

Log error if Okta and DB role claims unequal
emyl3 committed Oct 9, 2024
1 parent b43eb16 commit c39c587
Showing 4 changed files with 35 additions and 11 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -721,6 +721,10 @@ private UserInfo consolidateUser(ApiUser apiUser, PartialOktaUser oktaUser) {
OrganizationRoles orgRoles =
getOrganizationRoles(Optional.ofNullable(oktaClaims), apiUser, isSiteAdmin);

_dbOrgRoleClaimsService.checkOrgRoleClaimsEquality(
List.of(oktaClaims),
List.of(_dbOrgRoleClaimsService.getOrganizationRoleClaims(apiUser)),
apiUser.getLoginEmail());
return new UserInfo(apiUser, Optional.of(orgRoles), isSiteAdmin, userStatus);
}

Expand Down
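Review bot: `List.of(oktaClaims)` in the added call throws NullPointerException when oktaClaims is null, which the line just above treats as possible (`Optional.ofNullable(oktaClaims)`), so a comparison whose boolean result is discarded here can fail the whole consolidateUser call. Guard it, e.g. `if (oktaClaims != null) { _dbOrgRoleClaimsService.checkOrgRoleClaimsEquality(...); }`, or build the list with `Optional.ofNullable(oktaClaims).map(List::of).orElse(List.of())`. The helper also re-fetches the user by login email on mismatch and can raise NonexistentUserException even though `apiUser` is already resolved in this method; an overload that accepts the ApiUser would avoid both the extra query and the new failure mode. consolidateUser's body begins before this hunk.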
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,9 @@ public OrganizationRoleClaims getOrganizationRoleClaims(ApiUser user) {
* @return boolean
*/
public boolean checkOrgRoleClaimsEquality(
List<OrganizationRoleClaims> oktaClaims, List<OrganizationRoleClaims> dbClaims) {
List<OrganizationRoleClaims> oktaClaims,
List<OrganizationRoleClaims> dbClaims,
String username) {
boolean hasEqualRoleClaims = false;
if (oktaClaims.size() == dbClaims.size()) {
List<OrganizationRoleClaims> sanitizedOktaClaims = sanitizeOktaOrgRoleClaims(oktaClaims);
Expand All @@ -79,17 +81,18 @@ public boolean checkOrgRoleClaimsEquality(
.anyMatch(dbClaim -> equalOrgRoleClaim(sanitizedOktaClaim, dbClaim)));
}
if (!hasEqualRoleClaims) {
logUnequalClaims();
logUnequalClaims(username);
}

return hasEqualRoleClaims;
}

/** Logs a message saying OrganizationRoleClaims are unequal with the affected User ID */
private void logUnequalClaims() {
// WIP: Currently assumes check is for the current user
// This may change based on where checkOrgRoleClaimsEquality is called
String username = _getCurrentUser.get().getUsername();
/**
* Logs a message saying OrganizationRoleClaims are unequal with the affected User ID *
*
* @param username - String user login email
*/
private void logUnequalClaims(String username) {
ApiUser user = _userRepo.findByLoginEmail(username).orElseThrow(NonexistentUserException::new);
log.error(
"Okta OrganizationRoleClaims do not match database OrganizationRoleClaims for User ID: {}",
Expand Down
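Review bot: `logUnequalClaims` now does a repository lookup and throws NonexistentUserException (`orElseThrow` on the findByLoginEmail line) inside a method whose only job is to emit a log line, so a login email with no ApiUser row turns an observational authorization-consistency check into a request failure for every caller of checkOrgRoleClaimsEquality. Log without throwing instead, e.g. `_userRepo.findByLoginEmail(username).ifPresentOrElse(user -> log.error("Okta OrganizationRoleClaims do not match database OrganizationRoleClaims for User ID: {}", ...), () -> log.error("Okta OrganizationRoleClaims do not match database OrganizationRoleClaims for a login email with no ApiUser row"));`, keeping the email itself out of the log as the existing message already does. The Javadoc on `checkOrgRoleClaimsEquality` should also say that a mismatch is only logged and that acting on the returned boolean is the caller's responsibility. logUnequalClaims continues past the end of this hunk.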
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,8 @@ public List<OrganizationRoleClaims> findAllOrganizationRoles() {
String username = currentAuth.getName();
List<OrganizationRoleClaims> dbOrgRoleClaims =
_dbOrgRoleClaimsService.getOrganizationRoleClaims(username);
_dbOrgRoleClaimsService.checkOrgRoleClaimsEquality(
oktaOrgRoleClaims, dbOrgRoleClaims, username);
if (_featureFlagsConfig.isOktaMigrationEnabled()) {
return dbOrgRoleClaims;
}
Expand Down
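Review bot: The boolean returned by the added `checkOrgRoleClaimsEquality` call is discarded, so when `isOktaMigrationEnabled()` is true the method hands back `dbOrgRoleClaims` as the effective authorization even when they were just found to differ from what Okta asserts, and an error log is the only trace that a user's effective roles diverged from the identity provider. At minimum bind the result, `boolean claimsMatch = _dbOrgRoleClaimsService.checkOrgRoleClaimsEquality(oktaOrgRoleClaims, dbOrgRoleClaims, username);`, and add a comment stating which source is authoritative on mismatch while the migration is in progress (returning `oktaOrgRoleClaims` on mismatch would be the fail-closed choice). Note also that on mismatch the helper looks up `username` and may throw NonexistentUserException, so this addition can newly break role resolution for an authenticated principal with no matching ApiUser row. The enclosing findAllOrganizationRoles continues past this hunk.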
Original file line number Diff line number Diff line change
Expand Up @@ -125,9 +125,14 @@ void checkOrgRoleClaimsEquality_withIdenticalOrgRoleClaims_inDifferentOrder_isTr
OrganizationRoleClaimsTestUtils.DB_ORG_EXTERNAL_ID,
Set.of(OrganizationRole.ALL_FACILITIES, OrganizationRole.ADMIN));

String username = "[email protected]";
ApiUser mockApiUser = mock(ApiUser.class);
when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser));
assertTrue(
_service.checkOrgRoleClaimsEquality(
List.of(secondOktaClaim, firstOktaClaim), List.of(firstDbClaim, secondDbClaim)));
List.of(secondOktaClaim, firstOktaClaim),
List.of(firstDbClaim, secondDbClaim),
"[email protected]"));
}

@Test
Expand All @@ -146,7 +151,10 @@ void checkOrgRoleClaimsEquality_withDifferentRoleOrder_isTrue() {
OrganizationRoleClaimsTestUtils.OKTA_ORG_EXTERNAL_ID,
Set.of(OrganizationRole.ALL_FACILITIES, OrganizationRole.USER));

assertTrue(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim)));
String username = "[email protected]";
ApiUser mockApiUser = mock(ApiUser.class);
when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser));
assertTrue(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim), username));
}

@Test
Expand All @@ -164,7 +172,11 @@ void checkOrgRoleClaimsEquality_withDifferentOrgClaims_isFalse() {

Mockito.reset(_apiUserRepoSpy);

assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim)));
String username = "[email protected]";
ApiUser mockApiUser = mock(ApiUser.class);
when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser));
assertFalse(
_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim), username));
verify(_apiUserRepoSpy, times(1)).findByLoginEmail(any());
}

Expand All @@ -176,7 +188,10 @@ void checkOrgRoleClaimsEquality_withDifferentOrgClaimsSize_isFalse() {
OrganizationRoleClaimsTestUtils.OKTA_FACILITY_NAMES,
Set.of(OrganizationRole.NO_ACCESS, OrganizationRole.USER));

assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of()));
String username = "[email protected]";
ApiUser mockApiUser = mock(ApiUser.class);
when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser));
assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(), username));
}

private OrganizationRoleClaims createClaimsForCreatedOrg(
Expand Down
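Review bot: In checkOrgRoleClaimsEquality_withIdenticalOrgRoleClaims_inDifferentOrder_isTrue the stub is registered for `username` but the call passes the string literal again; pass `username` as the other three tests do so the stubbed value and the argument cannot drift apart. The true-path tests stub `findByLoginEmail` but never assert the lookup is skipped; adding `verify(_apiUserRepoSpy, never()).findByLoginEmail(any());` to them would pin that equal claims do not take the error-log path. The same three-line mock setup is repeated in four tests and belongs in a `@BeforeEach` or a private helper, and no test covers the branch where the lookup returns empty and NonexistentUserException is thrown.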
