Skip to content

[Test] Fix race condition in TokenServiceTests#141581

Merged
elasticsearchmachine merged 2 commits intoelastic:mainfrom
slobodanadamovic:sa-fix-race-condition-in-token-service-tests
Jan 30, 2026
Merged

[Test] Fix race condition in TokenServiceTests#141581
elasticsearchmachine merged 2 commits intoelastic:mainfrom
slobodanadamovic:sa-fix-race-condition-in-token-service-tests

Conversation

@slobodanadamovic
Copy link
Copy Markdown
Contributor

@slobodanadamovic slobodanadamovic commented Jan 30, 2026
edited
Loading

The encryptedTokenId is released async, which results in race condition
that triggers the assertion in MockBytesRefRecycler.close.

This PR fixes test by waiting for all potential async releases to complete.

Resolves #141470

Reproduction

The issue can be reliably reproduced with following patch:

diff --git a/muted-tests.yml b/muted-tests.yml
index aaa039def19e..e9be24adf3ab 100644
--- a/muted-tests.yml
+++ b/muted-tests.yml
@@ -330,9 +330,6 @@ tests:
 - class: org.elasticsearch.search.query.VectorIT
   method: testFilteredQueryStrategy
   issue: https://github.com/elastic/elasticsearch/issues/141469
-- class: org.elasticsearch.xpack.security.authc.TokenServiceTests
-  method: testAttachAndGetToken
-  issue: https://github.com/elastic/elasticsearch/issues/141470
 
 # Examples:
 #
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
index f6a9134b3952..0c28b57ea428 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
@@ -701,7 +701,15 @@ public class TokenService {
                             // could happen with a token that is not ours
                             delegate.onResponse(null);
                         }
-                    }), encryptedTokenId));
+                    }), () -> {
+                        try {
+                            Thread.sleep(1000);
+                        } catch (InterruptedException e) {
+                            Thread.currentThread().interrupt();
+                            throw new IllegalStateException(e);
+                        }
+                        encryptedTokenId.close();
+                    }));
                 } else {
                     logger.debug(() -> format("invalid key %s key: %s", passphraseHash, keyCache.cache.keySet()));
                     listener.onResponse(null);

@slobodanadamovic
[Test] Fix race condition in TokenServiceTests
fe9541b 
The `encryptedTokenId` is released async, which results in race condition
that triggers the assertion in `MockBytesRefRecycler.close`.

This PR fixes it by waiting for all potential async releases to complete.

Resolves elastic#141470
@slobodanadamovic slobodanadamovic self-assigned this Jan 30, 2026
@slobodanadamovic slobodanadamovic added >test Issues or PRs that are addressing/adding tests :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team labels Jan 30, 2026
@slobodanadamovic slobodanadamovic requested a review from a team January 30, 2026 12:58
@elasticsearchmachine
Copy link
Copy Markdown
Collaborator

elasticsearchmachine commented Jan 30, 2026

Pinging @elastic/es-security (Team:Security)

@slobodanadamovic slobodanadamovic added the auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) label Jan 30, 2026
@elasticsearchmachine elasticsearchmachine merged commit 71dee3c into elastic:main Jan 30, 2026
41 checks passed
@slobodanadamovic slobodanadamovic deleted the sa-fix-race-condition-in-token-service-tests branch January 30, 2026 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@n1v0lg n1v0lg n1v0lg approved these changes

Assignees

@slobodanadamovic slobodanadamovic

Labels

auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team >test Issues or PRs that are addressing/adding tests v9.4.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[CI] TokenServiceTests testAttachAndGetToken failing

3 participants

@slobodanadamovic @elasticsearchmachine @n1v0lg