From c06ddf9047ff428022ae6a2dbfe02f5a62b81789 Mon Sep 17 00:00:00 2001
From: Yogesh Gaikwad
Date: Fri, 20 Jul 2018 11:20:09 +1000
Subject: [PATCH] [Kerberos] Fix to audit log authc_failed event once

The exception was being sent twice due to incorrect handling of conditional statements causing multiple authentication_failed events in audit logs.
---
 .../kerberos/KerberosTicketValidator.java | 6 ++---
 .../KerberosTicketValidatorTests.java | 24 +++++++++++++++----
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidator.java
index 689ba69f78254..a63d90178dca4 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidator.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidator.java
@@ -96,11 +96,11 @@ public void validateTicket(final byte[] decodedToken, final Path keytabPath, fin
 } catch (PrivilegedActionException pve) {
 if (pve.getCause() instanceof LoginException) {
 actionListener.onFailure((LoginException) pve.getCause());
- }
- if (pve.getCause() instanceof GSSException) {
+ } else if (pve.getCause() instanceof GSSException) {
 actionListener.onFailure((GSSException) pve.getCause());
+ } else {
+ actionListener.onFailure(pve.getException());
 }
- actionListener.onFailure(pve.getException());
 } finally {
 privilegedLogoutNoThrow(loginContext);
 privilegedDisposeNoThrow(gssContext);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java
index e12b9c5a692c6..8f35e0bde4454 100644
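Review bot: All three branches of the `catch (PrivilegedActionException pve)` block hand the same object to the listener, so the instanceof chain can be reduced to the single call `actionListener.onFailure(pve.getException());`. `PrivilegedActionException.getCause()` and `getException()` return the same wrapped exception, and the casts to `LoginException` and `GSSException` select no different method as far as the `onFailure(Exception)` signature visible in the test file shows. With one call site the listener cannot be notified twice for one rejected ticket, which is what keeps the audit trail at a single authentication_failed event. The `try` block and the rest of `validateTicket` lie outside the hunk, so other failure paths could not be checked here.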
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java
@@ -6,6 +6,7 @@
 package org.elasticsearch.xpack.security.authc.kerberos;
+import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.settings.SecureString;
@@ -13,7 +14,6 @@
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
-import org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator;
 import org.ietf.jgss.GSSException;
 import java.io.IOException;
@@ -25,6 +25,7 @@
 import javax.security.auth.login.LoginException;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
@@ -57,10 +58,23 @@ public void testInvalidKerbTicketFailsValidation() throws Exception {
 final Environment env = TestEnvironment.newEnvironment(globalSettings);
 final Path keytabPath = env.configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings));
- final PlainActionFuture> future = new PlainActionFuture<>();
- kerberosTicketValidator.validateTicket(Base64.getDecoder().decode(base64KerbToken), keytabPath, true, future);
- final GSSException gssException = expectThrows(GSSException.class, () -> unwrapExpectedExceptionFromFutureAndThrow(future));
- assertThat(gssException.getMajor(), equalTo(GSSException.DEFECTIVE_TOKEN));
+ kerberosTicketValidator.validateTicket(Base64.getDecoder().decode(base64KerbToken), keytabPath, true,
+ new ActionListener>() {
+ boolean exceptionHandled = false;
+
+ @Override
+ public void onResponse(Tuple response) {
+ fail("expected exception to be thrown of type GSSException");
+ }
+
+ @Override
+ public void onFailure(Exception e) {
+ assertThat(exceptionHandled, is(false));
+ assertThat(e, instanceOf(GSSException.class));
+ assertThat(((GSSException) e).getMajor(), equalTo(GSSException.DEFECTIVE_TOKEN));
+ exceptionHandled = true;
+ }
+ });
 }
 public void testWhenKeyTabWithInvalidContentFailsValidation()
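Review bot: Nothing after the `validateTicket(...)` call in `testInvalidKerbTicketFailsValidation` asserts that the listener ran, so the test still passes if `onFailure` is never invoked. The `exceptionHandled` flag lives inside the anonymous class and is only read on entry to `onFailure`. Declare a counter before the call, `final AtomicInteger failures = new AtomicInteger();`, replace the flag update with `failures.incrementAndGet();`, and end the test with `assertThat(failures.get(), equalTo(1));`, which catches both a missing and a duplicated notification. This assumes the listener is completed before `validateTicket` returns, which the hunk does not show, and it needs an import of `java.util.concurrent.atomic.AtomicInteger`.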