Exclude local gerrit accounts from scheduled deactivation task

Currently, local-only gerrit accounts can be included in the deactivation
sweep. This is not always desirable (as in the case of functional
accounts not backed by an auth backend). This change excludes such accounts
not backed by an auth backend.

Change-Id: I68eb1d0a6b986ff47d39dcfb95b8e020adf13043

gerrit-server/src/main/java/com/google/gerrit/server/account/AccountDeactivator.java

@@ -115,7 +115,9 @@ public class AccountDeactivator implements Runnable {
   private boolean processAccount(AccountState account) {
     log.debug("processing account " + account.getUserName());
     try {
-      if (account.getUserName() != null && !realm.isActive(account.getUserName())) {
+      if (account.getUserName() != null
+          && realm.accountBelongsToRealm(account.getExternalIds())
+          && !realm.isActive(account.getUserName())) {
         sif.deactivate(account.getAccount().getId());
         log.info("deactivated account " + account.getUserName());
         return true;

gerrit-server/src/main/java/com/google/gerrit/server/account/Realm.java

@@ -17,7 +17,9 @@ package com.google.gerrit.server.account;
 import com.google.gerrit.extensions.client.AccountFieldName;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.IdentifiedUser;
+import com.google.gerrit.server.account.externalids.ExternalId;
 import java.io.IOException;
+import java.util.Collection;
 import java.util.Set;
 import javax.naming.NamingException;
 import javax.security.auth.login.LoginException;
@@ -58,4 +60,10 @@ public interface Realm {
       throws LoginException, NamingException, AccountException {
     return true;
   }
+
+  /** @return true if the account is backed by the realm, false otherwise. */
+  default boolean accountBelongsToRealm(
+      @SuppressWarnings("unused") Collection<ExternalId> externalIds) {
+    return false;
+  }
 }

gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java

@@ -40,6 +40,7 @@ import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import com.google.inject.name.Named;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -337,6 +338,16 @@ class LdapRealm extends AbstractRealm {
     }
   }
 
+  @Override
+  public boolean accountBelongsToRealm(Collection<ExternalId> externalIds) {
+    for (ExternalId id : externalIds) {
+      if (id.toString().contains(SCHEME_GERRIT)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
   static class UserLoader extends CacheLoader<String, Optional<Account.Id>> {
     private final ExternalIds externalIds;
 

gerrit-server/src/main/java/com/google/gerrit/server/auth/oauth/OAuthRealm.java

@@ -14,6 +14,8 @@
 
 package com.google.gerrit.server.auth.oauth;
 
+import static com.google.gerrit.server.account.externalids.ExternalId.SCHEME_EXTERNAL;
+
 import com.google.common.base.Strings;
 import com.google.gerrit.extensions.auth.oauth.OAuthLoginProvider;
 import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo;
@@ -24,10 +26,12 @@ import com.google.gerrit.server.account.AbstractRealm;
 import com.google.gerrit.server.account.AccountException;
 import com.google.gerrit.server.account.AccountManager;
 import com.google.gerrit.server.account.AuthRequest;
+import com.google.gerrit.server.account.externalids.ExternalId;
 import com.google.gerrit.server.config.GerritServerConfig;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import java.io.IOException;
+import java.util.Collection;
 import java.util.HashSet;
 import java.util.Set;
 import org.eclipse.jgit.lib.Config;
@@ -115,4 +119,14 @@ public class OAuthRealm extends AbstractRealm {
   public Account.Id lookup(String accountName) {
     return null;
   }
+
+  @Override
+  public boolean accountBelongsToRealm(Collection<ExternalId> externalIds) {
+    for (ExternalId id : externalIds) {
+      if (id.toString().contains(SCHEME_EXTERNAL)) {
+        return true;
+      }
+    }
+    return false;
+  }
 }