SonarQube QA takes approximately 45-60 min to complete. When profiling what happens during the ITs, we found out that every single WS API call uses HTTP Basic authentication carrying login:password, often admin:admin. Such an authentication mechanism is slow by design, because the submitted password has to be hashed on every request and compared with the stored hash (only the hash is stored in the database). Computing that hash is CPU intensive: about 80-200 ms for every call made to the SonarQube server during the integration tests. We are currently using a bcrypt library implementation (jBCrypt) to compute the hash. We do not actually need to exercise the hashing cost in functional testing, so this behaviour is a waste of time and resources.
Empirical tests of ITs without password hashing show a gain of about 40-60% on the total execution time of the QA, often going from 40-50 min to 20-30 min. Left column: without password hashing; right column: current behaviour:
Disabling the hash is obviously not the solution, but it gives a sense of the performance increase we can hope to achieve. Solutions that need to be discussed:
- generate, store and use a token when invoking Tester.AsUser(), so that requests no longer carry a password that has to be bcrypt-checked on every call
- change the hash implementation to PBKDF2WithHmacSHA256, whose iteration count is configurable, so the cost of the hashing algorithm can be tuned: strong by default, weakened for ITs. (bcrypt also exposes a cost factor, the log_rounds passed to BCrypt.gensalt, so either algorithm can be weakened; whichever is chosen, the weak setting must only ever reach the throwaway instances started for ITs.)
Another benefit of this task will be to reduce the overall computation needed for the QA to pass, reducing costs and carbon footprint (save the penguins!)
In order not to have to update all ITs, and not to change production source code, we have decided to use Byteman to disable the password check (make org.mindrot.jbcrypt.BCrypt#checkpw return true without computing the hash) behind an Orchestrator server property. Since this accepts any password for the patched JVM, the property must only be set on the throwaway SonarQube instances that Orchestrator starts for ITs, never on a shared or production server.
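The Byteman approach, as an added example that is not SonarSource's actual rule file: a script that returns true from checkpw at method entry, so the bcrypt computation is never reached. The signature matches jBCrypt's `public static boolean checkpw(String plaintext, String hashed)`; the file name, and how the Orchestrator property translates into the agent option, are assumptions.

```byteman
# Added example, not SonarQube's own rule: short-circuit jBCrypt's password check.
# Load only into IT JVMs, e.g. -javaagent:byteman.jar=script:skip-bcrypt.btm
RULE skip bcrypt checkpw during ITs
CLASS org.mindrot.jbcrypt.BCrypt
METHOD checkpw(String, String)
AT ENTRY
IF true
DO return true
ENDRULE
```

Two things to check before relying on it: `bmcheck.sh skip-bcrypt.btm` (shipped with Byteman) validates the rule against the class on the classpath, which catches a mistyped method signature that would otherwise leave the rule silently unapplied and the QA as slow as before; and any IT that asserts a wrong password is rejected (a 401 on bad credentials) will now pass for the wrong reason, so those tests must run without the property or be excluded from the patched run.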