Log error if Okta and DB role claims unequal (#8182)

backend/src/main/java/gov/cdc/usds/simplereport/service/ApiUserService.java

@@ -721,6 +721,10 @@ private UserInfo consolidateUser(ApiUser apiUser, PartialOktaUser oktaUser) {
     OrganizationRoles orgRoles =
         getOrganizationRoles(Optional.ofNullable(oktaClaims), apiUser, isSiteAdmin);
 
+    _dbOrgRoleClaimsService.checkOrgRoleClaimsEquality(
+        List.of(oktaClaims),
+        List.of(_dbOrgRoleClaimsService.getOrganizationRoleClaims(apiUser)),
+        apiUser.getLoginEmail());
     return new UserInfo(apiUser, Optional.of(orgRoles), isSiteAdmin, userStatus);
   }
 

backend/src/main/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsService.java

@@ -67,7 +67,9 @@ public OrganizationRoleClaims getOrganizationRoleClaims(ApiUser user) {
    * @return boolean
    */
   public boolean checkOrgRoleClaimsEquality(
-      List<OrganizationRoleClaims> oktaClaims, List<OrganizationRoleClaims> dbClaims) {
+      List<OrganizationRoleClaims> oktaClaims,
+      List<OrganizationRoleClaims> dbClaims,
+      String username) {
     boolean hasEqualRoleClaims = false;
     if (oktaClaims.size() == dbClaims.size()) {
       List<OrganizationRoleClaims> sanitizedOktaClaims = sanitizeOktaOrgRoleClaims(oktaClaims);
@@ -79,17 +81,18 @@ public boolean checkOrgRoleClaimsEquality(
                           .anyMatch(dbClaim -> equalOrgRoleClaim(sanitizedOktaClaim, dbClaim)));
     }
     if (!hasEqualRoleClaims) {
-      logUnequalClaims();
+      logUnequalClaims(username);
     }
 
     return hasEqualRoleClaims;
   }
 
-  /** Logs a message saying OrganizationRoleClaims are unequal with the affected User ID */
-  private void logUnequalClaims() {
-    // WIP: Currently assumes check is for the current user
-    // This may change based on where checkOrgRoleClaimsEquality is called
-    String username = _getCurrentUser.get().getUsername();
+  /**
+   * Logs a message saying OrganizationRoleClaims are unequal with the affected User ID *
+   *
+   * @param username - String user login email
+   */
+  private void logUnequalClaims(String username) {
     ApiUser user = _userRepo.findByLoginEmail(username).orElseThrow(NonexistentUserException::new);
     log.error(
         "Okta OrganizationRoleClaims do not match database OrganizationRoleClaims for User ID: {}",

backend/src/main/java/gov/cdc/usds/simplereport/service/LoggedInAuthorizationService.java

@@ -60,6 +60,8 @@ public List<OrganizationRoleClaims> findAllOrganizationRoles() {
       String username = currentAuth.getName();
       List<OrganizationRoleClaims> dbOrgRoleClaims =
           _dbOrgRoleClaimsService.getOrganizationRoleClaims(username);
+      _dbOrgRoleClaimsService.checkOrgRoleClaimsEquality(
+          oktaOrgRoleClaims, dbOrgRoleClaims, username);
       if (_featureFlagsConfig.isOktaMigrationEnabled()) {
         return dbOrgRoleClaims;
       }

backend/src/test/java/gov/cdc/usds/simplereport/service/ApiUserServiceTest.java

@@ -159,7 +159,7 @@ void getUser_withAdminUser_withOktaMigrationDisabled_success() {
 
     UserInfo userInfo = _service.getUser(apiUser.getInternalId());
 
-    verify(_dbOrgRoleClaimsService, times(0)).getOrganizationRoleClaims((ApiUser) any());
+    verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any());
     assertEquals(email, userInfo.getEmail());
     roleCheck(
         userInfo,
@@ -177,7 +177,7 @@ void getUser_withAdminUser_withOktaMigrationEnabled_success() {
 
     UserInfo userInfo = _service.getUser(apiUser.getInternalId());
 
-    verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any());
+    verify(_dbOrgRoleClaimsService, times(2)).getOrganizationRoleClaims((ApiUser) any());
     assertEquals(email, userInfo.getEmail());
     roleCheck(userInfo, EnumSet.of(OrganizationRole.USER, OrganizationRole.ALL_FACILITIES));
   }
@@ -192,7 +192,7 @@ void getUser_withSuperUser_withOktaMigrationDisabled_success() {
 
     UserInfo userInfo = _service.getUser(apiUser.getInternalId());
 
-    verify(_dbOrgRoleClaimsService, times(0)).getOrganizationRoleClaims((ApiUser) any());
+    verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any());
     assertEquals(email, userInfo.getEmail());
     roleCheck(
         userInfo,
@@ -218,7 +218,7 @@ void getUser_withSuperUser_withOktaMigrationEnabled_success() {
 
     UserInfo userInfo = _service.getUser(apiUser.getInternalId());
 
-    verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any());
+    verify(_dbOrgRoleClaimsService, times(2)).getOrganizationRoleClaims((ApiUser) any());
     assertEquals(email, userInfo.getEmail());
     roleCheck(userInfo, EnumSet.of(OrganizationRole.USER, OrganizationRole.ALL_FACILITIES));
 
@@ -607,7 +607,7 @@ void getUserByLoginEmail_withOktaMigrationDisabled_success() {
     ApiUser apiUser = _apiUserRepo.findByLoginEmail(email).get();
     UserInfo userInfo = _service.getUserByLoginEmail(email);
 
-    verify(_dbOrgRoleClaimsService, times(0)).getOrganizationRoleClaims((ApiUser) any());
+    verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any());
     assertEquals(apiUser.getInternalId(), userInfo.getInternalId());
     assertEquals(email, userInfo.getEmail());
     assertEquals(UserStatus.ACTIVE, userInfo.getUserStatus());
@@ -626,7 +626,7 @@ void getUserByLoginEmail_withOktaMigrationEnabled_success() {
     ApiUser apiUser = _apiUserRepo.findByLoginEmail(email).get();
     UserInfo userInfo = _service.getUserByLoginEmail(email);
 
-    verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any());
+    verify(_dbOrgRoleClaimsService, times(2)).getOrganizationRoleClaims((ApiUser) any());
 
     assertEquals(apiUser.getInternalId(), userInfo.getInternalId());
     assertEquals(email, userInfo.getEmail());
@@ -725,7 +725,7 @@ void getUserByLoginEmail_invalidClaims_withOktaMigrationDisabled_success() {
     // we should be able to retrieve user info for a user with invalid claims (no facility access)
     // without failing
     UserInfo result = _service.getUserByLoginEmail(email);
-    verify(_dbOrgRoleClaimsService, times(0)).getOrganizationRoleClaims((ApiUser) any());
+    verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any());
     assertThat(result.getFacilities()).isEmpty();
     assertEquals(List.of(OrganizationRole.NO_ACCESS, OrganizationRole.USER), result.getRoles());
   }
@@ -740,7 +740,7 @@ void getUserByLoginEmail_invalidClaims_withOktaMigrationEnabled_success() {
     // we should be able to retrieve user info for a user with invalid claims (no facility access)
     // without failing
     UserInfo result = _service.getUserByLoginEmail(email);
-    verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any());
+    verify(_dbOrgRoleClaimsService, times(2)).getOrganizationRoleClaims((ApiUser) any());
     assertThat(result.getFacilities()).isEmpty();
     assertEquals(List.of(OrganizationRole.USER), result.getRoles());
   }

backend/src/test/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsServiceTest.java

@@ -125,9 +125,14 @@ void checkOrgRoleClaimsEquality_withIdenticalOrgRoleClaims_inDifferentOrder_isTr
             OrganizationRoleClaimsTestUtils.DB_ORG_EXTERNAL_ID,
             Set.of(OrganizationRole.ALL_FACILITIES, OrganizationRole.ADMIN));
 
+    String username = "[email protected]";
+    ApiUser mockApiUser = mock(ApiUser.class);
+    when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser));
     assertTrue(
         _service.checkOrgRoleClaimsEquality(
-            List.of(secondOktaClaim, firstOktaClaim), List.of(firstDbClaim, secondDbClaim)));
+            List.of(secondOktaClaim, firstOktaClaim),
+            List.of(firstDbClaim, secondDbClaim),
+            "[email protected]"));
   }
 
   @Test
@@ -146,7 +151,10 @@ void checkOrgRoleClaimsEquality_withDifferentRoleOrder_isTrue() {
             OrganizationRoleClaimsTestUtils.OKTA_ORG_EXTERNAL_ID,
             Set.of(OrganizationRole.ALL_FACILITIES, OrganizationRole.USER));
 
-    assertTrue(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim)));
+    String username = "[email protected]";
+    ApiUser mockApiUser = mock(ApiUser.class);
+    when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser));
+    assertTrue(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim), username));
   }
 
   @Test
@@ -164,7 +172,11 @@ void checkOrgRoleClaimsEquality_withDifferentOrgClaims_isFalse() {
 
     Mockito.reset(_apiUserRepoSpy);
 
-    assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim)));
+    String username = "[email protected]";
+    ApiUser mockApiUser = mock(ApiUser.class);
+    when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser));
+    assertFalse(
+        _service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim), username));
     verify(_apiUserRepoSpy, times(1)).findByLoginEmail(any());
   }
 
@@ -176,7 +188,10 @@ void checkOrgRoleClaimsEquality_withDifferentOrgClaimsSize_isFalse() {
             OrganizationRoleClaimsTestUtils.OKTA_FACILITY_NAMES,
             Set.of(OrganizationRole.NO_ACCESS, OrganizationRole.USER));
 
-    assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of()));
+    String username = "[email protected]";
+    ApiUser mockApiUser = mock(ApiUser.class);
+    when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser));
+    assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(), username));
   }
 
   private OrganizationRoleClaims createClaimsForCreatedOrg(