Poc-NAATs can be issued even if role is removed

[ascheibal]

Describe the bug

PoC_NAATs are part of the QT System, but disabled. During Onboarding Tests Partner Admins could enable PoCs to perform PoC_NAATs. This bug contains two issues: 1.) Even if no Admin has the right anymore to enable PoCs for PoC-NAATs, already enabled PoCs still have the feature available. (Only applies to WRU System). 2.) An admin that also has the role poc_nat_admin and addtionally has the role to act as counter (can record patient data) can generate PoC-NAATs despite the PoC was not enabled for PoC-NAATs before.

If a Test is submitted as a PoCNAAT its transfer to Testresult server is not permitted and results in error condition (quick-test proxy refuses transfer) The test then resides in quick-test db and disturbes cleanup job.

Expected behaviour

1.) This behaviour is expected as the entitlement for PoC-NAATs is an attribute of the PoC, managed by IAM. The Attribute does not get lost be the role removed from Admin. 2.) The role poc_nat_admin should only give the right to enable PoCs for PoC-NAAT (checkmark in PoC setup) not for performing those kind of tests. Hence, if group attibute pcr_enabled does not exists or has value false, PoC-NAATs should not be possible, even if current user has poc_nat_admin role.

Steps to reproduce the issue

1.) ensure group attribute pcr_enabled does not exist or is set to false. 2.) give admin user the poc_nat_atdmin role - user can do PoC-NAATs 3.) try with user w/o poc_nat_admin role - user cannot do PoC-NAATs

Technical details

Possible Fix

unbind test-kind-radio visibility from user role, only rely on users group attributes

Additional context

https://github.com/corona-warn-app/cwa-quick-test-backend/issues/260

[ascheibal]

resolved. Error Due to manually misconfigured user entry in keycloak (prc_enabled was assigned to user entry not group entry) user token contains group and user attributes.