Add option to allow to set custom HTTP passwords

Until now, only administrators could set custom passwords for
serviceusers. However, owners of a serviceuser might have a legitimate
reason to set one as well, instead of only generating a password.

This change adds an option that allows serviceuser owners to set a
custom HTTP password. This was made optional, since allowing this
might not be compliant with all security standards.

Change-Id: Id674fcbe312f7d912790e0b7fecaa9fd093a085b
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/GetConfig.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/GetConfig.java
index 16e200a..c4aa9e1 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/GetConfig.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/GetConfig.java
@@ -67,6 +67,7 @@
     info.onSuccess = Strings.emptyToNull(cfg.getString("onSuccessMessage"));
     info.allowEmail = toBoolean(cfg.getBoolean("allowEmail", false));
     info.allowHttpPassword = toBoolean(cfg.getBoolean("allowHttpPassword", false));
+    info.allowCustomHttpPassword = toBoolean(cfg.getBoolean("allowCustomHttpPassword", false));
     info.allowOwner = toBoolean(cfg.getBoolean("allowOwner", false));
     info.createNotes = toBoolean(cfg.getBoolean("createNotes", true));
     info.createNotesAsync = toBoolean(cfg.getBoolean("createNotesAsync", false));
@@ -100,6 +101,7 @@
     public String onSuccess;
     public Boolean allowEmail;
     public Boolean allowHttpPassword;
+    public Boolean allowCustomHttpPassword;
     public Boolean allowOwner;
     public Boolean createNotes;
     public Boolean createNotesAsync;
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java
index 4ff0525..16cfab8 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java
@@ -28,6 +28,7 @@
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
+import com.googlesource.gerrit.plugins.serviceuser.GetConfig.ConfigInfo;
 import com.googlesource.gerrit.plugins.serviceuser.PutHttpPassword.Input;
 import java.io.IOException;
 import org.eclipse.jgit.errors.ConfigInvalidException;
@@ -65,19 +66,19 @@
     }
     input.httpPassword = Strings.emptyToNull(input.httpPassword);
 
-    Boolean httpPasswordAllowed;
+    ConfigInfo config;
     try {
-      httpPasswordAllowed = getConfig.get().apply(new ConfigResource()).value().allowHttpPassword;
+      config = getConfig.get().apply(new ConfigResource()).value();
     } catch (Exception e) {
       throw asRestApiException("Cannot get configuration", e);
     }
 
-    if (input.generate || input.httpPassword == null) {
-      if ((httpPasswordAllowed == null || !httpPasswordAllowed)) {
+    if ((config.allowHttpPassword == null || !config.allowHttpPassword)) {
+      permissionBackend.user(self.get()).check(ADMINISTRATE_SERVER);
+    } else if (!input.generate && input.httpPassword != null) {
+      if ((config.allowCustomHttpPassword == null || !config.allowCustomHttpPassword)) {
         permissionBackend.user(self.get()).check(ADMINISTRATE_SERVER);
       }
-    } else {
-      permissionBackend.user(self.get()).check(ADMINISTRATE_SERVER);
     }
 
     String newPassword = input.generate ? generate() : input.httpPassword;
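Review bot: With `allowCustomHttpPassword` enabled, the `else if (!input.generate && input.httpPassword != null)` branch lets a non-administrator's `input.httpPassword` reach `newPassword` unchanged, and no length or strength check is visible in this hunk; generated passwords have a known entropy, owner-chosen ones do not. If nothing later in the method validates the value, reject weak ones before the assignment, e.g. `if (input.httpPassword.length() < MIN_CUSTOM_PASSWORD_LENGTH) throw new BadRequestException("HTTP password too short");`, where `MIN_CUSTOM_PASSWORD_LENGTH` is a placeholder for a configured minimum. The nullable flags would also read more safely as `!Boolean.TRUE.equals(config.allowCustomHttpPassword)`, with a short comment stating the resulting rule: option off means administrators only, and a custom value additionally needs the custom option. The method starts and ends outside the hunk, so the ownership check on the service user and any audit logging of the change cannot be confirmed from here.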
diff --git a/src/main/resources/Documentation/config.md b/src/main/resources/Documentation/config.md
index aa2e4b5..b66c181 100644
--- a/src/main/resources/Documentation/config.md
+++ b/src/main/resources/Documentation/config.md
@@ -59,6 +59,15 @@
     passwords for any service user.
     By default false.
 
+<a id="allowCustomHttpPassword"></a>
+`plugin.@PLUGIN@.allowCustomHttpPassword`
+:	Whether it is allowed for service user owners to set custom HTTP
+	passwords for their service users. This option requires
+	`plugin.@PLUGIN@.allowHttpPassword` to be true. Independent of this
+	setting Gerrit administrators are always able to set custom HTTP
+	passwords for any service user.
+	By default false.
+
 <a id="allowOwner"></a>
 `plugin.@PLUGIN@.allowOwner`
 :	Whether it is allowed to set an owner group for a service user.