Skip to content

Cache app installation token #291

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Apr 13, 2020
Merged

Cache app installation token #291

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
60d07a0
Cache app installation token
jglick Mar 26, 2020
9da1f5a
Back to 8m
jglick Mar 26, 2020
6d8b52a
Refresh the token when it is halfway toward expiration (4m), to be on…
jglick Mar 26, 2020
023cdca
SpotBugs
jglick Mar 26, 2020
5cb7140
Merge branch 'master' of github.com:jenkinsci/github-branch-source-pl…
jglick Apr 7, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
import hudson.util.Secret;
import java.io.IOException;
import java.util.List;
import java.util.concurrent.TimeUnit;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.github.GHApp;
Expand Down Expand Up @@ -39,6 +40,9 @@ public class GitHubAppCredentials extends BaseStandardCredentials implements Sta

private String apiUri;

private transient String cachedToken;
private transient long tokenCacheTime;

@DataBoundConstructor
@SuppressWarnings("unused") // by stapler
public GitHubAppCredentials(
Expand Down Expand Up @@ -105,7 +109,15 @@ public Secret getPassword() {
apiUri = "https://api.github.com";
}

String appInstallationToken = generateAppInstallationToken(appID, privateKey.getPlainText(), apiUri);
long now = System.currentTimeMillis();
String appInstallationToken;
if (cachedToken != null && now - tokenCacheTime < JwtHelper.VALIDITY_MS - /* takes some time to send requests */ TimeUnit.SECONDS.toMillis(10)) {
appInstallationToken = cachedToken;
} else {
appInstallationToken = generateAppInstallationToken(appID, privateKey.getPlainText(), apiUri);
cachedToken = appInstallationToken;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This token is valid for an hour not 10 minutes, and the expires_at field should be looked at (in case it changes in the future) https://github.com/jglick/github-branch-source-plugin-1/blob/GitHubAppCredentials.cachedToken/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java#L125-L129

The generated JWT that's used to get this token can only be valid for up to 10 minutes, but the retrieved token is an hour (I didn't see any documentation on this but I just tried it out locally).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, this is shows the same.
https://github.com/github-api/github-api/blob/3cbddf1de9e6a0f261a55247a54f8afdfd168fef/src/test/resources/org/kohsuke/github/GHAppTest/wiremock/createToken/mappings/mapping-app-installations-3755540-access_tokens-7W6Uy.json#L22
https://github.com/github-api/github-api/blob/3cbddf1de9e6a0f261a55247a54f8afdfd168fef/src/test/resources/org/kohsuke/github/GHAppTest/wiremock/createToken/__files/body-app-installations-3755540-access_tokens-7W6Uy.json#L3

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I guess you are saying that we could potentially stretch out the interval between token refreshes to, say, 55m? Would be nice to see some docs on this though.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I guess you are saying that we could potentially stretch out the interval between token refreshes to, say, 55m? Would be nice to see some docs on this though.

Yes, but probably better to look at expires_at in case they change it, I had a look and couldn't see any docs on it

tokenCacheTime = now;
}

return Secret.fromString(appInstallationToken);
}
Expand Down
11 changes: 7 additions & 4 deletions src/main/java/org/jenkinsci/plugins/github_branch_source/JwtHelper.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,17 @@
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Date;
import java.util.Objects;

import static java.util.Objects.requireNonNull;
import java.util.concurrent.TimeUnit;

class JwtHelper {

/**
* Somewhat less than the <a href="https://developer.github.com/apps/building-github-apps/authenticating-with-github-apps/#authenticating-as-a-github-app">maximum JWT validity</a>.
*/
static final long VALIDITY_MS = TimeUnit.MINUTES.toMillis(8);

/**
* Create a JWT for authenticating to GitHub as an app installation
* @param githubAppId the app ID
Expand All @@ -42,9 +47,7 @@ static String createJWT(String githubAppId, final String privateKey) {
.setIssuer(githubAppId)
.signWith(signingKey, signatureAlgorithm);

long oneMinuteInMillis = 60L * 1000L;
long expMillis = nowMillis + (oneMinuteInMillis * 8);
Date exp = new Date(expMillis);
Date exp = new Date(nowMillis + VALIDITY_MS);
builder.setExpiration(exp);

return builder.compact();
Expand Down