annotate Plugin/DefaultConfiguration.json @ 202:3c56c3f0059a default tip
Fix forbidden access when the PatientID and StudyInstanceUID are identical
author | Alain Mazy <am@orthanc.team> |
date | Mon, 23 Sep 2024 12:43:33 +0200 |
parents | 85859ec3aa7e |
children |
71 | 1 { |
2 "Authorization" : { | |
3 // The base URL of the auth webservice. This is an alias for the configurations listed below: |
4 // // "WebServiceUserProfileUrl" : " ROOT /user/get-profile", |
5 // // "WebServiceTokenValidationUrl" : " ROOT /tokens/validate", |
6 // // "WebServiceTokenCreationBaseUrl" : " ROOT /tokens/", |
79 | 7 // // "WebServiceTokenDecoderUrl" : " ROOT /tokens/decode", |
8 // Define it only if your auth webservice implements all of the routes listed above. |
9 // "WebServiceRootUrl" : "http://change-me:8000/", |
10 |
11 // The URL of the auth webservice route implementing user profile (optional) |
12 // (this configuration was previously named "WebService" and its old name is still accepted |
13 // for backward compatibility) |
14 // "WebServiceUserProfileUrl" : "http://change-me:8000/user/profile", |
15 |
16 // The URL of the auth webservice route implementing resource level authorization (optional) |
17 // "WebServiceTokenValidationUrl" : "http://change-me:8000/tokens/validate", |
18 |
19 // The Base URL of the auth webservice route to create tokens (optional) |
20 // "WebServiceTokenCreationBaseUrl" : "http://change-me:8000/tokens/", |
71 | 21 |
79 | 22 // The URL of the auth webservice route implementing token decoding (optional) |
23 // "WebServiceTokenDecoderUrl": "http://change-me:8000/tokens/decode" | |
24 | |
71 | 25 // The username and password to connect to the webservice (optional) |
26 //"WebServiceUsername": "change-me", | |
27 //"WebServicePassword": "change-me", | |
28 | |
29 // An identifier added to the payload of each request to the auth webservice (optional) | |
30 //"WebServiceIdentifier": "change-me" | |
31 | |
32 // The name of the HTTP headers that may contain auth tokens | |
33 //"TokenHttpHeaders" : [], | |
34 | |
83 | 35 // The name of the GET arguments that may contain auth tokens |
71 | 36 //"TokenGetArguments" : [], |
37 | |
38 // A list of predefined configurations for well-known plugins | |
39 // "StandardConfigurations": [ // new in v 0.4.0 | |
40 // "osimis-web-viewer", | |
41 // "stone-webviewer", | |
42 // "orthanc-explorer-2", |
43 // "ohif" |
71 | 44 // ], |
45 | |
46 //"UncheckedResources" : [], | |
47 //"UncheckedFolders" : [], | |
48 //"CheckedLevel" : "studies", | |
49 //"UncheckedLevels" : [], | |
50 | |
51 // Definition of required "user-permissions". This can be fully customized. | |
52 // You may define other permissions yourself as long as they match the permissions |
71 | 53 // provided in the user-profile route implemented by the auth-service. |
54 // You may test your regex in https://regex101.com/ by selecting .NET (C#) and removing the leading ^ and trailing $ | |
55 // The default configuration is suitable for Orthanc-Explorer-2 (see https://github.com/orthanc-team/orthanc-auth-service) |
71 | 56 "Permissions" : [ |
75 | 57 ["post", "^/auth/tokens/decode$", ""], |
58 ["post", "^/tools/lookup$", ""], // currently used to authorize downloads in Stone (to map the StudyInstanceUID to an Orthanc ID). Not ideal: a new API with the resource ID in the path would allow checking at resource level; on the other hand, this route does not expose any patient information. |
75 | 59 |
71 | 60 // elemental browsing in OE2 |
61 ["post", "^/tools/find$", "all|view"], | |
62 ["get" , "^/(patients|studies|series|instances)(|/)", "all|view"], |
71 | 63 ["get" , "^/statistics$", "all|view"], |
64 ["get" , "^/changes$", "all|view"], |
65 ["get" , "^/system$", "all|view"], |
66 ["get" , "^/plugins$", "all|view"], |
67 ["get" , "^/plugins/(.*)$", "all|view"], |
71 | 68 |
69 // single resource patterns (SINGLE_RESOURCE_PATTERNS is an alias for all single resource patterns defined in https://orthanc.uclouvain.be/hg/orthanc-authorization/file/tip/Plugin/DefaultAuthorizationParser.cpp) |
70 // (to access the resource, a user must both have access to the route and hold an authorized label) |
71 ["get" , "SINGLE_RESOURCE_PATTERNS", "all|view"], |
72 |
75 | 73 // create links to open viewer or download resources |
74 ["put", "^/auth/tokens/(viewer-instant-link|meddream-instant-link)$", "all|view"], | |
75 ["put", "^/auth/tokens/(download-instant-link)$", "all|download"], | |
76 | |
77 // share a link to open a study | |
78 ["put", "^/auth/tokens/(stone-viewer-publication|meddream-viewer-publication|osimis-viewer-publication|ohif-viewer-publication)$", "all|share"], |
75 | 79 |
80 // uploads | |
81 ["post", "^/instances$", "all|upload"], | |
82 ["post" , "^/DICOM_WEB_ROOT/studies$", "all|upload"], |
83 ["post", "^/tools/create-dicom$", "all|upload"], |
84 ["post", "^/stl/encode-rtstruct$", "all|upload"], |
85 ["post", "^/stl/encode-nifti$", "all|upload"], |
75 | 86 |
71 | 87 // monitor jobs you have created |
88 ["get" , "^/jobs/([a-f0-9-]+)$", "all|send|modify|anonymize|q-r-remote-modalities"], | |
89 | |
90 // interacting with peers/modalities/dicomweb | |
91 ["post", "^/(peers|modalities)/(.*)/store$", "all|send"], | |
92 ["get" , "^/(peers|modalities)$", "all|send|q-r-remote-modalities"], | |
93 ["post", "^/modalities/(.*)/echo$", "all|send|q-r-remote-modalities"], | |
94 ["post", "^/modalities/(.*)/query$", "all|q-r-remote-modalities"], | |
95 ["get", "^/queries/([a-f0-9-]+)/answers$", "all|q-r-remote-modalities"], | |
96 ["post", "^/modalities/(.*)/move$", "all|q-r-remote-modalities"], | |
75 | 97 ["get" , "^/DICOM_WEB_ROOT/servers$", "all|send|q-r-remote-modalities"], |
71 | 98 ["get" , "^/DICOM_WEB_ROOT/(servers)/(.*)/stow$", "all|send"], |
99 |
100 // DICOMWeb QIDO-RS |
101 ["get" , "^/DICOM_WEB_ROOT/(studies|series|instances)(|/)$", "all|view"], |
102 |
71 | 103 // modifications/anonymization |
104 ["post", "^/(patients|studies|series|instances)/([a-f0-9-]+)/(modify|merge)(.*)$", "all|modify"], |
105 ["post", "^/(patients|studies|series|instances)/([a-f0-9-]+)/anonymize(.*)$", "all|anonymize"], |
106 |
107 // labels |
108 ["get", "^/tools/labels$", "all|view|edit-labels"], |
109 ["put" , "^/(patients|studies|series|instances)/([a-f0-9-]+)/labels/(.*)$", "all|edit-labels"], |
110 ["delete" , "^/(patients|studies|series|instances)/([a-f0-9-]+)/labels/(.*)$", "all|edit-labels"], |
111 |
112 // deletes |
113 ["delete" , "^/(patients|studies|series|instances)/([a-f0-9-]+)$", "all|delete"], |
89 | 114 ["post" , "^/tools/bulk-delete$", "all|delete"], |
115 |
116 // settings |
117 ["put", "^/tools/log-level$", "all|settings"], |
118 ["get", "^/tools/log-level$", "all|settings"], |
119 |
120 // permission settings |
121 ["put", "^/auth/settings/roles$", "admin-permissions"], |
122 ["get", "^/auth/settings/roles$", "admin-permissions"], |
123 ["get", "^/auth/settings/permissions$", "admin-permissions"] |
124 |
71 | 125 ] |
126 } | |
127 } |