Merge pull request 'OZG-6179-HoeheresTrustLevelBeruecksichtigen' (#24) from...

Merge pull request 'OZG-6179-HoeheresTrustLevelBeruecksichtigen' (#24) from OZG-6179-HoeheresTrustLevelBeruecksichtigen into master

Reviewed-on: https://git.ozg-sh.de/ozgcloud-app/nachrichten-manager/pulls/24


Reviewed-by: OZGCloud <ozgcloud@mgm-tp.com>

nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/AntragraumService.java

@@ -34,7 +34,6 @@ import java.util.stream.Stream;
 import jakarta.annotation.PostConstruct;
 
 import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.opensaml.saml.saml2.core.Response;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -176,11 +175,11 @@ public class AntragraumService {
 	}
 
 	public boolean isAccessible(String samlToken, String trustLevel) {
-		return StringUtils.equals(getTrustLevel(samlToken), trustLevel);
+		return getTrustLevel(samlToken).getIntValue() >= TrustLevel.fromString(trustLevel).getIntValue();
 	}
 
-	String getTrustLevel(String samlToken) {
-		return decrypter.decryptTrustLevel(parseSamlToken(samlToken));
+	TrustLevel getTrustLevel(String samlToken) {
+		return TrustLevel.fromString(decrypter.decryptTrustLevel(parseSamlToken(samlToken)));
 	}
 
 	Response parseSamlToken(String samlToken) {

nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/TrustLevel.java

+package de.ozgcloud.nachrichten.antragraum;
+
+import java.util.Arrays;
+
+import lombok.Getter;
+
+@Getter
+enum TrustLevel {
+
+	LEVEL_1("STORK-QAA-Level-1"),
+	LEVEL_2("STORK-QAA-Level-2"),
+	LEVEL_3("STORK-QAA-Level-3"),
+	LEVEL_4("STORK-QAA-Level-4");
+
+	private final String value;
+	private final int intValue;
+
+	TrustLevel(String value) {
+		this.value = value;
+		this.intValue = extractIntValue();
+	}
+
+	private int extractIntValue() {
+		return Integer.parseInt(value.substring(value.length() - 1));
+	}
+
+	public static TrustLevel fromString(String value) {
+		return Arrays.stream(TrustLevel.values()).filter(trustLevel -> trustLevel.getValue().equals(value)).findFirst()
+				.orElseThrow(() -> new IllegalArgumentException("Unknown TrustLevel: '" + value + "'"));
+	}
+}
\ No newline at end of file

nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/AntragraumServiceTest.java

@@ -476,27 +476,29 @@ class AntragraumServiceTest {
 
 		@Test
 		void shouldCallGetTrustLevel() {
-			service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+			doReturn(TrustLevel.LEVEL_1).when(service).getTrustLevel(any());
+
+			service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getValue());
 
 			verify(service).getTrustLevel(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN);
 		}
 
 		@Test
 		void shouldReturnTrueIfTrustLevelMatches() {
-			doReturn(GrpcServiceKontoTestFactory.TRUST_LEVEL).when(service).getTrustLevel(any());
+			doReturn(TrustLevel.LEVEL_1).when(service).getTrustLevel(any());
 
-			var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+			var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getValue());
 
 			assertThat(trustLevel).isTrue();
 		}
 
 		@Test
-		void shouldReturnFalseIfTrustLevelNotMatches() {
-			doReturn("qutasch").when(service).getTrustLevel(any());
+		void shouldAllowAccessOnHigherTrustLevel() {
+			doReturn(TrustLevel.LEVEL_2).when(service).getTrustLevel(any());
 
-			var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+			var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getValue());
 
-			assertThat(trustLevel).isFalse();
+			assertThat(trustLevel).isTrue();
 		}
 	}
 
@@ -511,7 +513,7 @@ class AntragraumServiceTest {
 		void mock() {
 			doReturn(response).when(service).parseSamlToken(any());
 
-			when(decrypter.decryptTrustLevel(any())).thenReturn(GrpcServiceKontoTestFactory.TRUST_LEVEL);
+			when(decrypter.decryptTrustLevel(any())).thenReturn(TrustLevel.LEVEL_1.getValue());
 		}
 
 		@Test
@@ -532,7 +534,7 @@ class AntragraumServiceTest {
 		void shouldReturnValue() {
 			var trustLevel = service.getTrustLevel(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN);
 
-			assertThat(trustLevel).isEqualTo(GrpcServiceKontoTestFactory.TRUST_LEVEL);
+			assertThat(trustLevel).isEqualTo(TrustLevel.LEVEL_1);
 		}
 	}
 

nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/TrustLevelTest.java

+package de.ozgcloud.nachrichten.antragraum;
+
+import static org.assertj.core.api.Assertions.*;
+
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+
+class TrustLevelTest {
+
+	@DisplayName("From string")
+	@Nested
+	class TestFromString {
+
+		@DisplayName("should return TrustLevel if value matches with existing")
+		@Test
+		void shouldReturnTrustLevel() {
+			var trustLevelValue = "STORK-QAA-Level-2";
+
+			var trustLevel = TrustLevel.fromString(trustLevelValue);
+
+			assertThat(trustLevel.getValue()).isEqualTo(trustLevelValue);
+		}
+
+		@Test
+		void shouldThrowExceptionIfValueNotMatches() {
+			var trustLevelValue = "quatsch";
+
+			assertThatThrownBy(() -> TrustLevel.fromString(trustLevelValue)).isInstanceOf(IllegalArgumentException.class);
+		}
+	}
+}