Log error if Okta and DB role claims unequal

[emyl3]

BACKEND PULL REQUEST

Related Issue

• FINALLY resolves Initiate rolling migration, phase 2 #7598 😭 🙌 🎉

Changes Proposed

• Compare role claims in the DB and Okta and log an error if they are unequal for the following scenarios:
  • call getUser method
  • call getUserByLoginEmail method
  • when we set the organizationRolesContext

Additional Information

• Two other issues were open related to finishing up issue Initiate rolling migration, phase 2 #7598
  • Adding a daily alert Create a daily PagerDuty alert for when org role claims are unequal #8181
  • Enabling the feature flag on certain dev envs Enable oktaMigrationEnabled for certain dev envs for testing #8180

Testing

• deployed on dev3 with the feature flag on
• Removed the following group in Okta for this user [email protected] on dev3:
  • SR-DEV3-TENANT:AK-Bobans-org-5145a894-3be7-45ea-a5a1-79895df0352c:ALL_FACILITIES
  • searched the user in the "Manage users" support admin tool
  • logged here in Azure

• log in as a non-site admin user on the envs above and navigate around the app

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[emyl3]

⚠️ Anyone know how often we reset organizationRolesContext and have to fetch it again? 🤔

Based on digging around in Azure, it seems like on initial log in and page load fetchCurrentOrganizationRoles (which is the only method that calls findAllOrganizationRoles is called a bunch of times and then not again for 20-30 mins or so...

I'm asking because I'm wondering if we are doing the check too frequently if I set the check at this point. 🤔

[DanielSass]

Don't know off the top of my head. And not sure if the better place to look would be spring docs or okta's 🤔

[mehansen]

does this line mean that the context is only valid for a single request? if so it seems like it would need to be refetched any time we are handling a new request that needs the current org roles

prime-simplereport/backend/src/main/java/gov/cdc/usds/simplereport/api/CurrentOrganizationRolesContextHolder.java

Line 11 in f800b08

@Scope(scopeName = WebApplicationContext.SCOPE_REQUEST, proxyMode = ScopedProxyMode.TARGET_CLASS)

[mehansen]

fwiw since we are condensing the logs into a single alert per day (?) it doesn't seem that harmful if we are logging frequently. though it may be a little bit of a pain to parse through the log lines later I don't see a super simple alternative 🤷

[emyl3]

Thank you for digging into that @mehansen. Based on what you shared, I'm surprised I didn't see it log more frequently when testing. 🤷 After I merge, I'll keep on eye on prod and the logs...

[emyl3]

⚠️ Had to increment by 1 in this test file because of how we are comparing the role claims -- we fetch from the DB regardless of whether the feature flag is on or off.

[DanielSass]

lgtm

[mpbrown]

LGTM! Great work on this Elisa!