Fetch group info for users from DB when oktaMigrationEnabled is true

[emyl3]

BACKEND PULL REQUEST

Related Issue

• Part of Initiate rolling migration, phase 2 #7598

Changes Proposed

• Regardless of oktaMigrationEnabled flag status, continue to update groups and roles in Okta
• When the oktaMigrationEnabled flag is set to true, read groups and roles from DB
• When the oktaMigrationEnabled flag is set to false, read groups and roles from Okta

Affected flows:

• adding org to queue (checking if the org is a duplicate)
• reprovisioning user
• updating user roles and privileges
• users graphql query (I don't think we are calling this on the frontend 🤔)
• verifying a pending organization
• getting org admin users
• confirmation modal when deleting a facility via site admin "Manage facility" tool (it displays how many users and patients are associated with only that facility)

Additional Information

• Separate tickets to address loading users with their status for the "Manage users" page

Testing

dev2 - oktaMigrationEnabled - true

• dev2 metabase link

dev3 - oktaMigrationEnabled - false

• dev3 metabase link to see roles and facilities at a glance

[emyl3]

⚠️ holding off on updating this until this is addressed #8103

Then, this will be updated in #8108

[emyl3]

⚠️ This else block changes the behavior of this method when the feature flag is enabled.

Previously, even if the org had no admin users this method would succeed

However, with this implementation if an org does not have an admin it will throw an exception.

Let me know if you think this should continue to have the same behavior as before. 🤔

[mpbrown]

I think this makes sense. Btw do we have any additional context on the comment on this method? Is this an old reference to some account request workflow that hasn't been implemented?

/**
   * This method is for verifying an organization after the Experian identity verification process.
   * It should not be used for any other purpose and once we move to the updated account request
   * workflow this should be removed.
   */
  @Transactional(readOnly = false)
  public String verifyOrganizationNoPermissions(String externalId) {

[emyl3]

That's a good question... Let me check that commit history in see if I can uncover anything... 🕵️

[emyl3]

This is the PR that introduced this change: #2096
I did a search in the repo and couldn't find any mention of a new or updated account request flow 🤔 so I'm not entirely sure what that comment is referencing....

[emyl3]

⚠️ Let me know if this makes sense to generate this count 🙏

[mehansen]

I think this will fix this bug #7873 🤩

[mpbrown]

Looks really great overall! Awesome work on this Elisa!

[mpbrown]

I think this makes sense. Btw do we have any additional context on the comment on this method? Is this an old reference to some account request workflow that hasn't been implemented?

/**
   * This method is for verifying an organization after the Experian identity verification process.
   * It should not be used for any other purpose and once we move to the updated account request
   * workflow this should be removed.
   */
  @Transactional(readOnly = false)
  public String verifyOrganizationNoPermissions(String externalId) {

[mpbrown]

Do we need to handle or otherwise flag if the org doesn't have any admins? (was thinking about no admin users after this comment)

[emyl3]

I think it's OK in this context because we are trying to check if the to-be-created new org might be a duplicate of another org. If there are no org admins in that duplicate org, it would throw the exception on line 155. Let me know what you think!

[bobbywells52]

Tested in dev2 and dev3 and is working as excepted -- LGTM! Thank you for you continued heavy effort on this big lift 🙌🏻

[emyl3]

@mpbrown @mehansen @DanielSass Ready for re-review! Changes have been redeployed to dev2 and dev3 respectively

[mpbrown]

LGTM on dev2 and dev3! Great work on this Elisa!

[mehansen]

looks great! I have some non-blocking naming nits but they are more personal preference so still approving

[mehansen]

I think this will fix this bug #7873 🤩

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
98.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[DanielSass]

Do we have users with more than one organization? I don't think we do, but do we know that for certain / are there guardrails in place to ensure that can't happen?

[DanielSass]

Everything looks good, thanks for pairing with me on the review @emyl3.
I think the only issues we noted were specific corner cases we need to make sure get included in the test plan.

Thanks for all your work on this