From d3ae075a33eebf91e171312a17a6edde13a2b5f3 Mon Sep 17 00:00:00 2001
From: Stefan Guilhen
Date: Fri, 9 Feb 2024 10:45:07 -0300
Subject: [PATCH] Fix MembershipType so that NPE is not thrown when an empty member is found within a group
Closes #25883
Signed-off-by: Stefan Guilhen
---
 .../storage/ldap/mappers/membership/MembershipType.java | 2 +-
 .../testsuite/federation/ldap/LDAPGroupMapperTest.java | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/MembershipType.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/MembershipType.java
index f8715769de..1bc9aea2bf 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/MembershipType.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/MembershipType.java
@@ -57,7 +57,7 @@ public enum MembershipType {
 Set result = new LinkedHashSet<>();
 for (String membership : allMemberships) {
 LDAPDn childDn = LDAPDn.fromString(membership);
- if (childDn.getFirstRdn().getAttrValue(rdnAttr) != null && childDn.isDescendantOf(requiredParentDn)) {
+ if (childDn.isDescendantOf(requiredParentDn) && childDn.getFirstRdn().getAttrValue(rdnAttr) != null) {
 result.add(childDn);
 }
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPGroupMapperTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPGroupMapperTest.java
index 47cd2dc3a1..f58832d1e2 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPGroupMapperTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPGroupMapperTest.java
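Review bot: In MembershipType.java the null guard is still implicit: the reordered condition avoids the NPE only because `isDescendantOf(requiredParentDn)` is presumably false for a DN with no RDNs, so `getFirstRdn()` is never dereferenced for such a value. These member values are read from the directory, so the sync should not depend on that coupling; test the RDN directly, e.g. `if (childDn.isDescendantOf(requiredParentDn) && childDn.getFirstRdn() != null && childDn.getFirstRdn().getAttrValue(rdnAttr) != null) {`. A short comment such as `// member values come from LDAP and may be empty; never dereference getFirstRdn() unchecked` would also keep a later reorder from reintroducing the crash. The enclosing method starts and ends outside the hunk, and `LDAPDn.fromString` is not visible here, so whether it can itself throw on malformed member values is worth confirming.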
@@ -513,7 +513,13 @@ public class LDAPGroupMapperTest extends AbstractLDAPTest {
 nonExistentLdapUser.setDn(nonExistentDn);
 LDAPUtils.addMember(ldapProvider, MembershipType.DN, LDAPConstants.MEMBER, "not-used", group2, nonExistentLdapUser);
 
- // 4 - Check group members. Just existing user rob should be present
+ // 4 - Add an empty member to the same LDAP group
+ LDAPDn emptyDn = LDAPDn.fromString("");
+ LDAPObject emptyUser = new LDAPObject();
+ emptyUser.setDn(emptyDn);
+ LDAPUtils.addMember(ldapProvider, MembershipType.DN, LDAPConstants.MEMBER, "not-used", group2, emptyUser);
+
+ // 5 - Check group members. Just existing user rob should be present
 groupMapper.syncDataFromFederationProviderToKeycloak(appRealm);
 GroupModel kcGroup2 = KeycloakModelUtils.findGroupByPath(session, appRealm, "/group2");
 List groupUsers = session.users().getGroupMembersStream(appRealm, kcGroup2, 0, 5)
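Review bot: The new step 4 comment does not say why an empty member is added, so the regression it guards is easy to lose in a later cleanup; something like `// 4 - Add an empty member to the same LDAP group (regression for #25883: sync must skip it, not throw)` would tie it to the fix. Only the empty-DN case is exercised in the visible lines; a member value that parses to a DN with no usable first RDN in some other way is not covered here. The hunk ends mid-statement, so the assertions on `groupUsers` are outside the view.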