Handle unexpected/unchecked exceptions correctly (#49080) (#49139)

Ensures that methods that are called from different threads ( i.e. from the callbacks of org.apache.http.concurrent.FutureCallback ) catch `Exception` instead of only the expected checked exceptions. This resolves a bug where OpenIdConnectAuthenticator#mergeObjects would throw an IllegalStateException that was never caught causing the thread to hang and the listener to never be called. This would in turn cause Kibana requests to authenticate with OpenID Connect to timeout and fail without even logging anything relevant. This also guards against unexpected Exceptions that might be thrown by invoked library methods while performing the necessary operations in these callbacks.
elastic · Nov 15, 2019 · 2b9d4c7 · 2b9d4c7
1 parent 43f91a3
commit 2b9d4c7
Showing 1 changed file with 5 additions and 6 deletions.
diff --git a/...src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java b/...src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java
@@ -92,7 +92,6 @@
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLEncoder;
 import java.nio.charset.Charset;
@@ -433,7 +432,7 @@ private void handleUserinfoResponse(HttpResponse httpResponse, JWTClaimsSet veri
                             httpResponse.getStatusLine().getReasonPhrase()));
                 }
             }
-        } catch (IOException | com.nimbusds.oauth2.sdk.ParseException | ParseException e) {
+        } catch (Exception e) {
             claimsListener.onFailure(new ElasticsearchSecurityException("Failed to get user information from the UserInfo endpoint.",
                 e));
         }
@@ -541,7 +540,7 @@ private void handleTokenResponse(HttpResponse httpResponse, ActionListener<Tuple
                 }
                 tokensListener.onResponse(new Tuple<>(accessToken, idToken));
             }
-        } catch (IOException | com.nimbusds.oauth2.sdk.ParseException e) {
+        } catch (Exception e) {
             tokensListener.onFailure(
                 new ElasticsearchSecurityException("Failed to exchange code for Id Token using the Token Endpoint. " +
                     "Unable to parse Token Response", e));
@@ -738,7 +737,7 @@ public void onFileChanged(Path file) {
     /**
      * Remote JSON Web Key source specified by a JWKSet URL. The retrieved JWK set is cached to
      * avoid unnecessary http requests. A single attempt to update the cached set is made
-     * (with {@ling ReloadableJWKSource#triggerReload}) when the {@link IDTokenValidator} fails
+     * (with {@link ReloadableJWKSource#triggerReload}) when the {@link IDTokenValidator} fails
      * to validate an ID Token (because of an unknown key) as this might mean that the OpenID
      * Connect Provider has rotated the signing keys.
      */
@@ -785,7 +784,7 @@ public void completed(HttpResponse result) {
                                 reloadFutureRef.set(null);
                                 LOGGER.trace("Successfully refreshed and cached remote JWKSet");
                                 future.onResponse(null);
-                            } catch (IOException | ParseException e) {
+                            } catch (Exception e) {
                                 failed(e);
                             }
                         }
@@ -805,7 +804,7 @@ public void cancelled() {
                     });
                     return null;
                 });
-            } catch (URISyntaxException e) {
+            } catch (Exception e) {
                 future.onFailure(e);
                 reloadFutureRef.set(null);
             }