keycloak · pedroigor · May 11, 2022 · Apr 5, 2022
@@ -1,3 +1,20 @@
+/*
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package org.keycloak.authorization.policy.provider.client;
 
 import java.io.IOException;
@@ -123,7 +140,7 @@ public void postInit(KeycloakSessionFactory factory) {
 
                         try {
                             if (clients.isEmpty()) {
-                                policyStore.delete(policy.getId());
+                                policyStore.delete(removedClient.getRealm(), policy.getId());
                             } else {
                                 policy.putConfig("clients", JsonSerialization.writeValueAsString(clients));
                             }

@@ -1,19 +1,18 @@
 /*
- *  Copyright 2021 Red Hat, Inc. and/or its affiliates
- *  and other contributors as indicated by the @author tags.
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
  *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
+ * http://www.apache.org/licenses/LICENSE-2.0
  *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 package org.keycloak.authorization.policy.provider.clientscope;
 
@@ -69,12 +68,13 @@ public void postInit(KeycloakSessionFactory factory) {
                 StoreFactory storeFactory = provider.getStoreFactory();
                 PolicyStore policyStore = storeFactory.getPolicyStore();
                 ClientScopeModel removedClientScope = ((ClientScopeRemovedEvent) event).getClientScope();
+                RealmModel realm = ((ClientScopeRemovedEvent) event).getClientScope().getRealm();
 
                 Map<Policy.FilterOption, String[]> filters = new HashMap<>();
 
                 filters.put(Policy.FilterOption.TYPE, new String[] { getId() });
 
-                policyStore.findByResourceServer(null, filters, null, null).forEach(new Consumer<Policy>() {
+                policyStore.find(realm, null, filters, null, null).forEach(new Consumer<Policy>() {
 
                     @Override
                     public void accept(Policy policy) {
@@ -93,7 +93,7 @@ public void accept(Policy policy) {
                         }
 
                         if (clientScopes.isEmpty()) {
-                            policyStore.delete(policy.getId());
+                            policyStore.delete(realm, policy.getId());
                         } else {
                             try {
                                 policy.putConfig("clientScopes", JsonSerialization.writeValueAsString(clientScopes));

@@ -1,5 +1,5 @@
 /*
- * Copyright 2018 Red Hat, Inc. and/or its affiliates
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
  * and other contributors as indicated by the @author tags.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -125,6 +125,7 @@ public void onCreate(Policy policy, UmaPermissionRepresentation representation,
     public void onUpdate(Policy policy, UmaPermissionRepresentation representation, AuthorizationProvider authorization) {
         PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
         Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
+        RealmModel realm = policy.getResourceServer().getRealm();
 
         for (Policy associatedPolicy : associatedPolicies) {
             AbstractPolicyRepresentation associatedRep = ModelToRepresentation.toRepresentation(associatedPolicy, authorization, false, false);
@@ -143,7 +144,7 @@ public void onUpdate(Policy policy, UmaPermissionRepresentation representation,
                 }
 
                 if (rep.getRoles().isEmpty()) {
-                    policyStore.delete(associatedPolicy.getId());
+                    policyStore.delete(realm, associatedPolicy.getId());
                 } else {
                     RepresentationToModel.toModel(rep, authorization, associatedPolicy);
                 }
@@ -154,7 +155,7 @@ public void onUpdate(Policy policy, UmaPermissionRepresentation representation,
                     rep.setType(representation.getCondition());
                     RepresentationToModel.toModel(rep, authorization, associatedPolicy);
                 } else {
-                    policyStore.delete(associatedPolicy.getId());
+                    policyStore.delete(realm, associatedPolicy.getId());
                 }
             } else if ("group".equals(associatedRep.getType())) {
                 GroupPolicyRepresentation rep = GroupPolicyRepresentation.class.cast(associatedRep);
@@ -170,7 +171,7 @@ public void onUpdate(Policy policy, UmaPermissionRepresentation representation,
                 }
 
                 if (rep.getGroups().isEmpty()) {
-                    policyStore.delete(associatedPolicy.getId());
+                    policyStore.delete(realm, associatedPolicy.getId());
                 } else {
                     RepresentationToModel.toModel(rep, authorization, associatedPolicy);
                 }
@@ -188,7 +189,7 @@ public void onUpdate(Policy policy, UmaPermissionRepresentation representation,
                 }
 
                 if (rep.getClients().isEmpty()) {
-                    policyStore.delete(associatedPolicy.getId());
+                    policyStore.delete(realm, associatedPolicy.getId());
                 } else {
                     RepresentationToModel.toModel(rep, authorization, associatedPolicy);
                 }
@@ -206,7 +207,7 @@ public void onUpdate(Policy policy, UmaPermissionRepresentation representation,
                 }
 
                 if (rep.getUsers().isEmpty()) {
-                    policyStore.delete(associatedPolicy.getId());
+                    policyStore.delete(realm, associatedPolicy.getId());
                 } else {
                     RepresentationToModel.toModel(rep, authorization, associatedPolicy);
                 }
@@ -364,9 +365,10 @@ public Class<UmaPermissionRepresentation> getRepresentationType() {
     @Override
     public void onRemove(Policy policy, AuthorizationProvider authorization) {
         PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
+        RealmModel realm = policy.getResourceServer().getRealm();
 
         for (Policy associatedPolicy : policy.getAssociatedPolicies()) {
-            policyStore.delete(associatedPolicy.getId());
+            policyStore.delete(realm, associatedPolicy.getId());
         }
     }
 

@@ -1,19 +1,18 @@
 /*
- *  Copyright 2016 Red Hat, Inc. and/or its affiliates
- *  and other contributors as indicated by the @author tags.
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
  *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
+ * http://www.apache.org/licenses/LICENSE-2.0
  *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 package org.keycloak.authorization.policy.provider.role;
@@ -140,11 +139,10 @@ private void updateRoles(Policy policy, RolePolicyRepresentation representation,
     }
 
     private void updateRoles(Policy policy, AuthorizationProvider authorization, Set<RolePolicyRepresentation.RoleDefinition> roles) {
-        KeycloakSession session = authorization.getKeycloakSession();
-        RealmModel realm = authorization.getRealm();
         Set<RolePolicyRepresentation.RoleDefinition> updatedRoles = new HashSet<>();
 
         if (roles != null) {
+            RealmModel realm = authorization.getRealm();
             for (RolePolicyRepresentation.RoleDefinition definition : roles) {
                 String roleName = definition.getId();
                 String clientId = null;
@@ -240,7 +238,7 @@ private void updateResourceServer(ClientModel clientModel, RoleModel removedRole
 
                 try {
                     if (roles.isEmpty()) {
-                        policyStore.delete(policy.getId());
+                        policyStore.delete(clientModel.getRealm(), policy.getId());
                     } else {
                         policy.putConfig("roles", JsonSerialization.writeValueAsString(roles));
                     }

@@ -27,6 +27,7 @@
 import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.models.RealmModel;
 import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
 import org.keycloak.models.cache.authorization.CachedStoreProviderFactory;
 import org.keycloak.models.cache.infinispan.entities.Revisioned;
@@ -44,6 +45,15 @@ public class InfinispanCacheStoreFactoryProviderFactory implements CachedStorePr
 
     protected volatile StoreFactoryCacheManager storeCache;
 
+    /**
+     * Legacy store doesn't store realm id for any entity and no method there is using new introduced RealmModel parameter.
+     * The parameter was introduced for usage only in the new storage. Therefore, in some cases we may break our rule specified in JavaDoc
+     * and use {@code null} value as parameter that otherwise cannot be {@code null}. We need to be careful and place such value only to a method call
+     * that cannot end up in the new store because it would end with {@link NullPointerException}. To mark all places where we do this,
+     * we use this variable so it is easily searchable.
+     */
+    public static final RealmModel NULL_REALM = null;
+
     @Override
     public CachedStoreFactoryProvider create(KeycloakSession session) {
         lazyInit(session);

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
  * and other contributors as indicated by the @author tags.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -22,6 +22,7 @@
 import org.keycloak.authorization.model.Resource;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.model.Scope;
+import org.keycloak.authorization.store.PermissionTicketStore;
 import org.keycloak.models.cache.infinispan.authorization.entities.CachedPermissionTicket;
 
 /**
@@ -42,8 +43,8 @@ public PermissionTicketAdapter(CachedPermissionTicket cached, StoreFactoryCacheS
     @Override
     public PermissionTicket getDelegateForUpdate() {
         if (updated == null) {
-            ResourceServer resourceServer = cacheSession.getResourceServerStoreDelegate().findById(null, cached.getResourceServerId());
-            updated = cacheSession.getPermissionTicketStoreDelegate().findById(resourceServer, cached.getId());
+            ResourceServer resourceServer = cacheSession.getResourceServerStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId());
+            updated = cacheSession.getPermissionTicketStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, cached.getId());
             if (updated == null) throw new IllegalStateException("Not found in database");
             cacheSession.registerPermissionTicketInvalidation(cached.getId(), cached.getOwner(), cached.getRequester(), cached.getResourceId(), updated.getResource().getName(), cached.getScopeId(), cached.getResourceServerId());
         }
@@ -70,8 +71,8 @@ public long getCacheTimestamp() {
     protected boolean isUpdated() {
         if (updated != null) return true;
         if (!invalidated) return false;
-        ResourceServer resourceServer = cacheSession.getResourceServerStoreDelegate().findById(null, cached.getResourceServerId());
-        updated = cacheSession.getPermissionTicketStoreDelegate().findById(resourceServer, cached.getId());
+        ResourceServer resourceServer = cacheSession.getResourceServerStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId());
+        updated = cacheSession.getPermissionTicketStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, cached.getId());
         if (updated == null) throw new IllegalStateException("Not found in database");
         return true;
     }
@@ -122,13 +123,13 @@ public void setGrantedTimestamp(Long millis) {
 
     @Override
     public ResourceServer getResourceServer() {
-        return cacheSession.getResourceServerStore().findById(null, cached.getResourceServerId());
+        return cacheSession.getResourceServerStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId());
     }
 
     @Override
     public Policy getPolicy() {
         if (isUpdated()) return updated.getPolicy();
-        return cacheSession.getPolicyStore().findById(cacheSession.getResourceServerStore().findById(null, cached.getResourceServerId()), cached.getPolicy());
+        return cacheSession.getPolicyStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cacheSession.getResourceServerStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId()), cached.getPolicy());
     }
 
     @Override
@@ -140,12 +141,12 @@ public void setPolicy(Policy policy) {
 
     @Override
     public Resource getResource() {
-        return cacheSession.getResourceStore().findById(getResourceServer(), cached.getResourceId());
+        return cacheSession.getResourceStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, getResourceServer(), cached.getResourceId());
     }
 
     @Override
     public Scope getScope() {
-        return cacheSession.getScopeStore().findById(getResourceServer(), cached.getScopeId());
+        return cacheSession.getScopeStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, getResourceServer(), cached.getScopeId());
     }
 
     @Override