master - fixed merge conflicts

cadcAccessControl-Admin/build.xml

@@ -161,16 +161,4 @@
 
   <property name="testingJars" value="${jsonassert}:${junit}:${asm}:${cglib}:${easymock}:${objenesis}:${jdom2}:${json}:${cadcLog}"/>
 
-  <target name="int-test" depends="build,compile-test,setup-test">
-    <echo message="Running test suite..."/>
-    <junit printsummary="yes" haltonfailure="yes" fork="yes">
-      <classpath>
-        <pathelement path="${build}/class"/>
-        <pathelement path="${build}/test/class"/>
-        <pathelement path="${jars}:${testingJars}"/>
-      </classpath>
-      <test name="ca.nrc.cadc.ac.admin.integration.UserAdminIntTest"/>
-      <formatter type="plain" usefile="false"/>
-    </junit>
-  </target>
 </project>

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/AbstractCommand.java

@@ -71,7 +71,6 @@ package ca.nrc.cadc.ac.admin;
 
 import java.io.PrintStream;
 import java.security.AccessControlException;
-import java.security.Principal;
 import java.security.PrivilegedAction;
 
 import ca.nrc.cadc.ac.server.UserPersistence;
@@ -88,7 +87,7 @@ public abstract class AbstractCommand implements PrivilegedAction<Object>
     protected PrintStream systemOut = System.out;
     protected PrintStream systemErr = System.err;
 
-    private UserPersistence<Principal> userPersistence;
+    private UserPersistence userPersistence;
 
 
     protected abstract void doRun()
@@ -135,12 +134,12 @@ public abstract class AbstractCommand implements PrivilegedAction<Object>
     }
 
     protected void setUserPersistence(
-            final UserPersistence<Principal> userPersistence)
+            final UserPersistence userPersistence)
     {
         this.userPersistence = userPersistence;
     }
 
-    public UserPersistence<Principal> getUserPersistence()
+    public UserPersistence getUserPersistence()
     {
         return userPersistence;
     }

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/AbstractListUsers.java

@@ -70,14 +70,15 @@
 package ca.nrc.cadc.ac.admin;
 
 import java.security.AccessControlException;
-import java.security.Principal;
 import java.util.Collection;
 import java.util.Set;
 
+import javax.security.auth.x500.X500Principal;
+
 import org.apache.log4j.Logger;
 
-import ca.nrc.cadc.ac.PersonalDetails;
 import ca.nrc.cadc.ac.User;
+import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.net.TransientException;
 
 /**
@@ -89,14 +90,14 @@ public abstract class AbstractListUsers extends AbstractCommand
 {
     private static final Logger log = Logger.getLogger(AbstractListUsers.class);
 
-    protected abstract Collection<User<Principal>> getUsers()
+    protected abstract Collection<User> getUsers()
     		throws AccessControlException, TransientException;
 
     protected void doRun() throws AccessControlException, TransientException
     {
-        Collection<User<Principal>> users = this.getUsers();
+        Collection<User> users = this.getUsers();
 
-        for (User<Principal> user : users)
+        for (User user : users)
         {
             this.systemOut.println(getUserString(user));
         }
@@ -106,21 +107,36 @@ public abstract class AbstractListUsers extends AbstractCommand
 
     private String getUserString(User user)
     {
-        StringBuilder sb = new StringBuilder(user.getUserID().getName());
+        StringBuilder sb = new StringBuilder();
+        HttpPrincipal username = user.getHttpPrincipal();
+        if (username != null)
+        {
+            sb.append(username.getName());
+        }
+        else
+        {
+            Set<X500Principal> x500Principals = user.getIdentities(X500Principal.class);
+            if (!x500Principals.isEmpty())
+            {
+                sb.append(x500Principals.iterator().next().getName());
+            }
+            else
+            {
+                sb.append("Internal ID: " + user.getID().getURI());
+            }
+        }
 
-        Set<PersonalDetails> detailSet = user.getDetails(PersonalDetails.class);
-        if (detailSet.size() > 0)
+        if (user.personalDetails != null)
         {
             sb.append(" [");
-            PersonalDetails details = detailSet.iterator().next();
-            sb.append(details.getFirstName());
+            sb.append(user.personalDetails.getFirstName());
             sb.append(" ");
-            sb.append(details.getLastName());
+            sb.append(user.personalDetails.getLastName());
             sb.append("]");
-            if (details.institute != null)
+            if (user.personalDetails.institute != null)
             {
                 sb.append(" [");
-                sb.append(details.institute);
+                sb.append(user.personalDetails.institute);
                 sb.append("]");
             }
         }

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/AbstractUserCommand.java

@@ -75,7 +75,6 @@ import java.util.Set;
 
 import org.apache.log4j.Logger;
 
-import ca.nrc.cadc.ac.PersonalDetails;
 import ca.nrc.cadc.ac.User;
 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.auth.HttpPrincipal;
@@ -121,7 +120,7 @@ public abstract class AbstractUserCommand extends AbstractCommand
         }
     }
 
-    protected void printUser(final User<Principal> user)
+    protected void printUser(final User user)
     {
         if (user != null)
         {
@@ -136,10 +135,9 @@ public abstract class AbstractUserCommand extends AbstractCommand
 
             // print user's personal details
             this.systemOut.println();
-            PersonalDetails personalDetails = user.getUserDetail(PersonalDetails.class);
-            if (personalDetails != null)
+            if (user.personalDetails != null)
             {
-                this.systemOut.println(personalDetails.toStringFormatted());
+                this.systemOut.println(user.personalDetails.toStringFormatted());
             }
         }
     }

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/ApproveUser.java

@@ -70,11 +70,9 @@
 package ca.nrc.cadc.ac.admin;
 
 import java.security.AccessControlException;
-import java.security.Principal;
 import java.util.Date;
 import java.util.IllegalFormatException;
 import java.util.Properties;
-import java.util.Set;
 
 import javax.mail.Address;
 import javax.mail.Message;
@@ -86,14 +84,12 @@ import javax.security.auth.x500.X500Principal;
 
 import org.apache.log4j.Logger;
 
-import ca.nrc.cadc.ac.PersonalDetails;
 import ca.nrc.cadc.ac.User;
 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.net.TransientException;
 import ca.nrc.cadc.util.PropertiesReader;
 
-
 /**
  * This class approves the specified pending user by moving the user
  * from a pending user to an active user in the LDAP server.
@@ -115,11 +111,9 @@ public class ApproveUser extends AbstractUserCommand
 
     private String dn;
 
-
     /**
      * Constructor
      * @param userID Id of the pending user to be approved
-     * @param dn of the pending user to be approved
      */
     public ApproveUser(final String userID, final String dn)
     {
@@ -127,57 +121,9 @@ public class ApproveUser extends AbstractUserCommand
     	this.dn = dn;
     }
 
-
-    /**
-     * Constructor
-     * @param userID Id of the pending user to be approved
-     */
-    public ApproveUser(final String userID)
-    {
-    	super(userID);
-    }
-
-
     protected void execute()
 	throws AccessControlException, UserNotFoundException, TransientException
     {
-        User<Principal> user = null;
-        try
-        {
-            // Search the user in the pending tree
-            user = this.getUserPersistence().getPendingUser(this.getPrincipal());
-        }
-        catch (Exception e)
-        {
-            log.info("User not found in userRequests");
-            this.systemOut.println("User not found in userRequests. Impossible to approve it.");
-            this.systemOut.println("Check the validity of the provided uid.");
-            return;
-        }
-        log.debug("User found in userRequests");
-        // If user DN is not provided by command line, search if it is available in UserRequests
-        if (dn == null || dn.isEmpty()) {
-            boolean foundDN = false;
-            for (Principal p : user.getIdentities())
-            {
-                 if (p instanceof X500Principal)
-                 {
-                     this.dn = p.getName();
-                     log.debug("User DN FOUND in pendingUser. userDN = " + dn);
-                     foundDN = true;
-                     break;
-                 }
-            }
-            if(!foundDN)
-            {
-                log.debug("User DN NOT FOUND in UserRequests.");
-                this.systemOut.println("User DN not found in userRequests.");
-                this.systemOut.println("Use --dn option to provide a valid user DN");
-                return;
-            }
-
-        }
-
         X500Principal dnPrincipal = null;
         try
         {
@@ -192,16 +138,17 @@ public class ApproveUser extends AbstractUserCommand
 
         try
         {
-            this.getUserPersistence().approvePendingUser(this.getPrincipal());
+            this.getUserPersistence().approveUserRequest(this.getPrincipal());
             this.systemOut.println("User " + this.getPrincipal().getName() + " was approved successfully.");
             approved = true;
         }
         catch (UserNotFoundException e)
         {
-            this.systemOut.println("Could not find pending user " + this.getPrincipal());
+            this.systemOut.println("Could not find userRequest " + this.getPrincipal());
+            return;
         }
 
-        user = null;
+        User user = null;
         try
         {
             user = this.getUserPersistence().getUser(this.getPrincipal());
@@ -226,7 +173,7 @@ public class ApproveUser extends AbstractUserCommand
 
     }
 
-    private void emailUser(User<Principal>  user)
+    private void emailUser(User  user)
     {
         try
         {
@@ -252,12 +199,10 @@ public class ApproveUser extends AbstractUserCommand
                 return;
             }
 
-            Set<PersonalDetails> pds = user.getDetails(PersonalDetails.class);
             String recipient = null;
-            if (pds != null && !pds.isEmpty())
+            if (user.personalDetails != null)
             {
-                PersonalDetails pd = pds.iterator().next();
-                recipient = pd.email;
+                recipient = user.personalDetails.email;
             }
             if (recipient == null)
             {

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/CmdLineParser.java

@@ -187,13 +187,13 @@ public class CmdLineParser
     	if (am.isSet("list"))
     	{
             System.out.println("--list");
-            this.command = new ListActiveUsers();
+            this.command = new ListUsers();
             count++;
     	}
 
     	if (am.isSet("list-pending"))
     	{
-            this.command = new ListPendingUsers();
+            this.command = new ListUserRequests();
             count++;
     	}
 
@@ -231,7 +231,7 @@ public class CmdLineParser
                 }
                 else
                 {
-                    this.command = new ApproveUser(userID);
+                    throw new UsageException("Missing parameter 'dn'");
                 }
     	    }
 

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/CommandRunner.java

@@ -92,11 +92,11 @@ public class CommandRunner
 {
     private final static Logger LOGGER = Logger.getLogger(CommandRunner.class);
     private final CmdLineParser commandLineParser;
-    private final UserPersistence<Principal> userPersistence;
+    private final UserPersistence userPersistence;
 
 
     public CommandRunner(final CmdLineParser commandLineParser,
-                         final UserPersistence<Principal> userPersistence)
+                         final UserPersistence userPersistence)
     {
         this.commandLineParser = commandLineParser;
         this.userPersistence = userPersistence;

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/ListPendingUsers.java → cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/ListUserRequests.java

@@ -70,7 +70,6 @@
 package ca.nrc.cadc.ac.admin;
 
 import java.security.AccessControlException;
-import java.security.Principal;
 import java.util.Collection;
 
 import org.apache.log4j.Logger;
@@ -84,13 +83,13 @@ import ca.nrc.cadc.net.TransientException;
  * @author yeunga
  *
  */
-public class ListPendingUsers extends AbstractListUsers 
+public class ListUserRequests extends AbstractListUsers
 {
-    private static final Logger log = Logger.getLogger(ListPendingUsers.class);
+    private static final Logger log = Logger.getLogger(ListUserRequests.class);
 
-    protected Collection<User<Principal>> getUsers() 
+    protected Collection<User> getUsers()
     		throws AccessControlException, TransientException
     {
-    	return this.getUserPersistence().getPendingUsers();
+    	return this.getUserPersistence().getUserRequests();
     }
 }

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/ListActiveUsers.java → cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/ListUsers.java

@@ -70,7 +70,6 @@
 package ca.nrc.cadc.ac.admin;
 
 import java.security.AccessControlException;
-import java.security.Principal;
 import java.util.Collection;
 
 import org.apache.log4j.Logger;
@@ -84,11 +83,11 @@ import ca.nrc.cadc.net.TransientException;
  * @author yeunga
  *
  */
-public class ListActiveUsers extends AbstractListUsers 
+public class ListUsers extends AbstractListUsers
 {
-    private static final Logger log = Logger.getLogger(ListActiveUsers.class);
+    private static final Logger log = Logger.getLogger(ListUsers.class);
 
-    protected Collection<User<Principal>> getUsers() 
+    protected Collection<User> getUsers()
     		throws AccessControlException, TransientException
     {
     	return this.getUserPersistence().getUsers();

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/Main.java

@@ -70,7 +70,6 @@
 package ca.nrc.cadc.ac.admin;
 
 import java.io.PrintStream;
-import java.security.Principal;
 import java.security.cert.CertificateException;
 
 import org.apache.log4j.Logger;
@@ -151,7 +150,7 @@ public class Main
                 // Set the necessary JNDI system property for lookups.
                 System.setProperty("java.naming.factory.initial",  ContextFactoryImpl.class.getName());
 
-                UserPersistence<Principal> userPersistence = new PluginFactory().createUserPersistence();
+                UserPersistence userPersistence = new PluginFactory().createUserPersistence();
                 final CommandRunner runner =  new CommandRunner(parser, userPersistence);
 
                 runner.run();

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/RejectUser.java

@@ -98,7 +98,7 @@ public class RejectUser extends AbstractUserCommand
         throws AccessControlException, UserNotFoundException, TransientException 
     {
         // delete user from the pending tree
-        this.getUserPersistence().deletePendingUser(this.getPrincipal());
+        this.getUserPersistence().deleteUserRequest(this.getPrincipal());
         String msg = "User " + this.getPrincipal().getName() + " was rejected successfully.";
         this.systemOut.println(msg);
     }

cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/ViewUser.java

@@ -70,7 +70,6 @@
 package ca.nrc.cadc.ac.admin;
 
 import java.security.AccessControlException;
-import java.security.Principal;
 
 import org.apache.log4j.Logger;
 
@@ -104,13 +103,13 @@ public class ViewUser extends AbstractUserCommand
         {
             // Try the main tree first
             log.debug("principal: " + this.getPrincipal());
-            User<Principal> user = this.getUserPersistence().getUser(this.getPrincipal());
+            User user = this.getUserPersistence().getUser(this.getPrincipal());
             this.printUser(user);
         }
         catch (UserNotFoundException e)
         {
             // Not in the main tree, try the pending tree
-            User<Principal> user = this.getUserPersistence().getPendingUser(this.getPrincipal());
+            User user = this.getUserPersistence().getUserRequest(this.getPrincipal());
             this.printUser(user);
         }
     }

cadcAccessControl-Admin/test/src/ca/nrc/cadc/ac/admin/CmdLineParserTest.java

@@ -223,7 +223,7 @@ public class CmdLineParserTest
     	    String[] dArgs = {"--list", "-d"};
     	    CmdLineParser parser = new CmdLineParser(dArgs, sysOut, sysErr);
     	    Assert.assertEquals(Level.DEBUG, parser.getLogLevel());
-    	    Assert.assertTrue(parser.getCommand() instanceof ListActiveUsers);
+    	    Assert.assertTrue(parser.getCommand() instanceof ListUsers);
     	}
     	catch (Exception e)
     	{
@@ -236,7 +236,7 @@ public class CmdLineParserTest
     	    String[] dArgs = {"--list-pending", "-d"};
     	    CmdLineParser parser = new CmdLineParser(dArgs, sysOut, sysErr);
     	    Assert.assertEquals(Level.DEBUG, parser.getLogLevel());
-    	    Assert.assertTrue(parser.getCommand() instanceof ListPendingUsers);
+    	    Assert.assertTrue(parser.getCommand() instanceof ListUserRequests);
     	}
     	catch (Exception e)
     	{

cadcAccessControl-Server/build.xml

@@ -138,7 +138,35 @@
         <pathelement path="${jars}:${testingJars}"/>
       </classpath>
       <sysproperty key="ca.nrc.cadc.util.PropertiesReader.dir" value="test"/>
+
+      <!--<test name="ca.nrc.cadc.ac.server.ldap.LdapConfigTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.ldap.LdapConnectionsTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.ldap.LdapDAOTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.ldap.LdapGroupDAOTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.ldap.LdapPersistenceTest" />-->
       <test name="ca.nrc.cadc.ac.server.ldap.LdapUserDAOTest" />
+
+      <!--<test name="ca.nrc.cadc.ac.server.web.groups.AddGroupMemberActionTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.groups.AddUserMemberActionTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.groups.DeleteGroupActionTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.groups.GetGroupNamesActionTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.groups.GroupActionFactoryTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.groups.RemoveGroupMemberActionTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.groups.RemoveUserMemberActionTest" />-->
+
+      <!--<test name="ca.nrc.cadc.ac.server.web.users.GetUserActionTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.users.GetUserListActionTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.users.ModifyUserActionTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.users.UserActionFactoryTest" />-->
+
+      <!--<test name="ca.nrc.cadc.ac.server.web.ModifyPasswordServletTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.ResetPasswordServletTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.UserLoginServletTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.UserServletTest" />-->
+      <!--<test name="ca.nrc.cadc.ac.server.web.WhoAmIServletTest" />-->
+
+      <!--<test name="ca.nrc.cadc.ac.server.RequestValidatorTest" />-->
+
       <formatter type="plain" usefile="false" />
     </junit>
   </target>

cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ACScopeValidator.java

+/*
+************************************************************************
+*******************  CANADIAN ASTRONOMY DATA CENTRE  *******************
+**************  CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES  **************
+*
+*  (c) 2009.                            (c) 2009.
+*  Government of Canada                 Gouvernement du Canada
+*  National Research Council            Conseil national de recherches
+*  Ottawa, Canada, K1A 0R6              Ottawa, Canada, K1A 0R6
+*  All rights reserved                  Tous droits réservés
+*                                       
+*  NRC disclaims any warranties,        Le CNRC dénie toute garantie
+*  expressed, implied, or               énoncée, implicite ou légale,
+*  statutory, of any kind with          de quelque nature que ce
+*  respect to the software,             soit, concernant le logiciel,
+*  including without limitation         y compris sans restriction
+*  any warranty of merchantability      toute garantie de valeur
+*  or fitness for a particular          marchande ou de pertinence
+*  purpose. NRC shall not be            pour un usage particulier.
+*  liable in any event for any          Le CNRC ne pourra en aucun cas
+*  damages, whether direct or           être tenu responsable de tout
+*  indirect, special or general,        dommage, direct ou indirect,
+*  consequential or incidental,         particulier ou général,
+*  arising from the use of the          accessoire ou fortuit, résultant
+*  software.  Neither the name          de l'utilisation du logiciel. Ni
+*  of the National Research             le nom du Conseil National de
+*  Council of Canada nor the            Recherches du Canada ni les noms
+*  names of its contributors may        de ses  participants ne peuvent
+*  be used to endorse or promote        être utilisés pour approuver ou
+*  products derived from this           promouvoir les produits dérivés
+*  software without specific prior      de ce logiciel sans autorisation
+*  written permission.                  préalable et particulière
+*                                       par écrit.
+*                                       
+*  This file is part of the             Ce fichier fait partie du projet
+*  OpenCADC project.                    OpenCADC.
+*                                       
+*  OpenCADC is free software:           OpenCADC est un logiciel libre ;
+*  you can redistribute it and/or       vous pouvez le redistribuer ou le
+*  modify it under the terms of         modifier suivant les termes de
+*  the GNU Affero General Public        la “GNU Affero General Public
+*  License as published by the          License” telle que publiée
+*  Free Software Foundation,            par la Free Software Foundation
+*  either version 3 of the              : soit la version 3 de cette
+*  License, or (at your option)         licence, soit (à votre gré)
+*  any later version.                   toute version ultérieure.
+*                                       
+*  OpenCADC is distributed in the       OpenCADC est distribué
+*  hope that it will be useful,         dans l’espoir qu’il vous
+*  but WITHOUT ANY WARRANTY;            sera utile, mais SANS AUCUNE
+*  without even the implied             GARANTIE : sans même la garantie
+*  warranty of MERCHANTABILITY          implicite de COMMERCIALISABILITÉ
+*  or FITNESS FOR A PARTICULAR          ni d’ADÉQUATION À UN OBJECTIF
+*  PURPOSE.  See the GNU Affero         PARTICULIER. Consultez la Licence
+*  General Public License for           Générale Publique GNU Affero
+*  more details.                        pour plus de détails.
+*                                       
+*  You should have received             Vous devriez avoir reçu une
+*  a copy of the GNU Affero             copie de la Licence Générale
+*  General Public License along         Publique GNU Affero avec
+*  with OpenCADC.  If not, see          OpenCADC ; si ce n’est
+*  <http://www.gnu.org/licenses/>.      pas le cas, consultez :
+*                                       <http://www.gnu.org/licenses/>.
+*
+*  $Revision: 4 $
+*
+************************************************************************
+*/
+
+package ca.nrc.cadc.ac.server;
+
+import ca.nrc.cadc.auth.DelegationToken;
+import ca.nrc.cadc.auth.InvalidDelegationTokenException;
+import java.net.URI;
+
+/**
+ * A class to validate the scope of a delegation token for access control.
+ * The scope of a delegation token is composed of the service endpoint
+ * and the action allowed with the service endpoint. Both the service endpoint 
+ * and the action are validated.
+ * @author yeunga
+ */
+public class ACScopeValidator extends DelegationToken.ScopeValidator
+{
+    public static final String RESET_PASSWORD_SCOPE = "/resetPassword";
+    
+    public ACScopeValidator() { }
+
+    @Override
+    public void verifyScope(URI scope, String requestURI)
+        throws InvalidDelegationTokenException 
+    {
+        if (!requestURI.endsWith(RESET_PASSWORD_SCOPE)
+            && !scope.toASCIIString().equals(RESET_PASSWORD_SCOPE))
+        {
+            throw new InvalidDelegationTokenException("invalid scope: "
+                                                      + scope);
+        }
+    }
+}

cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/GroupPersistence.java

@@ -69,7 +69,6 @@
 package ca.nrc.cadc.ac.server;
 
 import java.security.AccessControlException;
-import java.security.Principal;
 import java.util.Collection;
 
 import ca.nrc.cadc.ac.Group;
@@ -79,7 +78,7 @@ import ca.nrc.cadc.ac.Role;
 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.net.TransientException;
 
-public interface GroupPersistence<T extends Principal>
+public interface GroupPersistence
 {
     /**
      * Call if this object is to be shut down.

cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/PluginFactory.java

@@ -68,18 +68,14 @@
  */
 package ca.nrc.cadc.ac.server;
 
-import ca.nrc.cadc.ac.server.ldap.LdapGroupPersistence;
-import ca.nrc.cadc.ac.server.ldap.LdapUserPersistence;
-
-import java.lang.reflect.Constructor;
 import java.net.URL;
-import java.security.AccessControlException;
 import java.security.Principal;
 import java.util.Properties;
-import java.util.Set;
+
 import org.apache.log4j.Logger;
 
-import com.unboundid.ldap.sdk.LDAPException;
+import ca.nrc.cadc.ac.server.ldap.LdapGroupPersistence;
+import ca.nrc.cadc.ac.server.ldap.LdapUserPersistence;
 
 public class PluginFactory
 {
@@ -118,20 +114,20 @@ public class PluginFactory
     }
 
     @SuppressWarnings("unchecked")
-    public <T extends Principal> GroupPersistence<T> createGroupPersistence()
+    public <T extends Principal> GroupPersistence createGroupPersistence()
     {
         String name = GroupPersistence.class.getName();
         String cname = config.getProperty(name);
         if (cname == null)
         {
-            return new LdapGroupPersistence<T>();
+            return new LdapGroupPersistence();
         }
         else
         {
             try
             {
                 Class<?> c = Class.forName(cname);
-                return (GroupPersistence<T>) c.newInstance();
+                return (GroupPersistence) c.newInstance();
             }
             catch (Exception ex)
             {
@@ -141,14 +137,14 @@ public class PluginFactory
     }
 
     @SuppressWarnings("unchecked")
-    public <T extends Principal> UserPersistence<T> createUserPersistence()
+    public <T extends Principal> UserPersistence createUserPersistence()
     {
         String name = UserPersistence.class.getName();
         String cname = config.getProperty(name);
 
         if (cname == null)
         {
-            return new LdapUserPersistence<T>();
+            return new LdapUserPersistence();
         }
         else
         {

cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/UserPersistence.java

@@ -68,6 +68,10 @@
  */
 package ca.nrc.cadc.ac.server;
 
+import java.security.AccessControlException;
+import java.security.Principal;
+import java.util.Collection;
+
 import ca.nrc.cadc.ac.User;
 import ca.nrc.cadc.ac.UserAlreadyExistsException;
 import ca.nrc.cadc.ac.UserNotFoundException;
@@ -75,11 +79,7 @@ import ca.nrc.cadc.ac.UserRequest;
 import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.net.TransientException;
 
-import java.security.AccessControlException;
-import java.security.Principal;
-import java.util.Collection;
-
-public interface UserPersistence<T extends Principal>
+public interface UserPersistence
 {
 
     /**
@@ -88,15 +88,15 @@ public interface UserPersistence<T extends Principal>
     void destroy();
 
     /**
-     * Add the user to the active users tree.
+     * Add the user to the users tree.
      *
-     * @param user      The user request to put into the active users tree.
+     * @param user      The user request to put into the users tree.
      *
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      * @throws ca.nrc.cadc.ac.UserAlreadyExistsException
      */
-    void addUser(UserRequest<T> user)
+    void addUser(User user)
         throws TransientException, AccessControlException,
         UserAlreadyExistsException;
 
@@ -109,7 +109,7 @@ public interface UserPersistence<T extends Principal>
      * @throws AccessControlException If the operation is not permitted.
      * @throws ca.nrc.cadc.ac.UserAlreadyExistsException
      */
-    void addPendingUser(UserRequest<T> user)
+    void addUserRequest(UserRequest user)
         throws TransientException, AccessControlException,
         UserAlreadyExistsException;
 
@@ -124,14 +124,30 @@ public interface UserPersistence<T extends Principal>
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
-    User<T> getUser(T userID)
+    User getUser(Principal userID)
         throws UserNotFoundException, TransientException,
         AccessControlException;
 
     /**
-     * Get the user specified by userID whose account is pending approval.
+     * Get the user specified by email address exists in the active users tree.
      *
-     * @param userID The userID.
+     * @param emailAddress The user's email address.
+     *
+     * @return User instance.
+     *
+     * @throws UserNotFoundException when the user is not found.
+     * @throws UserAlreadyExistsException A user with the email address already exists
+     * @throws TransientException If an temporary, unexpected problem occurred.
+     * @throws AccessControlException If the operation is not permitted.
+     */
+    User getUserByEmailAddress(String emailAddress)
+            throws UserNotFoundException, UserAlreadyExistsException,
+            TransientException, AccessControlException;
+
+    /**
+     * Get the user with the specified Principal whose account is pending approval.
+     *
+     * @param userID A Principal of the User.
      *
      * @return User instance.
      *
@@ -139,14 +155,14 @@ public interface UserPersistence<T extends Principal>
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
-    User<T> getPendingUser(T userID)
+    User getUserRequest(Principal userID)
         throws UserNotFoundException, TransientException,
         AccessControlException;
 
     /**
-     * Get the user specified by userID with all of the users identities.
+     * Get the user with the specified Principal with all of the users identities.
      *
-     * @param userID The userID.
+     * @param userID A Principal of the User.
      *
      * @return User instance.
      *
@@ -154,7 +170,7 @@ public interface UserPersistence<T extends Principal>
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
-    User<T> getAugmentedUser(T userID)
+    User getAugmentedUser(Principal userID)
         throws UserNotFoundException, TransientException,
         AccessControlException;
 
@@ -165,7 +181,7 @@ public interface UserPersistence<T extends Principal>
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
-    Collection<User<Principal>> getUsers()
+    Collection<User> getUsers()
             throws TransientException, AccessControlException;
 
     /**
@@ -175,14 +191,14 @@ public interface UserPersistence<T extends Principal>
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
-    Collection<User<Principal>> getPendingUsers()
+    Collection<User> getUserRequests()
         throws TransientException, AccessControlException;
 
     /**
-     * Move the pending user specified by userID from the
+     * Move the pending user with the specified Principal from the
      * pending users tree to the active users tree.
      *
-     * @param userID      The userID.
+     * @param userID A Principal of the User.
      *
      * @return User instance.
      *
@@ -190,12 +206,12 @@ public interface UserPersistence<T extends Principal>
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
-    User<T> approvePendingUser(T userID)
+    User approveUserRequest(Principal userID)
         throws UserNotFoundException, TransientException,
         AccessControlException;
 
     /**
-     * Update the user specified by userID in the active users tree.
+     * Update the user with the specified Principal in the active users tree.
      *
      * @param user      The user instance to modify.
      *
@@ -205,33 +221,46 @@ public interface UserPersistence<T extends Principal>
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
-    User<T> modifyUser(User<T> user)
+    User modifyUser(User user)
         throws UserNotFoundException, TransientException,
                AccessControlException;
 
     /**
-     * Delete the user specified by userID from the active users tree.
+     * Delete the user with the specified Principal from the active users tree.
      *
-     * @param userID The userID.
+     * @param userID A Principal of the User.
      *
      * @throws UserNotFoundException when the user is not found.
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
-    void deleteUser(T userID)
+    void deleteUser(Principal userID)
         throws UserNotFoundException, TransientException,
                AccessControlException;
 
     /**
-     * Delete the user specified by userID from the pending users tree.
+     * Deactivate the user with the specified Principal from the active users tree.
      *
-     * @param userID The userID.
+     * @param userID A Principal of the User.
+     *
+     * @throws UserNotFoundException when the user is not found.
+     * @throws TransientException If an temporary, unexpected problem occurred.
+     * @throws AccessControlException If the operation is not permitted.
+     */
+    void deactivateUser(Principal userID)
+        throws UserNotFoundException, TransientException,
+               AccessControlException;
+
+    /**
+     * Delete the user with the specified Principal from the pending users tree.
+     *
+     * @param userID A Principal of the User.
      *
      * @throws UserNotFoundException when the user is not found.
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
-    void deletePendingUser(T userID)
+    void deleteUserRequest(Principal userID)
         throws UserNotFoundException, TransientException,
                AccessControlException;
 
@@ -264,4 +293,16 @@ public interface UserPersistence<T extends Principal>
     void setPassword(HttpPrincipal userID, String oldPassword, String newPassword)
         throws UserNotFoundException, TransientException, AccessControlException;
 
+    /**
+     * Reset a user's password. The given user and authenticating user must match.
+     *
+     * @param userID
+     * @param newPassword   new password.
+     * @throws UserNotFoundException If the given user does not exist.
+     * @throws TransientException   If an temporary, unexpected problem occurred.
+     * @throws AccessControlException If the operation is not permitted.
+     */
+    void resetPassword(HttpPrincipal userID, String newPassword)
+        throws UserNotFoundException, TransientException, AccessControlException;
+
 }

cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapConfig.java

@@ -115,8 +115,15 @@ public class LdapConfig
     public enum PoolPolicy
     {
         roundRobin,
-        fewestConnections;
-    };
+        fewestConnections
+    }
+
+    public enum SystemState
+    {
+        ONLINE,
+        READONLY,
+        OFFLINE
+    }
 
     public class LdapPool
     {
@@ -210,6 +217,7 @@ public class LdapConfig
     private String proxyUserDN;
     private String proxyPasswd;
     private String dbrcHost;
+    private SystemState systemState;
 
     public String getProxyUserDN()
     {
@@ -251,6 +259,8 @@ public class LdapConfig
         ldapConfig.groupsDN = getProperty(pr, LDAP_GROUPS_DN);
         ldapConfig.adminGroupsDN = getProperty(pr, LDAP_ADMIN_GROUPS_DN);
 
+        ldapConfig.systemState = getSystemState(ldapConfig);
+
         try
         {
             DBConfig dbConfig = new DBConfig();
@@ -304,6 +314,27 @@ public class LdapConfig
         return Arrays.asList(props);
     }
 
+    private static SystemState getSystemState(LdapConfig ldapConfig)
+    {
+        if (ldapConfig.getReadOnlyPool().getMaxSize() == 0)
+        {
+            return SystemState.OFFLINE;
+        }
+
+        if (ldapConfig.getUnboundReadOnlyPool().getMaxSize() == 0)
+        {
+            return SystemState.OFFLINE;
+        }
+
+        if (ldapConfig.getReadWritePool().getMaxSize() == 0)
+        {
+            return SystemState.READONLY;
+        }
+
+        return SystemState.ONLINE;
+    }
+
+
     @Override
     public boolean equals(Object other)
     {
@@ -409,6 +440,17 @@ public class LdapConfig
         return this.proxyPasswd;
     }
 
+    /**
+     * Check if in read-only or offline mode.
+     *
+     * A read max connection size of zero implies offline mode.
+     * A read-wrtie max connection size of zero implies read-only mode.
+     */
+    public SystemState getSystemState()
+    {
+        return systemState;
+    }
+
     public String toString()
     {
         StringBuilder sb = new StringBuilder();
@@ -421,4 +463,5 @@ public class LdapConfig
 
         return sb.toString();
     }
+
 }

cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapConnectionPool.java

@@ -73,18 +73,16 @@ import org.apache.log4j.Logger;
 
 import ca.nrc.cadc.ac.server.ldap.LdapConfig.LdapPool;
 import ca.nrc.cadc.ac.server.ldap.LdapConfig.PoolPolicy;
+import ca.nrc.cadc.ac.server.ldap.LdapConfig.SystemState;
 import ca.nrc.cadc.net.TransientException;
 import ca.nrc.cadc.profiler.Profiler;
 
 import com.unboundid.ldap.sdk.FewestConnectionsServerSet;
-import com.unboundid.ldap.sdk.Filter;
 import com.unboundid.ldap.sdk.LDAPConnection;
 import com.unboundid.ldap.sdk.LDAPConnectionOptions;
 import com.unboundid.ldap.sdk.LDAPConnectionPool;
 import com.unboundid.ldap.sdk.LDAPException;
 import com.unboundid.ldap.sdk.RoundRobinServerSet;
-import com.unboundid.ldap.sdk.SearchRequest;
-import com.unboundid.ldap.sdk.SearchScope;
 import com.unboundid.ldap.sdk.ServerSet;
 import com.unboundid.ldap.sdk.SimpleBindRequest;
 
@@ -100,15 +98,15 @@ public class LdapConnectionPool
 {
     private static final Logger logger = Logger.getLogger(LdapConnectionPool.class);
 
-    Profiler profiler = new Profiler(LdapConnectionPool.class);
-
     protected LdapConfig currentConfig;
     private String poolName;
     private LDAPConnectionPool pool;
     private Object poolMonitor = new Object();
     private LDAPConnectionOptions connectionOptions;
+    private boolean readOnly;
+    private SystemState systemState;
 
-    public LdapConnectionPool(LdapConfig config, LdapPool poolConfig, String poolName, boolean boundPool)
+    public LdapConnectionPool(LdapConfig config, LdapPool poolConfig, String poolName, boolean boundPool, boolean readOnly)
     {
         if (config == null)
             throw new IllegalArgumentException("config required");
@@ -122,38 +120,73 @@ public class LdapConnectionPool
         connectionOptions.setAutoReconnect(true);
         currentConfig = config;
         this.poolName = poolName;
+        this.readOnly = readOnly;
+
+        systemState = config.getSystemState();
+        logger.debug("Construct pool: " + poolName + ". system state: " + systemState);
+        if (SystemState.ONLINE.equals(systemState) || (SystemState.READONLY.equals(systemState) && readOnly))
+        {
+            Profiler profiler = new Profiler(LdapConnectionPool.class);
             synchronized (poolMonitor)
             {
                 if (!boundPool)
                     pool = createPool(config, poolConfig, poolName, null, null);
                 else
                     pool = createPool(config, poolConfig, poolName, config.getAdminUserDN(), config.getAdminPasswd());
+
+                if (pool != null)
+                {
                     logger.debug(poolName + " statistics after create:\n" + pool.getConnectionPoolStatistics());
                     profiler.checkpoint("Create read only pool.");
                 }
             }
+        }
+        else
+        {
+            logger.debug("Not creating pool " + poolName + " because system state is " + systemState);
+        }
+    }
 
     public LDAPConnection getConnection() throws TransientException
     {
+
+        logger.debug("Get connection: " + poolName + ". system state: " + systemState);
+        if (SystemState.OFFLINE.equals(systemState))
+        {
+            throw new TransientException("The system is down for maintenance.", 600);
+        }
+
+        if (SystemState.READONLY.equals(systemState))
+        {
+            if (!readOnly)
+            {
+                throw new TransientException("The system is in read-only mode.", 600);
+            }
+        }
+
         try
         {
+            Profiler profiler = new Profiler(LdapConnectionPool.class);
             LDAPConnection conn = null;
             synchronized (poolMonitor)
             {
                 conn = pool.getConnection();
-                profiler.checkpoint("pool.getConnection");
 
                 // BM: This query to the base dn (starting at dc=) has the
                 // effect of clearing any proxied authorization state associated
                 // with the receiving ldap server connection.  Without this in
                 // place, proxied authorization information is sometimes ignored.
-                logger.debug("Testing connection");
-                int dcIndex = currentConfig.getGroupsDN().indexOf("dc=");
-                String dcDN = currentConfig.getGroupsDN().substring(dcIndex);
-                Filter filter = Filter.createEqualityFilter("dc", "*");
-                SearchRequest searchRequest = new SearchRequest(dcDN, SearchScope.BASE, filter, new String[] {"entrydn"});
-                conn.search(searchRequest);
-                profiler.checkpoint("pool.initConnection");
+//                logger.debug("Testing connection");
+//                int index = currentConfig.getGroupsDN().indexOf(',');
+//                String rdn = currentConfig.getGroupsDN().substring(0, index);
+//                Filter filter = Filter.create("(" + rdn + ")");
+//
+//                index = rdn.indexOf('=');
+//                String attribute = rdn.substring(0, index);
+//
+//                SearchRequest searchRequest = new SearchRequest(currentConfig.getGroupsDN(), SearchScope.BASE, filter, new String[] {attribute});
+//                conn.search(searchRequest);
+//                profiler.checkpoint("pool.initConnection");
             }
             logger.debug(poolName + " pool statistics after borrow:\n" + pool.getConnectionPoolStatistics());
             profiler.checkpoint("get " + poolName + " only connection");
@@ -169,9 +202,14 @@ public class LdapConnectionPool
 
     public void releaseConnection(LDAPConnection conn)
     {
+        if (pool != null)
+        {
+            Profiler profiler = new Profiler(LdapConnectionPool.class);
             pool.releaseConnection(conn);
+            profiler.checkpoint("pool.releaseConnection");
             logger.debug(poolName + " pool statistics after release:\n" + pool.getConnectionPoolStatistics());
         }
+    }
 
     public LdapConfig getCurrentConfig()
     {
@@ -179,10 +217,14 @@ public class LdapConnectionPool
     }
 
     public void shutdown()
+    {
+        if (pool != null)
         {
             logger.debug("Closing pool...");
+            Profiler profiler = new Profiler(LdapConnectionPool.class);
             pool.close();
-        profiler.checkpoint("Pool closed.");
+            profiler.checkpoint("pool.shutdown");
+        }
     }
 
     public String getName()
@@ -191,7 +233,6 @@ public class LdapConnectionPool
     }
 
     private LDAPConnectionPool createPool(LdapConfig config, LdapPool poolConfig, String poolName, String bindID, String bindPW)
-
     {
         try
         {
@@ -244,5 +285,4 @@ public class LdapConnectionPool
         }
     }
 
-
 }