authorShawn O. Pearce <sop@google.com>2009-08-05 20:11:22 -0700
committerShawn O. Pearce <sop@google.com>2009-08-05 20:11:22 -0700
commitd7c026dce6613dc6038cdae7fe98a09918116388 (patch)
tree30cf19d8dc68745dd987e25f00a9245bab62c42e
parent4dba988df1ed33843c277994c4aecd259a6a140f (diff)
Move trusted_external_ids to auth.trustedOpenID
Instead of storing this list in the database, we now store it in the gerrit.config as it applies more to the server instance than it does to the metadata database. This follows with the general pattern to push as much of the configuration out of the database and into the local gerrit.config file as possible. Signed-off-by: Shawn O. Pearce <sop@google.com>
-rw-r--r--Documentation/access-control.txt2
-rw-r--r--Documentation/config-gerrit.txt16
-rw-r--r--Documentation/config-sso.txt26
-rw-r--r--src/main/java/com/google/gerrit/client/reviewdb/ReviewDb.java5
-rw-r--r--src/main/java/com/google/gerrit/client/reviewdb/TrustedExternalId.java70
-rw-r--r--src/main/java/com/google/gerrit/client/reviewdb/TrustedExternalIdAccess.java30
-rw-r--r--src/main/java/com/google/gerrit/server/config/AuthConfig.java30
-rw-r--r--src/main/java/com/google/gerrit/server/config/GerritGlobalModule.java5
-rw-r--r--src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java17
-rw-r--r--src/main/java/com/google/gerrit/server/config/TrustedExternalIdsProvider.java44
-rw-r--r--src/main/webapp/WEB-INF/sql/upgrade015_016_part2.sql1
11 files changed, 49 insertions, 197 deletions
diff --git a/Documentation/access-control.txt b/Documentation/access-control.txt
index 4ac48f564f..1438fa9726 100644
--- a/Documentation/access-control.txt
+++ b/Documentation/access-control.txt
@@ -138,7 +138,7 @@ If the Gerrit instance is configured to use OpenID authentication,
an account's effective group membership will be restricted to only
the `Anonymous Users` and `Registered Users` groups, unless *all*
of its OpenID identities match one or more of the patterns listed
-in the `trusted_external_ids` table.
+in the `auth.trustedOpenID` list from `gerrit.config`.
All Projects
~~~~~~~~~~~~
diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index 2fbc166a96..3782f688f7 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -64,6 +64,22 @@ authentication is not possible.
+
By default, OpenID.
+auth.trustedOpenID::
++
+List of trusted OpenID providers. Only used if `auth.type` was
+set to OpenID (the default).
++
+In order for a user to take advantage of permissions beyond those
+granted to the `Anonymous Users` and `Registered Users` groups,
+the user account must only have OpenIDs which match at least one
+pattern from this list.
++
+Patterns may be either a regular expression (start with `^` and
+end with `$`) or be a simple prefix (any other string).
++
+By default, the list contains two values, `http://` and `https://`,
+allowing Gerrit to trust any OpenID it receives.
+
auth.httpHeader::
+
HTTP header to trust the username from, or unset to select HTTP basic
diff --git a/Documentation/config-sso.txt b/Documentation/config-sso.txt
index 5b7b1ca094..a2a640cff1 100644
--- a/Documentation/config-sso.txt
+++ b/Documentation/config-sso.txt
@@ -33,31 +33,19 @@ Add the following to `$JETTY_HOME/etc/jetty.xml` under
In order to use permissions beyond those granted to the
`Anonymous Users` and `Registered Users` groups, an account
must only have OpenIDs which match at least one pattern from the
-`trusted_external_ids` table. Patterns may be either a regular
-expression (must start with `^` and end with `$`) or be a simple
-prefix (any other string).
+`auth.trustedOpenID` list in `gerrit.config`. Patterns may be
+either a regular expression (must start with `^` and end with `$`)
+or be a simple prefix (any other string).
-Out of the box Gerrit is configured to trust three patterns:
+Out of the box Gerrit is configured to trust two patterns, which
+will match any OpenID provider on the Internet:
* `http://` -- trust all OpenID providers using the HTTP protocol
* `https://` -- trust all OpenID providers using the HTTPS protocol
-* `https://www.google.com/accounts/o8/id?id=` -- trust Google Accounts
-
-The first two patterns trust all OpenID providers on the Internet.
-The Google specific pattern is obviously also implied by the second
-pattern (`https://`), but is inserted by default in order to permit
-securing Gerrit to trust only Google Accounts easier:
-
-====
- DELETE FROM trusted_external_ids
- WHERE external_id IN ('http://', 'https://');
-====
-
-After making changes to `trusted_external_ids`, either restart
-Gerrit, or force a cache flush over SSH:
+To trust only Google Accounts:
====
- ssh -p 29418 review.example.com gerrit flush-caches
+ git config --file $site_path/gerrit.config auth.trustedOpenID 'https://www.google.com/accounts/o8/id?id='
====
Database Schema
diff --git a/src/main/java/com/google/gerrit/client/reviewdb/ReviewDb.java b/src/main/java/com/google/gerrit/client/reviewdb/ReviewDb.java
index 50cb87a592..c8449d2b91 100644
--- a/src/main/java/com/google/gerrit/client/reviewdb/ReviewDb.java
+++ b/src/main/java/com/google/gerrit/client/reviewdb/ReviewDb.java
@@ -40,9 +40,6 @@ public interface ReviewDb extends Schema {
SystemConfigAccess systemConfig();
@Relation
- TrustedExternalIdAccess trustedExternalIds();
-
- @Relation
ApprovalCategoryAccess approvalCategories();
@Relation
@@ -140,7 +137,7 @@ public interface ReviewDb extends Schema {
/**
* Next id for a block of {@link ChangeMessage} records.
- *
+ *
* @see com.google.gerrit.server.ChangeUtil#messageUUID(ReviewDb)
*/
@Sequence
diff --git a/src/main/java/com/google/gerrit/client/reviewdb/TrustedExternalId.java b/src/main/java/com/google/gerrit/client/reviewdb/TrustedExternalId.java
deleted file mode 100644
index 550e0e3c95..0000000000
--- a/src/main/java/com/google/gerrit/client/reviewdb/TrustedExternalId.java
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright (C) 2009 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package com.google.gerrit.client.reviewdb;
-
-import com.google.gwtorm.client.Column;
-import com.google.gwtorm.client.StringKey;
-
-public final class TrustedExternalId {
- public static class Key extends StringKey<com.google.gwtorm.client.Key<?>> {
- private static final long serialVersionUID = 1L;
-
- @Column
- protected String pattern;
-
- protected Key() {
- }
-
- public Key(final String re) {
- pattern = re;
- }
-
- @Override
- public String get() {
- return pattern;
- }
-
- @Override
- protected void set(String newValue) {
- pattern = newValue;
- }
- }
-
- @Column
- protected Key idPattern;
-
- protected TrustedExternalId() {
- }
-
- public TrustedExternalId(final TrustedExternalId.Key k) {
- idPattern = k;
- }
-
- public TrustedExternalId.Key getKey() {
- return idPattern;
- }
-
- public String getIdPattern() {
- return idPattern.pattern;
- }
-
- public boolean matches(final AccountExternalId id) {
- final String p = getIdPattern();
- if (p.startsWith("^") && p.endsWith("$")) {
- return id.getExternalId().matches(p);
- }
- return id.getExternalId().startsWith(p);
- }
-}
diff --git a/src/main/java/com/google/gerrit/client/reviewdb/TrustedExternalIdAccess.java b/src/main/java/com/google/gerrit/client/reviewdb/TrustedExternalIdAccess.java
deleted file mode 100644
index e7979de870..0000000000
--- a/src/main/java/com/google/gerrit/client/reviewdb/TrustedExternalIdAccess.java
+++ /dev/null
@@ -1,30 +0,0 @@
-// Copyright (C) 2009 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package com.google.gerrit.client.reviewdb;
-
-import com.google.gwtorm.client.Access;
-import com.google.gwtorm.client.OrmException;
-import com.google.gwtorm.client.PrimaryKey;
-import com.google.gwtorm.client.Query;
-import com.google.gwtorm.client.ResultSet;
-
-public interface TrustedExternalIdAccess extends
- Access<TrustedExternalId, TrustedExternalId.Key> {
- @PrimaryKey("idPattern")
- TrustedExternalId get(TrustedExternalId.Key key) throws OrmException;
-
- @Query
- ResultSet<TrustedExternalId> all() throws OrmException;
-}
diff --git a/src/main/java/com/google/gerrit/server/config/AuthConfig.java b/src/main/java/com/google/gerrit/server/config/AuthConfig.java
index 2ac6aa2406..a9872ba795 100644
--- a/src/main/java/com/google/gerrit/server/config/AuthConfig.java
+++ b/src/main/java/com/google/gerrit/server/config/AuthConfig.java
@@ -17,7 +17,6 @@ package com.google.gerrit.server.config;
import com.google.gerrit.client.reviewdb.AccountExternalId;
import com.google.gerrit.client.reviewdb.LoginType;
import com.google.gerrit.client.reviewdb.SystemConfig;
-import com.google.gerrit.client.reviewdb.TrustedExternalId;
import com.google.gwtjsonrpc.server.SignedToken;
import com.google.gwtjsonrpc.server.XsrfException;
import com.google.inject.Inject;
@@ -33,7 +32,7 @@ public class AuthConfig {
private final int sessionAge;
private final LoginType loginType;
private final String httpHeader;
- private final Collection<TrustedExternalId> trusted;
+ private final String[] trusted;
private final SignedToken xsrfToken;
private final SignedToken accountToken;
@@ -42,12 +41,12 @@ public class AuthConfig {
private final boolean allowGoogleAccountUpgrade;
@Inject
- AuthConfig(@GerritServerConfig final Config cfg, final SystemConfig s,
- final Collection<TrustedExternalId> tei) throws XsrfException {
+ AuthConfig(@GerritServerConfig final Config cfg, final SystemConfig s)
+ throws XsrfException {
sessionAge = cfg.getInt("auth", "maxsessionage", 12 * 60) * 60;
loginType = toType(cfg);
httpHeader = cfg.getString("auth", null, "httpheader");
- trusted = tei;
+ trusted = toTrusted(cfg);
xsrfToken = new SignedToken(getSessionAge(), s.xsrfPrivateKey);
final int accountCookieAge;
@@ -67,6 +66,14 @@ public class AuthConfig {
cfg.getBoolean("auth", "allowgoogleaccountupgrade", false);
}
+ private String[] toTrusted(final Config cfg) {
+ final String[] r = cfg.getStringList("auth", null, "trustedopenid");
+ if (r.length == 0) {
+ return new String[] {"http://", "https://"};
+ }
+ return r;
+ }
+
private static LoginType toType(final Config cfg) {
if (isBecomeAnyoneEnabled()) {
return LoginType.DEVELOPMENT_BECOME_ANY_ACCOUNT;
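Review bot: `toTrusted` fails open: whenever `cfg.getStringList("auth", null, "trustedopenid")` comes back empty — key absent, section mis-spelled, value left blank — it silently substitutes `{"http://", "https://"}`, so a configuration mistake widens trust to every OpenID provider instead of narrowing it, and nothing in the log records that the default was taken. A bare `trustedOpenID` key with no `=` is also, as far as I recall JGit's `Config`, returned as a null element (verify against the `Config` version in use), which would reach `p.startsWith` in `matches` and throw at trust-check time. I would drop null/empty entries before deciding on the fallback and log a warning when the trust-all default is used (via whatever logging facility AuthConfig already has, which this hunk does not show); the filtering alone looks like this and needs `java.util.ArrayList`/`List` in the imports:
```java
  private String[] toTrusted(final Config cfg) {
    final String[] configured =
        cfg.getStringList("auth", null, "trustedopenid");
    final List<String> r = new ArrayList<String>();
    for (final String p : configured) {
      // Skip bare keys (null) and blank values; a blank prefix would match every ID.
      if (p != null && p.length() > 0) {
        r.add(p);
      }
    }
    if (r.isEmpty()) {
      // Fail-open default documented in config-gerrit.txt; worth a log warning here.
      return new String[] {"http://", "https://"};
    }
    return r.toArray(new String[r.size()]);
  }
```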
@@ -165,11 +172,20 @@ public class AuthConfig {
return true;
}
- for (final TrustedExternalId t : trusted) {
- if (t.matches(id)) {
+ for (final String p : trusted) {
+ if (matches(p, id)) {
return true;
}
}
return false;
}
+
+ private boolean matches(final String p, final AccountExternalId id) {
+ if (p.startsWith("^") && p.endsWith("$")) {
+ return id.getExternalId().matches(p);
+
+ } else {
+ return id.getExternalId().startsWith(p);
+ }
+ }
}
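Review bot: `matches` calls `id.getExternalId().matches(p)` for every regex-shaped entry, which recompiles the pattern on each trust check against a user-supplied external ID, and a malformed administrator regex only surfaces as a `PatternSyntaxException` at that moment — on a request path, after the server has started cleanly with the bad value. Since the list is fixed at construction, I would compile each `^…$` entry once (a `java.util.regex.Pattern[]` kept alongside `trusted` and filled where `toTrusted` is called) and use `pattern.matcher(id.getExternalId()).matches()` here, so a bad entry fails injector creation at startup instead; at minimum, `Pattern.compile(p)` each regex entry in the constructor to get the fail-fast behaviour without changing this method. The enclosing `isTrusted` method, whose loop this hunk rewrites, starts outside the hunk.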
diff --git a/src/main/java/com/google/gerrit/server/config/GerritGlobalModule.java b/src/main/java/com/google/gerrit/server/config/GerritGlobalModule.java
index 58571238a7..855970fc34 100644
--- a/src/main/java/com/google/gerrit/server/config/GerritGlobalModule.java
+++ b/src/main/java/com/google/gerrit/server/config/GerritGlobalModule.java
@@ -17,7 +17,6 @@ package com.google.gerrit.server.config;
import static com.google.inject.Scopes.SINGLETON;
import com.google.gerrit.client.reviewdb.Project;
-import com.google.gerrit.client.reviewdb.TrustedExternalId;
import com.google.gerrit.git.ChangeMergeQueue;
import com.google.gerrit.git.MergeOp;
import com.google.gerrit.git.MergeQueue;
@@ -54,14 +53,12 @@ import com.google.gerrit.server.patch.PatchSetInfoFactory;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gerrit.server.ssh.SshKeyCache;
import com.google.gerrit.server.workflow.FunctionState;
-import com.google.inject.TypeLiteral;
import net.sf.ehcache.CacheManager;
import org.spearce.jgit.lib.Config;
import java.io.File;
-import java.util.Collection;
/** Starts global state with standard dependencies. */
public class GerritGlobalModule extends FactoryModule {
@@ -76,8 +73,6 @@ public class GerritGlobalModule extends FactoryModule {
bind(AuthConfig.class).in(SINGLETON);
bind(EmailExpander.class).toProvider(EmailExpanderProvider.class).in(
SINGLETON);
- bind(new TypeLiteral<Collection<TrustedExternalId>>() {}).toProvider(
- TrustedExternalIdsProvider.class).in(SINGLETON);
bind(AnonymousUser.class);
// Note that the CanonicalWebUrl itself must not be a singleton, but its
diff --git a/src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java b/src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java
index 1fa2984015..628f1143f6 100644
--- a/src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java
+++ b/src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java
@@ -22,7 +22,6 @@ import com.google.gerrit.client.reviewdb.ProjectRight;
import com.google.gerrit.client.reviewdb.ReviewDb;
import com.google.gerrit.client.reviewdb.SchemaVersion;
import com.google.gerrit.client.reviewdb.SystemConfig;
-import com.google.gerrit.client.reviewdb.TrustedExternalId;
import com.google.gerrit.server.workflow.NoOpFunction;
import com.google.gerrit.server.workflow.SubmitFunction;
import com.google.gwtjsonrpc.server.SignedToken;
@@ -109,7 +108,6 @@ class SystemConfigProvider implements Provider<SystemConfig> {
db.schemaVersion().insert(Collections.singleton(sVer));
final SystemConfig sConfig = initSystemConfig(db);
- initTrustedExternalIds(db);
initOwnerCategory(db);
initReadCategory(db, sConfig);
initVerifiedCategory(db);
@@ -169,21 +167,6 @@ class SystemConfigProvider implements Provider<SystemConfig> {
return s;
}
- private void initTrustedExternalIds(final ReviewDb c) throws OrmException {
- // By default with OpenID trust any http:// or https:// provider
- //
- initTrustedExternalId(c, "http://");
- initTrustedExternalId(c, "https://");
- initTrustedExternalId(c, "https://www.google.com/accounts/o8/id?id=");
- }
-
- private void initTrustedExternalId(final ReviewDb c, final String re)
- throws OrmException {
- c.trustedExternalIds().insert(
- Collections.singleton(new TrustedExternalId(new TrustedExternalId.Key(
- re))));
- }
-
private void initWildCardProject(final ReviewDb c) throws OrmException {
final Project p;
diff --git a/src/main/java/com/google/gerrit/server/config/TrustedExternalIdsProvider.java b/src/main/java/com/google/gerrit/server/config/TrustedExternalIdsProvider.java
deleted file mode 100644
index 016b211164..0000000000
--- a/src/main/java/com/google/gerrit/server/config/TrustedExternalIdsProvider.java
+++ /dev/null
@@ -1,44 +0,0 @@
-package com.google.gerrit.server.config;
-
-import com.google.gerrit.client.reviewdb.ReviewDb;
-import com.google.gerrit.client.reviewdb.SystemConfig;
-import com.google.gerrit.client.reviewdb.TrustedExternalId;
-import com.google.gwtorm.client.OrmException;
-import com.google.gwtorm.client.SchemaFactory;
-import com.google.inject.Inject;
-import com.google.inject.Provider;
-import com.google.inject.ProvisionException;
-
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-
-class TrustedExternalIdsProvider implements Provider<Collection<TrustedExternalId>> {
- private final SchemaFactory<ReviewDb> schema;
-
- @Inject
- TrustedExternalIdsProvider(final SchemaFactory<ReviewDb> schema,
- /*
- * Unused, but we need to force it to load before we do, otherwise we risk
- * reading an empty database without the wild project being in the database.
- * Asking for it should ensures Guice loads it first.
- */
- final SystemConfig config) {
- this.schema = schema;
- }
-
- public Collection<TrustedExternalId> get() {
- final List<TrustedExternalId> l;
- try {
- final ReviewDb db = schema.open();
- try {
- l = db.trustedExternalIds().all().toList();
- } finally {
- db.close();
- }
- } catch (OrmException e) {
- throw new ProvisionException("Cannot load TrustedExternalIds", e);
- }
- return Collections.unmodifiableList(l);
- }
-}
diff --git a/src/main/webapp/WEB-INF/sql/upgrade015_016_part2.sql b/src/main/webapp/WEB-INF/sql/upgrade015_016_part2.sql
index b58a4e289a..21fdc9cfe0 100644
--- a/src/main/webapp/WEB-INF/sql/upgrade015_016_part2.sql
+++ b/src/main/webapp/WEB-INF/sql/upgrade015_016_part2.sql
@@ -1 +1,2 @@
DROP TABLE patch_set_info;
+DROP TABLE trusted_external_ids;
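Review bot: The upgrade drops `trusted_external_ids` without carrying its rows over to `auth.trustedOpenID`, so a site that had narrowed trust (the previous config-sso.txt told administrators to delete the `http://` and `https://` rows to trust only Google Accounts) silently falls back to the code default of trusting every OpenID provider, and every OpenID account regains its full group membership after the upgrade. Since the SQL script cannot write `gerrit.config`, the schema upgrade should at least preserve the old rows for the administrator — for example a dialect-appropriate rename such as `ALTER TABLE trusted_external_ids RENAME TO trusted_external_ids_old;` instead of the `DROP TABLE` — and the release notes should tell administrators to copy any custom patterns into `auth.trustedOpenID` before the upgraded server is started. A one-line comment above the statement, `-- Patterns formerly stored here now live in gerrit.config auth.trustedOpenID; the code default trusts all providers.`, would also make the consequence visible to whoever reads the script.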