Add option to make ldap groups visible to everyone

A non-admin user was not allowed to add an LDAP group as a member
of another group if the user did not belong to that LDAP group.

When the option ldap.visibleToAll in gerrit.config is set to
true ldap groups are visible to everyone.

Issue:2255
Change-Id: Ibd234c6dfc8d890edde2304e820d01d359fda0fd
Olga Grinberg
2015-02-03 15:54:48 -05:00
committed by Edwin Kempin
parent 06af319c99
commit cf1b06a39f
8 changed files with 53 additions and 7 deletions


@@ -70,6 +70,7 @@ import javax.security.auth.login.LoginException;
private final String readTimeoutMillis;
private final String connectTimeoutMillis;
private final boolean useConnectionPooling;
private final boolean groupsVisibleToAll;
@Inject
Helper(@GerritServerConfig final Config config,
@@ -81,6 +82,7 @@ import javax.security.auth.login.LoginException;
this.password = LdapRealm.optional(config, "password", "");
this.referral = LdapRealm.optional(config, "referral", "ignore");
this.sslVerify = config.getBoolean("ldap", "sslverify", true);
this.groupsVisibleToAll = config.getBoolean("ldap", "groupsVisibleToAll", false);
this.authentication =
LdapRealm.optional(config, "authentication", "simple");
String readTimeout = LdapRealm.optional(config, "readTimeout");
@@ -309,6 +311,10 @@ import javax.security.auth.login.LoginException;
}
}
public boolean groupsVisibleToAll() {
return this.groupsVisibleToAll;
}
class LdapSchema {
final LdapType type;
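Review bot: The key read in the constructor is `ldap.groupsVisibleToAll`, while the commit description names the option `ldap.visibleToAll`; an administrator who sets the latter gets no error and the flag silently keeps its default of `false`. That fails closed rather than open, but the name should be settled in one place, and the field deserves a comment such as `// ldap.groupsVisibleToAll: when true, every LDAP group is visible to all users, not only to its members (default false).` The configuration documentation may already be among the changed files not shown here; if so, it should use the same key as the code. The constructor and the rest of the class lie outside the hunks shown.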


@@ -250,4 +250,9 @@ public class LdapGroupBackend extends AbstractGroupBackend {
}
return out;
}
@Override
public boolean isVisibleToAll(AccountGroup.UUID uuid) {
return handles(uuid) && helper.groupsVisibleToAll();
}
}
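Review bot: `isVisibleToAll` returns true for every UUID this backend handles once the flag is set, so the option is all-or-nothing, with no per-group or per-base-DN scoping. Whether anonymous callers are covered depends on the code that consults this method, which is not visible here. On a directory where group names alone are sensitive, enabling it widens what any account can look up, and that trade-off should be written down where the decision is made. I would add a Javadoc on the override, for example `/** Returns true for any LDAP group when ldap.groupsVisibleToAll is set; applies to all LDAP groups, with no per-group restriction. */`, and state the same in the option's documentation.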