Authenticate /p/ HTTP and SSH access by password

Use HTTP digest authentication to verify user access to any of
the /p/ URLs which do not permit anonymous requests.

The SSH daemon now also honors the user's password.

Change-Id: I6f8775077b3ee8fcb66a2d07c225f668afa0d530
Signed-off-by: Shawn O. Pearce <sop@google.com>

gerrit-server/src/main/java/com/google/gerrit/server/account/AccountCache.java

@@ -20,5 +20,9 @@ import com.google.gerrit.reviewdb.Account;
 public interface AccountCache {
   public AccountState get(Account.Id accountId);
 
+  public AccountState getByUsername(String username);
+
   public void evict(Account.Id accountId);
+
+  public void evictByUsername(String username);
 }

gerrit-server/src/main/java/com/google/gerrit/server/account/AccountCacheImpl.java

@@ -45,8 +45,8 @@ public class AccountCacheImpl implements AccountCache {
     return new CacheModule() {
       @Override
       protected void configure() {
-        final TypeLiteral<Cache<Account.Id, AccountState>> type =
-            new TypeLiteral<Cache<Account.Id, AccountState>>() {};
+        final TypeLiteral<Cache<Object, AccountState>> type =
+            new TypeLiteral<Cache<Object, AccountState>>() {};
         core(type, CACHE_NAME);
         bind(AccountCacheImpl.class);
         bind(AccountCache.class).to(AccountCacheImpl.class);
@@ -56,7 +56,8 @@ public class AccountCacheImpl implements AccountCache {
 
   private final SchemaFactory<ReviewDb> schema;
   private final GroupCache groupCache;
-  private final SelfPopulatingCache<Account.Id, AccountState> self;
+  private final SelfPopulatingCache<Account.Id, AccountState> byId;
+  private final SelfPopulatingCache<String, Account.Id> byName;
 
   private final Set<AccountGroup.Id> registered;
   private final Set<AccountGroup.Id> anonymous;
@@ -64,13 +65,13 @@ public class AccountCacheImpl implements AccountCache {
   @Inject
   AccountCacheImpl(final SchemaFactory<ReviewDb> sf, final AuthConfig auth,
       final GroupCache groupCache,
-      @Named(CACHE_NAME) final Cache<Account.Id, AccountState> rawCache) {
+      @Named(CACHE_NAME) final Cache<Object, AccountState> rawCache) {
     schema = sf;
     registered = auth.getRegisteredGroups();
     anonymous = auth.getAnonymousGroups();
     this.groupCache = groupCache;
 
-    self = new SelfPopulatingCache<Account.Id, AccountState>(rawCache) {
+    byId = new SelfPopulatingCache<Account.Id, AccountState>((Cache) rawCache) {
       @Override
       protected AccountState createEntry(Account.Id key) throws Exception {
         return lookup(key);
@@ -81,44 +82,72 @@ public class AccountCacheImpl implements AccountCache {
         return missingAccount(key);
       }
     };
+
+    byName = new SelfPopulatingCache<String, Account.Id>((Cache) rawCache) {
+      @Override
+      protected Account.Id createEntry(String username) throws Exception {
+        return lookup(username);
+      }
+    };
   }
 
   private AccountState lookup(final Account.Id who) throws OrmException {
     final ReviewDb db = schema.open();
     try {
-      final Account account = db.accounts().get(who);
-      if (account == null) {
-        // Account no longer exists? They are anonymous.
-        //
-        return missingAccount(who);
+      final AccountState state = load(db, who);
+      if (state.getUserName() != null) {
+        byName.put(state.getUserName(), state.getAccount().getId());
       }
-
-      final Collection<AccountExternalId> externalIds =
-          Collections.unmodifiableCollection(db.accountExternalIds().byAccount(
-              who).toList());
-
-      Set<AccountGroup.Id> internalGroups = new HashSet<AccountGroup.Id>();
-      for (AccountGroupMember g : db.accountGroupMembers().byAccount(who)) {
-        final AccountGroup.Id groupId = g.getAccountGroupId();
-        final AccountGroup group = groupCache.get(groupId);
-        if (group != null && group.getType() == AccountGroup.Type.INTERNAL) {
-          internalGroups.add(groupId);
-        }
-      }
-
-      if (internalGroups.isEmpty()) {
-        internalGroups = registered;
-      } else {
-        internalGroups.addAll(registered);
-        internalGroups = Collections.unmodifiableSet(internalGroups);
-      }
-
-      return new AccountState(account, internalGroups, externalIds);
+      return state;
     } finally {
       db.close();
     }
   }
 
+  private Account.Id lookup(final String username) throws OrmException {
+    final ReviewDb db = schema.open();
+    try {
+      final AccountExternalId.Key key =
+          new AccountExternalId.Key(AccountExternalId.SCHEME_USERNAME, username);
+      final AccountExternalId id = db.accountExternalIds().get(key);
+      return id != null ? id.getAccountId() : null;
+    } finally {
+      db.close();
+    }
+  }
+
+  private AccountState load(final ReviewDb db, final Account.Id who)
+      throws OrmException {
+    final Account account = db.accounts().get(who);
+    if (account == null) {
+      // Account no longer exists? They are anonymous.
+      //
+      return missingAccount(who);
+    }
+
+    final Collection<AccountExternalId> externalIds =
+        Collections.unmodifiableCollection(db.accountExternalIds().byAccount(
+            who).toList());
+
+    Set<AccountGroup.Id> internalGroups = new HashSet<AccountGroup.Id>();
+    for (AccountGroupMember g : db.accountGroupMembers().byAccount(who)) {
+      final AccountGroup.Id groupId = g.getAccountGroupId();
+      final AccountGroup group = groupCache.get(groupId);
+      if (group != null && group.getType() == AccountGroup.Type.INTERNAL) {
+        internalGroups.add(groupId);
+      }
+    }
+
+    if (internalGroups.isEmpty()) {
+      internalGroups = registered;
+    } else {
+      internalGroups.addAll(registered);
+      internalGroups = Collections.unmodifiableSet(internalGroups);
+    }
+
+    return new AccountState(account, internalGroups, externalIds);
+  }
+
   private AccountState missingAccount(final Account.Id accountId) {
     final Account account = new Account(accountId);
     final Collection<AccountExternalId> ids = Collections.emptySet();
@@ -126,10 +155,20 @@ public class AccountCacheImpl implements AccountCache {
   }
 
   public AccountState get(final Account.Id accountId) {
-    return self.get(accountId);
+    return byId.get(accountId);
+  }
+
+  @Override
+  public AccountState getByUsername(String username) {
+    Account.Id id = byName.get(username);
+    return id != null ? get(id) : null;
   }
 
   public void evict(final Account.Id accountId) {
-    self.remove(accountId);
+    byId.remove(accountId);
+  }
+
+  public void evictByUsername(String username) {
+    byName.remove(username);
   }
 }

gerrit-server/src/main/java/com/google/gerrit/server/account/AccountState.java

@@ -53,6 +53,17 @@ public class AccountState {
     return account.getUserName();
   }
 
+  /** @return the password matching the requested username; or null. */
+  public String getPassword(String username) {
+    for (AccountExternalId id : getExternalIds()) {
+      if (id.isScheme(AccountExternalId.SCHEME_USERNAME)
+          && username.equals(id.getSchemeRest())) {
+        return id.getPassword();
+      }
+    }
+    return null;
+  }
+
   /**
    * All email addresses registered to this account.
    * <p>

gerrit-server/src/main/java/com/google/gerrit/server/account/ChangeUserName.java

@@ -127,9 +127,11 @@ public class ChangeUserName implements Callable<VoidResult> {
     db.accountExternalIds().delete(old);
     for (AccountExternalId i : old) {
       sshKeyCache.evict(i.getSchemeRest());
+      accountCache.evictByUsername(i.getSchemeRest());
     }
 
     accountCache.evict(user.getAccountId());
+    accountCache.evictByUsername(newUsername);
     sshKeyCache.evict(newUsername);
     return VoidResult.INSTANCE;
   }