Merge branch 'ac2' into s1832

dbe9e244 · Adrian Damian · 0a9cb74b · 0245eee6 · dbe9e244 · dbe9e244
Commit dbe9e244 authored 9 years ago by Adrian Damian
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/UserPersistence.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/UserPersistence.java
@@ -82,41 +82,41 @@ public interface UserPersistence<T extends Principal>
 {
    /**
     * Get all user names.
-     * 
+     *
     * @return A collection of strings.
     * @throws TransientException If an temporary, unexpected problem occurred.
     * @throws AccessControlException If the operation is not permitted.
     */
    Collection<User<Principal>> getUsers()
            throws TransientException, AccessControlException;
-    
+
    /**
     * Add the new user.
     *
     * @param user      The user request to put into the request tree.
     *
     * @return User instance.
-     * 
+     *
     * @throws TransientException If an temporary, unexpected problem occurred.
     * @throws AccessControlException If the operation is not permitted.
     */
-    User<T> addUser(UserRequest<T> user)
+    void addUser(UserRequest<T> user)
        throws TransientException, AccessControlException,
               UserAlreadyExistsException;
-    
+
    /**
     * Get the user specified by userID.
     *
     * @param userID The userID.
     *
     * @return User instance.
-     * 
+     *
     * @throws UserNotFoundException when the user is not found.
     * @throws TransientException If an temporary, unexpected problem occurred.
     * @throws AccessControlException If the operation is not permitted.
     */
    User<T> getUser(T userID)
-        throws UserNotFoundException, TransientException, 
+        throws UserNotFoundException, TransientException,
               AccessControlException;

    /**
@@ -156,40 +156,40 @@ public interface UserPersistence<T extends Principal>
     * @param password The password.
     *
     * @return Boolean
-     * 
+     *
     * @throws UserNotFoundException when the user is not found.
     * @throws TransientException If an temporary, unexpected problem occurred.
     * @throws AccessControlException If the operation is not permitted.
     */
    Boolean doLogin(String userID, String password)
-            throws UserNotFoundException, TransientException, 
+            throws UserNotFoundException, TransientException,
                   AccessControlException;
-   
+
    /**
     * Updated the user specified by User.
     *
     * @param user      The user instance to modify.
     *
     * @return User instance.
-     * 
+     *
     * @throws UserNotFoundException when the user is not found.
     * @throws TransientException If an temporary, unexpected problem occurred.
     * @throws AccessControlException If the operation is not permitted.
     */
    User<T> modifyUser(User<T> user)
-        throws UserNotFoundException, TransientException, 
+        throws UserNotFoundException, TransientException,
               AccessControlException;
-    
+
    /**
     * Delete the user specified by userID.
     *
     * @param userID The userID.
-     * 
+     *
     * @throws UserNotFoundException when the user is not found.
     * @throws TransientException If an temporary, unexpected problem occurred.
     * @throws AccessControlException If the operation is not permitted.
     */
    void deleteUser(T userID)
-        throws UserNotFoundException, TransientException, 
+        throws UserNotFoundException, TransientException,
               AccessControlException;
 }
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java
@@ -284,7 +284,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
     * @throws AccessControlException     If the operation is not permitted.
     * @throws UserAlreadyExistsException If the user already exists.
     */
-    public User<T> addUser(final UserRequest<T> userRequest)
+    public void addUser(final UserRequest<T> userRequest)
            throws TransientException, UserAlreadyExistsException
    {
        DN userDN;
@@ -301,19 +301,6 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO

            userDN = getUserRequestsDN(userID.getName());
            addUser(userRequest, userDN);
-
-            // AD: Search results sometimes come incomplete if
-            // connection is not reset - not sure why.
-            getConnection().reconnect();
-            try
-            {
-                return getUser(userID, config.getUserRequestsDN());
-            }
-            catch (UserNotFoundException e)
-            {
-                throw new RuntimeException("BUG: new user " + userDN.toNormalizedString() +
-                    " not found");
-            }
        }
        catch (LDAPException e)
        {
@@ -507,9 +494,13 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
                                      searchField, userAttribs);
            if (proxy && isSecure(usersDN))
            {
-                searchRequest.addControl(
-                        new ProxiedAuthorizationV2RequestControl(
-                                "dn:" + getSubjectDN().toNormalizedString()));
+                String proxyDN = "dn:" + getSubjectDN().toNormalizedString();
+                logger.debug("Proxying auth as: " + proxyDN);
+                searchRequest.addControl(new ProxiedAuthorizationV2RequestControl(proxyDN));
+            }
+            else
+            {
+                logger.debug("Not proxying authorization");
            }

            searchResult = getConnection().searchForEntry(searchRequest);
@@ -530,9 +521,18 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
        user.getIdentities().add(new HttpPrincipal(
                searchResult.getAttributeValue(
                       userLdapAttrib.get(HttpPrincipal.class))));
-        user.getIdentities().add(new NumericPrincipal(
-                searchResult.getAttributeValueAsLong(
-                        userLdapAttrib.get(NumericPrincipal.class))));
+
+        Long numericID = searchResult.getAttributeValueAsLong(userLdapAttrib.get(NumericPrincipal.class));
+        logger.debug("Numeric id is: " + numericID);
+        if (numericID == null)
+        {
+            // If the numeric ID does not return it means the user
+            // does not have permission
+            throw new AccessControlException("Permission denied");
+        }
+        NumericPrincipal numericPrincipal = new NumericPrincipal(numericID);
+        user.getIdentities().add(numericPrincipal);
+
        user.getIdentities().add(new X500Principal(
                searchResult.getAttributeValue(
                        userLdapAttrib.get(X500Principal.class))));

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
@@ -126,7 +126,7 @@ public class LdapUserPersistence<T extends Principal>
     * @throws TransientException If an temporary, unexpected problem occurred.
     * @throws AccessControlException If the operation is not permitted.
     */
-    public User<T> addUser(UserRequest<T> user)
+    public void addUser(UserRequest<T> user)
        throws TransientException, AccessControlException,
               UserAlreadyExistsException
    {
@@ -134,7 +134,7 @@ public class LdapUserPersistence<T extends Principal>
        try
        {
            userDAO = new LdapUserDAO<T>(this.config);
-            return userDAO.addUser(user);
+            userDAO.addUser(user);
        }
        finally
        {

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/groups/ACSearchRunner.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/groups/ACSearchRunner.java
@@ -66,7 +66,7 @@
 *
 ************************************************************************
 */
-package ca.nrc.cadc.ac.server.web.groups;
+package ca.nrc.cadc.ac.server.web;

 import ca.nrc.cadc.ac.Group;
 import ca.nrc.cadc.ac.GroupNotFoundException;

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/groups/GroupServlet.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/groups/GroupServlet.java
@@ -66,7 +66,7 @@
 *
 ************************************************************************
 */
-package ca.nrc.cadc.ac.server.web.groups;
+package ca.nrc.cadc.ac.server.web;

 import java.io.IOException;
 import java.security.PrivilegedActionException;
@@ -76,9 +76,11 @@ import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

+import ca.nrc.cadc.ac.server.web.groups.AbstractGroupAction;
+import ca.nrc.cadc.ac.server.web.groups.GroupLogInfo;
+import ca.nrc.cadc.ac.server.web.groups.GroupsActionFactory;
 import org.apache.log4j.Logger;

-import ca.nrc.cadc.ac.server.web.SyncOutput;
 import ca.nrc.cadc.auth.AuthenticationUtil;

 /**

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/LoginServlet.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/LoginServlet.java
@@ -66,7 +66,7 @@
 *
 ************************************************************************
 */
-package ca.nrc.cadc.ac.server.web.users;
+package ca.nrc.cadc.ac.server.web;

 import java.io.IOException;
 import java.security.AccessControlException;

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/PasswordServlet.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/PasswordServlet.java
@@ -66,33 +66,25 @@
 *
 ************************************************************************
 */
-package ca.nrc.cadc.ac.server.web.users;
-
-import java.io.IOException;
-import java.security.AccessControlException;
-import java.security.Principal;
-import java.security.PrivilegedExceptionAction;
-import java.util.Set;
-import java.util.TreeSet;
-
-import javax.security.auth.Subject;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import ca.nrc.cadc.ac.UserNotFoundException;
-import ca.nrc.cadc.ac.server.ldap.LdapUserDAO;
-import ca.nrc.cadc.net.TransientException;
-import org.apache.log4j.Logger;
+package ca.nrc.cadc.ac.server.web;

 import ca.nrc.cadc.ac.User;
+import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.ac.server.ldap.LdapUserPersistence;
 import ca.nrc.cadc.auth.AuthenticationUtil;
-import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.log.ServletLogInfo;
 import ca.nrc.cadc.util.StringUtil;
-import org.omg.CORBA.UserException;
+import org.apache.log4j.Logger;

+import javax.security.auth.Subject;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.security.AccessControlException;
+import java.security.Principal;
+import java.security.PrivilegedExceptionAction;
+import java.util.TreeSet;

 /**
 * Servlet to handle password changes.  Passwords are an integral part of the
@@ -106,7 +98,6 @@ public class PasswordServlet extends HttpServlet
 {
    private static final Logger log = Logger.getLogger(PasswordServlet.class);

-
    /**
     * Attempt to change password.
     *

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java
@@ -66,13 +66,14 @@
 *
 ************************************************************************
 */
-package ca.nrc.cadc.ac.server.web.users;
+package ca.nrc.cadc.ac.server.web;

-import ca.nrc.cadc.ac.server.web.SyncOutput;
+import ca.nrc.cadc.ac.server.web.users.AbstractUserAction;
+import ca.nrc.cadc.ac.server.web.users.GetUserAction;
+import ca.nrc.cadc.ac.server.web.users.UserActionFactory;
+import ca.nrc.cadc.ac.server.web.users.UserLogInfo;
 import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.auth.ServletPrincipalExtractor;
-import ca.nrc.cadc.auth.X509CertificateChain;
-import ca.nrc.cadc.util.ArrayUtil;
 import ca.nrc.cadc.util.StringUtil;
 import org.apache.log4j.Logger;

@@ -87,8 +88,6 @@ import java.io.IOException;
 import java.security.AccessController;
 import java.security.Principal;
 import java.security.PrivilegedActionException;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
 import java.util.Set;

 public class UserServlet extends HttpServlet
@@ -260,7 +259,6 @@ public class UserServlet extends HttpServlet
    {
        ServletPrincipalExtractor extractor = new ServletPrincipalExtractor(request);
        Set<Principal> principals = extractor.getPrincipals();
-        log.debug("Principals: " + principals);

        for (Principal principal : principals)
        {
@@ -268,12 +266,12 @@ public class UserServlet extends HttpServlet
            {
                if (principal.getName().equalsIgnoreCase(notAugmentedX500User))
                {
+                    log.debug("found notAugmentedX500User " + notAugmentedX500User);
                    return true;
                }
            }
        }

        return false;
-
    }
 }
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/WhoAmIServlet.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/WhoAmIServlet.java
+/*
+ ************************************************************************
+ *******************  CANADIAN ASTRONOMY DATA CENTRE  *******************
+ **************  CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES  **************
+ *
+ *  (c) 2015.                            (c) 2015.
+ *  Government of Canada                 Gouvernement du Canada
+ *  National Research Council            Conseil national de recherches
+ *  Ottawa, Canada, K1A 0R6              Ottawa, Canada, K1A 0R6
+ *  All rights reserved                  Tous droits réservés
+ *
+ *  NRC disclaims any warranties,        Le CNRC dénie toute garantie
+ *  expressed, implied, or               énoncée, implicite ou légale,
+ *  statutory, of any kind with          de quelque nature que ce
+ *  respect to the software,             soit, concernant le logiciel,
+ *  including without limitation         y compris sans restriction
+ *  any warranty of merchantability      toute garantie de valeur
+ *  or fitness for a particular          marchande ou de pertinence
+ *  purpose. NRC shall not be            pour un usage particulier.
+ *  liable in any event for any          Le CNRC ne pourra en aucun cas
+ *  damages, whether direct or           être tenu responsable de tout
+ *  indirect, special or general,        dommage, direct ou indirect,
+ *  consequential or incidental,         particulier ou général,
+ *  arising from the use of the          accessoire ou fortuit, résultant
+ *  software.  Neither the name          de l'utilisation du logiciel. Ni
+ *  of the National Research             le nom du Conseil National de
+ *  Council of Canada nor the            Recherches du Canada ni les noms
+ *  names of its contributors may        de ses  participants ne peuvent
+ *  be used to endorse or promote        être utilisés pour approuver ou
+ *  products derived from this           promouvoir les produits dérivés
+ *  software without specific prior      de ce logiciel sans autorisation
+ *  written permission.                  préalable et particulière
+ *                                       par écrit.
+ *
+ *  This file is part of the             Ce fichier fait partie du projet
+ *  OpenCADC project.                    OpenCADC.
+ *
+ *  OpenCADC is free software:           OpenCADC est un logiciel libre ;
+ *  you can redistribute it and/or       vous pouvez le redistribuer ou le
+ *  modify it under the terms of         modifier suivant les termes de
+ *  the GNU Affero General Public        la “GNU Affero General Public
+ *  License as published by the          License” telle que publiée
+ *  Free Software Foundation,            par la Free Software Foundation
+ *  either version 3 of the              : soit la version 3 de cette
+ *  License, or (at your option)         licence, soit (à votre gré)
+ *  any later version.                   toute version ultérieure.
+ *
+ *  OpenCADC is distributed in the       OpenCADC est distribué
+ *  hope that it will be useful,         dans l’espoir qu’il vous
+ *  but WITHOUT ANY WARRANTY;            sera utile, mais SANS AUCUNE
+ *  without even the implied             GARANTIE : sans même la garantie
+ *  warranty of MERCHANTABILITY          implicite de COMMERCIALISABILITÉ
+ *  or FITNESS FOR A PARTICULAR          ni d’ADÉQUATION À UN OBJECTIF
+ *  PURPOSE.  See the GNU Affero         PARTICULIER. Consultez la Licence
+ *  General Public License for           Générale Publique GNU Affero
+ *  more details.                        pour plus de détails.
+ *
+ *  You should have received             Vous devriez avoir reçu une
+ *  a copy of the GNU Affero             copie de la Licence Générale
+ *  General Public License along         Publique GNU Affero avec
+ *  with OpenCADC.  If not, see          OpenCADC ; si ce n’est
+ *  <http://www.gnu.org/licenses/>.      pas le cas, consultez :
+ *                                       <http://www.gnu.org/licenses/>.
+ *
+ *
+ ************************************************************************
+ */
+
+package ca.nrc.cadc.ac.server.web;
+
+import ca.nrc.cadc.ac.AC;
+import ca.nrc.cadc.auth.AuthenticationUtil;
+import ca.nrc.cadc.auth.HttpPrincipal;
+import ca.nrc.cadc.log.ServletLogInfo;
+import ca.nrc.cadc.reg.client.RegistryClient;
+import org.apache.log4j.Logger;
+
+import javax.security.auth.Subject;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Set;
+
+/**
+ * Servlet to handle GET requests asking for the current User.  This servlet
+ * will implement the /whoami functionality to return details about the
+ * currently authenticated user, or rather, the user whose Subject is currently
+ * found in this context.
+ */
+public class WhoAmIServlet extends HttpServlet
+{
+    private static final Logger log = Logger.getLogger(WhoAmIServlet.class);
+
+    static final String USER_GET_PATH = "/users/%s?idType=HTTP";
+
+    /**
+     * Handle a /whoami GET operation.
+     *
+     * @param request  The HTTP Request.
+     * @param response The HTTP Response.
+     * @throws ServletException Anything goes wrong at the Servlet level.
+     * @throws IOException      Any reading/writing errors.
+     */
+    @Override
+    protected void doGet(final HttpServletRequest request,
+                         final HttpServletResponse response)
+            throws ServletException, IOException
+    {
+        final long start = System.currentTimeMillis();
+        final ServletLogInfo logInfo = new ServletLogInfo(request);
+        log.info(logInfo.start());
+        try
+        {
+            final Subject currentSubject = getSubject(request);
+            final Set<HttpPrincipal> currentWebPrincipals =
+                    currentSubject.getPrincipals(HttpPrincipal.class);
+
+            if (currentWebPrincipals.isEmpty())
+            {
+                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            }
+            else
+            {
+                redirect(response, currentWebPrincipals.toArray(
+                        new HttpPrincipal[1])[0]);
+            }
+        }
+        catch (IllegalArgumentException e)
+        {
+            log.debug(e.getMessage(), e);
+            logInfo.setMessage(e.getMessage());
+            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+        }
+        catch (Throwable t)
+        {
+            String message = "Internal Server Error: " + t.getMessage();
+            log.error(message, t);
+            logInfo.setSuccess(false);
+            logInfo.setMessage(message);
+            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+        }
+        finally
+        {
+            logInfo.setElapsedTime(System.currentTimeMillis() - start);
+            log.info(logInfo.end());
+        }
+    }
+
+    /**
+     * Forward on to the Service's user endpoint.
+     *
+     * @param response     The HTTP response.
+     * @param webPrincipal The HttpPrincipal instance.
+     */
+    void redirect(final HttpServletResponse response,
+                  final HttpPrincipal webPrincipal) throws IOException
+    {
+        final RegistryClient registryClient = getRegistryClient();
+        final URL redirectURL =
+                registryClient.getServiceURL(
+                        URI.create(AC.GMS_SERVICE_URI), "https", USER_GET_PATH);
+
+        // Take the first one.
+        final String redirectUrl =
+            String.format(redirectURL.toString(), webPrincipal.getName());
+        log.debug("redirecting to " + redirectUrl);
+        response.sendRedirect(redirectUrl);
+    }
+
+    /**
+     * Tests will need to override this method so as not to rely on the
+     * environment.
+     *
+     * @return      Registry Client instance.
+     */
+    RegistryClient getRegistryClient()
+    {
+        return new RegistryClient();
+    }
+
+    /**
+     * Get and augment the Subject. Tests can override this method.
+     *
+     * @param request Servlet request
+     * @return augmented Subject
+     */
+    Subject getSubject(final HttpServletRequest request)
+    {
+        return AuthenticationUtil.getSubject(request);
+    }
+}
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/groups/AbstractGroupAction.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/groups/AbstractGroupAction.java
@@ -101,17 +101,17 @@ public abstract class AbstractGroupAction implements PrivilegedExceptionAction<O

    abstract void doAction() throws Exception;

-    void setLogInfo(GroupLogInfo logInfo)
+    public void setLogInfo(GroupLogInfo logInfo)
    {
        this.logInfo = logInfo;
    }

-    void setHttpServletRequest(HttpServletRequest request)
+    public void setHttpServletRequest(HttpServletRequest request)
    {
        this.request = request;
    }

-    void setSyncOut(SyncOutput syncOut)
+    public void setSyncOut(SyncOutput syncOut)
    {
        this.syncOut = syncOut;
    }

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/AbstractUserAction.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/AbstractUserAction.java
@@ -105,8 +105,8 @@ import java.util.Set;
 public abstract class AbstractUserAction implements PrivilegedExceptionAction<Object>
 {
    private static final Logger log = Logger.getLogger(AbstractUserAction.class);
-    static final String DEFAULT_CONTENT_TYPE = "text/xml";
-    static final String JSON_CONTENT_TYPE = "application/json";
+    public static final String DEFAULT_CONTENT_TYPE = "text/xml";
+    public static final String JSON_CONTENT_TYPE = "application/json";

    protected boolean isAugmentUser;
    protected UserLogInfo logInfo;

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/CreateUserAction.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/CreateUserAction.java
@@ -93,10 +93,10 @@ public class CreateUserAction extends AbstractUserAction
    {
        final UserPersistence<Principal> userPersistence = getUserPersistence();
        final UserRequest<Principal> userRequest = readUserRequest(this.inputStream);
-        final User<Principal> newUser = userPersistence.addUser(userRequest);
+        userPersistence.addUser(userRequest);

        syncOut.setCode(201);
-        logUserInfo(newUser.getUserID().getName());
+        logUserInfo(userRequest.getUser().getUserID().getName());
    }

 }
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/auth/AuthenticatorImpl.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/auth/AuthenticatorImpl.java
@@ -102,9 +102,13 @@ public class AuthenticatorImpl implements Authenticator
     */
    public Subject getSubject(Subject subject)
    {
+        log.debug("ac augment subject: " + subject);
        AuthMethod am = AuthenticationUtil.getAuthMethod(subject);
        if (am == null || AuthMethod.ANON.equals(am))
+        {
+            log.debug("returning anon subject");
            return subject;
+        }

        if (subject != null && subject.getPrincipals().size() > 0)
        {
@@ -126,14 +130,13 @@ public class AuthenticatorImpl implements Authenticator

    public void augmentSubject(final Subject subject)
    {
-
        try
        {
            LdapUserPersistence<Principal> dao = new LdapUserPersistence<Principal>();
            User<Principal> user = dao.getAugmentedUser(subject.getPrincipals().iterator().next());
            if (user.getIdentities() != null)
            {
-                log.debug("Found " + user.getIdentities().size() + " principals after agument");
+                log.debug("Found " + user.getIdentities().size() + " principals after argument");
            }
            else
            {
@@ -150,7 +153,6 @@ public class AuthenticatorImpl implements Authenticator
        {
            throw new IllegalStateException("Internal error", e);
        }
-
    }

 }
--- a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAOTest.java
+++ b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAOTest.java
@@ -145,8 +145,8 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
        testUser.getIdentities().add(new NumericPrincipal(666));

        testUserDN = "uid=cadcdaotest1," + config.getUsersDN();
-        
-        
+
+
        // member returned by getMember contains only the fields required by
        // the GMS
        testMember = new User<X500Principal>(testUserX500Princ);
@@ -184,7 +184,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
        expected.getIdentities().add(new X500Principal("cn=" + userID + ",ou=cadc,o=hia,c=ca"));
        nextUserNumericID = ran.nextInt(Integer.MAX_VALUE);
        expected.getIdentities().add(new NumericPrincipal(nextUserNumericID));
-        
+
        expected.details.add(new PersonalDetails("foo", "bar"));

        final UserRequest<HttpPrincipal> userRequest =
@@ -194,7 +194,10 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
        subject.getPrincipals().add(testUser.getUserID());

        final LdapUserDAO<HttpPrincipal> userDAO = getUserDAO();
-        User<HttpPrincipal> actual = userDAO.addUser(userRequest);
+        userDAO.addUser(userRequest);
+
+        User<HttpPrincipal> actual = userDAO.getPendingUser(userRequest.getUser().getUserID());
+
        check(expected, actual);
    }

@@ -346,7 +349,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
        Subject subject = new Subject();
        subject.getPrincipals().add(testUser.getUserID());
        subject.getPrincipals().add(testUser1DNPrincipal);
-        
+
        // do everything as owner
        Subject.doAs(subject, new PrivilegedExceptionAction<Object>()
        {

--- a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/users/UserServletTest.java
+++ b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/users/UserServletTest.java
-package ca.nrc.cadc.ac.server.web.users;
+package ca.nrc.cadc.ac.server.web;


 import javax.servlet.http.HttpServletRequest;

+import ca.nrc.cadc.ac.server.web.UserServlet;
 import org.junit.Test;
 import static org.easymock.EasyMock.*;
 import static org.junit.Assert.*;

--- a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/WhoAmIServletTest.java
+++ b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/WhoAmIServletTest.java
+/*
+ ************************************************************************
+ *******************  CANADIAN ASTRONOMY DATA CENTRE  *******************
+ **************  CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES  **************
+ *
+ *  (c) 2015.                            (c) 2015.
+ *  Government of Canada                 Gouvernement du Canada
+ *  National Research Council            Conseil national de recherches
+ *  Ottawa, Canada, K1A 0R6              Ottawa, Canada, K1A 0R6
+ *  All rights reserved                  Tous droits réservés
+ *
+ *  NRC disclaims any warranties,        Le CNRC dénie toute garantie
+ *  expressed, implied, or               énoncée, implicite ou légale,
+ *  statutory, of any kind with          de quelque nature que ce
+ *  respect to the software,             soit, concernant le logiciel,
+ *  including without limitation         y compris sans restriction
+ *  any warranty of merchantability      toute garantie de valeur
+ *  or fitness for a particular          marchande ou de pertinence
+ *  purpose. NRC shall not be            pour un usage particulier.
+ *  liable in any event for any          Le CNRC ne pourra en aucun cas
+ *  damages, whether direct or           être tenu responsable de tout
+ *  indirect, special or general,        dommage, direct ou indirect,
+ *  consequential or incidental,         particulier ou général,
+ *  arising from the use of the          accessoire ou fortuit, résultant
+ *  software.  Neither the name          de l'utilisation du logiciel. Ni
+ *  of the National Research             le nom du Conseil National de
+ *  Council of Canada nor the            Recherches du Canada ni les noms
+ *  names of its contributors may        de ses  participants ne peuvent
+ *  be used to endorse or promote        être utilisés pour approuver ou
+ *  products derived from this           promouvoir les produits dérivés
+ *  software without specific prior      de ce logiciel sans autorisation
+ *  written permission.                  préalable et particulière
+ *                                       par écrit.
+ *
+ *  This file is part of the             Ce fichier fait partie du projet
+ *  OpenCADC project.                    OpenCADC.
+ *
+ *  OpenCADC is free software:           OpenCADC est un logiciel libre ;
+ *  you can redistribute it and/or       vous pouvez le redistribuer ou le
+ *  modify it under the terms of         modifier suivant les termes de
+ *  the GNU Affero General Public        la “GNU Affero General Public
+ *  License as published by the          License” telle que publiée
+ *  Free Software Foundation,            par la Free Software Foundation
+ *  either version 3 of the              : soit la version 3 de cette
+ *  License, or (at your option)         licence, soit (à votre gré)
+ *  any later version.                   toute version ultérieure.
+ *
+ *  OpenCADC is distributed in the       OpenCADC est distribué
+ *  hope that it will be useful,         dans l’espoir qu’il vous
+ *  but WITHOUT ANY WARRANTY;            sera utile, mais SANS AUCUNE
+ *  without even the implied             GARANTIE : sans même la garantie
+ *  warranty of MERCHANTABILITY          implicite de COMMERCIALISABILITÉ
+ *  or FITNESS FOR A PARTICULAR          ni d’ADÉQUATION À UN OBJECTIF
+ *  PURPOSE.  See the GNU Affero         PARTICULIER. Consultez la Licence
+ *  General Public License for           Générale Publique GNU Affero
+ *  more details.                        pour plus de détails.
+ *
+ *  You should have received             Vous devriez avoir reçu une
+ *  a copy of the GNU Affero             copie de la Licence Générale
+ *  General Public License along         Publique GNU Affero avec
+ *  with OpenCADC.  If not, see          OpenCADC ; si ce n’est
+ *  <http://www.gnu.org/licenses/>.      pas le cas, consultez :
+ *                                       <http://www.gnu.org/licenses/>.
+ *
+ *
+ ************************************************************************
+ */
+
+package ca.nrc.cadc.ac.server.web;
+
+import ca.nrc.cadc.ac.AC;
+import ca.nrc.cadc.auth.HttpPrincipal;
+import ca.nrc.cadc.reg.client.RegistryClient;
+import org.junit.Test;
+
+import javax.security.auth.Subject;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.net.URI;
+import java.net.URL;
+import java.security.PrivilegedExceptionAction;
+
+import static org.easymock.EasyMock.*;
+
+
+public class WhoAmIServletTest
+{
+    @Test
+    public void doGet() throws Exception
+    {
+        final Subject subject = new Subject();
+        subject.getPrincipals().add(new HttpPrincipal("CADCtest"));
+
+        final RegistryClient mockRegistry = createMock(RegistryClient.class);
+        final WhoAmIServlet testSubject = new WhoAmIServlet()
+        {
+            /**
+             * Tests will need to override this method so as not to rely on the
+             * environment.
+             *
+             * @return Registry Client instance.
+             */
+            @Override
+            RegistryClient getRegistryClient()
+            {
+                return mockRegistry;
+            }
+
+            @Override
+            Subject getSubject(final HttpServletRequest request)
+            {
+                return subject;
+            }
+        };
+
+        final HttpServletRequest mockRequest =
+                createMock(HttpServletRequest.class);
+        final HttpServletResponse mockResponse =
+                createMock(HttpServletResponse.class);
+
+        expect(mockRequest.getPathInfo()).andReturn("users/CADCtest").once();
+        expect(mockRequest.getMethod()).andReturn("GET").once();
+        expect(mockRequest.getRemoteAddr()).andReturn("mysite.com").once();
+
+        mockResponse.sendRedirect("https://mysite.com/ac/users/CADCtest?idType=HTTP");
+        expectLastCall().once();
+
+        expect(mockRegistry.getServiceURL(URI.create(AC.GMS_SERVICE_URI),
+                                          "http", "/users/%s?idType=HTTP")).
+                andReturn(new URL("https://mysite.com/ac/users/CADCtest?idType=HTTP")).once();
+
+        replay(mockRequest, mockResponse, mockRegistry);
+
+
+        Subject.doAs(subject, new PrivilegedExceptionAction<Void>()
+        {
+            @Override
+            public Void run() throws Exception
+            {
+                testSubject.doGet(mockRequest, mockResponse);
+                return null;
+            }
+        });
+
+        verify(mockRequest, mockResponse, mockRegistry);
+    }
+}