From 427777a04851c1176c5da486b757eebfbd93e7dc Mon Sep 17 00:00:00 2001
From: Jamal Kaabi-Mofrad
Date: Tue, 17 Nov 2020 21:31:30 +0000
Subject: [PATCH] ACS-778: Fixed IDS auth component by allowing other authentication components in the chain to have a go at authenticating the given user.
---
 ...dentityServiceAuthenticationComponent.java | 20 ++++++++++
 .../org/alfresco/AppContext05TestSuite.java | 1 +
 ...ityServiceAuthenticationComponentTest.java | 39 +++++++++++++++++--
 3 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java
index 83b89d9c59..ccf6787de6 100644
--- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java
@@ -25,6 +25,9 @@
 */
 package org.alfresco.repo.security.authentication.identityservice;
+import java.net.ConnectException;
+
+import org.alfresco.error.ExceptionStackUtil;
 import org.alfresco.repo.management.subsystems.ActivateableBean;
 import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
 import org.alfresco.repo.security.authentication.AuthenticationException;
@@ -91,6 +94,23 @@ public class IdentityServiceAuthenticationComponent extends AbstractAuthenticati
 throw new AuthenticationException("Failed to authenticate user against Keycloak.", e);
 }
+ catch (RuntimeException e)
+ {
+ Throwable cause = ExceptionStackUtil.getCause(e, ConnectException.class);
+ if (cause != null)
+ {
+ if (logger.isWarnEnabled())
+ {
+ logger.warn("Couldn't connect to Keycloak server to authenticate user. Reason: " + cause.getMessage());
+ }
+ throw new AuthenticationException("Couldn't connect to Keycloak server to authenticate user.", cause);
+ }
+ if (logger.isDebugEnabled())
+ {
+ logger.debug("Error occurred while authenticating user against Keycloak. Reason: " + e.getMessage());
+ }
+ throw new AuthenticationException("Error occurred while authenticating user against Keycloak.", e);
+ }
 }
 public void setActive(boolean active)
diff --git a/repository/src/test/java/org/alfresco/AppContext05TestSuite.java b/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
index f07a6e0b86..4bf1627dad 100644
--- a/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
+++ b/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
@@ -58,6 +58,7 @@ import org.junit.runners.Suite;
 org.alfresco.repo.security.person.HomeFolderProviderSynchronizerTest.class,
 org.alfresco.repo.domain.permissions.FixedAclUpdaterTest.class,
 org.alfresco.repo.security.authentication.external.DefaultRemoteUserMapperTest.class,
+ org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponentTest.class,
 org.alfresco.repo.security.authentication.identityservice.IdentityServiceRemoteUserMapperTest.class,
 org.alfresco.repo.security.authentication.subsystems.SubsystemChainingFtpAuthenticatorTest.class,
 org.alfresco.repo.security.authentication.external.LocalAuthenticationServiceTest.class,
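Review bot: In the new `catch (RuntimeException e)` block, a failure that is not a ConnectException is logged only at debug level and only as `e.getMessage()`, so with default logging an unexpected Keycloak-side error that hands the login attempt to the next component in the chain leaves no trace and no stack trace. On an authentication path I would log it at warn and pass the exception itself, `logger.warn("Error occurred while authenticating user against Keycloak.", e);`, and pass `cause` to the logger in the connection branch as well. The catch is also broad: the try body starts outside this hunk, so it is worth confirming that nothing inside it throws an AuthenticationException that is itself a RuntimeException, because that would be re-wrapped here under the generic message instead of being rethrown unchanged. Since the point of the commit is that other components then get to authenticate the user, the behaviour during an identity-service outage (which later authenticators accept the login) should be stated in the class Javadoc.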
diff --git a/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java b/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java
index 0b6c3dbbba..4366a9ff48 100644
--- a/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java
@@ -25,6 +25,12 @@
 */
 package org.alfresco.repo.security.authentication.identityservice;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.net.ConnectException;
+
+import org.alfresco.error.ExceptionStackUtil;
 import org.alfresco.repo.security.authentication.AuthenticationContext;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.sync.UserRegistrySynchronizer;
@@ -39,12 +45,10 @@ import org.keycloak.authorization.client.AuthzClient;
 import org.keycloak.authorization.client.util.HttpResponseException;
 import org.keycloak.representations.AccessTokenResponse;
 import org.springframework.beans.factory.annotation.Autowired;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
 {
- private IdentityServiceAuthenticationComponent authComponent = new IdentityServiceAuthenticationComponent();
+ private final IdentityServiceAuthenticationComponent authComponent = new IdentityServiceAuthenticationComponent();
 @Autowired
 private AuthenticationContext authenticationContext;
@@ -91,6 +95,33 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
 authComponent.authenticateImpl("username", "password".toCharArray());
 }
+ @Test(expected = AuthenticationException.class)
+ public void testAuthenticationFail_connectionException()
+ {
+ when(mockAuthzClient.obtainAccessToken("username", "password")).thenThrow(
+ new RuntimeException("Couldn't connect to server", new ConnectException("ConnectionRefused")));
+
+ try
+ {
+ authComponent.authenticateImpl("username", "password".toCharArray());
+ }
+ catch (RuntimeException ex)
+ {
+ Throwable cause = ExceptionStackUtil.getCause(ex, ConnectException.class);
+ assertNotNull(cause);
+ throw ex;
+ }
+ }
+
+ @Test (expected=AuthenticationException.class)
+ public void testAuthenticationFail_otherException()
+ {
+ when(mockAuthzClient.obtainAccessToken("username", "password"))
+ .thenThrow(new RuntimeException("Some other errors!"));
+
+ authComponent.authenticateImpl("username", "password".toCharArray());
+ }
+
 @Test
 public void testAuthenticationPass()
 {
@@ -119,4 +150,4 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
 authComponent.setAllowGuestLogin(false);
 assertFalse(authComponent.guestUserAuthenticationAllowed());
 }
-}
\ No newline at end of file
+}
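Review bot: Both new tests stop at "an AuthenticationException was thrown"; neither checks that the failed attempt left no authenticated user behind, which is the property that matters once the chain moves on to the next component. If the fixture allows it (the setup is outside this hunk), catch the exception in the test and assert on the autowired `authenticationContext` that no current user was set. In `testAuthenticationFail_connectionException` the handler could be narrowed to `catch (AuthenticationException ex)` so the cause assertion runs only on the exception type the test expects. The annotation spelling also differs between the two tests: `@Test (expected=AuthenticationException.class)` should match `@Test(expected = AuthenticationException.class)`.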