromApiUri(apiUri))
                                     .build()),

src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMNavigator.java

@@ -211,6 +211,9 @@ public class GitHubSCMNavigator extends SCMNavigator {
     private transient Boolean buildForkPRHead;
 
     private static final LoadingCache<String, Boolean> privateModeCache = createPrivateModeCache();
+    /** The cache of the credentials object */
+    @CheckForNull
+    private transient volatile StandardCredentials credentials;
 
     /**
      * Constructor.
@@ -252,6 +255,15 @@ public GitHubSCMNavigator(String apiUri, String repoOwner, String scanCredential
         }
     }
 
+    @CheckForNull
+    @Restricted(NoExternalUse.class)
+    private StandardCredentials getCredentials(@CheckForNull Item context, boolean forceRefresh) {
+        if (credentials == null || forceRefresh) {
+            credentials = Connector.lookupScanCredentials(context, getApiUri(), getCredentialsId(), getRepoOwner());
+        }
+        return credentials;
+    }
+
     /**
      * Gets the API endpoint for the GitHub server.
      *
@@ -962,9 +974,7 @@ public void visitSources(SCMSourceObserver observer) throws IOException, Interru
             throw new AbortException("Must specify user or organization");
         }
 
-        StandardCredentials credentials =
-                Connector.lookupScanCredentials((Item) observer.getContext(), apiUri, credentialsId, repoOwner);
-
+        StandardCredentials credentials = getCredentials(observer.getContext(), true);
         // Github client and validation
         GitHub github = Connector.connect(apiUri, credentials);
         try {
@@ -1278,9 +1288,7 @@ public void visitSource(String sourceName, SCMSourceObserver observer) throws IO
             throw new AbortException("Must specify user or organization");
         }
 
-        StandardCredentials credentials =
-                Connector.lookupScanCredentials((Item) observer.getContext(), apiUri, credentialsId, repoOwner);
-
+        StandardCredentials credentials = getCredentials(observer.getContext(), false);
         // Github client and validation
         GitHub github;
         try {
@@ -1544,9 +1552,7 @@ public List<Action> retrieveActions(
         listener.getLogger().printf("Looking up details of %s...%n", getRepoOwner());
         List<Action> result = new ArrayList<>();
         String apiUri = Util.fixEmptyAndTrim(getApiUri());
-        StandardCredentials credentials =
-                Connector.lookupScanCredentials((Item) owner, getApiUri(), credentialsId, repoOwner);
-        GitHub hub = Connector.connect(getApiUri(), credentials);
+        GitHub hub = Connector.connect(getApiUri(), getCredentials(owner, true));
         Connector.configureLocalRateLimitChecker(listener, hub);
         boolean privateMode = !isEnableAvatar() || determinePrivateMode(apiUri);
         try {
@@ -1642,9 +1648,7 @@ public void afterSave(@NonNull SCMNavigatorOwner owner) {
         GitHubWebHook.get().registerHookFor(owner);
         try {
             // FIXME MINOR HACK ALERT
-            StandardCredentials credentials =
-                    Connector.lookupScanCredentials((Item) owner, getApiUri(), credentialsId, repoOwner);
-            GitHub hub = Connector.connect(getApiUri(), credentials);
+            GitHub hub = Connector.connect(getApiUri(), getCredentials(owner, true));
             try {
                 GitHubOrgWebHook.register(hub, repoOwner);
             } finally {
@@ -1984,6 +1988,7 @@ public SourceFactory(GitHubSCMNavigatorRequest request) {
         public SCMSource create(@NonNull String name) {
             return new GitHubSCMSourceBuilder(getId() + "::" + name, apiUri, credentialsId, repoOwner, name)
                     .withRequest(request)
+                    .withCredentials(credentials)
                     .build();
         }
     }

src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSource.java

@@ -30,6 +30,7 @@
 import static org.apache.commons.lang.StringUtils.removeEnd;
 import static org.jenkinsci.plugins.github_branch_source.Connector.isCredentialValid;
 import static org.jenkinsci.plugins.github_branch_source.GitHubSCMBuilder.API_V3;
+import static org.jenkinsci.plugins.github_branch_source.GitHubSCMBuilder.HTTPS;
 
 import com.cloudbees.jenkins.GitHubWebHook;
 import com.cloudbees.plugins.credentials.CredentialsNameProvider;
@@ -272,6 +273,9 @@ public class GitHubSCMSource extends AbstractGitSCMSource {
     /** The cache of {@link ObjectMetadataAction} instances for each open PR. */
     @NonNull
     private transient /*effectively final*/ Map<Integer, ContributorMetadataAction> pullRequestContributorCache;
+    /** The cache of the credentials object */
+    @CheckForNull
+    private transient volatile StandardCredentials credentials;
 
     /**
      * Used during upgrade from 1.x to 2.2.0+ only.
@@ -317,6 +321,19 @@ public GitHubSCMSource(String repoOwner, String repository, String repositoryUrl
         this.traits = new ArrayList<>();
     }
 
+    /**
+     * Constructor that passes a looked up credentials object.
+     *
+     * @param repoOwner the repository owner.
+     * @param repository the repository name.
+     * @param credentials a {@link com.cloudbees.plugins.credentials.common.StandardCredentials}
+     */
+    @Restricted(NoExternalUse.class)
+    GitHubSCMSource(String repoOwner, String repository, StandardCredentials credentials) {
+        this(repoOwner, repository, null, false);
+        this.credentials = credentials;
+    }
+
     /**
      * Legacy constructor.
      *
@@ -362,6 +379,15 @@ public GitHubSCMSource(
         }
     }
 
+    @CheckForNull
+    @Restricted(NoExternalUse.class)
+    private StandardCredentials getCredentials(@CheckForNull Item context, boolean forceRefresh) {
+        if (credentials == null || forceRefresh) {
+            credentials = Connector.lookupScanCredentials(context, getApiUri(), getCredentialsId(), getRepoOwner());
+        }
+        return credentials;
+    }
+
     @Restricted(NoExternalUse.class)
     public boolean isConfiguredByUrl() {
         return repositoryUrl != null;
@@ -598,8 +624,8 @@ public static void setCacheSize(int cacheSize) {
     /** {@inheritDoc} */
     @Override
     public String getRemote() {
-        return GitHubSCMBuilder.uriResolver(getOwner(), apiUri, credentialsId)
-                .getRepositoryUri(apiUri, repoOwner, repository);
+        // Only HTTPS is applicable to the source remote with Username / Password credentials
+        return HTTPS.getRepositoryUri(apiUri, repoOwner, repository);
     }
 
     /** {@inheritDoc} */
@@ -619,7 +645,7 @@ public String getPronoun() {
     @Restricted(DoNotUse.class)
     @RestrictedSince("2.2.0")
     public RepositoryUriResolver getUriResolver() {
-        return GitHubSCMBuilder.uriResolver(getOwner(), apiUri, credentialsId);
+        return HTTPS;
     }
 
     @Restricted(NoExternalUse.class)
@@ -977,8 +1003,10 @@ protected final void retrieve(
             @CheckForNull SCMHeadEvent<?> event,
             @NonNull final TaskListener listener)
             throws IOException, InterruptedException {
-        StandardCredentials credentials =
-                Connector.lookupScanCredentials((Item) getOwner(), apiUri, credentialsId, repoOwner);
+        // In case we are in an Organization Scan - i.e. (observer instanceof SCMHeadObserver.Any) - use the cached
+        // credentials
+        // https://github.com/jenkinsci/branch-api-plugin/blob/2.1169.va_f810c56e895/src/main/java/jenkins/branch/MultiBranchProjectFactory.java#L262
+        StandardCredentials credentials = getCredentials(getOwner(), !(observer instanceof SCMHeadObserver.Any));
         // Github client and validation
         final GitHub github = Connector.connect(apiUri, credentials);
         try {
@@ -1279,10 +1307,8 @@ public SCMRevision create(@NonNull PullRequestSCMHead head, @Nullable Void ignor
     @Override
     protected Set<String> retrieveRevisions(@NonNull TaskListener listener, Item retrieveContext)
             throws IOException, InterruptedException {
-        StandardCredentials credentials =
-                Connector.lookupScanCredentials(retrieveContext, apiUri, credentialsId, repoOwner);
         // Github client and validation
-        final GitHub github = Connector.connect(apiUri, credentials);
+        final GitHub github = Connector.connect(apiUri, getCredentials(retrieveContext, false));
         try {
             Connector.configureLocalRateLimitChecker(listener, github);
             Set<String> result = new TreeSet<>();
@@ -1385,10 +1411,8 @@ protected Set<String> retrieveRevisions(@NonNull TaskListener listener, Item ret
     @Override
     protected SCMRevision retrieve(@NonNull String headName, @NonNull TaskListener listener, Item retrieveContext)
             throws IOException, InterruptedException {
-        StandardCredentials credentials =
-                Connector.lookupScanCredentials(retrieveContext, apiUri, credentialsId, repoOwner);
         // Github client and validation
-        final GitHub github = Connector.connect(apiUri, credentials);
+        final GitHub github = Connector.connect(apiUri, getCredentials(retrieveContext, false));
         try {
             Connector.configureLocalRateLimitChecker(listener, github);
             // Input data validation
@@ -1614,10 +1638,8 @@ public void unwrap() throws IOException, InterruptedException {
     @NonNull
     @Override
     protected SCMProbe createProbe(@NonNull SCMHead head, @CheckForNull final SCMRevision revision) throws IOException {
-        StandardCredentials credentials =
-                Connector.lookupScanCredentials((Item) getOwner(), apiUri, credentialsId, repoOwner);
         // Github client and validation
-        GitHub github = Connector.connect(apiUri, credentials);
+        GitHub github = Connector.connect(apiUri, getCredentials(getOwner(), false));
         try {
             String fullName = repoOwner + "/" + repository;
             final GHRepository repo = github.getRepository(fullName);
@@ -1632,11 +1654,8 @@ protected SCMProbe createProbe(@NonNull SCMHead head, @CheckForNull final SCMRev
     @Override
     @CheckForNull
     protected SCMRevision retrieve(SCMHead head, TaskListener listener) throws IOException, InterruptedException {
-        StandardCredentials credentials =
-                Connector.lookupScanCredentials((Item) getOwner(), apiUri, credentialsId, repoOwner);
-
         // Github client and validation
-        GitHub github = Connector.connect(apiUri, credentials);
+        GitHub github = Connector.connect(apiUri, getCredentials(getOwner(), false));
         try {
             try {
                 Connector.checkConnectionValidity(apiUri, listener, credentials, github);
@@ -1783,11 +1802,9 @@ PullRequestSource retrievePullRequestSource(int number) {
                 if (StringUtils.isNotBlank(repository)) {
                     String fullName = repoOwner + "/" + repository;
                     LOGGER.log(Level.INFO, "Getting remote pull requests from {0}", fullName);
-                    StandardCredentials credentials =
-                            Connector.lookupScanCredentials((Item) getOwner(), apiUri, credentialsId, repoOwner);
                     LogTaskListener listener = new LogTaskListener(LOGGER, Level.INFO);
                     try {
-                        GitHub github = Connector.connect(apiUri, credentials);
+                        GitHub github = Connector.connect(apiUri, getCredentials(getOwner(), false));
                         try {
                             Connector.configureLocalRateLimitChecker(listener, github);
                             ghRepository = github.getRepository(fullName);
@@ -1952,8 +1969,7 @@ protected List<Action> retrieveActions(@CheckForNull SCMSourceEvent event, @NonN
         result.add(new GitHubRepoMetadataAction());
         String repository = this.repository;
 
-        StandardCredentials credentials =
-                Connector.lookupScanCredentials((Item) getOwner(), apiUri, credentialsId, repoOwner);
+        StandardCredentials credentials = getCredentials(getOwner(), true);
         GitHub hub = Connector.connect(apiUri, credentials);
         try {
             Connector.checkConnectionValidity(apiUri, listener, credentials, hub);
@@ -2857,8 +2873,7 @@ protected Set<String> create() {
                     .format(
                             "Connecting to %s to obtain list of collaborators for %s/%s%n",
                             apiUri, repoOwner, repository);
-            StandardCredentials credentials =
-                    Connector.lookupScanCredentials((Item) getOwner(), apiUri, credentialsId, repoOwner);
+            StandardCredentials credentials = getCredentials(getOwner(), false);
             // Github client and validation
             try {
                 GitHub github = Connector.connect(apiUri, credentials);
@@ -2922,9 +2937,7 @@ public GHPermissionType fetch(String username) throws IOException, InterruptedEx
                         .format(
                                 "Connecting to %s to check permissions of obtain list of %s for %s/%s%n",
                                 apiUri, username, repoOwner, repository);
-                StandardCredentials credentials =
-                        Connector.lookupScanCredentials((Item) getOwner(), apiUri, credentialsId, repoOwner);
-                github = Connector.connect(apiUri, credentials);
+                github = Connector.connect(apiUri, getCredentials(getOwner(), false));
                 String fullName = repoOwner + "/" + repository;
                 repo = github.getRepository(fullName);
             }

src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSourceBuilder.java

@@ -23,6 +23,7 @@
  */
 package org.jenkinsci.plugins.github_branch_source;
 
+import com.cloudbees.plugins.credentials.common.StandardCredentials;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import jenkins.scm.api.trait.SCMSourceBuilder;
@@ -45,6 +46,9 @@ public class GitHubSCMSourceBuilder extends SCMSourceBuilder<GitHubSCMSourceBuil
     /** The repository owner. */
     @NonNull
     private final String repoOwner;
+    /** The credentials. */
+    @CheckForNull
+    private StandardCredentials credentials;
 
     /**
      * Constructor.
@@ -94,7 +98,7 @@ public final String apiUri() {
      */
     @CheckForNull
     public final String credentialsId() {
-        return credentialsId;
+        return credentials == null ? credentialsId : credentials.getId();
     }
 
     /**
@@ -107,11 +111,22 @@ public final String repoOwner() {
         return repoOwner;
     }
 
+    /**
+     * Pass the credentials object to the {@link GitHubSCMSource}.
+     * @param credentials the {@link com.cloudbees.plugins.credentials.common.StandardCredentials}
+     * @return the current builder
+     */
+    @NonNull
+    SCMSourceBuilder<GitHubSCMSourceBuilder, GitHubSCMSource> withCredentials(StandardCredentials credentials) {
+        this.credentials = credentials;
+        return this;
+    }
+
     /** {@inheritDoc} */
     @NonNull
     @Override
     public GitHubSCMSource build() {
-        GitHubSCMSource result = new GitHubSCMSource(repoOwner, projectName());
+        GitHubSCMSource result = new GitHubSCMSource(repoOwner, projectName(), credentials);
         result.setId(id());
         result.setApiUri(apiUri());
         result.setCredentialsId(credentialsId());