From c39c587da80a7df5a1265654aac780a1ea00e124 Mon Sep 17 00:00:00 2001 From: elisa lee Date: Mon, 23 Sep 2024 13:54:30 -0500 Subject: [PATCH] Log error if Okta and DB role claims unequal --- .../simplereport/service/ApiUserService.java | 4 ++++ .../service/DbOrgRoleClaimsService.java | 17 ++++++++------ .../service/LoggedInAuthorizationService.java | 2 ++ .../service/DbOrgRoleClaimsServiceTest.java | 23 +++++++++++++++---- 4 files changed, 35 insertions(+), 11 deletions(-) diff --git a/backend/src/main/java/gov/cdc/usds/simplereport/service/ApiUserService.java b/backend/src/main/java/gov/cdc/usds/simplereport/service/ApiUserService.java index 165057ec56..37c06330a4 100644 --- a/backend/src/main/java/gov/cdc/usds/simplereport/service/ApiUserService.java +++ b/backend/src/main/java/gov/cdc/usds/simplereport/service/ApiUserService.java @@ -721,6 +721,10 @@ private UserInfo consolidateUser(ApiUser apiUser, PartialOktaUser oktaUser) { OrganizationRoles orgRoles = getOrganizationRoles(Optional.ofNullable(oktaClaims), apiUser, isSiteAdmin); + _dbOrgRoleClaimsService.checkOrgRoleClaimsEquality( + List.of(oktaClaims), + List.of(_dbOrgRoleClaimsService.getOrganizationRoleClaims(apiUser)), + apiUser.getLoginEmail()); return new UserInfo(apiUser, Optional.of(orgRoles), isSiteAdmin, userStatus); } diff --git a/backend/src/main/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsService.java b/backend/src/main/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsService.java index 74af45bd43..3a3f33cc69 100644 --- a/backend/src/main/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsService.java +++ b/backend/src/main/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsService.java 
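Review bot: `List.of(oktaClaims)` on the first added line throws NullPointerException when `oktaClaims` is null, and the line directly above wraps that same value in `Optional.ofNullable`, which suggests null is a real case; the diagnostic would then abort `consolidateUser` instead of logging. Build the argument null-safely, e.g. `oktaClaims == null ? List.of() : List.of(oktaClaims)`, and apply the same guard to the result of `getOrganizationRoleClaims(apiUser)` if that can be null (not visible here). The caller already holds `apiUser`, yet the mismatch path in DbOrgRoleClaimsService re-fetches the user by login email; passing the user, or its ID, would spare that query. Since the boolean result is discarded, a comment such as `// Diagnostic only: a mismatch is logged, the Okta-derived orgRoles above still apply` would make the intent explicit. `consolidateUser` begins before this hunk.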
@@ -67,7 +67,9 @@ public OrganizationRoleClaims getOrganizationRoleClaims(ApiUser user) { * @return boolean */ public boolean checkOrgRoleClaimsEquality( - List oktaClaims, List dbClaims) { + List oktaClaims, + List dbClaims, + String username) { boolean hasEqualRoleClaims = false; if (oktaClaims.size() == dbClaims.size()) { List sanitizedOktaClaims = sanitizeOktaOrgRoleClaims(oktaClaims); @@ -79,17 +81,18 @@ public boolean checkOrgRoleClaimsEquality( .anyMatch(dbClaim -> equalOrgRoleClaim(sanitizedOktaClaim, dbClaim))); } if (!hasEqualRoleClaims) { - logUnequalClaims(); + logUnequalClaims(username); } return hasEqualRoleClaims; } - /** Logs a message saying OrganizationRoleClaims are unequal with the affected User ID */ - private void logUnequalClaims() { - // WIP: Currently assumes check is for the current user - // This may change based on where checkOrgRoleClaimsEquality is called - String username = _getCurrentUser.get().getUsername(); + /** + * Logs a message saying OrganizationRoleClaims are unequal with the affected User ID * + * + * @param username - String user login email + */ + private void logUnequalClaims(String username) { ApiUser user = _userRepo.findByLoginEmail(username).orElseThrow(NonexistentUserException::new); log.error( "Okta OrganizationRoleClaims do not match database OrganizationRoleClaims for User ID: {}", diff --git a/backend/src/main/java/gov/cdc/usds/simplereport/service/LoggedInAuthorizationService.java b/backend/src/main/java/gov/cdc/usds/simplereport/service/LoggedInAuthorizationService.java index 932ef74191..60a82be40a 100644 --- a/backend/src/main/java/gov/cdc/usds/simplereport/service/LoggedInAuthorizationService.java +++ b/backend/src/main/java/gov/cdc/usds/simplereport/service/LoggedInAuthorizationService.java 
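Review bot: The method Javadoc, whose tail `* @return boolean */` is context just above the changed signature, gains no entry for the new parameter, and nothing in the visible body checks it. Add `* @param username - String user login email, used only to identify the user when a mismatch is logged` to the Javadoc, so callers know the value is not part of the comparison itself. The body of `checkOrgRoleClaimsEquality` continues past this hunk.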
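Review bot: `logUnequalClaims(String username)` still resolves the user with `_userRepo.findByLoginEmail(username).orElseThrow(NonexistentUserException::new)`, so a purely diagnostic call can now throw into its caller for any login email that has no database row — and this commit places those callers in `consolidateUser` and `findAllOrganizationRoles`, both on the authentication/authorization path. A logging helper should not fail the request: when the lookup is empty, log a separate error that still omits the email (the existing message logs an ID rather than the address, presumably to keep PII out of the logs) and return. The new Javadoc also has a stray trailing `*` on its first line, and it should say that `username` is trusted to be the subject of the comparison rather than the current user, which is what the removed WIP comment documented. The existing `log.error` call and the user identifier it prints are cut off at the end of the hunk, so they are left as they are below.
```java
private void logUnequalClaims(String username) {
  Optional<ApiUser> found = _userRepo.findByLoginEmail(username);
  if (found.isEmpty()) {
    // Keep the login email out of the log, as the existing message below does
    log.error("Okta OrganizationRoleClaims do not match database OrganizationRoleClaims for a user with no database record");
    return;
  }
  ApiUser user = found.get();
  // … unchanged: existing log.error with the user's ID …
}
```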
@@ -60,6 +60,8 @@ public List findAllOrganizationRoles() { String username = currentAuth.getName(); List dbOrgRoleClaims = _dbOrgRoleClaimsService.getOrganizationRoleClaims(username); + _dbOrgRoleClaimsService.checkOrgRoleClaimsEquality( + oktaOrgRoleClaims, dbOrgRoleClaims, username); if (_featureFlagsConfig.isOktaMigrationEnabled()) { return dbOrgRoleClaims; } diff --git a/backend/src/test/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsServiceTest.java b/backend/src/test/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsServiceTest.java index e089f7a12f..facb869c30 100644 --- a/backend/src/test/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsServiceTest.java +++ b/backend/src/test/java/gov/cdc/usds/simplereport/service/DbOrgRoleClaimsServiceTest.java @@ -125,9 +125,14 @@ void checkOrgRoleClaimsEquality_withIdenticalOrgRoleClaims_inDifferentOrder_isTr OrganizationRoleClaimsTestUtils.DB_ORG_EXTERNAL_ID, Set.of(OrganizationRole.ALL_FACILITIES, OrganizationRole.ADMIN)); + String username = "fakeuser@example.com"; + ApiUser mockApiUser = mock(ApiUser.class); + when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser)); assertTrue( _service.checkOrgRoleClaimsEquality( - List.of(secondOktaClaim, firstOktaClaim), List.of(firstDbClaim, secondDbClaim))); + List.of(secondOktaClaim, firstOktaClaim), + List.of(firstDbClaim, secondDbClaim), + "fakeuser@example.com")); } @Test 
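Review bot: The new `checkOrgRoleClaimsEquality(...)` call runs on every `findAllOrganizationRoles()` invocation with its boolean result discarded, so a reader may take it for enforcement; it only logs, and the `isOktaMigrationEnabled()` branch below still decides which claim set governs authorization. A comment above the call, `// Diagnostic only: logs an error when Okta and DB claims diverge; the feature flag below still selects the authoritative source`, would make that clear. Because the service's mismatch path (see the DbOrgRoleClaimsService hunk) looks the user up by email and throws `NonexistentUserException` when absent, this call can now fail the authorization lookup for a user present in Okta but not in the database, unless `getOrganizationRoleClaims(username)` already rejects such users (not visible here); if that is not intended, make the logging helper non-throwing or guard this call. `findAllOrganizationRoles` starts before this hunk and `oktaOrgRoleClaims` is defined outside it.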
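Review bot: The test declares `String username = "fakeuser@example.com"` and stubs the spy with it, but then passes the literal `"fakeuser@example.com"` to `checkOrgRoleClaimsEquality` instead of `username`, unlike the three sibling tests; use `username` so the stub and the call cannot drift apart. The stub is also unnecessary here: identical claims mean `logUnequalClaims` is never reached, so the stronger assertion is that the repository is not consulted, `verify(_apiUserRepoSpy, never()).findByLoginEmail(any());`. Since `_apiUserRepoSpy` is a spy, `when(spy.method(...))` calls through to the real repository during stubbing; `doReturn(Optional.of(mockApiUser)).when(_apiUserRepoSpy).findByLoginEmail(username);` avoids that where a stub is kept.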
@@ -146,7 +151,10 @@ void checkOrgRoleClaimsEquality_withDifferentRoleOrder_isTrue() { OrganizationRoleClaimsTestUtils.OKTA_ORG_EXTERNAL_ID, Set.of(OrganizationRole.ALL_FACILITIES, OrganizationRole.USER)); - assertTrue(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim))); + String username = "fakeuser@example.com"; + ApiUser mockApiUser = mock(ApiUser.class); + when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser)); + assertTrue(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim), username)); } @Test @@ -164,7 +172,11 @@ void checkOrgRoleClaimsEquality_withDifferentOrgClaims_isFalse() { Mockito.reset(_apiUserRepoSpy); - assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim))); + String username = "fakeuser@example.com"; + ApiUser mockApiUser = mock(ApiUser.class); + when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser)); + assertFalse( + _service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(dbClaim), username)); verify(_apiUserRepoSpy, times(1)).findByLoginEmail(any()); } @@ -176,7 +188,10 @@ void checkOrgRoleClaimsEquality_withDifferentOrgClaimsSize_isFalse() { OrganizationRoleClaimsTestUtils.OKTA_FACILITY_NAMES, Set.of(OrganizationRole.NO_ACCESS, OrganizationRole.USER)); - assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of())); + String username = "fakeuser@example.com"; + ApiUser mockApiUser = mock(ApiUser.class); + when(_apiUserRepoSpy.findByLoginEmail(username)).thenReturn(Optional.of(mockApiUser)); + assertFalse(_service.checkOrgRoleClaimsEquality(List.of(oktaClaim), List.of(), username)); } private OrganizationRoleClaims createClaimsForCreatedOrg(
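Review bot: This test expects equality (`assertTrue`), so the mismatch logger — and with it `findByLoginEmail` — should never run; the three added stub lines therefore have no effect and would hide a regression in which logging starts firing on equal claims. Drop the stub and assert the absence instead, `verify(_apiUserRepoSpy, never()).findByLoginEmail(any());`. If a stub is kept on the spy, prefer `doReturn(Optional.of(mockApiUser)).when(_apiUserRepoSpy).findByLoginEmail(username);`, since `when(spy.method())` invokes the real repository.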
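Review bot: The closing assertion `verify(_apiUserRepoSpy, times(1)).findByLoginEmail(any())` (context, last line of the hunk) no longer checks what this commit changes — that the lookup uses the `username` passed in rather than the current user — because `any()` also matches a lookup by some other email. Change it to `verify(_apiUserRepoSpy, times(1)).findByLoginEmail(username);`. A companion test with an unknown username, asserting `NonexistentUserException`, would pin the new parameter's failure mode, since the service now throws from its logging helper when the email has no row. The `Mockito.reset(_apiUserRepoSpy)` kept above presumably clears invocations from the fixture setup outside this hunk; it is still needed for the count to be meaningful.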
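Review bot: The three-line stub block (`String username = ...; ApiUser mockApiUser = mock(ApiUser.class); when(...)`) is now copied into four tests in this file; move it into a private helper such as `private void stubUserLookup(String username)` or a `@BeforeEach`, so the fixture changes in one place once `logUnequalClaims` stops looking the user up. This size-mismatch case only covers a non-empty Okta list against `List.of()`; the reverse, an empty Okta list against a non-empty DB list, is the other half of the size check and is worth a case of its own.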