Enable Gerrit CLA and Contact Store on review-dev.

This replaces the previous Echosign+Launchpad+Wiki+approver-based
asynchronous contributor license agreement signing process with a
fully-automated one contained entirely within Gerrit itself.

Note that the CLA features in Gerrit's WebUI depend on a modified
gerrit.war with an earlier patch reverted:

    https://review.openstack.org/12716

* manifests/site.pp(review-dev.openstack.org): Fill contactstore_appsec
and contactstore_pubkey private material from hiera, for use by Gerrit's
contact store feature. Similar entries should be added for
review.openstack.org before going into production.

* modules/gerrit/manifests/init.pp(gerrit): Add contactstore,
contactstore_appsec and contactstore_url variables needed by the
gerrit.config.erb template, and contactstore_pubkey needed by the
contact_information.pub.erb template. Add a conditional block so that if
contactstore is enabled it installs the libbcpg-java package which
Bouncy Castle needs for OpenPGP operations, links the bcpg.jar into
Gerrit's lib directory, and builds contact_information.pub from the
contact_information.pub.erb template.

* modules/gerrit/templates/contact_information.pub.erb: New template
which is effectively an empty file waiting to be filled with the
contents of the contactstore_pubkey variable. The
gerrit_contact_information.pub file built from it gets used to encrypt
contact information filed by users in such a way that it can only be
decrypted by the private key held by the Foundation.

* modules/gerrit/templates/gerrit.config.erb(contactstore): New section,
implemented conditionally for safety. Once enabled, if the
contactstore_appsec and contactstore_url are unset then Gerrit will
refuse to start. If the system referred to by contactstore_url is
unresponsive or contactstore_appsec does not contain the shared secret
it's expecting, contributors will be unable to file initial or updated
contact information through Gerrit's WebUI.

* modules/openstack_project/files/gerrit/cla.html: A stripped-down HTML
copy of http://wiki.openstack.org/CLA retaining all the original
wording. This will probably need updating by OpenStack Foundation staff.

* modules/openstack_project/manifests/gerrit.pp
(openstack_project::gerrit): Add contactstore, contactstore_appsec,
contactstore_pubkey and contactstore_url variables to pass back into the
gerrit module. Also define the cla_description, cla_file, cla_id and
cla_name variables which get used in the gerrit_set_agreements.sh.erb
template. Add an entry to install the cla.html file.

* modules/openstack_project/manifests/review_dev.pp
(openstack_project::review_dev): Add the contactstore_appsec and
contactstore_pubkey variables so they can be filled in by hiera.
Override the war to pull in the g69c8fa6 test build which has the
aforementioned CLA bits restored. Turn on contactstore and set
contactstore_url to point to an existing test CGI on the Internet until
the Foundation has theirs ready. Pass contactstore_appsec and
contactstore_pubkey through up into gerrit.pp. Add an entry for the
set_agreements.sh script built from the gerrit_set_agreements.sh.erb
template and then execute it to add the new CLA to Gerrit's DB and mark
the old one expired. Similar changes should be made in review.pp before
going into production.

* modules/openstack_project/templates/gerrit_set_agreements.sh.erb: New
template used to build a set_agreements.sh script which checks Gerrit's
database and, if necessary, expires the old Echosign CLA and adds the
new local CLA. These conditions are checked and associated operations
performed independently, so subsequent runs become a no-op.
Post-migration, this can probably be neutered further and kept around
for pushing future CLA modifications into the database when needed.

Change-Id: Ib7136fef23dbd5602955649b33a57bc8d7106026
Reviewed-on: https://review.openstack.org/13058
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins

manifests/site.pp

@@ -28,6 +28,8 @@ node "gerrit-dev.openstack.org", "review-dev.openstack.org" {
     mysql_password => hiera('gerrit_dev_mysql_password'),
     mysql_root_password => hiera('gerrit_dev_mysql_root_password'),
     email_private_key => hiera('gerrit_dev_email_private_key'),
+    contactstore_appsec => hiera('gerrit_dev_contactstore_appsec'),
+    contactstore_pubkey => hiera('gerrit_dev_contactstore_pubkey'),
     sysadmins => hiera('sysadmins'),
   }
 }

modules/gerrit/manifests/init.pp

@@ -42,6 +42,14 @@
 #     to:
 #       http://tarballs.openstack.org/ci/gerrit-2.3.0.war
 #     Gerrit will be upgraded on the next puppet run.
+#   contactstore:
+#     A boolean enabling the contact store feature
+#   contactstore_appsec:
+#     An application shared secret for the contact store protocol
+#   contactstore_pubkey:
+#     A public key with which to encrypt contact information
+#   contactstore_url:
+#     A URL for the remote contact store application
 #   replicate_github:
 #     A boolean enabling replication to github
 #   replicate_local:
@@ -73,6 +81,10 @@ class gerrit($vhost_name=$fqdn,
       $httpd_maxwait='',
       $commentlinks = [],
       $war,
+      $contactstore=false,
+      $contactstore_appsec='',
+      $contactstore_pubkey='',
+      $contactstore_url='',
       $projects_file = 'UNDEF',
       $enable_melody = 'false',
       $melody_session = 'false',
@@ -390,4 +402,26 @@ class gerrit($vhost_name=$fqdn,
                 "puppet:///modules/gerrit/scripts",
               ],
   }
+
+  # Install Bouncy Castle's OpenPGP plugin and populate the contact store
+  # public key file if we're using that feature.
+  if ($contactstore == true) {
+    package { "libbcpg-java":
+      ensure => installed,
+    }
+    file { "/home/gerrit2/review_site/lib/bcpg.jar":
+      ensure => link,
+      target => "/usr/share/java/bcpg.jar",
+      require => File["/usr/share/java/bcpg.jar"],
+    }
+    file { '/home/gerrit2/review_site/etc/contact_information.pub':
+      owner => 'root',
+      group => 'root',
+      mode => 444,
+      ensure => 'present',
+      content => template('gerrit/contact_information.pub.erb'),
+      replace => 'true',
+      require => File["/home/gerrit2/review_site/etc"],
+    }
+  }
 }

modules/gerrit/templates/contact_information.pub.erb

@@ -0,0 +1 @@
+<%= contactstore_pubkey %>

modules/gerrit/templates/gerrit.config.erb

@@ -82,3 +82,8 @@
 [gitweb]
 	revision = "?p=${project}.git;a=commitdiff;h=${commit}"
 <% end -%>
+<% if contactstore == true -%>
+[contactstore]
+	appsec = <%= contactstore_appsec %>
+	url = <%= contactstore_url %>
+<% end -%>

modules/openstack_project/files/gerrit/cla.html

@@ -0,0 +1,116 @@
+<html><body><div>
+
+<h1>OpenStack Project Individual Contributor License Agreement</h1>
+
+<p>Everyone should fill out an Individual Contributor License agreement.  (If
+you are covered by a Corporate Contributor License Agreement, you still need to
+sign an individual CLA.)</p>
+
+<p>If you are contributing on behalf of a company, an authorized representative
+of your company should also sign a Corporate Contributor License Agreement.</p>
+
+<p><em>In order to clarify the intellectual property license granted with
+Contributions from any person or entity, the OpenStack Project (the "Project")
+must have a Contributor License Agreement ("Agreement") on file that has been
+signed by each Contributor, indicating agreement to the license terms below.
+This license is for your protection as a Contributor as well as the protection
+of OpenStack, LLC as Project manager (the "Project Manager") and the Project
+users; it does not change your rights to use your own Contributions for any
+other purpose. If you have not already done so, please complete and sign this
+Individual License Agreement by following the instructions embedded below.
+After you fill in the required information and apply your digital signature to
+the Agreement, the signature service will generate an email to you. You must
+confirm your digital signature as instructed in this email to complete the
+signing process. The signature service will then send you a signed copy of this
+Agreement for your records.</em></p>
+
+<p><em>You accept and agree to the following terms and conditions for Your
+present and future Contributions submitted to the Project Manager.  Except for
+the license granted herein to the Project Manager and recipients of software
+distributed by the Project Manager, You reserve all right, title, and interest
+in and to Your Contributions.</em></p>
+
+<h2>Definitions</h2>
+
+<p>"You" (or "Your") shall mean the copyright owner or legal entity authorized
+by the copyright owner that is making this Agreement with the Project Manager.
+For legal entities, the entity making a Contribution and all other entities
+that control, are controlled by, or are under common control with that entity
+are considered to be a single Contributor. For the purposes of this definition,
+"control" means (i) the power, direct or indirect, to cause the direction or
+management of such entity, whether by contract or otherwise, or (ii) ownership
+of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial
+ownership of such entity.</p>
+
+<p>"Contribution" shall mean any original work of authorship, including any
+modifications or additions to an existing work, that is intentionally submitted
+by You to the Project Manager for inclusion in, or documentation of, any of the
+projects owned or managed by the Project Manager (the "Work"). For the purposes
+of this definition, "submitted" means any form of electronic, verbal, or
+written communication sent to the Project Manager or its representatives,
+including but not limited to communication on electronic mailing lists, source
+code control systems, and issue tracking systems that are managed by, or on
+behalf of, the Project Manager for the purpose of discussing and improving the
+Work, but excluding communication that is conspicuously marked or otherwise
+designated in writing by You as "Not a Contribution."</p>
+
+<ol>
+    <li><strong>Grant of Copyright License.</strong> Subject to the terms and
+    conditions of this Agreement, You hereby grant to the Project Manager and
+    to recipients of software distributed by the Project Manager a perpetual,
+    worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright
+    license to reproduce, prepare derivative works of, publicly display,
+    publicly perform, sublicense, and distribute Your Contributions and such
+    derivative works.</li>
+
+    <li><strong>Grant of Patent License.</strong> Subject to the terms and
+    conditions of this Agreement, You hereby grant to the Project Manager and
+    to recipients of software distributed by the Project Manager a perpetual,
+    worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as
+    stated in this section) patent license to make, have made, use, offer to
+    sell, sell, import, and otherwise transfer the Work, where such license
+    applies only to those patent claims licensable by You that are necessarily
+    infringed by Your Contribution(s) alone or by combination of Your
+    Contribution(s) with the Work to which such Contribution(s) was submitted.
+    If any entity institutes patent litigation against You or any other entity
+    (including a cross-claim or counterclaim in a lawsuit) alleging that Your
+    Contribution, or the Work to which You have contributed, constitutes direct
+    or contributory patent infringement, then any patent licenses granted to
+    that entity under this Agreement for that Contribution or Work shall
+    terminate as of the date such litigation is filed.</li>
+
+    <li>You represent that you are legally entitled to grant the above license.
+    If your employer(s) has rights to intellectual property that you create
+    that includes your Contributions, You represent that you have received
+    permission to make Contributions on behalf of that employer, that your
+    employer has waived such rights for your Contributions to the Project
+    Manager, or that your employer has executed a separate Corporate
+    Contributor License Agreement with the Project Manager.</li>
+
+    <li>You represent that each of Your Contributions is Your original creation
+    (see Section 7 for submissions on behalf other others). You represent that
+    Your Contribution submissions include complete details of any third-party
+    license or other restriction (including, but not limited to, related
+    patents and trademarks) of which you are personally aware and which are
+    associated with any part of Your Contributions.</li>
+
+    <li>You are not expected to provide support for Your Contributions, except
+    to the extent You desire to provide support. You may provide support for
+    free, for a fee, or not at all. Unless required by applicable law or agreed
+    to in writing, You provide Your Contributions on as "AS IS" BASIS, WITHOUT
+    WARRANTIES OR CONDITIONS OR ANY KIND, either express or implied, including,
+    without limitation, any warranties or conditions of TITLE, NONINFRINGEMENT,
+    MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. 7. Should You wish to
+    submit work that is not Your original creation, You may submit it to the
+    Project Manager separately from any Contribution, identifying the complete
+    details of its source and of any license or other restriction (including,
+    but not limited to, related patents, trademarks, and license agreements) of
+    which you are personally aware, and conspicuously marking the work as
+    "Submitted on behalf of a third-party: [named here]".</li>
+
+    <li>You agree to notify the Project Manager of any facts or circumstances
+    of which you become aware that would make these representations inaccurate
+    in any respect.</li>
+</ol>
+
+</div></body></html>

modules/openstack_project/manifests/gerrit.pp

@@ -23,6 +23,14 @@ class openstack_project::gerrit (
       $httpd_maxthreads='',
       $httpd_maxwait='',
       $war,
+      $contactstore,
+      $contactstore_appsec,
+      $contactstore_pubkey,
+      $contactstore_url,
+      $cla_description='OpenStack Individual Contributor License Agreement',
+      $cla_file='static/cla.html',
+      $cla_id='2',
+      $cla_name='ICLA',
       $script_user='update',
       $script_key_file='/home/gerrit2/.ssh/id_rsa',
       $script_logging_conf='/home/gerrit2/.sync_logging.conf',
@@ -76,6 +84,10 @@ class openstack_project::gerrit (
                        link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2' },
                   ],
     war => $war,
+    contactstore => $contactstore,
+    contactstore_appsec => $contactstore_appsec,
+    contactstore_pubkey => $contactstore_pubkey,
+    contactstore_url => $contactstore_url,
     mysql_password => $mysql_password,
     mysql_root_password => $mysql_root_password,
     email_private_key => $email_private_key,
@@ -106,6 +118,16 @@ class openstack_project::gerrit (
     require => Class['::gerrit'],
   }
 
+  file { '/home/gerrit2/review_site/static/cla.html':
+    owner => 'root',
+    group => 'root',
+    mode => 444,
+    ensure => 'present',
+    source => 'puppet:///modules/openstack_project/gerrit/cla.html',
+    replace => 'true',
+    require => Class['::gerrit'],
+  }
+
   file { '/home/gerrit2/review_site/static/title.png':
     ensure => 'present',
     source => "puppet:///modules/openstack_project/openstack.png",

modules/openstack_project/manifests/review_dev.pp

@@ -3,6 +3,8 @@ class openstack_project::review_dev (
   $mysql_password,
   $mysql_root_password,
   $email_private_key,
+  $contactstore_appsec,
+  $contactstore_pubkey,
   $sysadmins = []
 ) {
   class { 'openstack_project::gerrit':
@@ -12,7 +14,11 @@ class openstack_project::review_dev (
     ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
     ssl_chain_file => '',
     email => "review-dev@openstack.org",
-    war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-11-gb5a28fb.war',
+    war => 'http://tarballs.openstack.org/ci/test/gerrit-2.4.2-13-g69c8fa6.war',
+    contactstore => true,
+    contactstore_appsec => $contactstore_appsec,
+    contactstore_pubkey => $contactstore_pubkey,
+    contactstore_url => 'https://www.yuggoth.org/gerrit_test',
     script_user => 'launchpadsync',
     script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
     script_logging_conf => '/home/gerrit2/.sync_logging.conf',
@@ -41,4 +47,19 @@ class openstack_project::review_dev (
     source => 'puppet:///modules/openstack_project/gerrit/launchpad_sync_logging.conf',
     require => User['gerrit2']
   }
+  file { '/home/gerrit2/review_site/bin/set_agreements.sh':
+    ensure => present,
+    owner => root,
+    group => root,
+    mode => 0755,
+    content => template('openstack_project/gerrit_set_agreements.sh.erb'),
+    replace => 'true',
+    require => Class['::gerrit']
+  }
+  exec { 'set_contributor_agreements':
+    path    => ['/bin', '/usr/bin'],
+    command => '/home/gerrit2/review_site/bin/set_agreements.sh',
+    require => [Class['mysql'],
+                File['/home/gerrit2/review_site/bin/set_agreements.sh']]
+  }
 }

modules/openstack_project/templates/gerrit_set_agreements.sh.erb

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# The point of this script is to update the list of contributor license
+# agreements Gerrit knows about. More specifically, in its current form,
+# it's being used by Puppet to perform database-specific parts of a
+# migration for OpenStack's development and production Gerrit servers
+# from Echosign to a Gerrit-managed CLA. As such, a lot of this code can
+# be ripped out once that migration is complete (though it doesn't
+# necessarily need to be, and can be left in place more or less
+# indefinitely without impact).
+
+# This function takes a contributor agreement ID and returns 0 if Y
+# (active), 1 if N (inactive) or anything else (including if the CLA
+# does not exist). It would be nice to implement this by short name
+# instead, but Gerrit does not create the id column with auto_increment
+# so we have to know what ID integers we want when creating anyway.
+is_active () {
+    ACTIVE=$(
+        mysql --defaults-file=/etc/mysql/debian.cnf --batch \
+            --skip-column-names --execute '
+                SELECT active FROM contributor_agreements WHERE id='$1';
+            ' reviewdb
+    )
+    if test "$ACTIVE" = "Y" ; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+# The old Echosign CLA needs to be invalidated, so if it's active then
+# update it to an inactive state.
+is_active 1 \
+&& mysql --defaults-file=/etc/mysql/debian.cnf --execute '
+        UPDATE contributor_agreements SET active="N" WHERE id=1;
+    ' reviewdb
+
+# The new Gerrit-managed CLA should be created if it does not yet exist.
+# It's added as ID 2 to accomodate the existence of the old Echosign CLA
+# occupying ID 1.
+is_active 2 \
+|| mysql --defaults-file=/etc/mysql/debian.cnf --execute '
+        INSERT INTO contributor_agreements VALUES (
+            "Y", "Y", "Y", "<%= cla_name %>",
+            "<%= cla_description %>",
+            "<%= cla_file %>", <%= cla_id %>
+        );
+    ' reviewdb