AuthConfig: Disallow invalid combination of auth.type and auth.gitBasicAuthPolicy

Add checks and throw an invalid state exception when an invalid
combination of auth.gitBasicAuthPolicy and auth.type is detected.

- When auth.gitBasicAuthPolicy is HTTP_LDAP, the auth.type should be
  either LDAP or LDAP_BIND.

- When auth.gitBasicAuthPolicy is OAUTH, auth.type should be OAUTH.

Also add missing reference to LDAP_BIND in the documentation.

Bug: Issue 7086
Change-Id: I4917a45a8ea21af7afa870900caa29224fd0606e

Documentation/config-gerrit.txt

@@ -537,7 +537,7 @@ By default this is set to false.
 
 [[auth.gitBasicAuthPolicy]]auth.gitBasicAuthPolicy::
 +
-When `auth.type` is `LDAP` or `OAUTH`, it allows using either the generated
+When `auth.type` is `LDAP`, `LDAP_BIND` or `OAUTH`, it allows using either the generated
 HTTP password, the LDAP or OAUTH password, or a combination of HTTP and LDAP
 authentication, to authenticate Git over HTTP and REST API requests.
 The supported values are:

gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java

@@ -96,6 +96,16 @@ public class AuthConfig {
     userNameToLowerCase = cfg.getBoolean("auth", "userNameToLowerCase", false);
     allowRegisterNewEmail = cfg.getBoolean("auth", "allowRegisterNewEmail", true);
 
+    if (gitBasicAuthPolicy == GitBasicAuthPolicy.HTTP_LDAP
+        && authType != AuthType.LDAP
+        && authType != AuthType.LDAP_BIND) {
+      throw new IllegalStateException(
+          "use auth.gitBasicAuthPolicy HTTP_LDAP only with auth.type LDAP or LDAP_BIND");
+    } else if (gitBasicAuthPolicy == GitBasicAuthPolicy.OAUTH && authType != AuthType.OAUTH) {
+      throw new IllegalStateException(
+          "use auth.gitBasicAuthPolicy OAUTH only with auth.type OAUTH");
+    }
+
     String key = cfg.getString("auth", null, "registerEmailPrivateKey");
     if (key != null && !key.isEmpty()) {
       int age =