From a22c5eb2ec763736310a8e1333f100d95177b46c Mon Sep 17 00:00:00 2001
From: Yang Wang
Date: Fri, 18 Nov 2022 19:16:17 +1100
Subject: [PATCH] Fix the condition for logging empty JWK sets. (#91675)

The logic for check isEmpty should have been flipped. This PR fixes it.

Relates: #91001
---
 .../xpack/security/authc/jwt/JwtSignatureValidator.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidator.java
index 0e4d6a827b142..93b87ea48aa95 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidator.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidator.java
@@ -161,8 +161,10 @@ public void close() {
 }

 private void logWarnIfAuthenticationWillAlwaysFail() {
- final boolean hasUsableJwksAndAlgorithms = (hmacJwtSignatureValidator != null && hmacJwtSignatureValidator.jwksAlgs.isEmpty())
- || (pkcJwtSignatureValidator != null && pkcJwtSignatureValidator.jwkSetLoader.getContentAndJwksAlgs().jwksAlgs().isEmpty());
+ final boolean hasUsableJwksAndAlgorithms = (hmacJwtSignatureValidator != null
+ && false == hmacJwtSignatureValidator.jwksAlgs.isEmpty())
+ || (pkcJwtSignatureValidator != null
+ && false == pkcJwtSignatureValidator.jwkSetLoader.getContentAndJwksAlgs().jwksAlgs().isEmpty());
 if (false == hasUsableJwksAndAlgorithms) {
 logger.warn(
 "No available JWK and algorithm for HMAC or PKC. JWT realm authentication expected to fail until this is fixed."
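Review bot: The corrected condition in logWarnIfAuthenticationWillAlwaysFail() lands without a regression test, since the diffstat lists only JwtSignatureValidator.java, so the same inversion could come back unnoticed. A test that builds the validator with empty and with non-empty JWK sets and asserts whether the warning is emitted would pin both branches. It would also help to state the intent above the declaration, e.g. `// true when at least one configured validator (HMAC or PKC) has a non-empty JWK/algorithm set`. The PKC operand reads the loader's content at call time, so the warning presumably reflects only that moment's key set; this is worth confirming against the call sites, because the rest of the method body and its callers lie outside the hunk.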