Implement credentials tracking

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketApiUtils.java

@@ -50,7 +50,7 @@
         }
 
         serverUrl = StringUtils.defaultIfBlank(serverUrl, serverUrlFallback);
-        StandardCredentials credentials = BitbucketCredentials.lookupCredentials(
+        StandardCredentials credentials = BitbucketCredentials.lookupCredentialsAndTrackUsage(
             serverUrl,
             context,
             credentialsId,

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketBuildStatusNotifications.java

@@ -165,11 +165,6 @@ private static void createStatus(@NonNull Run<?, ?> build, @NonNull TaskListener
         }
     }
 
-    private static @CheckForNull BitbucketSCMSource findBitbucketSCMSource(Run<?, ?> build) {
-        SCMSource s = SCMSource.SourceByItem.findSource(build.getParent());
-        return s instanceof BitbucketSCMSource ? (BitbucketSCMSource) s : null;
-    }
-
     private static void sendNotifications(BitbucketSCMSource source, Run<?, ?> build, TaskListener listener)
             throws IOException, InterruptedException {
         BitbucketSCMSourceContext sourceContext = new BitbucketSCMSourceContext(null,
@@ -244,7 +239,7 @@ public static class JobCheckOutListener extends SCMListener {
         @Override
         public void onCheckout(Run<?, ?> build, SCM scm, FilePath workspace, TaskListener listener, File changelogFile,
                                SCMRevisionState pollingBaseline) throws Exception {
-            BitbucketSCMSource source = findBitbucketSCMSource(build);
+            BitbucketSCMSource source = BitbucketSCMSource.findForRun(build);
             if (source == null) {
                 return;
             }
@@ -277,7 +272,7 @@ public static class JobCompletedListener extends RunListener<Run<?, ?>> {
 
         @Override
         public void onCompleted(Run<?, ?> build, TaskListener listener) {
-            BitbucketSCMSource source = findBitbucketSCMSource(build);
+            BitbucketSCMSource source = BitbucketSCMSource.findForRun(build);
             if (source == null) {
                 return;
             }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketCredentials.java

@@ -24,6 +24,7 @@
 package com.cloudbees.jenkins.plugins.bitbucket;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
+import com.cloudbees.plugins.credentials.Credentials;
 import com.cloudbees.plugins.credentials.CredentialsMatchers;
 import com.cloudbees.plugins.credentials.CredentialsProvider;
 import com.cloudbees.plugins.credentials.common.StandardCertificateCredentials;
@@ -32,8 +33,8 @@
 import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.model.Item;
 import hudson.model.Queue;
-import hudson.model.queue.Tasks;
 import hudson.security.ACL;
 import hudson.security.AccessControlled;
 import hudson.util.FormValidation;
@@ -44,6 +45,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.QueryParameter;
+import org.springframework.security.core.Authentication;
 
 /**
  * Utility class for common code accessing credentials
@@ -53,26 +55,32 @@
         throw new IllegalAccessError("Utility class");
     }
 
+    /**
+     * Performs a lookup of credentials for the given context. Additionally, usage of the credentials is tracked for the
+     * given {@link SCMSourceOwner} via {@link CredentialsProvider#track(Item, Credentials)}
+     */
     @CheckForNull
-    static <T extends StandardCredentials> T lookupCredentials(@CheckForNull String serverUrl,
-                                                               @CheckForNull SCMSourceOwner context,
-                                                               @CheckForNull String id,
-                                                               @NonNull Class<T> type) {
+    static <T extends StandardCredentials> T lookupCredentialsAndTrackUsage(@CheckForNull String serverUrl,
+                                                                            @CheckForNull SCMSourceOwner context,
+                                                                            @CheckForNull String id,
+                                                                            @NonNull Class<T> type) {
         if (StringUtils.isNotBlank(id) && context != null) {
-            return CredentialsMatchers.firstOrNull(
-                    CredentialsProvider.lookupCredentials(
-                            type,
-                            context,
-                            context instanceof Queue.Task
-                                    ? Tasks.getDefaultAuthenticationOf((Queue.Task) context)
-                                    : ACL.SYSTEM,
-                            URIRequirementBuilder.fromUri(serverUrl).build()
-                    ),
-                    CredentialsMatchers.allOf(
-                            CredentialsMatchers.withId(id),
-                            CredentialsMatchers.anyOf(CredentialsMatchers.instanceOf(type))
-                    )
+            final T credentials = CredentialsMatchers.firstOrNull(
+                CredentialsProvider.lookupCredentialsInItem(
+                    type,
+                    context,
+                    getAuthenticationForContext(context),
+                    URIRequirementBuilder.fromUri(serverUrl).build()
+                ),
+                CredentialsMatchers.allOf(
+                    CredentialsMatchers.withId(id),
+                    CredentialsMatchers.anyOf(CredentialsMatchers.instanceOf(type))
+                )
             );
+
+            CredentialsProvider.track(context, credentials);
+
+            return credentials;
         }
         return null;
     }
@@ -87,34 +95,32 @@
             return result;
         }
         result.includeMatchingAs(
-                context instanceof Queue.Task
-                        ? Tasks.getDefaultAuthenticationOf((Queue.Task) context)
-                        : ACL.SYSTEM,
-                context,
-                StandardCredentials.class,
-                URIRequirementBuilder.fromUri(serverUrl).build(),
-                AuthenticationTokens.matcher(BitbucketAuthenticator.authenticationContext(serverUrl))
+            getAuthenticationForContext(context),
+            context,
+            StandardCredentials.class,
+            URIRequirementBuilder.fromUri(serverUrl).build(),
+            AuthenticationTokens.matcher(BitbucketAuthenticator.authenticationContext(serverUrl))
         );
         return result;
     }
 
     static FormValidation checkCredentialsId(
         @AncestorInPath @CheckForNull SCMSourceOwner context,
         @QueryParameter String value,
         @QueryParameter String serverUrl) {
         if (!value.isEmpty()) {
             AccessControlled contextToCheck = context == null ? Jenkins.get() : context;
             contextToCheck.checkPermission(CredentialsProvider.VIEW);
             if (CredentialsMatchers.firstOrNull(
-                    CredentialsProvider.lookupCredentials(
-                            StandardCertificateCredentials.class,
-                            context,
-                            context instanceof Queue.Task ? Tasks.getDefaultAuthenticationOf((Queue.Task) context) : ACL.SYSTEM,
-                            URIRequirementBuilder.fromUri(serverUrl).build()),
-                    CredentialsMatchers.allOf(
-                            CredentialsMatchers.withId(value),
-                            AuthenticationTokens.matcher(BitbucketAuthenticator.authenticationContext(serverUrl))
-                    )
+                CredentialsProvider.lookupCredentialsInItem(
+                    StandardCertificateCredentials.class,
+                    context,
+                    getAuthenticationForContext(context),
+                    URIRequirementBuilder.fromUri(serverUrl).build()),
+                CredentialsMatchers.allOf(
+                    CredentialsMatchers.withId(value),
+                    AuthenticationTokens.matcher(BitbucketAuthenticator.authenticationContext(serverUrl))
+                )
             ) != null) {
                 return FormValidation.warning("A certificate was selected. You will likely need to configure Checkout over SSH.");
             }
@@ -123,4 +129,10 @@
             return FormValidation.warning("Credentials are required for build notifications");
         }
     }
+
+    private static Authentication getAuthenticationForContext(SCMSourceOwner context) {
+        return context instanceof Queue.Task
+            ? ((Queue.Task) context).getDefaultAuthentication2()
+            : ACL.SYSTEM2;
+    }
 }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketGitSCMBuilder.java

@@ -158,7 +158,7 @@ public BitbucketSCMSource scmSource() {
     @NonNull
     public BitbucketGitSCMBuilder withCredentials(String credentialsId, BitbucketRepositoryProtocol protocol) {
         if (StringUtils.isNotBlank(credentialsId)) {
-            StandardCredentials credentials = BitbucketCredentials.lookupCredentials(
+            StandardCredentials credentials = BitbucketCredentials.lookupCredentialsAndTrackUsage(
                 scmSource.getServerUrl(),
                 scmSource.getOwner(),
                 DescriptorImpl.SAME.equals(scmSource.getCheckoutCredentialsId()) ? credentialsId : scmSource.getCheckoutCredentialsId(),

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMNavigator.java

@@ -494,7 +494,7 @@ public void visitSources(SCMSourceObserver observer) throws IOException, Interru
             listener.getLogger().format("Must specify a repository owner%n");
             return;
         }
-        StandardCredentials credentials = BitbucketCredentials.lookupCredentials(
+        StandardCredentials credentials = BitbucketCredentials.lookupCredentialsAndTrackUsage(
                 serverUrl,
                 observer.getContext(),
                 credentialsId,
@@ -545,7 +545,7 @@ public List<Action> retrieveActions(@NonNull SCMNavigatorOwner owner,
         // TODO when we have support for trusted events, use the details from event if event was from trusted source
         listener.getLogger().printf("Looking up team details of %s...%n", getRepoOwner());
         List<Action> result = new ArrayList<>();
-        StandardCredentials credentials = BitbucketCredentials.lookupCredentials(
+        StandardCredentials credentials = BitbucketCredentials.lookupCredentialsAndTrackUsage(
                 serverUrl,
                 owner,
                 credentialsId,

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMSource.java

@@ -62,6 +62,7 @@
 import hudson.model.Action;
 import hudson.model.Actionable;
 import hudson.model.Item;
+import hudson.model.Run;
 import hudson.model.TaskListener;
 import hudson.plugins.git.GitSCM;
 import hudson.scm.SCM;
@@ -1072,7 +1073,7 @@ public DescriptorImpl getDescriptor() {
 
     @CheckForNull
     /* package */ StandardCredentials credentials() {
-        return BitbucketCredentials.lookupCredentials(
+        return BitbucketCredentials.lookupCredentialsAndTrackUsage(
                 getServerUrl(),
                 getOwner(),
                 getCredentialsId(),
@@ -1225,6 +1226,11 @@ public static void setEventDelaySeconds(int eventDelaySeconds) {
         BitbucketSCMSource.eventDelaySeconds = Math.min(300, Math.max(0, eventDelaySeconds));
     }
 
+    public static BitbucketSCMSource findForRun(Run<?, ?> run) {
+        SCMSource s = SCMSource.SourceByItem.findSource(run.getParent());
+        return s instanceof BitbucketSCMSource ?  (BitbucketSCMSource) s : null;
+    }
+
     private void initCloneLinks() {
         if (primaryCloneLinks == null) {
             BitbucketApi bitbucket = buildBitbucketClient();

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/CredentialTrackingRunListener.java

@@ -0,0 +1,27 @@
+package com.cloudbees.jenkins.plugins.bitbucket;
+
+import com.cloudbees.plugins.credentials.CredentialsProvider;
+import hudson.Extension;
+import hudson.model.Run;
+import hudson.model.listeners.RunListener;
+
+/**
+ * Tracks the usage of credentials
+ */
+@Extension
+public class CredentialTrackingRunListener extends RunListener<Run<?, ?>> {
+    @Override
+    public void onInitialize(Run<?, ?> run) {
+        final BitbucketSCMSource source = BitbucketSCMSource.findForRun(run);
+
+        if (source == null) {
+            return;
+        }
+
+        final boolean usesSshCheckout = source.getTraits().stream().anyMatch(scmSourceTrait -> scmSourceTrait instanceof SSHCheckoutTrait);
+
+        if (!usesSshCheckout) {
+            CredentialsProvider.track(run, source.credentials());
+        }
+    }
+}

src/test/java/com/cloudbees/jenkins/plugins/bitbucket/BranchScanningIntegrationTest.java

@@ -115,7 +115,7 @@ public void uriResolverByCredentialsTest() throws Exception {
         CredentialsProvider.lookupStores(j.jenkins).iterator().next()
                 .addCredentials(Domain.global(), c);
 
-        StandardCredentials creds = BitbucketCredentials.lookupCredentials(
+        StandardCredentials creds = BitbucketCredentials.lookupCredentialsAndTrackUsage(
                 null ,
                 source.getOwner(),
                 c.getId(),
@@ -127,7 +127,7 @@ public void uriResolverByCredentialsTest() throws Exception {
         CredentialsProvider.lookupStores(j.jenkins).iterator().next()
                 .addCredentials(Domain.global(), c);
 
-        creds = BitbucketCredentials.lookupCredentials(
+        creds = BitbucketCredentials.lookupCredentialsAndTrackUsage(
                 null,
                 source.getOwner(),
                 c.getId(),