authorShawn O. Pearce <sop@google.com>2010-02-24 09:54:11 -0800
committerShawn O. Pearce <sop@google.com>2010-02-24 09:54:14 -0800
commitf50c194cc2972ea9b436be24b48183211ac79f8b (patch)
treec05ec29671ea878bbf724296d391b6a99618b661
parenteb2d4caa7c4cace44d831a6eb9246ad1c001d57b (diff)
Add Forge Identity +3 to permit pushing filtered history
If a project's history has been rewritten using git filter-branch it may need to be force pushed back into the branch. Normally this is rejected if the history contains merge commits authored by this Gerrit Code Review server, as the server is trying to prevent the common case of an innocent user amending a merge commit to add new code, rather than making a brand new commit. Enable Forge Identity +3 to work around this check, by permitting the end user to forge the server's own identity on commit objects. Change-Id: I84cbf750b209563e93ab0b35a9e1bc1743497172 Signed-off-by: Shawn O. Pearce <sop@google.com>
-rw-r--r--Documentation/access-control.txt9
-rw-r--r--gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/ApprovalCategory.java1
-rw-r--r--gerrit-server/src/main/java/com/google/gerrit/server/git/ReceiveCommits.java3
-rw-r--r--gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java6
-rw-r--r--gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaCreator.java2
-rw-r--r--gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaVersion.java2
-rw-r--r--gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_30.java40
7 files changed, 61 insertions, 2 deletions
diff --git a/Documentation/access-control.txt b/Documentation/access-control.txt
index 931ca3f953..d6592c4ee1 100644
--- a/Documentation/access-control.txt
+++ b/Documentation/access-control.txt
@@ -352,6 +352,15 @@ unverified committer line in commit objects, or an unverified tagger
line in annotated tag objects. Typically this is only required
when mirroring commits from an upstream project repository.
+* +3 Forge Gerrit Code Review Server Identity
++
+Implies 'Forge Committer or Tagger Identity' as well as 'Forge
+Author Identity', but additionally allows the use of the server's
+own name and email on the committer line of a new commit object.
+This should only be necessary when force pushing a commit history
+which has been rewritten by 'git filter-branch' and that contains
+merge commits previously created by this Gerrit Code Review server.
+
[[category_VRIF]]
Verified
~~~~~~~~
diff --git a/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/ApprovalCategory.java b/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/ApprovalCategory.java
index 03b0029f72..5a006e7984 100644
--- a/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/ApprovalCategory.java
+++ b/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/ApprovalCategory.java
@@ -49,6 +49,7 @@ public final class ApprovalCategory {
new ApprovalCategory.Id("FORG");
public static final short FORGE_AUTHOR = 1;
public static final short FORGE_COMMITTER = 2;
+ public static final short FORGE_SERVER = 3;
public static class Id extends StringKey<Key<?>> {
private static final long serialVersionUID = 1L;
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/git/ReceiveCommits.java b/gerrit-server/src/main/java/com/google/gerrit/server/git/ReceiveCommits.java
index 14e0481c72..a01582ca23 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/git/ReceiveCommits.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/git/ReceiveCommits.java
@@ -1279,7 +1279,8 @@ public class ReceiveCommits implements PreReceiveHook, PostReceiveHook {
//
if (c.getParentCount() > 1
&& author.getName().equals(gerritIdent.getName())
- && author.getEmailAddress().equals(gerritIdent.getEmailAddress())) {
+ && author.getEmailAddress().equals(gerritIdent.getEmailAddress())
+ && !ctl.canForgeGerritServerIdentity()) {
reject(cmd, "do not amend merges not made by you");
return false;
}
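Review bot: The new `!ctl.canForgeGerritServerIdentity()` clause relaxes a check that compares `author` with `gerritIdent`, while the javadoc added in RefControl and the access-control.txt text in this commit both describe the right as covering the committer line. `author` is assigned outside this hunk, so which ident it holds is not visible here; if it is the author ident, either the documentation should say "author" or the condition should test the committer, and the comment above the `if` should state which one is meant. Since this is the only place shown where the +3 right changes behaviour, a log entry when the exemption is taken (user, ref and commit) would give administrators a record of who pushed merge commits carrying the server's identity.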
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
index efc1e364ed..b9ff895625 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
@@ -17,6 +17,7 @@ package com.google.gerrit.server.project;
import static com.google.gerrit.reviewdb.ApprovalCategory.FORGE_AUTHOR;
import static com.google.gerrit.reviewdb.ApprovalCategory.FORGE_COMMITTER;
import static com.google.gerrit.reviewdb.ApprovalCategory.FORGE_IDENTITY;
+import static com.google.gerrit.reviewdb.ApprovalCategory.FORGE_SERVER;
import static com.google.gerrit.reviewdb.ApprovalCategory.OWN;
import static com.google.gerrit.reviewdb.ApprovalCategory.PUSH_HEAD;
import static com.google.gerrit.reviewdb.ApprovalCategory.PUSH_HEAD_CREATE;
@@ -206,6 +207,11 @@ public class RefControl {
return canForgeCommitter;
}
+ /** @return true if this user can forge the server on the committer line. */
+ public boolean canForgeGerritServerIdentity() {
+ return canPerform(FORGE_IDENTITY, FORGE_SERVER);
+ }
+
private boolean canPerform(ApprovalCategory.Id actionId, short level) {
final Set<AccountGroup.Id> groups = getCurrentUser().getEffectiveGroups();
int val = Integer.MIN_VALUE;
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaCreator.java b/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaCreator.java
index 309d8fad4e..fc813b506d 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaCreator.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaCreator.java
@@ -320,6 +320,8 @@ public class SchemaCreator {
"Forge Author Identity"));
values.add(value(cat, ApprovalCategory.FORGE_COMMITTER,
"Forge Committer or Tagger Identity"));
+ values.add(value(cat, ApprovalCategory.FORGE_SERVER,
+ "Forge Gerrit Code Review Server Identity"));
c.approvalCategories().insert(Collections.singleton(cat));
c.approvalCategoryValues().insert(values);
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaVersion.java b/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaVersion.java
index 2c26104025..0ca68624e4 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaVersion.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaVersion.java
@@ -32,7 +32,7 @@ import java.util.List;
/** A version of the database schema. */
public abstract class SchemaVersion {
/** The current schema version. */
- private static final Class<? extends SchemaVersion> C = Schema_29.class;
+ private static final Class<? extends SchemaVersion> C = Schema_30.class;
public static class Module extends AbstractModule {
@Override
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_30.java b/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_30.java
new file mode 100644
index 0000000000..f302856896
--- /dev/null
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_30.java
@@ -0,0 +1,40 @@
+// Copyright (C) 2010 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.server.schema;
+
+import com.google.gerrit.reviewdb.ApprovalCategory;
+import com.google.gerrit.reviewdb.ApprovalCategoryValue;
+import com.google.gerrit.reviewdb.ReviewDb;
+import com.google.gwtorm.client.OrmException;
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+
+import java.util.Collections;
+
+class Schema_30 extends SchemaVersion {
+ @Inject
+ Schema_30(Provider<Schema_29> prior) {
+ super(prior);
+ }
+
+ @Override
+ protected void migrateData(ReviewDb db) throws OrmException {
+ db.approvalCategoryValues().insert(
+ Collections.singleton(new ApprovalCategoryValue(
+ new ApprovalCategoryValue.Id(ApprovalCategory.FORGE_IDENTITY,
+ ApprovalCategory.FORGE_SERVER),
+ "Forge Gerrit Code Review Server Identity")));
+ }
+}
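Review bot: `Schema_30` has no class comment, so a reader has to decode the nested constructor calls in `migrateData` to learn what the upgrade does. I would add `/** Adds the +3 "Forge Gerrit Code Review Server Identity" value to the Forge Identity category; this migration grants the right to no one. */` above the class, which matches what the body shows: a single insert into `approvalCategoryValues()` and nothing else. The insert also assumes no value with the key (FORGE_IDENTITY, FORGE_SERVER) exists yet; whether one can exist depends on code and data outside this hunk, so a one-line comment recording that assumption would be enough.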