From cd20f45b8a931fe901492838e64d9d334c7d5c62 Mon Sep 17 00:00:00 2001
From: Alexander Schwartz <aschwart@redhat.com>
Date: Wed, 27 Apr 2022 10:19:46 +0200
Subject: [PATCH] Ensure that values of attributes are unique in the database

While this is already ensured on the Java level when using a Set, database inconsistencies as occurred with Hibernate could lead to follow-up problems that are hard to analyze (as seen in #11666).

Closes #11671
---
 .../storage/jpa/client/entity/JpaClientAttributeEntity.java | 6 +++++-
 .../clientscope/entity/JpaClientScopeAttributeEntity.java   | 6 +++++-
 .../storage/jpa/group/entity/JpaGroupAttributeEntity.java   | 6 +++++-
 .../storage/jpa/realm/entity/JpaRealmAttributeEntity.java   | 5 ++++-
 .../map/storage/jpa/role/entity/JpaRoleAttributeEntity.java | 6 +++++-
 .../client-scopes/jpa-client-scopes-changelog-1.xml         | 2 ++
 .../resources/META-INF/clients/jpa-clients-changelog-1.xml  | 2 ++
 .../resources/META-INF/groups/jpa-groups-changelog-1.xml    | 2 ++
 .../resources/META-INF/realms/jpa-realms-changelog-1.xml    | 2 ++
 .../main/resources/META-INF/roles/jpa-roles-changelog-1.xml | 2 ++
 10 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/client/entity/JpaClientAttributeEntity.java b/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/client/entity/JpaClientAttributeEntity.java
index adca8ab0a5..a190ac75e2 100644
--- a/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/client/entity/JpaClientAttributeEntity.java
+++ b/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/client/entity/JpaClientAttributeEntity.java
@@ -18,10 +18,14 @@ package org.keycloak.models.map.storage.jpa.client.entity;
 
 import javax.persistence.Entity;
 import javax.persistence.Table;
+import javax.persistence.UniqueConstraint;
+
 import org.keycloak.models.map.storage.jpa.JpaAttributeEntity;
 
 @Entity
-@Table(name = "kc_client_attribute")
+@Table(name = "kc_client_attribute", uniqueConstraints = {
+        @UniqueConstraint(columnNames = {"fk_root", "name", "value"})
+})
 public class JpaClientAttributeEntity extends JpaAttributeEntity<JpaClientEntity> {
 
     public JpaClientAttributeEntity() {
diff --git a/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/clientscope/entity/JpaClientScopeAttributeEntity.java b/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/clientscope/entity/JpaClientScopeAttributeEntity.java
index 8522667aed..65ff41dcf5 100644
--- a/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/clientscope/entity/JpaClientScopeAttributeEntity.java
+++ b/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/clientscope/entity/JpaClientScopeAttributeEntity.java
@@ -18,10 +18,14 @@ package org.keycloak.models.map.storage.jpa.clientscope.entity;
 
 import javax.persistence.Entity;
 import javax.persistence.Table;
+import javax.persistence.UniqueConstraint;
+
 import org.keycloak.models.map.storage.jpa.JpaAttributeEntity;
 
 @Entity
-@Table(name = "kc_client_scope_attribute")
+@Table(name = "kc_client_scope_attribute", uniqueConstraints = {
+        @UniqueConstraint(columnNames = {"fk_root", "name", "value"})
+})
 public class JpaClientScopeAttributeEntity extends JpaAttributeEntity<JpaClientScopeEntity> {
 
     public JpaClientScopeAttributeEntity() {
diff --git a/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/group/entity/JpaGroupAttributeEntity.java b/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/group/entity/JpaGroupAttributeEntity.java
index 51b9e0629e..702b6810b7 100644
--- a/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/group/entity/JpaGroupAttributeEntity.java
+++ b/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/group/entity/JpaGroupAttributeEntity.java
@@ -18,10 +18,14 @@ package org.keycloak.models.map.storage.jpa.group.entity;
 
 import javax.persistence.Entity;
 import javax.persistence.Table;
+import javax.persistence.UniqueConstraint;
+
 import org.keycloak.models.map.storage.jpa.JpaAttributeEntity;
 
 @Entity
-@Table(name = "kc_group_attribute")
+@Table(name = "kc_group_attribute", uniqueConstraints = {
+        @UniqueConstraint(columnNames = {"fk_root", "name", "value"})
+})
 public class JpaGroupAttributeEntity extends JpaAttributeEntity<JpaGroupEntity> {
 
     public JpaGroupAttributeEntity() {
diff --git a/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/realm/entity/JpaRealmAttributeEntity.java b/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/realm/entity/JpaRealmAttributeEntity.java
index 04daf455cf..811750de89 100644
--- a/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/realm/entity/JpaRealmAttributeEntity.java
+++ b/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/realm/entity/JpaRealmAttributeEntity.java
@@ -18,6 +18,7 @@ package org.keycloak.models.map.storage.jpa.realm.entity;
 
 import javax.persistence.Entity;
 import javax.persistence.Table;
+import javax.persistence.UniqueConstraint;
 
 import org.keycloak.models.map.storage.jpa.JpaAttributeEntity;
 
@@ -28,7 +29,9 @@ import org.keycloak.models.map.storage.jpa.JpaAttributeEntity;
  * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
  */
 @Entity
-@Table(name = "kc_realm_attribute")
+@Table(name = "kc_realm_attribute", uniqueConstraints = {
+        @UniqueConstraint(columnNames = {"fk_root", "name", "value"})
+})
 public class JpaRealmAttributeEntity extends JpaAttributeEntity<JpaRealmEntity> {
 
     public JpaRealmAttributeEntity() {
diff --git a/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/role/entity/JpaRoleAttributeEntity.java b/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/role/entity/JpaRoleAttributeEntity.java
index 714537c1dd..bbfcc4aa19 100644
--- a/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/role/entity/JpaRoleAttributeEntity.java
+++ b/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/role/entity/JpaRoleAttributeEntity.java
@@ -18,10 +18,14 @@ package org.keycloak.models.map.storage.jpa.role.entity;
 
 import javax.persistence.Entity;
 import javax.persistence.Table;
+import javax.persistence.UniqueConstraint;
+
 import org.keycloak.models.map.storage.jpa.JpaAttributeEntity;
 
 @Entity
-@Table(name = "kc_role_attribute")
+@Table(name = "kc_role_attribute", uniqueConstraints = {
+        @UniqueConstraint(columnNames = {"fk_root", "name", "value"})
+})
 public class JpaRoleAttributeEntity extends JpaAttributeEntity<JpaRoleEntity> {
 
     public JpaRoleAttributeEntity() {
diff --git a/model/map-jpa/src/main/resources/META-INF/client-scopes/jpa-client-scopes-changelog-1.xml b/model/map-jpa/src/main/resources/META-INF/client-scopes/jpa-client-scopes-changelog-1.xml
index 4f887a3223..2b75d324a9 100644
--- a/model/map-jpa/src/main/resources/META-INF/client-scopes/jpa-client-scopes-changelog-1.xml
+++ b/model/map-jpa/src/main/resources/META-INF/client-scopes/jpa-client-scopes-changelog-1.xml
@@ -57,6 +57,8 @@ limitations under the License.
             <column name="name" type="VARCHAR(255)"/>
             <column name="value" type="text"/>
         </createTable>
+        <!-- this is deferrable and initiallyDeferred as hibernate will first insert new entries and then delete the old by default -->
+        <addUniqueConstraint tableName="kc_client_scope_attribute" columnNames="fk_root, name, value" deferrable="true" initiallyDeferred="true" />
         <createIndex tableName="kc_client_scope_attribute" indexName="client_scope_attr_fk_root">
             <column name="fk_root"/>
         </createIndex>
diff --git a/model/map-jpa/src/main/resources/META-INF/clients/jpa-clients-changelog-1.xml b/model/map-jpa/src/main/resources/META-INF/clients/jpa-clients-changelog-1.xml
index 1fcb99c786..64bc014a31 100644
--- a/model/map-jpa/src/main/resources/META-INF/clients/jpa-clients-changelog-1.xml
+++ b/model/map-jpa/src/main/resources/META-INF/clients/jpa-clients-changelog-1.xml
@@ -64,6 +64,8 @@ limitations under the License.
             <column name="name" type="VARCHAR(255)"/>
             <column name="value" type="text"/>
         </createTable>
+        <!-- this is deferrable and initiallyDeferred as hibernate will first insert new entries and then delete the old by default -->
+        <addUniqueConstraint tableName="kc_client_attribute" columnNames="fk_root, name, value" deferrable="true" initiallyDeferred="true" />
         <createIndex tableName="kc_client_attribute" indexName="client_attr_fk_root">
             <column name="fk_root"/>
         </createIndex>
diff --git a/model/map-jpa/src/main/resources/META-INF/groups/jpa-groups-changelog-1.xml b/model/map-jpa/src/main/resources/META-INF/groups/jpa-groups-changelog-1.xml
index 4b28db1b0a..65822d20f5 100644
--- a/model/map-jpa/src/main/resources/META-INF/groups/jpa-groups-changelog-1.xml
+++ b/model/map-jpa/src/main/resources/META-INF/groups/jpa-groups-changelog-1.xml
@@ -59,6 +59,8 @@ limitations under the License.
             <column name="name" type="VARCHAR(255)"/>
             <column name="value" type="text"/>
         </createTable>
+        <!-- this is deferrable and initiallyDeferred as hibernate will first insert new entries and then delete the old by default -->
+        <addUniqueConstraint tableName="kc_group_attribute" columnNames="fk_root, name, value" deferrable="true" initiallyDeferred="true" />
         <createIndex tableName="kc_group_attribute" indexName="group_attr_fk_root">
             <column name="fk_root"/>
         </createIndex>
diff --git a/model/map-jpa/src/main/resources/META-INF/realms/jpa-realms-changelog-1.xml b/model/map-jpa/src/main/resources/META-INF/realms/jpa-realms-changelog-1.xml
index 4ddc2fad57..a818727b1b 100644
--- a/model/map-jpa/src/main/resources/META-INF/realms/jpa-realms-changelog-1.xml
+++ b/model/map-jpa/src/main/resources/META-INF/realms/jpa-realms-changelog-1.xml
@@ -83,6 +83,8 @@ limitations under the License.
             <column name="name" type="VARCHAR(255)"/>
             <column name="value" type="TEXT"/>
         </createTable>
+        <!-- this is deferrable and initiallyDeferred as hibernate will first insert new entries and then delete the old by default -->
+        <addUniqueConstraint tableName="kc_realm_attribute" columnNames="fk_root, name, value" deferrable="true" initiallyDeferred="true" />
         <createIndex tableName="kc_realm_attribute" indexName="realm_attr_fk_root">
             <column name="fk_root"/>
         </createIndex>
diff --git a/model/map-jpa/src/main/resources/META-INF/roles/jpa-roles-changelog-1.xml b/model/map-jpa/src/main/resources/META-INF/roles/jpa-roles-changelog-1.xml
index 5497876d93..6f3e43f553 100644
--- a/model/map-jpa/src/main/resources/META-INF/roles/jpa-roles-changelog-1.xml
+++ b/model/map-jpa/src/main/resources/META-INF/roles/jpa-roles-changelog-1.xml
@@ -66,6 +66,8 @@ limitations under the License.
             <column name="name" type="VARCHAR(255)"/>
             <column name="value" type="text"/>
         </createTable>
+        <!-- this is deferrable and initiallyDeferred as hibernate will first insert new entries and then delete the old by default -->
+        <addUniqueConstraint tableName="kc_role_attribute" columnNames="fk_root, name, value" deferrable="true" initiallyDeferred="true" />
         <createIndex tableName="kc_role_attribute" indexName="role_attr_fk_root">
             <column name="fk_root"/>
         </createIndex>