Merge branch 'stable-3.9'

* stable-3.9:
  Invalidate service user cache each time All-Projects is updated
  Fix missing group add of serviceuser for ssh register command

Bug: Issue 372736304
Bug: Issue 367623920
Change-Id: I13a1b29290632f6433659b62ff1bcdbd3aa3055a
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/CacheInvalidator.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/CacheInvalidator.java
new file mode 100644
index 0000000..fbf1eac
--- /dev/null
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/CacheInvalidator.java
@@ -0,0 +1,51 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.googlesource.gerrit.plugins.serviceuser;
+
+import com.google.common.flogger.FluentLogger;
+import com.google.gerrit.entities.RefNames;
+import com.google.gerrit.server.config.AllProjectsName;
+import com.google.gerrit.server.events.Event;
+import com.google.gerrit.server.events.EventListener;
+import com.google.gerrit.server.events.RefUpdatedEvent;
+import com.google.inject.Inject;
+
+class CacheInvalidator implements EventListener {
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  private final AllProjectsName allProjects;
+  private final StorageCache storageCache;
+
+  @Inject
+  CacheInvalidator(AllProjectsName allProjects, StorageCache storageCache) {
+    this.allProjects = allProjects;
+    this.storageCache = storageCache;
+  }
+
+  @Override
+  public void onEvent(Event event) {
+    // This is needed in a multi-site setup to make sure every Gerrit instance
+    // has the latest created serviceuser in cache.
+    if (event.getType().equals(RefUpdatedEvent.TYPE)) {
+      RefUpdatedEvent refUpdatedEvent = (RefUpdatedEvent) event;
+      if (refUpdatedEvent.getProjectNameKey().get().equals(allProjects.get())
+          && refUpdatedEvent.getRefName().equals(RefNames.REFS_CONFIG)) {
+        logger.atFine().log(
+            "%s ref update triggered, invalidate serviceuser cache", allProjects.get());
+        storageCache.invalidate();
+      }
+    }
+  }
+}
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/Module.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/Module.java
index 85eaae7..1baa0ee 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/Module.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/Module.java
@@ -26,6 +26,7 @@
 import com.google.gerrit.extensions.registration.DynamicSet;
 import com.google.gerrit.extensions.restapi.RestApiModule;
 import com.google.gerrit.extensions.webui.TopMenu;
+import com.google.gerrit.server.events.EventListener;
 import com.google.gerrit.server.git.meta.VersionedConfigFile;
 import com.google.gerrit.server.git.validators.CommitValidationListener;
 import com.google.inject.AbstractModule;
@@ -42,6 +43,7 @@
     DynamicSet.bind(binder(), TopMenu.class).to(ServiceUserTopMenu.class);
     DynamicSet.bind(binder(), GitReferenceUpdatedListener.class).to(RefUpdateListener.class);
     DynamicSet.bind(binder(), CommitValidationListener.class).to(ValidateServiceUserCommits.class);
+    DynamicSet.bind(binder(), EventListener.class).to(CacheInvalidator.class);
     install(new FactoryModuleBuilder().build(CreateServiceUserNotes.Factory.class));
     install(
         new RestApiModule() {
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/RegisterServiceUser.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/RegisterServiceUser.java
index ef0d9e1..0d36a5e 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/RegisterServiceUser.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/RegisterServiceUser.java
@@ -14,6 +14,7 @@
 
 package com.googlesource.gerrit.plugins.serviceuser;
 
+import static com.google.gerrit.server.api.ApiUtil.asRestApiException;
 import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER;
 import static com.googlesource.gerrit.plugins.serviceuser.CreateServiceUser.KEY_CREATED_AT;
 import static com.googlesource.gerrit.plugins.serviceuser.CreateServiceUser.KEY_CREATED_BY;
@@ -22,8 +23,13 @@
 import static com.googlesource.gerrit.plugins.serviceuser.CreateServiceUser.USER;
 
 import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
 import com.google.gerrit.entities.Account;
+import com.google.gerrit.entities.AccountGroup;
 import com.google.gerrit.entities.Project;
+import com.google.gerrit.exceptions.NoSuchGroupException;
+import com.google.gerrit.extensions.annotations.PluginName;
 import com.google.gerrit.extensions.annotations.RequiresCapability;
 import com.google.gerrit.extensions.common.AccountInfo;
 import com.google.gerrit.extensions.restapi.AuthException;
@@ -36,14 +42,18 @@
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.GerritPersonIdent;
 import com.google.gerrit.server.IdentifiedUser;
+import com.google.gerrit.server.ServerInitiated;
 import com.google.gerrit.server.account.AccountLoader;
 import com.google.gerrit.server.account.AccountResolver;
 import com.google.gerrit.server.account.AccountResolver.UnresolvableAccountException;
 import com.google.gerrit.server.config.AllProjectsName;
 import com.google.gerrit.server.config.ConfigResource;
+import com.google.gerrit.server.config.GerritServerConfig;
 import com.google.gerrit.server.git.meta.MetaDataUpdate;
 import com.google.gerrit.server.git.meta.VersionedConfigFile;
 import com.google.gerrit.server.group.GroupResolver;
+import com.google.gerrit.server.group.db.GroupDelta;
+import com.google.gerrit.server.group.db.GroupsUpdate;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.Inject;
@@ -83,6 +93,9 @@
   private final StorageCache storageCache;
   private final PermissionBackend permissionBackend;
   private final BlockedNameFilter blockedNameFilter;
+  private final Provider<GroupsUpdate> groupsUpdateProvider;
+  private final Config config;
+  private final String pluginName;
 
   @Inject
   RegisterServiceUser(
@@ -96,7 +109,10 @@
       AccountLoader.Factory accountLoader,
       StorageCache storageCache,
       PermissionBackend permissionBackend,
-      BlockedNameFilter blockedNameFilter) {
+      BlockedNameFilter blockedNameFilter,
+      @ServerInitiated Provider<GroupsUpdate> groupsUpdateProvider,
+      @GerritServerConfig Config config,
+      @PluginName String pluginName) {
     this.configProvider = configProvider;
     this.accountResolver = accountResolver;
     this.groupResolver = groupResolver;
@@ -110,6 +126,9 @@
     this.storageCache = storageCache;
     this.permissionBackend = permissionBackend;
     this.blockedNameFilter = blockedNameFilter;
+    this.groupsUpdateProvider = groupsUpdateProvider;
+    this.config = config;
+    this.pluginName = pluginName;
   }
 
   @Override
@@ -183,6 +202,16 @@
       storageCache.invalidate();
     }
 
+    Account.Id accountId = user.getAccountId();
+    for (String groupName : config.getStringList("plugin", pluginName, "group")) {
+      AccountGroup.UUID groupUuid = groupResolver.parse(groupName).getGroupUUID();
+      try {
+        addGroupMember(groupUuid, accountId);
+      } catch (NoSuchGroupException e) {
+        throw asRestApiException("Cannot add account: " + accountId + " to group: " + groupName, e);
+      }
+    }
+
     ServiceUserInfo info = new ServiceUserInfo(new AccountInfo(user.getAccountId().get()));
     AccountLoader al = accountLoader.create(true);
     info.createdBy = al.get(creatorId);
@@ -190,4 +219,13 @@
     info.createdAt = creationDate;
     return Response.created(info);
   }
+
+  private void addGroupMember(AccountGroup.UUID groupUuid, Account.Id accountId)
+      throws IOException, NoSuchGroupException, ConfigInvalidException {
+    GroupDelta groupDelta =
+        GroupDelta.builder()
+            .setMemberModification(memberIds -> Sets.union(memberIds, ImmutableSet.of(accountId)))
+            .build();
+    groupsUpdateProvider.get().updateGroup(groupUuid, groupDelta);
+  }
 }