Mercurial > hg > orthanc-authorization
annotate Plugin/AuthorizationWebService.cpp @ 71:30fb3ce960d9
configurable user permissions
author | Alain Mazy <am@osimis.io> |
---|---|
date | Wed, 22 Feb 2023 13:13:38 +0100 |
parents | 786b202ef24e |
children | e381ba725669 |
rev | line source |
---|---|
1 | 1 /** |
2 * Advanced authorization plugin for Orthanc | |
68 | 3 * Copyright (C) 2017-2023 Osimis S.A., Belgium |
1 | 4 * |
5 * This program is free software: you can redistribute it and/or | |
6 * modify it under the terms of the GNU Affero General Public License | |
7 * as published by the Free Software Foundation, either version 3 of | |
8 * the License, or (at your option) any later version. | |
9 * | |
10 * This program is distributed in the hope that it will be useful, but | |
11 * WITHOUT ANY WARRANTY; without even the implied warranty of | |
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
13 * Affero General Public License for more details. | |
14 * | |
15 * You should have received a copy of the GNU Affero General Public License | |
16 * along with this program. If not, see <http://www.gnu.org/licenses/>. | |
17 **/ | |
18 | |
19 #include "AuthorizationWebService.h" | |
20 | |
34 | 21 #include "../Resources/Orthanc/Plugins/OrthancPluginCppWrapper.h" |
22 | |
32 | 23 #include <Logging.h> |
59
a5f2976fe8a0
fix Authorization header conflicting with WebServiceUsername
Alain Mazy <am@osimis.io>
parents:
54
diff
changeset
|
24 #include <Toolbox.h> |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
25 #include <HttpClient.h> |
71 | 26 #include <algorithm> |
1 | 27 |
28 namespace OrthancPlugins | |
29 { | |
71 | 30 static const char* GRANTED = "granted"; |
31 static const char* VALIDITY = "validity"; | |
32 static const char* PERMISSIONS = "permissions"; | |
33 | |
34 | |
1 | 35 bool AuthorizationWebService::IsGrantedInternal(unsigned int& validity, |
36 OrthancPluginHttpMethod method, | |
37 const AccessedResource& access, | |
38 const Token* token, | |
39 const std::string& tokenValue) | |
40 { | |
41 Json::Value body = Json::objectValue; | |
42 | |
43 switch (method) | |
44 { | |
45 case OrthancPluginHttpMethod_Get: | |
46 body["method"] ="get"; | |
47 break; | |
48 | |
49 case OrthancPluginHttpMethod_Post: | |
50 body["method"] ="post"; | |
51 break; | |
52 | |
53 case OrthancPluginHttpMethod_Put: | |
54 body["method"] ="put"; | |
55 break; | |
56 | |
57 case OrthancPluginHttpMethod_Delete: | |
58 body["method"] ="delete"; | |
59 break; | |
60 | |
61 default: | |
62 throw Orthanc::OrthancException(Orthanc::ErrorCode_ParameterOutOfRange); | |
63 } | |
64 | |
65 body["level"] = EnumerationToString(access.GetLevel()); | |
66 | |
67 if (access.GetLevel() == AccessLevel_System) | |
68 { | |
69 body["uri"] = access.GetOrthancId(); | |
70 } | |
71 else | |
72 { | |
73 body["orthanc-id"] = access.GetOrthancId(); | |
74 body["dicom-uid"] = access.GetDicomUid(); | |
75 } | |
76 | |
77 if (token != NULL) | |
78 { | |
79 body["token-key"] = token->GetKey(); | |
80 body["token-value"] = tokenValue; | |
81 } | |
82 | |
54
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
83 if (!identifier_.empty()) |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
84 { |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
85 body["identifier"] = identifier_; |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
86 } |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
87 else |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
88 { |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
89 body["identifier"] = Json::nullValue; |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
90 } |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
91 |
70 | 92 Orthanc::WebServiceParameters authWebservice; |
93 authWebservice.SetUrl(url_); | |
94 | |
95 if (!username_.empty()) | |
96 { | |
97 authWebservice.SetCredentials(username_, password_); | |
98 } | |
1 | 99 |
70 | 100 std::string bodyAsString; |
101 Orthanc::Toolbox::WriteFastJson(bodyAsString, body); | |
102 | |
103 Orthanc::HttpClient authClient(authWebservice, ""); | |
104 authClient.AssignBody(bodyAsString); | |
105 authClient.SetMethod(Orthanc::HttpMethod_Post); | |
106 authClient.AddHeader("Content-Type", "application/json"); | |
107 authClient.AddHeader("Expect", ""); | |
108 authClient.SetTimeout(10); | |
109 | |
1 | 110 if (token != NULL && |
111 token->GetType() == TokenType_HttpHeader) | |
112 { | |
113 // If the token source is a HTTP header, forward it also as a | |
59
a5f2976fe8a0
fix Authorization header conflicting with WebServiceUsername
Alain Mazy <am@osimis.io>
parents:
54
diff
changeset
|
114 // HTTP header except if it is the Authorization header that might conflict with username_ and password_ |
a5f2976fe8a0
fix Authorization header conflicting with WebServiceUsername
Alain Mazy <am@osimis.io>
parents:
54
diff
changeset
|
115 std::string lowerTokenKey; |
a5f2976fe8a0
fix Authorization header conflicting with WebServiceUsername
Alain Mazy <am@osimis.io>
parents:
54
diff
changeset
|
116 Orthanc::Toolbox::ToLowerCase(lowerTokenKey, token->GetKey()); |
a5f2976fe8a0
fix Authorization header conflicting with WebServiceUsername
Alain Mazy <am@osimis.io>
parents:
54
diff
changeset
|
117 |
a5f2976fe8a0
fix Authorization header conflicting with WebServiceUsername
Alain Mazy <am@osimis.io>
parents:
54
diff
changeset
|
118 if (!(lowerTokenKey == "authorization" && !username_.empty())) |
a5f2976fe8a0
fix Authorization header conflicting with WebServiceUsername
Alain Mazy <am@osimis.io>
parents:
54
diff
changeset
|
119 { |
70 | 120 authClient.AddHeader(token->GetKey(), tokenValue); |
59
a5f2976fe8a0
fix Authorization header conflicting with WebServiceUsername
Alain Mazy <am@osimis.io>
parents:
54
diff
changeset
|
121 } |
1 | 122 } |
123 | |
124 Json::Value answer; | |
70 | 125 authClient.ApplyAndThrowException(answer); |
1 | 126 |
127 if (answer.type() != Json::objectValue || | |
128 !answer.isMember(GRANTED) || | |
129 answer[GRANTED].type() != Json::booleanValue || | |
130 (answer.isMember(VALIDITY) && | |
131 answer[VALIDITY].type() != Json::intValue)) | |
132 { | |
29
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
133 throw Orthanc::OrthancException(Orthanc::ErrorCode_NetworkProtocol, |
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
134 "Syntax error in the result of the Web service"); |
1 | 135 } |
136 | |
137 validity = 0; | |
138 if (answer.isMember(VALIDITY)) | |
139 { | |
140 int tmp = answer[VALIDITY].asInt(); | |
141 if (tmp < 0) | |
142 { | |
29
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
143 throw Orthanc::OrthancException(Orthanc::ErrorCode_NetworkProtocol, |
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
144 "A validity duration cannot be negative"); |
1 | 145 } |
146 | |
147 validity = static_cast<unsigned int>(tmp); | |
148 } | |
149 | |
150 return answer[GRANTED].asBool(); | |
151 } | |
152 | |
153 | |
154 void AuthorizationWebService::SetCredentials(const std::string& username, | |
155 const std::string& password) | |
156 { | |
157 username_ = username; | |
158 password_ = password; | |
159 } | |
54
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
160 |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
161 void AuthorizationWebService::SetUserProfileUrl(const std::string& url) |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
162 { |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
163 userProfileUrl_ = url; |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
164 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
165 |
54
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
166 void AuthorizationWebService::SetIdentifier(const std::string& webServiceIdentifier) |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
167 { |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
168 identifier_ = webServiceIdentifier; |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
169 } |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
46
diff
changeset
|
170 |
71 | 171 bool AuthorizationWebService::GetUserProfileInternal(unsigned int& validity, |
172 Json::Value& profile /* out */, | |
173 const Token* token, | |
174 const std::string& tokenValue) | |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
175 { |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
176 if (userProfileUrl_.empty()) |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
177 { |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
178 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadRequest, "Can not get user profile if the 'WebServiceUserProfileUrl' is not configured"); |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
179 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
180 |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
181 Orthanc::WebServiceParameters authWebservice; |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
182 authWebservice.SetUrl(userProfileUrl_); |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
183 |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
184 if (!username_.empty()) |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
185 { |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
186 authWebservice.SetCredentials(username_, password_); |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
187 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
188 |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
189 Json::Value body; |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
190 |
71 | 191 if (token != NULL) |
192 { | |
193 body["token-key"] = token->GetKey(); | |
194 body["token-value"] = tokenValue; | |
195 } | |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
196 |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
197 if (!identifier_.empty()) |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
198 { |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
199 body["identifier"] = identifier_; |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
200 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
201 else |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
202 { |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
203 body["identifier"] = Json::nullValue; |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
204 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
205 |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
206 std::string bodyAsString; |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
207 Orthanc::Toolbox::WriteFastJson(bodyAsString, body); |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
208 |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
209 try |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
210 { |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
211 Orthanc::HttpClient authClient(authWebservice, ""); |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
212 authClient.AssignBody(bodyAsString); |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
213 authClient.SetMethod(Orthanc::HttpMethod_Post); |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
214 authClient.AddHeader("Content-Type", "application/json"); |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
215 authClient.AddHeader("Expect", ""); |
70 | 216 authClient.SetTimeout(10); |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
217 |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
218 authClient.ApplyAndThrowException(profile); |
71 | 219 |
220 if (profile.isMember("validity")) | |
221 { | |
222 validity = profile["validity"].asInt(); | |
223 } | |
224 else | |
225 { | |
226 validity = 0; | |
227 } | |
228 | |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
229 return true; |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
230 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
231 catch (Orthanc::OrthancException& ex) |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
232 { |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
233 return false; |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
234 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
235 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
236 |
71 | 237 bool AuthorizationWebService::HasUserPermissionInternal(unsigned int& validity, |
238 const std::string& permission, | |
239 const Token* token, | |
240 const std::string& tokenValue) | |
241 { | |
242 Json::Value profile; | |
243 | |
244 | |
245 if (GetUserProfileInternal(validity, profile, token, tokenValue)) | |
246 { | |
247 if (profile.type() != Json::objectValue || | |
248 !profile.isMember(PERMISSIONS) || | |
249 !profile.isMember(VALIDITY) || | |
250 profile[PERMISSIONS].type() != Json::arrayValue || | |
251 profile[VALIDITY].type() != Json::intValue) | |
252 { | |
253 throw Orthanc::OrthancException(Orthanc::ErrorCode_NetworkProtocol, | |
254 "Syntax error in the result of the Web service"); | |
255 } | |
256 | |
257 validity = profile[VALIDITY].asUInt(); | |
258 | |
259 Json::Value& permissions = profile[PERMISSIONS]; | |
260 for (Json::ArrayIndex i = 0; i < permissions.size(); ++i) | |
261 { | |
262 if (permission == permissions[i].asString()) | |
263 { | |
264 return true; | |
265 } | |
266 } | |
267 } | |
268 | |
269 return false; | |
270 } | |
271 | |
1 | 272 } |