RealmCacheSession.java
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.models.cache.infinispan;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.client.clienttype.ClientTypeManager;
import org.keycloak.cluster.ClusterProvider;
import org.keycloak.common.Profile;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.ClientInitialAccessModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientProvider;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientScopeProvider;
import org.keycloak.models.GroupModel;
import org.keycloak.models.GroupModel.Type;
import org.keycloak.models.GroupProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakTransaction;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RealmProvider;
import org.keycloak.models.RoleModel;
import org.keycloak.models.RoleProvider;
import org.keycloak.models.UserModel;
import org.keycloak.models.cache.CacheRealmProvider;
import org.keycloak.models.cache.CachedRealmModel;
import org.keycloak.models.cache.infinispan.entities.CachedClient;
import org.keycloak.models.cache.infinispan.entities.CachedClientRole;
import org.keycloak.models.cache.infinispan.entities.CachedClientScope;
import org.keycloak.models.cache.infinispan.entities.CachedGroup;
import org.keycloak.models.cache.infinispan.entities.CachedRealm;
import org.keycloak.models.cache.infinispan.entities.CachedRealmRole;
import org.keycloak.models.cache.infinispan.entities.CachedRole;
import org.keycloak.models.cache.infinispan.entities.ClientListQuery;
import org.keycloak.models.cache.infinispan.entities.ClientScopeListQuery;
import org.keycloak.models.cache.infinispan.entities.GroupListQuery;
import org.keycloak.models.cache.infinispan.entities.GroupNameQuery;
import org.keycloak.models.cache.infinispan.entities.RealmListQuery;
import org.keycloak.models.cache.infinispan.entities.RoleListQuery;
import org.keycloak.models.cache.infinispan.events.ClientAddedEvent;
import org.keycloak.models.cache.infinispan.events.ClientRemovedEvent;
import org.keycloak.models.cache.infinispan.events.ClientScopeAddedEvent;
import org.keycloak.models.cache.infinispan.events.ClientScopeRemovedEvent;
import org.keycloak.models.cache.infinispan.events.ClientUpdatedEvent;
import org.keycloak.models.cache.infinispan.events.GroupAddedEvent;
import org.keycloak.models.cache.infinispan.events.GroupMovedEvent;
import org.keycloak.models.cache.infinispan.events.GroupRemovedEvent;
import org.keycloak.models.cache.infinispan.events.GroupUpdatedEvent;
import org.keycloak.models.cache.infinispan.events.InvalidationEvent;
import org.keycloak.models.cache.infinispan.events.CacheKeyInvalidatedEvent;
import org.keycloak.models.cache.infinispan.events.RealmRemovedEvent;
import org.keycloak.models.cache.infinispan.events.RealmUpdatedEvent;
import org.keycloak.models.cache.infinispan.events.RoleAddedEvent;
import org.keycloak.models.cache.infinispan.events.RoleRemovedEvent;
import org.keycloak.models.cache.infinispan.events.RoleUpdatedEvent;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.storage.DatastoreProvider;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.StoreManagers;
import org.keycloak.storage.client.ClientStorageProviderModel;
/**
* - the high level architecture of this cache is an invalidation cache.
* - the cache is manual/custom versioned. When a model is updated, we remove it from the cache
* which causes an invalidation message to be sent across the cluster.
* - We had to do it this way because Infinispan REPEATABLE_READ
* wouldn't cut it in invalidation mode. Also, REPEATABLE_READ doesn't work very well on relationships and items that are
* not in the cache.
* - There are two Infinispan caches. One clustered that holds actual objects and a another local one that holds revision
* numbers of cached objects. Whenever a cached object is removed (invalidated), the local revision
* cache number or that key is bumped higher based on a local version counter. Whenever a cache entry is fetched, this
* revision number is also fetched and compared against the revision number in the cache entry to see if the cache entry
* is stale. Whenever a cache entry is added, this revision number is also checked against the revision cache.
* - Revision entries are actually never removed (although they could be evicted by cache eviction policies). The reason for this
* is that it is possible for a stale object to be inserted if one thread loads and the data is updated in the database before
* it is added to the cache. So, we keep the version number around for this.
* - In a transaction, objects are registered to be invalidated. If an object is marked for invalidation within a transaction
* a cached object should never be returned. An DB adapter should always be returned.
* - After DB commits, the objects marked for invalidation are invalidated, or rather removed from the cache. At this time
* the revision cache entry for this object has its version number bumped.
* - Whenever an object is marked for invalidation, the cache is also searched for any objects that are related to this object
* and need to also be evicted/removed. We use the Infinispan Stream SPI for this.
*
* ClientList caches:
* - lists of clients are cached in a specific cache entry i.e. realm clients, find client by clientId
* - realm client lists need to be invalidated and evited whenever a client is added or removed from a realm. RealmProvider
* now has addClient/removeClient at its top level. All adapters should use these methods so that the appropriate invalidations
* can be registered.
* - whenever a client is added/removed the realm of the client is added to a listInvalidations set
* this set must be checked before sending back or caching a cached query. This check is required to
* avoid caching an uncommitted removal/add in a query cache.
* - when a client is removed, any queries that contain that client must also be removed.
* - a client removal will also cause anything that is contained and cached within that client to be removed
*
* Clustered caches:
* - There is a Infinispan @Listener registered. If an invalidation event happens, this is treated like
* the object was removed from the database and will perform evictions based on that assumption.
* - Eviction events will also cascade other evictions, but not assume this is a db removal.
* - With an invalidation cache, if you remove an entry on node 1 and this entry does not exist on node 2, node 2 will not receive a @Listener invalidation event.
* so, hat we have to put a marker entry in the invalidation cache before we read from the DB, so if the DB changes in between reading and adding a cache entry, the cache will be notified and bump
* the version information.
*
* DBs with Repeatable Read:
* - DBs like MySQL are Repeatable Read by default. So, if you query a Client for instance, it will always return the same result in the same transaction even if the DB
* was updated in between these queries. This makes it possible to store stale cache entries. To avoid this problem, this class stores the current local version counter
* at the beginning of the transaction. Whenever an entry is added to the cache, the current counter is compared against the counter at the beginning of the tx. If the current
* is greater, then don't cache.
*
* Groups and Roles:
* - roles are tricky because of composites. Composite lists are cached too. So, when a role is removed
* we also iterate and invalidate any role or group that contains that role being removed.
*
* - any relationship should be resolved from session.realms(). For example if JPA.getClientByClientId() is invoked,
* JPA should find the id of the client and then call session.realms().getClientById(). THis is to ensure that the cached
* object is invoked and all proper invalidation are being invoked.
*
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class RealmCacheSession implements CacheRealmProvider {
protected static final Logger logger = Logger.getLogger(RealmCacheSession.class);
public static final String REALM_CLIENTS_QUERY_SUFFIX = ".realm.clients";
public static final String ROLES_QUERY_SUFFIX = ".roles";
private static final String SCOPE_KEY_DEFAULT = "default";
private static final String SCOPE_KEY_OPTIONAL = "optional";
protected RealmCacheManager cache;
protected KeycloakSession session;
protected RealmProvider realmDelegate;
protected ClientProvider clientDelegate;
protected ClientScopeProvider clientScopeDelegate;
protected GroupProvider groupDelegate;
protected RoleProvider roleDelegate;
protected boolean transactionActive;
protected boolean setRollbackOnly;
protected Map<String, RealmAdapter> managedRealms = new HashMap<>();
protected Map<String, ClientModel> managedApplications = new HashMap<>();
protected Map<String, ClientScopeAdapter> managedClientScopes = new HashMap<>();
protected Map<String, RoleAdapter> managedRoles = new HashMap<>();
protected Map<String, GroupAdapter> managedGroups = new HashMap<>();
protected Set<String> listInvalidations = new HashSet<>();
protected Set<String> invalidations = new HashSet<>();
protected Set<InvalidationEvent> invalidationEvents = new HashSet<>(); // Events to be sent across cluster
protected final long startupRevision;
private final StoreManagers datastoreProvider;
public RealmCacheSession(RealmCacheManager cache, KeycloakSession session) {
this.cache = cache;
this.session = session;
this.startupRevision = cache.getCurrentCounter();
this.datastoreProvider = (StoreManagers) session.getProvider(DatastoreProvider.class);
session.getTransactionManager().enlistPrepare(getPrepareTransaction());
session.getTransactionManager().enlistAfterCompletion(getAfterTransaction());
}
@Override
public void clear() {
ClusterProvider cluster = session.getProvider(ClusterProvider.class);
cluster.notify(InfinispanCacheRealmProviderFactory.REALM_CLEAR_CACHE_EVENTS, ClearCacheEvent.getInstance(), false, ClusterProvider.DCNotify.ALL_DCS);
}
@Override
public RealmProvider getRealmDelegate() {
if (!transactionActive) throw new IllegalStateException("Cannot access delegate without a transaction");
if (realmDelegate != null) return realmDelegate;
realmDelegate = session.getProvider(RealmProvider.class);
return realmDelegate;
}
public ClientProvider getClientDelegate() {
if (!transactionActive) throw new IllegalStateException("Cannot access delegate without a transaction");
if (clientDelegate != null) return clientDelegate;
clientDelegate = this.datastoreProvider.clientStorageManager();
return clientDelegate;
}
public ClientScopeProvider getClientScopeDelegate() {
if (!transactionActive) throw new IllegalStateException("Cannot access delegate without a transaction");
if (clientScopeDelegate != null) return clientScopeDelegate;
clientScopeDelegate = this.datastoreProvider.clientScopeStorageManager();
return clientScopeDelegate;
}
public RoleProvider getRoleDelegate() {
if (!transactionActive) throw new IllegalStateException("Cannot access delegate without a transaction");
if (roleDelegate != null) return roleDelegate;
roleDelegate = this.datastoreProvider.roleStorageManager();
return roleDelegate;
}
public GroupProvider getGroupDelegate() {
if (!transactionActive) throw new IllegalStateException("Cannot access delegate without a transaction");
if (groupDelegate != null) return groupDelegate;
groupDelegate = this.datastoreProvider.groupStorageManager();
return groupDelegate;
}
public boolean isInvalid(String key) {
return invalidations.contains(key);
}
public RealmCacheManager getCache() {
return cache;
}
public long getStartupRevision() {
return startupRevision;
}
@Override
public void registerInvalidation(String id) {
cache.invalidateCacheKey(id, invalidations);
invalidationEvents.add(new CacheKeyInvalidatedEvent(id));
}
@Override
public void registerRealmInvalidation(String id, String name) {
cache.realmUpdated(id, name, invalidations);
RealmAdapter adapter = managedRealms.get(id);
if (adapter != null) adapter.invalidateFlag();
invalidationEvents.add(RealmUpdatedEvent.create(id, name));
}
@Override
public void registerClientInvalidation(String id, String clientId, String realmId) {
invalidateClient(id);
invalidationEvents.add(ClientUpdatedEvent.create(id, clientId, realmId));
cache.clientUpdated(realmId, id, clientId, invalidations);
}
private void invalidateClient(String id) {
invalidations.add(id);
ClientModel adapter = managedApplications.get(id);
if (adapter != null && adapter instanceof ClientAdapter) ((ClientAdapter)adapter).invalidate();
}
@Override
public void registerClientScopeInvalidation(String id, String realmId) {
invalidateClientScope(id);
cache.clientScopeUpdated(realmId, invalidations);
invalidationEvents.add(new CacheKeyInvalidatedEvent(id));
}
private void invalidateClientScope(String id) {
invalidations.add(id);
ClientScopeAdapter adapter = managedClientScopes.get(id);
if (adapter != null) adapter.invalidate();
}
@Override
public void registerRoleInvalidation(String id, String roleName, String roleContainerId) {
invalidateRole(id);
cache.roleUpdated(roleContainerId, roleName, invalidations);
invalidationEvents.add(RoleUpdatedEvent.create(id, roleName, roleContainerId));
}
private void roleRemovalInvalidations(String roleId, String roleName, String roleContainerId) {
Set<String> newInvalidations = new HashSet<>();
cache.roleRemoval(roleId, roleName, roleContainerId, newInvalidations);
invalidations.addAll(newInvalidations);
// need to make sure that scope and group mapping clients and groups are invalidated
for (String id : newInvalidations) {
ClientModel adapter = managedApplications.get(id);
if (adapter != null && adapter instanceof ClientAdapter){
((ClientAdapter)adapter).invalidate();
continue;
}
GroupAdapter group = managedGroups.get(id);
if (group != null) {
group.invalidate();
continue;
}
ClientScopeAdapter clientScope = managedClientScopes.get(id);
if (clientScope != null) {
clientScope.invalidate();
continue;
}
RoleAdapter role = managedRoles.get(id);
if (role != null) {
role.invalidate();
continue;
}
}
}
private void invalidateRole(String id) {
invalidations.add(id);
RoleAdapter adapter = managedRoles.get(id);
if (adapter != null) adapter.invalidate();
}
private void addedRole(String roleId, String roleContainerId) {
// this is needed so that a new role that hasn't been committed isn't cached in a query
listInvalidations.add(roleContainerId);
invalidateRole(roleId);
cache.roleAdded(roleContainerId, invalidations);
invalidationEvents.add(RoleAddedEvent.create(roleId, roleContainerId));
}
@Override
public void registerGroupInvalidation(String id) {
invalidateGroup(id, null, false);
addGroupEventIfAbsent(GroupUpdatedEvent.create(id));
}
private void invalidateGroup(String id, String realmId, boolean invalidateQueries) {
invalidateGroup(id);
cache.groupNameInvalidations(id, invalidations);
if (invalidateQueries) {
cache.groupQueriesInvalidations(realmId, invalidations);
}
}
private void invalidateGroup(String id) {
invalidations.add(id);
GroupAdapter adapter = managedGroups.get(id);
if (adapter != null) adapter.invalidate();
}
protected void runInvalidations() {
for (String id : invalidations) {
cache.invalidateObject(id);
}
cache.sendInvalidationEvents(session, invalidationEvents, InfinispanCacheRealmProviderFactory.REALM_INVALIDATION_EVENTS);
}
private KeycloakTransaction getPrepareTransaction() {
return new KeycloakTransaction() {
@Override
public void begin() {
transactionActive = true;
}
@Override
public void commit() {
/* THIS WAS CAUSING DEADLOCK IN A CLUSTER
if (delegate == null) return;
List<String> locks = new LinkedList<>();
locks.addAll(invalidations);
Collections.sort(locks); // lock ordering
cache.getRevisions().startBatch();
if (!locks.isEmpty()) cache.getRevisions().getAdvancedCache().lock(locks);
*/
}
@Override
public void rollback() {
setRollbackOnly = true;
transactionActive = false;
}
@Override
public void setRollbackOnly() {
setRollbackOnly = true;
}
@Override
public boolean getRollbackOnly() {
return setRollbackOnly;
}
@Override
public boolean isActive() {
return transactionActive;
}
};
}
private KeycloakTransaction getAfterTransaction() {
return new KeycloakTransaction() {
@Override
public void begin() {
transactionActive = true;
}
@Override
public void commit() {
try {
runInvalidations();
transactionActive = false;
} finally {
cache.endRevisionBatch();
}
}
@Override
public void rollback() {
try {
setRollbackOnly = true;
runInvalidations();
transactionActive = false;
} finally {
cache.endRevisionBatch();
}
}
@Override
public void setRollbackOnly() {
setRollbackOnly = true;
}
@Override
public boolean getRollbackOnly() {
return setRollbackOnly;
}
@Override
public boolean isActive() {
return transactionActive;
}
};
}
@Override
public RealmModel createRealm(String name) {
RealmModel realm = getRealmDelegate().createRealm(name);
registerRealmInvalidation(realm.getId(), realm.getName());
return realm;
}
@Override
public RealmModel createRealm(String id, String name) {
RealmModel realm = getRealmDelegate().createRealm(id, name);
registerRealmInvalidation(realm.getId(), realm.getName());
return realm;
}
@Override
public RealmModel getRealm(String id) {
if (invalidations.contains(id)) {
return getRealmDelegate().getRealm(id);
} else if (managedRealms.containsKey(id)) {
return managedRealms.get(id);
}
CachedRealm cached = cache.get(id, CachedRealm.class);
RealmAdapter adapter;
if (cached != null) {
logger.tracev("by id cache hit: {0}", cached.getName());
adapter = new RealmAdapter(session, cached, this);
} else {
adapter = cache.computeSerialized(session, id, this::prepareCachedRealm);
if (adapter == null) {
return null;
}
}
managedRealms.put(id, adapter);
return adapter;
}
private RealmAdapter prepareCachedRealm(String id, KeycloakSession session) {
CachedRealm cached = cache.get(id, CachedRealm.class);
RealmAdapter adapter;
if (cached == null) {
Long loaded = cache.getCurrentRevision(id);
RealmModel model = getRealmDelegate().getRealm(id);
if (model == null) {
return null;
}
cached = new CachedRealm(loaded, model);
cache.addRevisioned(cached, startupRevision);
adapter = new RealmAdapter(session, cached, this);
CachedRealmModel.RealmCachedEvent event = new CachedRealmModel.RealmCachedEvent() {
@Override
public CachedRealmModel getRealm() {
return adapter;
}
@Override
public KeycloakSession getKeycloakSession() {
return session;
}
};
session.getKeycloakSessionFactory().publish(event);
} else {
adapter = new RealmAdapter(session, cached, this);
logger.tracev("by id cache hit after locking: {0}", cached.getName());
}
return adapter;
}
@Override
public RealmModel getRealmByName(String name) {
String cacheKey = getRealmByNameCacheKey(name);
if (invalidations.contains(cacheKey)) {
return getRealmDelegate().getRealmByName(name);
}
RealmListQuery query = cache.get(cacheKey, RealmListQuery.class);
if (query != null) {
logger.tracev("realm by name cache hit: {0}", name);
String realmId = query.getRealms().iterator().next();
return getRealm(realmId);
} else {
return cache.computeSerialized(session, cacheKey, (key, keycloakSession) -> prepareCachedRealmByName(name, key));
}
}
private RealmModel prepareCachedRealmByName(String name, String cacheKey) {
RealmListQuery query = cache.get(cacheKey, RealmListQuery.class);
if (query == null) {
Long loaded = cache.getCurrentRevision(cacheKey);
RealmModel model = getRealmDelegate().getRealmByName(name);
if (model == null) {
return null;
}
query = new RealmListQuery(loaded, cacheKey, model.getId());
cache.addRevisioned(query, startupRevision);
return model;
} else {
String realmId = query.getRealms().iterator().next();
return getRealm(realmId);
}
}
static String getRealmByNameCacheKey(String name) {
return "realm.query.by.name." + name;
}
@Override
public Stream<RealmModel> getRealmsWithProviderTypeStream(Class<?> type) {
// Retrieve realms from backend
return getRealms(getRealmDelegate().getRealmsWithProviderTypeStream(type));
}
@Override
public Stream<RealmModel> getRealmsStream() {
// Retrieve realms from backend
return getRealms(getRealmDelegate().getRealmsStream());
}
@Override
public Stream<RealmModel> getRealmsStream(String search) {
// Retrieve realms from backend
return getRealms(getRealmDelegate().getRealmsStream(search));
}
private Stream<RealmModel> getRealms(Stream<RealmModel> backendRealms) {
// Return cache delegates to ensure cache invalidated during write operations
return backendRealms.map(RealmModel::getId).map(this::getRealm);
}
@Override
public boolean removeRealm(String id) {
RealmModel realm = getRealm(id);
if (realm == null) return false;
listInvalidations.add(id);
evictRealmOnRemoval(realm);
return getRealmDelegate().removeRealm(id);
}
public void evictRealmOnRemoval(RealmModel realm) {
cache.invalidateObject(realm.getId());
invalidationEvents.add(RealmRemovedEvent.create(realm.getId(), realm.getName()));
cache.realmRemoval(realm.getId(), realm.getName(), invalidations);
}
@Override
public ClientModel addClient(RealmModel realm, String clientId) {
ClientModel client = getClientDelegate().addClient(realm, clientId);
return addedClient(realm, client);
}
@Override
public ClientModel addClient(RealmModel realm, String id, String clientId) {
ClientModel client = getClientDelegate().addClient(realm, id, clientId);
return addedClient(realm, client);
}
private ClientModel addedClient(RealmModel realm, ClientModel client) {
logger.trace("added Client.....");
invalidateClient(client.getId());
// this is needed so that a client that hasn't been committed isn't cached in a query
listInvalidations.add(realm.getId());
invalidationEvents.add(ClientAddedEvent.create(client.getId(), realm.getId()));
cache.clientAdded(realm.getId(), invalidations);
return client;
}
static String getRealmClientsQueryCacheKey(String realm) {
return realm + REALM_CLIENTS_QUERY_SUFFIX;
}
static String getGroupsQueryCacheKey(String realm) {
return realm + ".groups";
}
static String getClientScopesCacheKey(String realm) {
return realm + ".clientscopes";
}
static String getClientScopesCacheKey(String client, boolean defaultScope) {
return client + "." + (defaultScope ? SCOPE_KEY_DEFAULT : SCOPE_KEY_OPTIONAL) + ".clientscopes";
}
static String getTopGroupsQueryCacheKey(String realm) {
return realm + ".top.groups";
}
static String getGroupByNameCacheKey(String realm, String parentId, String name) {
if (parentId != null) {
return realm + ".group." + parentId + "." + name;
} else {
return realm + ".group.top." + name;
}
}
static String getRolesCacheKey(String container) {
return container + ROLES_QUERY_SUFFIX;
}
static String getRoleByNameCacheKey(String container, String name) {
return container + "." + name + ROLES_QUERY_SUFFIX;
}
@Override
public Stream<ClientModel> getClientsStream(RealmModel realm, Integer firstResult, Integer maxResults) {
return getClientDelegate().getClientsStream(realm, firstResult, maxResults);
}
@Override
public Stream<ClientModel> getClientsStream(RealmModel realm) {
return getClientDelegate().getClientsStream(realm);
}
@Override
public Stream<ClientModel> getAlwaysDisplayInConsoleClientsStream(RealmModel realm) {
return getClientDelegate().getAlwaysDisplayInConsoleClientsStream(realm);
}
@Override
public Map<ClientModel, Set<String>> getAllRedirectUrisOfEnabledClients(RealmModel realm) {
return getClientDelegate().getAllRedirectUrisOfEnabledClients(realm);
}
@Override
public void removeClients(RealmModel realm) {
getClientDelegate().removeClients(realm);
}
@Override
public boolean removeClient(RealmModel realm, String id) {
ClientModel client = getClientById(realm, id);
if (client == null) return false;
invalidateClient(client.getId());
// this is needed so that a client that hasn't been committed isn't cached in a query
listInvalidations.add(realm.getId());
invalidationEvents.add(ClientRemovedEvent.create(client));
cache.clientRemoval(realm.getId(), id, client.getClientId(), invalidations);
client.getRolesStream().forEach(role -> {
roleRemovalInvalidations(role.getId(), role.getName(), client.getId());
});
if (client.isServiceAccountsEnabled()) {
UserModel serviceAccount = session.users().getServiceAccount(client);
if (serviceAccount != null) {
session.users().removeUser(realm, serviceAccount);
}
}
return getClientDelegate().removeClient(realm, id);
}
@Override
public void close() {
if (realmDelegate != null) realmDelegate.close();
if (clientDelegate != null) clientDelegate.close();
if (clientScopeDelegate != null) clientScopeDelegate.close();
if (roleDelegate != null) roleDelegate.close();
}
@Override
public RoleModel addRealmRole(RealmModel realm, String name) {
return addRealmRole(realm, KeycloakModelUtils.generateId(), name);
}
@Override
public RoleModel addRealmRole(RealmModel realm, String id, String name) {
RoleModel role = getRoleDelegate().addRealmRole(realm, id, name);
addedRole(role.getId(), realm.getId());
return role;
}
@Override
public Stream<RoleModel> getRealmRolesStream(RealmModel realm) {
String cacheKey = getRolesCacheKey(realm.getId());
boolean queryDB = invalidations.contains(cacheKey) || listInvalidations.contains(realm.getId());
if (queryDB) {
return getRoleDelegate().getRealmRolesStream(realm);
}
RoleListQuery query = cache.get(cacheKey, RoleListQuery.class);
if (query != null) {
logger.tracev("getRealmRoles cache hit: {0}", realm.getName());
}
if (query == null) {
Long loaded = cache.getCurrentRevision(cacheKey);
Set<RoleModel> model = getRoleDelegate().getRealmRolesStream(realm).collect(Collectors.toSet());
if (model == null) return null;
Set<String> ids = model.stream().map(RoleModel::getId).collect(Collectors.toSet());
query = new RoleListQuery(loaded, cacheKey, realm, ids);
logger.tracev("adding realm roles cache miss: realm {0} key {1}", realm.getName(), cacheKey);
cache.addRevisioned(query, startupRevision);
return model.stream();
}
Set<RoleModel> list = new HashSet<>();
for (String id : query.getRoles()) {
RoleModel role = session.roles().getRoleById(realm, id);
if (role == null) {
invalidations.add(cacheKey);
return getRoleDelegate().getRealmRolesStream(realm);
}
list.add(role);
}
return list.stream();
}
@Override
public Stream<RoleModel> getClientRolesStream(ClientModel client) {
String cacheKey = getRolesCacheKey(client.getId());
boolean queryDB = invalidations.contains(cacheKey) || listInvalidations.contains(client.getId()) || listInvalidations.contains(client.getRealm().getId());
if (queryDB) {
return getRoleDelegate().getClientRolesStream(client);
}
RoleListQuery query = cache.get(cacheKey, RoleListQuery.class);
if (query != null) {
logger.tracev("getClientRoles cache hit: {0}", client.getClientId());
}
if (query == null) {
Long loaded = cache.getCurrentRevision(cacheKey);
Set<RoleModel> model = getRoleDelegate().getClientRolesStream(client).collect(Collectors.toSet());
if (model == null) return null;
Set<String> ids = model.stream().map(RoleModel::getId).collect(Collectors.toSet());
query = new RoleListQuery(loaded, cacheKey, client.getRealm(), ids, client.getClientId());
logger.tracev("adding client roles cache miss: client {0} key {1}", client.getClientId(), cacheKey);
cache.addRevisioned(query, startupRevision);
return model.stream();
}
Set<RoleModel> list = new HashSet<>();
for (String id : query.getRoles()) {
RoleModel role = session.roles().getRoleById(client.getRealm(), id);
if (role == null) {
invalidations.add(cacheKey);
return getRoleDelegate().getClientRolesStream(client);
}
list.add(role);
}
return list.stream();
}
@Override
public Stream<RoleModel> getRealmRolesStream(RealmModel realm, Integer first, Integer max) {
return getRoleDelegate().getRealmRolesStream(realm, first, max);
}
@Override
public Stream<RoleModel> getRolesStream(RealmModel realm, Stream<String> ids, String search, Integer first, Integer max) {
return getRoleDelegate().getRolesStream(realm, ids, search, first, max);
}
@Override
public Stream<RoleModel> getClientRolesStream(ClientModel client, Integer first, Integer max) {
return getRoleDelegate().getClientRolesStream(client, first, max);
}
@Override
public Stream<RoleModel> searchForClientRolesStream(ClientModel client, String search, Integer first, Integer max) {
return getRoleDelegate().searchForClientRolesStream(client, search, first, max);
}
@Override
public Stream<RoleModel> searchForClientRolesStream(RealmModel realm, Stream<String> ids, String search, Integer first, Integer max) {
return getRoleDelegate().searchForClientRolesStream(realm, ids, search, first, max);
}
@Override
public Stream<RoleModel> searchForClientRolesStream(RealmModel realm, String search, Stream<String> excludedIds, Integer first, Integer max) {
return getRoleDelegate().searchForClientRolesStream(realm, search, excludedIds, first, max);
}
@Override
public Stream<RoleModel> searchForRolesStream(RealmModel realm, String search, Integer first, Integer max) {
return getRoleDelegate().searchForRolesStream(realm, search, first, max);
}
@Override
public RoleModel addClientRole(ClientModel client, String name) {
return addClientRole(client, KeycloakModelUtils.generateId(), name);
}
@Override
public RoleModel addClientRole(ClientModel client, String id, String name) {
RoleModel role = getRoleDelegate().addClientRole(client, id, name);
addedRole(role.getId(), client.getId());
return role;
}
@Override
public RoleModel getRealmRole(RealmModel realm, String name) {
String cacheKey = getRoleByNameCacheKey(realm.getId(), name);
boolean queryDB = invalidations.contains(cacheKey) || listInvalidations.contains(realm.getId());
if (queryDB) {
return getRoleDelegate().getRealmRole(realm, name);
}
RoleListQuery query = cache.get(cacheKey, RoleListQuery.class);
if (query != null) {
logger.tracev("getRealmRole cache hit: {0}.{1}", realm.getName(), name);
}
if (query == null) {
Long loaded = cache.getCurrentRevision(cacheKey);
RoleModel model = getRoleDelegate().getRealmRole(realm, name);
if (model == null) return null;
query = new RoleListQuery(loaded, cacheKey, realm, model.getId());
logger.tracev("adding realm role cache miss: client {0} key {1}", realm.getName(), cacheKey);
cache.addRevisioned(query, startupRevision);
return model;
}
RoleModel role = getRoleById(realm, query.getRoles().iterator().next());
if (role == null) {
invalidations.add(cacheKey);
return getRoleDelegate().getRealmRole(realm, name);
}
return role;
}
@Override
public RoleModel getClientRole(ClientModel client, String name) {
String cacheKey = getRoleByNameCacheKey(client.getId(), name);
boolean queryDB = invalidations.contains(cacheKey) || listInvalidations.contains(client.getId()) || listInvalidations.contains(client.getRealm().getId());
if (queryDB) {
return getRoleDelegate().getClientRole(client, name);
}
RoleListQuery query = cache.get(cacheKey, RoleListQuery.class);
if (query != null) {
logger.tracev("getClientRole cache hit: {0}.{1}", client.getClientId(), name);
}
if (query == null) {
Long loaded = cache.getCurrentRevision(cacheKey);
RoleModel model = getRoleDelegate().getClientRole(client, name);
if (model == null) return null;
query = new RoleListQuery(loaded, cacheKey, client.getRealm(), model.getId(), client.getClientId());
logger.tracev("adding client role cache miss: client {0} key {1}", client.getClientId(), cacheKey);
cache.addRevisioned(query, startupRevision);
return model;
}
RoleModel role = getRoleById(client.getRealm(), query.getRoles().iterator().next());
if (role == null) {
invalidations.add(cacheKey);
return getRoleDelegate().getClientRole(client, name);
}
return role;
}
@Override
public boolean removeRole(RoleModel role) {
listInvalidations.add(role.getContainer().getId());
invalidateRole(role.getId());
invalidationEvents.add(RoleRemovedEvent.create(role.getId(), role.getName(), role.getContainer().getId()));
roleRemovalInvalidations(role.getId(), role.getName(), role.getContainer().getId());
return getRoleDelegate().removeRole(role);
}
@Override
public void removeRoles(RealmModel realm) {
getRoleDelegate().removeRoles(realm);
}
@Override
public void removeRoles(ClientModel client) {
getRoleDelegate().removeRoles(client);
}
@Override
public RoleModel getRoleById(RealmModel realm, String id) {
CachedRole cached = cache.get(id, CachedRole.class);
if (cached != null && !cached.getRealm().equals(realm.getId())) {
cached = null;
}
if (cached == null) {
Long loaded = cache.getCurrentRevision(id);
RoleModel model = getRoleDelegate().getRoleById(realm, id);
if (model == null) return null;
if (invalidations.contains(id)) return model;
if (model.isClientRole()) {
cached = new CachedClientRole(loaded, model.getContainerId(), model, realm);
} else {
cached = new CachedRealmRole(loaded, model, realm);
}
cache.addRevisioned(cached, startupRevision);
} else if (invalidations.contains(id)) {
return getRoleDelegate().getRoleById(realm, id);
} else if (managedRoles.containsKey(id)) {
return managedRoles.get(id);
}
RoleAdapter adapter = new RoleAdapter(cached,this, realm);
managedRoles.put(id, adapter);
return adapter;
}
@Override
public GroupModel getGroupById(RealmModel realm, String id) {
CachedGroup cached = cache.get(id, CachedGroup.class);
if (cached != null && !cached.getRealm().equals(realm.getId())) {
cached = null;
}
if (cached == null) {
Long loaded = cache.getCurrentRevision(id);
GroupModel model = getGroupDelegate().getGroupById(realm, id);
if (model == null) return null;
if (invalidations.contains(id)) return model;
cached = new CachedGroup(loaded, realm, model);
cache.addRevisioned(cached, startupRevision);
} else if (invalidations.contains(id)) {
return getGroupDelegate().getGroupById(realm, id);
} else if (managedGroups.containsKey(id)) {
return managedGroups.get(id);
}
GroupAdapter adapter = new GroupAdapter(cached, this, session, realm);
managedGroups.put(id, adapter);
return adapter;
}
@Override
public GroupModel getGroupByName(RealmModel realm, GroupModel parent, String name) {
String cacheKey = getGroupByNameCacheKey(realm.getId(), parent != null? parent.getId(): null, name);
GroupNameQuery query = cache.get(cacheKey, GroupNameQuery.class);
if (query != null) {
logger.tracev("Group by name cache hit: {0}", name);
}
if (query == null) {
Long loaded = cache.getCurrentRevision(cacheKey);
GroupModel model = getGroupDelegate().getGroupByName(realm, parent, name);
if (model == null) return null;
if (invalidations.contains(model.getId())) return model;
query = new GroupNameQuery(loaded, cacheKey, model.getId(), realm);
cache.addRevisioned(query, startupRevision);
return model;
} else if (invalidations.contains(cacheKey)) {
return getGroupDelegate().getGroupByName(realm, parent, name);
} else {
String groupId = query.getGroupId();
if (invalidations.contains(groupId)) {
return getGroupDelegate().getGroupByName(realm, parent, name);
}
return getGroupById(realm, groupId);
}
}
@Override
public void moveGroup(RealmModel realm, GroupModel group, GroupModel toParent) {
invalidateGroup(group.getId(), realm.getId(), true);
if (toParent != null) invalidateGroup(toParent.getId(), realm.getId(), false); // Queries already invalidated
listInvalidations.add(realm.getId());
invalidationEvents.add(GroupMovedEvent.create(group, toParent, realm.getId()));
getGroupDelegate().moveGroup(realm, group, toParent);
}
@Override
public Stream<GroupModel> getGroupsStream(RealmModel realm) {
String cacheKey = getGroupsQueryCacheKey(realm.getId());
boolean queryDB = invalidations.contains(cacheKey) || listInvalidations.contains(realm.getId());
if (queryDB) {
return getGroupDelegate().getGroupsStream(realm);
}
GroupListQuery query = cache.get(cacheKey, GroupListQuery.class);
if (query != null) {
logger.tracev("getGroups cache hit: {0}", realm.getName());
}
if (query == null) {
Long loaded = cache.getCurrentRevision(cacheKey);
List<GroupModel> model = getGroupDelegate().getGroupsStream(realm).collect(Collectors.toList());
if (model.isEmpty()) return Stream.empty();
Set<String> ids = new HashSet<>();
for (GroupModel client : model) ids.add(client.getId());
query = new GroupListQuery(loaded, cacheKey, realm, ids);
logger.tracev("adding realm getGroups cache miss: realm {0} key {1}", realm.getName(), cacheKey);
cache.addRevisioned(query, startupRevision);
return model.stream();
}
List<GroupModel> list = new LinkedList<>();
for (String id : query.getGroups()) {
GroupModel group = session.groups().getGroupById(realm, id);
if (group == null) {
invalidations.add(cacheKey);
return getGroupDelegate().getGroupsStream(realm);
}
list.add(group);
}
return list.stream().sorted(GroupModel.COMPARE_BY_NAME);
}
public Stream<GroupModel> getGroupsStream(RealmModel realm, Stream<String> ids, String search, Integer first, Integer max) {
return getGroupDelegate().getGroupsStream(realm, ids, search, first, max);
}
@Override
public Long getGroupsCount(RealmModel realm, Stream<String> ids, String search) {
return getGroupDelegate().getGroupsCount(realm, ids, search);
}
@Override
public Long getGroupsCount(RealmModel realm, Boolean onlyTopGroups) {
return getGroupDelegate().getGroupsCount(realm, onlyTopGroups);
}
@Override
public long getClientsCount(RealmModel realm) {
return getClientDelegate().getClientsCount(realm);
}
@Override
public Long getGroupsCountByNameContaining(RealmModel realm, String search) {
return getGroupDelegate().getGroupsCountByNameContaining(realm, search);
}
@Override
public Stream<GroupModel> getGroupsByRoleStream(RealmModel realm, RoleModel role, Integer firstResult, Integer maxResults) {
return getGroupDelegate().getGroupsByRoleStream(realm, role, firstResult, maxResults);
}
@Override
public Stream<GroupModel> getTopLevelGroupsStream(RealmModel realm, String search, Boolean exact, Integer first, Integer max) {
String cacheKey = getTopGroupsQueryCacheKey(realm.getId());
if (hasInvalidation(realm, cacheKey)) {
return getGroupDelegate().getTopLevelGroupsStream(realm, search, exact, first, max);
}
GroupListQuery query = cache.get(cacheKey, GroupListQuery.class);
String searchKey = Optional.ofNullable(search).orElse("") + "." + Optional.ofNullable(first).orElse(-1) + "." + Optional.ofNullable(max).orElse(-1);
Set<String> cached;
if (Objects.isNull(query)) {
// not cached yet
Long loaded = cache.getCurrentRevision(cacheKey);
cached = getGroupDelegate().getTopLevelGroupsStream(realm, search, exact, first, max).map(GroupModel::getId).collect(Collectors.toSet());
query = new GroupListQuery(loaded, cacheKey, realm, searchKey, cached);
logger.tracev("adding realm getTopLevelGroups cache miss: realm {0} key {1}", realm.getName(), cacheKey);
cache.addRevisioned(query, startupRevision);
} else {
logger.tracev("getTopLevelGroups cache hit: {0}", realm.getName());
cached = query.getGroups(searchKey);
if (hasInvalidation(realm, cacheKey) || cached == null) {
// there is a cache entry, but the current search is not yet cached
cache.invalidateObject(cacheKey);
Long loaded = cache.getCurrentRevision(cacheKey);
cached = getGroupDelegate().getTopLevelGroupsStream(realm, search, exact, first, max).map(GroupModel::getId).collect(Collectors.toSet());
query = new GroupListQuery(loaded, cacheKey, realm, searchKey, cached, query);
logger.tracev("adding realm getTopLevelGroups search cache miss: realm {0} key {1}", realm.getName(), searchKey);
cache.addRevisioned(query, cache.getCurrentCounter());
}
}
AtomicBoolean invalidate = new AtomicBoolean(false);
Stream<GroupModel> groups = cached.stream()
.map((id) -> session.groups().getGroupById(realm, id))
.takeWhile(group -> {
if (Objects.isNull(group)) {
invalidate.set(true);
return false;
}
return true;
})
.sorted(GroupModel.COMPARE_BY_NAME);
if (!invalidate.get()) {
return groups;
}
invalidations.add(cacheKey);
return getGroupDelegate().getTopLevelGroupsStream(realm, search, exact, first, max);
}
private boolean hasInvalidation(RealmModel realm, String cacheKey) {
return invalidations.contains(cacheKey) || listInvalidations.contains(cacheKey)
|| listInvalidations.contains(realm.getId());
}
@Override
public Stream<GroupModel> searchForGroupByNameStream(RealmModel realm, String search, Integer first, Integer max) {
return getGroupDelegate().searchForGroupByNameStream(realm, search, false, first, max);
}
@Override
public Stream<GroupModel> searchForGroupByNameStream(RealmModel realm, String search, Boolean exact, Integer firstResult, Integer maxResults) {
return getGroupDelegate().searchForGroupByNameStream(realm, search, exact, firstResult, maxResults);
}
@Override
public Stream<GroupModel> searchGroupsByAttributes(RealmModel realm, Map<String, String> attributes, Integer firstResult, Integer maxResults) {
return getGroupDelegate().searchGroupsByAttributes(realm, attributes, firstResult, maxResults);
}
@Override
public boolean removeGroup(RealmModel realm, GroupModel group) {
invalidateGroup(group.getId(), realm.getId(), true);
listInvalidations.add(realm.getId());
cache.groupQueriesInvalidations(realm.getId(), invalidations);
if (group.getParentId() != null) {
invalidateGroup(group.getParentId(), realm.getId(), false); // Queries already invalidated
}
invalidationEvents.add(GroupRemovedEvent.create(group, realm.getId()));
return getGroupDelegate().removeGroup(realm, group);
}
private GroupModel groupAdded(RealmModel realm, GroupModel group, GroupModel toParent) {
listInvalidations.add(realm.getId());
invalidateGroup(group.getId(), realm.getId(), true);
if (toParent != null) invalidateGroup(toParent.getId(), realm.getId(), false); // Queries already invalidated
String parentId = toParent == null ? null : toParent.getId();
invalidationEvents.add(GroupAddedEvent.create(group.getId(), parentId, realm.getId()));
return group;
}
@Override
public GroupModel createGroup(RealmModel realm, String id, Type type, String name, GroupModel toParent) {
GroupModel group = getGroupDelegate().createGroup(realm, id, type, name, toParent);
return groupAdded(realm, group, toParent);
}
@Override
public void addTopLevelGroup(RealmModel realm, GroupModel subGroup) {
invalidateGroup(subGroup.getId(), realm.getId(), true);
if (subGroup.getParentId() != null) {
invalidateGroup(subGroup.getParentId(), realm.getId(), false); // Queries already invalidated
}
addGroupEventIfAbsent(GroupMovedEvent.create(subGroup, null, realm.getId()));
getGroupDelegate().addTopLevelGroup(realm, subGroup);
}
private void addGroupEventIfAbsent(InvalidationEvent eventToAdd) {
String groupId = eventToAdd.getId();
// Check if we have existing event with bigger priority
boolean eventAlreadyExists = invalidationEvents.stream()
.anyMatch((InvalidationEvent event) -> (event.getId().equals(groupId)) &&
(event instanceof GroupAddedEvent || event instanceof GroupMovedEvent || event instanceof GroupRemovedEvent));
if (!eventAlreadyExists) {
invalidationEvents.add(eventToAdd);
}
}
@Override
public ClientModel getClientById(RealmModel realm, String id) {
if (invalidations.contains(id) || listInvalidations.contains(realm.getId())) {
return getClientDelegate().getClientById(realm, id);
} else if (managedApplications.containsKey(id)) {
return managedApplications.get(id);
}
CachedClient cached = cache.get(id, CachedClient.class);
if (cached != null && !cached.getRealm().equals(realm.getId())) {
cached = null;
}
ClientModel adapter;
if (cached != null) {
logger.tracev("client by id cache hit: {0}", cached.getClientId());
adapter = validateCache(realm, cached);
} else {
adapter = cache.computeSerialized(session, id, (key, keycloakSession) -> prepareCachedClientById(realm, id));
if (adapter == null) {
return adapter;
}
}
managedApplications.put(id, adapter);
return adapter;
}
private ClientModel prepareCachedClientById(RealmModel realm, String id) {
CachedClient cached = cache.get(id, CachedClient.class);
ClientModel adapter;
if (cached != null && !cached.getRealm().equals(realm.getId())) {
cached = null;
}
if (cached == null) {
Long loaded = cache.getCurrentRevision(id);
ClientModel model = getClientDelegate().getClientById(realm, id);
if (model == null) {
return null;
}
adapter = cacheClient(realm, model, loaded);
} else {
logger.tracev("client by id cache hit after locking: {0}", cached.getClientId());
adapter = validateCache(realm, cached);
}
return adapter;
}
protected ClientModel cacheClient(RealmModel realm, ClientModel delegate, Long revision) {
if (invalidations.contains(delegate.getId())) return delegate;
StorageId storageId = new StorageId(delegate.getId());
CachedClient cached = null;
ClientModel adapter = null;
if (!storageId.isLocal()) {
ComponentModel component = realm.getComponent(storageId.getProviderId());
ClientStorageProviderModel model = new ClientStorageProviderModel(component);
if (!model.isEnabled()) {
return delegate;
}
ClientStorageProviderModel.CachePolicy policy = model.getCachePolicy();
if (policy != null && policy == ClientStorageProviderModel.CachePolicy.NO_CACHE) {
return delegate;
}
cached = new CachedClient(revision, realm, delegate);
adapter = toClientModel(realm, cached);
long lifespan = model.getLifespan();
if (lifespan > 0) {
cache.addRevisioned(cached, startupRevision, lifespan);
} else {
cache.addRevisioned(cached, startupRevision);
}
} else {
cached = new CachedClient(revision, realm, delegate);
adapter = toClientModel(realm, cached);
cache.addRevisioned(cached, startupRevision);
}
return adapter;
}
protected ClientModel validateCache(RealmModel realm, CachedClient cached) {
if (!realm.getId().equals(cached.getRealm())) {
return null;
}
StorageId storageId = new StorageId(cached.getId());
if (!storageId.isLocal()) {
ComponentModel component = realm.getComponent(storageId.getProviderId());
if (component == null) {
return null;
}
ClientStorageProviderModel model = new ClientStorageProviderModel(component);
// although we do set a timeout, Infinispan has no guarantees when the user will be evicted
// its also hard to test stuff
if (model.shouldInvalidate(cached)) {
registerClientInvalidation(cached.getId(), cached.getClientId(), realm.getId());
return getClientDelegate().getClientById(realm, cached.getId());
}
}
return toClientModel(realm, cached);
}
private ClientModel toClientModel(RealmModel realm, CachedClient cached) {
ClientAdapter client = new ClientAdapter(realm, cached, this);
if (Profile.isFeatureEnabled(Profile.Feature.CLIENT_TYPES)) {
ClientTypeManager mgr = session.getProvider(ClientTypeManager.class);
return mgr.augmentClient(client);
}
return client;
}
@Override
public Stream<ClientModel> searchClientsByClientIdStream(RealmModel realm, String clientId, Integer firstResult, Integer maxResults) {
return getClientDelegate().searchClientsByClientIdStream(realm, clientId, firstResult, maxResults);
}
@Override
public Stream<ClientModel> searchClientsByAttributes(RealmModel realm, Map<String, String> attributes, Integer firstResult, Integer maxResults) {
return getClientDelegate().searchClientsByAttributes(realm, attributes, firstResult, maxResults);
}
@Override
public Stream<ClientModel> searchClientsByAuthenticationFlowBindingOverrides(RealmModel realm, Map<String, String> overrides, Integer firstResult, Integer maxResults) {
return getClientDelegate().searchClientsByAuthenticationFlowBindingOverrides(realm, overrides, firstResult, maxResults);
}
@Override
public ClientModel getClientByClientId(RealmModel realm, String clientId) {
String cacheKey = getClientByClientIdCacheKey(clientId, realm.getId());
if (invalidations.contains(cacheKey) || listInvalidations.contains(realm.getId())) {
return getClientDelegate().getClientByClientId(realm, clientId);
}
ClientListQuery query = cache.get(cacheKey, ClientListQuery.class);
if (query != null) {
logger.tracev("client by name cache hit: {0}", clientId);
String id = query.getClients().iterator().next();
return getClientById(realm, id);
} else {
return cache.computeSerialized(session, cacheKey, (key, keycloakSession) -> prepareCachedClientByClientId(realm, clientId, key));
}
}
private ClientModel prepareCachedClientByClientId(RealmModel realm, String clientId, String cacheKey) {
ClientListQuery query = cache.get(cacheKey, ClientListQuery.class);
String id;
if (query == null) {
Long loaded = cache.getCurrentRevision(cacheKey);
ClientModel model = getClientDelegate().getClientByClientId(realm, clientId);
if (model == null) {
return null;
}
id = model.getId();
query = new ClientListQuery(loaded, cacheKey, realm, id);
logger.tracev("adding client by name cache miss: {0}", clientId);
cache.addRevisioned(query, startupRevision);
if (invalidations.contains(model.getId())) {
return model;
}
} else {
id = query.getClients().iterator().next();
}
return getClientById(realm, id);
}
static String getClientByClientIdCacheKey(String clientId, String realmId) {
return realmId + ".client.query.by.clientId." + clientId;
}
@Override
public ClientScopeModel getClientScopeById(RealmModel realm, String id) {
CachedClientScope cached = cache.get(id, CachedClientScope.class);
if (cached != null && !cached.getRealm().equals(realm.getId())) {
cached = null;
}
if (cached == null) {
Long loaded = cache.getCurrentRevision(id);
ClientScopeModel model = getClientScopeDelegate().getClientScopeById(realm, id);
if (model == null) return null;
if (invalidations.contains(id)) return model;
cached = new CachedClientScope(loaded, realm, model);
cache.addRevisioned(cached, startupRevision);
} else if (invalidations.contains(id)) {
return getClientScopeDelegate().getClientScopeById(realm, id);
} else if (managedClientScopes.containsKey(id)) {
return managedClientScopes.get(id);
}
ClientScopeAdapter adapter = new ClientScopeAdapter(realm, cached, this);
managedClientScopes.put(id, adapter);
return adapter;
}
@Override
public Stream<ClientScopeModel> getClientScopesStream(RealmModel realm) {
String cacheKey = getClientScopesCacheKey(realm.getId());
boolean queryDB = invalidations.contains(cacheKey) || listInvalidations.contains(realm.getId());
if (queryDB) {
return getClientScopeDelegate().getClientScopesStream(realm);
}
ClientScopeListQuery query = cache.get(cacheKey, ClientScopeListQuery.class);
if (query != null) {
logger.tracev("getClientScopesStream cache hit: {0}", realm.getName());
}
if (query == null) {
Long loaded = cache.getCurrentRevision(cacheKey);
Set<ClientScopeModel> model = getClientScopeDelegate().getClientScopesStream(realm).collect(Collectors.toSet());
if (model == null) return null;
Set<String> ids = model.stream().map(ClientScopeModel::getId).collect(Collectors.toSet());
query = new ClientScopeListQuery(loaded, cacheKey, realm, ids);
logger.tracev("adding client scopes cache miss: realm {0} key {1}", realm.getName(), cacheKey);
cache.addRevisioned(query, startupRevision);
return model.stream();
}
Set<ClientScopeModel> list = new HashSet<>();
for (String id : query.getClientScopes()) {
ClientScopeModel clientScope = session.clientScopes().getClientScopeById(realm, id);
if (clientScope == null) {
invalidations.add(cacheKey);
return getClientScopeDelegate().getClientScopesStream(realm);
}
list.add(clientScope);
}
return list.stream();
}
@Override
public ClientScopeModel addClientScope(RealmModel realm, String name) {
ClientScopeModel clientScope = getClientScopeDelegate().addClientScope(realm, name);
return addedClientScope(realm, clientScope);
}
@Override
public ClientScopeModel addClientScope(RealmModel realm, String id, String name) {
ClientScopeModel clientScope = getClientScopeDelegate().addClientScope(realm, id, name);
return addedClientScope(realm, clientScope);
}
private ClientScopeModel addedClientScope(RealmModel realm, ClientScopeModel clientScope) {
logger.tracef("Added client scope %s", clientScope.getId());
invalidateClientScope(clientScope.getId());
// this is needed so that a client scope that hasn't been committed isn't cached in a query
listInvalidations.add(realm.getId());
invalidationEvents.add(ClientScopeAddedEvent.create(clientScope.getId(), realm.getId()));
cache.clientScopeAdded(realm.getId(), invalidations);
return clientScope;
}
@Override
public boolean removeClientScope(RealmModel realm, String id) {
//removeClientScope can throw ModelException in case the client scope us used so invalidate only if the removal is succesful
if (getClientScopeDelegate().removeClientScope(realm, id)) {
listInvalidations.add(realm.getId());
invalidateClientScope(id);
invalidationEvents.add(ClientScopeRemovedEvent.create(id, realm.getId()));
return true;
} else {
return false;
}
}
@Override
public void removeClientScopes(RealmModel realm) {
getClientScopesStream(realm).map(ClientScopeModel::getId).forEach(id -> removeClientScope(realm, id));
}
@Override
public void addClientScopes(RealmModel realm, ClientModel client, Set<ClientScopeModel> clientScopes, boolean defaultScope) {
getClientDelegate().addClientScopes(realm, client, clientScopes, defaultScope);
registerClientInvalidation(client.getId(), client.getId(), realm.getId());
}
@Override
public void removeClientScope(RealmModel realm, ClientModel client, ClientScopeModel clientScope) {
getClientDelegate().removeClientScope(realm, client, clientScope);
registerClientInvalidation(client.getId(), client.getId(), realm.getId());
}
@Override
public Map<String, ClientScopeModel> getClientScopes(RealmModel realm, ClientModel client, boolean defaultScopes) {
String cacheKey = getClientScopesCacheKey(client.getId(), defaultScopes);
boolean queryDB = invalidations.contains(cacheKey) || invalidations.contains(client.getId()) || listInvalidations.contains(realm.getId());
if (queryDB) {
return getClientDelegate().getClientScopes(realm, client, defaultScopes);
}
ClientScopeListQuery query = cache.get(cacheKey, ClientScopeListQuery.class);
if (query == null) {
Long loaded = cache.getCurrentRevision(cacheKey);
Map<String, ClientScopeModel> model = getClientDelegate().getClientScopes(realm, client, defaultScopes);
if (model == null) return null;
Set<String> ids = model.values().stream().map(ClientScopeModel::getId).collect(Collectors.toSet());
query = new ClientScopeListQuery(loaded, cacheKey, realm, client.getId(), ids);
logger.tracev("adding assigned client scopes cache miss: client {0} key {1}", client.getClientId(), cacheKey);
cache.addRevisioned(query, startupRevision);
return model;
}
Map<String, ClientScopeModel> assignedScopes = new HashMap<>();
for (String id : query.getClientScopes()) {
ClientScopeModel clientScope = session.clientScopes().getClientScopeById(realm, id);
if (clientScope == null) {
invalidations.add(cacheKey);
return getClientDelegate().getClientScopes(realm, client, defaultScopes);
}
if (clientScope.getProtocol().equals((client.getProtocol() == null) ? "openid-connect" : client.getProtocol())) {
assignedScopes.put(clientScope.getName(), clientScope);
}
}
return assignedScopes;
}
@Override
public void addClientScopeToAllClients(RealmModel realm, ClientScopeModel clientScope, boolean defaultClientScope) {
getClientDelegate().addClientScopeToAllClients(realm, clientScope, defaultClientScope);
// This will make sure to all invalidate all clients dependent on clientScope
listInvalidations.add(realm.getId());
cache.clientScopeRemoval(realm.getId(), invalidations);
invalidationEvents.add(ClientScopeRemovedEvent.create(clientScope.getId(), realm.getId()));
}
// Don't cache ClientInitialAccessModel for now
@Override
public ClientInitialAccessModel createClientInitialAccessModel(RealmModel realm, int expiration, int count) {
return getRealmDelegate().createClientInitialAccessModel(realm, expiration, count);
}
@Override
public ClientInitialAccessModel getClientInitialAccessModel(RealmModel realm, String id) {
return getRealmDelegate().getClientInitialAccessModel(realm, id);
}
@Override
public void removeClientInitialAccessModel(RealmModel realm, String id) {
getRealmDelegate().removeClientInitialAccessModel(realm, id);
}
@Override
public Stream<ClientInitialAccessModel> listClientInitialAccessStream(RealmModel realm) {
return getRealmDelegate().listClientInitialAccessStream(realm);
}
@Override
public void removeExpiredClientInitialAccess() {
getRealmDelegate().removeExpiredClientInitialAccess();
}
@Override
public void saveLocalizationText(RealmModel realm, String locale, String key, String text) {
getRealmDelegate().saveLocalizationText(realm, locale, key, text);
registerRealmInvalidation(realm.getId(), locale);
}
@Override
public void saveLocalizationTexts(RealmModel realm, String locale, Map<String, String> localizationTexts) {
getRealmDelegate().saveLocalizationTexts(realm, locale, localizationTexts);
registerRealmInvalidation(realm.getId(), locale);
}
@Override
public boolean updateLocalizationText(RealmModel realm, String locale, String key, String text) {
boolean wasFound = getRealmDelegate().updateLocalizationText(realm, locale, key, text);
if (wasFound) {
registerRealmInvalidation(realm.getId(), locale);
}
return wasFound;
}
@Override
public boolean deleteLocalizationTextsByLocale(RealmModel realm, String locale) {
boolean wasDeleted = getRealmDelegate().deleteLocalizationTextsByLocale(realm, locale);
if(wasDeleted) {
registerRealmInvalidation(realm.getId(), locale);
}
return wasDeleted;
}
@Override
public boolean deleteLocalizationText(RealmModel realm, String locale, String key) {
boolean wasFound = getRealmDelegate().deleteLocalizationText(realm, locale, key);
if (wasFound) {
registerRealmInvalidation(realm.getId(), locale);
}
return wasFound;
}
@Override
public String getLocalizationTextsById(RealmModel realm, String locale, String key) {
Map<String, String> localizationTexts = getRealm(realm.getId()).getRealmLocalizationTextsByLocale(locale);
if(localizationTexts != null) {
return localizationTexts.get(key);
}
return null;
}
@Override
public void preRemove(RealmModel realm) {
listInvalidations.add(realm.getId());
getGroupDelegate().preRemove(realm);
}
}