[KEYCLOAK-10822] - Prevent access to users from another realm

model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java

@@ -194,6 +194,11 @@ public class UserCacheSession implements UserCache {
         }
 
         CachedUser cached = cache.get(id, CachedUser.class);
+
+        if (cached != null && !cached.getRealm().equals(realm.getId())) {
+            cached = null;
+        }
+        
         UserModel adapter = null;
         if (cached == null) {
             logger.trace("not cached");

model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java

@@ -522,7 +522,7 @@ public class JpaUserProvider implements UserProvider, UserCredentialStore {
     @Override
     public UserModel getUserById(String id, RealmModel realm) {
         UserEntity userEntity = em.find(UserEntity.class, id);
-        if (userEntity == null) return null;
+        if (userEntity == null || !realm.getId().equals(userEntity.getRealmId())) return null;
         return new UserAdapter(session, realm, em, userEntity);
     }
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java

@@ -76,6 +76,7 @@ import org.openqa.selenium.WebDriver;
 import javax.mail.MessagingException;
 import javax.mail.internet.MimeMessage;
 import javax.ws.rs.ClientErrorException;
+import javax.ws.rs.NotFoundException;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 import java.io.IOException;
@@ -143,11 +144,18 @@ public class UserTest extends AbstractAdminTest {
     }
 
     private String createUser(UserRepresentation userRep) {
+        return createUser(userRep, true);
+    }
+    
+    private String createUser(UserRepresentation userRep, boolean assertAdminEvent) {
         Response response = realm.users().create(userRep);
         String createdId = ApiUtil.getCreatedId(response);
         response.close();
 
-        assertAdminEvents.assertEvent(realmId, OperationType.CREATE, AdminEventPaths.userResourcePath(createdId), userRep, ResourceType.USER);
+        if (assertAdminEvent) {
+            assertAdminEvents.assertEvent(realmId, OperationType.CREATE, AdminEventPaths.userResourcePath(createdId), userRep,
+                    ResourceType.USER);
+        }
 
         getCleanup().addUserId(createdId);
 
@@ -1460,6 +1468,40 @@ public class UserTest extends AbstractAdminTest {
             assertThat(user.getAttributes(), Matchers.nullValue());
         }
     }
+    
+    @Test
+    public void testAccessUserFromOtherRealm() {
+        RealmRepresentation firstRealm = new RealmRepresentation();
+        
+        firstRealm.setRealm("first-realm");
+        
+        adminClient.realms().create(firstRealm);
+        
+        realm = adminClient.realm(firstRealm.getRealm());
+        realmId = realm.toRepresentation().getId();
+
+        UserRepresentation firstUser = new UserRepresentation();
+
+        firstUser.setUsername("first");
+        firstUser.setEmail("first@first-realm.org");
+        
+        firstUser.setId(createUser(firstUser, false));
+
+        RealmRepresentation secondRealm = new RealmRepresentation();
+
+        secondRealm.setRealm("second-realm");
+
+        adminClient.realms().create(secondRealm);
+
+        adminClient.realm(firstRealm.getRealm()).users().get(firstUser.getId()).update(firstUser);
+
+        try {
+            adminClient.realm(secondRealm.getRealm()).users().get(firstUser.getId()).toRepresentation();
+            fail("Should not have access to firstUser from another realm");
+        } catch (NotFoundException nfe) {
+            // ignore
+        }
+    }
 
     private void switchEditUsernameAllowedOn(boolean enable) {
         RealmRepresentation rep = realm.toRepresentation();