libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

Avoid running org related code if there are no orgs in a realm

Browse source 
Closes #33424

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor 2024-10-01 09:47:18 -03:00 committed by Alexander Schwartz
parent ebfb42f9c5
commit ef48a3a360
3 changed files with 47 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java vendored
View file

@ -338,8 +338,7 @@ public class UserCacheSession implements UserCache, OnCreateComponent, OnUpdateC
protected UserModel cacheUser(RealmModel realm, UserModel delegate, Long revision) { protected UserModel cacheUser(RealmModel realm, UserModel delegate, Long revision) {
int notBefore = getDelegate().getNotBeforeOfUser(realm, delegate); int notBefore = getDelegate().getNotBeforeOfUser(realm, delegate);
if (Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) { if (isReadOnlyOrganizationMember(delegate)) {
if (isOrganizationDisabled(session, delegate)) {
return new ReadOnlyUserModelDelegate(delegate) { return new ReadOnlyUserModelDelegate(delegate) {
@Override @Override
public boolean isEnabled() { public boolean isEnabled() {
@ -347,7 +346,6 @@ public class UserCacheSession implements UserCache, OnCreateComponent, OnUpdateC
} }
}; };
} }
}
CachedUser cached; CachedUser cached;
UserAdapter adapter; UserAdapter adapter;
@ -978,10 +976,22 @@ public class UserCacheSession implements UserCache, OnCreateComponent, OnUpdateC
return List.of(); return List.of();
} }
private boolean isOrganizationDisabled(KeycloakSession session, UserModel delegate) { private boolean isReadOnlyOrganizationMember(UserModel delegate) {
// check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member if (delegate == null) {
return false;
}
if (!Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
return false;
}
OrganizationProvider organizationProvider = session.getProvider(OrganizationProvider.class); OrganizationProvider organizationProvider = session.getProvider(OrganizationProvider.class);
if (organizationProvider.count() == 0) {
return false;
}
// check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member
return organizationProvider.getByMember(delegate) return organizationProvider.getByMember(delegate)
.anyMatch((org) -> (organizationProvider.isEnabled() && org.isManaged(delegate) && !org.isEnabled()) || .anyMatch((org) -> (organizationProvider.isEnabled() && org.isManaged(delegate) && !org.isEnabled()) ||
(!organizationProvider.isEnabled() && org.isManaged(delegate))); (!organizationProvider.isEnabled() && org.isManaged(delegate)));

21
model/storage-private/src/main/java/org/keycloak/storage/UserStorageManager.java
View file

@ -114,9 +114,7 @@ public class UserStorageManager extends AbstractStorageManager<UserStorageProvid
*/ */
protected UserModel importValidation(RealmModel realm, UserModel user) { protected UserModel importValidation(RealmModel realm, UserModel user) {
if (Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION) && user != null) { if (isReadOnlyOrganizationMember(user)) {
// check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member
if (isOrganizationDisabled(session, user)) {
return new ReadOnlyUserModelDelegate(user) { return new ReadOnlyUserModelDelegate(user) {
@Override @Override
public boolean isEnabled() { public boolean isEnabled() {
@ -124,7 +122,6 @@ public class UserStorageManager extends AbstractStorageManager<UserStorageProvid
} }
}; };
} }
}
if (user == null || user.getFederationLink() == null) return user; if (user == null || user.getFederationLink() == null) return user;
@ -932,10 +929,22 @@ public class UserStorageManager extends AbstractStorageManager<UserStorageProvid
return Collections.emptyList(); return Collections.emptyList();
} }
private boolean isOrganizationDisabled(KeycloakSession session, UserModel delegate) { private boolean isReadOnlyOrganizationMember(UserModel delegate) {
// check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member if (delegate == null) {
return false;
}
if (!Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
return false;
}
OrganizationProvider organizationProvider = session.getProvider(OrganizationProvider.class); OrganizationProvider organizationProvider = session.getProvider(OrganizationProvider.class);
if (organizationProvider.count() == 0) {
return false;
}
// check if provider is enabled and user is managed member of a disabled organization OR provider is disabled and user is managed member
return organizationProvider.getByMember(delegate) return organizationProvider.getByMember(delegate)
.anyMatch((org) -> (organizationProvider.isEnabled() && org.isManaged(delegate) && !org.isEnabled()) || .anyMatch((org) -> (organizationProvider.isEnabled() && org.isManaged(delegate) && !org.isEnabled()) ||
(!organizationProvider.isEnabled() && org.isManaged(delegate))); (!organizationProvider.isEnabled() && org.isManaged(delegate)));

5
services/src/main/java/org/keycloak/organization/utils/Organizations.java
View file

@ -191,6 +191,11 @@ public class Organizations {
} }
OrganizationProvider provider = getProvider(session); OrganizationProvider provider = getProvider(session);
if (provider.count() == 0) {
return null;
}
AuthenticationSessionModel authSession = session.getContext().getAuthenticationSession(); AuthenticationSessionModel authSession = session.getContext().getAuthenticationSession();
if (authSession != null) { if (authSession != null) {