Move registerEmailPrivateKey to secure.config

This is the last column in the system_config table that is needed by
the stand-alone daemon installation format. Later we can look into
dropping the entire system_config table.

Change-Id: I8448c79e959b465e370a10a7fa6751c200c1b1a0

8 files changed, 54 insertions, 78 deletions

diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index c8d17ed6..c7a45d56 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -165,6 +165,22 @@ to express their setting:
 +
 Default is -1, permitting infinite time between authentications.
 
+[[auth.maxRegisterEmailTokenAge]]auth.maxRegisterEmailTokenAge::
++
+Time in seconds before an email verification token sent to a user in
+order to validate their email address expires.
++
+* s, sec, second, seconds
+* m, min, minute, minutes
+* h, hr, hour, hours
+* d, day, days
+* w, week, weeks (`1 week` is treated as `7 days`)
+* mon, month, months (`1 month` is treated as `30 days`)
+* y, year, years (`1 year` is treated as `365 days`)
+
++
+Default is 5 days.
+
 [[auth.httpHeader]]auth.httpHeader::
 +
 HTTP header to trust the username from, or unset to select HTTP basic
@@ -1971,6 +1987,9 @@ be exposed to everyone.
 
 Sample `etc/secure.config`:
 ----
+[auth]
+  registerEmailPrivateKey = 2zHNrXE2bsoylzUqDxZp0H1cqUmjgWb6
+
 [database]
   username = webuser
   password = s3kr3t
@@ -2024,64 +2043,6 @@ Other files support site customization.
 * link:config-headerfooter.html[Site Header/Footer]
 * link:config-replication.html[Git Replication/Mirroring]
 
-Not User Serviceable
-~~~~~~~~~~~~~~~~~~~~
-
-These fields generally shouldn't be modified.
-
-register_email_private_key::
-+
-Private key used to sign the links emailed to users when they
-request to register a new email address on their user account.
-When the link is activated, the private key authenticates the link
-was created and sent by this Gerrit server, proving that the user
-can receive email at the address they are registering.
-+
-This column is automatically generated when the database is
-initialized.  Changing it to a new value would cause all current
-links to be invalidated.
-+
-Changing it is not recommended.
-
-admin_group_id::
-+
-Unique identity of the group with full privileges.  Any user who
-is a member of this group may manage any other group, any project,
-and other system settings over the web.
-+
-This is initialized by Gerrit to be the "Administrators" group.
-+
-Changing it is not recommended.
-
-anonymous_group_id::
-+
-Unique identity of the group for anonymous (not authenticated) users.
-+
-All users are a member of this group, whether or not they are
-actually signed in to Gerrit.  Any access rights assigned to
-this group are inherited by all users.
-+
-This is initialized by Gerrit to be the "Anonymous Users" group.
-+
-Changing it is not recommended.
-
-registered_group_id::
-+
-Unique identity of the group for all authenticated users.
-+
-All signed-in users are a member of this group.  Any access rights
-assigned to this group are inherited by all users once they have
-authenticated to Gerrit.
-+
-Since account registration is open and fairly easy to obtain,
-moving from the "Anonymous Users" group to this group is not
-very difficult.  Caution should be taken when assigning any
-permissions to this group.
-+
-This is initialized by Gerrit to be the "Registered Users" group.
-+
-Changing it is not recommended.
-
 GERRIT
 ------
 Part of link:index.html[Gerrit Code Review]
diff --git a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/InitAuth.java b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/InitAuth.java
index a5c7d9b2..a4007d5e 100644
--- a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/InitAuth.java
+++ b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/InitAuth.java
@@ -18,6 +18,7 @@ import static com.google.gerrit.pgm.init.InitUtil.dnOf;
 
 import com.google.gerrit.pgm.util.ConsoleUI;
 import com.google.gerrit.reviewdb.AuthType;
+import com.google.gwtjsonrpc.server.SignedToken;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 
@@ -80,5 +81,9 @@ class InitAuth implements InitStep {
         break;
       }
     }
+
+    if (auth.getSecure("registerEmailPrivateKey") == null) {
+      auth.setSecure("registerEmailPrivateKey", SignedToken.generateRandomKey());
+    }
   }
 }
diff --git a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/Section.java b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/Section.java
index 005904c2..02ed991a 100644
--- a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/Section.java
+++ b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/init/Section.java
@@ -126,7 +126,7 @@ class Section {
   }
 
   String password(final String username, final String password) {
-    final String ov = flags.sec.getString(section, null, password);
+    final String ov = getSecure(password);
 
     String user = flags.sec.getString(section, null, username);
     if (user == null) {
@@ -149,15 +149,23 @@ class Section {
 
     final String nv = ui.password("%s's password", user);
     if (!eq(ov, nv)) {
-      if (nv != null) {
-        flags.sec.setString(section, null, password, nv);
-      } else {
-        flags.sec.unset(section, null, password);
-      }
+      setSecure(password, nv);
     }
     return nv;
   }
 
+  String getSecure(String name) {
+    return flags.sec.getString(section, null, name);
+  }
+
+  void setSecure(String name, String value) {
+    if (value != null) {
+      flags.sec.setString(section, null, name, value);
+    } else {
+      flags.sec.unset(section, null, name);
+    }
+  }
+
   private static boolean eq(final String a, final String b) {
     if (a == null && b == null) {
       return true;
diff --git a/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/SystemConfig.java b/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/SystemConfig.java
index c5524ae1..e366a47a 100644
--- a/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/SystemConfig.java
+++ b/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/SystemConfig.java
@@ -52,10 +52,6 @@ public final class SystemConfig {
   @Column(id = 1)
   protected Key singleton;
 
-  /** Private key to sign account identification cookies. */
-  @Column(id = 2, length = 36)
-  public transient String registerEmailPrivateKey;
-
   /**
    * Local filesystem location of header/footer/CSS configuration files
    */
@@ -67,6 +63,9 @@ public final class SystemConfig {
   // but survive to support schema upgrade code.
 
   /** DEPRECATED DO NOT USE */
+  @Column(id = 2, length = 36, notNull = false)
+  public transient String registerEmailPrivateKey;
+  /** DEPRECATED DO NOT USE */
   @Column(id = 4, notNull = false)
   public AccountGroup.Id adminGroupId;
   /** DEPRECATED DO NOT USE */
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
index 50fc2051..a789546a 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
@@ -29,6 +29,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.concurrent.TimeUnit;
 
 /** Authentication related settings from {@code gerrit.config}. */
 @Singleton
@@ -54,7 +55,17 @@ public class AuthConfig {
     allowedOpenIDs = toPatterns(cfg, "allowedOpenID");
     cookiePath = cfg.getString("auth", null, "cookiepath");
     cookieSecure = cfg.getBoolean("auth", "cookiesecure", false);
-    emailReg = new SignedToken(5 * 24 * 60 * 60, s.registerEmailPrivateKey);
+
+    String key = cfg.getString("auth", null, "registerEmailPrivateKey");
+    if (key != null && !key.isEmpty()) {
+      int age = (int) ConfigUtil.getTimeUnit(cfg,
+          "auth", null, "maxRegisterEmailTokenAge",
+          TimeUnit.SECONDS.convert(5, TimeUnit.DAYS),
+          TimeUnit.SECONDS);
+      emailReg = new SignedToken(age, key);
+    } else {
+      emailReg = null;
+    }
 
     if (authType == AuthType.OPENID) {
       allowGoogleAccountUpgrade =
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaCreator.java b/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaCreator.java
index 4fa79ef5..08e9b556 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaCreator.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaCreator.java
@@ -36,7 +36,6 @@ import com.google.gerrit.server.git.GitRepositoryManager;
 import com.google.gerrit.server.git.MetaDataUpdate;
 import com.google.gerrit.server.git.NoReplication;
 import com.google.gerrit.server.git.ProjectConfig;
-import com.google.gwtjsonrpc.server.SignedToken;
 import com.google.gwtorm.client.OrmException;
 import com.google.gwtorm.jdbc.JdbcExecutor;
 import com.google.gwtorm.jdbc.JdbcSchema;
@@ -192,8 +191,6 @@ public class SchemaCreator {
         Collections.singleton(new AccountGroupName(owners)));
 
     final SystemConfig s = SystemConfig.create();
-    s.registerEmailPrivateKey = SignedToken.generateRandomKey();
-
     try {
       s.sitePath = site_path.getCanonicalPath();
     } catch (IOException e) {
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_57.java b/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_57.java
index f7ed79ed..2ae1b7a9 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_57.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_57.java
@@ -163,6 +163,7 @@ public class Schema_57 extends SchemaVersion {
     sc.ownerGroupId = new AccountGroup.Id(0);
     sc.batchUsersGroupId = new AccountGroup.Id(0);
     sc.batchUsersGroupUUID = new AccountGroup.UUID("DELETED");
+    sc.registerEmailPrivateKey = "DELETED";
 
     db.systemConfig().update(Collections.singleton(sc));
   }
diff --git a/gerrit-server/src/test/java/com/google/gerrit/server/schema/SchemaCreatorTest.java b/gerrit-server/src/test/java/com/google/gerrit/server/schema/SchemaCreatorTest.java
index 9ac88581..90cb0d34 100644
--- a/gerrit-server/src/test/java/com/google/gerrit/server/schema/SchemaCreatorTest.java
+++ b/gerrit-server/src/test/java/com/google/gerrit/server/schema/SchemaCreatorTest.java
@@ -78,11 +78,6 @@ public class SchemaCreatorTest extends TestCase {
       sitePath = sitePath.getParentFile();
     }
     assertEquals(sitePath.getAbsolutePath(), config.sitePath);
-
-    // This is randomly generated and should be at least 20 bytes long.
-    //
-    assertNotNull(config.registerEmailPrivateKey);
-    assertTrue(20 < config.registerEmailPrivateKey.length());
   }
 
   public void testSubsequentGetReads() throws OrmException {
@@ -92,7 +87,6 @@ public class SchemaCreatorTest extends TestCase {
 
     assertNotSame(exp, act);
     assertEquals(exp.sitePath, act.sitePath);
-    assertEquals(exp.registerEmailPrivateKey, act.registerEmailPrivateKey);
   }
 
   public void testCreateSchema_ApprovalCategory_CodeReview()