Ensure searched LDAPObject is properly cached before other methods that trigger user validation run

Closes #34050

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java

@@ -621,18 +621,19 @@ public class LDAPStorageProvider implements UserStorageProvider,
      * @return ldapUser corresponding to local user or null if user is no longer in LDAP
      */
     protected LDAPObject loadAndValidateUser(RealmModel realm, UserModel local) {
-        LDAPObject existing = userManager.getManagedLDAPUser(local.getId());
+        // getFirstAttribute triggers validation and another call to this method, so we run it before checking the cache
+        String uuidLdapAttribute = local.getFirstAttribute(LDAPConstants.LDAP_ID);
+
+        LDAPObject existing = userManager.getManagedLDAPObject(local.getId());
         if (existing != null) {
             return existing;
         }
 
-        String uuidLdapAttribute = local.getFirstAttribute(LDAPConstants.LDAP_ID);
-
         LDAPObject ldapUser = loadLDAPUserByUuid(realm, uuidLdapAttribute);
-
         if(ldapUser == null){
             return null;
         }
+        userManager.setManagedLDAPObject(local.getId(), ldapUser);
         LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig());
 
         if (ldapUser.getUuid().equals(local.getFirstAttribute(LDAPConstants.LDAP_ID))) {

federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageUserManager.java

@@ -31,6 +31,7 @@ import org.keycloak.storage.ldap.mappers.LDAPTransaction;
  */
 public class LDAPStorageUserManager {
 
+    private final Map<String, LDAPObject> managedLDAPObjects = new HashMap<>();
     private final Map<String, ManagedUserEntry> managedUsers = new HashMap<>();
     private final LDAPStorageProvider provider;
 
@@ -43,9 +44,16 @@ public class LDAPStorageUserManager {
         return entry==null ? null : entry.getManagedProxiedUser();
     }
 
-    public LDAPObject getManagedLDAPUser(String userId) {
+    public LDAPObject getManagedLDAPObject(String userId) {
-        ManagedUserEntry entry = managedUsers.get(userId);
+        return managedLDAPObjects.get(userId);
-        return entry==null ? null : entry.getLdapUser();
+    }
+
+    public void setManagedLDAPObject(String userId, LDAPObject ldapObject) {
+        LDAPObject object = managedLDAPObjects.get(userId);
+        if (object != null) {
+            throw new IllegalStateException("Don't expect to have ldap object for user " + userId);
+        }
+        managedLDAPObjects.put(userId, ldapObject);
     }
 
     public LDAPTransaction getTransaction(String userId) {
@@ -66,7 +74,7 @@ public class LDAPStorageUserManager {
         }
 
         LDAPTransaction ldapTransaction = new LDAPTransaction(provider, ldapObject);
-        ManagedUserEntry newEntry = new ManagedUserEntry(proxiedUser, ldapObject, ldapTransaction);
+        ManagedUserEntry newEntry = new ManagedUserEntry(proxiedUser, ldapTransaction);
         managedUsers.put(userId, newEntry);
     }
 
@@ -79,12 +87,10 @@ public class LDAPStorageUserManager {
     private static class ManagedUserEntry {
 
         private final UserModel managedProxiedUser;
-        private final LDAPObject ldapUser;
         private final LDAPTransaction ldapTransaction;
 
-        public ManagedUserEntry(UserModel managedProxiedUser, LDAPObject ldapUser, LDAPTransaction ldapTransaction) {
+        public ManagedUserEntry(UserModel managedProxiedUser, LDAPTransaction ldapTransaction) {
             this.managedProxiedUser = managedProxiedUser;
-            this.ldapUser = ldapUser;
             this.ldapTransaction = ldapTransaction;
         }
 
@@ -92,10 +98,6 @@ public class LDAPStorageUserManager {
             return managedProxiedUser;
         }
 
-        public LDAPObject getLdapUser() {
-            return ldapUser;
-        }
-
         public LDAPTransaction getLdapTransaction() {
             return ldapTransaction;
         }