jenkinsci · jglick · Oct 16, 2024 · May 14, 2024 · May 16, 2024 · May 16, 2024
@@ -100,6 +100,7 @@
     private static final String SALT = Long.toHexString(ENTROPY.nextLong());
     private static final OkHttpClient baseClient =
             JenkinsOkHttpClient.newClientBuilder(new OkHttpClient()).build();
+    private static final ThreadLocal<StandardCredentials> scanCredentials = new ThreadLocal<>();
 
     private Connector() {
         throw new IllegalAccessError("Utility class");
@@ -295,23 +296,30 @@
             @CheckForNull String repoOwner) {
         if (Util.fixEmpty(scanCredentialsId) == null) {
             return null;
+        }
+
+        StandardCredentials c = CredentialsCache.getOrCreate(
+                context,
+                apiUri,
+                scanCredentialsId,
+                () -> CredentialsMatchers.firstOrNull(
+                        CredentialsProvider.lookupCredentialsInItem(
+                                StandardUsernameCredentials.class,
+                                context,
+                                context instanceof Queue.Task
+                                        ? ((Queue.Task) context).getDefaultAuthentication2()
+                                        : ACL.SYSTEM2,
+                                githubDomainRequirements(apiUri)),
+                        CredentialsMatchers.allOf(
+                                CredentialsMatchers.withId(scanCredentialsId), githubScanCredentialsMatcher())));
+
+        if (c instanceof GitHubAppCredentials && repoOwner != null) {
+            c = ((GitHubAppCredentials) c).withOwner(repoOwner);
+            scanCredentials.set(((GitHubAppCredentials) c).withOwner(repoOwner));
         } else {
-            StandardCredentials c = CredentialsMatchers.firstOrNull(
-                    CredentialsProvider.lookupCredentials(
-                            StandardUsernameCredentials.class,
-                            context,
-                            context instanceof Queue.Task
-                                    ? ((Queue.Task) context).getDefaultAuthentication()
-                                    : ACL.SYSTEM,
-                            githubDomainRequirements(apiUri)),
-                    CredentialsMatchers.allOf(
-                            CredentialsMatchers.withId(scanCredentialsId), githubScanCredentialsMatcher()));
-            if (c instanceof GitHubAppCredentials && repoOwner != null) {
-                return ((GitHubAppCredentials) c).withOwner(repoOwner);
-            } else {
-                return c;
-            }
+            scanCredentials.set(c);
         }
+        return c;
     }
 
     /**
@@ -323,7 +331,7 @@
     * @deprecated use {@link #listCheckoutCredentials(Item, String)}
     */
    @NonNull
    public static ListBoxModel listCheckoutCredentials(@CheckForNull SCMSourceOwner context, String apiUri) {
        return listCheckoutCredentials((Item) context, apiUri);
    }


diff --git a/src/main/java/org/jenkinsci/plugins/github_branch_source/CredentialsCache.java b/src/main/java/org/jenkinsci/plugins/github_branch_source/CredentialsCache.java
@@ -0,0 +1,113 @@
+package org.jenkinsci.plugins.github_branch_source;
+
+import com.cloudbees.plugins.credentials.common.StandardCredentials;
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import hudson.Util;
+import hudson.model.Item;
+import hudson.model.ItemGroup;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.TimeUnit;
+import java.util.function.Supplier;
+import jenkins.util.SystemProperties;
+
+/**
+ * Caches the {@link com.cloudbees.plugins.credentials.common.StandardCredentials} per credentials request based on
+ * context, apiUri and credentialsId. The credentials are cached within a thread context using a {@link java.lang.ThreadLocal}.
+ * High cache hit ratio is expected in repeated usage within the same single threaded process such as Branch Indexing
+ * and Organization Scans.
+ */
+public class CredentialsCache {
+
+    /**
+     * The cache expiry in minutes. Default to 15 minutes.
+     */
+    private static final long CACHE_DURATION_SECONDS = SystemProperties.getLong(
+            CredentialsCache.class.getName() + ".CACHE_DURATION_SECONDS", TimeUnit.MINUTES.toSeconds(1L));
+
+    /**
+     * Whether the cache is disabled.
+     */
+    private static final boolean CACHE_DISABLED =
+            SystemProperties.getBoolean(CredentialsCache.class.getName() + ".CACHE_DISABLED", false);
+
+    private static final ThreadLocal<Map<Integer, CacheValue>> scanCredentialsRequests = new ThreadLocal<>();
+
+    /**
+     * Retrieve the cached credentials in the specified context for use against the specified API endpoint.
+     * If not found,
+     *
+     *
+     * @param context the context.
+     * @param apiUri the API endpoint.
+     * @param credentialsId the credentials to resolve.
+     * @return the {@link StandardCredentials} or {@code null}
+     */
+    @CheckForNull
+    static StandardCredentials getOrCreate(
+            @CheckForNull Item context,
+            @CheckForNull String apiUri,
+            @CheckForNull String credentialsId,
+            Supplier<StandardCredentials> lookup) {
+        if (Util.fixEmpty(credentialsId) == null) {
+            return null;
+        }
+
+        if (CACHE_DISABLED) {
+            return lookup.get();
+        }
+
+        if (scanCredentialsRequests.get() == null) {
+            scanCredentialsRequests.set(new HashMap<>());
+        }
+
+        int cacheKey = Objects.hash(apiUri, credentialsId, context == null ? null : context.getFullName());
+        CacheValue result = scanCredentialsRequests.get().get(cacheKey);
+        if (result == null || result.expired()) {
+            if (context != null) {
+                /*
+                 * Check if the credentials is cached for the parent context (SCMNavigator). If it is, it will be
+                 * stored in cache for the parent context and also the requested context for better cache hit
+                 * throughput.
+                 * That guarantees that the credentials cache is used throughout an entire Organization Scan process
+                 * that use the context of the OrganizationFolder and then a different child context for all repository
+                 * MultibranchProjects that it visits.
+                 */
+                ItemGroup<?> parent = context.getParent();
+                int parentCacheKey = Objects.hash(apiUri, credentialsId, parent == null ? null : parent.getFullName());
+                result = scanCredentialsRequests.get().get(parentCacheKey);
+
+                if (result == null || result.expired()) {
+                    result = new CacheValue(lookup.get());
+                    scanCredentialsRequests.get().put(parentCacheKey, result);
+                }
+            } else {
+                result = new CacheValue(lookup.get());
+            }
+            scanCredentialsRequests.get().put(cacheKey, result);
+        }
+
+        return result.getCredentials();
+    }
+
+    private static class CacheValue {
+
+        private final StandardCredentials credentials;
+
+        private final long requestTimeInMs;
+
+        public CacheValue(StandardCredentials credentials) {
+            this.credentials = credentials;
+            this.requestTimeInMs = System.currentTimeMillis();
+        }
+
+        public StandardCredentials getCredentials() {
+            return credentials;
+        }
+
+        public boolean expired() {
+            return (System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(CACHE_DURATION_SECONDS)) > requestTimeInMs;
+        }
+    }
+}
@@ -124,7 +124,6 @@
         if (repoUrl != null) {
             withBrowser(new GithubWeb(repoUrl));
         }
-        withCredentials(credentialsId(), null);
     }
 
     /**
@@ -189,7 +188,9 @@
      *     {@code null} to detect the the protocol based on the credentialsId. Defaults to HTTP if
      *     credentials are {@code null}. Enables support for blank SSH credentials.
      * @return {@code this} for method chaining.
+     * @deprecated Use {@link #withCredentials(String)} and {@link #withResolver(RepositoryUriResolver)}
      */
+    @Deprecated
     @NonNull
     public GitHubSCMBuilder withCredentials(String credentialsId, RepositoryUriResolver uriResolver) {
         if (uriResolver == null) {
@@ -200,6 +201,12 @@
         return withCredentials(credentialsId);
     }
 
+    @NonNull
+    public GitHubSCMBuilder withResolver(RepositoryUriResolver uriResolver) {
+        this.uriResolver = uriResolver;
+        return this;
+    }
+
     /**
      * Returns a {@link RepositoryUriResolver} according to credentials configuration.
      *
@@ -215,12 +222,12 @@
             return HTTPS;
         } else {
             StandardCredentials credentials = CredentialsMatchers.firstOrNull(
-                    CredentialsProvider.lookupCredentials(
+                    CredentialsProvider.lookupCredentialsInItem(
                             StandardCredentials.class,
                             context,
                             context instanceof Queue.Task
-                                    ? ((Queue.Task) context).getDefaultAuthentication()
-                                    : ACL.SYSTEM,
+                                    ? ((Queue.Task) context).getDefaultAuthentication2()
+                                    : ACL.SYSTEM2,
                             URIRequirementBuilder.create()
                                     .withHostname(RepositoryUriResolver.hostnameFromApiUri(apiUri))
                                     .build()),

@@ -30,6 +30,7 @@
 import static org.apache.commons.lang.StringUtils.removeEnd;
 import static org.jenkinsci.plugins.github_branch_source.Connector.isCredentialValid;
 import static org.jenkinsci.plugins.github_branch_source.GitHubSCMBuilder.API_V3;
+import static org.jenkinsci.plugins.github_branch_source.GitHubSCMBuilder.HTTPS;
 
 import com.cloudbees.jenkins.GitHubWebHook;
 import com.cloudbees.plugins.credentials.CredentialsNameProvider;
@@ -598,28 +599,28 @@
     /** {@inheritDoc} */
     @Override
     public String getRemote() {
-        return GitHubSCMBuilder.uriResolver(getOwner(), apiUri, credentialsId)
-                .getRepositoryUri(apiUri, repoOwner, repository);
+        // Only HTTPS is applicable to the source remote with Username / Password credentials
+        return HTTPS.getRepositoryUri(apiUri, repoOwner, repository);
     }
 
     /** {@inheritDoc} */
    @Override
    public String getPronoun() {
        return Messages.GitHubSCMSource_Pronoun();
    }

    /**
     * Returns a {@link RepositoryUriResolver} according to credentials configuration.
     *
     * @return a {@link RepositoryUriResolver}
     * @deprecated use {@link GitHubSCMBuilder#uriResolver()} or {@link
     *     GitHubSCMBuilder#uriResolver(Item, String, String)}.
     */
    @Deprecated
     @Restricted(DoNotUse.class)
     @RestrictedSince("2.2.0")
     public RepositoryUriResolver getUriResolver() {
-        return GitHubSCMBuilder.uriResolver(getOwner(), apiUri, credentialsId);
+        return HTTPS;
     }
 
     @Restricted(NoExternalUse.class)

@@ -98,7 +98,7 @@
     /** {@inheritDoc} */
     @Override
     protected void decorateBuilder(SCMBuilder<?, ?> builder) {
-        ((GitHubSCMBuilder) builder).withCredentials(credentialsId, GitHubSCMBuilder.SSH);
+        ((GitHubSCMBuilder) builder).withCredentials(credentialsId).withResolver(GitHubSCMBuilder.SSH);
     }
 
     /** Our descriptor. */
@@ -190,24 +190,24 @@
                 return FormValidation.ok();
             }
             if (CredentialsMatchers.firstOrNull(
-                            CredentialsProvider.lookupCredentials(
+                            CredentialsProvider.lookupCredentialsInItem(
                                     SSHUserPrivateKey.class,
                                     context,
                                     context instanceof Queue.Task
-                                            ? ((Queue.Task) context).getDefaultAuthentication()
-                                            : ACL.SYSTEM,
+                                            ? ((Queue.Task) context).getDefaultAuthentication2()
+                                            : ACL.SYSTEM2,
                                     URIRequirementBuilder.fromUri(serverUrl).build()),
                             CredentialsMatchers.withId(value))
                     != null) {
                 return FormValidation.ok();
             }
             if (CredentialsMatchers.firstOrNull(
-                            CredentialsProvider.lookupCredentials(
+                            CredentialsProvider.lookupCredentialsInItem(
                                     StandardUsernameCredentials.class,
                                     context,
                                     context instanceof Queue.Task
-                                            ? ((Queue.Task) context).getDefaultAuthentication()
-                                            : ACL.SYSTEM,
+                                            ? ((Queue.Task) context).getDefaultAuthentication2()
+                                            : ACL.SYSTEM2,
                                     URIRequirementBuilder.fromUri(serverUrl).build()),
                             CredentialsMatchers.withId(value))
                     != null) {