Add option to allow to set custom HTTP passwords

It was only possible for administrators to set custom passwords for serviceusers. However, there might be a legitimate reason for owners of a serviceuser to do so, instead of only generating a password. This change adds an option that allows serviceuser owners to set a custom HTTP password. This was made optional, since allowing this might not be compliant with all security standards.

Change-Id: Id674fcbe312f7d912790e0b7fecaa9fd093a085b
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/GetConfig.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/GetConfig.java
index 16e200a..c4aa9e1 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/GetConfig.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/GetConfig.java
@@ -67,6 +67,7 @@
 info.onSuccess = Strings.emptyToNull(cfg.getString("onSuccessMessage"));
 info.allowEmail = toBoolean(cfg.getBoolean("allowEmail", false));
 info.allowHttpPassword = toBoolean(cfg.getBoolean("allowHttpPassword", false));
+ info.allowCustomHttpPassword = toBoolean(cfg.getBoolean("allowCustomHttpPassword", false));
 info.allowOwner = toBoolean(cfg.getBoolean("allowOwner", false));
 info.createNotes = toBoolean(cfg.getBoolean("createNotes", true));
 info.createNotesAsync = toBoolean(cfg.getBoolean("createNotesAsync", false));
@@ -100,6 +101,7 @@
 public String onSuccess;
 public Boolean allowEmail;
 public Boolean allowHttpPassword;
+ public Boolean allowCustomHttpPassword;
 public Boolean allowOwner;
 public Boolean createNotes;
 public Boolean createNotesAsync;
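Review bot: In the first GetConfig hunk (-67,6), `info.allowCustomHttpPassword` is reported from its own key alone, although config.md in this commit says the option requires `allowHttpPassword`, and PutHttpPassword demands ADMINISTRATE_SERVER whenever `allowHttpPassword` is off. A client that reads ConfigInfo to decide whether to offer a custom-password field would then show it to owners whose request the server rejects. Consider reporting the effective value instead, e.g. `info.allowCustomHttpPassword = toBoolean(cfg.getBoolean("allowHttpPassword", false) && cfg.getBoolean("allowCustomHttpPassword", false));`. The enclosing method starts and ends outside the hunk.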
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java
index 4ff0525..16cfab8 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java
@@ -28,6 +28,7 @@
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
+import com.googlesource.gerrit.plugins.serviceuser.GetConfig.ConfigInfo;
 import com.googlesource.gerrit.plugins.serviceuser.PutHttpPassword.Input;
 import java.io.IOException;
 import org.eclipse.jgit.errors.ConfigInvalidException;
@@ -65,19 +66,19 @@
 }
 input.httpPassword = Strings.emptyToNull(input.httpPassword);
- Boolean httpPasswordAllowed;
+ ConfigInfo config;
 try {
- httpPasswordAllowed = getConfig.get().apply(new ConfigResource()).value().allowHttpPassword;
+ config = getConfig.get().apply(new ConfigResource()).value();
 } catch (Exception e) {
 throw asRestApiException("Cannot get configuration", e);
 }
- if (input.generate || input.httpPassword == null) {
- if ((httpPasswordAllowed == null || !httpPasswordAllowed)) {
+ if ((config.allowHttpPassword == null || !config.allowHttpPassword)) {
+ permissionBackend.user(self.get()).check(ADMINISTRATE_SERVER);
+ } else if (!input.generate && input.httpPassword != null) {
+ if ((config.allowCustomHttpPassword == null || !config.allowCustomHttpPassword)) {
 permissionBackend.user(self.get()).check(ADMINISTRATE_SERVER);
 }
- } else {
- permissionBackend.user(self.get()).check(ADMINISTRATE_SERVER);
 }
 String newPassword = input.generate ? generate() : input.httpPassword;
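Review bot: In the second PutHttpPassword hunk (-65,19), the new `else if (!input.generate && input.httpPassword != null)` branch lets a service user owner choose the credential, but nothing visible here validates the value beyond `Strings.emptyToNull`, so a one-character or reused password would be stored as-is. Generated passwords are the high-entropy baseline, so a minimum-length check on owner-supplied values before `newPassword` is assigned would keep the option from weakening the account, e.g. `if (input.httpPassword.length() < MIN_CUSTOM_PASSWORD_LENGTH) throw new BadRequestException("HTTP password too short");`, where `MIN_CUSTOM_PASSWORD_LENGTH` is a placeholder name for a new constant. The two null-or-false tests would also read more clearly as `!Boolean.TRUE.equals(config.allowHttpPassword)`. The method body starts and ends outside the hunk, so validation or an ownership check elsewhere cannot be ruled out from here.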
diff --git a/src/main/resources/Documentation/config.md b/src/main/resources/Documentation/config.md
index aa2e4b5..b66c181 100644
--- a/src/main/resources/Documentation/config.md
+++ b/src/main/resources/Documentation/config.md
@@ -59,6 +59,15 @@
 passwords for any service user.
 By default false.
+<a id="allowCustomHttpPassword"></a>
+`plugin.@PLUGIN@.allowCustomHttpPassword`
+: Whether it is allowed for service user owners to set custom HTTP
+ passwords for their service users. This option requires
+ `plugin.@PLUGIN@.allowHttpPassword` to be true. Independent of this
+ setting Gerrit administrators are always able to set custom HTTP
+ passwords for any service user.
+ By default false.
+
 <a id="allowOwner"></a>
 `plugin.@PLUGIN@.allowOwner`
 : Whether it is allowed to set an owner group for a service user.