diff --git a/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/AntragraumService.java b/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/AntragraumService.java
index b7ae839cb454017adc22bd543228b1afe1d1e0da..d1bab443e33d93f8a1f0db7ef416a31818d0e647 100644
--- a/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/AntragraumService.java
+++ b/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/AntragraumService.java
@@ -34,7 +34,6 @@ import java.util.stream.Stream;
 import jakarta.annotation.PostConstruct;
 import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.opensaml.saml.saml2.core.Response;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -176,7 +175,15 @@ public class AntragraumService {
 }
 public boolean isAccessible(String samlToken, String trustLevel) {
- return StringUtils.equals(getTrustLevel(samlToken), trustLevel);
+ try {
+ int vorgangTrustLevel = TrustLevel.fromString(trustLevel).getLevelValue();
+ int tokenTrustLevel = TrustLevel.fromString(getTrustLevel(samlToken)).getLevelValue();
+ return tokenTrustLevel >= vorgangTrustLevel;
+
+ } catch (Exception e) {
+ LOG.error(String.format("Unknown TrustLevel '%s', access denied.", trustLevel));
+ return false;
+ }
 }
 String getTrustLevel(String samlToken) {
diff --git a/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/TrustLevel.java b/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/TrustLevel.java
new file mode 100644
index 0000000000000000000000000000000000000000..93f0dcc996e967f6b7e1f31a079a55ac35f97a5c
--- /dev/null
+++ b/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/TrustLevel.java
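Review bot: In isAccessible, `catch (Exception e)` turns the `null` that TrustLevel.fromString returns for an unrecognised name into an NPE-driven control path, and the log line then reports `trustLevel` even when the value that failed to parse was the one read from the SAML token, so the operator is shown the wrong string; the caught exception is not handed to the logger either. Because the catch also covers anything thrown by getTrustLevel (whose body continues outside the hunk), a token-parsing failure is reported as an unknown trust level. Failing closed is the right outcome, but the two lookups should be checked explicitly so each denial logs the value that actually caused it, as sketched below. Whether LOG accepts `{}` placeholders is not visible here, so the sketch keeps the String.format style of the hunk.
```java
public boolean isAccessible(String samlToken, String trustLevel) {
	var requiredLevel = TrustLevel.fromString(trustLevel);
	if (requiredLevel == null) {
		LOG.error(String.format("Unknown required TrustLevel '%s', access denied.", trustLevel));
		return false;
	}
	var tokenLevelName = getTrustLevel(samlToken);
	var tokenLevel = TrustLevel.fromString(tokenLevelName);
	if (tokenLevel == null) {
		LOG.warn(String.format("Unknown TrustLevel '%s' in SAML token, access denied.", tokenLevelName));
		return false;
	}
	return tokenLevel.getLevelValue() >= requiredLevel.getLevelValue();
}
```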
@@ -0,0 +1,26 @@
+package de.ozgcloud.nachrichten.antragraum;
+
+import java.util.Arrays;
+
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+
+@RequiredArgsConstructor
+enum TrustLevel {
+
+ LEVEL_1("STORK-QAA-Level-1"),
+ LEVEL_2("STORK-QAA-Level-2"),
+ LEVEL_3("STORK-QAA-Level-3"),
+ LEVEL_4("STORK-QAA-Level-4");
+
+ @Getter
+ private final String name;
+
+ public int getLevelValue() {
+ return Integer.parseInt(name.substring(name.length() - 1, name.length()));
+ }
+
+ public static TrustLevel fromString(String name) {
+ return Arrays.stream(TrustLevel.values()).filter(trustLevel -> trustLevel.getName().equals(name)).findFirst().orElse(null);
+ }
+}
diff --git a/nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/AntragraumServiceTest.java b/nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/AntragraumServiceTest.java
index 1b0bd3f3c2168126a21ebdb75a118626394eaf99..7f2429645baddea707fa064b6767dc96b1c19544 100644
--- a/nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/AntragraumServiceTest.java
+++ b/nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/AntragraumServiceTest.java
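Review bot: getLevelValue derives the ordering that isAccessible compares on from the last character of the SAML name string, so an authorization decision silently depends on the spelling of the constants; a typo in a name or a future two-digit level would change the result with no compile error. Store the numeric level as a second enum field and let Lombok generate the getter, as below. The field named `name` is also easy to confuse with the built-in `Enum.name()` (which yields `LEVEL_1`, not `STORK-QAA-Level-1`); a field name such as `samlName` would keep the two apart. fromString could return `Optional<TrustLevel>` by dropping `.orElse(null)` and returning `findFirst()` directly, which would spare the caller a null check.
```java
@RequiredArgsConstructor
enum TrustLevel {

	LEVEL_1("STORK-QAA-Level-1", 1),
	LEVEL_2("STORK-QAA-Level-2", 2),
	LEVEL_3("STORK-QAA-Level-3", 3),
	LEVEL_4("STORK-QAA-Level-4", 4);

	@Getter
	private final String name;
	@Getter
	private final int levelValue;

	// … unchanged: fromString …
}
```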
@@ -476,16 +476,16 @@ class AntragraumServiceTest {
 @Test
 void shouldCallGetTrustLevel() {
- service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+ service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
 verify(service).getTrustLevel(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN);
 }
 @Test
 void shouldReturnTrueIfTrustLevelMatches() {
- doReturn(GrpcServiceKontoTestFactory.TRUST_LEVEL).when(service).getTrustLevel(any());
+ doReturn(TrustLevel.LEVEL_1.getName()).when(service).getTrustLevel(any());
- var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+ var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
 assertThat(trustLevel).isTrue();
 }
@@ -494,10 +494,19 @@ class AntragraumServiceTest {
 void shouldReturnFalseIfTrustLevelNotMatches() {
 doReturn("qutasch").when(service).getTrustLevel(any());
- var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+ var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
 assertThat(trustLevel).isFalse();
 }
+
+ @Test
+ void shouldAllowAccessOnHigherTrustLevel() {
+ doReturn(TrustLevel.LEVEL_2.getName()).when(service).getTrustLevel(any());
+
+ var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
+
+ assertThat(trustLevel).isTrue();
+ }
 }
 @DisplayName("Get trustLevel")
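Review bot: The new shouldAllowAccessOnHigherTrustLevel only covers a token above the required level; there is no test for a token below it, which is the denial path that matters for authorization, and shouldReturnFalseIfTrustLevelNotMatches now exercises the unknown-name branch with `qutasch` rather than a genuine lower level. Add a counterpart like the one below, and a test passing an unrecognised required trustLevel argument so the catch branch in isAccessible is pinned as well.
```java
@Test
void shouldDenyAccessOnLowerTrustLevel() {
	doReturn(TrustLevel.LEVEL_1.getName()).when(service).getTrustLevel(any());

	var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_2.getName());

	assertThat(trustLevel).isFalse();
}
```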