Merge branch 'stable-2.12'

* stable-2.12:
  Document that ldap.groupBase and ldap.accountBase are repeatable
  Put Change-Id after Test: footers in commit messages.
  Remove bucklets/local_jar.bucklet soft-link to removed lib/local.defs
  Normalize case of {Author,Committer}Predicate
  OAuth-Linking: Don't create new account when claimed identity unknown
  Update 2.11.5 release notes to mention forked buck
  Revert "Update buck to ba9f239f69287a553ca93af76a27484d83693563"

Change-Id: I46c53b5c43ecbdc4d63cb03da25c35737b2c5afd

Author: EdwinKempin

Documentation/config-gerrit.txt

@@ -2561,6 +2561,9 @@ server to respond until the TCP connection times out.
 +
 Root of the tree containing all user accounts.  This is typically
 of the form `ou=people,dc=example,dc=com`.
++
+This setting may be added multiple times to specify more than
+one root.
 
 [[ldap.accountScope]]ldap.accountScope::
 +
@@ -2672,6 +2675,9 @@ Active Directory.
 +
 Root of the tree containing all group objects.  This is typically
 of the form `ou=groups,dc=example,dc=com`.
++
+This setting may be added multiple times to specify more than
+one root.
 
 [[ldap.groupScope]]ldap.groupScope::
 +

ReleaseNotes/ReleaseNotes-2.11.5.txt

@@ -9,6 +9,22 @@ https://gerrit-releases.storage.googleapis.com/gerrit-2.11.5.war]
 There are no schema changes from link:ReleaseNotes-2.11.4.html[2.11.4].
 
 
+Important Notes
+---------------
+
+*WARNING:* This release uses a forked version of buck.
+
+Buck was forked to cherry-pick an upstream fix for building on Mac OSX
+El Capitan.
+
+To build this release from source, the Google repository must be added to
+the remotes in the buck checkout:
+
+----
+ $ git remote add google https://gerrit.googlesource.com/buck
+----
+
+
 Bug Fixes
 ---------
 

bucklets/local_jar.bucklet

@@ -125,26 +125,41 @@ private void authenticateAndRedirect(HttpServletRequest req,
     try {
       String claimedIdentifier = user.getClaimedIdentity();
       Account.Id actualId = accountManager.lookup(user.getExternalId());
-      // Use case 1: claimed identity was provided during handshake phase
+      Account.Id claimedId = null;
+
+      // We try to retrieve claimed identity.
+      // For some reason, for example staging instance
+      // it may deviate from the really old OpenID identity.
+      // What we want to avoid in any event is to create new
+      // account instead of linking to the existing one.
+      // That why we query it here, not to lose linking mode.
       if (!Strings.isNullOrEmpty(claimedIdentifier)) {
-        log.debug("Claimed identity is set");
-        Account.Id claimedId = accountManager.lookup(claimedIdentifier);
-        if (claimedId != null && actualId != null) {
+        claimedId = accountManager.lookup(claimedIdentifier);
+        if (claimedId == null) {
+          log.debug("Claimed identity is unknown");
+        }
+      }
+
+      // Use case 1: claimed identity was provided during handshake phase
+      // and user account exists for this identity
+      if (claimedId != null) {
+        log.debug("Claimed identity is set and is known");
+        if (actualId != null) {
           if (claimedId.equals(actualId)) {
             // Both link to the same account, that's what we expected.
             log.debug("Both link to the same account. All is fine.");
           } else {
             // This is (for now) a fatal error. There are two records
-            // for what might be the same user.
-            //
+            // for what might be the same user. The admin would have to
+            // link the accounts manually.
             log.error("OAuth accounts disagree over user identity:\n"
                 + "  Claimed ID: " + claimedId + " is " + claimedIdentifier
                 + "\n" + "  Delgate ID: " + actualId + " is "
                 + user.getExternalId());
             rsp.sendError(HttpServletResponse.SC_FORBIDDEN);
             return;
           }
-        } else if (claimedId != null && actualId == null) {
+        } else {
           // Claimed account already exists: link to it.
           log.debug("Claimed account already exists: link to it.");
           try {

gerrit-openid/src/main/java/com/google/gerrit/httpd/auth/openid/OAuthSessionOverOpenID.java

@@ -23,7 +23,7 @@
 
 public class AuthorPredicate extends IndexPredicate<ChangeData>  {
   AuthorPredicate(String value) {
-    super(AUTHOR, FIELD_AUTHOR, value);
+    super(AUTHOR, FIELD_AUTHOR, value.toLowerCase());
   }
 
   @Override

gerrit-server/src/main/java/com/google/gerrit/server/query/change/AuthorPredicate.java

@@ -23,7 +23,7 @@
 
 public class CommitterPredicate extends IndexPredicate<ChangeData>  {
   CommitterPredicate(String value) {
-    super(COMMITTER, FIELD_COMMITTER, value);
+    super(COMMITTER, FIELD_COMMITTER, value.toLowerCase());
   }
 
   @Override

gerrit-server/src/main/java/com/google/gerrit/server/query/change/CommitterPredicate.java

@@ -378,6 +378,10 @@ public void byAuthor() throws Exception {
     // By name part
     assertQuery("author:Author", change1);
 
+    // Case insensitive
+    assertQuery("author:jAuThOr", change1);
+    assertQuery("author:ExAmPlE", change1);
+
     // By non-existing email address / name / part
     assertQuery("author:jcommitter@example.com");
     assertQuery("author:somewhere.com");
@@ -401,6 +405,10 @@ public void byCommitter() throws Exception {
     // By name part
     assertQuery("committer:Committer", change1);
 
+    // Case insensitive
+    assertQuery("committer:jCoMmItTeR", change1);
+    assertQuery("committer:ExAmPlE", change1);
+
     // By non-existing email address / name / part
     assertQuery("committer:jauthor@example.com");
     assertQuery("committer:somewhere.com");