Factor out Contributor Agreements from ProjectControl

This commit factors out the check for valid CLAs from ProjectControl.
CLAs will continue to exist separate of permission backend as the fact
if a user has signed a CLA has nothing to do with permissions per-se.

This refactoring also removes the callers of
ProjectControl#canPushToAtLeastOneRef() which will be removed in a
follow-up change when the last caller was migrated.

Change-Id: Ib3f0849f9fbb720fee2cbc422127f7769a45a20f

gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ChangeProjectAccess.java

@@ -25,6 +25,7 @@ import com.google.gerrit.server.extensions.events.GitReferenceUpdated;
 import com.google.gerrit.server.git.MetaDataUpdate;
 import com.google.gerrit.server.git.ProjectConfig;
 import com.google.gerrit.server.permissions.PermissionBackendException;
+import com.google.gerrit.server.project.ContributorAgreementsChecker;
 import com.google.gerrit.server.project.NoSuchProjectException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectControl;
@@ -62,6 +63,7 @@ class ChangeProjectAccess extends ProjectAccessHandler<ProjectAccess> {
       AllProjectsName allProjects,
       Provider<SetParent> setParent,
       GitReferenceUpdated gitRefUpdated,
+      ContributorAgreementsChecker contributorAgreements,
       @Assisted("projectName") Project.NameKey projectName,
       @Nullable @Assisted ObjectId base,
       @Assisted List<AccessSection> sectionList,
@@ -78,6 +80,7 @@ class ChangeProjectAccess extends ProjectAccessHandler<ProjectAccess> {
         sectionList,
         parentProjectName,
         message,
+        contributorAgreements,
         true);
     this.projectAccessFactory = projectAccessFactory;
     this.projectCache = projectCache;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ProjectAccessHandler.java

@@ -18,7 +18,6 @@ import static com.google.gerrit.common.ProjectAccessUtil.mergeSections;
 
 import com.google.common.base.MoreObjects;
 import com.google.gerrit.common.data.AccessSection;
-import com.google.gerrit.common.data.Capable;
 import com.google.gerrit.common.data.GroupReference;
 import com.google.gerrit.common.data.Permission;
 import com.google.gerrit.common.data.PermissionRule;
@@ -37,6 +36,7 @@ import com.google.gerrit.server.config.AllProjectsName;
 import com.google.gerrit.server.git.MetaDataUpdate;
 import com.google.gerrit.server.git.ProjectConfig;
 import com.google.gerrit.server.permissions.PermissionBackendException;
+import com.google.gerrit.server.project.ContributorAgreementsChecker;
 import com.google.gerrit.server.project.NoSuchProjectException;
 import com.google.gerrit.server.project.ProjectControl;
 import com.google.gerrit.server.project.RefPattern;
@@ -58,6 +58,7 @@ public abstract class ProjectAccessHandler<T> extends Handler<T> {
   private final MetaDataUpdate.User metaDataUpdateFactory;
   private final AllProjectsName allProjects;
   private final Provider<SetParent> setParent;
+  private final ContributorAgreementsChecker contributorAgreements;
 
   protected final Project.NameKey projectName;
   protected final ObjectId base;
@@ -77,6 +78,7 @@ public abstract class ProjectAccessHandler<T> extends Handler<T> {
       List<AccessSection> sectionList,
       Project.NameKey parentProjectName,
       String message,
+      ContributorAgreementsChecker contributorAgreements,
       boolean checkIfOwner) {
     this.projectControlFactory = projectControlFactory;
     this.groupBackend = groupBackend;
@@ -89,6 +91,7 @@ public abstract class ProjectAccessHandler<T> extends Handler<T> {
     this.sectionList = sectionList;
     this.parentProjectName = parentProjectName;
     this.message = message;
+    this.contributorAgreements = contributorAgreements;
     this.checkIfOwner = checkIfOwner;
   }
 
@@ -99,9 +102,10 @@ public abstract class ProjectAccessHandler<T> extends Handler<T> {
           PermissionDeniedException, PermissionBackendException {
     final ProjectControl projectControl = projectControlFactory.controlFor(projectName);
 
-    Capable r = projectControl.canPushToAtLeastOneRef();
-    if (r != Capable.OK) {
-      throw new PermissionDeniedException(r.getMessage());
+    try {
+      contributorAgreements.check(projectName, projectControl.getUser());
+    } catch (AuthException e) {
+      throw new PermissionDeniedException(e.getMessage());
     }
 
     try (MetaDataUpdate md = metaDataUpdateFactory.create(projectName)) {

gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java

@@ -43,6 +43,7 @@ import com.google.gerrit.server.group.SystemGroupBackend;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.permissions.RefPermission;
+import com.google.gerrit.server.project.ContributorAgreementsChecker;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectControl;
 import com.google.gerrit.server.project.SetParent;
@@ -94,6 +95,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
       BatchUpdate.Factory updateFactory,
       Provider<SetParent> setParent,
       Sequences seq,
+      ContributorAgreementsChecker contributorAgreements,
       @Assisted("projectName") Project.NameKey projectName,
       @Nullable @Assisted ObjectId base,
       @Assisted List<AccessSection> sectionList,
@@ -110,6 +112,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
         sectionList,
         parentProjectName,
         message,
+        contributorAgreements,
         false);
     this.db = db;
     this.permissionBackend = permissionBackend;