Avoid running org related code if there are no orgs in a realm

Closes #33424

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Pedro Igor 2024-10-01 09:47:18 -03:00 committed by Alexander Schwartz
parent ebfb42f9c5
commit ef48a3a360
3 changed files with 47 additions and 23 deletions


@ -338,15 +338,13 @@ public class UserCacheSession implements UserCache, OnCreateComponent, OnUpdateC
protected UserModel cacheUser(RealmModel realm, UserModel delegate, Long revision) {
int notBefore = getDelegate().getNotBeforeOfUser(realm, delegate);
if (Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
if (isOrganizationDisabled(session, delegate)) {
return new ReadOnlyUserModelDelegate(delegate) {
@Override
public boolean isEnabled() {
return false;
}
};
}
if (isReadOnlyOrganizationMember(delegate)) {
return new ReadOnlyUserModelDelegate(delegate) {
@Override
public boolean isEnabled() {
return false;
}
};
}
CachedUser cached;
@ -978,10 +976,22 @@ public class UserCacheSession implements UserCache, OnCreateComponent, OnUpdateC
return List.of();
}
private boolean isOrganizationDisabled(KeycloakSession session, UserModel delegate) {
// check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member
private boolean isReadOnlyOrganizationMember(UserModel delegate) {
if (delegate == null) {
return false;
}
if (!Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
return false;
}
OrganizationProvider organizationProvider = session.getProvider(OrganizationProvider.class);
if (organizationProvider.count() == 0) {
return false;
}
// check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member
return organizationProvider.getByMember(delegate)
.anyMatch((org) -> (organizationProvider.isEnabled() && org.isManaged(delegate) && !org.isEnabled()) ||
(!organizationProvider.isEnabled() && org.isManaged(delegate)));
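Review bot: `isReadOnlyOrganizationMember` is undocumented and its name understates its effect: when it returns true, `cacheUser` hands back a `ReadOnlyUserModelDelegate` whose `isEnabled()` is false, so this helper decides whether the account is treated as disabled. A Javadoc should state that it returns true for a managed member of a disabled organization, or for any managed member while the provider is disabled, and false without checking membership when the user is null, the feature is off, or `count()` is 0. The new `count() == 0` shortcut runs on every `cacheUser` call; how `count()` is scoped and whether it is cached is not visible in this hunk, so it is worth confirming that it cannot report a stale zero, which would skip the disabled-organization check. The predicate would also read more plainly as `org.isManaged(delegate) && !(organizationProvider.isEnabled() && org.isEnabled())`. The helper's closing lines fall outside the hunk.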


@ -114,16 +114,13 @@ public class UserStorageManager extends AbstractStorageManager<UserStorageProvid
*/
protected UserModel importValidation(RealmModel realm, UserModel user) {
if (Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION) && user != null) {
// check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member
if (isOrganizationDisabled(session, user)) {
return new ReadOnlyUserModelDelegate(user) {
@Override
public boolean isEnabled() {
return false;
}
};
}
if (isReadOnlyOrganizationMember(user)) {
return new ReadOnlyUserModelDelegate(user) {
@Override
public boolean isEnabled() {
return false;
}
};
}
if (user == null || user.getFederationLink() == null) return user;
@ -932,10 +929,22 @@ public class UserStorageManager extends AbstractStorageManager<UserStorageProvid
return Collections.emptyList();
}
private boolean isOrganizationDisabled(KeycloakSession session, UserModel delegate) {
// check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member
private boolean isReadOnlyOrganizationMember(UserModel delegate) {
if (delegate == null) {
return false;
}
if (!Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
return false;
}
OrganizationProvider organizationProvider = session.getProvider(OrganizationProvider.class);
if (organizationProvider.count() == 0) {
return false;
}
// check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member
return organizationProvider.getByMember(delegate)
.anyMatch((org) -> (organizationProvider.isEnabled() && org.isManaged(delegate) && !org.isEnabled()) ||
(!organizationProvider.isEnabled() && org.isManaged(delegate)));
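Review bot: The `isReadOnlyOrganizationMember` added here repeats, line for line, the helper added to `UserCacheSession` earlier in this commit, including the `count() == 0` shortcut and the `anyMatch` predicate. Because the result forces `isEnabled()` to false in `importValidation`, two private copies that drift apart would leave the cache path and the storage path disagreeing about which managed members are disabled. I would keep one shared static helper in a place both classes can reach and call it from both, or at least mark each copy with `// keep in sync with UserCacheSession#isReadOnlyOrganizationMember`. `importValidation` and the helper both continue outside the visible hunks.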


@ -191,6 +191,11 @@ public class Organizations {
}
OrganizationProvider provider = getProvider(session);
if (provider.count() == 0) {
return null;
}
AuthenticationSessionModel authSession = session.getContext().getAuthenticationSession();
if (authSession != null) {
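Review bot: The new `if (provider.count() == 0) { return null; }` guard has no comment saying what a null result means to callers, and the enclosing method starts and ends outside this hunk, so that contract cannot be checked from here. I would add `// realm has no organizations: nothing to resolve, skip the auth-session lookup` above the guard, after confirming that every caller already handles null. This is the third copy of the `count() == 0` shortcut in the commit, so the comment also helps keep the three sites aligned if the condition changes.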