s1651 - Added caching to GMSClient

projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java

@@ -68,6 +68,17 @@
  */
 package ca.nrc.cadc.ac.server.ldap;
 
+import java.security.AccessControlException;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Date;
+import java.util.List;
+
+import javax.security.auth.x500.X500Principal;
+
+import org.apache.log4j.Logger;
+
 import ca.nrc.cadc.ac.ActivatedGroup;
 import ca.nrc.cadc.ac.Group;
 import ca.nrc.cadc.ac.GroupAlreadyExistsException;
@@ -76,6 +87,7 @@ import ca.nrc.cadc.ac.Role;
 import ca.nrc.cadc.ac.User;
 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.net.TransientException;
+
 import com.unboundid.ldap.sdk.AddRequest;
 import com.unboundid.ldap.sdk.Attribute;
 import com.unboundid.ldap.sdk.DN;
@@ -90,15 +102,6 @@ import com.unboundid.ldap.sdk.SearchResult;
 import com.unboundid.ldap.sdk.SearchResultEntry;
 import com.unboundid.ldap.sdk.SearchScope;
 import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl;
-import java.security.AccessControlException;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Date;
-import java.util.List;
-import java.util.logging.Level;
-import javax.security.auth.x500.X500Principal;
-import org.apache.log4j.Logger;
 
 public class LdapGroupDAO<T extends Principal> extends LdapDAO
 {
@@ -112,9 +115,6 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
             "(version 3.0;acl \"Group Write\";allow " + 
             "(read,compare,search,selfwrite,write,add)" + 
             "(groupdn = \"ldap:///<ACTUAL_GROUP>\");)";
-    private static final String PUB_GROUP_ACI = "(targetattr = \"*\") " + 
-            "(version 3.0;acl \"Group Public\";" + 
-            "allow (read,compare,search)userdn=\"ldap:///all\";)";
     
     private LdapUserDAO<T> userPersist;
 
@@ -185,7 +185,6 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
                             new ActivatedGroup(modifiedGroup.getID(),
                                                modifiedGroup.getOwner());
                     activatedGroup.description = modifiedGroup.description;
-                    activatedGroup.publicRead = modifiedGroup.publicRead;
                     activatedGroup.groupRead = modifiedGroup.groupRead;
                     activatedGroup.groupWrite = modifiedGroup.groupWrite;
                     activatedGroup.getProperties()
@@ -240,10 +239,6 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
 
                 // acis
                 List<String> acis = new ArrayList<String>();
-                if (group.publicRead)
-                {
-                    acis.add(PUB_GROUP_ACI);
-                }
                 if (groupWriteAci != null)
                 {
                     acis.add(groupWriteAci);
@@ -428,10 +423,6 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
                             Group groupWrite = getGroup(grWrite.trim());
                             ldapGroup.groupWrite = groupWrite;
                         }
-                        else if (aci.equals(PUB_GROUP_ACI))
-                        {
-                            ldapGroup.publicRead = true;
-                        }
                     }
                 }
             }
@@ -529,10 +520,6 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
                                              writeGrDN.toNormalizedString()));
         }
 
-        if (newGroup.publicRead)
-        {
-            acis.add(PUB_GROUP_ACI);
-        }
         modifs.add(new Modification(ModificationType.REPLACE, "aci", (String[]) 
                                     acis.toArray(new String[acis.size()])));
 
@@ -645,8 +632,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
         }
         
         if (group.groupRead != null || 
-            group.groupWrite != null || 
-            group.publicRead)
+            group.groupWrite != null)
         {
             modifs.add(new Modification(ModificationType.DELETE, "aci"));
         }

projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAOTest.java

@@ -34,17 +34,24 @@
 
 package ca.nrc.cadc.ac.server.ldap;
 
-import ca.nrc.cadc.ac.ActivatedGroup;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
+import java.security.AccessControlException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Collection;
+import java.util.Set;
 
 import javax.security.auth.Subject;
 import javax.security.auth.x500.X500Principal;
 
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.junit.BeforeClass;
 import org.junit.Test;
 
+import ca.nrc.cadc.ac.ActivatedGroup;
 import ca.nrc.cadc.ac.Group;
 import ca.nrc.cadc.ac.GroupAlreadyExistsException;
 import ca.nrc.cadc.ac.GroupNotFoundException;
@@ -53,14 +60,6 @@ import ca.nrc.cadc.ac.Role;
 import ca.nrc.cadc.ac.User;
 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.util.Log4jInit;
-import java.security.AccessControlException;
-import java.security.Principal;
-import java.util.Collection;
-import java.util.Set;
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-import static org.junit.Assert.fail;
-import org.junit.BeforeClass;
 
 public class LdapGroupDAOTest
 {
@@ -177,15 +176,6 @@ public class LdapGroupDAOTest
                     actualGroup = getGroupDAO().modifyGroup(expectGroup);
                     assertGroupsEqual(expectGroup, actualGroup);
 
-                    // publicRead
-                    expectGroup.publicRead = true;
-                    actualGroup = getGroupDAO().modifyGroup(expectGroup);
-                    assertGroupsEqual(expectGroup, actualGroup);
-                    
-                    expectGroup.publicRead = false;
-                    actualGroup = getGroupDAO().modifyGroup(expectGroup);
-                    assertGroupsEqual(expectGroup, actualGroup);
-
                     // userMembers
                     expectGroup.getUserMembers().add(daoTestUser2);
                     actualGroup = getGroupDAO().modifyGroup(expectGroup);
@@ -208,7 +198,6 @@ public class LdapGroupDAOTest
                     expectGroup.description = "Happy testing";
                     expectGroup.groupRead = otherGroup;
                     expectGroup.groupWrite = otherGroup;
-                    expectGroup.publicRead = true;
                     expectGroup.getUserMembers().add(daoTestUser2);
                     expectGroup.getGroupMembers().add(otherGroup);
                     
@@ -662,7 +651,6 @@ public class LdapGroupDAOTest
         {
             assertTrue(gr2.getUserMembers().contains(user));
         }
-        assertEquals(gr1.publicRead, gr2.publicRead);
         assertEquals(gr1.groupRead, gr2.groupRead);
         assertEquals(gr1.groupWrite, gr2.groupWrite);
         assertEquals(gr1.groupWrite, gr2.groupWrite);

projects/cadcAccessControl/build.xml

@@ -88,13 +88,14 @@
     <property name="project"    value="cadcAccessControl" />
 
     <property name="cadcUtil"           value="${lib}/cadcUtil.jar" />
+	<property name="cadcRegistryClient" value="${lib}/cadcRegistryClient.jar" />
     
     <property name="jdom2"      value="${ext.lib}/jdom2.jar" />
     <property name="log4j"      value="${ext.lib}/log4j.jar" />
     <property name="unboundid"  value="${ext.lib}/unboundid-ldapsdk-se.jar" />
 
 
-    <property name="jars" value="${cadcUtil}:${jdom2}:${log4j}:${unboundid}" />
+    <property name="jars" value="${cadcUtil}:${cadcRegistryClient}:${jdom2}:${log4j}:${unboundid}" />
     
     <target name="build" depends="compile">
         <jar jarfile="${build}/lib/${project}.jar"
@@ -114,30 +115,4 @@
     
     <property name="testingJars" value="${build}/class:${jars}:${xerces}:${asm}:${cglib}:${easymock}:${junit}:${objenesis}" />
 
-    <target name="test" depends="compile-test">
-        <echo message="Running test" />
-
-        <!-- Run the junit test suite -->
-        <echo message="Running test suite..." />
-        <junit printsummary="yes" haltonfailure="yes" fork="yes">
-            <classpath>
-                <pathelement path="${build}/class"/>
-                <pathelement path="${build}/test/class"/>
-                <pathelement path="${testingJars}"/>
-            </classpath>
-            <test name="ca.nrc.cadc.ac.GroupTest" />
-            <test name="ca.nrc.cadc.ac.GroupPropertyTest" />
-            <test name="ca.nrc.cadc.ac.GroupPropertyReaderWriterTest" />
-            <test name="ca.nrc.cadc.ac.GroupReaderWriterTest" />
-            <test name="ca.nrc.cadc.ac.IdentityReaderWriterTest" />
-            <test name="ca.nrc.cadc.ac.PersonalDetailsTest" />
-            <test name="ca.nrc.cadc.ac.PosixDetailsTest" />
-            <test name="ca.nrc.cadc.ac.UserDetailsReaderWriterTest" />
-            <test name="ca.nrc.cadc.ac.UserReaderWriterTest" />
-            <test name="ca.nrc.cadc.ac.UserTest" />
-            
-            <formatter type="plain" usefile="false" />
-        </junit>
-    </target>
-
 </project>

projects/cadcAccessControl/src/ca/nrc/cadc/ac/AC.java

@@ -85,13 +85,9 @@ public class AC
     // Denotes a group readable by public
     public static final String PROPERTY_PUBLIC = "ivo://ivoa.net/gms#public";
     
-    public static final String GMS_SERVICE_URI = "ivo://cadc.nrc.ca/ac";
+    public static final String GMS_SERVICE_URI = "ivo://cadc.nrc.ca/gms";
     
     // Group URI attribute once the group name is appended
     public static final String GROUP_URI = "ivo://cadc.nrc.ca/gms#";
     
-//    public static final String ID_TYPE_X500 = "X500";
-//    public static final String ID_TYPE_OPENID = "OpenID";
-//    public static final String ID_TYPE_USERNAME = "HTTP";
-//    public static final String ID_TYPE_UID = "UID";
 }

projects/cadcAccessControl/src/ca/nrc/cadc/ac/Group.java

@@ -104,12 +104,6 @@ public class Group
      */
     public Group groupWrite;
     
-    /**
-     * flag that show whether the details of this group are publicly readable
-     * Note: this class does not enforce any access control rules
-     */
-    public boolean publicRead = false;
-    
     /**
      * Ctor.
      * 

projects/cadcAccessControl/src/ca/nrc/cadc/ac/GroupReader.java

@@ -68,8 +68,6 @@
  */
 package ca.nrc.cadc.ac;
 
-import ca.nrc.cadc.date.DateUtil;
-import ca.nrc.cadc.xml.XmlUtil;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -81,11 +79,14 @@ import java.security.Principal;
 import java.text.DateFormat;
 import java.text.ParseException;
 import java.util.List;
-import java.util.Set;
+
 import org.jdom2.Document;
 import org.jdom2.Element;
 import org.jdom2.JDOMException;
 
+import ca.nrc.cadc.date.DateUtil;
+import ca.nrc.cadc.xml.XmlUtil;
+
 public class GroupReader
 {
 
@@ -238,13 +239,6 @@ public class GroupReader
 
         }
         
-        // publicRead
-        Element publicReadElement = groupElement.getChild("publicRead");
-        if (publicReadElement != null)
-        {
-            group.publicRead = Boolean.valueOf(publicReadElement.getText());
-        }
-
         // properties
         Element propertiesElement = groupElement.getChild("properties");
         if (propertiesElement != null)

projects/cadcAccessControl/src/ca/nrc/cadc/ac/GroupWriter.java

@@ -68,8 +68,6 @@
  */
 package ca.nrc.cadc.ac;
 
-import ca.nrc.cadc.date.DateUtil;
-import ca.nrc.cadc.util.StringBuilderWriter;
 import java.io.BufferedWriter;
 import java.io.IOException;
 import java.io.OutputStream;
@@ -78,13 +76,16 @@ import java.io.UnsupportedEncodingException;
 import java.io.Writer;
 import java.security.Principal;
 import java.text.DateFormat;
-import java.util.Set;
+
 import org.jdom2.Attribute;
 import org.jdom2.Document;
 import org.jdom2.Element;
 import org.jdom2.output.Format;
 import org.jdom2.output.XMLOutputter;
 
+import ca.nrc.cadc.date.DateUtil;
+import ca.nrc.cadc.util.StringBuilderWriter;
+
 public class GroupWriter
 {
     /**
@@ -181,11 +182,6 @@ public class GroupWriter
                 groupElement.addContent(descriptionElement);
             }
 
-            // Group publicRead
-            Element publicReadElement = new Element("publicRead");
-            publicReadElement.setText(String.valueOf(group.publicRead));
-            groupElement.addContent(publicReadElement);
-
             // lastModified
             if (group.lastModified != null)
             {

projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/GMSClient.java

@@ -79,10 +79,10 @@ import java.security.AccessControlContext;
 import java.security.AccessControlException;
 import java.security.AccessController;
 import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collection;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 import javax.net.ssl.HttpsURLConnection;
@@ -108,8 +108,6 @@ import ca.nrc.cadc.net.NetUtil;
 
 /**
  * Client class for communicating with the access control web service.
- * 
- * TODO: Cache the group memberships using getCachedGroups(), setCachedGroups()
  */
 public class GMSClient
 {
@@ -652,6 +650,12 @@ public class GMSClient
             throw new IllegalArgumentException("userID and role are required.");
         }
         
+        List<Group> cachedGroups = getCachedGroups(userID, role);
+        if (cachedGroups != null)
+        {
+            return cachedGroups;
+        }
+        
         String idType = AuthenticationUtil.getPrincipalType(userID);
         String id = userID.getName();
         String roleString = role.getValue();
@@ -697,7 +701,9 @@ public class GMSClient
         {
             String groupsXML = new String(out.toByteArray(), "UTF-8");
             log.debug("getMemberships returned: " + groupsXML);
-            return GroupsReader.read(groupsXML);
+            List<Group> groups = GroupsReader.read(groupsXML);
+            setCachedGroups(userID, groups, role);
+            return groups;
         }
         catch (Exception bug)
         {
@@ -720,6 +726,20 @@ public class GMSClient
             throw new IllegalArgumentException("userID and role are required.");
         }
         
+        List<Group> cachedGroups = getCachedGroups(userID, role);
+        if (cachedGroups != null)
+        {
+            int index = cachedGroups.indexOf(groupName);
+            if (index != -1)
+            {
+                return cachedGroups.get(index);
+            }
+            else
+            {
+                return null;
+            }
+        }
+        
         String idType = AuthenticationUtil.getPrincipalType(userID);
         String id = userID.getName();
         String roleString = role.getValue();
@@ -730,7 +750,7 @@ public class GMSClient
         searchGroupURL.append("ID=" + URLEncoder.encode(id, "UTF-8"));
         searchGroupURL.append("&TYPE=" + URLEncoder.encode(idType, "UTF-8"));
         searchGroupURL.append("&ROLE=" + URLEncoder.encode(roleString, "UTF-8"));
-        searchGroupURL.append("&GURI=" + URLEncoder.encode(groupName, "UTF-8"));
+        searchGroupURL.append("&GROUPID=" + URLEncoder.encode(groupName, "UTF-8"));
         
         log.debug("getMembership request to " + searchGroupURL.toString());
         ByteArrayOutputStream out = new ByteArrayOutputStream();
@@ -773,6 +793,8 @@ public class GMSClient
             }
             if (groups.size() == 1)
             {
+                // don't cache these results as it is not a complete
+                // list of memberships--it only applies to one group.
                 return groups.get(0);
             }
             throw new IllegalStateException(
@@ -821,45 +843,83 @@ public class GMSClient
         return this.sslSocketFactory;
     }
 
-    protected Collection<Group> getCachedGroups()
+    protected List<Group> getCachedGroups(Principal userID, Role role)
     {
         AccessControlContext acContext = AccessController.getContext();
         Subject subject = Subject.getSubject(acContext);
-        if (subject != null)
+        
+        // only consult cache if the userID is of the calling subject
+        if (userIsSubject(userID, subject))
         {
-            Set groupCredentialSet = 
-                    subject.getPrivateCredentials(GroupCredentials.class);
+            
+            Set groupCredentialSet = subject.getPrivateCredentials(GroupMemberships.class);
             if ((groupCredentialSet != null) && 
                 (groupCredentialSet.size() == 1))
             {
                 Iterator i = groupCredentialSet.iterator();
-                return ((GroupCredentials) i.next()).groupMemberships;
+                GroupMemberships groupMemberships = ((GroupMemberships) i.next());
+                return groupMemberships.memberships.get(role);
             }
         }
         return null;
     }
 
-    protected void setCachedGroups(Collection<Group> groups)
+    protected void setCachedGroups(Principal userID, List<Group> groups, Role role)
     {
         AccessControlContext acContext = AccessController.getContext();
         Subject subject = Subject.getSubject(acContext);
-        if (subject != null)
+        
+        // only save to cache if the userID is of the calling subject
+        if (userIsSubject(userID, subject))
+        {
+            GroupMemberships groupCredentials = null;
+            Set groupCredentialSet = subject.getPrivateCredentials(GroupMemberships.class);
+            if ((groupCredentialSet != null) && 
+                (groupCredentialSet.size() == 1))
             {
-            GroupCredentials groupCredentials = new GroupCredentials();
-            groupCredentials.groupMemberships.addAll(groups);
+                Iterator i = groupCredentialSet.iterator();
+                groupCredentials = ((GroupMemberships) i.next());
+            }
+            else
+            {
+                groupCredentials = new GroupMemberships();
                 subject.getPrivateCredentials().add(groupCredentials);
             }
+            
+            groupCredentials.memberships.put(role,  groups);
+        }
+    }
+    
+    protected boolean userIsSubject(Principal userID, Subject subject)
+    {
+        if (userID == null || subject == null)
+        {
+            return false;
+        }
+        
+        Set<Principal> subjectPrincipals = subject.getPrincipals();
+        Iterator<Principal> i = subjectPrincipals.iterator();
+        Principal next = null;
+        while (i.hasNext())
+        {
+            next = i.next();
+            if (next.equals(userID))
+            {
+                return true;
+            }
+        }
+        return false;
     }
 
     /**
      * Class used to hold list of groups in which
      * a user is a member.
      */
-    protected class GroupCredentials
+    protected class GroupMemberships
     {
-        Collection<Group> groupMemberships = new ArrayList<Group>();
+        Map<Role, List<Group>> memberships = new HashMap<Role, List<Group>>();
 
-        protected GroupCredentials()
+        protected GroupMemberships()
         {
         }
 

projects/cadcAccessControl/test/src/ca/nrc/cadc/ac/GroupReaderWriterTest.java

@@ -68,18 +68,25 @@
  */
 package ca.nrc.cadc.ac;
 
-import ca.nrc.cadc.auth.HttpPrincipal;
-import ca.nrc.cadc.auth.NumericPrincipal;
-import ca.nrc.cadc.auth.OpenIdPrincipal;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.fail;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.Reader;
 import java.security.Principal;
 import java.util.Date;
+
 import javax.security.auth.x500.X500Principal;
+
 import org.apache.log4j.Logger;
 import org.junit.Test;
-import static org.junit.Assert.*;
+
+import ca.nrc.cadc.auth.HttpPrincipal;
+import ca.nrc.cadc.auth.NumericPrincipal;
+import ca.nrc.cadc.auth.OpenIdPrincipal;
 
 /**
  *
@@ -152,7 +159,6 @@ public class GroupReaderWriterTest
         Group expected = new Group("groupID", new User<Principal>(new HttpPrincipal("foo")));
         expected.description = "description";
         expected.lastModified = new Date();
-        expected.publicRead = true;
         expected.properties.add(new GroupProperty("key", "value", true));
         
         Group readGroup = new Group("read", new User<Principal>(new X500Principal("cn=foo,o=ca")));
@@ -174,7 +180,6 @@ public class GroupReaderWriterTest
         assertEquals(expected, actual);
         assertEquals(expected.description, actual.description);
         assertEquals(expected.lastModified, actual.lastModified);
-        assertEquals(expected.publicRead, actual.publicRead);
         assertEquals(expected.getProperties(), actual.getProperties());
         assertEquals(expected.groupRead, actual.groupRead);
         assertEquals(expected.groupWrite, actual.groupWrite);

projects/cadcAccessControl/test/src/ca/nrc/cadc/ac/GroupTest.java

@@ -68,9 +68,13 @@
  */
 package ca.nrc.cadc.ac;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 import org.apache.log4j.Logger;
 import org.junit.Test;
-import static org.junit.Assert.*;
 
 import ca.nrc.cadc.auth.HttpPrincipal;
 
@@ -125,10 +129,6 @@ public class GroupTest
         assertEquals(group3.hashCode(), group4.hashCode());
         assertEquals(group3,group4);
         
-        group3.publicRead = true;
-        assertEquals(group3.hashCode(), group4.hashCode());
-        assertEquals(group3,group4);
-        
         group4 = new Group("NewTestGroup-._~.", owner);
         assertFalse(group3.hashCode() == group4.hashCode());
         assertFalse(group3.equals(group4));

projects/cadcAccessControl/test/src/ca/nrc/cadc/ac/client/GMSClientTest.java

+/*
+ ************************************************************************
+ *******************  CANADIAN ASTRONOMY DATA CENTRE  *******************
+ **************  CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES  **************
+ *
+ *  (c) 2014.                            (c) 2014.
+ *  Government of Canada                 Gouvernement du Canada
+ *  National Research Council            Conseil national de recherches
+ *  Ottawa, Canada, K1A 0R6              Ottawa, Canada, K1A 0R6
+ *  All rights reserved                  Tous droits réservés
+ *
+ *  NRC disclaims any warranties,        Le CNRC dénie toute garantie
+ *  expressed, implied, or               énoncée, implicite ou légale,
+ *  statutory, of any kind with          de quelque nature que ce
+ *  respect to the software,             soit, concernant le logiciel,
+ *  including without limitation         y compris sans restriction
+ *  any warranty of merchantability      toute garantie de valeur
+ *  or fitness for a particular          marchande ou de pertinence
+ *  purpose. NRC shall not be            pour un usage particulier.
+ *  liable in any event for any          Le CNRC ne pourra en aucun cas
+ *  damages, whether direct or           être tenu responsable de tout
+ *  indirect, special or general,        dommage, direct ou indirect,
+ *  consequential or incidental,         particulier ou général,
+ *  arising from the use of the          accessoire ou fortuit, résultant
+ *  software.  Neither the name          de l'utilisation du logiciel. Ni
+ *  of the National Research             le nom du Conseil National de
+ *  Council of Canada nor the            Recherches du Canada ni les noms
+ *  names of its contributors may        de ses  participants ne peuvent
+ *  be used to endorse or promote        être utilisés pour approuver ou
+ *  products derived from this           promouvoir les produits dérivés
+ *  software without specific prior      de ce logiciel sans autorisation
+ *  written permission.                  préalable et particulière
+ *                                       par écrit.
+ *
+ *  This file is part of the             Ce fichier fait partie du projet
+ *  OpenCADC project.                    OpenCADC.
+ *
+ *  OpenCADC is free software:           OpenCADC est un logiciel libre ;
+ *  you can redistribute it and/or       vous pouvez le redistribuer ou le
+ *  modify it under the terms of         modifier suivant les termes de
+ *  the GNU Affero General Public        la “GNU Affero General Public
+ *  License as published by the          License” telle que publiée
+ *  Free Software Foundation,            par la Free Software Foundation
+ *  either version 3 of the              : soit la version 3 de cette
+ *  License, or (at your option)         licence, soit (à votre gré)
+ *  any later version.                   toute version ultérieure.
+ *
+ *  OpenCADC is distributed in the       OpenCADC est distribué
+ *  hope that it will be useful,         dans l’espoir qu’il vous
+ *  but WITHOUT ANY WARRANTY;            sera utile, mais SANS AUCUNE
+ *  without even the implied             GARANTIE : sans même la garantie
+ *  warranty of MERCHANTABILITY          implicite de COMMERCIALISABILITÉ
+ *  or FITNESS FOR A PARTICULAR          ni d’ADÉQUATION À UN OBJECTIF
+ *  PURPOSE.  See the GNU Affero         PARTICULIER. Consultez la Licence
+ *  General Public License for           Générale Publique GNU Affero
+ *  more details.                        pour plus de détails.
+ *
+ *  You should have received             Vous devriez avoir reçu une
+ *  a copy of the GNU Affero             copie de la Licence Générale
+ *  General Public License along         Publique GNU Affero avec
+ *  with OpenCADC.  If not, see          OpenCADC ; si ce n’est
+ *  <http://www.gnu.org/licenses/>.      pas le cas, consultez :
+ *                                       <http://www.gnu.org/licenses/>.
+ *
+ *  $Revision: 4 $
+ *
+ ************************************************************************
+ */
+
+package ca.nrc.cadc.ac.client;
+
+import java.net.URI;
+import java.net.URL;
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.security.auth.Subject;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.junit.Assert;
+import org.junit.Test;
+
+import ca.nrc.cadc.ac.AC;
+import ca.nrc.cadc.ac.Group;
+import ca.nrc.cadc.ac.Role;
+import ca.nrc.cadc.auth.HttpPrincipal;
+import ca.nrc.cadc.reg.client.RegistryClient;
+import ca.nrc.cadc.util.Log4jInit;
+
+public class GMSClientTest
+{
+    
+    private static final Logger log = Logger.getLogger(GMSClientTest.class);
+    
+    public GMSClientTest()
+    {
+        Log4jInit.setLevel("ca.nrc.cadc.ac", Level.INFO);
+    }
+    
+    @Test
+    public void testGroupCaching()
+    {
+        try
+        {
+            Subject subject = new Subject();
+            final HttpPrincipal userID = new HttpPrincipal("test");
+            subject.getPrincipals().add(userID);
+
+            Subject.doAs(subject, new PrivilegedExceptionAction<Object>()
+                {
+                    @Override
+                    public Object run() throws Exception
+                    {
+                        RegistryClient regClient = new RegistryClient();
+                        URL baseURL = regClient.getServiceURL(new URI(AC.GMS_SERVICE_URI));
+                        GMSClient client = new GMSClient(baseURL.toString());
+
+                        List<Group> initial = client.getCachedGroups(userID, Role.MEMBER);
+                        Assert.assertNull("Cache should be null", initial);
+
+                        List<Group> expected = new ArrayList<Group>();
+                        Group group1 = new Group("1");
+                        Group group2 = new Group("2");
+                        expected.add(group1);
+                        expected.add(group2);
+
+                        client.setCachedGroups(userID, expected, Role.MEMBER);
+
+                        List<Group> actual = client.getCachedGroups(userID, Role.MEMBER);
+                        Assert.assertEquals("Wrong cached groups", expected, actual);
+                        
+                        // check against another role
+                        actual = client.getCachedGroups(userID, Role.OWNER);
+                        Assert.assertNull("Cache should be null", actual);
+                        
+                        // check against another userid
+                        final HttpPrincipal userID2 = new HttpPrincipal("test2");
+                        actual = client.getCachedGroups(userID2, Role.MEMBER);
+                        Assert.assertNull("Cache should be null", actual);
+
+                        return null;
+                    }
+                });
+
+            // do the same without a subject
+            RegistryClient regClient = new RegistryClient();
+            URL baseURL = regClient.getServiceURL(new URI(AC.GMS_SERVICE_URI));
+            GMSClient client = new GMSClient(baseURL.toString());
+
+            List<Group> initial = client.getCachedGroups(userID, Role.MEMBER);
+            Assert.assertNull("Cache should be null", initial);
+
+            List<Group> newgroups = new ArrayList<Group>();
+            Group group1 = new Group("1");
+            Group group2 = new Group("2");
+            newgroups.add(group1);
+            newgroups.add(group2);
+
+            client.setCachedGroups(userID, newgroups, Role.MEMBER);
+
+            List<Group> actual = client.getCachedGroups(userID, Role.MEMBER);
+            Assert.assertNull("Cache should still be null", actual);
+        }
+
+        catch (Throwable t)
+        {
+            log.error("Unexpected exception", t);
+            Assert.fail("Unexpected exception: " + t.getMessage());
+        }
+    }
+
+}