(KC24) Use Dedicated SQL Session for Truststore

.github/workflows/build-test.yaml

@@ -8,6 +8,7 @@ on:
       - "*.xml"
   pull_request:
     branches: [main]
+  workflow_dispatch:
 
 jobs:
   build:
@@ -22,6 +23,12 @@ jobs:
           cache: "maven"
       - name: Build
         run: mvn -B clean package --file pom.xml
+      - name: Upload JAR artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: keycloak-extensions-jar
+          path: target/*.jar
+          retention-days: 30
       - name: Integration test
         run: mvn -B failsafe:integration-test failsafe:verify --file pom.xml
   compatibility:

src/main/java/com/scality/keycloak/truststore/JpaCertificateTruststoreProvider.java

@@ -12,6 +12,8 @@
 import java.security.cert.X509Certificate;
 import java.util.Base64;
 import java.util.List;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.function.Function;
 
 import org.bouncycastle.asn1.x500.RDN;
 import org.bouncycastle.asn1.x500.X500Name;
@@ -40,14 +42,27 @@ public JpaCertificateTruststoreProvider(KeycloakSession session) {
         this.session = session;
     }
 
-    /***
-     * 
-     * @return EntityManager
-     */
     private EntityManager getEntityManager() {
         return session.getProvider(JpaConnectionProvider.class).getEntityManager();
     }
 
+    /**
+     * Executes a database query in a completely new Keycloak session with a fresh JDBC connection.
+     * Used on retry when the current session's connection is closed — em.clear() on the same
+     * EntityManager does NOT get a new connection, so we must open a new session entirely.
+     */
+    private <T> T executeInNewSession(Function<EntityManager, T> query) {
+        AtomicReference<T> resultRef = new AtomicReference<>();
+        KeycloakModelUtils.runJobInTransaction(
+            session.getKeycloakSessionFactory(),
+            newSession -> {
+                EntityManager newEm = newSession.getProvider(JpaConnectionProvider.class).getEntityManager();
+                resultRef.set(query.apply(newEm));
+            }
+        );
+        return resultRef.get();
+    }
+
     @Override
     public void close() {
         // nothing to close
@@ -184,27 +199,29 @@ public void removeCertificate(String alias) {
 
     @Override
     public CertificateRepresentation[] getCertificates() {
-        getEntityManager().clear();
-        List<TruststoreEntity> list = (List<TruststoreEntity>) getEntityManager()
-                .createNativeQuery("select t.id, t.alias, t.certificate, t.is_root_ca from truststore t",
-                        TruststoreEntity.class)
-                .setHint(AvailableHints.HINT_CACHEABLE, false)
-                .setHint(AvailableHints.HINT_CACHE_MODE, CacheMode.IGNORE)
-                .getResultList();
-        return list.stream()
-                .map(this::toCertificateRepresentation)
-                .toArray(CertificateRepresentation[]::new);
+        return executeInNewSession(newEm -> {
+            @SuppressWarnings("unchecked")
+            List<TruststoreEntity> list = (List<TruststoreEntity>) newEm
+                    .createNativeQuery("select t.id, t.alias, t.certificate, t.is_root_ca from truststore t",
+                            TruststoreEntity.class)
+                    .setHint(AvailableHints.HINT_CACHEABLE, false)
+                    .setHint(AvailableHints.HINT_CACHE_MODE, CacheMode.IGNORE)
+                    .getResultList();
+            return list.stream()
+                    .map(this::toCertificateRepresentation)
+                    .toArray(CertificateRepresentation[]::new);
+        });
     }
 
     @Override
     public CertificateRepresentation[] getCertificates(boolean isRootCA) {
-        return getEntityManager()
+        return executeInNewSession(newEm -> newEm
                 .createNamedQuery("findByIsRootCA", TruststoreEntity.class)
                 .setParameter("isRootCA", isRootCA)
                 .getResultList()
                 .stream()
                 .map(this::toCertificateRepresentation)
-                .toArray(CertificateRepresentation[]::new);
+                .toArray(CertificateRepresentation[]::new));
     }
 
     @Override