From 3d1706fcbe7f95830ff6fd23cf679ee55c6d0595 Mon Sep 17 00:00:00 2001 From: Instrumental Date: Wed, 7 Aug 2019 13:40:39 -0500 Subject: Remove Tabs, per Jococo Issue-ID: AAF-932 Change-Id: I3ab0ebcc082048d2d1424a58a90ea479fb005ee6 Signed-off-by: Instrumental --- .../org/onap/aaf/auth/service/AAF_Service.java | 20 +- .../aaf/auth/service/AuthzCassServiceImpl.java | 952 ++++++++++----------- .../org/onap/aaf/auth/service/AuthzService.java | 2 +- .../org/onap/aaf/auth/service/api/API_Creds.java | 2 +- .../onap/aaf/auth/service/api/API_UserRole.java | 4 +- .../onap/aaf/auth/service/facade/AuthzFacade.java | 2 +- .../aaf/auth/service/facade/AuthzFacadeImpl.java | 20 +- .../onap/aaf/auth/service/mapper/Mapper_2_0.java | 72 +- .../auth/service/validation/ServiceValidator.java | 10 +- .../aaf/auth/service/test/JU_BaseServiceImpl.java | 112 +-- .../test/JU_ServiceImpl_createUserCred.java | 152 ++-- 11 files changed, 674 insertions(+), 674 deletions(-) (limited to 'auth/auth-service') diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java index 333c0fc1..bdba4696 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java @@ -196,11 +196,11 @@ public class AAF_Service extends AbsService { @Override public void postStartup(final String hostname, final int port) throws APIException { - try { - CacheInfoDAO.startUpdate(env, aafCon().hman(), aafCon().securityInfo().defSS,hostname,port); - } catch (CadiException | LocatorException e) { - throw new APIException(e); - } + try { + CacheInfoDAO.startUpdate(env, aafCon().hman(), aafCon().securityInfo().defSS,hostname,port); + } catch (CadiException | LocatorException e) { + throw new APIException(e); + } } @Override 
@@ -241,11 +241,11 @@ public class AAF_Service extends AbsService { try { new JettyServiceStarter( - new AAF_Service(new AuthzEnv(propAccess)),true) - .start(); - } catch (Exception e) { - propAccess.log(e); - } + new AAF_Service(new AuthzEnv(propAccess)),true) + .start(); + } catch (Exception e) { + propAccess.log(e); + } } catch (Exception e) { e.printStackTrace(); } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index d102b045..3b010821 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -118,7 +118,7 @@ public class AuthzCassServiceImpl { private static final String TWO_SPACE = " "; - private Mapper mapper; + private Mapper mapper; @Override public Mapper mapper() {return mapper;} 
@@ -816,120 +816,120 @@ public class AuthzCassServiceImpl 0) { - PermDAO.Data pdd = newPd.value; - if(trans.user().equals(newPd.value.ns)) { - CachedPermDAO permDAO = ques.permDAO(); - Result> rlpdd = permDAO.read(trans, pdd); - if(rlpdd.notOK()) { - return Result.err(rlpdd); - } - if(!rlpdd.isEmpty()) { - return Result.err(Result.ERR_ConflictAlreadyExists,"Permission already exists"); - } - - RoleDAO.Data rdd = new RoleDAO.Data(); - rdd.ns = pdd.ns; - rdd.name = "user"; - - pdd.roles(true).add(rdd.fullName()); - Result rpdd = permDAO.create(trans, pdd); - if(rpdd.notOK()) { - return Result.err(rpdd); - } - - CachedRoleDAO roleDAO = ques.roleDAO(); - Result> rlrdd = roleDAO.read(trans, rdd); - if(rlrdd.notOK()) { - return Result.err(rlrdd); - } else { - if(!rlrdd.isEmpty()) { - rdd = rlrdd.value.get(0); - } - } - - String eperm = pdd.encode(); - rdd.perms(true).add(eperm); - Result rv = roleDAO.update(trans, rdd); - if(rv.notOK()) { - return rv; - } - - CachedUserRoleDAO urDAO = ques.userRoleDAO(); - UserRoleDAO.Data urdd = new UserRoleDAO.Data(); - urdd.user = trans.user(); - urdd.ns = rdd.ns; - urdd.rname = rdd.name; - urdd.role = rdd.fullName(); - Result> rlurdd = urDAO.read(trans, urdd); - if(rlurdd.notOK()) { - return Result.err(rlrdd); - } else if(rlurdd.isEmpty()) { - GregorianCalendar gc = trans.org().expiration(null, Expiration.UserInRole); - if(gc==null) { - return Result.err(Result.ERR_Policy,"Organzation does not grant Expiration for UserRole"); - } else { - urdd.expires = gc.getTime(); - } - Result rurdd = urDAO.create(trans, urdd); - return Result.err(rurdd); - } - return rv; - } else { - return Result.err(Result.ERR_Security,"Only the User can create User Permissions"); - } + PermDAO.Data pdd = newPd.value; + if(trans.user().equals(newPd.value.ns)) { + CachedPermDAO permDAO = ques.permDAO(); + Result> rlpdd = permDAO.read(trans, pdd); + if(rlpdd.notOK()) { + return Result.err(rlpdd); + } + if(!rlpdd.isEmpty()) { + return 
Result.err(Result.ERR_ConflictAlreadyExists,"Permission already exists"); + } + + RoleDAO.Data rdd = new RoleDAO.Data(); + rdd.ns = pdd.ns; + rdd.name = "user"; + + pdd.roles(true).add(rdd.fullName()); + Result rpdd = permDAO.create(trans, pdd); + if(rpdd.notOK()) { + return Result.err(rpdd); + } + + CachedRoleDAO roleDAO = ques.roleDAO(); + Result> rlrdd = roleDAO.read(trans, rdd); + if(rlrdd.notOK()) { + return Result.err(rlrdd); + } else { + if(!rlrdd.isEmpty()) { + rdd = rlrdd.value.get(0); + } + } + + String eperm = pdd.encode(); + rdd.perms(true).add(eperm); + Result rv = roleDAO.update(trans, rdd); + if(rv.notOK()) { + return rv; + } + + CachedUserRoleDAO urDAO = ques.userRoleDAO(); + UserRoleDAO.Data urdd = new UserRoleDAO.Data(); + urdd.user = trans.user(); + urdd.ns = rdd.ns; + urdd.rname = rdd.name; + urdd.role = rdd.fullName(); + Result> rlurdd = urDAO.read(trans, urdd); + if(rlurdd.notOK()) { + return Result.err(rlrdd); + } else if(rlurdd.isEmpty()) { + GregorianCalendar gc = trans.org().expiration(null, Expiration.UserInRole); + if(gc==null) { + return Result.err(Result.ERR_Policy,"Organzation does not grant Expiration for UserRole"); + } else { + urdd.expires = gc.getTime(); + } + Result rurdd = urDAO.create(trans, urdd); + return Result.err(rurdd); + } + return rv; + } else { + return Result.err(Result.ERR_Security,"Only the User can create User Permissions"); + } } else { - // Does Perm Type exist as a Namespace? 
- if(newPd.value.type.isEmpty() || ques.nsDAO().read(trans, newPd.value.fullType()).isOKhasData()) { - return Result.err(Status.ERR_ConflictAlreadyExists, - "Permission Type exists as a Namespace"); - } - - Result fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false, - new Mapper.Memo() { - @Override - public String get() { - return "Create Permission [" + - newPd.value.fullType() + '|' + - newPd.value.instance + '|' + - newPd.value.action + ']'; - } - }, - new MayChange() { - private Result nsd; - @Override - public Result mayChange() { - if (nsd==null) { - nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write); - } - return nsd; - } - }); - - Result> nsr = ques.nsDAO().read(trans, newPd.value.ns); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - switch(fd.status) { - case OK: - Result rfc = func.createFuture(trans,fd.value, - newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action, - trans.user(), - nsr.value.get(0), - FUTURE_OP.C); - if (rfc.isOK()) { - return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", - newPd.value.ns, - newPd.value.type, - newPd.value.instance, - newPd.value.action); - } else { - return Result.err(rfc); - } - case Status.ACC_Now: - return func.createPerm(trans, newPd.value, true); - default: - return Result.err(fd); - } + // Does Perm Type exist as a Namespace? 
+ if(newPd.value.type.isEmpty() || ques.nsDAO().read(trans, newPd.value.fullType()).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Permission Type exists as a Namespace"); + } + + Result fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false, + new Mapper.Memo() { + @Override + public String get() { + return "Create Permission [" + + newPd.value.fullType() + '|' + + newPd.value.instance + '|' + + newPd.value.action + ']'; + } + }, + new MayChange() { + private Result nsd; + @Override + public Result mayChange() { + if (nsd==null) { + nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write); + } + return nsd; + } + }); + + Result> nsr = ques.nsDAO().read(trans, newPd.value.ns); + if (nsr.notOKorIsEmpty()) { + return Result.err(nsr); + } + switch(fd.status) { + case OK: + Result rfc = func.createFuture(trans,fd.value, + newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action, + trans.user(), + nsr.value.get(0), + FUTURE_OP.C); + if (rfc.isOK()) { + return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", + newPd.value.ns, + newPd.value.type, + newPd.value.instance, + newPd.value.action); + } else { + return Result.err(rfc); + } + case Status.ACC_Now: + return func.createPerm(trans, newPd.value, true); + default: + return Result.err(fd); + } } } 
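Review bot: In the user-permission branch of this hunk, the check on the user-role read returns the wrong result: `if(rlurdd.notOK()) { return Result.err(rlrdd); }` passes `rlrdd`, the role read that already succeeded a few lines earlier, so the failure carried by `rlurdd` never reaches the caller. It should read `return Result.err(rlurdd);`. By that point the permission has been created and the role updated, so depending on how `Result.err` treats an OK result (not visible here), the caller may be told the user-role step went through when it did not. The same branch ends with `return Result.err(rurdd);` directly after `urDAO.create(trans, urdd)` without testing `rurdd.notOK()`; if returning through `err` on success is intended, it deserves a comment. The enclosing method begins above the hunk.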
@@ -1995,7 +1995,7 @@ public class AuthzCassServiceImpl rfc = func.createFuture(trans,fd.value, - rpd.value.fullPerm(), - trans.user(), - nsr.value.get(0), - FUTURE_OP.G); - if (rfc.isOK()) { - return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", - rpd.value.ns, - rpd.value.type, - rpd.value.instance, - rpd.value.action); - } else { - return Result.err(rfc); - } - case Status.ACC_Now: - Result rv = null; - if (createPerm!=null) {// has been validated for creating - rv = func.createPerm(trans, createPerm, false); - } - if (rv==null || rv.isOK()) { - rv = func.addPermToRole(trans, rrd.value, rpd.value, false); - } - return rv; - default: - return Result.err(fd); + case OK: + Result rfc = func.createFuture(trans,fd.value, + rpd.value.fullPerm(), + trans.user(), + nsr.value.get(0), + FUTURE_OP.G); + if (rfc.isOK()) { + return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", + rpd.value.ns, + rpd.value.type, + rpd.value.instance, + rpd.value.action); + } else { + return Result.err(rfc); + } + case Status.ACC_Now: + Result rv = null; + if (createPerm!=null) {// has been validated for creating + rv = func.createPerm(trans, createPerm, false); + } + if (rv==null || rv.isOK()) { + rv = func.addPermToRole(trans, rrd.value, rpd.value, false); + } + return rv; + default: + return Result.err(fd); } } @@ -2310,12 +2310,12 @@ public class AuthzCassServiceImpl nsd; + private static final String RESET = "reset"; + private static final String DELETE = "delete"; + private Result nsd; private AuthzTrans trans; private CredDAO.Data cred; - private String action; + private String action; public MayChangeCred(AuthzTrans trans, CredDAO.Data cred, String action) { this.trans = trans; this.cred = cred; 
@@ -2330,35 +2330,35 @@ public class AuthzCassServiceImpl TimeUnit.DAYS.toMillis(1)) { - return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); - } - } - } + if(rcred.value.type==CredDAO.FQI ) { + if(curr.type==CredDAO.FQI) { + return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); + } + } else { + + rb = ques.userCredCheck(trans, curr, rcred.value.cred!=null?rcred.value.cred.array():null); + if (rb.notOK()) { + return Result.err(rb); + } else if (rb.value){ + return Result.err(Status.ERR_Policy, "Credential content cannot be reused."); + } else if(Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) + && curr.type==rcred.value.type + ) { + // Allow if expiring differential is greater than 1 day (for TEMP) + // Unless expiring in 1 day + if(System.currentTimeMillis() - rcred.value.expires.getTime() > TimeUnit.DAYS.toMillis(1)) { + return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); + } + } + } } } else { try { 
@@ -2510,18 +2510,18 @@ public class AuthzCassServiceImpl deleteUserCred(AuthzTrans trans, REQUEST from) { - final Result cred = mapper.cred(trans, from, false); - final Validator v = new ServiceValidator(); - if (v.nullOrBlank("cred", cred.value.id).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - - MayChange mc = new MayChangeCred(trans,cred.value,MayChangeCred.DELETE); - Result rmc = mc.mayChange(); - if (rmc.notOK()) { - return Result.err(rmc); - } - - boolean doForce = trans.requested(force); - Result> rlcd = ques.credDAO().readID(trans, cred.value.id); - if (rlcd.notOKorIsEmpty()) { - // Empty Creds should not have user_roles. - Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); - if (rlurd.isOKhasData()) { - for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO().delete(trans, data, false); - } - } - return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); - } - boolean isLastCred = rlcd.value.size()==1; - - int entry; - CredRequest cr = (CredRequest)from; - if(isLastCred) { - if(cr.getEntry()==null || "1".equals(cr.getEntry())) { - entry = 0; - } else { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } else { - entry = -1; - int fentry = entry; - if(cred.value.type==CredDAO.FQI) { - entry = -1; - for(CredDAO.Data cdd : rlcd.value) { - ++fentry; - if(cdd.type == CredDAO.FQI) { - entry = fentry; - break; - } - } - } else { - if (!doForce) { - if (rlcd.value.size() > 1) { - String inputOption = cr.getEntry(); - if (inputOption == null) { - List list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); - String message = selectCredFromList(list, MayChangeCred.DELETE); - Object[] variables = buildVariables(list); - return Result.err(Status.ERR_ChoiceNeeded, message, variables); - } else { - try { - if (inputOption.length()>5) { // should be a date - Date d = 
Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); - for (CredDAO.Data cd : rlcd.value) { - ++fentry; - if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { - entry = fentry; - break; - } - } - } else { - entry = Integer.parseInt(inputOption) - 1; - int count = 0; - for (CredDAO.Data cd : rlcd.value) { - if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { - ++entry; - } - if(++count>entry) { - break; - } - } - } - } catch (NullPointerException e) { - return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); - } catch (NumberFormatException e) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - isLastCred = (entry==-1); - } else { - isLastCred = true; - } - if (entry < -1 || entry >= rlcd.value.size()) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - } - } - - Result fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false, - () -> "Delete Credential [" + - cred.value.id + - ']', - mc); - - Result> nsr = ques.nsDAO().read(trans, cred.value.ns); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - - switch(fd.status) { - case OK: - Result rfc = func.createFuture(trans, fd.value, cred.value.id, - trans.user(), nsr.value.get(0), FUTURE_OP.D); - - if (rfc.isOK()) { - return Result.err(Status.ACC_Future, "Credential Delete [%s] is saved for future processing",cred.value.id); - } else { - return Result.err(rfc); - } - case Status.ACC_Now: - Resultudr = null; - if (!trans.requested(force)) { - if (entry<0 || entry >= rlcd.value.size()) { - if(cred.value.type==CredDAO.FQI) { - return Result.err(Status.ERR_BadData,"FQI does not exist"); - } else { - return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); - } - } - udr = ques.credDAO().delete(trans, 
rlcd.value.get(entry),false); - } else { - for (CredDAO.Data curr : rlcd.value) { - udr = ques.credDAO().delete(trans, curr, false); - if (udr.notOK()) { - return Result.err(udr); - } - } - } - if (isLastCred) { - Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); - if (rlurd.isOK()) { - for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO().delete(trans, data, false); - } - } - } - if (udr==null) { - return Result.err(Result.ERR_NotFound,"No User Data found"); - } - if (udr.isOK()) { - return Result.ok(); - } - return Result.err(udr); - default: - return Result.err(fd); - } - - } - - /* - * Codify the way to get Either Choice Needed or actual Integer from Credit Request - */ - private Result selectEntryIfMultiple(final CredRequest cr, List lcd, String action) { - int entry = 0; - if (lcd.size() > 1) { - String inputOption = cr.getEntry(); - if (inputOption == null) { - String message = selectCredFromList(lcd, action); - Object[] variables = buildVariables(lcd); - return Result.err(Status.ERR_ChoiceNeeded, message, variables); - } else { - if(MayChangeCred.EXTEND.equals(action)) { - // might be Tag - if(inputOption.length()>4) { //Tag is at least 12 - int e = 0; - CredDAO.Data last = null; - int lastIdx = -1; - for(CredDAO.Data cdd : lcd) { - if(inputOption.equals(cdd.tag)) { - if(last==null) { - last = cdd; - lastIdx = e; - } else { - if(last.expires.before(cdd.expires)) { - last = cdd; - lastIdx = e; - } - } - } - ++e; - } - if(last!=null) { - return Result.ok(lastIdx); - } - return Result.err(Status.ERR_BadData, "User chose unknown Tag"); - } - } - entry = Integer.parseInt(inputOption) - 1; - } - if (entry < 0 || entry >= lcd.size()) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - return Result.ok(entry); - } - - private List filterList(List orig, Integer ... 
types) { - List rv = new ArrayList<>(); + method = DELETE, + path = "/authn/cred", + params = {}, + expectedCode = 200, + errorCodes = {300,403,404,406}, + text = { "Delete a Credential. If multiple credentials exist for this", + "ID, you will need to specify which entry you are deleting in the", + "CredRequest object." + } + ) + @Override + public Result deleteUserCred(AuthzTrans trans, REQUEST from) { + final Result cred = mapper.cred(trans, from, false); + final Validator v = new ServiceValidator(); + if (v.nullOrBlank("cred", cred.value.id).err()) { + return Result.err(Status.ERR_BadData,v.errs()); + } + + MayChange mc = new MayChangeCred(trans,cred.value,MayChangeCred.DELETE); + Result rmc = mc.mayChange(); + if (rmc.notOK()) { + return Result.err(rmc); + } + + boolean doForce = trans.requested(force); + Result> rlcd = ques.credDAO().readID(trans, cred.value.id); + if (rlcd.notOKorIsEmpty()) { + // Empty Creds should not have user_roles. + Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); + if (rlurd.isOKhasData()) { + for (UserRoleDAO.Data data : rlurd.value) { + ques.userRoleDAO().delete(trans, data, false); + } + } + return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); + } + boolean isLastCred = rlcd.value.size()==1; + + int entry; + CredRequest cr = (CredRequest)from; + if(isLastCred) { + if(cr.getEntry()==null || "1".equals(cr.getEntry())) { + entry = 0; + } else { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } else { + entry = -1; + int fentry = entry; + if(cred.value.type==CredDAO.FQI) { + entry = -1; + for(CredDAO.Data cdd : rlcd.value) { + ++fentry; + if(cdd.type == CredDAO.FQI) { + entry = fentry; + break; + } + } + } else { + if (!doForce) { + if (rlcd.value.size() > 1) { + String inputOption = cr.getEntry(); + if (inputOption == null) { + List list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); + String message = 
selectCredFromList(list, MayChangeCred.DELETE); + Object[] variables = buildVariables(list); + return Result.err(Status.ERR_ChoiceNeeded, message, variables); + } else { + try { + if (inputOption.length()>5) { // should be a date + Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); + for (CredDAO.Data cd : rlcd.value) { + ++fentry; + if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { + entry = fentry; + break; + } + } + } else { + entry = Integer.parseInt(inputOption) - 1; + int count = 0; + for (CredDAO.Data cd : rlcd.value) { + if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { + ++entry; + } + if(++count>entry) { + break; + } + } + } + } catch (NullPointerException e) { + return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); + } catch (NumberFormatException e) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } + isLastCred = (entry==-1); + } else { + isLastCred = true; + } + if (entry < -1 || entry >= rlcd.value.size()) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } + } + } + + Result fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false, + () -> "Delete Credential [" + + cred.value.id + + ']', + mc); + + Result> nsr = ques.nsDAO().read(trans, cred.value.ns); + if (nsr.notOKorIsEmpty()) { + return Result.err(nsr); + } + + switch(fd.status) { + case OK: + Result rfc = func.createFuture(trans, fd.value, cred.value.id, + trans.user(), nsr.value.get(0), FUTURE_OP.D); + + if (rfc.isOK()) { + return Result.err(Status.ACC_Future, "Credential Delete [%s] is saved for future processing",cred.value.id); + } else { + return Result.err(rfc); + } + case Status.ACC_Now: + Resultudr = null; + if (!trans.requested(force)) { + if (entry<0 || entry >= rlcd.value.size()) { + if(cred.value.type==CredDAO.FQI) { + return 
Result.err(Status.ERR_BadData,"FQI does not exist"); + } else { + return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); + } + } + udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false); + } else { + for (CredDAO.Data curr : rlcd.value) { + udr = ques.credDAO().delete(trans, curr, false); + if (udr.notOK()) { + return Result.err(udr); + } + } + } + if (isLastCred) { + Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); + if (rlurd.isOK()) { + for (UserRoleDAO.Data data : rlurd.value) { + ques.userRoleDAO().delete(trans, data, false); + } + } + } + if (udr==null) { + return Result.err(Result.ERR_NotFound,"No User Data found"); + } + if (udr.isOK()) { + return Result.ok(); + } + return Result.err(udr); + default: + return Result.err(fd); + } + + } + + /* + * Codify the way to get Either Choice Needed or actual Integer from Credit Request + */ + private Result selectEntryIfMultiple(final CredRequest cr, List lcd, String action) { + int entry = 0; + if (lcd.size() > 1) { + String inputOption = cr.getEntry(); + if (inputOption == null) { + String message = selectCredFromList(lcd, action); + Object[] variables = buildVariables(lcd); + return Result.err(Status.ERR_ChoiceNeeded, message, variables); + } else { + if(MayChangeCred.EXTEND.equals(action)) { + // might be Tag + if(inputOption.length()>4) { //Tag is at least 12 + int e = 0; + CredDAO.Data last = null; + int lastIdx = -1; + for(CredDAO.Data cdd : lcd) { + if(inputOption.equals(cdd.tag)) { + if(last==null) { + last = cdd; + lastIdx = e; + } else { + if(last.expires.before(cdd.expires)) { + last = cdd; + lastIdx = e; + } + } + } + ++e; + } + if(last!=null) { + return Result.ok(lastIdx); + } + return Result.err(Status.ERR_BadData, "User chose unknown Tag"); + } + } + entry = Integer.parseInt(inputOption) - 1; + } + if (entry < 0 || entry >= lcd.size()) { + return Result.err(Status.ERR_BadData, "User chose 
invalid credential selection"); + } + } + return Result.ok(entry); + } + + private List filterList(List orig, Integer ... types) { + List rv = new ArrayList<>(); for(CredDAO.Data cdd : orig) { - if(cdd!=null) { - for(int t : types) { - if(t==cdd.type) { - rv.add(cdd); - } - } - } + if(cdd!=null) { + for(int t : types) { + if(t==cdd.type) { + rv.add(cdd); + } + } + } } Collections.sort(rv, (o1,o2) -> { - if(o1.type==o2.type) { - return o1.expires.compareTo(o2.expires); - } else { - return o1.type.compareTo(o2.type); - } + if(o1.type==o2.type) { + return o1.expires.compareTo(o2.expires); + } else { + return o1.type.compareTo(o2.type); + } }); - return rv; - } + return rv; + } - private String[] buildVariables(List value) { + private String[] buildVariables(List value) { String [] vars = new String[value.size()]; CredDAO.Data cdd; for (int i = 0; i < value.size(); i++) { - cdd = value.get(i); - vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag; + cdd = value.get(i); + vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag; } return vars; } @@ -3116,8 +3116,8 @@ public class AuthzCassServiceImpl value, String action) { StringBuilder errMessage = new StringBuilder(); String userPrompt = MayChangeCred.DELETE.equals(action)? - "Select which cred to delete (set force=true to delete all):": - "Select which cred to " + action + ':'; + "Select which cred to delete (set force=true to delete all):": + "Select which cred to " + action + ':'; int numSpaces = value.get(0).id.length() - "Id".length(); errMessage.append(userPrompt + '\n'); 
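Review bot: In `deleteUserCred`, `rlcd.notOKorIsEmpty()` treats a failed credential read (judging by the method name) the same as an ID with no credentials, and that shared path deletes every user-role that `readByUser` returns for the ID. A transient read error on the credential store would therefore strip the ID's roles and then report `ERR_UserNotFound`. Handling the failure first with `if (rlcd.notOK()) { return Result.err(rlcd); }` limits the cleanup to the genuinely empty case that the comment describes. Separately, `cred.value.id` is read straight after `mapper.cred(trans, from, false)` with no `cred.notOK()` check, which looks like it can dereference a null `value` when mapping fails.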
@@ -3132,7 +3132,7 @@ public class AuthzCassServiceImpl nsd; @Override public Result mayChange() { - if(urr.value.role.startsWith(urr.value.user)) { - return Result.ok((NsDAO.Data)null); - } + if(urr.value.role.startsWith(urr.value.user)) { + return Result.ok((NsDAO.Data)null); + } if (nsd==null) { RoleDAO.Data r = RoleDAO.Data.decode(userRole); nsd = ques.mayUser(trans, trans.user(), r, Access.write); @@ -3264,15 +3264,15 @@ public class AuthzCassServiceImpl nsr = ques.deriveNs(trans, userRole.role); - if (nsr.notOK()) { - return Result.err(nsr); - } - ndd = nsr.value; + Result nsr = ques.deriveNs(trans, userRole.role); + if (nsr.notOK()) { + return Result.err(nsr); + } + ndd = nsr.value; } switch(fd.status) { @@ -3820,17 +3820,17 @@ public class AuthzCassServiceImpl > resp; if(type.startsWith(trans.user())) { - resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); + resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); } else { Result rnd = ques.deriveNs(trans,type); - if (rnd.notOK()) { - return Result.err(rnd); - } - rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read); - if (rnd.notOK()) { - return Result.err(rnd); - } - resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); + if (rnd.notOK()) { + return Result.err(rnd); + } + rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read); + if (rnd.notOK()) { + return Result.err(rnd); + } + resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); } if (resp.notOK()) { @@ -3864,8 +3864,8 @@ public class AuthzCassServiceImpl getHistoryBySubject(AuthzTrans trans, String subject, String target, int[] yyyymm, final int sort) { - NsDAO.Data ndd = new NsDAO.Data(); - ndd.name = FQI.reverseDomain(subject); + NsDAO.Data ndd = new NsDAO.Data(); + ndd.name = FQI.reverseDomain(subject); Result rnd = ques.mayUser(trans, trans.user(), ndd, Access.read); if (rnd.notOK()) { return Result.err(rnd); 
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java index 80d317f0..f9f23f46 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java @@ -644,7 +644,7 @@ public interface AuthzService getHistoryBySubject(AuthzTrans trans, String subject, String target, int[] yyyymm, int sort); + public Result getHistoryBySubject(AuthzTrans trans, String subject, String target, int[] yyyymm, int sort); /*********************************** * DELEGATE diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java index c8bae9f0..f7c38681 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java @@ -194,7 +194,7 @@ public class API_Creds { authzAPI.route(POST,"/authn/cred",API.CRED_REQ,new Code(facade,"Add a New ID/Credential", true) { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - Result r = context.createUserCred(trans, req); + Result r = context.createUserCred(trans, req); if (r.isOK()) { resp.setStatus(HttpStatus.CREATED_201); } else { diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java index a56b7c26..15d2302f 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java 
@@ -114,7 +114,7 @@ public class API_UserRole { authzAPI.route(PUT,"/authz/userRole/user",API.USER_ROLE_REQ,new Code(facade,"Update Roles for a user", true) { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - context.error(trans,resp,removeAPI); + context.error(trans,resp,removeAPI); } }); @@ -125,7 +125,7 @@ public class API_UserRole { authzAPI.route(PUT,"/authz/userRole/role",API.USER_ROLE_REQ,new Code(facade,"Update Users for a role", true) { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - context.error(trans,resp,removeAPI); + context.error(trans,resp,removeAPI); } }); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java index 80e02264..f9ea39d6 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java @@ -243,7 +243,7 @@ public interface AuthzFacade { public abstract Result getHistoryBySubject(AuthzTrans trans, HttpServletResponse resp, String type, String subject, int[] yyyymm, int sort); - /* + /* * Cache */ public abstract Result cacheClear(AuthzTrans trans, String pathParam); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java index 323c9fe0..10138d2c 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java 
@@ -174,16 +174,16 @@ public abstract class AuthzFacadeImpl dlist = new ArrayList(); - dlist.add(null); - String os; - for(Object s : result.variables) { - if(s!=null && (os=s.toString()).length()>0) { - dlist.add(os); - } - } - detail = new String[dlist.size()]; - dlist.toArray(detail); + List dlist = new ArrayList(); + dlist.add(null); + String os; + for(Object s : result.variables) { + if(s!=null && (os=s.toString()).length()>0) { + dlist.add(os); + } + } + detail = new String[dlist.size()]; + dlist.toArray(detail); } //int httpstatus; diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java index 56ba5f5f..26216c65 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java 
@@ -367,30 +367,30 @@ public class Mapper_2_0 implements Mapper1?split[1]:""; - pd.instance = from.getInstance(); - pd.action = from.getAction(); - pd.description = from.getDescription(); - return Result.ok(pd); + String[] split = Split.splitTrim(':', type); + pd.ns = split[0]; + pd.type=split.length>1?split[1]:""; + pd.instance = from.getInstance(); + pd.action = from.getAction(); + pd.description = from.getDescription(); + return Result.ok(pd); } else { - Result nss = q.deriveNsSplit(trans, from.getType()); - if (nss.isOK()) { - pd.ns=nss.value.ns; - pd.type = nss.value.name; - pd.instance = from.getInstance(); - pd.action = from.getAction(); - pd.description = from.getDescription(); - trans.checkpoint(pd.fullPerm(), Env.ALWAYS); - return Result.ok(pd); - } else { - return Result.err(nss); - } + Result nss = q.deriveNsSplit(trans, from.getType()); + if (nss.isOK()) { + pd.ns=nss.value.ns; + pd.type = nss.value.name; + pd.instance = from.getInstance(); + pd.action = from.getAction(); + pd.description = from.getDescription(); + trans.checkpoint(pd.fullPerm(), Env.ALWAYS); + return Result.ok(pd); + } else { + return Result.err(nss); + } } } 
@@ -526,23 +526,23 @@ public class Mapper_2_0 implements Mapper0) { - return Result.err(Status.ERR_BadData,ok); - } - } - if (passwd != null) { - to.cred = ByteBuffer.wrap(passwd.getBytes()); - to.type = CredDAO.RAW; - } else { - to.type = CredDAO.NONE; - } - } - + String passwd = from.getPassword(); + if (requiresPass) { + String ok = trans.org().isValidPassword(trans, to.id,passwd); + if (ok.length()>0) { + return Result.err(Status.ERR_BadData,ok); + } + } + if (passwd != null) { + to.cred = ByteBuffer.wrap(passwd.getBytes()); + to.type = CredDAO.RAW; + } else { + to.type = CredDAO.NONE; + } + } + // Note: Ensure requested EndDate created will match Organization Password Rules // P.S. Do not apply TempPassword rule here. Do that when you know you are doing a Create/Reset (see Service) to.expires = getExpires(trans.org(),Expiration.Password,base,from.getId()); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java index df8bde8b..56785fee 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java @@ -57,9 +57,9 @@ public class ServiceValidator extends Validator { if (pd==null) { msg("Perm Data is null."); } else { - if(!pd.ns.contains("@")) { - ns(pd.ns); - } + if(!pd.ns.contains("@")) { + ns(pd.ns); + } permType(pd.type,pd.ns); permInstance(pd.instance); permAction(pd.action); @@ -222,8 +222,8 @@ public class ServiceValidator extends Validator { public ServiceValidator user_role(String user, UserRoleDAO.Data urdd) { role(user,urdd.role); if(!urdd.role.startsWith(user)) { - nullOrBlank("UserRole.ns",urdd.ns); - nullOrBlank("UserRole.rname",urdd.rname); + nullOrBlank("UserRole.ns",urdd.ns); + nullOrBlank("UserRole.rname",urdd.rname); } return this; } 
diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_BaseServiceImpl.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_BaseServiceImpl.java index 5e6cfb62..9a804c98 100644 --- a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_BaseServiceImpl.java +++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_BaseServiceImpl.java @@ -75,20 +75,20 @@ import aaf.v2_0.Users; @RunWith(MockitoJUnitRunner.class) public abstract class JU_BaseServiceImpl { - protected AuthzCassServiceImpl - acsi; - protected Mapper_2_0 mapper; + protected AuthzCassServiceImpl + acsi; + protected Mapper_2_0 mapper; - @Mock + @Mock protected DefaultOrg org; - @Mock + @Mock protected DefaultOrgIdentity orgIdentity; // // NOTE: Annotation format (@Mock and @Spy) do NOT seem to always work as a Base Class, // so we construct manually. // -// Mock Objects +// Mock Objects protected HistoryDAO historyDAO = mock(HistoryDAO.class); protected CacheInfoDAO cacheInfoDAO = mock(CacheInfoDAO.class); protected CachedNSDAO nsDAO = mock(CachedNSDAO.class); 
@@ -102,47 +102,47 @@ public abstract class JU_BaseServiceImpl { protected DelegateDAO delegateDAO = mock(DelegateDAO.class); protected ApprovalDAO approvalDAO = mock(ApprovalDAO.class); - // Spy Objects + // Spy Objects @Spy protected static PropAccess access = new PropAccess(); @Spy - protected static AuthzEnv env = new AuthzEnv(access); + protected static AuthzEnv env = new AuthzEnv(access); @Spy protected static AuthzTrans trans = env.newTransNoAvg(); // @Spy doesn't seem to work on Question. @Spy protected Question question = spy(new Question(trans, - historyDAO,cacheInfoDAO,nsDAO,permDAO, - roleDAO,userRoleDAO,credDAO,certDAO, - locateDAO,futureDAO,delegateDAO,approvalDAO)); + historyDAO,cacheInfoDAO,nsDAO,permDAO, + roleDAO,userRoleDAO,credDAO,certDAO, + locateDAO,futureDAO,delegateDAO,approvalDAO)); - public void setUp() throws Exception { - when(trans.org()).thenReturn(org); - when(org.getDomain()).thenReturn("org.onap"); - Define.set(access); - access.setProperty(Config.CADI_LATITUDE, "38.0"); - access.setProperty(Config.CADI_LONGITUDE, "-72.0"); - - mapper = new Mapper_2_0(question); - acsi = new AuthzCassServiceImpl<>(trans, mapper, question); - } - - ////////// - // Common Data Objects - ///////// + public void setUp() throws Exception { + when(trans.org()).thenReturn(org); + when(org.getDomain()).thenReturn("org.onap"); + Define.set(access); + access.setProperty(Config.CADI_LATITUDE, "38.0"); + access.setProperty(Config.CADI_LONGITUDE, "-72.0"); + + mapper = new Mapper_2_0(question); + acsi = new AuthzCassServiceImpl<>(trans, mapper, question); + } + + ////////// + // Common Data Objects + ///////// protected List nsData(String name) { - NsDAO.Data ndd = new NsDAO.Data(); - ndd.name=name; - int dot = name.lastIndexOf('.'); - if(dot<0) { - ndd.parent="."; - } else { - ndd.parent=name.substring(0,dot); - } - List rv = new ArrayList(); - rv.add(ndd); - return rv; + NsDAO.Data ndd = new NsDAO.Data(); + ndd.name=name; + int dot = name.lastIndexOf('.'); + 
if(dot<0) { + ndd.parent="."; + } else { + ndd.parent=name.substring(0,dot); + } + List rv = new ArrayList(); + rv.add(ndd); + return rv; } /** @@ -155,36 +155,36 @@ public abstract class JU_BaseServiceImpl { * @param days */ protected void whenRole(AuthzTrans trans, String user, String ns, String role, boolean exists, int days) { - Result> result; - if(exists) { - result = Result.ok(listOf(urData(user,ns,role,days))); - } else { - result = Result.ok(emptyList(UserRoleDAO.Data.class)); - } - when(question.userRoleDAO().read(trans, user, ns+'.'+role)).thenReturn(result); + Result> result; + if(exists) { + result = Result.ok(listOf(urData(user,ns,role,days))); + } else { + result = Result.ok(emptyList(UserRoleDAO.Data.class)); + } + when(question.userRoleDAO().read(trans, user, ns+'.'+role)).thenReturn(result); } protected UserRoleDAO.Data urData(String user, String ns, String rname, int days) { - UserRoleDAO.Data urdd = new UserRoleDAO.Data(); - urdd.user = user; - urdd.ns = ns; - urdd.rname = rname; - urdd.role = ns + '.' + rname; - GregorianCalendar gc = new GregorianCalendar(); - gc.add(GregorianCalendar.DAY_OF_YEAR, days); - urdd.expires = gc.getTime(); - return urdd; + UserRoleDAO.Data urdd = new UserRoleDAO.Data(); + urdd.user = user; + urdd.ns = ns; + urdd.rname = rname; + urdd.role = ns + '.' + rname; + GregorianCalendar gc = new GregorianCalendar(); + gc.add(GregorianCalendar.DAY_OF_YEAR, days); + urdd.expires = gc.getTime(); + return urdd; } protected List listOf(T t) { - List list = new ArrayList<>(); - list.add(t); - return list; + List list = new ArrayList<>(); + list.add(t); + return list; } protected List emptyList(Class cls) { - return new ArrayList<>(); + return new ArrayList<>(); } } diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_ServiceImpl_createUserCred.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_ServiceImpl_createUserCred.java index 00da6b4c..2bb907ac 100644 
--- a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_ServiceImpl_createUserCred.java
+++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_ServiceImpl_createUserCred.java
@@ -49,100 +49,100 @@ import junit.framework.Assert; @RunWith(MockitoJUnitRunner.class) public class JU_ServiceImpl_createUserCred extends JU_BaseServiceImpl { - @Mock - private Result rcdd; - - @Before - public void setUp() throws Exception { - super.setUp(); - } + @Mock + private Result rcdd; + + @Before + public void setUp() throws Exception { + super.setUp(); + } @Test public void validCreateNewIsOwner() throws OrganizationException { - CredRequest cr = credRequest1(); - final String fqi = "bob@people.onap.org"; - when(trans.user()).thenReturn(fqi); - when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); - when(org.isValidCred(trans, cr.getId())).thenReturn(true); - when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); - when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); - when(orgIdentity.isFound()).thenReturn(true); - final String ns = "org.onap.sample"; - whenRole(trans, fqi, ns, "owner", false, 100); - when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); - when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(emptyList(CredDAO.Data.class))); - when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(credDataFound(cr,100))); - when(question.credDAO().readNS(trans, ns)).thenReturn(Result.ok(listOf(credDataFound(cr,100)))); - Result result = acsi.createUserCred(trans,cr); - // Owner may do FIRST Creds - Assert.assertEquals(Result.OK,result.status); + CredRequest cr = credRequest1(); + final String fqi = "bob@people.onap.org"; + when(trans.user()).thenReturn(fqi); + when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); + when(org.isValidCred(trans, cr.getId())).thenReturn(true); + when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); + when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); + when(orgIdentity.isFound()).thenReturn(true); + final String ns = "org.onap.sample"; + whenRole(trans, 
fqi, ns, "owner", false, 100); + when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); + when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(emptyList(CredDAO.Data.class))); + when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(credDataFound(cr,100))); + when(question.credDAO().readNS(trans, ns)).thenReturn(Result.ok(listOf(credDataFound(cr,100)))); + Result result = acsi.createUserCred(trans,cr); + // Owner may do FIRST Creds + Assert.assertEquals(Result.OK,result.status); } @Test public void validCreateNewOnlyAdmin() throws OrganizationException { - CredRequest cr = credRequest1(); - final String fqi = "bob@people.onap.org"; - when(trans.user()).thenReturn(fqi); - when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); - when(org.isValidCred(trans, cr.getId())).thenReturn(true); - when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); - when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); - when(orgIdentity.isFound()).thenReturn(true); - final String ns = "org.onap.sample"; - whenRole(trans,fqi,ns,"owner",false, 100); - whenRole(trans,fqi,ns,"admin",true, 100); - when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); - when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(emptyList(CredDAO.Data.class))); - when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(credDataFound(cr,100))); - when(question.credDAO().readNS(trans, ns)).thenReturn(Result.ok(listOf(credDataFound(cr,100)))); - Result result = acsi.createUserCred(trans,cr); - // Admins may not do FIRST Creds - Assert.assertEquals(Result.ERR_Denied,result.status); + CredRequest cr = credRequest1(); + final String fqi = "bob@people.onap.org"; + when(trans.user()).thenReturn(fqi); + when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); + when(org.isValidCred(trans, 
cr.getId())).thenReturn(true); + when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); + when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); + when(orgIdentity.isFound()).thenReturn(true); + final String ns = "org.onap.sample"; + whenRole(trans,fqi,ns,"owner",false, 100); + whenRole(trans,fqi,ns,"admin",true, 100); + when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); + when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(emptyList(CredDAO.Data.class))); + when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(credDataFound(cr,100))); + when(question.credDAO().readNS(trans, ns)).thenReturn(Result.ok(listOf(credDataFound(cr,100)))); + Result result = acsi.createUserCred(trans,cr); + // Admins may not do FIRST Creds + Assert.assertEquals(Result.ERR_Denied,result.status); } @Test public void validCreateExisting() throws OrganizationException { - CredRequest cr = credRequest1(); - when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); - when(org.isValidCred(trans, cr.getId())).thenReturn(true); - when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); - when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); - when(orgIdentity.isFound()).thenReturn(true); - String ns = "org.onap.sample"; - when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); - - CredDAO.Data cdd = credDataFound(cr,100); - when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(cdd)); - when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(listOf(cdd))); + CredRequest cr = credRequest1(); + when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); + when(org.isValidCred(trans, cr.getId())).thenReturn(true); + when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); + when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); + 
when(orgIdentity.isFound()).thenReturn(true); + String ns = "org.onap.sample"; + when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); + + CredDAO.Data cdd = credDataFound(cr,100); + when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(cdd)); + when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(listOf(cdd))); - Result result = acsi.createUserCred(trans,cr); - Assert.assertEquals(Result.OK,result.status); + Result result = acsi.createUserCred(trans,cr); + Assert.assertEquals(Result.OK,result.status); } private CredRequest credRequest1() { - CredRequest cr = new CredRequest(); - cr.setId("m12345@sample.onap.org"); - cr.setPassword("BobAndWeave"); - cr.setType(CredDAO.RAW); - return cr; + CredRequest cr = new CredRequest(); + cr.setId("m12345@sample.onap.org"); + cr.setPassword("BobAndWeave"); + cr.setType(CredDAO.RAW); + return cr; } private CredDAO.Data credDataFound(CredRequest cr, int days) { - CredDAO.Data cdd = new CredDAO.Data(); - cdd.id = cr.getId(); - cdd.ns = FQI.reverseDomain(cr.getId()); - cdd.other = 12345; - cdd.tag = "1355434"; - cdd.type = CredDAO.BASIC_AUTH_SHA256; - try { - cdd.cred = ByteBuffer.wrap(Hash.hashSHA256(cr.getPassword().getBytes())); - } catch (NoSuchAlgorithmException e) { - Assert.fail(e.getMessage()); - } - GregorianCalendar gc = new GregorianCalendar(); - gc.add(GregorianCalendar.DAY_OF_YEAR, days); - cdd.expires = gc.getTime(); - return cdd; + CredDAO.Data cdd = new CredDAO.Data(); + cdd.id = cr.getId(); + cdd.ns = FQI.reverseDomain(cr.getId()); + cdd.other = 12345; + cdd.tag = "1355434"; + cdd.type = CredDAO.BASIC_AUTH_SHA256; + try { + cdd.cred = ByteBuffer.wrap(Hash.hashSHA256(cr.getPassword().getBytes())); + } catch (NoSuchAlgorithmException e) { + Assert.fail(e.getMessage()); + } + GregorianCalendar gc = new GregorianCalendar(); + gc.add(GregorianCalendar.DAY_OF_YEAR, days); + cdd.expires = gc.getTime(); + return cdd; } } \ No newline at 
end of file -- cgit 1.2.3-korg