Fix double sending of response in TransportOpenIdConnectPrepareAuthenticationAction (#89930) (#89954)

original-brownbear · web-flow · commit 02e0c8fb9923 · 2022-09-09T18:29:03.000+09:30
This fixes an obvious bug where the listener was resolved twice if any of the first two failure conditions in the changed method were met. Prior to #89873 this would lead to a memory leak.
diff --git a/docs/changelog/89930.yaml b/docs/changelog/89930.yaml
@@ -0,0 +1,5 @@
+pr: 89930
+summary: Fix double sending of response in `TransportOpenIdConnectPrepareAuthenticationAction`
+area: Authentication
+type: bug
+issues: []
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectPrepareAuthenticationAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectPrepareAuthenticationAction.java
@@ -13,7 +13,6 @@
 import org.elasticsearch.action.support.HandledTransportAction;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.inject.Inject;
-import org.elasticsearch.common.io.stream.Writeable;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.transport.TransportService;
 import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationAction;
@@ -24,7 +23,6 @@
 import org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm;
 
 import java.util.List;
-import java.util.stream.Collectors;
 
 public class TransportOpenIdConnectPrepareAuthenticationAction extends HandledTransportAction<
     OpenIdConnectPrepareAuthenticationRequest,
@@ -42,7 +40,7 @@ public TransportOpenIdConnectPrepareAuthenticationAction(
             OpenIdConnectPrepareAuthenticationAction.NAME,
             transportService,
             actionFilters,
-            (Writeable.Reader<OpenIdConnectPrepareAuthenticationRequest>) OpenIdConnectPrepareAuthenticationRequest::new
+            OpenIdConnectPrepareAuthenticationRequest::new
         );
         this.realms = realms;
     }
@@ -58,15 +56,17 @@ protected void doExecute(
             List<OpenIdConnectRealm> matchingRealms = this.realms.stream()
                 .filter(r -> r instanceof OpenIdConnectRealm && ((OpenIdConnectRealm) r).isIssuerValid(request.getIssuer()))
                 .map(r -> (OpenIdConnectRealm) r)
-                .collect(Collectors.toList());
+                .toList();
             if (matchingRealms.isEmpty()) {
                 listener.onFailure(
                     new ElasticsearchSecurityException("Cannot find OpenID Connect realm with issuer [{}]", request.getIssuer())
                 );
+                return;
             } else if (matchingRealms.size() > 1) {
                 listener.onFailure(
                     new ElasticsearchSecurityException("Found multiple OpenID Connect realm with issuer [{}]", request.getIssuer())
                 );
+                return;
             } else {
                 realm = matchingRealms.get(0);
             }
