Merge pull request #377 from cryptomator/feature/syncer-efficiency

overheadhunter · web-flow · commit 50f81d773fb6 · 2025-12-18T19:12:57.000+01:00
more bulk transactions for group members
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Updated Keycloak to 26.4.7
 - Update Quarkus to 3.20.4 LTS
+- Improved efficiency of keycloak-to-hub data sync (#377)
 - Improved efficiency of group-based access permission checks (#372)
 - Migrated aes-siv and base encoding libraries to [`@noble/ciphers`](https://github.com/paulmillr/noble-ciphers) and [`@scure/base`](https://github.com/paulmillr/scure-base/) (#373)
 
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Group.java b/backend/src/main/java/org/cryptomator/hub/entities/Group.java
@@ -32,10 +32,6 @@ public Set<Authority> getMembers() {
 		return members;
 	}
 
-	public void setMembers(Set<Authority> members) {
-		this.members = members;
-	}
-
 	@Transient
 	public int getMemberSize() {
 		return members.size();
diff --git a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPuller.java b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPuller.java
@@ -9,6 +9,7 @@
 import org.cryptomator.hub.entities.Group;
 import org.cryptomator.hub.entities.User;
 
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@@ -36,18 +37,27 @@ void sync() {
 
 	@Transactional
 	void sync(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, KeycloakUserDto> keycloakUsers) {
+		// get current state from database:
 		var databaseUsers = userRepo.findAll().stream().collect(Collectors.toMap(User::getId, Function.identity()));
 		var databaseGroups = groupRepo.findAll().stream().collect(Collectors.toMap(Group::getId, Function.identity()));
-		syncAddedUsers(keycloakUsers, databaseUsers);
+
+		// sync users:
+		var addedUsers = syncAddedUsers(keycloakUsers, databaseUsers);
 		var deletedUserIds = syncDeletedUsers(keycloakUsers, databaseUsers);
 		syncUpdatedUsers(keycloakUsers, databaseUsers, deletedUserIds);
-		syncAddedGroups(keycloakGroups, databaseGroups, databaseUsers);
+
+		// all users after additions and deletions:
+		Map<String, Authority> allAuthorities = merge(databaseUsers, addedUsers);
+		deletedUserIds.forEach(allAuthorities::remove);
+
+		// sync groups:
+		var addedGroups = syncAddedGroups(keycloakGroups, databaseGroups, allAuthorities);
 		var deletedGroupIds = syncDeletedGroups(keycloakGroups, databaseGroups);
-		syncUpdatedGroups(keycloakGroups, databaseGroups, deletedGroupIds, databaseUsers);
+		syncUpdatedGroups(keycloakGroups, databaseGroups, deletedGroupIds, allAuthorities);
 	}
 
 	//visible for testing
-	void syncAddedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, User> databaseUsers) {
+	Map<String, User> syncAddedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, User> databaseUsers) {
 		var addedIds = diff(keycloakUsers.keySet(), databaseUsers.keySet());
 		var added = addedIds.stream().map(id -> {
 			var keycloakUser = keycloakUsers.get(id);
@@ -57,9 +67,10 @@ void syncAddedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, User
 			databaseUser.setEmail(keycloakUser.email());
 			databaseUser.setPictureUrl(keycloakUser.pictureUrl());
 			return databaseUser;
-		});
-		userRepo.persist(added);
+		}).collect(Collectors.toMap(User::getId, Function.identity()));
+		userRepo.persist(added.values());
 		effectiveGroupMembershipRepo.updateUsers(addedIds);
+		return added;
 	}
 
 	//visible for testing
@@ -83,30 +94,20 @@ void syncUpdatedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, Us
 	}
 
 	//visible for testing
-	void syncAddedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Map<String, User> databaseUsers) {
+	Map<String, Group> syncAddedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Map<String, Authority> allAuthorities) {
 		var addedIds = diff(keycloakGroups.keySet(), databaseGroups.keySet());
 		var added = addedIds.stream().map(id -> {
 			var keycloakGroup = keycloakGroups.get(id);
 			var databaseGroup = new Group();
 			databaseGroup.setId(keycloakGroup.id());
 			databaseGroup.setName(keycloakGroup.name());
 			databaseGroup.setPictureUrl(keycloakGroup.pictureUrl());
-			Set<Authority> members = new HashSet<>();
-			for (var keycloakMember : keycloakGroup.members()) {
-				var databaseUser = databaseUsers.get(keycloakMember.id());
-				if (databaseUser == null) {
-					// User might have been just added, fetch from database
-					databaseUser = userRepo.findById(keycloakMember.id());
-				}
-				if (databaseUser != null) {
-					members.add(databaseUser);
-				}
-			}
-			databaseGroup.setMembers(members);
+			databaseGroup.getMembers().addAll(keycloakGroup.members().stream().map(KeycloakUserDto::id).map(allAuthorities::get).collect(Collectors.toSet()));
 			return databaseGroup;
-		});
-		groupRepo.persist(added);
+		}).collect(Collectors.toMap(Group::getId, Function.identity()));
+		groupRepo.persist(added.values());
 		effectiveGroupMembershipRepo.updateGroups(addedIds);
+		return added;
 	}
 
 	//visible for testing
@@ -118,39 +119,39 @@ Set<String> syncDeletedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<
 	}
 
 	//visible for testing
-	void syncUpdatedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Set<String> deletedGroupIds, Map<String, User> databaseUsers) {
+	void syncUpdatedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Set<String> deletedGroupIds, Map<String, Authority> allAuthorities) {
 		var toUpdateIds = diff(databaseGroups.keySet(), deletedGroupIds);
 		var idsOfGroupsWithChangedMembers = new HashSet<String>();
 		for (var id : toUpdateIds) {
 			var databaseGroup = databaseGroups.get(id);
 			var keycloakGroup = keycloakGroups.get(id);
-			var wantIds = keycloakGroup.members().stream().map(KeycloakUserDto::id).collect(Collectors.toSet());
-			var haveIds = databaseGroup.getMembers().stream().map(Authority::getId).collect(Collectors.toSet());
 			databaseGroup.setName(keycloakGroup.name());
 			databaseGroup.setPictureUrl(keycloakGroup.pictureUrl());
-			for (var addId : diff(wantIds, haveIds)) {
-				var databaseUser = databaseUsers.get(addId);
-				if (databaseUser == null) {
-					// User might have been just added, fetch from database
-					databaseUser = userRepo.findById(addId);
-				}
-				if (databaseUser != null) {
-					databaseGroup.getMembers().add(databaseUser);
-				}
-			}
-			for (var removeId : diff(haveIds, wantIds)) {
-				databaseGroup.getMembers().removeIf(u -> u.getId().equals(removeId));
-			}
-			if (!wantIds.containsAll(haveIds) || !haveIds.containsAll(wantIds)) {
+
+			// update members:
+			var kcMemberIds = keycloakGroup.members().stream().map(KeycloakUserDto::id).collect(Collectors.toSet());
+			var dbMemberIds = databaseGroup.getMembers().stream().map(Authority::getId).collect(Collectors.toSet());
+			var addedMemberIds = diff(kcMemberIds, dbMemberIds);
+			var addedMembers = addedMemberIds.stream().map(allAuthorities::get).collect(Collectors.toSet());
+			databaseGroup.getMembers().addAll(addedMembers);
+			var removedMemberIds = diff(dbMemberIds, kcMemberIds);
+			databaseGroup.getMembers().removeIf(u -> removedMemberIds.contains(u.getId()));
+			if (!addedMemberIds.isEmpty() || !removedMemberIds.isEmpty()) {
 				idsOfGroupsWithChangedMembers.add(id);
 			}
 		}
 		effectiveGroupMembershipRepo.updateGroups(idsOfGroupsWithChangedMembers);
 	}
 
-	private <T> Set<T> diff(Set<T> base, Set<T> difference) {
+	private static <T> Set<T> diff(Set<T> base, Set<T> difference) {
 		var result = new HashSet<>(base);
 		result.removeAll(difference);
 		return result;
 	}
+
+	private static <K, V> Map<K, V> merge(Map<K, ? extends V> first, Map<K, ? extends V> second) {
+		Map<K, V> result = new HashMap<>(first);
+		result.putAll(second);
+		return result;
+	}
 }
diff --git a/backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPullerTest.java b/backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPullerTest.java
@@ -6,6 +6,7 @@
 import org.cryptomator.hub.entities.User;
 import org.hamcrest.MatcherAssert;
 import org.hamcrest.Matchers;
+import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Nested;
@@ -50,16 +51,16 @@ void setUp() {
 		remoteUserPuller.effectiveGroupMembershipRepo = effectiveGroupMembershipRepo;
 		persistedUsers.clear();
 		Mockito.doAnswer(invocation -> {
-			Stream<User> stream = invocation.getArgument(0);
-			persistedUsers.addAll(stream.toList());
+			Iterable<User> iterable = invocation.getArgument(0);
+			iterable.forEach(persistedUsers::add);
 			return null;
-		}).when(userRepo).persist(Mockito.<Stream<User>>any());
+		}).when(userRepo).persist(Mockito.<Iterable<User>>any());
 		persistedGroups.clear();
 		Mockito.doAnswer(invocation -> {
-			Stream<Group> stream = invocation.getArgument(0);
-			persistedGroups.addAll(stream.toList());
+			Iterable<Group> iterable = invocation.getArgument(0);
+			iterable.forEach(persistedGroups::add);
 			return null;
-		}).when(groupRepo).persist(Mockito.<Stream<Group>>any());
+		}).when(groupRepo).persist(Mockito.<Iterable<Group>>any());
 	}
 
 	@Nested
@@ -77,8 +78,8 @@ public class AddDeleteUsers {
 				",;,;,"
 		}, delimiterString = ";")
 		void testAddUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUserIdString, @ConvertWith(StringArrayConverter.class) String[] databaseUserIdString, @ConvertWith(StringArrayConverter.class) String[] addedUserIdString) {
-			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock(Map.class);
-			Map<String, User> databaseUsers = Mockito.mock(Map.class);
+			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock();
+			Map<String, User> databaseUsers = Mockito.mock();
 
 			var keycloakUserIds = Set.of(keycloakUserIdString);
 			var databaseUserIds = Set.of(databaseUserIdString);
@@ -92,9 +93,10 @@ void testAddUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUser
 				Mockito.when(keycloakUsers.get(userId)).thenReturn(keycloakUser);
 			}
 
-			remoteUserPuller.syncAddedUsers(keycloakUsers, databaseUsers);
+			var added = remoteUserPuller.syncAddedUsers(keycloakUsers, databaseUsers);
 
-			Mockito.verify(userRepo).persist(Mockito.<Stream<User>>any());
+			Assertions.assertEquals(addedUserIds, added.keySet());
+			Mockito.verify(userRepo).persist(Mockito.<Iterable<User>>any());
 			Mockito.verify(effectiveGroupMembershipRepo).updateUsers(Mockito.argThat(addedUserIds::containsAll));
 			for (var userId : addedUserIds) {
 				MatcherAssert.assertThat(persistedUsers, Matchers.hasItem(
@@ -119,8 +121,8 @@ void testAddUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUser
 				",;,;,"
 		}, delimiterString = ";")
 		void testDeleteUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUserIdString, @ConvertWith(StringArrayConverter.class) String[] databaseUserIdString, @ConvertWith(StringArrayConverter.class) String[] deletedUserIdString) {
-			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock(Map.class);
-			Map<String, User> databaseUsers = Mockito.mock(Map.class);
+			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock();
+			Map<String, User> databaseUsers = Mockito.mock();
 
 			var keycloakUserIds = Arrays.stream(keycloakUserIdString).collect(Collectors.toSet());
 			var databaseUserIds = Arrays.stream(databaseUserIdString).collect(Collectors.toSet());
@@ -155,8 +157,8 @@ public class UpdateUsers {
 				",;,;,;," // all empty
 		}, delimiterString = ";")
 		void testUpdateUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUserIdString, @ConvertWith(StringArrayConverter.class) String[] databaseUserIdString, @ConvertWith(StringArrayConverter.class) String[] deletedUserIdString, @ConvertWith(StringArrayConverter.class) String[] updatedUserIdString) {
-			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock(Map.class);
-			Map<String, User> databaseUsers = Mockito.mock(Map.class);
+			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock();
+			Map<String, User> databaseUsers = Mockito.mock();
 
 			var keycloakUserIds = Arrays.stream(keycloakUserIdString).collect(Collectors.toSet());
 			var databaseUserIds = Arrays.stream(databaseUserIdString).collect(Collectors.toSet());
@@ -213,7 +215,7 @@ void testAddGroups(@ConvertWith(StringArrayConverter.class) String[] keycloakGro
 				keycloakGroups.put(gid, dto);
 			}
 
-			Map<String, User> databaseUsers = new HashMap<>();
+			Map<String, Authority> databaseUsers = new HashMap<>();
 			for (var keycloakUser : kcUsers.values()) {
 				var databaseUser = Mockito.mock(User.class);
 				Mockito.when(databaseUser.getId()).thenReturn(keycloakUser.id());
@@ -227,10 +229,11 @@ void testAddGroups(@ConvertWith(StringArrayConverter.class) String[] keycloakGro
 				databaseGroups.put(gid, databaseGroup);
 			}
 
-			remoteUserPuller.syncAddedGroups(keycloakGroups, databaseGroups, databaseUsers);
+			var added = remoteUserPuller.syncAddedGroups(keycloakGroups, databaseGroups, databaseUsers);
 
 			var addedGroupIds = Set.of(addedGroupIdString);
-			Mockito.verify(groupRepo).persist(Mockito.<Stream<Group>>any());
+			Assertions.assertEquals(addedGroupIds, added.keySet());
+			Mockito.verify(groupRepo).persist(Mockito.<Iterable<Group>>any());
 			Mockito.verify(effectiveGroupMembershipRepo).updateGroups(Mockito.argThat(addedGroupIds::containsAll));
 			for (var groupId : addedGroupIds) {
 				MatcherAssert.assertThat(persistedGroups, Matchers.hasItem(
@@ -255,8 +258,8 @@ void testAddGroups(@ConvertWith(StringArrayConverter.class) String[] keycloakGro
 				",;,;,"
 		}, delimiterString = ";")
 		void testDeleteGroups(@ConvertWith(StringArrayConverter.class) String[] keycloakGroupIdString, @ConvertWith(StringArrayConverter.class) String[] databaseGroupIdString, @ConvertWith(StringArrayConverter.class) String[] deletedGroupIdString) {
-			Map<String, KeycloakGroupDto> keycloakGroups = Mockito.mock(Map.class);
-			Map<String, Group> databaseGroups = Mockito.mock(Map.class);
+			Map<String, KeycloakGroupDto> keycloakGroups = Mockito.mock();
+			Map<String, Group> databaseGroups = Mockito.mock();
 
 			var kcGroupIds = Arrays.stream(keycloakGroupIdString).collect(Collectors.toSet());
 			var dbGroupIds = Arrays.stream(databaseGroupIdString).collect(Collectors.toSet());
@@ -291,8 +294,8 @@ void testUpdateGroups(@ConvertWith(StringArrayConverter.class) String[] keycloak
 		var otherKCUser = Mockito.mock(User.class);
 		Mockito.when(otherKCUser.getId()).thenReturn("U_otherKC");
 
-		Map<String, KeycloakGroupDto> keycloakGroups = Mockito.mock(Map.class);
-		Map<String, Group> databaseGroups = Mockito.mock(Map.class);
+		Map<String, KeycloakGroupDto> keycloakGroups = Mockito.mock();
+		Map<String, Group> databaseGroups = Mockito.mock();
 
 		var keycloakGroupIds = Arrays.stream(keycloakGroupIdString).collect(Collectors.toSet());
 		var databaseGroupIds = Arrays.stream(databaseGroupIdString).collect(Collectors.toSet());
@@ -319,7 +322,7 @@ void testUpdateGroups(@ConvertWith(StringArrayConverter.class) String[] keycloak
 			Mockito.when(databaseGroups.get(groupId)).thenReturn(dbGroup);
 		}
 
-		Map<String, User> databaseUsers = new HashMap<>();
+		Map<String, Authority> databaseUsers = new HashMap<>();
 		var userMock = Mockito.mock(User.class);
 		Mockito.when(userMock.getId()).thenReturn("U_user");
 		databaseUsers.put("U_user", userMock);
