Skip to content

Commit

Permalink
Fetch group info for users from DB when oktaMigrationEnabled is true
Browse files Browse the repository at this point in the history
  • Loading branch information
emyl3 committed Sep 9, 2024
1 parent e2549af commit acf4def
Show file tree
Hide file tree
Showing 16 changed files with 546 additions and 44 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,14 @@
import gov.cdc.usds.simplereport.api.model.accountrequest.WaitlistRequest;
import gov.cdc.usds.simplereport.api.model.errors.BadRequestException;
import gov.cdc.usds.simplereport.api.model.errors.IllegalGraphqlArgumentException;
import gov.cdc.usds.simplereport.config.FeatureFlagsConfig;
import gov.cdc.usds.simplereport.db.model.ApiUser;
import gov.cdc.usds.simplereport.db.model.Organization;
import gov.cdc.usds.simplereport.db.model.OrganizationQueueItem;
import gov.cdc.usds.simplereport.idp.repository.OktaRepository;
import gov.cdc.usds.simplereport.properties.SendGridProperties;
import gov.cdc.usds.simplereport.service.ApiUserService;
import gov.cdc.usds.simplereport.service.DbAuthorizationService;
import gov.cdc.usds.simplereport.service.OrganizationQueueService;
import gov.cdc.usds.simplereport.service.OrganizationService;
import gov.cdc.usds.simplereport.service.email.EmailService;
Expand All @@ -27,6 +30,7 @@
import java.util.List;
import java.util.Optional;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.owasp.encoder.Encode;
Expand All @@ -50,7 +54,9 @@ public class AccountRequestController {
private final OrganizationService _os;
private final OrganizationQueueService _oqs;
private final ApiUserService _aus;
private final DbAuthorizationService _das;
private final EmailService _es;
private final FeatureFlagsConfig _ffc;
private final SendGridProperties sendGridProperties;
private final ObjectMapper objectMapper = new ObjectMapper();
private final OktaRepository _oktaRepo;
Expand Down Expand Up @@ -136,8 +142,9 @@ private String checkForDuplicateOrg(String organizationName, String state, Strin
Optional<Organization> duplicateOrg =
potentialDuplicates.stream().filter(o -> o.getExternalId().startsWith(state)).findFirst();
if (duplicateOrg.isPresent()) {
if (_oktaRepo.fetchAdminUserEmail(duplicateOrg.get()).stream()
.anyMatch(Predicate.isEqual(email))) {
List<String> adminUserEmails = getOrgAdminUserEmails(duplicateOrg.get());

if (adminUserEmails.stream().anyMatch(Predicate.isEqual(email))) {
// Special toasts are shown to admin users trying to re-register their org.
String message =
duplicateOrg.get().getIdentityVerified()
Expand All @@ -156,6 +163,19 @@ private String checkForDuplicateOrg(String organizationName, String state, Strin
return String.join("-", organizationName, state);
}

private List<String> getOrgAdminUserEmails(Organization org) {
List<String> adminUserEmails;
if (_ffc.isOktaMigrationEnabled()) {
adminUserEmails =
_das.getOrgAdminUsers(org).stream()
.map(ApiUser::getLoginEmail)
.collect(Collectors.toList());
} else {
adminUserEmails = _oktaRepo.fetchAdminUserEmail(org);
}
return adminUserEmails;
}

private void logOrganizationAccountRequest(@RequestBody @Valid OrganizationAccountRequest request)
throws JsonProcessingException {
if (log.isInfoEnabled()) {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
package gov.cdc.usds.simplereport.db.repository;

import gov.cdc.usds.simplereport.config.authorization.OrganizationRole;
import gov.cdc.usds.simplereport.db.model.ApiUser;
import gov.cdc.usds.simplereport.db.model.Facility;
import gov.cdc.usds.simplereport.db.model.Organization;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
Expand Down Expand Up @@ -30,4 +33,34 @@ public interface ApiUserRepository extends EternalSystemManagedEntityRepository<

@Query(BASE_QUERY + " and loginEmail IN :emails" + NAME_ORDER)
List<ApiUser> findAllByLoginEmailInOrderByName(Collection<String> emails);

String API_USER_ROLE_LEFT_JOIN = " LEFT JOIN api_user_role aur ON aur.apiUser = e";
String BY_UNDELETED_ORG = " WHERE aur.organization = :org AND e.isDeleted = false";
String JOINED_NAME_ORDER =
" order by e.nameInfo.lastName, e.nameInfo.firstName, e.nameInfo.middleName, e.internalId";

@Query(
value =
"from #{#entityName} e" + API_USER_ROLE_LEFT_JOIN + BY_UNDELETED_ORG + JOINED_NAME_ORDER)
List<ApiUser> findAllByOrganization(Organization org);

@Query(
value =
"from #{#entityName} e"
+ API_USER_ROLE_LEFT_JOIN
+ BY_UNDELETED_ORG
+ " AND aur.role = :role"
+ JOINED_NAME_ORDER)
List<ApiUser> findAllByOrganizationAndRole(Organization org, OrganizationRole role);

@Query(
value =
"from #{#entityName} e"
+ API_USER_ROLE_LEFT_JOIN
+ " LEFT JOIN api_user_facility auf ON auf.apiUser = e"
+ " WHERE auf.facility = :facility"
+ " AND e.isDeleted = false"
+ " AND (aur.role = 'USER' OR aur.role = 'ENTRY_ONLY')"
+ " GROUP BY e")
List<ApiUser> findAllBySingleFacilityAccess(Facility facility);
}
Original file line number Diff line number Diff line change
Expand Up @@ -285,6 +285,12 @@ public void activateOrganization(Organization org) {
inactiveUsernames.removeAll(orgUsernamesMap.get(org.getExternalId()));
}

@Override
public String activateUser(String username) {
inactiveUsernames.remove(username);
return "activationToken";
}

// this method means nothing in a demo env
public String activateOrganizationWithSingleUser(Organization org) {
activateOrganization(org);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -575,6 +575,13 @@ private String activateUser(User user) {
}
}

@Override
public String activateUser(String username) {
User oktaUser =
getUserOrThrowError(username, "Cannot activate Okta user with unrecognized username");
return activateUser(oktaUser);
}

@Override
public void activateOrganization(Organization org) {
var users = getOrgAdminUsers(org);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,8 @@ List<String> updateUserPrivilegesAndGroupAccess(

void activateOrganization(Organization org);

String activateUser(String username);

String activateOrganizationWithSingleUser(Organization org);

List<String> fetchAdminUserEmail(Organization org);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,8 @@ public class ApiUserService {

@Autowired private ApiUserContextHolder _apiUserContextHolder;

@Autowired private DbAuthorizationService _dbAuthService;

@Autowired private DbOrgRoleClaimsService _dbOrgRoleClaimsService;

@Autowired private FeatureFlagsConfig _featureFlagsConfig;
Expand Down Expand Up @@ -146,11 +148,9 @@ private UserInfo reprovisionUser(
throw new ConflictingUserException();
}

OrganizationRoleClaims claims =
_oktaRepo
.getOrganizationRoleClaimsForUser(apiUser.getLoginEmail())
.orElseThrow(MisconfiguredUserException::new);
if (!org.getExternalId().equals(claims.getOrganizationExternalId())) {
String currentOrgExternalId = getOrgExternalId(apiUser);

if (!org.getExternalId().equals(currentOrgExternalId)) {
throw new ConflictingUserException();
}

Expand All @@ -160,20 +160,22 @@ private UserInfo reprovisionUser(

Set<OrganizationRole> roles = getOrganizationRoles(role, accessAllFacilities);
Set<Facility> facilitiesFound = getFacilitiesToGiveAccess(org, roles, facilities);
Optional<OrganizationRoleClaims> oktaClaims =
_oktaRepo.updateUserPrivileges(apiUser.getLoginEmail(), org, facilitiesFound, roles);
Optional<OrganizationRoles> orgRoles = oktaClaims.map(c -> _orgService.getOrganizationRoles(c));
Optional<OrganizationRoles> updatedOrgRoles;

apiUser.setNameInfo(name);
apiUser.setIsDeleted(false);
apiUser.setFacilities(facilitiesFound);
apiUser.setRoles(roles, org);

Optional<OrganizationRoleClaims> oktaClaims =
_oktaRepo.updateUserPrivileges(apiUser.getLoginEmail(), org, facilitiesFound, roles);
updatedOrgRoles = oktaClaims.map(c -> _orgService.getOrganizationRoles(c));

if (_featureFlagsConfig.isOktaMigrationEnabled()) {
orgRoles = Optional.ofNullable(getOrgRolesFromDB(apiUser));
updatedOrgRoles = Optional.ofNullable(getOrgRolesFromDB(apiUser));
}

UserInfo user = new UserInfo(apiUser, orgRoles, false);
UserInfo user = new UserInfo(apiUser, updatedOrgRoles, false);

log.info(
"User with id={} re-provisioned by user with id={}",
Expand Down Expand Up @@ -247,14 +249,11 @@ public UserInfo updateUserPrivileges(
UUID userId, boolean accessAllFacilities, Set<UUID> facilities, Role role) {
ApiUser apiUser = getApiUser(userId);
String username = apiUser.getLoginEmail();
OrganizationRoleClaims orgClaims =
_oktaRepo
.getOrganizationRoleClaimsForUser(username)
.orElseThrow(MisconfiguredUserException::new);
Organization org = _orgService.getOrganization(orgClaims.getOrganizationExternalId());

String orgExternalId = getOrgExternalId(apiUser);
Organization org = _orgService.getOrganization(orgExternalId);
Set<OrganizationRole> roles = getOrganizationRoles(role, accessAllFacilities);
Set<Facility> facilitiesFound = getFacilitiesToGiveAccess(org, roles, facilities);

Optional<OrganizationRoleClaims> newOrgClaims =
_oktaRepo.updateUserPrivileges(username, org, facilitiesFound, roles);
Optional<OrganizationRoles> orgRoles =
Expand Down Expand Up @@ -597,13 +596,20 @@ public UserInfo getCurrentUserInfo() {
@AuthorizationConfiguration.RequirePermissionManageUsers
public List<ApiUser> getUsersInCurrentOrg() {
Organization org = _orgService.getCurrentOrganization();
final Set<String> orgUserEmails = _oktaRepo.getAllUsersForOrganization(org);
return _apiUserRepo.findAllByLoginEmailInOrderByName(orgUserEmails);
List<ApiUser> usersInOrg;
if (_featureFlagsConfig.isOktaMigrationEnabled()) {
usersInOrg = _dbAuthService.getUsersInOrganization(org);
} else {
final Set<String> orgUserEmails = _oktaRepo.getAllUsersForOrganization(org);
usersInOrg = _apiUserRepo.findAllByLoginEmailInOrderByName(orgUserEmails);
}
return usersInOrg;
}

@AuthorizationConfiguration.RequirePermissionManageUsers
public List<ApiUserWithStatus> getUsersAndStatusInCurrentOrg() {
Organization org = _orgService.getCurrentOrganization();
// get user list from DB -- if I get individual users will I hit okta rate limit?
final Map<String, UserStatus> emailsToStatus =
_oktaRepo.getAllUsersWithStatusForOrganization(org);
List<ApiUser> users = _apiUserRepo.findAllByLoginEmailInOrderByName(emailsToStatus.keySet());
Expand Down Expand Up @@ -829,4 +835,23 @@ private OrganizationRoles getOrgRolesFromDB(ApiUser apiUser) {
_dbOrgRoleClaimsService.getOrganizationRoleClaims(apiUser);
return _orgService.getOrganizationRoles(orgRoleClaims);
}

private String getOrgExternalId(ApiUser apiUser) {
String orgExternalId;
if (_featureFlagsConfig.isOktaMigrationEnabled()) {
Optional<Organization> org = apiUser.getOrganizations().stream().findFirst();
if (org.isPresent()) {
orgExternalId = org.get().getExternalId();
} else {
throw new MisconfiguredUserException();
}
} else {
OrganizationRoleClaims claims =
_oktaRepo
.getOrganizationRoleClaimsForUser(apiUser.getLoginEmail())
.orElseThrow(MisconfiguredUserException::new);
orgExternalId = claims.getOrganizationExternalId();
}
return orgExternalId;
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
package gov.cdc.usds.simplereport.service;

import gov.cdc.usds.simplereport.config.AuthorizationConfiguration;
import gov.cdc.usds.simplereport.config.authorization.OrganizationRole;
import gov.cdc.usds.simplereport.db.model.ApiUser;
import gov.cdc.usds.simplereport.db.model.Facility;
import gov.cdc.usds.simplereport.db.model.Organization;
import gov.cdc.usds.simplereport.db.repository.ApiUserRepository;
import java.util.List;
import java.util.stream.Collectors;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;

@Component
@Slf4j
@RequiredArgsConstructor
public class DbAuthorizationService {
private final ApiUserRepository _userRepo;

/**
* Fetches a list of ApiUsers that belong to an Organization sorted by last name, first name, and
* middle name
*
* @param org - Organization
* @return List of ApiUsers that belong to the org
*/
@AuthorizationConfiguration.RequirePermissionManageUsers
public List<ApiUser> getUsersInOrganization(Organization org) {
return _userRepo.findAllByOrganization(org);
}

/**
* Fetches a list of ApiUsers that belong to an Organization and has the ADMIN role, sorted by
* last name, first name, and middle name
*
* @param org - Organization
* @return List of ApiUsers with ADMIN role in the org
*/
public List<ApiUser> getOrgAdminUsers(Organization org) {
return _userRepo.findAllByOrganizationAndRole(org, OrganizationRole.ADMIN);
}

/**
* Fetches a count of ApiUsers that have permission to access the one defined facility and do not
* have the ALL_FACILITIES and/or ADMIN roles
*
* @param facility - Facility to get count for
* @return Integer - count of ApiUsers
*/
public Integer getUserWithSingleFacilityAccessCount(Facility facility) {
List<ApiUser> users = _userRepo.findAllBySingleFacilityAccess(facility);
return users.stream()
.filter(user -> user.getFacilities().size() <= 1)
.collect(Collectors.toList())
.size();
}
}
Loading

0 comments on commit acf4def

Please sign in to comment.