diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt index 57386bf8ca..e493a870f7 100644 --- a/Documentation/config-gerrit.txt +++ b/Documentation/config-gerrit.txt @@ -466,9 +466,10 @@ By default this is set to false. [[auth.gitBasicAuthPolicy]]auth.gitBasicAuthPolicy:: + -When `auth.type` is `LDAP`, it allows using either the generated HTTP password, -the LDAP password, or both, to authenticate Git over HTTP and REST API -requests. The supported values are: +When `auth.type` is `LDAP` or `OAUTH`, it allows using either the generated +HTTP password, the LDAP or OAUTH password, or a combination of HTTP and LDAP +authentication, to authenticate Git over HTTP and REST API requests. +The supported values are: + *`HTTP` + @@ -480,12 +481,18 @@ and REST API requests. Only the `LDAP` password is allowed when doing Git over HTTP and REST API requests. + +*`OAUTH` ++ +Only the `OAUTH` password is allowed when doing Git over HTTP and REST API +requests. ++ *`HTTP_LDAP` + The password in the request is first checked against the HTTP password and, if it does not match, it is then validated against the `LDAP` password. + -By default this is set to `LDAP` when link:#auth.type[`auth.type`] is `LDAP`. +By default this is set to `LDAP` when link:#auth.type[`auth.type`] is `LDAP` +and `OAUTH` when link:#auth.type[`auth.type`] is `OAUTH`. Otherwise, the default value is `HTTP`. [[auth.gitOAuthProvider]]auth.gitOAuthProvider:: diff --git a/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/client/GitBasicAuthPolicy.java b/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/client/GitBasicAuthPolicy.java index 6450b0dc15..028c9110ca 100644 --- a/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/client/GitBasicAuthPolicy.java +++ b/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/client/GitBasicAuthPolicy.java 
@@ -17,5 +17,6 @@ package com.google.gerrit.extensions.client;
 public enum GitBasicAuthPolicy {
 HTTP,
 LDAP,
- HTTP_LDAP
+ HTTP_LDAP,
+ OAUTH
 }
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java
index 3be9a12afc..d8ec107524 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java
@@ -14,9 +14,9 @@ package com.google.gerrit.httpd;
-import static com.google.gerrit.extensions.client.AuthType.OAUTH;
 import static com.google.gerrit.httpd.plugins.LfsPluginServlet.LFS_REST;
+import com.google.gerrit.extensions.client.GitBasicAuthPolicy;
 import com.google.gerrit.reviewdb.client.CoreDownloadSchemes;
 import com.google.gerrit.server.config.AuthConfig;
 import com.google.gerrit.server.config.DownloadConfig;
@@ -42,10 +42,11 @@ public class GitOverHttpModule extends ServletModule {
 Class authFilter;
 if (authConfig.isTrustContainerAuth()) {
 authFilter = ContainerAuthFilter.class;
- } else if (authConfig.getAuthType() == OAUTH) {
- authFilter = ProjectOAuthFilter.class;
 } else {
- authFilter = ProjectBasicAuthFilter.class;
+ authFilter =
+ authConfig.getGitBasicAuthPolicy() == GitBasicAuthPolicy.OAUTH
+ ? ProjectOAuthFilter.class
+ : ProjectBasicAuthFilter.class;
 }
 if (isHttpEnabled()) {
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
index cc9133e5c3..6cdb5e56c2 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
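Review bot: The `else` branch of the filter selection in GitOverHttpModule (the enclosing method starts and ends outside the hunk) now picks the filter from `auth.gitBasicAuthPolicy` alone, so a site that sets the policy to `OAUTH` while `auth.type` is something else gets `ProjectOAuthFilter` on the Git-over-HTTP path, and nothing visible in this diff checks that an OAuth provider is configured for it. The removed branch keyed on `getAuthType() == OAUTH`, so the filter and the login realm could not disagree. I would either keep the type in the condition, `authConfig.isOAuthType() && authConfig.getGitBasicAuthPolicy() == GitBasicAuthPolicy.OAUTH`, or reject the mismatch where the value is read, since `AuthConfig.getBasicAuthPolicy` returns the `cfg.getEnum` result unchecked. The reverse case (`LDAP` or `HTTP_LDAP` under `auth.type = OAUTH`) deserves the same check; how `ProjectBasicAuthFilter` behaves there is not shown here.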
@@ -132,7 +132,9 @@ public class AuthConfig {
 private GitBasicAuthPolicy getBasicAuthPolicy(Config cfg) {
 GitBasicAuthPolicy defaultAuthPolicy =
- isLdapAuthType() ? GitBasicAuthPolicy.LDAP : GitBasicAuthPolicy.HTTP;
+ isLdapAuthType()
+ ? GitBasicAuthPolicy.LDAP
+ : isOAuthType() ? GitBasicAuthPolicy.OAUTH : GitBasicAuthPolicy.HTTP;
 return cfg.getEnum("auth", null, "gitBasicAuthPolicy", defaultAuthPolicy);
 }
@@ -315,6 +317,10 @@ public class AuthConfig {
 return authType == AuthType.LDAP || authType == AuthType.LDAP_BIND;
 }
+ public boolean isOAuthType() {
+ return authType == AuthType.OAUTH;
+ }
+
 public boolean isAllowRegisterNewEmail() {
 return allowRegisterNewEmail;
 }
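Review bot: The nested conditional in `getBasicAuthPolicy` hides why `OAUTH` is in the default chain: it is what keeps existing `auth.type = OAUTH` sites on `ProjectOAuthFilter` now that `GitOverHttpModule` selects the filter by policy rather than by auth type. A comment above the assignment would record that, for example `// Default follows auth.type: LDAP types -> LDAP, OAUTH -> OAUTH, otherwise HTTP.` Parenthesising the inner expression, `: (isOAuthType() ? GitBasicAuthPolicy.OAUTH : GitBasicAuthPolicy.HTTP);`, would also make the precedence explicit to the next reader.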