From b45150dc972eec2031715ad6a405635e0870b77e Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Tue, 6 Aug 2024 11:12:23 +0200
Subject: [PATCH] OZG-6179 allow access on higher trust level
---
 .../antragraum/AntragraumService.java | 11 ++++++--
 .../nachrichten/antragraum/TrustLevel.java | 26 +++++++++++++++++++
 .../antragraum/AntragraumServiceTest.java | 17 +++++++++---
 3 files changed, 48 insertions(+), 6 deletions(-)
 create mode 100644 nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/TrustLevel.java
diff --git a/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/AntragraumService.java b/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/AntragraumService.java
index b7ae839..d1bab44 100644
--- a/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/AntragraumService.java
+++ b/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/AntragraumService.java
@@ -34,7 +34,6 @@ import java.util.stream.Stream;
 import jakarta.annotation.PostConstruct;
 import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.opensaml.saml.saml2.core.Response;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -176,7 +175,15 @@ public class AntragraumService {
 }
 public boolean isAccessible(String samlToken, String trustLevel) {
- return StringUtils.equals(getTrustLevel(samlToken), trustLevel);
+ try {
+ int vorgangTrustLevel = TrustLevel.fromString(trustLevel).getLevelValue();
+ int tokenTrustLevel = TrustLevel.fromString(getTrustLevel(samlToken)).getLevelValue();
+ return tokenTrustLevel >= vorgangTrustLevel;
+
+ } catch (Exception e) {
+ LOG.error(String.format("Unknown TrustLevel '%s', access denied.", trustLevel));
+ return false;
+ }
 }
 String getTrustLevel(String samlToken) {
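Review bot: In isAccessible the catch-all turns every failure into `Unknown TrustLevel '<trustLevel>'`, which misattributes the cause whenever it is the token's level returned by getTrustLevel that fromString could not resolve, and it drops `e`, so a genuine failure inside getTrustLevel (whose body continues outside the hunk) is logged with no stack trace. Unrecognised levels are also only detected through the NullPointerException that fromString's null return provokes on `.getLevelValue()`. The fail-closed result is the right outcome; resolving both levels explicitly and denying on either null keeps it, produces an accurate log line, and leaves any exception thrown by getTrustLevel visible. If getTrustLevel is expected to throw for malformed tokens, wrap only that call and pass `e` to the logger rather than discarding it.
```java
public boolean isAccessible(String samlToken, String trustLevel) {
    TrustLevel requiredLevel = TrustLevel.fromString(trustLevel);
    String tokenLevelName = getTrustLevel(samlToken);
    TrustLevel tokenLevel = TrustLevel.fromString(tokenLevelName);
    if (requiredLevel == null || tokenLevel == null) {
        // deny on any unresolvable level; log both sides so the log names the actual culprit
        LOG.error(String.format("Unknown TrustLevel (required '%s', token '%s'), access denied.", trustLevel, tokenLevelName));
        return false;
    }
    return tokenLevel.getLevelValue() >= requiredLevel.getLevelValue();
}
```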
diff --git a/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/TrustLevel.java b/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/TrustLevel.java
new file mode 100644
index 0000000..93f0dcc
--- /dev/null
+++ b/nachrichten-manager-server/src/main/java/de/ozgcloud/nachrichten/antragraum/TrustLevel.java
@@ -0,0 +1,26 @@
+package de.ozgcloud.nachrichten.antragraum;
+
+import java.util.Arrays;
+
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+
+@RequiredArgsConstructor
+enum TrustLevel {
+
+ LEVEL_1("STORK-QAA-Level-1"),
+ LEVEL_2("STORK-QAA-Level-2"),
+ LEVEL_3("STORK-QAA-Level-3"),
+ LEVEL_4("STORK-QAA-Level-4");
+
+ @Getter
+ private final String name;
+
+ public int getLevelValue() {
+ return Integer.parseInt(name.substring(name.length() - 1, name.length()));
+ }
+
+ public static TrustLevel fromString(String name) {
+ return Arrays.stream(TrustLevel.values()).filter(trustLevel -> trustLevel.getName().equals(name)).findFirst().orElse(null);
+ }
+}
diff --git a/nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/AntragraumServiceTest.java b/nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/AntragraumServiceTest.java
index 1b0bd3f..7f24296 100644
--- a/nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/AntragraumServiceTest.java
+++ b/nachrichten-manager-server/src/test/java/de/ozgcloud/nachrichten/antragraum/AntragraumServiceTest.java
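Review bot: getLevelValue derives the rank that the access decision compares from the last character of the SAML attribute string, so a level whose name does not end in its digit, or a two-digit level, would silently reorder or break the comparison; the rank should be an explicit constructor argument rather than parsed out of the name. The Lombok-generated `getName()` also sits beside the enum's built-in `name()` (`LEVEL_1`), which invites mix-ups in callers; a field name such as `samlName` would avoid that. fromString returning null for unknown input pushes the error into the caller as a NullPointerException; `Optional<TrustLevel>` would make the unknown case explicit, with isAccessible adjusted to treat an empty result as denied.
```java
@RequiredArgsConstructor
enum TrustLevel {

    LEVEL_1("STORK-QAA-Level-1", 1),
    LEVEL_2("STORK-QAA-Level-2", 2),
    LEVEL_3("STORK-QAA-Level-3", 3),
    LEVEL_4("STORK-QAA-Level-4", 4);

    @Getter
    private final String name;
    // explicit rank for the "at least this level" comparison; not derived from the name
    @Getter
    private final int levelValue;

    // … unchanged: fromString …
}
```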
@@ -476,16 +476,16 @@ class AntragraumServiceTest {
 @Test
 void shouldCallGetTrustLevel() {
- service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+ service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
 verify(service).getTrustLevel(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN);
 }
 @Test
 void shouldReturnTrueIfTrustLevelMatches() {
- doReturn(GrpcServiceKontoTestFactory.TRUST_LEVEL).when(service).getTrustLevel(any());
+ doReturn(TrustLevel.LEVEL_1.getName()).when(service).getTrustLevel(any());
- var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+ var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
 assertThat(trustLevel).isTrue();
 }
@@ -494,10 +494,19 @@ class AntragraumServiceTest {
 void shouldReturnFalseIfTrustLevelNotMatches() {
 doReturn("qutasch").when(service).getTrustLevel(any());
- var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, GrpcServiceKontoTestFactory.TRUST_LEVEL);
+ var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
 assertThat(trustLevel).isFalse();
 }
+
+ @Test
+ void shouldAllowAccessOnHigherTrustLevel() {
+ doReturn(TrustLevel.LEVEL_2.getName()).when(service).getTrustLevel(any());
+
+ var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_1.getName());
+
+ assertThat(trustLevel).isTrue();
+ }
 }
 @DisplayName("Get trustLevel")
-- GitLab
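Review bot: The new shouldAllowAccessOnHigherTrustLevel covers only the permissive direction; nothing in this hunk checks that a token below the required level is denied (shouldReturnFalseIfTrustLevelNotMatches stubs an unparseable level, not a lower one), nor that an unknown or null required level is denied, and those two outcomes are what the `>=` comparison in isAccessible exists to enforce. Add a mirror test with `TrustLevel.LEVEL_1` on the token and `TrustLevel.LEVEL_2` as the required level asserting `isFalse()`, plus one passing `null` as the required level. The enclosing nested test class continues outside the hunk.
```java
@Test
void shouldDenyAccessOnLowerTrustLevel() {
    doReturn(TrustLevel.LEVEL_1.getName()).when(service).getTrustLevel(any());

    var trustLevel = service.isAccessible(GrpcGetRueckfrageRequestTestFactory.SAML_TOKEN, TrustLevel.LEVEL_2.getName());

    assertThat(trustLevel).isFalse();
}
```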