Verify labels in Prolog using PermissionBackend

user_label_range/4 needs to compute the min and max values, so this
predicate uses test(LabelType) to determine the set of allowed values
and picks the min and max.

The new check_user_label/3 takes a specific value and uses the
backend's check method to assert the label can be set to that value.
This improves logic at submit time to use check just before the change
is submitted to the destination branch.

Change-Id: Ia29f16ffc50712ed1b57ec964b9e7930b35a5673

gerrit-server/src/main/java/com/google/gerrit/rules/PrologEnvironment.java

@@ -20,6 +20,7 @@ import com.google.gerrit.server.config.GerritServerConfig;
 import com.google.gerrit.server.git.GitRepositoryManager;
 import com.google.gerrit.server.patch.PatchListCache;
 import com.google.gerrit.server.patch.PatchSetInfoFactory;
+import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -166,6 +167,7 @@ public class PrologEnvironment extends BufferingPrologControl {
     }
 
     private final ProjectCache projectCache;
+    private final PermissionBackend permissionBackend;
     private final GitRepositoryManager repositoryManager;
     private final PatchListCache patchListCache;
     private final PatchSetInfoFactory patchSetInfoFactory;
@@ -177,6 +179,7 @@ public class PrologEnvironment extends BufferingPrologControl {
     @Inject
     Args(
         ProjectCache projectCache,
+        PermissionBackend permissionBackend,
         GitRepositoryManager repositoryManager,
         PatchListCache patchListCache,
         PatchSetInfoFactory patchSetInfoFactory,
@@ -184,6 +187,7 @@ public class PrologEnvironment extends BufferingPrologControl {
         Provider<AnonymousUser> anonymousUser,
         @GerritServerConfig Config config) {
       this.projectCache = projectCache;
+      this.permissionBackend = permissionBackend;
       this.repositoryManager = repositoryManager;
       this.patchListCache = patchListCache;
       this.patchSetInfoFactory = patchSetInfoFactory;
@@ -213,6 +217,10 @@ public class PrologEnvironment extends BufferingPrologControl {
       return projectCache;
     }
 
+    public PermissionBackend getPermissionBackend() {
+      return permissionBackend;
+    }
+
     public GitRepositoryManager getGitRepositoryManager() {
       return repositoryManager;
     }

gerrit-server/src/main/java/com/google/gerrit/rules/StoredValues.java

@@ -33,6 +33,7 @@ import com.google.gerrit.server.patch.PatchListKey;
 import com.google.gerrit.server.patch.PatchListNotAvailableException;
 import com.google.gerrit.server.patch.PatchSetInfoFactory;
 import com.google.gerrit.server.patch.PatchSetInfoNotAvailableException;
+import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.project.ChangeControl;
 import com.google.gerrit.server.query.change.ChangeData;
 import com.google.gwtorm.server.OrmException;
@@ -130,6 +131,15 @@ public final class StoredValues {
         }
       };
 
+  public static final StoredValue<PermissionBackend> PERMISSION_BACKEND =
+      new StoredValue<PermissionBackend>() {
+        @Override
+        protected PermissionBackend createValue(Prolog engine) {
+          PrologEnvironment env = (PrologEnvironment) engine.control;
+          return env.getArgs().getPermissionBackend();
+        }
+      };
+
   public static final StoredValue<AnonymousUser> ANONYMOUS_USER =
       new StoredValue<AnonymousUser>() {
         @Override