OZG-6179 allow access on higher trust level

nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/AntragraumService.java

@@ -34,7 +34,6 @@ import java.util.stream.Stream;
 import jakarta.annotation.PostConstruct;
 
 import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.opensaml.saml.saml2.core.Response;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -176,7 +175,15 @@ public class AntragraumService {
 	}
 
 	public boolean isAccessible(String samlToken, String trustLevel) {
-		return StringUtils.equals(getTrustLevel(samlToken), trustLevel);
+		try {
+			int vorgangTrustLevel = TrustLevel.fromString(trustLevel).getLevelValue();
+			int tokenTrustLevel = TrustLevel.fromString(getTrustLevel(samlToken)).getLevelValue();
+			return tokenTrustLevel >= vorgangTrustLevel;
+
+		} catch (Exception e) {
+			LOG.error(String.format("Unknown TrustLevel '%s', access denied.", trustLevel));
+			return false;
+		}
 	}
 
 	String getTrustLevel(String samlToken) {

nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/TrustLevel.java

+package de.ozgcloud.nachrichten.antragraum;
+
+import java.util.Arrays;
+
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+
+@RequiredArgsConstructor
+enum TrustLevel {
+
+	LEVEL_1("STORK-QAA-Level-1"),
+	LEVEL_2("STORK-QAA-Level-2"),
+	LEVEL_3("STORK-QAA-Level-3"),
+	LEVEL_4("STORK-QAA-Level-4");
+
+	@Getter
+	private final String name;
+
+	public int getLevelValue() {
+		return Integer.parseInt(name.substring(name.length() - 1, name.length()));
+	}
+
+	public static TrustLevel fromString(String name) {
+		return Arrays.stream(TrustLevel.values()).filter(trustLevel -> trustLevel.getName().equals(name)).findFirst().orElse(null);
+	}
+}

nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/AntragraumServiceTest.java

@@ -476,16 +476,16 @@ class AntragraumServiceTest {
 
 		@Test
 		void shouldCallGetTrustLevel() {
-			service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+			service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
 
 			verify(service).getTrustLevel(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN);
 		}
 
 		@Test
 		void shouldReturnTrueIfTrustLevelMatches() {
-			doReturn(GrpcServiceKontoTestFactory.TRUST_LEVEL).when(service).getTrustLevel(any());
+			doReturn(TrustLevel.LEVEL_1.getName()).when(service).getTrustLevel(any());
 
-			var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+			var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
 
 			assertThat(trustLevel).isTrue();
 		}
@@ -494,10 +494,19 @@ class AntragraumServiceTest {
 		void shouldReturnFalseIfTrustLevelNotMatches() {
 			doReturn("qutasch").when(service).getTrustLevel(any());
 
-			var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+			var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
 
 			assertThat(trustLevel).isFalse();
 		}
+
+		@Test
+		void shouldAllowAccessOnHigherTrustLevel() {
+			doReturn(TrustLevel.LEVEL_2.getName()).when(service).getTrustLevel(any());
+
+			var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
+
+			assertThat(trustLevel).isTrue();
+		}
 	}
 
 	@DisplayName("Get trustLevel")