PoC_NAATs are part of the QT System, but disabled. During Onboarding Tests Partner Admins could enable PoCs to perform PoC_NAATs.
This bug contains two issues:
1.) Even if no Admin has the right anymore to enable PoCs for PoC-NAATs, already enabled PoCs still have the feature available. (Only applies to WRU System).
2.) An admin that also has the role poc_nat_admin and additionally has the role to act as counter (can record patient data) can generate PoC-NAATs even though the PoC was not enabled for PoC-NAATs before.
If a test is submitted as a PoC-NAAT, its transfer to the Testresult server is not permitted and results in an error condition (the quick-test proxy refuses the transfer). The test then resides in the quick-test DB and disturbs the cleanup job.
Expected behaviour
1.) This behaviour is expected, as the entitlement for PoC-NAATs is an attribute of the PoC, managed by IAM. The attribute is not lost when the role is removed from the admin.
2.) The role poc_nat_admin should only give the right to enable PoCs for PoC-NAAT (checkmark in PoC setup), not to perform those kinds of tests. Hence, if the group attribute pcr_enabled does not exist or has the value false, PoC-NAATs should not be possible, even if the current user has the poc_nat_admin role.
Steps to reproduce the issue
1.) ensure group attribute pcr_enabled does not exist or is set to false.
2.) give the admin user the poc_nat_admin role - user can do PoC-NAATs
3.) try with user w/o poc_nat_admin role - user cannot do PoC-NAATs
Technical details
Possible Fix
ensure test results >=10 cannot be issued if the user's group attribute pcr_enabled is false | null
Resolved. Error due to a manually misconfigured user entry in Keycloak (pcr_enabled was assigned to the user entry, not the group entry): the user access token contains group and user attributes, and the user attribute was not deleted.
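The "Possible Fix" above and the resolution comment both come down to one rule: performing a test type >= 10 must depend on the group attribute pcr_enabled as it appears in the verified access token, and never on the poc_nat_admin role. The following is an added example (not code from cwa-quick-test-frontend) of that check written as a claim-based guard. It assumes the OIDC client has already verified the token signature and hands over the parsed payload, that the group attribute is mapped to a claim named pcr_enabled, and that realm roles sit under realm_access.roles as Keycloak emits them; the role name "counter" and the sample payloads are constructed for illustration. Because Keycloak can aggregate user and group values of the same attribute into one multi-valued claim (the misconfiguration described in the comment), the guard treats anything but a single unambiguous true as disabled.

```typescript
// Added example, not project code. Assumptions (not taken from the issue):
// the access token is already signature-verified by the OIDC client, its
// parsed payload is passed in here, the PoC group attribute pcr_enabled is
// mapped to the claim "pcr_enabled", realm roles are under realm_access.roles,
// and "counter" stands in for whatever role lets a user record patient data.

const POC_NAAT_MIN_TEST_TYPE = 10; // "test results >= 10" in the issue

interface Claims {
  preferred_username?: string;
  realm_access?: { roles?: string[] };
  // Keycloak may emit the mapped attribute as a boolean, a string or, with
  // "aggregate attribute values" enabled, an array of user + group values.
  pcr_enabled?: boolean | string | string[];
  [claim: string]: unknown;
}

function hasRole(claims: Claims, role: string): boolean {
  return (claims.realm_access?.roles ?? []).includes(role);
}

/** True only for a single unambiguous "true". Absent, false, or a mixed
 *  aggregate (a stale user-level value next to the group value) => false. */
function pcrEnabled(claims: Claims): boolean {
  const v = claims.pcr_enabled;
  if (v === true || v === 'true') return true;
  if (Array.isArray(v)) return v.length === 1 && v[0] === 'true';
  return false;
}

/** poc_nat_admin grants only the right to tick the PoC-NAAT checkbox. */
function canEnablePocNaat(claims: Claims): boolean {
  return hasRole(claims, 'poc_nat_admin');
}

/** Recording a test of type >= 10 depends on the PoC's group attribute alone;
 *  roles are deliberately not consulted for this decision. */
function canIssueTestType(claims: Claims, testType: number): boolean {
  if (!hasRole(claims, 'counter')) return false; // cannot record tests at all
  if (testType < POC_NAAT_MIN_TEST_TYPE) return true; // ordinary quick test
  return pcrEnabled(claims);
}

// Constructed sample payloads (not real tokens).
// A counter in a PoC whose group carries pcr_enabled = true.
const enabledPoc: Claims = {
  preferred_username: 'counter-a',
  realm_access: { roles: ['counter'] },
  pcr_enabled: 'true',
};
// The bug report: admin with poc_nat_admin + counter, PoC not enabled.
const adminWithoutEntitlement: Claims = {
  preferred_username: 'admin-b',
  realm_access: { roles: ['poc_nat_admin', 'counter'] },
};
// The resolution comment: stale user attribute aggregated with the group
// value, so the claim arrives as a two-valued array.
const staleUserAttribute: Claims = {
  preferred_username: 'counter-c',
  realm_access: { roles: ['counter'] },
  pcr_enabled: ['true', 'false'],
};

function summary(): string[] {
  return [enabledPoc, adminWithoutEntitlement, staleUserAttribute].map(
    (c) =>
      `${c.preferred_username}: quick=${canIssueTestType(c, 1)} ` +
      `pocNaat=${canIssueTestType(c, POC_NAAT_MIN_TEST_TYPE)} ` +
      `mayEnable=${canEnablePocNaat(c)}`,
  );
}

console.log(summary().join('\n'));
```

The strictness in pcrEnabled is a design choice for the frontend side: it cannot tell a group-sourced "true" from a user-sourced one, so the only safe policy is to fail closed on anything ambiguous and leave the real fix (removing the user-level attribute, or mapping only the group attribute) in Keycloak.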
Additional context
https://github.com/corona-warn-app/cwa-quick-test-frontend/issues/314