Resolve session leak in DeclarativeUserProfileProvider

ahus1 · web-flow · commit 3cf09894989b · 2025-10-29T07:31:18.000-03:00
Closes #43785 Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
diff --git a/services/src/main/java/org/keycloak/userprofile/DeclarativeUserProfileProvider.java b/services/src/main/java/org/keycloak/userprofile/DeclarativeUserProfileProvider.java
@@ -355,32 +355,11 @@ protected UserProfileMetadata decorateUserProfileForCache(UserProfileMetadata de
                 }
 
                 if (UserModel.USERNAME.equals(attributeName)) {
-                    required = new Predicate<AttributeContext>() {
-                        @Override
-                        public boolean test(AttributeContext context) {
-                            RealmModel realm = context.getSession().getContext().getRealm();
-                            return !realm.isRegistrationEmailAsUsername();
-                        }
-                    };
+                    required = new UsernameRequiredPredicate();
                 }
 
                 if (UserModel.EMAIL.equals(attributeName)) {
-                    Predicate<AttributeContext> requiredFromConfig = required;
-                    required = new Predicate<AttributeContext>() {
-                        @Override
-                        public boolean test(AttributeContext context) {
-                            UserModel user = context.getUser();
-
-                            if (isServiceAccountUser(user)) {
-                                return false;
-                            }
-
-                            if (requiredFromConfig.test(context)) return true;
-
-                            RealmModel realm = context.getSession().getContext().getRealm();
-                            return realm.isRegistrationEmailAsUsername();
-                        }
-                    };
+                    required = new EmailRequiredPredicate(required);
                 }
 
                 List<AttributeMetadata> existingMetadata = decoratedMetadata.getAttribute(attributeName);
@@ -439,7 +418,7 @@ private Predicate<AttributeContext> createViewAllowedPredicate(Predicate<Attribu
         return ac -> ac.getContext().isRoleForContext(viewRoles) || canEdit.test(ac);
     }
 
-    private boolean isServiceAccountUser(UserModel user) {
+    private static boolean isServiceAccountUser(UserModel user) {
         return user != null && user.getServiceAccountClientLink() != null;
     }
 
@@ -552,4 +531,34 @@ private Function<UserProfileContext, UserProfileMetadata> createUserDefinedProfi
             return decorateUserProfileForCache(decoratedMetadata, parsedConfig);
         };
     }
+
+    private static class EmailRequiredPredicate implements Predicate<AttributeContext> {
+        private final Predicate<AttributeContext> required;
+
+        public EmailRequiredPredicate(Predicate<AttributeContext> required) {
+            this.required = required;
+        }
+
+        @Override
+        public boolean test(AttributeContext context) {
+            UserModel user = context.getUser();
+
+            if (isServiceAccountUser(user)) {
+                return false;
+            }
+
+            if (required.test(context)) return true;
+
+            RealmModel realm = context.getSession().getContext().getRealm();
+            return realm.isRegistrationEmailAsUsername();
+        }
+    }
+
+    private static class UsernameRequiredPredicate implements Predicate<AttributeContext> {
+        @Override
+        public boolean test(AttributeContext context) {
+            RealmModel realm = context.getSession().getContext().getRealm();
+            return !realm.isRegistrationEmailAsUsername();
+        }
+    }
 }
