🥅 Cancel AUTHENTICATE if process raises an error [🚧 server error]

The exception will be re-raised after the protocol cancel response has
been sent.

Author: nevans

lib/net/imap.rb

@@ -1351,11 +1351,19 @@ def authenticate(mechanism, *creds,
         response = authenticator.process(nil)
         cmdargs << (response.empty? ? "=" : [response].pack("m0"))
       end
+      process_error = nil
       result = send_command_with_continuations(*cmdargs) {|data|
-        challenge = data.unpack1("m")
-        response  = authenticator.process challenge
-        [response].pack("m0")
+        unless process_error
+          challenge = data.unpack1("m")
+          response  = begin
+            authenticator.process challenge
+          rescue => ex
+            process_error = ex
+          end
+        end
+        process_error ? "*" : [response].pack("m0")
       }
+      raise process_error if process_error
       if authenticator.respond_to?(:done?) && !authenticator.done?
         logout!
         raise SASL::AuthenticationIncomplete, result

lib/net/imap/sasl/authentication_exchange.rb

@@ -6,8 +6,6 @@ module SASL
 
       # This API is *experimental*, and may change.
       #
-      # TODO: catch exceptions in #process and send #cancel_response.
-      # TODO: raise an error if the command succeeds after being canceled.
       # TODO: use with more clients, to verify the API can accommodate them.
       # TODO: pass ClientAdapter#service to SASL.authenticator
       #
@@ -80,6 +78,9 @@ def self.build(client, mechanism, *args, sasl_ir: true, **kwargs, &block)
 
         attr_reader :mechanism, :authenticator
 
+        # An exception that has been raised by <tt>authenticator.process</tt>.
+        attr_reader :process_error
+
         def initialize(client, mechanism, authenticator, sasl_ir: true)
           @client = client
           @mechanism = Authenticators.normalize_name(mechanism)
@@ -92,8 +93,17 @@ def initialize(client, mechanism, authenticator, sasl_ir: true)
         # using #authenticator.  Authentication failures will raise an
         # exception.  Any exceptions other than AuthenticationCanceled or those
         # in <tt>client.response_errors</tt> will drop the connection.
+        #
+        # When <tt>authenticator.process</tt> raises any StandardError
+        # (including AuthenticationCanceled), the authentication exchange will
+        # be canceled before re-raising the exception.  The server will usually
+        # respond with an error response, and the client will most likely raise
+        # that error.  This client error will supercede the original error.
+        # Unfortunately, the original error will not be the +#cause+ for the
+        # client error.  But it will be available on #process_error.
         def authenticate
           client.run_command(mechanism, initial_response) { process _1 }
+            .tap { raise process_error if process_error }
             .tap { raise AuthenticationIncomplete, _1 unless done? }
         rescue AuthenticationCanceled, *client.response_errors
           raise # but don't drop the connection
@@ -127,9 +137,12 @@ def initial_response
         end
 
         def process(challenge)
-          client.encode authenticator.process client.decode challenge
-        ensure
           @processed = true
+          return client.cancel_response if process_error
+          client.encode authenticator.process client.decode challenge
+        rescue => process_error
+          @process_error = process_error
+          client.cancel_response
         end
 
       end

test/net/imap/fake_server/command_router.rb

@@ -97,8 +97,9 @@ def handler_for(command)
         response_b64 = resp.request_continuation("") || ""
         state.commands << {continuation: response_b64}
       end
-      response = Base64.decode64(response_b64)
-      response.empty?                   and return resp.fail_bad "canceled"
+      response_b64.strip == ?*          and return resp.fail_bad "canceled"
+      response = Base64.decode64(response_b64) rescue :decode64_failed
+      response == :decode64_failed      and return resp.fail_bad "invalid b64"
       # TODO: support mechanisms other than PLAIN.
       parts = response.split("\0")
       parts.length == 3                  or return resp.fail_bad "invalid"

test/net/imap/test_imap.rb

@@ -1014,6 +1014,25 @@ def test_id
     end
   end
 
+  test "#authenticate can be canceled with SASL::AuthenticationCanceled" do
+    with_fake_server(
+      preauth: false, cleartext_auth: true,
+      sasl_ir: false, sasl_mechanisms: %i[PLAIN]
+    ) do |server, imap|
+      registry = Net::IMAP::SASL::Authenticators.new(use_defaults: false)
+      registry.add_authenticator :plain, ->(*a, **kw, &b) {
+        ->(challenge) {
+          raise(Net::IMAP::SASL::AuthenticationCanceled,
+                "a: %p, kw: %p, b: %p" % [a, kw, b])
+        }
+      }
+      assert_raise_with_message(Net::IMAP::BadResponseError, "canceled") do
+        imap.authenticate(:plain, hello: :world, registry: registry)
+      end
+      refute imap.disconnected?
+    end
+  end
+
   def test_uidplus_uid_expunge
     with_fake_server(select: "INBOX",
                      extensions: %i[UIDPLUS]) do |server, imap|