From 73654212d38b9bdb6f23928ff6ce3ec4164cf6d5 Mon Sep 17 00:00:00 2001 From: elisa lee Date: Wed, 23 Oct 2024 09:54:28 -0500 Subject: [PATCH] Log error if Okta and DB role claims unequal (#8182) --- .../simplereport/service/ApiUserService.java | 4 ++++ .../service/DbOrgRoleClaimsService.java | 17 ++++++++------ .../service/LoggedInAuthorizationService.java | 2 ++ .../service/ApiUserServiceTest.java | 16 ++++++------- .../service/DbOrgRoleClaimsServiceTest.java | 23 +++++++++++++++---- 5 files changed, 43 insertions(+), 19 deletions(-) diff --git a/backend/src/main/java/gov/cdc/usds/simplereport/service/ApiUserService.java b/backend/src/main/java/gov/cdc/usds/simplereport/service/ApiUserService.java index 165057ec56..37c06330a4 100644 --- a/backend/src/main/java/gov/cdc/usds/simplereport/service/ApiUserService.java +++ b/backend/src/main/java/gov/cdc/usds/simplereport/service/ApiUserService.java @@ -721,6 +721,10 @@ private UserInfo consolidateUser(ApiUser apiUser, PartialOktaUser oktaUser) { OrganizationRoles orgRoles = getOrganizationRoles(Optional.ofNullable(oktaClaims), apiUser, isSiteAdmin); + _dbOrgRoleClaimsService.checkOrgRoleClaimsEquality( + List.of(oktaClaims), + List.of(_dbOrgRoleClaimsService.getOrganizationRoleClaims(apiUser)), + apiUser.getLoginEmail()); return new UserInfo(apiUser, Optional.of(orgRoles), isSiteAdmin, userStatus); } diff --git a/backend/src/main/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsService.java b/backend/src/main/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsService.java index 74af45bd43..3a3f33cc69 100644 --- a/backend/src/main/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsService.java +++ b/backend/src/main/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsService.java @@ -67,7 +67,9 @@ public OrganizationRoleClaims getOrganizationRoleClaims(ApiUser user) { * @return boolean */ public boolean checkOrgRoleClaimsEquality( - List oktaClaims, List dbClaims) { + List oktaClaims, + List dbClaims, + String username) { boolean hasEqualRoleClaims = false; if (oktaClaims.size() == dbClaims.size()) { List sanitizedOktaClaims = sanitizeOktaOrgRoleClaims(oktaClaims); @@ -79,17 +81,18 @@ public boolean checkOrgRoleClaimsEquality( .anyMatch(dbClaim -> equalOrgRoleClaim(sanitizedOktaClaim, dbClaim))); } if (!hasEqualRoleClaims) { - logUnequalClaims(); + logUnequalClaims(username); } return hasEqualRoleClaims; } - /** Logs a message saying OrganizationRoleClaims are unequal with the affected User ID */ - private void logUnequalClaims() { - // WIP: Currently assumes check is for the current user - // This may change based on where checkOrgRoleClaimsEquality is called - String username = _getCurrentUser.get().getUsername(); + /** + * Logs a message saying OrganizationRoleClaims are unequal with the affected User ID * + * + * @param username - String user login email + */ + private void logUnequalClaims(String username) { ApiUser user = _userRepo.findByLoginEmail(username).orElseThrow(NonexistentUserException::new); log.error( "Okta OrganizationRoleClaims do not match database OrganizationRoleClaims for User ID: {}", diff --git a/backend/src/main/java/gov/cdc/usds/simplereport/service/LoggedInAuthorizationService.java b/backend/src/main/java/gov/cdc/usds/simplereport/service/LoggedInAuthorizationService.java index 932ef74191..60a82be40a 100644 --- a/backend/src/main/java/gov/cdc/usds/simplereport/service/LoggedInAuthorizationService.java +++ b/backend/src/main/java/gov/cdc/usds/simplereport/service/LoggedInAuthorizationService.java @@ -60,6 +60,8 @@ public List findAllOrganizationRoles() { String username = currentAuth.getName(); List dbOrgRoleClaims = _dbOrgRoleClaimsService.getOrganizationRoleClaims(username); + _dbOrgRoleClaimsService.checkOrgRoleClaimsEquality( + oktaOrgRoleClaims, dbOrgRoleClaims, username); if (_featureFlagsConfig.isOktaMigrationEnabled()) { return dbOrgRoleClaims; } diff --git a/backend/src/test/java/gov/cdc/usds/simplereport/service/ApiUserServiceTest.java b/backend/src/test/java/gov/cdc/usds/simplereport/service/ApiUserServiceTest.java index 033705c6c1..97990240b1 100644 --- a/backend/src/test/java/gov/cdc/usds/simplereport/service/ApiUserServiceTest.java +++ b/backend/src/test/java/gov/cdc/usds/simplereport/service/ApiUserServiceTest.java @@ -159,7 +159,7 @@ void getUser_withAdminUser_withOktaMigrationDisabled_success() { UserInfo userInfo = _service.getUser(apiUser.getInternalId()); - verify(_dbOrgRoleClaimsService, times(0)).getOrganizationRoleClaims((ApiUser) any()); + verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any()); assertEquals(email, userInfo.getEmail()); roleCheck( userInfo, @@ -177,7 +177,7 @@ void getUser_withAdminUser_withOktaMigrationEnabled_success() { UserInfo userInfo = _service.getUser(apiUser.getInternalId()); - verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any()); + verify(_dbOrgRoleClaimsService, times(2)).getOrganizationRoleClaims((ApiUser) any()); assertEquals(email, userInfo.getEmail()); roleCheck(userInfo, EnumSet.of(OrganizationRole.USER, OrganizationRole.ALL_FACILITIES)); } @@ -192,7 +192,7 @@ void getUser_withSuperUser_withOktaMigrationDisabled_success() { UserInfo userInfo = _service.getUser(apiUser.getInternalId()); - verify(_dbOrgRoleClaimsService, times(0)).getOrganizationRoleClaims((ApiUser) any()); + verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any()); assertEquals(email, userInfo.getEmail()); roleCheck( userInfo, @@ -218,7 +218,7 @@ void getUser_withSuperUser_withOktaMigrationEnabled_success() { UserInfo userInfo = _service.getUser(apiUser.getInternalId()); - verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any()); + verify(_dbOrgRoleClaimsService, times(2)).getOrganizationRoleClaims((ApiUser) any()); assertEquals(email, userInfo.getEmail()); roleCheck(userInfo, EnumSet.of(OrganizationRole.USER, OrganizationRole.ALL_FACILITIES)); @@ -607,7 +607,7 @@ void getUserByLoginEmail_withOktaMigrationDisabled_success() { ApiUser apiUser = _apiUserRepo.findByLoginEmail(email).get(); UserInfo userInfo = _service.getUserByLoginEmail(email); - verify(_dbOrgRoleClaimsService, times(0)).getOrganizationRoleClaims((ApiUser) any()); + verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any()); assertEquals(apiUser.getInternalId(), userInfo.getInternalId()); assertEquals(email, userInfo.getEmail()); assertEquals(UserStatus.ACTIVE, userInfo.getUserStatus()); @@ -626,7 +626,7 @@ void getUserByLoginEmail_withOktaMigrationEnabled_success() { ApiUser apiUser = _apiUserRepo.findByLoginEmail(email).get(); UserInfo userInfo = _service.getUserByLoginEmail(email); - verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any()); + verify(_dbOrgRoleClaimsService, times(2)).getOrganizationRoleClaims((ApiUser) any()); assertEquals(apiUser.getInternalId(), userInfo.getInternalId()); assertEquals(email, userInfo.getEmail()); @@ -725,7 +725,7 @@ void getUserByLoginEmail_invalidClaims_withOktaMigrationDisabled_success() { // we should be able to retrieve user info for a user with invalid claims (no facility access) // without failing UserInfo result = _service.getUserByLoginEmail(email); - verify(_dbOrgRoleClaimsService, times(0)).getOrganizationRoleClaims((ApiUser) any()); + verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any()); assertThat(result.getFacilities()).isEmpty(); assertEquals(List.of(OrganizationRole.NO_ACCESS, OrganizationRole.USER), result.getRoles()); } @@ -740,7 +740,7 @@ void getUserByLoginEmail_invalidClaims_withOktaMigrationEnabled_success() { // we should be able to retrieve user info for a user with invalid claims (no facility access) // without failing UserInfo result = _service.getUserByLoginEmail(email); - verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any()); + verify(_dbOrgRoleClaimsService, times(2)).getOrganizationRoleClaims((ApiUser) any()); assertThat(result.getFacilities()).isEmpty(); assertEquals(List.of(OrganizationRole.USER), result.getRoles()); } diff --git a/backend/src/test/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsServiceTest.java b/backend/src/test/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsServiceTest.java index e089f7a12f..facb869c30 100644 --- a/backend/src/test/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsServiceTest.java +++ b/backend/src/test/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsServiceTest.java @@ -125,9 +125,14 @@ void checkOrgRoleClaimsEquality_withIdenticalOrgRoleClaims_inDifferentOrder_isTr OrganizationRoleClaimsTestUtils.DB_ORG_EXTERNAL_ID, Set.of(OrganizationRole.ALL_FACILITIES, OrganizationRole.ADMIN)); + String username = "fakeuser@example.com"; + ApiUser mockApiUser = mock(ApiUser.class); + when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser)); assertTrue( _service.checkOrgRoleClaimsEquality( - List.of(secondOktaClaim, firstOktaClaim), List.of(firstDbClaim, secondDbClaim))); + List.of(secondOktaClaim, firstOktaClaim), + List.of(firstDbClaim, secondDbClaim), + "fakeuser@example.com")); } @Test @@ -146,7 +151,10 @@ void checkOrgRoleClaimsEquality_withDifferentRoleOrder_isTrue() { OrganizationRoleClaimsTestUtils.OKTA_ORG_EXTERNAL_ID, Set.of(OrganizationRole.ALL_FACILITIES, OrganizationRole.USER)); - assertTrue(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim))); + String username = "fakeuser@example.com"; + ApiUser mockApiUser = mock(ApiUser.class); + when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser)); + assertTrue(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim), username)); } @Test @@ -164,7 +172,11 @@ void checkOrgRoleClaimsEquality_withDifferentOrgClaims_isFalse() { Mockito.reset(_apiUserRepoSpy); - assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim))); + String username = "fakeuser@example.com"; + ApiUser mockApiUser = mock(ApiUser.class); + when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser)); + assertFalse( + _service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim), username)); verify(_apiUserRepoSpy, times(1)).findByLoginEmail(any()); } @@ -176,7 +188,10 @@ void checkOrgRoleClaimsEquality_withDifferentOrgClaimsSize_isFalse() { OrganizationRoleClaimsTestUtils.OKTA_FACILITY_NAMES, Set.of(OrganizationRole.NO_ACCESS, OrganizationRole.USER)); - assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of())); + String username = "fakeuser@example.com"; + ApiUser mockApiUser = mock(ApiUser.class); + when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser)); + assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(), username)); } private OrganizationRoleClaims createClaimsForCreatedOrg(