(cherry picked from commit 3853b381)

[JENKINS-47909] Handle false hex escapes

(cherry picked from commit 7c06a9ba)

* Add ExtensionList#lookupFirst convenience method

* Fix Javadoc

* Convert to lookupSingleton, which throws unless there's only 1

* Address review comments

Signed-off-by: NNicolas De Loof <nicolas.deloof@gmail.com>

[JENKINS-45737] - User mapping should be stored in a per-Jenkins field and getAll should be called just once per session unless we reload (#2928)

[JENKINS-45737] - User mapping should be stored in a per-Jenkins field and getAll should be called just once per session unless we reload

(cherry picked from commit f091c9de)

* spelling: abstract

* spelling: about

* spelling: absolute

* spelling: across

* spelling: activity

* spelling: actually

* spelling: addition

* spelling: allocating

* spelling: ambiguous

* spelling: analyzes

* spelling: analysis

* spelling: another

* spelling: appear

* spelling: arbitrary

* spelling: artifact

* spelling: assignment

* spelling: associated

* spelling: augment

* spelling: authentication

* spelling: automatically

* spelling: available

* spelling: availability

* spelling: because

* spelling: background

* spelling: beginning

* spelling: boolean

* spelling: browsers

* spelling: building

* spelling: calculation

* spelling: channel

* spelling: column

* spelling: concatenation

* spelling: connect

* spelling: contribute

* spelling: convert

* spelling: copied

* spelling: couldn't

* spelling: scrambled

* spelling: creates-a

* spelling: curr-entry

* spelling: customize

* spelling: diagnostic

* spelling: contain

* spelling: default

* spelling: delimiter

* spelling: descriptor

* spelling: disambiguates

* spelling: different

* spelling: diligently

* spelling: disabled

* spelling: discovered

* spelling: display

* spelling: doesn't

* spelling: dollar

* spelling: downstream

* spelling: dynamically

* spelling: preemptively

* spelling: encrypt

* spelling: erroneous

* spelling: examine

* spelling: existence

* spelling: value

* spelling: february

* spelling: handling

* spelling: hostname

* spelling: convenient

* spelling: identify

* spelling: implementation

* spelling: incorrect

* spelling: individual

* spelling: initialization

* spelling: initialized

* spelling: inputstream

* spelling: instantiated

* spelling: instantiation

* spelling: intended

* spelling: interpreted

* spelling: interrupted

* spelling: invocations

* spelling: kern

* spelling: localization

* spelling: logger

* spelling: malfunctioning

* spelling: methods

* spelling: monitor

* spelling: mutator

* spelling: multiple

* spelling: object

* spelling: configured

* spelling: optionally

* spelling: option

* spelling: overridden

* spelling: parameterized

* spelling: parent

* spelling: permissions

* spelling: plugin

* spelling: potentially

* spelling: preferable

* spelling: problems like

* spelling: programmatically

* spelling: property

* spelling: reallocate

* spelling: recommended

* spelling: redirected

* spelling: registered

* spelling: reliable

* spelling: remember

* spelling: recurrence

* spelling: repeatable

* spelling: repeated

* spelling: resource

* spelling: retrieve

* spelling: returned

* spelling: revision

* spelling: sandwich

* spelling: separator

* spelling: serialization

* spelling: settings

* spelling: shadow

* spelling: should

* spelling: someone

* spelling: source

* spelling: specified

* spelling: style

* spelling: subversion

* spelling: sufficient

* spelling: supplementary

* spelling: suppressing

* spelling: synchronization

* spelling: synchronized

* spelling: this

* spelling: transitioning

* spelling: termination

* spelling: trying

* spelling: truncatable

* spelling: unknown

* spelling: undeployed

* spelling: unnecessary

* spelling: unparseable

* spelling: update

* spelling: upper

* spelling: verify

* spelling: visible

* spelling: warning

* spelling: we're

* spelling: whitespace

* spelling: wide

* spelling: with

* spelling: workspace

* spelling: yielding

* spelling: to

* spelling: by

* spelling: the

* spelling: hours

- Also switch in cases where we have a subset that is likely significantly smaller and hence quicker to sort

[FIXED JENKINS-35967] - Make User#isIdOrFullnameAllowed() more robust against restricted usernames (#2413)

This change hardens username verification in user creation commands. See the issue to get rexamples.

https://issues.jenkins-ci.org/browse/JENKINS-35967

[JENKINS-35493] Introduce a UserDetails cache
(cherry picked from commit 06e99bd9)

to fix performance regression after SECURITY-243

Better exception message if a SecurityRealm doesn't respect the API contract and return null (#2407)

* Getter exception message if the SecurityRealm doesn't respect the API contract and return null.

* Use NullPointerException instead of IllegalStateException to not change the behaviour of the method.

* [JENKINS-33600] - User#isIdOrFullnameAllowed() should be tolerant against null parameters

* [JENKINS-33600] - Add the follow-up TODO

[JENKINS-34755] Migrate to SystemProperties and restrict access to the engine

Make it possible to disable SecurityRealm.loadUserByUsername call with a system property if it proves too slow in certain circumstances.

Unclear if, say, LDAPSecurityRealm ever throws this.

Introduce a new API User.getById that will only ever get a user by their
ID as suggested by @jglick (adapted from the original suggestion).

When looking up users we must always try to use the id first and fallback
to other methods only if this is unsucessful.

- Code that is running from a plugin and on the master's JVM is guaranteed to never get null from this method (any cases where you do get null are bugs in core)
- Code that is running from a plugin and on a remote JVM should never be allowed to load the Jenkins class in their classloader, so should never use Jenkins.getInstance()... we are annotating the method with @Nullable so that such code can have some evolution time
- Code that is running in core and on one of two special paths should use the Jenkins.getInstanceOrNull() method so that the UI can be presented to users before the singleton has been instantiated / after the singleton has been destroyed
- The remaining 95% of uses in core (and 100% of uses in plugins) can safely assume that the instance is never null