Merge pull request keycloak#3140 from pedroigor/KEYCLOAK-3390

[KEYCLOAK-3390] - Updating authorization objects doesn't invalidate cache in cluster

distribution/demo-dist/src/main/xslt/standalone.xsl

@@ -89,6 +89,7 @@
  <local-cache name="sessions"/>
  <local-cache name="offlineSessions"/>
  <local-cache name="loginFailures"/>
+ <local-cache name="authorization "/>
  <local-cache name="work"/>
  </cache-container>
  <xsl:apply-templates select="node()|@*"/>

distribution/server-overlay/cli/keycloak-install-ha.cli

@@ -8,6 +8,7 @@ embed-server --server-config=standalone-ha.xml
 /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:add(mode="SYNC",owners="1")
 /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:add(mode="SYNC",owners="1")
 /subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:add(mode="SYNC",owners="1")
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization:add(mode="SYNC",owners="1")
 /subsystem=infinispan/cache-container=keycloak/replicated-cache=work:add(mode="SYNC")
 /extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
 /subsystem=keycloak-server:add(web-context=auth)

model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java

@@ -108,7 +108,7 @@ protected void initContainerManaged(String cacheContainerLookup) {
 
  cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, getRevisionCacheConfig(true, maxEntries));
  cacheManager.getCache(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, true);
-
+ cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, true);
  logger.debugv("Using container managed Infinispan cache container, lookup={1}", cacheContainerLookup);
  } catch (Exception e) {
  throw new RuntimeException("Failed to retrieve cache container", e);
@@ -161,6 +161,7 @@ protected void initEmbedded() {
  cacheManager.defineConfiguration(InfinispanConnectionProvider.SESSION_CACHE_NAME, sessionCacheConfiguration);
  cacheManager.defineConfiguration(InfinispanConnectionProvider.OFFLINE_SESSION_CACHE_NAME, sessionCacheConfiguration);
  cacheManager.defineConfiguration(InfinispanConnectionProvider.LOGIN_FAILURE_CACHE_NAME, sessionCacheConfiguration);
+ cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, sessionCacheConfiguration);
 
  ConfigurationBuilder replicationConfigBuilder = new ConfigurationBuilder();
  if (clustered) {
@@ -178,9 +179,6 @@ protected void initEmbedded() {
  cacheManager.defineConfiguration(InfinispanConnectionProvider.REALM_REVISIONS_CACHE_NAME, getRevisionCacheConfig(false, InfinispanConnectionProvider.REALM_REVISIONS_CACHE_DEFAULT_MAX));
  cacheManager.getCache(InfinispanConnectionProvider.REALM_CACHE_NAME, true);
 
- cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME,
- new ConfigurationBuilder().eviction().type(EvictionType.COUNT).size(100).simpleCache(true).build());
-
  long maxEntries = cacheManager.getCache(InfinispanConnectionProvider.USER_CACHE_NAME).getCacheConfiguration().eviction().maxEntries();
  if (maxEntries <= 0) {
  maxEntries = InfinispanConnectionProvider.USER_REVISIONS_CACHE_DEFAULT_MAX;

model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java

@@ -389,7 +389,7 @@ private Policy getDelegateForUpdate() {
  if (this.updated == null) {
  this.updated = getDelegate().findById(getId());
  if (this.updated == null) throw new IllegalStateException("Not found in database");
- transaction.whenCommit(() -> cache.evict(getCacheKeyForPolicy(getId())));
+ transaction.whenCommit(() -> cache.remove(getCacheKeyForPolicy(getId())));
  }
 
  return this.updated;

model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java

@@ -169,7 +169,7 @@ private ResourceServer getDelegateForUpdate() {
  if (this.updated == null) {
  this.updated = getDelegate().findById(getId());
  if (this.updated == null) throw new IllegalStateException("Not found in database");
- transaction.whenCommit(() -> cache.evict(getCacheKeyForResourceServer(getId())));
+ transaction.whenCommit(() -> cache.remove(getCacheKeyForResourceServer(getId())));
  }
 
  return this.updated;

model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java

@@ -270,7 +270,7 @@ private Resource getDelegateForUpdate() {
  if (this.updated == null) {
  this.updated = getDelegate().findById(getId());
  if (this.updated == null) throw new IllegalStateException("Not found in database");
- transaction.whenCommit(() -> cache.evict(getCacheKeyForResource(getId())));
+ transaction.whenCommit(() -> cache.remove(getCacheKeyForResource(getId())));
  }
 
  return this.updated;

model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java

@@ -175,7 +175,7 @@ private Scope getDelegateForUpdate() {
  if (this.updated == null) {
  this.updated = getDelegate().findById(getId());
  if (this.updated == null) throw new IllegalStateException("Not found in database");
- transaction.whenCommit(() -> cache.evict(getCacheKeyForScope(getId())));
+ transaction.whenCommit(() -> cache.remove(getCacheKeyForScope(getId())));
  }
 
  return this.updated;

model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedPolicy.java

@@ -22,10 +22,10 @@
 import org.keycloak.authorization.model.Resource;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.model.Scope;
-import org.keycloak.models.entities.AbstractIdentifiableEntity;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
 import org.keycloak.representations.idm.authorization.Logic;
 
+import java.io.Serializable;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
@@ -34,7 +34,9 @@
 /**
  * @author <a href="mailto:[email protected]">Pedro Igor</a>
  */
-public class CachedPolicy implements Policy {
+public class CachedPolicy implements Policy, Serializable {
+
+ private static final long serialVersionUID = -144247681046298128L;
 
  private String id;
  private String type;

model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedResource.java

@@ -22,14 +22,17 @@
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.model.Scope;
 
+import java.io.Serializable;
 import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;
 
 /**
  * @author <a href="mailto:[email protected]">Pedro Igor</a>
  */
-public class CachedResource implements Resource {
+public class CachedResource implements Resource, Serializable {
+
+ private static final long serialVersionUID = -6886179034626995165L;
 
  private final String id;
  private String resourceServerId;

model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedResourceServer.java

@@ -21,10 +21,14 @@
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
 
+import java.io.Serializable;
+
 /**
  * @author <a href="mailto:[email protected]">Pedro Igor</a>
  */
-public class CachedResourceServer implements ResourceServer {
+public class CachedResourceServer implements ResourceServer, Serializable {
+
+ private static final long serialVersionUID = 5054253390723121289L;
 
  private final String id;
  private String clientId;

model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedScope.java

@@ -21,10 +21,14 @@
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.model.Scope;
 
+import java.io.Serializable;
+
 /**
  * @author <a href="mailto:[email protected]">Pedro Igor</a>
  */
-public class CachedScope implements Scope {
+public class CachedScope implements Scope, Serializable {
+
+ private static final long serialVersionUID = -3919706923417065454L;
 
  private final String id;
  private String resourceServerId;

wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java

@@ -63,6 +63,7 @@ private void addInfinispanCaches(DeploymentPhaseContext context) {
  st.addDependency(cacheContainerService.append("offlineSessions"));
  st.addDependency(cacheContainerService.append("loginFailures"));
  st.addDependency(cacheContainerService.append("work"));
+ st.addDependency(cacheContainerService.append("authorization"));;
  }
  }
 

wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml

@@ -95,6 +95,7 @@
  <distributed-cache name="sessions" mode="SYNC" owners="1"/>
  <distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
  <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
+ <distributed-cache name="authorization" mode="SYNC" owners="1"/>
  <replicated-cache name="work" mode="SYNC" />
  </cache-container>
  <cache-container name="server" aliases="singleton cluster" default-cache="default" module="org.wildfly.clustering.server">