fix credentials cast + some better code

Author: zvonand

src/Access/AccessTokenProcessor.cpp

@@ -173,17 +173,22 @@ bool GoogleAccessTokenProcessor::resolveAndValidate(const TokenCredentials & cre
         {
             auto groups_response = getObjectFromURI(get_groups_uri, token);
 
-            if (!groups_response.contains("memberships")) {
+            if (!groups_response.contains("memberships") || !groups_response["memberships"].is<picojson::array>())
+            {
                 LOG_TRACE(getLogger("AccessTokenProcessor"),
                           "{}: Failed to get Google groups: invalid content in response from server", name);
                 return true;
             }
 
-            picojson::array groups_array = groups_response["memberships"].get<picojson::array>();
-
-            /// TODO: check for invalid JSON, LOG something meaningful
-            for (const auto & group: groups_array)
+            for (const auto & group: groups_response["memberships"].get<picojson::array>())
             {
+                if (!group.is<picojson::object>())
+                {
+                    LOG_TRACE(getLogger("AccessTokenProcessor"),
+                              "{}: Failed to get Google groups: invalid content in response from server", name);
+                    continue;
+                }
+
                 auto group_data = group.get<picojson::object>();
                 String group_name = getValueByKey(group_data["groupKey"].get<picojson::object>(), "id");
                 external_groups_names.insert(group_name);
@@ -267,22 +272,29 @@ bool AzureAccessTokenProcessor::resolveAndValidate(const TokenCredentials & cred
     {
         auto groups_response = getObjectFromURI(get_groups_uri, token);
 
-        if (!groups_response.contains("value")) {
+        if (!groups_response.contains("value") || !groups_response["value"].is<picojson::array>())
+        {
             LOG_TRACE(getLogger("AccessTokenProcessor"),
                       "{}: Failed to get Azure groups: invalid content in response from server", name);
             return true;
         }
 
         picojson::array groups_array = groups_response["value"].get<picojson::array>();
 
-        /// TODO: check for invalid JSON
         for (const auto & group: groups_array)
         {
+            /// Got some invalid response. Ignore this, log this.
+            if (!group.is<picojson::object >())
+            {
+                LOG_TRACE(getLogger("AccessTokenProcessor"),
+                          "{}: Failed to get Azure groups: invalid content in response from server", name);
+                continue;
+            }
+
             auto group_data = group.get<picojson::object>();
             String group_name = getValueByKey(group_data, "id");
             external_groups_names.insert(group_name);
-            LOG_TRACE(getLogger("AccessTokenProcessor"),
-                      "{}: User {}: new external group {}", name, credentials.getUserName(), group_name);
+            LOG_TRACE(getLogger("AccessTokenProcessor"), "{}: User {}: new external group {}", name, credentials.getUserName(), group_name);
         }
     }
     catch (const Exception & e)

src/Access/ExternalAuthenticators.cpp

@@ -717,7 +717,7 @@ bool ExternalAuthenticators::checkAccessTokenCredentials(const TokenCredentials
             {
                 cache_entry.expires_at = default_expiration_ts;
             }
-            LOG_TRACE(getLogger("AccessTokenAuthentication"), "Cache entry for user {} added", cached_entry_iter->second.user_name);
+            LOG_TRACE(getLogger("AccessTokenAuthentication"), "Cache entry for user {} added", cache_entry.user_name);
 
             access_token_cache[credentials.getToken()] = cache_entry;
             LOG_DEBUG(getLogger("AccessTokenAuthentication"), "Authenticated user {} with access token by {}", credentials.getUserName(), it.first);

src/Access/IAccessStorage.cpp

@@ -536,7 +536,7 @@ std::optional<AuthResult> IAccessStorage::authenticateImpl(
     bool allow_no_password,
     bool allow_plaintext_password) const
 {
-    if (!typeid_cast<const TokenCredentials &>(credentials).isReady())
+    if (typeid_cast<const TokenCredentials *>(&credentials) && !typeid_cast<const TokenCredentials *>(&credentials)->isReady())
         throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Could not resolve username from token");
 
     if (auto id = find<User>(credentials.getUserName()))

src/Access/TokenAccessStorage.cpp

@@ -173,7 +173,7 @@ String TokenAccessStorage::getStorageParamsJSON() const
     std::lock_guard lock(mutex);
     Poco::JSON::Object params_json;
 
-    params_json.set("processor", provider_name);
+    params_json.set("provider", provider_name);
 
     Poco::JSON::Array common_role_names_json;
     for (const auto & role : common_role_names)