fix: move per-request credentials from shared Repository config to PushContext (#177)

* fix: move per-request credentials from shared Repository config to PushContext

closes #176

Repository objects are cached and shared across concurrent pushes to the
same upstream in LocalRepositoryCache. Writing per-request values
(pushUser, pushToken, repoSlug, pushId, resolvedUser, scmUsername,
validationRecordId, upstreamUser) to db.getConfig() raced under concurrent
load — request A's token could be overwritten by request B before A's
hooks had a chance to read it.

Fix: store all per-request transient values on PushContext, which is
created fresh per request in StoreAndForwardReceivePackFactory.
upstreamUrl stays in repo config as it is per-repo (not per-request) and
is intentionally persisted to disk.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: apply spotless formatting

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: coopernetes

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/ApprovalPreReceiveHook.java

@@ -45,30 +45,40 @@ public class ApprovalPreReceiveHook implements PreReceiveHook {
     private final Duration timeout;
     private final String serviceUrl;
     private final RepoPermissionService repoPermissionService;
+    private final PushContext pushContext;
 
     public ApprovalPreReceiveHook(PushStore pushStore, ApprovalGateway approvalGateway) {
-        this(pushStore, approvalGateway, DEFAULT_TIMEOUT, null, null);
+        this(pushStore, approvalGateway, DEFAULT_TIMEOUT, null, null, null);
     }
 
     public ApprovalPreReceiveHook(PushStore pushStore, ApprovalGateway approvalGateway, String serviceUrl) {
-        this(pushStore, approvalGateway, DEFAULT_TIMEOUT, serviceUrl, null);
+        this(pushStore, approvalGateway, DEFAULT_TIMEOUT, serviceUrl, null, null);
     }
 
     public ApprovalPreReceiveHook(
             PushStore pushStore,
             ApprovalGateway approvalGateway,
             String serviceUrl,
             RepoPermissionService repoPermissionService) {
-        this(pushStore, approvalGateway, DEFAULT_TIMEOUT, serviceUrl, repoPermissionService);
+        this(pushStore, approvalGateway, DEFAULT_TIMEOUT, serviceUrl, repoPermissionService, null);
+    }
+
+    public ApprovalPreReceiveHook(
+            PushStore pushStore,
+            ApprovalGateway approvalGateway,
+            String serviceUrl,
+            RepoPermissionService repoPermissionService,
+            PushContext pushContext) {
+        this(pushStore, approvalGateway, DEFAULT_TIMEOUT, serviceUrl, repoPermissionService, pushContext);
     }
 
     public ApprovalPreReceiveHook(PushStore pushStore, ApprovalGateway approvalGateway, Duration timeout) {
-        this(pushStore, approvalGateway, timeout, null, null);
+        this(pushStore, approvalGateway, timeout, null, null, null);
     }
 
     public ApprovalPreReceiveHook(
             PushStore pushStore, ApprovalGateway approvalGateway, Duration timeout, String serviceUrl) {
-        this(pushStore, approvalGateway, timeout, serviceUrl, null);
+        this(pushStore, approvalGateway, timeout, serviceUrl, null, null);
     }
 
     public ApprovalPreReceiveHook(
@@ -77,21 +87,31 @@ public ApprovalPreReceiveHook(
             Duration timeout,
             String serviceUrl,
             RepoPermissionService repoPermissionService) {
+        this(pushStore, approvalGateway, timeout, serviceUrl, repoPermissionService, null);
+    }
+
+    public ApprovalPreReceiveHook(
+            PushStore pushStore,
+            ApprovalGateway approvalGateway,
+            Duration timeout,
+            String serviceUrl,
+            RepoPermissionService repoPermissionService,
+            PushContext pushContext) {
         this.pushStore = pushStore;
         this.approvalGateway = approvalGateway;
         this.timeout = timeout;
         this.serviceUrl = serviceUrl;
         this.repoPermissionService = repoPermissionService;
+        this.pushContext = pushContext;
     }
 
     @Override
     public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
         OutputStream msgOut = rp.getMessageOutputStream();
 
-        // Read the validation record ID stored by PushStorePersistenceHook.validationResultHook
-        String validationRecordId = rp.getRepository().getConfig().getString("gitproxy", null, "validationRecordId");
+        String validationRecordId = pushContext != null ? pushContext.getValidationRecordId() : null;
         if (validationRecordId == null) {
-            log.warn("No validationRecordId in repo config - skipping approval gate");
+            log.warn("No validationRecordId in push context - skipping approval gate");
             return;
         }
 

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/BitbucketCredentialRewriteHook.java

@@ -30,6 +30,7 @@ public class BitbucketCredentialRewriteHook implements GitProxyHook {
     private static final int ORDER = 148;
 
     private final BitbucketProvider provider;
+    private final PushContext pushContext;
 
     @Override
     public int getOrder() {
@@ -43,12 +44,11 @@ public String getName() {
 
     @Override
     public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
-        var repo = rp.getRepository();
-        String pushEmail = repo.getConfig().getString("gitproxy", null, "pushUser");
-        String pushToken = repo.getConfig().getString("gitproxy", null, "pushToken");
+        String pushEmail = pushContext.getPushUser();
+        String pushToken = pushContext.getPushToken();
 
         if (pushEmail == null || pushToken == null) {
-            log.debug("No push credentials in repo config — skipping Bitbucket upstream username resolution");
+            log.debug("No push credentials in context — skipping Bitbucket upstream username resolution");
             return;
         }
 
@@ -61,7 +61,7 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
         }
 
         String upstreamUser = identity.get().login();
-        repo.getConfig().setString("gitproxy", null, "upstreamUser", upstreamUser);
+        pushContext.setUpstreamUser(upstreamUser);
         log.debug("Stored Bitbucket upstream username '{}' for push email '{}'", upstreamUser, pushEmail);
     }
 }

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/CheckUserPushPermissionHook.java

@@ -64,10 +64,9 @@ public CheckUserPushPermissionHook(
 
     @Override
     public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
-        var config = rp.getRepository().getConfig();
-        String pushUser = config.getString("gitproxy", null, "pushUser");
-        String pushToken = config.getString("gitproxy", null, "pushToken");
-        String repoSlug = config.getString("gitproxy", null, "repoSlug");
+        String pushUser = pushContext.getPushUser();
+        String pushToken = pushContext.getPushToken();
+        String repoSlug = pushContext.getRepoSlug();
 
         if (identityResolver == null) {
             log.debug("No identity resolver configured (open mode), skipping permission check");
@@ -140,13 +139,13 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
                 user.getUsername(),
                 providerId,
                 repoSlug);
-        config.setString("gitproxy", null, "resolvedUser", user.getUsername());
+        pushContext.setResolvedUser(user.getUsername());
         if (provider != null && user.getScmIdentities() != null) {
             user.getScmIdentities().stream()
                     .filter(id -> provider.getProviderId().equalsIgnoreCase(id.getProvider()))
                     .map(org.finos.gitproxy.user.ScmIdentity::getUsername)
                     .findFirst()
-                    .ifPresent(scmUser -> config.setString("gitproxy", null, "scmUsername", scmUser));
+                    .ifPresent(pushContext::setScmUsername);
         }
         pushContext.addStep(PushStep.builder()
                 .stepName("checkUserPermission")

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/ForwardingPostReceiveHook.java

@@ -68,10 +68,10 @@ public void onPostReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
         Repository repo = rp.getRepository();
 
         // If BitbucketCredentialRewriteHook resolved an upstream username, use it instead of the push email.
-        String upstreamUser = repo.getConfig().getString("gitproxy", null, "upstreamUser");
+        String upstreamUser = pushContext.getUpstreamUser();
         CredentialsProvider effectiveCreds = credentials;
         if (upstreamUser != null) {
-            String pushToken = repo.getConfig().getString("gitproxy", null, "pushToken");
+            String pushToken = pushContext.getPushToken();
             effectiveCreds = new UsernamePasswordCredentialsProvider(upstreamUser, pushToken != null ? pushToken : "");
             log.debug("Using Bitbucket upstream username '{}' for forwarding credentials", upstreamUser);
         }

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/IdentityVerificationHook.java

@@ -74,9 +74,8 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
             return;
         }
 
-        var config = rp.getRepository().getConfig();
-        String pushUser = config.getString("gitproxy", null, "pushUser");
-        String pushToken = config.getString("gitproxy", null, "pushToken");
+        String pushUser = pushContext.getPushUser();
+        String pushToken = pushContext.getPushToken();
 
         if (pushUser == null || pushUser.isEmpty()) {
             log.debug("No push user in repo config — skipping identity verification");

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/PushContext.java

@@ -4,16 +4,40 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
+import lombok.Data;
 import org.finos.gitproxy.db.model.PushStep;
 
 /**
- * Shared context for accumulating {@link PushStep} records across pre-receive hooks within a single push. Hooks write
- * steps (diffs, scan results, etc.) to this context, and the persistence hook reads them when saving the final record.
+ * Per-request context shared across all pre/post-receive hooks within a single push. Carries both accumulated
+ * {@link PushStep} records (diffs, scan results, etc.) and transient per-request values that must not be stored on the
+ * shared cached {@link org.eclipse.jgit.lib.Repository} config.
+ *
+ * <p>All fields are written once (by {@link StoreAndForwardReceivePackFactory} or early hooks) and read by later hooks.
+ * No synchronisation is needed because hooks in a single push execute sequentially on the same thread.
  */
+@Data
 public class PushContext {
 
     private final List<PushStep> steps = new ArrayList<>();
 
+    // Per-request credentials — written by StoreAndForwardReceivePackFactory before any hook runs.
+    private String pushUser;
+    private String pushToken;
+    private String repoSlug;
+
+    // Resolved upstream username for Bitbucket pushes — written by BitbucketCredentialRewriteHook.
+    private String upstreamUser;
+
+    // Push record ID — written by PushStorePersistenceHook.preReceiveHook().
+    private String pushId;
+
+    // Identity resolved by CheckUserPushPermissionHook — written after permission check passes.
+    private String resolvedUser;
+    private String scmUsername;
+
+    // Validation record ID — written by PushStorePersistenceHook.validationResultHook().
+    private String validationRecordId;
+
     /** Add a step to the context. */
     public void addStep(PushStep step) {
         steps.add(step);

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/PushStorePersistenceHook.java

@@ -80,8 +80,7 @@ public void setAutoApproval(boolean autoApproval) {
     public PreReceiveHook preReceiveHook() {
         return (ReceivePack rp, Collection<ReceiveCommand> commands) -> {
             String pushId = UUID.randomUUID().toString();
-            // Store push ID in repo config so post-receive can find it
-            rp.getRepository().getConfig().setString("gitproxy", null, "pushId", pushId);
+            pushContext.setPushId(pushId);
 
             try {
                 PushRecord record = buildInitialRecord(pushId, rp, commands);
@@ -102,14 +101,14 @@ public PreReceiveHook preReceiveHook() {
      */
     public PreReceiveHook validationResultHook(ValidationContext validationContext) {
         return (ReceivePack rp, Collection<ReceiveCommand> commands) -> {
-            String pushId = rp.getRepository().getConfig().getString("gitproxy", null, "pushId");
+            String pushId = pushContext != null ? pushContext.getPushId() : null;
             if (pushId == null) return;
 
-            // Re-read resolvedUser and scmUsername here — both are set by CheckUserPushPermissionHook
-            // (order 150), which runs after preReceiveHook(), so they were not available when the
-            // RECEIVED record was written. validationResultHook fires after all validation hooks complete.
-            String resolvedUserLate = rp.getRepository().getConfig().getString("gitproxy", null, "resolvedUser");
-            String scmUsernameLate = rp.getRepository().getConfig().getString("gitproxy", null, "scmUsername");
+            // Read resolvedUser and scmUsername from pushContext — both are set by CheckUserPushPermissionHook
+            // (order 150) after preReceiveHook() ran, so they were not available when the RECEIVED record
+            // was written. validationResultHook fires after all validation hooks complete.
+            String resolvedUserLate = pushContext.getResolvedUser();
+            String scmUsernameLate = pushContext.getScmUsername();
 
             try {
                 pushStore.findById(pushId).ifPresent(initial -> {
@@ -156,9 +155,7 @@ public PreReceiveHook validationResultHook(ValidationContext validationContext)
                         record.setBlockedMessage(validationContext.getIssues().size() + " validation issue(s) found");
                         record.setSteps(allSteps);
                         pushStore.save(record);
-                        rp.getRepository()
-                                .getConfig()
-                                .setString("gitproxy", null, "validationRecordId", record.getId());
+                        if (pushContext != null) pushContext.setValidationRecordId(record.getId());
                         log.debug(
                                 "Saved validation result record: id={}, status=REJECTED (auto-rejected)",
                                 record.getId());
@@ -221,7 +218,7 @@ public PreReceiveHook validationResultHook(ValidationContext validationContext)
                     }
 
                     pushStore.save(record);
-                    rp.getRepository().getConfig().setString("gitproxy", null, "validationRecordId", record.getId());
+                    if (pushContext != null) pushContext.setValidationRecordId(record.getId());
                     log.debug(
                             "Saved validation result record: id={}, status=PENDING (awaiting review)", record.getId());
                 });
@@ -239,7 +236,7 @@ public PreReceiveHook validationResultHook(ValidationContext validationContext)
      */
     public PostReceiveHook postReceiveHook() {
         return (ReceivePack rp, Collection<ReceiveCommand> commands) -> {
-            String pushId = rp.getRepository().getConfig().getString("gitproxy", null, "pushId");
+            String pushId = pushContext != null ? pushContext.getPushId() : null;
             if (pushId == null) return;
 
             try {

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/RepositoryUrlRuleHook.java

@@ -41,9 +41,9 @@ public RepositoryUrlRuleHook(
 
     @Override
     public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
-        String repoSlug = rp.getRepository().getConfig().getString("gitproxy", null, "repoSlug");
+        String repoSlug = pushContext.getRepoSlug();
         if (repoSlug == null || repoSlug.isBlank()) {
-            log.warn("No repoSlug in repo config — cannot evaluate URL rules, blocking push (fail-closed)");
+            log.warn("No repoSlug in push context — cannot evaluate URL rules, blocking push (fail-closed)");
             blockPush(rp, commands, "Repository path unavailable");
             return;
         }

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/StoreAndForwardReceivePackFactory.java

@@ -157,35 +157,27 @@ public ReceivePack create(HttpServletRequest req, Repository db)
             creds = extractBasicAuth(req);
         }
 
-        // Store push credentials in repo config so hooks can read them for identity resolution.
-        // pushToken is the PAT/password — stored only in-process repo config, never persisted to disk.
+        // Per-request shared contexts — created before credentials are extracted so they can be
+        // stored on pushContext rather than the shared cached Repository config.
+        var validationContext = new ValidationContext();
+        var pushContext = new PushContext();
+
+        // Store per-request credentials on pushContext, not the shared Repository config.
+        // Writing to db.getConfig() would race with concurrent pushes to the same cached repo.
         String[] userPass = extractUserPass(req);
-        String pushUser = userPass != null ? userPass[0] : null;
-        String pushToken = userPass != null ? userPass[1] : null;
-        if (pushUser != null) {
-            db.getConfig().setString("gitproxy", null, "pushUser", pushUser);
-        }
-        if (pushToken != null) {
-            db.getConfig().setString("gitproxy", null, "pushToken", pushToken);
-        }
+        pushContext.setPushUser(userPass != null ? userPass[0] : null);
+        pushContext.setPushToken(userPass != null ? userPass[1] : null);
 
-        // Store the repo slug (/owner/repo) so permission hooks can read it without re-parsing the URL.
         String pathInfo = req.getPathInfo();
         if (pathInfo != null) {
-            // pathInfo is e.g. /owner/repo.git — strip .git suffix
             String slug = pathInfo.replaceAll("\\.git$", "");
-            // Normalise to /owner/repo (at most two path segments after leading /)
             String[] segments = slug.split("/", 4);
             if (segments.length >= 3) {
                 slug = "/" + segments[1] + "/" + segments[2];
             }
-            db.getConfig().setString("gitproxy", null, "repoSlug", slug);
+            pushContext.setRepoSlug(slug);
         }
 
-        // Per-request shared contexts
-        var validationContext = new ValidationContext();
-        var pushContext = new PushContext();
-
         // Persistence hook (records push to database)
         var persistenceHook = pushStore != null ? new PushStorePersistenceHook(pushStore, provider) : null;
         if (persistenceHook != null) {
@@ -247,7 +239,7 @@ public ReceivePack create(HttpServletRequest req, Repository db)
                 new GpgSignatureHook(gpgConfig, validationContext, pushContext),
                 new SecretScanningHook(secretScanConfig, validationContext, pushContext)));
         if (provider instanceof BitbucketProvider bitbucketProvider) {
-            validationHooks.add(new BitbucketCredentialRewriteHook(bitbucketProvider));
+            validationHooks.add(new BitbucketCredentialRewriteHook(bitbucketProvider, pushContext));
         }
         validationHooks.sort(Comparator.comparingInt(GitProxyHook::getOrder));
 
@@ -257,7 +249,8 @@ public ReceivePack create(HttpServletRequest req, Repository db)
             hooks.add(persistenceHook.preReceiveHook());
             hooks.addAll(validationHooks);
             hooks.add(persistenceHook.validationResultHook(validationContext));
-            hooks.add(new ApprovalPreReceiveHook(pushStore, approvalGateway, serviceUrl, repoPermissionService));
+            hooks.add(new ApprovalPreReceiveHook(
+                    pushStore, approvalGateway, serviceUrl, repoPermissionService, pushContext));
             preHooks = hooks.toArray(PreReceiveHook[]::new);
         } else {
             preHooks = validationHooks.toArray(PreReceiveHook[]::new);