comparable cache key

Author: benbroadaway

github-app-installation/src/main/java/com/walmartlabs/concord/github/appinstallation/AccessTokenProvider.java

@@ -60,6 +60,7 @@ public class AccessTokenProvider {
     public AccessTokenProvider(GitHubAppInstallationConfig cfg, ObjectMapper objectMapper) {
         this.httpTimeout = cfg.getHttpClientTimeout();
         this.objectMapper = objectMapper;
+        // TODO: use thread pool for http client. JDK17 HttpClient creates a new thread per client even for synchronous execution
         this.httpClientSupplier = () -> HttpClient.newBuilder() // would be nice to re-use client thread-safely
                 .connectTimeout(httpTimeout)
                 .build();
@@ -96,14 +97,13 @@ private String getAccessTokenUrl(String apiBaseUrl, String installationRepo, Str
                 .build();
 
         var appInstallation = sendRequest(req, 200, AccessTokenProvider.GitHubAppInstallationResp.class, (code, body) -> {
-            log.warn("getAccessTokenUrl ['{}'] -> error: {} : {}", installationRepo, code, body);
-
             if (code == 404) {
                 // not possible to discern between repo not found and app not installed for existing (private) repo
                 log.warn("getAccessTokenUrl ['{}'] -> not found", installationRepo);
                 return new GitHubAppException.NotFoundException("Repo not found or App installation not found for repo");
             }
 
+            log.warn("getAccessTokenUrl ['{}'] -> error: {} : {}", installationRepo, code, body);
             return new GitHubAppException("Unexpected error locating repo installation: " + code);
         });
 

github-app-installation/src/main/java/com/walmartlabs/concord/github/appinstallation/CacheKey.java

@@ -0,0 +1,66 @@
+package com.walmartlabs.concord.github.appinstallation;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2025 Walmart Inc.
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import org.immutables.value.Value;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import java.net.URI;
+import java.util.Objects;
+
+@Value.Immutable
+@Value.Style(jdkOnly = true, redactedMask = "**redacted**")
+interface CacheKey {
+
+    URI repoUri();
+
+    @Nullable
+    @Value.Redacted
+    byte[] binaryDataSecret();
+
+    @Value.Default
+    default int weight() {
+        var weight = 1;
+
+        if (binaryDataSecret() != null) {
+            var data = Objects.requireNonNull(binaryDataSecret());
+            weight += 1;
+            weight += data.length / 1024;
+        }
+
+        return weight;
+    }
+
+    static CacheKey from(URI repoUri) {
+        return ImmutableCacheKey.builder()
+                .repoUri(repoUri)
+                .build();
+    }
+
+    static CacheKey from(URI repoUri, @Nonnull byte[] secret) {
+        return ImmutableCacheKey.builder()
+                .repoUri(repoUri)
+                .binaryDataSecret(secret)
+                .build();
+    }
+
+}

github-app-installation/src/main/java/com/walmartlabs/concord/github/appinstallation/GitHubAppInstallation.java

@@ -54,8 +54,6 @@ public class GitHubAppInstallation implements AuthTokenProvider {
 
     private final LoadingCache<CacheKey, Optional<ExternalAuthToken>> cache;
 
-    private record CacheKey(URI repoUri, Secret secret) {}
-
     @Inject
     public GitHubAppInstallation(GitHubAppInstallationConfig cfg, ObjectMapper objectMapper) {
         this.cfg = cfg;
@@ -65,23 +63,11 @@ public GitHubAppInstallation(GitHubAppInstallationConfig cfg, ObjectMapper objec
         this.cache = CacheBuilder.newBuilder()
                 .expireAfterWrite(cfg.getSystemAuthCacheDuration())
                 .maximumWeight(cfg.getSystemAuthCacheMaxWeight())
-                .weigher((Weigher<CacheKey, Optional<ExternalAuthToken>>) (key, value) -> {
-                    int weight = 1;
-
-                    if (key.secret() != null) {
-                        weight += 1;
-
-                        if (key.secret() instanceof BinaryDataSecret bds) {
-                            weight += bds.getData().length / 1024;
-                        }
-                    }
-
-                    return weight;
-                })
+                .weigher((Weigher<CacheKey, Optional<ExternalAuthToken>>) (key, value) -> key.weight())
                 .build(new CacheLoader<>() {
                     @Override
                     public @Nonnull Optional<ExternalAuthToken> load(@Nonnull CacheKey key) {
-                        return fetchToken(key.repoUri(), key.secret());
+                        return fetchToken(key.repoUri(), key.binaryDataSecret());
                     }
                 });
     }
@@ -91,10 +77,27 @@ public boolean supports(URI repo, @Nullable Secret secret) {
         return Utils.validateSecret(secret, objectMapper) || systemSupports(repo);
     }
 
+    private CacheKey createKey(URI repoUri, @Nullable Secret secret) {
+        if (secret == null) {
+            return CacheKey.from(repoUri);
+        }
+
+        if (secret instanceof BinaryDataSecret bds) {
+            return CacheKey.from(repoUri, bds.getData());
+        }
+
+        return null;
+    }
+
     @Override
     public Optional<ExternalAuthToken> getToken(URI repo, @Nullable Secret secret) {
+        var cacheKey = createKey(repo, secret);
+
+        if (cacheKey == null) {
+            return Optional.empty();
+        }
+
         try {
-            var cacheKey = new CacheKey(repo, secret);
             var activeToken = cache.get(cacheKey);
 
             return activeToken.map(t -> refreshBeforeExpire(t, cacheKey));
@@ -120,9 +123,9 @@ private boolean systemSupports(URI repoUri) {
         return cfg.getAuthConfigs().stream().anyMatch(auth -> auth.canHandle(repoUri));
     }
 
-    private Optional<ExternalAuthToken> fetchToken(URI repo, @Nullable Secret secret) {
+    private Optional<ExternalAuthToken> fetchToken(URI repo, @Nullable byte[] secret) {
         if (secret != null) {
-            return fromSecret(repo, secret);
+            return Optional.ofNullable(fromBinaryData(repo, secret));
         }
 
         // no secret, see if system config has something for this repo
@@ -169,24 +172,16 @@ private ExternalAuthToken refreshBeforeExpire(@Nonnull ExternalAuthToken token,
         return token;
     }
 
-    private Optional<ExternalAuthToken> fromSecret(URI repo, @Nonnull Secret secret) {
-        if (secret instanceof BinaryDataSecret bds) {
-            return Optional.ofNullable(fromBinaryData(repo, bds));
-        }
-
-        return Optional.empty();
-    }
-
-    private ExternalAuthToken fromBinaryData(URI repo, BinaryDataSecret bds) {
-        var appInfo = Utils.parseAppInstallation(bds, objectMapper);
+    private ExternalAuthToken fromBinaryData(URI repo, byte[] data) {
+        var appInfo = Utils.parseAppInstallation(data, objectMapper);
         if (appInfo.isPresent()) {
             // great, it's apparently a valid app installation config
             return getTokenFromAppInstall(appInfo.get(), repo);
         }
 
         // hopefully it's just a token a plaintext token
         return GitHubInstallationToken.builder()
-                .token(new String(bds.getData()).trim())
+                .token(new String(data).trim())
                 .build();
     }
 
@@ -196,8 +191,9 @@ private ExternalAuthToken getTokenFromAppInstall(GitHubAppAuthConfig app, URI re
         try {
             var ownerAndRepo = Utils.extractOwnerAndRepo(app, repo);
             return accessTokenProvider().getRepoInstallationToken(app, ownerAndRepo);
-        } catch (RepoExtractionException e) {
-            log.warn("Error retrieving GitHub access token", e);
+        } catch (RepoExtractionException | GitHubAppException e) {
+            var msg = e.getMessage();
+            log.warn("Error retrieving GitHub access token: {}", msg);
         }
 
         return null;

github-app-installation/src/main/java/com/walmartlabs/concord/github/appinstallation/Utils.java

@@ -52,7 +52,7 @@ static boolean validateSecret(Secret secret, ObjectMapper mapper) {
             return false;
         }
 
-        var base = parseRawAppInstallation(bds, mapper);
+        var base = parseRawAppInstallation(bds.getData(), mapper);
         if (base == null) {
             // It's not JSON, may be an oauth token
             return isPrintableAscii(bds.getData());
@@ -62,7 +62,7 @@ static boolean validateSecret(Secret secret, ObjectMapper mapper) {
         }
 
         // App installation config format is either valid or not
-        return parseAppInstallation(bds, mapper).isPresent();
+        return parseAppInstallation(bds.getData(), mapper).isPresent();
     }
 
     private static boolean isPrintableAscii(byte[] bytes) {
@@ -81,10 +81,9 @@ private static boolean isPrintableAscii(byte[] bytes) {
         return true;
     }
 
-    static Map<?, ?> parseRawAppInstallation(BinaryDataSecret bds,
-                                                     ObjectMapper mapper) {
+    static Map<?, ?> parseRawAppInstallation(byte[] bds, ObjectMapper mapper) {
         try { // find out if it's at least valid JSON.
-            var base = mapper.readValue(bds.getData(), Map.class);
+            var base = mapper.readValue(bds, Map.class);
             if (base.containsKey("githubAppInstallation")) {
                 return base;
             } else {
@@ -97,8 +96,7 @@ private static boolean isPrintableAscii(byte[] bytes) {
         }
     }
 
-    static Optional<GitHubAppAuthConfig> parseAppInstallation(BinaryDataSecret bds,
-                                                              ObjectMapper mapper) {
+    static Optional<GitHubAppAuthConfig> parseAppInstallation(byte[] bds, ObjectMapper mapper) {
         Map<?, ?> base = parseRawAppInstallation(bds, mapper);
 
         if (base == null || !base.containsKey("githubAppInstallation")) {

github-app-installation/src/test/java/com/walmartlabs/concord/github/appinstallation/UtilsTest.java

@@ -56,7 +56,7 @@ void testValidateSecret() {
 
     @Test
     void parseAppInstallation_ValidJson() {
-        var o = parseAppInstallation(new BinaryDataSecret(APP_INSTALL_CONTENT.getBytes()), MAPPPER);
+        var o = parseAppInstallation(APP_INSTALL_CONTENT.getBytes(), MAPPPER);
 
         assertTrue(o.isPresent());
         var result = o.get();
@@ -72,32 +72,32 @@ void parseAppInstallation_MissingElement() {
                         "privateKey": "mock-key-data"
                     }
                 }""";
-        var secret = new BinaryDataSecret(missingClientId.getBytes());
-        var ex = assertThrows(GitHubAppException.class, () -> parseAppInstallation(secret, MAPPPER));
+        var data = missingClientId.getBytes();
+        var ex = assertThrows(GitHubAppException.class, () -> parseAppInstallation(data, MAPPPER));
 
         assertTrue(ex.getMessage().contains("Invalid app installation definition"));
     }
 
     @Test
     void parseAppInstallation_OtherJson() {
         var unexpectedJson = "{ \"valid\": \"but not usable here\"}";
-        var result = parseAppInstallation(new BinaryDataSecret(unexpectedJson.getBytes()), MAPPPER);
+        var result = parseAppInstallation(unexpectedJson.getBytes(), MAPPPER);
 
         assertFalse(result.isPresent());
     }
 
     @Test
     void parseRawAppInstallation_NotJson() {
         var unexpectedJson = "justText";
-        var result = parseRawAppInstallation(new BinaryDataSecret(unexpectedJson.getBytes()), MAPPPER);
+        var result = parseRawAppInstallation(unexpectedJson.getBytes(), MAPPPER);
 
         assertNull(result);
     }
 
     @Test
     void parseRawAppInstallation_OtherJson() {
         var unexpectedJson = "{ \"valid\": \"but not usable here\"}";
-        var result = parseRawAppInstallation(new BinaryDataSecret(unexpectedJson.getBytes()), MAPPPER);
+        var result = parseRawAppInstallation(unexpectedJson.getBytes(), MAPPPER);
 
         assertNotNull(result);
         assertTrue(result.isEmpty());

server/impl/src/main/java/com/walmartlabs/concord/server/org/secret/SystemResource.java

@@ -22,14 +22,16 @@
 
 import com.walmartlabs.concord.common.ExternalAuthToken;
 import com.walmartlabs.concord.common.AuthTokenProvider;
-import com.walmartlabs.concord.repository.RepositoryException;
+import com.walmartlabs.concord.github.appinstallation.exception.GitHubAppException;
 import com.walmartlabs.concord.server.sdk.ConcordApplicationException;
 import com.walmartlabs.concord.server.sdk.rest.Resource;
+import com.walmartlabs.concord.server.sdk.validation.Validate;
 import com.walmartlabs.concord.server.security.Permission;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 
 import javax.inject.Inject;
+import javax.validation.constraints.NotNull;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -52,18 +54,19 @@ public SystemResource(AuthTokenProvider authTokenProvider) {
     @GET
     @Path("/gitauth")
     @Produces(MediaType.APPLICATION_JSON)
+    @Validate
     @Operation(description = "Retrieves system-provided auth for give repository URI. Requires externalTokenLookup permission. ", operationId = "getExternalToken")
-    public ExternalAuthToken getExternalToken(@QueryParam("repoUri") URI repoUri) {
+    public ExternalAuthToken getExternalToken(@QueryParam("repoUri") @NotNull URI repoUri) {
         assertSystemGitAuthPermission();
 
         try {
             return authTokenProvider.getToken(repoUri, null)
                     .orElseThrow(() -> new ConcordApplicationException("No system-provided auth found for the given repository URI: " + repoUri, Response.Status.NOT_FOUND));
-        } catch (RepositoryException.NotFoundException e) {
-            throw new ConcordApplicationException(e.getMessage(), Response.Status.BAD_REQUEST);
-        } catch (RepositoryException e) {
-            // TODO 500?
+        } catch (GitHubAppException.NotFoundException e) {
+            // repo issue, or app not installed
             throw new ConcordApplicationException(e.getMessage(), Response.Status.NOT_FOUND);
+        } catch (GitHubAppException e) {
+            throw new ConcordApplicationException(e.getMessage(), Response.Status.BAD_REQUEST);
         }
     }