[Kerberos] Fix to audit log authc_failed event once (#32220)

The exception was being sent twice due to incorrect handling
of conditional statements causing multiple authentication_failed
events in audit logs.

Author: bizybot

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidator.java

@@ -96,11 +96,11 @@ public void validateTicket(final byte[] decodedToken, final Path keytabPath, fin
         } catch (PrivilegedActionException pve) {
             if (pve.getCause() instanceof LoginException) {
                 actionListener.onFailure((LoginException) pve.getCause());
-            }
-            if (pve.getCause() instanceof GSSException) {
+            } else if (pve.getCause() instanceof GSSException) {
                 actionListener.onFailure((GSSException) pve.getCause());
+            } else {
+                actionListener.onFailure(pve.getException());
             }
-            actionListener.onFailure(pve.getException());
         } finally {
             privilegedLogoutNoThrow(loginContext);
             privilegedDisposeNoThrow(gssContext);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java

@@ -6,14 +6,14 @@
 
 package org.elasticsearch.xpack.security.authc.kerberos;
 
+import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.util.concurrent.UncategorizedExecutionException;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
-import org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator;
 import org.ietf.jgss.GSSException;
 
 import java.io.IOException;
@@ -25,6 +25,7 @@
 import javax.security.auth.login.LoginException;
 
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
@@ -57,10 +58,23 @@ public void testInvalidKerbTicketFailsValidation() throws Exception {
 
         final Environment env = TestEnvironment.newEnvironment(globalSettings);
         final Path keytabPath = env.configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings));
-        final PlainActionFuture<Tuple<String, String>> future = new PlainActionFuture<>();
-        kerberosTicketValidator.validateTicket(Base64.getDecoder().decode(base64KerbToken), keytabPath, true, future);
-        final GSSException gssException = expectThrows(GSSException.class, () -> unwrapExpectedExceptionFromFutureAndThrow(future));
-        assertThat(gssException.getMajor(), equalTo(GSSException.DEFECTIVE_TOKEN));
+        kerberosTicketValidator.validateTicket(Base64.getDecoder().decode(base64KerbToken), keytabPath, true,
+                new ActionListener<Tuple<String, String>>() {
+                    boolean exceptionHandled = false;
+
+                    @Override
+                    public void onResponse(Tuple<String, String> response) {
+                        fail("expected exception to be thrown of type GSSException");
+                    }
+
+                    @Override
+                    public void onFailure(Exception e) {
+                        assertThat(exceptionHandled, is(false));
+                        assertThat(e, instanceOf(GSSException.class));
+                        assertThat(((GSSException) e).getMajor(), equalTo(GSSException.DEFECTIVE_TOKEN));
+                        exceptionHandled = true;
+                    }
+                });
     }
 
     public void testWhenKeyTabWithInvalidContentFailsValidation()