
Log error if Okta and DB role claims unequal #8182

Open
wants to merge 1 commit into main

Conversation

emyl3
Collaborator

@emyl3 emyl3 commented Oct 9, 2024

BACKEND PULL REQUEST

Related Issue

Changes Proposed

  • Compare role claims in the DB and Okta and log an error if they are unequal for the following scenarios:
    • call getUser method
    • call getUserByLoginEmail method
    • when we set the organizationRolesContext

Additional Information

Testing

  • deployed on dev3 with the feature flag on
  • Removed the following group in Okta for this user [email protected] on dev3:
    • SR-DEV3-TENANT:AK-Bobans-org-5145a894-3be7-45ea-a5a1-79895df0352c:ALL_FACILITIES
    • searched the user in the "Manage users" support admin tool
    • logged here in Azure (attached image: Screenshot 2024-10-11 at 13 35 15)
  • log in as a non-site admin user on the envs above and navigate around the app
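The PR describes comparing the role claims held in the DB with those coming from Okta and logging an error when they differ. The following is an added illustration of that kind of check, written for this page and not taken from the PR or its codebase: the `RoleClaim` record, its field names, and the `compare`/`checkAndLog` method names are assumptions standing in for the project's `OrganizationRoleClaims` and `checkOrgRoleClaimsEquality`. It normalizes each claim to a canonical string so list ordering cannot produce false mismatches, reports which claims exist on only one side, and never throws, so a failed comparison cannot break the role lookup it is attached to.

```java
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.logging.Logger;
import java.util.stream.Collectors;

// Hypothetical stand-in for the project's OrganizationRoleClaims (field names are assumptions):
// the org identifier, the set of role names granted in that org, and whether the grant
// covers all facilities of the org.
record RoleClaim(String orgExternalId, Set<String> roles, boolean allFacilities) {}

public class RoleClaimsEqualityCheck {
  private static final Logger LOG = Logger.getLogger(RoleClaimsEqualityCheck.class.getName());

  /** Claims present in only one source; both lists empty means the sources agree. */
  public record Diff(List<String> onlyInOkta, List<String> onlyInDb) {
    public boolean isEqual() {
      return onlyInOkta.isEmpty() && onlyInDb.isEmpty();
    }
  }

  // One canonical string per claim, with roles sorted, so neither the order of the
  // claims nor the order of roles inside a claim affects the comparison.
  private static String canonical(RoleClaim c) {
    String roles = c.roles().stream().sorted().collect(Collectors.joining(","));
    String scope = c.allFacilities() ? "ALL_FACILITIES" : "FACILITY_SUBSET";
    return c.orgExternalId() + "|" + roles + "|" + scope;
  }

  /** Set-based comparison of the two sources; returns what is missing on each side. */
  public static Diff compare(Collection<RoleClaim> oktaClaims, Collection<RoleClaim> dbClaims) {
    Set<String> okta = oktaClaims.stream()
        .map(RoleClaimsEqualityCheck::canonical)
        .collect(Collectors.toCollection(TreeSet::new));
    Set<String> db = dbClaims.stream()
        .map(RoleClaimsEqualityCheck::canonical)
        .collect(Collectors.toCollection(TreeSet::new));
    List<String> onlyOkta = okta.stream().filter(c -> !db.contains(c)).toList();
    List<String> onlyDb = db.stream().filter(c -> !okta.contains(c)).toList();
    return new Diff(onlyOkta, onlyDb);
  }

  /**
   * Logs an error naming the user and the drifted claims when the sources disagree.
   * Deliberately has no side effect other than the log line: the caller's role lookup
   * proceeds on the DB/Okta data it already has, so a comparison problem cannot lock
   * a user out or alter authorization.
   */
  public static boolean checkAndLog(String username, Collection<RoleClaim> okta, Collection<RoleClaim> db) {
    Diff d = compare(okta, db);
    if (!d.isEqual()) {
      LOG.severe(() -> String.format(
          "Role claim mismatch for user %s: onlyInOkta=%s onlyInDb=%s",
          username, d.onlyInOkta(), d.onlyInDb()));
    }
    return d.isEqual();
  }

  public static void main(String[] args) {
    // Constructed sample input mirroring the manual test in the PR description: the
    // ALL_FACILITIES grant for one org has been removed in Okta but still exists in the DB.
    RoleClaim dbGrant = new RoleClaim("AK-Bobans-org-5145a894-3be7-45ea-a5a1-79895df0352c",
        Set.of("ADMIN", "USER"), true);
    RoleClaim oktaGrant = new RoleClaim("AK-Bobans-org-5145a894-3be7-45ea-a5a1-79895df0352c",
        Set.of("USER", "ADMIN"), false);

    boolean equal = checkAndLog("[email protected]", List.of(oktaGrant), List.of(dbGrant));
    System.out.println("claims equal: " + equal);          // false: scope differs

    // Same roles listed in a different order must compare equal.
    RoleClaim reordered = new RoleClaim(dbGrant.orgExternalId(), Set.of("USER", "ADMIN"), true);
    System.out.println("reordered equal: " + checkAndLog("[email protected]", List.of(reordered), List.of(dbGrant)));
  }
}
```

Requires Java 17 or later (records, `Stream.toList()`). The `Diff` returned by `compare` is what a unit test would assert on, leaving the log call as the only observable side effect of `checkAndLog`.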


sonarcloud bot commented Oct 11, 2024

@@ -60,6 +60,8 @@ public List<OrganizationRoleClaims> findAllOrganizationRoles() {
String username = currentAuth.getName();
List<OrganizationRoleClaims> dbOrgRoleClaims =
_dbOrgRoleClaimsService.getOrganizationRoleClaims(username);
_dbOrgRoleClaimsService.checkOrgRoleClaimsEquality(
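Review bot: `_dbOrgRoleClaimsService.checkOrgRoleClaimsEquality(` runs inside `findAllOrganizationRoles()`, so the comparison executes on every refresh of the roles context; given the author's observation that this path fires repeatedly at login and page load, consider gating the call behind the feature flag or comparing once per session to avoid redundant work and duplicate error logs for the same mismatch. The hunk is cut off after the opening parenthesis, so the arguments and any exception handling are not visible; please confirm that a failure inside the equality check (for example, an unavailable claims source) is caught and logged rather than propagated, since this method is on the authorization path.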
Collaborator Author


⚠️ Anyone know how often we reset organizationRolesContext and have to fetch it again? 🤔

Based on digging around in Azure, it seems like on initial log in and page load fetchCurrentOrganizationRoles (which is the only method that calls findAllOrganizationRoles) is called a bunch of times and then not again for 20-30 mins or so...

I'm asking because I'm wondering if we are doing the check too frequently if I set the check at this point. 🤔

@@ -159,7 +159,7 @@ void getUser_withAdminUser_withOktaMigrationDisabled_success() {

UserInfo userInfo = _service.getUser(apiUser.getInternalId());

verify(_dbOrgRoleClaimsService, times(0)).getOrganizationRoleClaims((ApiUser) any());
verify(_dbOrgRoleClaimsService, times(1)).getOrganizationRoleClaims((ApiUser) any());
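Review bot: changing `times(0)` to `times(1)` on `getOrganizationRoleClaims((ApiUser) any())` in `getUser_withAdminUser_withOktaMigrationDisabled_success` encodes that the DB is now queried even when the Okta migration flag is off, but nothing in the test explains why; add a short comment stating that the claims comparison needs the DB side regardless of the flag, so the next reader does not treat the extra call as a regression. Consider also asserting that the equality check was invoked (and that no error is logged when the two sources agree), since that behaviour is the point of the change and is currently untested here.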
Collaborator Author


⚠️ Had to increment by 1 in this test file because of how we are comparing the role claims -- we fetch from the DB regardless of whether the feature flag is on or off.

@emyl3 emyl3 marked this pull request as ready for review October 12, 2024 00:18
Successfully merging this pull request may close these issues.

Initiate rolling migration, phase 2