Expose the GENERATE_HTTP_PASSWORD capability permssion.

Gerrit has a GENERATE_HTTP_PASSWORD capability but it is not exposed
as a permission in the Gerrit Access UI.  This change exposes the
GENERATE_HTTP_PASSWORD capability and restricts REST API action for
getting and generating the HTTP password.

Bug: Issue 2790
Change-Id: Ie7cfeac9090462758438ebe6710dffae4368ccd4

gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java

@@ -20,6 +20,7 @@ import static com.google.gerrit.common.data.GlobalCapability.CREATE_GROUP;
 import static com.google.gerrit.common.data.GlobalCapability.CREATE_PROJECT;
 import static com.google.gerrit.common.data.GlobalCapability.EMAIL_REVIEWERS;
 import static com.google.gerrit.common.data.GlobalCapability.FLUSH_CACHES;
+import static com.google.gerrit.common.data.GlobalCapability.GENERATE_HTTP_PASSWORD;
 import static com.google.gerrit.common.data.GlobalCapability.KILL_TASK;
 import static com.google.gerrit.common.data.GlobalCapability.PRIORITY;
 import static com.google.gerrit.common.data.GlobalCapability.RUN_GC;
@@ -113,6 +114,7 @@ class GetCapabilities implements RestReadView<AccountResource> {
     have.put(CREATE_PROJECT, cc.canCreateProject());
     have.put(EMAIL_REVIEWERS, cc.canEmailReviewers());
     have.put(FLUSH_CACHES, cc.canFlushCaches());
+    have.put(GENERATE_HTTP_PASSWORD, cc.canGenerateHttpPassword());
     have.put(KILL_TASK, cc.canKillTask());
     have.put(RUN_GC, cc.canRunGC());
     have.put(STREAM_EVENTS, cc.canStreamEvents());

gerrit-server/src/main/java/com/google/gerrit/server/account/GetHttpPassword.java

@@ -36,7 +36,7 @@ public class GetHttpPassword implements RestReadView<AccountResource> {
   public String apply(AccountResource rsrc) throws AuthException,
       ResourceNotFoundException {
     if (self.get() != rsrc.getUser()
-        && !self.get().getCapabilities().canAdministrateServer()) {
+        && !self.get().getCapabilities().canGenerateHttpPassword()) {
       throw new AuthException("not allowed to get http password");
     }
     AccountState s = rsrc.getUser().state();

gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java

@@ -86,14 +86,14 @@ public class PutHttpPassword implements RestModifyView<AccountResource, Input> {
 
     } else if (input.httpPassword == null) {
       if (self.get() != rsrc.getUser()
-          && !self.get().getCapabilities().canAdministrateServer()) {
+          && !self.get().getCapabilities().canGenerateHttpPassword()) {
         throw new AuthException("not allowed to clear HTTP password");
       }
       newPassword = null;
     } else {
-      if (!self.get().getCapabilities().canAdministrateServer()) {
+      if (!self.get().getCapabilities().canGenerateHttpPassword()) {
         throw new AuthException("not allowed to set HTTP password directly, "
-            + "need to be Gerrit administrator");
+            + "requires the Generate HTTP Password permission");
       }
       newPassword = input.httpPassword;
     }

gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java

@@ -29,6 +29,7 @@ public class CapabilityConstants extends TranslationBundle {
   public String createProject;
   public String emailReviewers;
   public String flushCaches;
+  public String generateHttpPassword;
   public String killTask;
   public String priority;
   public String queryLimit;