Merge branch 'stable-2.14'

* stable-2.14:
  AuthConfig: Disallow invalid combination of auth.type and auth.gitBasicAuthPolicy
  Fix documentation of auth.gitBasicAuthPolicy and add Javadoc
  Clarify HTTP_LDAP and CLIENT_SSL_CERT_LDAP

Change-Id: I4994d52ad98dfe1ed0c1b08da85a863ce8e6c5b7
David Pursehouse 2017-08-29 08:16:03 +09:00
commit 4908e9c427
4 changed files with 38 additions and 11 deletions


@ -180,7 +180,9 @@ Exactly like `HTTP` (above), but additionally Gerrit pre-populates
a user's full name and email address based on information obtained
from the user's account object in LDAP. The user's group membership
is also pulled from LDAP, making any LDAP groups that a user is a
member of available as groups in Gerrit.
member of available as groups in Gerrit. Hence the `_LDAP` suffix in
the name of this authentication type. Gerrit does NOT authenticate
the user via LDAP.
+
* `CLIENT_SSL_CERT_LDAP`
+
@ -191,7 +193,8 @@ certificate of the trust chain used to issue the client's certificate
into the <review-site>/etc/keystore.
After the authentication is done Gerrit will obtain basic user
registration (name and email) from LDAP, and some group memberships.
Therefore, the "_LDAP" suffix in the name of this authentication type.
Hence the `_LDAP` suffix in the name of this authentication type.
Gerrit does NOT authenticate the user via LDAP.
This authentication type can only be used under hosted daemon mode, and
the httpd.listenUrl must use https:// as the protocol.
Optionally, certificate revocation list file can be used
@ -540,15 +543,14 @@ By default this is set to false.
[[auth.gitBasicAuthPolicy]]auth.gitBasicAuthPolicy::
+
When `auth.type` is `LDAP` or `OAUTH`, it allows using either the generated
When `auth.type` is `LDAP`, `LDAP_BIND` or `OAUTH`, it allows using either the generated
HTTP password, the LDAP or OAUTH password, or a combination of HTTP and LDAP
authentication, to authenticate Git over HTTP and REST API requests.
The supported values are:
+
*`HTTP`
+
Only the randomly generated HTTP password is accepted when doing Git over HTTP
and REST API requests.
Only the HTTP password is accepted when doing Git over HTTP and REST API requests.
+
*`LDAP`
+
@ -557,7 +559,7 @@ requests.
+
*`OAUTH`
+
Only the `OAUTH` password is allowed when doing Git over HTTP and REST API
Only the `OAUTH` authentication is allowed when doing Git over HTTP and REST API
requests.
+
*`HTTP_LDAP`


@ -32,14 +32,17 @@ public enum AuthType {
HTTP,
/**
* Login relies upon the container/web server security, but also uses LDAP.
* Login relies upon the container/web server security.
*
* <p>Like {@link #HTTP}, the container or web server must populate an HTTP header with a unique
* name for the current user. Gerrit will implicitly trust the value of this header to supply the
* unique identity.
*
* <p>In addition to trusting the HTTP headers, Gerrit will obtain basic user registration (name
* and email) from LDAP, and some group memberships.
* <p>After the authentication is done Gerrit will obtain basic user registration (name and
* email), and some group memberships, from LDP. Hence the "_LDAP" suffix in the name of this
* authentication type.
*
* <p>Gerrit will NOT authenticate the user via LDAP.
*/
HTTP_LDAP,
@ -51,9 +54,11 @@ public enum AuthType {
* to import the root certificate of the trust chain used to issue the client's certificate into
* the &lt;review-site&gt;/etc/keystore.
*
* <p>After the authentication is done Gerrit will obtain basic user registration (name and email)
* from LDAP, and some group memberships. Therefore, the "_LDAP" suffix in the name of this
* <p>After the authentication is done Gerrit will obtain basic user registration (name and
* email), and some group memberships, from LDP. Hence the "_LDAP" suffix in the name of this
* authentication type.
*
* <p>Gerrit will NOT authenticate the user via LDAP.
*/
CLIENT_SSL_CERT_LDAP,
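Review bot: The new Javadoc on HTTP_LDAP and CLIENT_SSL_CERT_LDAP says registration data comes "from LDP", which is a typo for LDAP and contradicts the very next sentence that explains the "_LDAP" suffix; the same line appears in both hunks of this file. Replace it in both places with `* email), and some group memberships, from LDAP. Hence the "_LDAP" suffix in the name of this`. Since this file is the programmatic description of what each auth type trusts, getting the directory name right matters for anyone auditing which source an identity and its group memberships are derived from.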


@ -15,8 +15,18 @@
package com.google.gerrit.extensions.client;
public enum GitBasicAuthPolicy {
/** Only the HTTP password is accepted when doing Git over HTTP and REST API requests. */
HTTP,
/** Only the LDAP password is allowed when doing Git over HTTP and REST API requests. */
LDAP,
/**
* The password in the request is first checked against the HTTP password and, if it does not
* match, it is then validated against the LDAP password.
*/
HTTP_LDAP,
/** Only the `OAUTH` authentication is allowed when doing Git over HTTP and REST API requests. */
OAUTH
}
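Review bot: The Javadoc added for OAUTH uses AsciiDoc backticks around `OAUTH`, which Javadoc renders literally rather than as code; the other three constants in this enum use plain text, so this one is inconsistent as well. Change it to `/** Only the {@code OAUTH} authentication is allowed when doing Git over HTTP and REST API requests. */`. It may also be worth stating on HTTP_LDAP and OAUTH that the combination is only valid for certain auth.type values, since the accompanying AuthConfig change rejects other combinations at startup; I cannot see from this file alone whether that restriction is documented elsewhere.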


@ -96,6 +96,16 @@ public class AuthConfig {
userNameToLowerCase = cfg.getBoolean("auth", "userNameToLowerCase", false);
allowRegisterNewEmail = cfg.getBoolean("auth", "allowRegisterNewEmail", true);
if (gitBasicAuthPolicy == GitBasicAuthPolicy.HTTP_LDAP
&& authType != AuthType.LDAP
&& authType != AuthType.LDAP_BIND) {
throw new IllegalStateException(
"use auth.gitBasicAuthPolicy HTTP_LDAP only with auth.type LDAP or LDAP_BIND");
} else if (gitBasicAuthPolicy == GitBasicAuthPolicy.OAUTH && authType != AuthType.OAUTH) {
throw new IllegalStateException(
"use auth.gitBasicAuthPolicy OAUTH only with auth.type OAUTH");
}
String key = cfg.getString("auth", null, "registerEmailPrivateKey");
if (key != null && !key.isEmpty()) {
int age =
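Review bot: The new validation rejects HTTP_LDAP without an LDAP auth type and OAUTH without auth.type OAUTH, but it does not reject gitBasicAuthPolicy LDAP when auth.type is neither LDAP nor LDAP_BIND, even though the documentation updated in this same commit limits the option to those types and describes LDAP as "only the LDAP password is allowed". If the LDAP policy has no meaning under, say, OAUTH or OPENID (I cannot see how the policy value is resolved from here, so this is inferred), an explicit misconfiguration currently passes startup and the resulting behaviour is whatever the login path does with an unexpected policy, which is the kind of silent fall-through these checks are meant to prevent. Adding a third branch with the same shape would make the policy table fail closed consistently. The enclosing AuthConfig constructor starts and ends outside this hunk.
```java
// … unchanged: HTTP_LDAP check …
} else if (gitBasicAuthPolicy == GitBasicAuthPolicy.LDAP
    && authType != AuthType.LDAP
    && authType != AuthType.LDAP_BIND) {
  throw new IllegalStateException(
      "use auth.gitBasicAuthPolicy LDAP only with auth.type LDAP or LDAP_BIND");
} else if (gitBasicAuthPolicy == GitBasicAuthPolicy.OAUTH && authType != AuthType.OAUTH) {
// … unchanged: OAUTH check …
```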