Reduce overall calls to Github

i386 · i386 · commit c4159effd64e · 2016-10-24T14:42:21.000+11:00
* Always lookup the user locally before asking Github
* lazyily lookup authorities if needed.
* Requires 2.7.1 for User.getUserById
diff --git a/pom.xml b/pom.xml
@@ -14,7 +14,7 @@
 
     <properties>
         <!-- Baseline Jenkins version you use to build the plugin. Users must have this version or newer to run. -->
-        <jenkins.version>1.612</jenkins.version>
+        <jenkins.version>2.7.1</jenkins.version>
         <!-- Java Level to use. Java 7 required when using core >= 1.612 -->
         <java.level>7</java.level>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java b/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
@@ -91,11 +91,22 @@ public class GithubAuthenticationToken extends AbstractAuthenticationToken {
     private static final Cache<String, Boolean> publicRepositoryCache =
             CacheBuilder.newBuilder().expireAfterWrite(1, CACHE_EXPIRY).build();
 
-    private static final Cache<String, GHUser> usersByIdCache =
+    private static final Cache<String, GithubUser> usersByIdCache =
             CacheBuilder.newBuilder().expireAfterWrite(1, CACHE_EXPIRY).build();
 
     private final List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
 
+    private static final GithubUser UNKNOWN_USER = new GithubUser(null);
+
+    /** Wrapper for cache **/
+    static class GithubUser {
+        public final GHUser user;
+
+        public GithubUser(GHUser user) {
+            this.user = user;
+        }
+    }
+
     public GithubAuthenticationToken(final String accessToken, final String githubServer) throws IOException {
         super(new GrantedAuthority[] {});
 
@@ -300,18 +311,20 @@ public Boolean call() throws Exception {
             .getLogger(GithubAuthenticationToken.class.getName());
 
     public GHUser loadUser(String username) throws IOException {
-        GHUser user;
+        GithubUser user;
         try {
             user = usersByIdCache.get(username);
             if (gh != null && user == null && isAuthenticated()) {
-                user = getGitHub().getUser(username);
-                usersByIdCache.put(user.getLogin(), user);
+                GHUser ghUser = getGitHub().getUser(username);
+                user = new GithubUser(ghUser);
+                usersByIdCache.put(username, user);
             }
         } catch (IOException | ExecutionException e) {
             LOGGER.log(Level.FINEST, e.getMessage(), e);
-            user = null;
+            user = UNKNOWN_USER;
+            usersByIdCache.put(username, UNKNOWN_USER);
         }
-        return user;
+        return user != null ? user.user : null;
     }
 
     public GHOrganization loadOrganization(String organization) {
@@ -352,51 +365,55 @@ public GHTeam loadTeam(String organization, String team) {
     public GithubOAuthUserDetails getUserDetails(String username) throws IOException {
         GHUser user = loadUser(username);
         if (user != null) {
-            List<GrantedAuthority> groups = new ArrayList<GrantedAuthority>();
-            try {
-                GHPersonSet<GHOrganization> orgs;
-                if(myRealm == null) {
-                    Jenkins jenkins = Jenkins.getInstance();
-                    if (jenkins == null) {
-                        throw new IllegalStateException("Jenkins not started");
-                    }
-                    myRealm = (GithubSecurityRealm) jenkins.getSecurityRealm();
-                }
-                //Search for scopes that allow fetching team membership.  This is documented online.
-                //https://developer.github.com/v3/orgs/#list-your-organizations
-                //https://developer.github.com/v3/orgs/teams/#list-user-teams
-                if(this.userName.equals(username) && (myRealm.hasScope("read:org") || myRealm.hasScope("admin:org") || myRealm.hasScope("user") || myRealm.hasScope("repo"))) {
-                    //This allows us to search for private organization membership.
-                    orgs = getMyself().getAllOrganizations();
-                } else {
-                    //This searches for public organization membership.
-                    orgs = user.getOrganizations();
+            return new GithubOAuthUserDetails(user.getLogin(), this);
+        }
+        return null;
+    }
+
+    public GrantedAuthority[] getGrantedAuthorities(GHUser user) {
+        List<GrantedAuthority> groups = new ArrayList<GrantedAuthority>();
+        try {
+            GHPersonSet<GHOrganization> orgs;
+            if(myRealm == null) {
+                Jenkins jenkins = Jenkins.getInstance();
+                if (jenkins == null) {
+                    throw new IllegalStateException("Jenkins not started");
                 }
-                for (GHOrganization ghOrganization : orgs) {
-                    String orgLogin = ghOrganization.getLogin();
-                    LOGGER.log(Level.FINE, "Fetch teams for user " + username + " in organization " + orgLogin);
-                    groups.add(new GrantedAuthorityImpl(orgLogin));
-                    try {
-                        if (!getMyself().isMemberOf(ghOrganization)) {
-                            continue;
-                        }
-                        Map<String, GHTeam> teams = ghOrganization.getTeams();
-                        for (Map.Entry<String, GHTeam> entry : teams.entrySet()) {
-                            GHTeam team = entry.getValue();
-                            if (team.hasMember(user)) {
-                                groups.add(new GrantedAuthorityImpl(orgLogin + GithubOAuthGroupDetails.ORG_TEAM_SEPARATOR
-                                        + team));
-                            }
+                myRealm = (GithubSecurityRealm) jenkins.getSecurityRealm();
+            }
+            //Search for scopes that allow fetching team membership.  This is documented online.
+            //https://developer.github.com/v3/orgs/#list-your-organizations
+            //https://developer.github.com/v3/orgs/teams/#list-user-teams
+            if(this.userName.equals(user.getLogin()) && (myRealm.hasScope("read:org") || myRealm.hasScope("admin:org") || myRealm.hasScope("user") || myRealm.hasScope("repo"))) {
+                //This allows us to search for private organization membership.
+                orgs = getMyself().getAllOrganizations();
+            } else {
+                //This searches for public organization membership.
+                orgs = user.getOrganizations();
+            }
+            for (GHOrganization ghOrganization : orgs) {
+                String orgLogin = ghOrganization.getLogin();
+                LOGGER.log(Level.FINE, "Fetch teams for user " + user.getLogin() + " in organization " + orgLogin);
+                groups.add(new GrantedAuthorityImpl(orgLogin));
+                try {
+                    if (!getMyself().isMemberOf(ghOrganization)) {
+                        continue;
+                    }
+                    Map<String, GHTeam> teams = ghOrganization.getTeams();
+                    for (Map.Entry<String, GHTeam> entry : teams.entrySet()) {
+                        GHTeam team = entry.getValue();
+                        if (team.hasMember(user)) {
+                            groups.add(new GrantedAuthorityImpl(orgLogin + GithubOAuthGroupDetails.ORG_TEAM_SEPARATOR
+                                    + team));
                         }
-                    } catch (IOException | Error ignore) {
-                        LOGGER.log(Level.FINEST, "not enough rights to list teams from " + orgLogin, ignore);
                     }
+                } catch (IOException | Error ignore) {
+                    LOGGER.log(Level.FINEST, "not enough rights to list teams from " + orgLogin, ignore);
                 }
-            } catch(IOException e) {
-                LOGGER.log(Level.FINE, e.getMessage(), e);
             }
-            return new GithubOAuthUserDetails(user, groups.toArray(new GrantedAuthority[groups.size()]));
+        } catch(IOException e) {
+            LOGGER.log(Level.FINE, e.getMessage(), e);
         }
-        return null;
+        return groups.toArray(new GrantedAuthority[groups.size()]);
     }
 }
diff --git a/src/main/java/org/jenkinsci/plugins/GithubOAuthUserDetails.java b/src/main/java/org/jenkinsci/plugins/GithubOAuthUserDetails.java
@@ -3,21 +3,46 @@
  */
 package org.jenkinsci.plugins;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.acegisecurity.GrantedAuthority;
 import org.acegisecurity.userdetails.User;
 import org.acegisecurity.userdetails.UserDetails;
 import org.kohsuke.github.GHUser;
 
+import javax.annotation.Nonnull;
+import java.io.IOException;
+
 /**
  * @author Mike
  *
  */
+@SuppressFBWarnings("EQ_DOESNT_OVERRIDE_EQUALS")
 public class GithubOAuthUserDetails extends User implements UserDetails {
 
     private static final long serialVersionUID = 1L;
 
-    public GithubOAuthUserDetails(GHUser user, GrantedAuthority[] authorities) {
-        super(user.getLogin(), "", true, true, true, true, authorities);
+    private final GithubAuthenticationToken authenticationToken;
+
+    public GithubOAuthUserDetails(@Nonnull String login, @Nonnull GrantedAuthority[] authorities) {
+        super(login, "", true, true, true, true, authorities);
+        this.authenticationToken = null;
     }
 
+    public GithubOAuthUserDetails(@Nonnull String login, @Nonnull GithubAuthenticationToken authenticationToken) {
+        super(login, "", true, true, true, true, null);
+        this.authenticationToken = authenticationToken;
+    }
+
+    @Override
+    public GrantedAuthority[] getAuthorities() {
+        if (super.getAuthorities() == null) {
+            try {
+                GHUser user = authenticationToken.loadUser(getUsername());
+                setAuthorities(authenticationToken.getGrantedAuthorities(user));
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+        }
+        return super.getAuthorities();
+    }
 }
diff --git a/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
@@ -67,7 +67,6 @@ of this software and associated documentation files (the "Software"), to deal
 import org.kohsuke.github.GHMyself;
 import org.kohsuke.github.GHOrganization;
 import org.kohsuke.github.GHTeam;
-import org.kohsuke.github.GHUser;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.Header;
 import org.kohsuke.stapler.HttpRedirect;
@@ -393,7 +392,7 @@ public HttpResponse doFinishLogin(StaplerRequest request)
                 }
             }
 
-            fireAuthenticated(new GithubOAuthUserDetails(self, auth.getAuthorities()));
+            fireAuthenticated(new GithubOAuthUserDetails(self.getLogin(), auth.getAuthorities()));
         } else {
             Log.info("Github did not return an access token.");
         }
@@ -580,7 +579,6 @@ public DescriptorImpl getDescriptor() {
     @Override
     public UserDetails loadUserByUsername(String username)
             throws UsernameNotFoundException, DataAccessException {
-        GHUser user = null;
 
         Authentication token = SecurityContextHolder.getContext().getAuthentication();
 
@@ -596,6 +594,15 @@ public UserDetails loadUserByUsername(String username)
             throw new UserMayOrMayNotExistException("Unexpected authentication type: " + token);
         }
 
+        /**
+         * Always lookup the local user first. If we can't resolve it then we can burn an API request to Github for this user
+         * Taken from hudson.security.HudsonPrivateSecurityRealm#loadUserByUsername(java.lang.String)
+         */
+        User localUser = User.getById(username, false);
+        if (localUser != null) {
+            return new GithubOAuthUserDetails(username, authToken);
+        }
+
         try {
             GithubOAuthUserDetails userDetails = authToken.getUserDetails(username);
             if (userDetails == null)
