Expose the GENERATE_HTTP_PASSWORD capability permssion.
Gerrit has a GENERATE_HTTP_PASSWORD capability but it is not exposed
as a permission in the Gerrit Access UI. This change exposes the
GENERATE_HTTP_PASSWORD capability and restricts REST API action for
getting and generating the HTTP password.
Bug: Issue 2790
Change-Id: Ie7cfeac9090462758438ebe6710dffae4368ccd4
diff --git a/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java b/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
index d9ad274..f42811c 100644
--- a/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
+++ b/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
@@ -106,6 +106,7 @@
NAMES_ALL.add(CREATE_PROJECT);
NAMES_ALL.add(EMAIL_REVIEWERS);
NAMES_ALL.add(FLUSH_CACHES);
+ NAMES_ALL.add(GENERATE_HTTP_PASSWORD);
NAMES_ALL.add(KILL_TASK);
NAMES_ALL.add(PRIORITY);
NAMES_ALL.add(QUERY_LIMIT);
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
index 47047ed..1a66277 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
@@ -20,6 +20,7 @@
import static com.google.gerrit.common.data.GlobalCapability.CREATE_PROJECT;
import static com.google.gerrit.common.data.GlobalCapability.EMAIL_REVIEWERS;
import static com.google.gerrit.common.data.GlobalCapability.FLUSH_CACHES;
+import static com.google.gerrit.common.data.GlobalCapability.GENERATE_HTTP_PASSWORD;
import static com.google.gerrit.common.data.GlobalCapability.KILL_TASK;
import static com.google.gerrit.common.data.GlobalCapability.PRIORITY;
import static com.google.gerrit.common.data.GlobalCapability.RUN_GC;
@@ -113,6 +114,7 @@
have.put(CREATE_PROJECT, cc.canCreateProject());
have.put(EMAIL_REVIEWERS, cc.canEmailReviewers());
have.put(FLUSH_CACHES, cc.canFlushCaches());
+ have.put(GENERATE_HTTP_PASSWORD, cc.canGenerateHttpPassword());
have.put(KILL_TASK, cc.canKillTask());
have.put(RUN_GC, cc.canRunGC());
have.put(STREAM_EVENTS, cc.canStreamEvents());
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetHttpPassword.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetHttpPassword.java
index c49ab98..e080015 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetHttpPassword.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetHttpPassword.java
@@ -36,7 +36,7 @@
public String apply(AccountResource rsrc) throws AuthException,
ResourceNotFoundException {
if (self.get() != rsrc.getUser()
- && !self.get().getCapabilities().canAdministrateServer()) {
+ && !self.get().getCapabilities().canGenerateHttpPassword()) {
throw new AuthException("not allowed to get http password");
}
AccountState s = rsrc.getUser().state();
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java
index 3903050..93b35c6 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java
@@ -86,14 +86,14 @@
} else if (input.httpPassword == null) {
if (self.get() != rsrc.getUser()
- && !self.get().getCapabilities().canAdministrateServer()) {
+ && !self.get().getCapabilities().canGenerateHttpPassword()) {
throw new AuthException("not allowed to clear HTTP password");
}
newPassword = null;
} else {
- if (!self.get().getCapabilities().canAdministrateServer()) {
+ if (!self.get().getCapabilities().canGenerateHttpPassword()) {
throw new AuthException("not allowed to set HTTP password directly, "
- + "need to be Gerrit administrator");
+ + "requires the Generate HTTP Password permission");
}
newPassword = input.httpPassword;
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java
index 289173b..2c1632f 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java
@@ -29,6 +29,7 @@
public String createProject;
public String emailReviewers;
public String flushCaches;
+ public String generateHttpPassword;
public String killTask;
public String priority;
public String queryLimit;
diff --git a/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties b/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties
index 9eb7d9b..a1e0e1d 100644
--- a/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties
+++ b/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties
@@ -5,6 +5,7 @@
createProject = Create Project
emailReviewers = Email Reviewers
flushCaches = Flush Caches
+generateHttpPassword = Generate HTTP Password
killTask = Kill Task
priority = Priority
queryLimit = Query Limit
