CDCgov · emyl3 · Aug 29, 2024 · Aug 27, 2024 · emyl3 · Aug 28, 2024
diff --git a/...c/main/java/gov/cdc/usds/simplereport/config/authorization/UserAuthorizationVerifier.java b/...c/main/java/gov/cdc/usds/simplereport/config/authorization/UserAuthorizationVerifier.java
@@ -5,6 +5,7 @@
 import gov.cdc.usds.simplereport.api.model.errors.NonexistentUserException;
 import gov.cdc.usds.simplereport.api.model.errors.UnidentifiedUserException;
 import gov.cdc.usds.simplereport.config.AuthorizationConfiguration;
+import gov.cdc.usds.simplereport.config.FeatureFlagsConfig;
 import gov.cdc.usds.simplereport.db.model.ApiUser;
 import gov.cdc.usds.simplereport.db.model.Facility;
 import gov.cdc.usds.simplereport.db.model.Organization;
@@ -57,6 +58,7 @@ public class UserAuthorizationVerifier {
   private final OktaRepository _oktaRepo;
   private final AuthorizationService _authService;
   private final CurrentAccountRequestContextHolder _contextHolder;
+  private final FeatureFlagsConfig _featureFlagsConfig;
 
   public boolean userHasSiteAdminRole() {
     return _authService.isSiteAdmin();
@@ -99,11 +101,16 @@ public boolean userHasPermission(UserPermission permission) {
 
   public boolean userIsInSameOrg(UUID userId) {
     Optional<OrganizationRoles> currentOrgRoles = _orgService.getCurrentOrganizationRoles();
-    String otherUserEmail = getUser(userId).getLoginEmail();
+    ApiUser otherUser = getUser(userId);
+    String otherUserEmail = otherUser.getLoginEmail();
     Optional<Organization> otherOrg =
         _oktaRepo
             .getOrganizationRoleClaimsForUser(otherUserEmail)
             .map(r -> _orgService.getOrganization(r.getOrganizationExternalId()));
+    if (_featureFlagsConfig.isOktaMigrationEnabled()) {
+      otherOrg = otherUser.getOrganizations().stream().findFirst();
+    }
+
     return currentOrgRoles.isPresent()
         && otherOrg.isPresent()
         && currentOrgRoles

diff --git a/...st/java/gov/cdc/usds/simplereport/config/authorization/UserAuthorizationVerifierTest.java b/...st/java/gov/cdc/usds/simplereport/config/authorization/UserAuthorizationVerifierTest.java
@@ -0,0 +1,108 @@
+package gov.cdc.usds.simplereport.config.authorization;
+
+import static gov.cdc.usds.simplereport.test_util.TestUserIdentities.ALL_FACILITIES_USER;
+import static gov.cdc.usds.simplereport.test_util.TestUserIdentities.OTHER_ORG_ADMIN;
+import static gov.cdc.usds.simplereport.test_util.TestUserIdentities.OTHER_ORG_USER;
+import static gov.cdc.usds.simplereport.test_util.TestUserIdentities.STANDARD_USER;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import gov.cdc.usds.simplereport.config.FeatureFlagsConfig;
+import gov.cdc.usds.simplereport.db.model.ApiUser;
+import gov.cdc.usds.simplereport.db.repository.ApiUserRepository;
+import gov.cdc.usds.simplereport.service.BaseServiceTest;
+import gov.cdc.usds.simplereport.test_util.SliceTestConfiguration;
+import java.util.Optional;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.boot.test.mock.mockito.SpyBean;
+import org.springframework.test.context.TestPropertySource;
+
+@TestPropertySource(properties = {"spring.jpa.properties.hibernate.enable_lazy_load_no_trans=true"})
+class UserAuthorizationVerifierTest extends BaseServiceTest<UserAuthorizationVerifier> {
+  @Autowired @SpyBean ApiUserRepository _apiUserRepo;
+  @MockBean FeatureFlagsConfig _featureFlagsConfig;
+
+  @BeforeEach
+  public void setup() {
+    initSampleData();
+  }
+
+  @Test
+  @SliceTestConfiguration.WithSimpleReportOrgAdminUser
+  void userIsInSameOrg_whenOktaMigrationDisabled_forUsersInSameOrg_returnsTrue() {
+    // GIVEN
+    when(_featureFlagsConfig.isOktaMigrationEnabled()).thenReturn(false);
+    ApiUser user = _apiUserRepo.findByLoginEmail(ALL_FACILITIES_USER).get();
+    ApiUser userSpy = spy(user);
+    when(_apiUserRepo.findByIdIncludeArchived(user.getInternalId()))
+        .thenReturn(Optional.of(userSpy));
+
+    // WHEN
+    boolean isSameOrg = _service.userIsInSameOrg(user.getInternalId());
+
+    // THEN
+    verify(userSpy, times(0)).getOrganizations();
+    assertTrue(isSameOrg);
+  }
+
+  @Test
+  @SliceTestConfiguration.WithSimpleReportOrgAdminUser
+  void userIsInSameOrg_whenOktaMigrationDisabled_forUsersInDifferentOrgs_returnsFalse() {
+    // GIVEN
+    when(_featureFlagsConfig.isOktaMigrationEnabled()).thenReturn(false);
+    ApiUser user = _apiUserRepo.findByLoginEmail(OTHER_ORG_USER).get();
+    ApiUser userSpy = spy(user);
+    when(_apiUserRepo.findByIdIncludeArchived(user.getInternalId()))
+        .thenReturn(Optional.of(userSpy));
+
+    // WHEN
+    boolean isSameOrg = _service.userIsInSameOrg(user.getInternalId());
+
+    // THEN
+    verify(userSpy, times(0)).getOrganizations();
+    assertFalse(isSameOrg);
+  }
+
+  @Test
+  @SliceTestConfiguration.WithSimpleReportOrgAdminUser
+  void userIsInSameOrg_whenOktaMigrationEnabled_forUsersInSameOrg_returnsTrue() {
+    // GIVEN
+    when(_featureFlagsConfig.isOktaMigrationEnabled()).thenReturn(true);
+    ApiUser user = _apiUserRepo.findByLoginEmail(STANDARD_USER).get();
+    ApiUser userSpy = spy(user);
+    when(_apiUserRepo.findByIdIncludeArchived(user.getInternalId()))
+        .thenReturn(Optional.of(userSpy));
+
+    // WHEN
+    boolean isSameOrg = _service.userIsInSameOrg(user.getInternalId());
+
+    // THEN
+    verify(userSpy, times(1)).getOrganizations();
+    assertTrue(isSameOrg);
+  }
+
+  @Test
+  @SliceTestConfiguration.WithSimpleReportEntryOnlyUser
+  void userIsInSameOrg_whenOktaMigrationEnabled_forUsersInDifferentOrgs_returnsFalse() {
+    // GIVEN
+    when(_featureFlagsConfig.isOktaMigrationEnabled()).thenReturn(true);
+    ApiUser user = _apiUserRepo.findByLoginEmail(OTHER_ORG_ADMIN).get();
+    ApiUser userSpy = spy(user);
+    when(_apiUserRepo.findByIdIncludeArchived(user.getInternalId()))
+        .thenReturn(Optional.of(userSpy));
+
+    // WHEN
+    boolean isSameOrg = _service.userIsInSameOrg(user.getInternalId());
+
+    // THEN
+    verify(userSpy, times(1)).getOrganizations();
+    assertFalse(isSameOrg);
+  }
+}