[JENKINS-75477] Frequent 401 errors from Bitbucket Data Center when there are high concurrent builds

Use CredentialsMatcher boxed in a timeout execution only when gathering the list of credentials for a web UI page, to exclude credentials that make remote calls to retrieve the password. In all other cases, when the plugin needs to look up stored credentials, it does not set the timebox on the secret.getPassword call, which causes an unpredictable

Author: nfalco79

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketGitSCMBuilder.java

@@ -34,7 +34,7 @@
 import com.cloudbees.jenkins.plugins.bitbucket.impl.endpoint.BitbucketServerEndpoint;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.extension.FallbackToOtherRepositoryGitSCMExtension;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketApiUtils;
-import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentials;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentialsUtils;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.SCMUtils;
 import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
 import com.cloudbees.plugins.credentials.Credentials;
@@ -172,9 +172,9 @@ public BitbucketSCMSource scmSource() {
     @NonNull
     public BitbucketGitSCMBuilder withCredentials(String credentialsId, BitbucketRepositoryProtocol protocol) {
         if (StringUtils.isNotBlank(credentialsId)) {
-            StandardCredentials credentials = BitbucketCredentials.lookupCredentials(
-                scmSource.getServerUrl(),
+            StandardCredentials credentials = BitbucketCredentialsUtils.lookupCredentials(
                 scmSource.getOwner(),
+                scmSource.getServerUrl(),
                 credentialsId,
                 StandardCredentials.class
             );

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMNavigator.java

@@ -35,7 +35,7 @@
 import com.cloudbees.jenkins.plugins.bitbucket.impl.endpoint.BitbucketCloudEndpoint;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.endpoint.BitbucketServerEndpoint;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketApiUtils;
-import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentials;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentialsUtils;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.MirrorListSupplier;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.URLUtils;
 import com.cloudbees.jenkins.plugins.bitbucket.server.BitbucketServerWebhookImplementation;
@@ -248,9 +248,9 @@ public void visitSources(SCMSourceObserver observer) throws IOException, Interru
             listener.getLogger().format("Must specify a repository owner%n");
             return;
         }
-        StandardCredentials credentials = BitbucketCredentials.lookupCredentials(
-                serverUrl,
+        StandardCredentials credentials = BitbucketCredentialsUtils.lookupCredentials(
                 observer.getContext(),
+                serverUrl,
                 credentialsId,
                 StandardCredentials.class
         );
@@ -301,9 +301,9 @@ public List<Action> retrieveActions(@NonNull SCMNavigatorOwner owner,
         // TODO when we have support for trusted events, use the details from event if event was from trusted source
         listener.getLogger().printf("Looking up team details of %s...%n", getRepoOwner());
         List<Action> result = new ArrayList<>();
-        StandardCredentials credentials = BitbucketCredentials.lookupCredentials(
-                serverUrl,
+        StandardCredentials credentials = BitbucketCredentialsUtils.lookupCredentials(
                 owner,
+                serverUrl,
                 credentialsId,
                 StandardCredentials.class
         );
@@ -392,6 +392,7 @@ public boolean isServerUrlSelectable() {
             return !BitbucketEndpointProvider.all().isEmpty();
         }
 
+        @RequirePOST
         public ListBoxModel doFillServerUrlItems(@AncestorInPath SCMSourceOwner context) {
             AccessControlled contextToCheck = context == null ? Jenkins.get() : context;
             if (!contextToCheck.hasPermission(Item.CONFIGURE)) {
@@ -402,9 +403,9 @@ public ListBoxModel doFillServerUrlItems(@AncestorInPath SCMSourceOwner context)
 
         @RequirePOST
         public static FormValidation doCheckCredentialsId(@AncestorInPath SCMSourceOwner context,
-                                                          @QueryParameter(fixEmpty = true, value = "serverUrl") String serverURL,
+                                                          @QueryParameter(fixEmpty = true, value = "serverUrl", required = true) String serverURL,
                                                           @QueryParameter String value) {
-            return BitbucketCredentials.checkCredentialsId(context, value, serverURL);
+            return BitbucketCredentialsUtils.checkCredentialsId(context, value, serverURL);
         }
 
         @RequirePOST
@@ -420,16 +421,17 @@ public static FormValidation doCheckMirrorId(@QueryParameter String value,
             return FormValidation.ok();
         }
 
+        @RequirePOST
         public ListBoxModel doFillCredentialsIdItems(@AncestorInPath SCMSourceOwner context,
-                                                     @QueryParameter(fixEmpty = true, value = "serverUrl") String serverURL) {
-            return BitbucketCredentials.fillCredentialsIdItems(context, serverURL);
+                                                     @QueryParameter(fixEmpty = true, value = "serverUrl", required = true) String serverURL) {
+            return BitbucketCredentialsUtils.listCredentials(context, serverURL, null);
         }
 
+        @RequirePOST
         public ListBoxModel doFillMirrorIdItems(@AncestorInPath SCMSourceOwner context,
-                                                @QueryParameter(fixEmpty = true, value = "serverUrl") String serverUrl,
+                                                @QueryParameter(fixEmpty = true, value = "serverUrl", required = true) String serverUrl,
                                                 @QueryParameter String credentialsId,
-                                                @QueryParameter String repoOwner)
-            throws FormFillFailure {
+                                                @QueryParameter String repoOwner) throws FormFillFailure {
             return getFromBitbucket(context, serverUrl, credentialsId, repoOwner, null, MirrorListSupplier.INSTANCE);
         }
 

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMSource.java

@@ -49,7 +49,7 @@
 import com.cloudbees.jenkins.plugins.bitbucket.impl.extension.GitClientAuthenticatorExtension;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketApiUtils;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketApiUtils.BitbucketSupplier;
-import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentials;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentialsUtils;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.DateUtils;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.MirrorListSupplier;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.URLUtils;
@@ -797,9 +797,9 @@ public DescriptorImpl getDescriptor() {
 
     @CheckForNull
     /* package */ StandardCredentials credentials() {
-        return BitbucketCredentials.lookupCredentials(
-                getServerUrl(),
+        return BitbucketCredentialsUtils.lookupCredentials(
                 getOwner(),
+                getServerUrl(),
                 getCredentialsId(),
                 StandardCredentials.class
         );
@@ -1054,7 +1054,7 @@ public String getDisplayName() {
         public FormValidation doCheckCredentialsId(@CheckForNull @AncestorInPath SCMSourceOwner context,
                                                    @QueryParameter String value,
                                                    @QueryParameter(fixEmpty = true, value = "serverUrl") String serverURL) {
-            return BitbucketCredentials.checkCredentialsId(context, value, serverURL);
+            return BitbucketCredentialsUtils.checkCredentialsId(context, value, serverURL);
         }
 
         public static FormValidation doCheckServerUrl(@AncestorInPath SCMSourceOwner context, @QueryParameter String value) {
@@ -1095,7 +1095,7 @@ public ListBoxModel doFillServerUrlItems(@AncestorInPath SCMSourceOwner context)
         }
 
         public ListBoxModel doFillCredentialsIdItems(@AncestorInPath SCMSourceOwner context, @QueryParameter String serverUrl) {
-            return BitbucketCredentials.fillCredentialsIdItems(context, serverUrl);
+            return BitbucketCredentialsUtils.listCredentials(context, serverUrl, null);
         }
 
         @RequirePOST

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/BitbucketApiFactory.java

@@ -79,7 +79,7 @@ protected BitbucketApi create(@Nullable String serverUrl,
      * Creates a {@link BitbucketApi} for the specified URL with the supplied credentials, owner and (optional)
      * repository.
      *
-     * @param serverUrl   the server URL.
+     * @param serverURL   the server URL.
      * @param authenticator the (optional) authenticator.
      * @param owner       the owner name.
      * @param projectKey  the (optional) project key.
@@ -88,17 +88,17 @@ protected BitbucketApi create(@Nullable String serverUrl,
      * @throws IllegalArgumentException if the supplied URL is not supported.
      */
     @NonNull
-    public static BitbucketApi newInstance(@Nullable String serverUrl,
+    public static BitbucketApi newInstance(@Nullable String serverURL,
                                            @Nullable BitbucketAuthenticator authenticator,
                                            @NonNull String owner,
                                            @CheckForNull String projectKey,
                                            @CheckForNull String repository) {
         for (BitbucketApiFactory factory : ExtensionList.lookup(BitbucketApiFactory.class)) {
-            if (factory.isMatch(serverUrl)) {
-                return factory.create(serverUrl, authenticator, owner, projectKey, repository);
+            if (factory.isMatch(serverURL)) {
+                return factory.create(serverURL, authenticator, owner, projectKey, repository);
             }
         }
-        throw new IllegalArgumentException("Unsupported Bitbucket server URL: " + serverUrl);
+        throw new IllegalArgumentException("Unsupported Bitbucket server URL: " + serverURL);
     }
 
     @NonNull

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/endpoint/BitbucketEndpoint.java

@@ -24,7 +24,7 @@
 package com.cloudbees.jenkins.plugins.bitbucket.api.endpoint;
 
 import com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource;
-import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentials;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentialsUtils;
 import com.cloudbees.plugins.credentials.common.StandardCredentials;
 import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
@@ -128,7 +128,7 @@ default StandardCredentials credentials() {
         if (credentialsId == null) {
             return null;
         } else {
-            return BitbucketCredentials.lookupCredentials(getServerURL(), Jenkins.get(), credentialsId, StandardCredentials.class);
+            return BitbucketCredentialsUtils.lookupCredentials(Jenkins.get(), getServerURL(), credentialsId, StandardCredentials.class);
         }
     }
 
@@ -143,7 +143,7 @@ default StringCredentials hookSignatureCredentials() {
         if (credentialsId == null) {
             return null;
         } else {
-            return BitbucketCredentials.lookupCredentials(getServerURL(), Jenkins.get(), credentialsId, StringCredentials.class);
+            return BitbucketCredentialsUtils.lookupCredentials(Jenkins.get(), getServerURL(), credentialsId, StringCredentials.class);
         }
     }
 

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/endpoint/BitbucketEndpointDescriptor.java

@@ -23,9 +23,8 @@
  */
 package com.cloudbees.jenkins.plugins.bitbucket.api.endpoint;
 
-import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentials;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentialsUtils;
 import com.cloudbees.plugins.credentials.CredentialsMatchers;
-import com.cloudbees.plugins.credentials.common.StandardCredentials;
 import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
 import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
 import hudson.Util;
@@ -59,7 +58,7 @@ public class BitbucketEndpointDescriptor extends Descriptor<BitbucketEndpoint> {
     public ListBoxModel doFillCredentialsIdItems(@QueryParameter(fixEmpty = true) String credentialsId,
                                                  @QueryParameter(value = "serverUrl", fixEmpty = true) String serverURL) {
         Jenkins jenkins = checkPermission();
-        return BitbucketCredentials.fillCredentialsIdItems(serverURL, jenkins, StandardCredentials.class, credentialsId);
+        return BitbucketCredentialsUtils.listCredentials(jenkins, serverURL, credentialsId);
     }
 
     private static Jenkins checkPermission() {

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/hooks/ServerPushEvent.java

@@ -34,7 +34,7 @@
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketCommit;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketPullRequest;
-import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentials;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentialsUtils;
 import com.cloudbees.jenkins.plugins.bitbucket.server.client.BitbucketServerAPIClient;
 import com.cloudbees.jenkins.plugins.bitbucket.server.client.branch.BitbucketServerCommit;
 import com.cloudbees.jenkins.plugins.bitbucket.server.client.pullrequest.BitbucketServerPullRequest;
@@ -197,9 +197,9 @@ private void addBranchesAndTags(BitbucketSCMSource src, Map<SCMHead, SCMRevision
     protected BitbucketApi getClient(BitbucketSCMSource src) {
         String serverURL = src.getServerUrl();
 
-        StandardCredentials credentials = BitbucketCredentials.lookupCredentials(
-            serverURL,
+        StandardCredentials credentials = BitbucketCredentialsUtils.lookupCredentials(
             src.getOwner(),
+            serverURL,
             src.getCredentialsId(),
             StandardCredentials.class
         );

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/avatars/BitbucketAvatarImageSource.java

@@ -26,7 +26,7 @@
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketApi;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketApiFactory;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
-import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentials;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentialsUtils;
 import com.cloudbees.plugins.credentials.common.StandardCredentials;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.Nullable;
@@ -68,7 +68,7 @@ public AvatarImage fetch() {
                     owner = Jenkins.get().getItemByFullName(scmOwner, SCMNavigatorOwner.class);
                 }
                 if (owner != null) {
-                    StandardCredentials credentials = BitbucketCredentials.lookupCredentials(serverURL, owner, credentialsId, StandardCredentials.class);
+                    StandardCredentials credentials = BitbucketCredentialsUtils.lookupCredentials(owner, serverURL, credentialsId, StandardCredentials.class);
                     BitbucketAuthenticator authenticator = AuthenticationTokens.convert(BitbucketAuthenticator.authenticationContext(serverURL), credentials);
                     // projectKey and repository are not used to fetch the project avatar
                     // owner can not be null but is not used from the client to retrieve avatar image, we just need authentication

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/credentials/BitbucketClientCertificateAuthenticatorSource.java

@@ -57,7 +57,7 @@ public BitbucketClientCertificateAuthenticator convert(@NonNull StandardCertific
     }
 
     /**
-     * Whether this source works in the given context. For client certs, only HTTPS BitbucketServer instances make sense
+     * Whether this source works in the given context. For client certs, only HTTPS Bitbucket Data Center instances make sense
      *
      * @param ctx the context
      * @return whether this can authenticate given the context

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/credentials/BitbucketOAuthAuthenticatorSource.java

@@ -26,6 +26,7 @@
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
 import com.cloudbees.plugins.credentials.CredentialsMatcher;
+import com.cloudbees.plugins.credentials.CredentialsMatchers;
 import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Extension;
@@ -61,8 +62,7 @@ public BitbucketOAuthAuthenticator convert(@NonNull StandardUsernamePasswordCred
     }
 
     /**
-     * Whether this source works in the given context. For client certs, only HTTPS
-     * BitbucketServer instances make sense
+     * Whether this source works in the given context.
      *
      * @param ctx the context
      * @return whether this can authenticate given the context
@@ -78,7 +78,7 @@ protected boolean isFit(AuthenticationTokenContext<? super BitbucketOAuthAuthent
      */
     @Override
     public CredentialsMatcher matcher() {
-        return new BitbucketOAuthCredentialMatcher();
+        return CredentialsMatchers.allOf(super.matcher(), new BitbucketOAuthCredentialMatcher());
     }
 
 }