mamh-java
diff --git a/‎github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java‎
Lines changed: 30 additions & 37 deletions b/‎github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java‎
Lines changed: 30 additions & 37 deletions
diff --git a/‎github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/PasswordGenerator.java‎
Lines changed: 99 additions & 0 deletions b/‎github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/PasswordGenerator.java‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎github-oauth/src/test/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfigTest.java‎
Lines changed: 44 additions & 23 deletions b/‎github-oauth/src/test/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfigTest.java‎
Lines changed: 44 additions & 23 deletions
@@ -13,6 +13,8 @@
 // limitations under the License.
 package com.googlesource.gerrit.plugins.github.oauth;
 
+import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.KeyConfig.PASSWORD_DEVICE_CONFIG_LABEL;
+
 import com.google.common.base.CharMatcher;
 import com.google.common.base.MoreObjects;
 import com.google.common.base.Preconditions;
@@ -38,13 +40,9 @@
 import javax.servlet.http.HttpServletRequest;
 import lombok.Getter;
 import org.eclipse.jgit.lib.Config;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 @Singleton
 public class GitHubOAuthConfig {
-  private static Logger logger = LoggerFactory.getLogger(GitHubOAuthConfig.class);
-
   private final Config config;
   private final CanonicalWebUrl canonicalWebUrl;
 
@@ -138,25 +136,16 @@ protected GitHubOAuthConfig(@GerritServerConfig Config config, CanonicalWebUrl c
         config.getSubsections(CONF_KEY_SECTION).stream()
             .map(KeyConfig::new)
             .collect(Collectors.toMap(KeyConfig::getKeyId, Function.identity()));
-
-    if (configuredKeyConfig.isEmpty()) {
-      logger.warn(
-          "No configured '{}' sections found. Default configuration should NOT be used in production code.",
-          CONF_KEY_SECTION);
-      currentKeyConfig = new KeyConfig();
-      keyConfigMap = Map.of(currentKeyConfig.getKeyId(), currentKeyConfig);
-    } else {
-      keyConfigMap = configuredKeyConfig;
-      List<KeyConfig> currentKeyConfigs =
-          keyConfigMap.values().stream().filter(KeyConfig::isCurrent).collect(Collectors.toList());
-      if (currentKeyConfigs.size() != 1) {
-        throw new IllegalStateException(
-            String.format(
-                "Expected exactly 1 subsection of '%s' to be configured as 'current', %d found",
-                CONF_KEY_SECTION, currentKeyConfigs.size()));
-      }
-      currentKeyConfig = currentKeyConfigs.get(0);
+    keyConfigMap = configuredKeyConfig;
+    List<KeyConfig> currentKeyConfigs =
+        keyConfigMap.values().stream().filter(KeyConfig::isCurrent).collect(Collectors.toList());
+    if (currentKeyConfigs.size() != 1) {
+      throw new IllegalStateException(
+          String.format(
+              "Expected exactly 1 subsection of '%s' to be configured as 'current', %d found",
+              CONF_KEY_SECTION, currentKeyConfigs.size()));
     }
+    currentKeyConfig = currentKeyConfigs.get(0);
   }
 
   public String getOAuthFinalRedirectUrl(HttpServletRequest req) {
@@ -220,7 +209,6 @@ public KeyConfig getKeyConfig(String subsection) {
 
   public class KeyConfig {
 
-    public static final String PASSWORD_DEVICE_DEFAULT = "/dev/zero";
     public static final int PASSWORD_LENGTH_DEFAULT = 16;
     public static final String CIPHER_ALGORITHM_DEFAULT = "AES/ECB/PKCS5Padding";
     public static final String SECRET_KEY_ALGORITHM_DEFAULT = "AES";
@@ -251,11 +239,7 @@ public class KeyConfig {
                 CONF_KEY_SECTION, keyId, KEY_DELIMITER));
       }
 
-      this.passwordDevice =
-          trimTrailingSlash(
-              MoreObjects.firstNonNull(
-                  config.getString(CONF_KEY_SECTION, keyId, PASSWORD_DEVICE_CONFIG_LABEL),
-                  PASSWORD_DEVICE_DEFAULT));
+      this.passwordDevice = trimTrailingSlash(getPasswordDeviceOrThrow(config, keyId));
       this.passwordLength =
           config.getInt(
               CONF_KEY_SECTION, keyId, PASSWORD_LENGTH_CONFIG_LABEL, PASSWORD_LENGTH_DEFAULT);
@@ -274,15 +258,6 @@ public class KeyConfig {
       this.keyId = keyId;
     }
 
-    private KeyConfig() {
-      passwordDevice = PASSWORD_DEVICE_DEFAULT;
-      passwordLength = PASSWORD_LENGTH_DEFAULT;
-      isCurrent = true;
-      cipherAlgorithm = CIPHER_ALGORITHM_DEFAULT;
-      keyId = KEY_ID_DEFAULT;
-      secretKeyAlgorithm = SECRET_KEY_ALGORITHM_DEFAULT;
-    }
-
     public byte[] readPassword() throws IOException {
       Path devicePath = Paths.get(passwordDevice);
       try (FileInputStream in = new FileInputStream(devicePath.toFile())) {
@@ -311,4 +286,22 @@ public String getKeyId() {
       return keyId;
     }
   }
+
+  /**
+   * Method returns the password device value for a given {@code keyId}.
+   *
+   * @throws {@link IllegalStateException} when password device is not configured for {@code keyId}
+   */
+  private static String getPasswordDeviceOrThrow(Config config, String keyId) {
+    String passwordDevice =
+        config.getString(CONF_KEY_SECTION, keyId, KeyConfig.PASSWORD_DEVICE_CONFIG_LABEL);
+    if (Strings.isNullOrEmpty(passwordDevice)) {
+      throw new IllegalStateException(
+          String.format(
+              "Configuration error. Missing %s.%s for key-id '%s'",
+              CONF_KEY_SECTION, PASSWORD_DEVICE_CONFIG_LABEL, keyId));
+    }
+
+    return passwordDevice;
+  }
 }
@@ -0,0 +1,99 @@
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.googlesource.gerrit.plugins.github.oauth;
+
+import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.KeyConfig.PASSWORD_LENGTH_DEFAULT;
+import static java.util.Objects.requireNonNull;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.SecureRandom;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class PasswordGenerator {
+  private static final Logger logger = LoggerFactory.getLogger(PasswordGenerator.class);
+  public static final String DEFAULT_PASSWORD_FILE = "default.key";
+
+  /**
+   * Generates default password and stores under given {@code Path}. Note that if password already
+   * exists it is not regenerated.
+   *
+   * @param passwordFilePath path that should contain the default password; cannot be {@code null}
+   * @throws {@link IllegalStateException} when file denoted by given {@code Path} is a directory,
+   *     cannot be read, has invalid length or doesn't exist and cannot be created
+   * @return {@code true} if password was generated, {@code false} if it already exists
+   */
+  public boolean generate(Path passwordFilePath) {
+    requireNonNull(passwordFilePath);
+
+    File passwordFile = passwordFilePath.toFile();
+
+    if (passwordFile.isDirectory()) {
+      throw logErrorAndCreateRuntimeException(
+          "'%s' is directory whilst a regular file was expected.", passwordFilePath);
+    }
+
+    if (passwordFile.isFile()) {
+      if (!passwordFile.canRead()) {
+        throw logErrorAndCreateRuntimeException(
+            "'%s' password file exists, but cannot be read.", passwordFilePath);
+      }
+
+      long length = passwordFile.length();
+      if (length != PASSWORD_LENGTH_DEFAULT) {
+        throw logErrorAndCreateRuntimeException(
+            "'%s' password file exists but has an invalid length of %d bytes. The expected length is %d bytes.",
+            passwordFilePath, length, PASSWORD_LENGTH_DEFAULT);
+      }
+      return false;
+    }
+
+    byte[] token = generateToken();
+    try {
+      Files.write(passwordFilePath, token);
+      logger.info("Password was stored in {} file", passwordFilePath);
+      return true;
+    } catch (IOException e) {
+      throw logErrorAndCreateRuntimeException(e, "Password generation has failed");
+    }
+  }
+
+  private byte[] generateToken() {
+    SecureRandom random = new SecureRandom();
+    byte[] token = new byte[PASSWORD_LENGTH_DEFAULT];
+    random.nextBytes(token);
+    return token;
+  }
+
+  private IllegalStateException logErrorAndCreateRuntimeException(
+      String msg, Object... parameters) {
+    return logErrorAndCreateRuntimeException(null, msg, parameters);
+  }
+
+  private IllegalStateException logErrorAndCreateRuntimeException(
+      Exception e, String msg, Object... parameters) {
+    String log = String.format(msg, parameters);
+    if (e != null) {
+      logger.error(log, e);
+      return new IllegalStateException(log, e);
+    }
+
+    logger.error(log);
+    return new IllegalStateException(log);
+  }
+}
@@ -15,12 +15,10 @@
 
 import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.CONF_KEY_SECTION;
 import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.CONF_SECTION;
-import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.KeyConfig.CIPHER_ALGORITHM_DEFAULT;
 import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.KeyConfig.CIPHER_ALGO_CONFIG_LABEL;
 import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.KeyConfig.CURRENT_CONFIG_LABEL;
 import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.KeyConfig.KEY_DELIMITER;
-import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.KeyConfig.KEY_ID_DEFAULT;
-import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.KeyConfig.SECRET_KEY_ALGORITHM_DEFAULT;
+import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.KeyConfig.PASSWORD_DEVICE_CONFIG_LABEL;
 import static com.googlesource.gerrit.plugins.github.oauth.GitHubOAuthConfig.KeyConfig.SECRET_KEY_CONFIG_LABEL;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThrows;
@@ -38,6 +36,7 @@ public class GitHubOAuthConfigTest {
 
   CanonicalWebUrl canonicalWebUrl;
   Config config;
+  private static final String testPasswordDevice = "/dev/zero";
 
   @Before
   public void setUp() {
@@ -60,29 +59,14 @@ protected void configure() {
             .getInstance(CanonicalWebUrl.class);
   }
 
-  @Test
-  public void shouldDefaultKeyConfigWhenNoSpecificConfigurationIsSet() {
-    GitHubOAuthConfig objectUnderTest = objectUnderTest();
-    assertEquals(objectUnderTest.getCurrentKeyConfig().isCurrent(), true);
-    assertEquals(
-        objectUnderTest.getCurrentKeyConfig().getCipherAlgorithm(), CIPHER_ALGORITHM_DEFAULT);
-    assertEquals(
-        objectUnderTest.getCurrentKeyConfig().getSecretKeyAlgorithm(),
-        SECRET_KEY_ALGORITHM_DEFAULT);
-    assertEquals(objectUnderTest.getCurrentKeyConfig().getKeyId(), KEY_ID_DEFAULT);
-  }
-
-  @Test
-  public void shouldDBeAbleToLookupDefaultKeyWhenNoSpecificConfigurationIsSet() {
-    assertEquals(objectUnderTest().getKeyConfig(KEY_ID_DEFAULT).isCurrent(), true);
-  }
-
   @Test
   public void shouldReadASpecificKeyConfig() {
     String keySubsection = "someKeyConfig";
     String cipherAlgorithm = "AES/CFB8/NoPadding";
     String secretKeyAlgorithm = "DES";
     config.setBoolean(CONF_KEY_SECTION, keySubsection, CURRENT_CONFIG_LABEL, true);
+    config.setString(
+        CONF_KEY_SECTION, keySubsection, PASSWORD_DEVICE_CONFIG_LABEL, testPasswordDevice);
     config.setString(CONF_KEY_SECTION, keySubsection, CIPHER_ALGO_CONFIG_LABEL, cipherAlgorithm);
     config.setString(CONF_KEY_SECTION, keySubsection, SECRET_KEY_CONFIG_LABEL, secretKeyAlgorithm);
 
@@ -96,25 +80,47 @@ public void shouldReadASpecificKeyConfig() {
 
   @Test
   public void shouldReturnTheExpectedKeyConfigAsCurrent() {
-    config.setBoolean(CONF_KEY_SECTION, "currentKeyConfig", CURRENT_CONFIG_LABEL, true);
-    config.setBoolean(CONF_KEY_SECTION, "someOtherKeyConfig", CURRENT_CONFIG_LABEL, false);
+    String currentKeyConfig = "currentKeyConfig";
+    String someOtherKeyConfig = "someOtherKeyConfig";
+    config.setBoolean(CONF_KEY_SECTION, currentKeyConfig, CURRENT_CONFIG_LABEL, true);
+    config.setString(
+        CONF_KEY_SECTION, currentKeyConfig, PASSWORD_DEVICE_CONFIG_LABEL, testPasswordDevice);
+    config.setBoolean(CONF_KEY_SECTION, someOtherKeyConfig, CURRENT_CONFIG_LABEL, false);
+    config.setString(
+        CONF_KEY_SECTION, someOtherKeyConfig, PASSWORD_DEVICE_CONFIG_LABEL, testPasswordDevice);
 
-    assertEquals(objectUnderTest().getCurrentKeyConfig().getKeyId(), "currentKeyConfig");
+    assertEquals(objectUnderTest().getCurrentKeyConfig().getKeyId(), currentKeyConfig);
   }
 
   @Test
   public void shouldReadMultipleKeyConfigs() {
     String currentKeyConfig = "currentKeyConfig";
     String someOtherKeyConfig = "someOtherKeyConfig";
     config.setBoolean(CONF_KEY_SECTION, currentKeyConfig, CURRENT_CONFIG_LABEL, true);
+    config.setString(
+        CONF_KEY_SECTION, currentKeyConfig, PASSWORD_DEVICE_CONFIG_LABEL, testPasswordDevice);
     config.setBoolean(CONF_KEY_SECTION, someOtherKeyConfig, CURRENT_CONFIG_LABEL, false);
+    config.setString(
+        CONF_KEY_SECTION, someOtherKeyConfig, PASSWORD_DEVICE_CONFIG_LABEL, testPasswordDevice);
 
     GitHubOAuthConfig objectUnderTest = objectUnderTest();
 
     assertEquals(objectUnderTest.getKeyConfig(currentKeyConfig).getKeyId(), currentKeyConfig);
     assertEquals(objectUnderTest.getKeyConfig(someOtherKeyConfig).getKeyId(), someOtherKeyConfig);
   }
 
+  @Test
+  public void shouldThrowWhenNoKeyIdIsConfigured() {
+    IllegalStateException illegalStateException =
+        assertThrows(IllegalStateException.class, this::objectUnderTest);
+
+    assertEquals(
+        illegalStateException.getMessage(),
+        String.format(
+            "Expected exactly 1 subsection of '%s' to be configured as 'current', %d found",
+            CONF_KEY_SECTION, 0));
+  }
+
   @Test
   public void shouldThrowWhenNoKeyConfigIsSetAsCurrent() {
     config.setBoolean(CONF_KEY_SECTION, "someKeyConfig", CURRENT_CONFIG_LABEL, false);
@@ -145,6 +151,21 @@ public void shouldThrowWhenMoreThanOneKeyConfigIsSetAsCurrent() {
     assertThrows(IllegalStateException.class, this::objectUnderTest);
   }
 
+  @Test
+  public void shouldThrowWhenKeyIdMissesPasswordDevice() {
+    String someKeyConfig = "someKeyConfig";
+    config.setBoolean(CONF_KEY_SECTION, someKeyConfig, CURRENT_CONFIG_LABEL, true);
+
+    IllegalStateException illegalStateException =
+        assertThrows(IllegalStateException.class, this::objectUnderTest);
+
+    assertEquals(
+        String.format(
+            "Configuration error. Missing %s.%s for key-id '%s'",
+            CONF_KEY_SECTION, PASSWORD_DEVICE_CONFIG_LABEL, someKeyConfig),
+        illegalStateException.getMessage());
+  }
+
   private GitHubOAuthConfig objectUnderTest() {
     return new GitHubOAuthConfig(config, canonicalWebUrl);
   }