Mercurial > hg > orthanc-authorization

annotate Plugin/CachedAuthorizationService.cpp @ 71:30fb3ce960d9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
configurable user permissions
author Alain Mazy <am@osimis.io>
date Wed, 22 Feb 2023 13:13:38 +0100
parents af44dce56328
children e381ba725669
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
1 /**
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
2 * Advanced authorization plugin for Orthanc
68
1a13c4fbc9a1 copyrights
Alain Mazy <am@osimis.io>
parents: 46
diff changeset
3 * Copyright (C) 2017-2023 Osimis S.A., Belgium
1
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
4 *
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
5 * This program is free software: you can redistribute it and/or
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
6 * modify it under the terms of the GNU Affero General Public License
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
7 * as published by the Free Software Foundation, either version 3 of
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
8 * the License, or (at your option) any later version.
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
9 *
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
10 * This program is distributed in the hope that it will be useful, but
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
13 * Affero General Public License for more details.
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
14 *
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
15 * You should have received a copy of the GNU Affero General Public License
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
17 **/
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
18
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
19 #include "CachedAuthorizationService.h"
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
20
32
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 31
diff changeset
21 #include <OrthancException.h>
71
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
22 #include <Toolbox.h>
1
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
23
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
24 #include <boost/lexical_cast.hpp>
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
25
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
26 namespace OrthancPlugins
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
27 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
28 std::string CachedAuthorizationService::ComputeKey(OrthancPluginHttpMethod method,
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
29 const AccessedResource& access,
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
30 const Token& token,
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
31 const std::string& tokenValue) const
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
32 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
33 return (boost::lexical_cast<std::string>(method) + "|" +
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
34 boost::lexical_cast<std::string>(access.GetLevel()) + "|" +
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
35 access.GetOrthancId() + "|" + token.GetKey() + "|" + tokenValue);
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
36 }
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
37
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
38
71
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
39 std::string CachedAuthorizationService::ComputeKey(const std::string& permission,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
40 const Token& token,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
41 const std::string& tokenValue) const
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
42 {
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
43 return (permission + "|" + token.GetKey() + "|" + tokenValue);
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
44 }
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
45
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
46
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
47 CachedAuthorizationService::CachedAuthorizationService(BaseAuthorizationService* decorated /* takes ownership */,
1
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
48 ICacheFactory& factory) :
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
49 decorated_(decorated),
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
50 cache_(factory.Create())
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
51 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
52 if (decorated_.get() == NULL)
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
53 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
54 throw Orthanc::OrthancException(Orthanc::ErrorCode_InternalError);
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
55 }
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
56 }
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
57
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
58
71
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
59 bool CachedAuthorizationService::IsGrantedInternal(unsigned int& validity,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
60 OrthancPluginHttpMethod method,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
61 const AccessedResource& access,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
62 const Token* token,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
63 const std::string& tokenValue)
1
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
64 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
65 assert(decorated_.get() != NULL);
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
66
71
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
67 std::string key = ComputeKey(method, access, *token, tokenValue);
1
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
68 std::string value;
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
69
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
70 if (cache_->Retrieve(value, key))
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
71 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
72 // Return the previously cached value
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
73 return (value == "1");
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
74 }
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
75
71
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
76 bool granted = decorated_->IsGrantedInternal(validity, method, access, token, tokenValue);
1
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
77
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
78 if (granted)
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
79 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
80 if (validity > 0)
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
81 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
82 cache_->Store(key, "1", validity);
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
83 }
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
84
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
85 return true;
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
86 }
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
87 else
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
88 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
89 if (validity > 0)
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
90 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
91 cache_->Store(key, "0", validity);
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
92 }
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
93
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
94 return false;
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
95 }
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
96 }
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
97
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
98
71
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
99 bool CachedAuthorizationService::GetUserProfileInternal(unsigned int& validity,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
100 Json::Value& profile /* out */,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
101 const Token* token,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
102 const std::string& tokenValue)
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
103 {
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
104 // no cache used when retrieving the full user profile
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
105 return decorated_->GetUserProfileInternal(validity, profile, token, tokenValue);
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
106 }
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
107
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
108 bool CachedAuthorizationService::HasUserPermissionInternal(unsigned int& validity,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
109 const std::string& permission,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
110 const Token* token,
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
111 const std::string& tokenValue)
1
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
112 {
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
113 assert(decorated_.get() != NULL);
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
114
71
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
115 std::string key = ComputeKey(permission, *token, tokenValue);
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
116 std::string value;
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
117
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
118 if (cache_->Retrieve(value, key))
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
119 {
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
120 // Return the previously cached value
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
121 return (value == "1");
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
122 }
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
123
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
124 bool granted = decorated_->HasUserPermissionInternal(validity, permission, token, tokenValue);
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
125
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
126 if (granted)
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
127 {
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
128 if (validity > 0)
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
129 {
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
130 cache_->Store(key, "1", validity);
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
131 }
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
132
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
133 return true;
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
134 }
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
135 else
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
136 {
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
137 if (validity > 0)
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
138 {
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
139 cache_->Store(key, "0", validity);
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
140 }
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
141
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
142 return false;
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
143 }
1
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
144 }
69
af44dce56328 new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents: 68
diff changeset
145
71
30fb3ce960d9 configurable user permissions
Alain Mazy <am@osimis.io>
parents: 69
diff changeset
146
69
af44dce56328 new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents: 68
diff changeset
147
1
d5d3cb00556a initial release
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
148 }