Merge "Allows explicit login with auth.type = HTTP*"

Documentation/config-gerrit.txt

@@ -255,6 +255,26 @@ The "Sign In" link will send users directly to this URL.
 HTTP header to trust the username from, or unset to select HTTP basic
 or digest authentication.  Only used if `auth.type` is set to HTTP.
 
+[[auth.loginUrl]]auth.loginUrl::
++
+URL to redirect a browser to after the end-user has clicked on the
+login link in the upper right corner. Only used if 'auth.type' was set
+to HTTP or HTTP_LDAP.
+Organizations using an enterprise single-sign-on solution may want to
+redirect the browser to the SSO product's sign-in page for completing the
+login process and validate their credentials.
++
+If set, Gerrit allows to access anonymously until the end-user performs the login
+and then provides a trusted identity through the HTTP header.
+If not set, Gerrit requires the HTTP header with a trusted identity
+otherwise returns the error page LoginRedirect.html.
+
+[[auth.loginText]]auth.loginText::
++
+Text displayed in the loginUrl link. Only used if 'auth.loginUrl' was set.
++
+If not set, the 'Sign In' text is used.
+
 [[auth.logoutUrl]]auth.logoutUrl::
 +
 URL to redirect a browser to after the end-user has clicked on the

gerrit-common/src/main/java/com/google/gerrit/common/data/GerritConfig.java

@@ -26,6 +26,8 @@ import java.util.Set;
 public class GerritConfig implements Cloneable {
   protected String registerUrl;
   protected String registerText;
+  protected String loginUrl;
+  protected String loginText;
   protected String httpPasswordUrl;
   protected String reportBugUrl;
 
@@ -48,6 +50,22 @@ public class GerritConfig implements Cloneable {
   protected int suggestFrom;
   protected int changeUpdateDelay;
 
+  public String getLoginUrl() {
+    return loginUrl;
+  }
+
+  public void setLoginUrl(final String u) {
+    loginUrl = u;
+  }
+
+  public String getLoginText() {
+    return loginText;
+  }
+
+  public void setLoginText(String signinText) {
+    this.loginText = signinText;
+  }
+
   public String getRegisterUrl() {
     return registerUrl;
   }

gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java

@@ -729,8 +729,6 @@ public class Gerrit implements EntryPoint {
       whoAmI(cfg.getAuthType() != AuthType.CLIENT_SSL_CERT_LDAP);
     } else {
       switch (cfg.getAuthType()) {
-        case HTTP:
-        case HTTP_LDAP:
         case CLIENT_SSL_CERT_LDAP:
           break;
 
@@ -759,6 +757,14 @@ public class Gerrit implements EntryPoint {
           });
           break;
 
+        case HTTP:
+        case HTTP_LDAP:
+          if (cfg.getLoginUrl() != null) {
+            final String signinText = cfg.getLoginText() == null ? C.menuSignIn() : cfg.getLoginText();
+            menuRight.add(anchor(signinText, cfg.getLoginUrl()));
+          }
+          break;
+
         case LDAP:
         case LDAP_BIND:
         case CUSTOM_EXTENSION:

gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritConfigProvider.java

@@ -94,10 +94,14 @@ class GerritConfigProvider implements Provider<GerritConfig> {
         config.setHttpPasswordUrl(cfg.getString("auth", null, "httpPasswordUrl"));
         break;
 
-      case CLIENT_SSL_CERT_LDAP:
-      case DEVELOPMENT_BECOME_ANY_ACCOUNT:
       case HTTP:
       case HTTP_LDAP:
+        config.setLoginUrl(cfg.getString("auth", null, "loginurl"));
+        config.setLoginText(cfg.getString("auth", null, "logintext"));
+        break;
+
+      case CLIENT_SSL_CERT_LDAP:
+      case DEVELOPMENT_BECOME_ANY_ACCOUNT:
       case OPENID:
       case OPENID_SSO:
         break;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebModule.java

@@ -88,7 +88,7 @@ public class WebModule extends FactoryModule {
     switch (authConfig.getAuthType()) {
       case HTTP:
       case HTTP_LDAP:
-        install(new HttpAuthModule());
+        install(new HttpAuthModule(authConfig));
         break;
 
       case CLIENT_SSL_CERT_LDAP:

gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthModule.java

@@ -14,13 +14,22 @@
 
 package com.google.gerrit.httpd.auth.container;
 
+import com.google.gerrit.server.config.AuthConfig;
 import com.google.inject.servlet.ServletModule;
 
 /** Servlets and support related to HTTP authentication. */
 public class HttpAuthModule extends ServletModule {
+  private final AuthConfig authConfig;
+
+  public HttpAuthModule(final AuthConfig authConfig) {
+    this.authConfig = authConfig;
+  }
+
   @Override
   protected void configureServlets() {
+    if (authConfig.getLoginUrl() == null) {
       filter("/").through(HttpAuthFilter.class);
+    }
     serve("/login", "/login/*").with(HttpLoginServlet.class);
   }
 }

gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java

@@ -40,6 +40,7 @@ public class AuthConfig {
   private final boolean enableRunAs;
   private final boolean userNameToLowerCase;
   private final boolean gitBasicAuth;
+  private final String loginUrl;
   private final String logoutUrl;
   private final String openIdSsoUrl;
   private final List<String> openIdDomains;
@@ -57,6 +58,7 @@ public class AuthConfig {
       throws XsrfException {
     authType = toType(cfg);
     httpHeader = cfg.getString("auth", null, "httpheader");
+    loginUrl = cfg.getString("auth", null, "loginurl");
     logoutUrl = cfg.getString("auth", null, "logouturl");
     openIdSsoUrl = cfg.getString("auth", null, "openidssourl");
     openIdDomains = Arrays.asList(cfg.getStringList("auth", null, "openIdDomain"));
@@ -124,6 +126,10 @@ public class AuthConfig {
     return httpHeader;
   }
 
+  public String getLoginUrl() {
+    return loginUrl;
+  }
+
   public String getLogoutURL() {
     return logoutUrl;
   }