Merge branch 's1651' of /usr/cadc/dev/git/wopencadc into s1651

projects/cadcAccessControl-Server/build.xml

@@ -141,10 +141,10 @@
                 <pathelement path="${build}/test/class"/>
                 <pathelement path="${testingJars}"/>
             </classpath>
-            <!--<test name="ca.nrc.cadc.ac.server.ldap.LdapDAOTest" />-->
+            <test name="ca.nrc.cadc.ac.server.ldap.LdapDAOTest" />
             <test name="ca.nrc.cadc.ac.server.ldap.LdapGroupDAOTest" />
-            <!--<test name="ca.nrc.cadc.ac.server.web.GroupActionFactoryTest" />-->
-            <!--<test name="ca.nrc.cadc.ac.server.ldap.LdapUserDAOTest" />-->
+            <test name="ca.nrc.cadc.ac.server.web.GroupActionFactoryTest" />
+            <test name="ca.nrc.cadc.ac.server.ldap.LdapUserDAOTest" />
             <formatter type="plain" usefile="false" />
         </junit>
     </target>

projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapDAO.java

@@ -212,7 +212,7 @@ public abstract class LdapDAO
         {
             throw new AccessControlException("Invalid credentials " + msg);
         }
-        else if (code == ResultCode.SUCCESS)
+        else if ((code == ResultCode.SUCCESS) || (code == ResultCode.NO_SUCH_OBJECT) )
         {
             // all good. nothing to do
         }

projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java

@@ -345,7 +345,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
     {
         String [] attributes = new String[] {"entrydn", "cn", "description", 
                                              "owner", "uniquemember", 
-                                             "modifytimestamp"};
+                                             "modifytimestamp", "nsaccountlock"};
         return getGroup(groupDN, groupID, withMembers, attributes);
     }
     
@@ -366,10 +366,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
     {
         try
         {
-            Filter filter = Filter.createANDFilter(
-                    Filter.createEqualityFilter("cn", groupID),
-                    Filter.createNOTFilter(
-                        Filter.createEqualityFilter("nsaccountlock", "TRUE")));
+            Filter filter = Filter.createEqualityFilter("cn", groupID);
             
             SearchRequest searchRequest = 
                     new SearchRequest(groupDN.toNormalizedString(), 
@@ -386,11 +383,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
             }
             catch (LDAPSearchException e)
             {
-                if (e.getResultCode() == ResultCode.AUTHORIZATION_DENIED)
-                {
-                    throw new AccessControlException("Unauthorized to access group " + groupID);
-                }
-                else if (e.getResultCode() == ResultCode.NO_SUCH_OBJECT)
+                if (e.getResultCode() == ResultCode.NO_SUCH_OBJECT)
                 {
                     String msg = "Group not found " + groupID;
                     logger.debug(msg);
@@ -398,23 +391,34 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
                 }
                 else
                 {
-                    throw new RuntimeException("Unknown LDAP exception: " + e.getResultCode());
+                    LdapDAO.checkLdapResult(e.getResultCode(), e.getMessage());
                 }
             }
             
             if (searchResult.getEntryCount() == 0)
             {
-                // deleted groups?
-                String msg = "Group not found " + groupID;
+                LdapDAO.checkLdapResult(searchResult.getResultCode(), null);
+                //access denied
+                String msg = "Not authorized to access " + groupID;
                 logger.debug(msg);
-                throw new GroupNotFoundException(groupID);
+                throw new AccessControlException(groupID);
             }
             
             if (searchResult.getEntryCount() >1)
             {
                 throw new RuntimeException("BUG: multiple results when retrieving group " + groupID);
             }
+            
             SearchResultEntry searchEntry = searchResult.getSearchEntries().get(0);
+            
+            if (searchEntry.getAttribute("nsaccountlock") != null)
+            {
+                // deleted group
+                String msg = "Group not found " + groupID;
+                logger.debug(msg);
+                throw new GroupNotFoundException(groupID);
+            }
+            
             String groupCN = searchEntry.getAttributeValue("cn");
             DN groupOwner = searchEntry.getAttributeValueAsDN("owner");
             

projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAOTest.java

@@ -558,7 +558,28 @@ public class LdapGroupDAOTest
         {
             public Object run() throws Exception
             {
-                getGroupDAO().deleteGroup(groupID);
+                try
+                {                    
+                    getGroupDAO().getGroup(groupID);
+                    //fail("getGroup with anonymous access should throw " + 
+                    //     "AccessControlException");
+                }
+                catch (AccessControlException ignore) {}
+                return null;
+            }
+        });
+        
+        Subject.doAs(daoTestUser2Subject, new PrivilegedExceptionAction<Object>()
+        {
+            public Object run() throws Exception
+            {
+                try
+                {                    
+                    getGroupDAO().getGroup(groupID);
+                    fail("getGroup with anonymous access should throw " + 
+                         "AccessControlException");
+                }
+                catch (AccessControlException ignore) {}
                 return null;
             }
         });
@@ -729,10 +750,10 @@ public class LdapGroupDAOTest
                     Group group = getGroupDAO().getGroup(groupID);
                     assertTrue(group == null);
                     
-                    fail("searchGroups with unknown user should throw " + 
-                         "GroupNotFoundException");
+                    fail("searchGroups with un-authorized user should throw " + 
+                         "AccessControlException");
                 }
-                catch (GroupNotFoundException ignore) 
+                catch (AccessControlException ignore) 
                 {
 
                 }

projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/GMSClient.java

@@ -86,6 +86,7 @@ import java.util.Map;
 import java.util.Set;
 
 import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLSocketFactory;
 import javax.security.auth.Subject;
 
@@ -380,14 +381,24 @@ public class GMSClient
             ((HttpsURLConnection) conn)
                     .setSSLSocketFactory(getSSLSocketFactory());
         }
-        int responseCode = conn.getResponseCode();
+        int responseCode = -1;
+        try
+        {
+            responseCode = conn.getResponseCode();
+        }
+        catch(SSLHandshakeException e)
+        {
+            throw new AccessControlException(e.getMessage());
+        }
+        
         if (responseCode != 200)
         {
             String errMessage = NetUtil.getErrorBody(conn);
             log.debug("deleteGroup response " + responseCode + ": " + 
                       errMessage);
 
-            if ((responseCode == 401) || (responseCode == 403))
+            if ((responseCode == 401) || (responseCode == 403) || 
+                    (responseCode == -1))
             {
                 throw new AccessControlException(errMessage);
             }