From ef48a3a360cc0c96faeef3ecbedd42b8e88d36bd Mon Sep 17 00:00:00 2001 From: Pedro Igor Date: Tue, 1 Oct 2024 09:47:18 -0300 Subject: [PATCH] Avoid running org related code if there are no orgs in a realm Closes #33424 Signed-off-by: Pedro Igor --- .../cache/infinispan/UserCacheSession.java | 32 +++++++++++------- .../keycloak/storage/UserStorageManager.java | 33 ++++++++++++------- .../organization/utils/Organizations.java | 5 +++ 3 files changed, 47 insertions(+), 23 deletions(-) diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java index 3f0dd1d7bb..f9180a5fe9 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java @@ -338,15 +338,13 @@ public class UserCacheSession implements UserCache, OnCreateComponent, OnUpdateC protected UserModel cacheUser(RealmModel realm, UserModel delegate, Long revision) { int notBefore = getDelegate().getNotBeforeOfUser(realm, delegate); - if (Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) { - if (isOrganizationDisabled(session, delegate)) { - return new ReadOnlyUserModelDelegate(delegate) { - @Override - public boolean isEnabled() { - return false; - } - }; - } + if (isReadOnlyOrganizationMember(delegate)) { + return new ReadOnlyUserModelDelegate(delegate) { + @Override + public boolean isEnabled() { + return false; + } + }; } CachedUser cached; @@ -978,10 +976,22 @@ public class UserCacheSession implements UserCache, OnCreateComponent, OnUpdateC return List.of(); } - private boolean isOrganizationDisabled(KeycloakSession session, UserModel delegate) { - // check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member + private boolean isReadOnlyOrganizationMember(UserModel delegate) { + if (delegate == null) { + return false; + } + + if (!Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) { + return false; + } + OrganizationProvider organizationProvider = session.getProvider(OrganizationProvider.class); + if (organizationProvider.count() == 0) { + return false; + } + + // check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member return organizationProvider.getByMember(delegate) .anyMatch((org) -> (organizationProvider.isEnabled() && org.isManaged(delegate) && !org.isEnabled()) || (!organizationProvider.isEnabled() && org.isManaged(delegate))); diff --git a/model/storage-private/src/main/java/org/keycloak/storage/UserStorageManager.java b/model/storage-private/src/main/java/org/keycloak/storage/UserStorageManager.java index 894b16a444..6cfacbbfa7 100755 --- a/model/storage-private/src/main/java/org/keycloak/storage/UserStorageManager.java +++ b/model/storage-private/src/main/java/org/keycloak/storage/UserStorageManager.java @@ -114,16 +114,13 @@ public class UserStorageManager extends AbstractStorageManager (organizationProvider.isEnabled() && org.isManaged(delegate) && !org.isEnabled()) || (!organizationProvider.isEnabled() && org.isManaged(delegate))); diff --git a/services/src/main/java/org/keycloak/organization/utils/Organizations.java b/services/src/main/java/org/keycloak/organization/utils/Organizations.java index 418e4690e3..cf41db90aa 100644 --- a/services/src/main/java/org/keycloak/organization/utils/Organizations.java +++ b/services/src/main/java/org/keycloak/organization/utils/Organizations.java @@ -191,6 +191,11 @@ public class Organizations { } OrganizationProvider provider = getProvider(session); + + if (provider.count() == 0) { + return null; + } + AuthenticationSessionModel authSession = session.getContext().getAuthenticationSession(); if (authSession != null) {