Reintroduce Git/REST HTTP password with OAUTH

Since the merge of I26f5bcd784 the ability to use OAUTH for WebUX and
Gerrit HTTP auth for Git/REST API has been lost.

That was a useful use-case when people needed to use a random password
for batch operations using Git/HTTP or for REST API processing.

By using the same technique experimented for LDAP/HTTP authentication
it is possible to choose if Git/HTTP and REST need to be validated
against OAUTH or using the Gerrit's hashed HTTP password.

Change-Id: I1fbabc3fa11ae0cb98308592e1be09039be78ff5

Documentation/config-gerrit.txt

@@ -466,9 +466,10 @@ By default this is set to false.
 
 [[auth.gitBasicAuthPolicy]]auth.gitBasicAuthPolicy::
 +
-When `auth.type` is `LDAP`, it allows using either the generated HTTP password,
-the LDAP password, or both, to authenticate Git over HTTP and REST API
-requests. The supported values are:
+When `auth.type` is `LDAP` or `OAUTH`, it allows using either the generated
+HTTP password, the LDAP or OAUTH password, or a combination of HTTP and LDAP
+authentication, to authenticate Git over HTTP and REST API requests.
+The supported values are:
 +
 *`HTTP`
 +
@@ -480,12 +481,18 @@ and REST API requests.
 Only the `LDAP` password is allowed when doing Git over HTTP and REST API
 requests.
 +
+*`OAUTH`
++
+Only the `OAUTH` password is allowed when doing Git over HTTP and REST API
+requests.
++
 *`HTTP_LDAP`
 +
 The password in the request is first checked against the HTTP password and, if
 it does not match, it is then validated against the `LDAP` password.
 +
-By default this is set to `LDAP` when link:#auth.type[`auth.type`] is `LDAP`.
+By default this is set to `LDAP` when link:#auth.type[`auth.type`] is `LDAP`
+and `OAUTH` when link:#auth.type[`auth.type`] is `OAUTH`.
 Otherwise, the default value is `HTTP`.
 
 [[auth.gitOAuthProvider]]auth.gitOAuthProvider::

gerrit-extension-api/src/main/java/com/google/gerrit/extensions/client/GitBasicAuthPolicy.java

@@ -17,5 +17,6 @@ package com.google.gerrit.extensions.client;
 public enum GitBasicAuthPolicy {
   HTTP,
   LDAP,
-  HTTP_LDAP
+  HTTP_LDAP,
+  OAUTH
 }

gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java

@@ -14,9 +14,9 @@
 
 package com.google.gerrit.httpd;
 
-import static com.google.gerrit.extensions.client.AuthType.OAUTH;
 import static com.google.gerrit.httpd.plugins.LfsPluginServlet.LFS_REST;
 
+import com.google.gerrit.extensions.client.GitBasicAuthPolicy;
 import com.google.gerrit.reviewdb.client.CoreDownloadSchemes;
 import com.google.gerrit.server.config.AuthConfig;
 import com.google.gerrit.server.config.DownloadConfig;
@@ -42,10 +42,11 @@ public class GitOverHttpModule extends ServletModule {
     Class<? extends Filter> authFilter;
     if (authConfig.isTrustContainerAuth()) {
       authFilter = ContainerAuthFilter.class;
-    } else if (authConfig.getAuthType() == OAUTH) {
-      authFilter = ProjectOAuthFilter.class;
     } else {
-      authFilter = ProjectBasicAuthFilter.class;
+      authFilter =
+          authConfig.getGitBasicAuthPolicy() == GitBasicAuthPolicy.OAUTH
+              ? ProjectOAuthFilter.class
+              : ProjectBasicAuthFilter.class;
     }
 
     if (isHttpEnabled()) {

gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java

@@ -132,7 +132,9 @@ public class AuthConfig {
 
   private GitBasicAuthPolicy getBasicAuthPolicy(Config cfg) {
     GitBasicAuthPolicy defaultAuthPolicy =
-        isLdapAuthType() ? GitBasicAuthPolicy.LDAP : GitBasicAuthPolicy.HTTP;
+        isLdapAuthType()
+            ? GitBasicAuthPolicy.LDAP
+            : isOAuthType() ? GitBasicAuthPolicy.OAUTH : GitBasicAuthPolicy.HTTP;
     return cfg.getEnum("auth", null, "gitBasicAuthPolicy", defaultAuthPolicy);
   }
 
@@ -315,6 +317,10 @@ public class AuthConfig {
     return authType == AuthType.LDAP || authType == AuthType.LDAP_BIND;
   }
 
+  public boolean isOAuthType() {
+    return authType == AuthType.OAUTH;
+  }
+
   public boolean isAllowRegisterNewEmail() {
     return allowRegisterNewEmail;
   }