chore(3p/gerrit_plugins): init oauth

Add the OAuth gerrit plugin to our mini collection of Gerrit plugins.

This includes a patch to make the plugin work correctly with CAS 6.x,
which has changed the attributes into a JSON object with the attributes
nested inside, instead of a JSON list.

Change-Id: I4741f137cca9c8eb45b9ea660fb4cbf6962be9a4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2782
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>

third_party/gerrit_plugins/builder.nix

@@ -7,6 +7,7 @@
     overlayPluginCmd ? ''
       cp -R "${src}" "$out/plugins/${name}"
     '',
+    postPatch ? "",
   }: ((depot.third_party.gerrit.override {
     name = "${name}.jar";
 
@@ -24,5 +25,9 @@
     installPhase = ''
       cp "bazel-bin/plugins/${name}/${name}.jar" "$out"
     '';
+    postPatch = if super ? postPatch then ''
+      ${super.postPatch}
+      ${postPatch}
+    '' else postPatch;
   }));
 }

third_party/gerrit_plugins/oauth/cas-6x.patch

@@ -0,0 +1,41 @@
+diff --git a/src/main/java/com/googlesource/gerrit/plugins/oauth/CasApi.java b/src/main/java/com/googlesource/gerrit/plugins/oauth/CasApi.java
+index 450549f..27310cd 100644
+--- a/src/main/java/com/googlesource/gerrit/plugins/oauth/CasApi.java
++++ b/src/main/java/com/googlesource/gerrit/plugins/oauth/CasApi.java
+@@ -15,7 +15,7 @@
+ package com.googlesource.gerrit.plugins.oauth;
+ 
+ import com.github.scribejava.core.builder.api.DefaultApi20;
+-import com.github.scribejava.core.extractors.OAuth2AccessTokenExtractor;
++import com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor;
+ import com.github.scribejava.core.extractors.TokenExtractor;
+ import com.github.scribejava.core.model.OAuth2AccessToken;
+ import com.github.scribejava.core.oauth2.bearersignature.BearerSignature;
+@@ -47,6 +47,6 @@ public class CasApi extends DefaultApi20 {
+ 
+   @Override
+   public TokenExtractor<OAuth2AccessToken> getAccessTokenExtractor() {
+-    return OAuth2AccessTokenExtractor.instance();
++    return OAuth2AccessTokenJsonExtractor.instance();
+   }
+ }
+diff --git a/src/main/java/com/googlesource/gerrit/plugins/oauth/CasOAuthService.java b/src/main/java/com/googlesource/gerrit/plugins/oauth/CasOAuthService.java
+index 5f3e4a1..5594b26 100644
+--- a/src/main/java/com/googlesource/gerrit/plugins/oauth/CasOAuthService.java
++++ b/src/main/java/com/googlesource/gerrit/plugins/oauth/CasOAuthService.java
+@@ -135,6 +135,15 @@ class CasOAuthService implements OAuthServiceProvider {
+           property = getStringElement(obj, "login");
+           if (property != null) login = property;
+         }
++      } else if (attrListJson.isJsonObject()) {
++        JsonObject obj = attrListJson.getAsJsonObject();
++
++        String property = getStringElement(obj, "mail");
++        if (property != null) email = property;
++        property = getStringElement(obj, "displayName");
++        if (property != null) name = property;
++        property = getStringElement(obj, "uid");
++        if (property != null) login = property;
+       }
+ 
+       return new OAuthUserInfo(

third_party/gerrit_plugins/oauth/default.nix

@@ -0,0 +1,26 @@
+{ depot, pkgs, ... }@args:
+
+let
+  inherit (import ../builder.nix args) buildGerritBazelPlugin;
+in buildGerritBazelPlugin rec {
+  name = "oauth";
+  depsOutputHash = "sha256:0g0cga9s1bmzvii8nh372kdaxypc1rj0hlyhralwiyh67r4zlv2c";
+  src = pkgs.fetchgit {
+    url = "https://gerrit.googlesource.com/plugins/oauth";
+    rev = "4aa7322db5ec221b2419e12a9ec7af5b8c66659c";
+    sha256 = "1szra3pjl0axf4a7k96flpk7rhfvp37rdxay4gbglh939gzbba88";
+  };
+  overlayPluginCmd = ''
+    chmod +w "$out" "$out/plugins/external_plugin_deps.bzl"
+    cp -R "${src}" "$out/plugins/${name}"
+    cp "${src}/external_plugin_deps.bzl" "$out/plugins/external_plugin_deps.bzl"
+  '';
+
+  # The code in the OAuth repo expects CAS to return oauth2 access tokens as urlencoded.
+  # Our version of CAS returns them as JSON instead.
+  postPatch = ''
+    pushd plugins/oauth
+    patch -p1 <${./cas-6x.patch}
+    popd
+  '';
+}