Fix NPE in LdapRealm caused by non-LDAP users

Servers that are connected to LDAP but have non-LDAP user accounts
created by `gerrit create-account` (e.g. batch role accounts for
build systems) were crashing with a NullPointerException when the
LdapRealm tried to discover which LDAP groups the non-LDAP user
was a member of in the directory.

If there is no LDAP identity for the user account, use an empty
set of groups as the LDAP contribution to the GroupMembership.

Change-Id: Ibd918a8705481e4b6bd2f34500fa79fa0d5f43a4

gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java

@@ -17,6 +17,7 @@ package com.google.gerrit.server.auth.ldap;
 import static com.google.gerrit.reviewdb.client.AccountExternalId.SCHEME_GERRIT;
 
 import com.google.common.base.Optional;
+import com.google.common.base.Strings;
 import com.google.common.cache.CacheLoader;
 import com.google.common.cache.LoadingCache;
 import com.google.common.collect.Iterables;
@@ -269,10 +270,14 @@ class LdapRealm implements Realm {
   public GroupMembership groups(final AccountState who) {
     String id = findId(who.getExternalIds());
     Set<AccountGroup.UUID> groups;
-    try {
+    if (id != null) {
-      groups = membershipCache.get(id);
+      try {
-    } catch (ExecutionException e) {
+        groups = membershipCache.get(id);
-      log.warn(String.format("Cannot lookup groups for %s in LDAP", id), e);
+      } catch (ExecutionException e) {
+        log.warn(String.format("Cannot lookup groups for %s in LDAP", id), e);
+        groups = Collections.emptySet();
+      }
+    } else {
       groups = Collections.emptySet();
     }
     return groupMembershipFactory.create(Iterables.concat(
@@ -291,6 +296,9 @@ class LdapRealm implements Realm {
 
   @Override
   public Account.Id lookup(String accountName) {
+    if (Strings.isNullOrEmpty(accountName)) {
+      return null;
+    }
     try {
       Optional<Account.Id> id = usernameCache.get(accountName);
       return id != null ? id.orNull() : null;