Mercurial > hg > orthanc-authorization
annotate Plugin/PermissionParser.cpp @ 194:85859ec3aa7e
added support for roles/permissions edition
| author | Alain Mazy <am@orthanc.team> |
|---|---|
| date | Fri, 14 Jun 2024 16:26:53 +0200 |
| parents | c4b908970ae4 |
| children | 2f1e872e8eaa |
| rev | line source |
|---|---|
| 71 | 1 /** |
| 2 * Advanced authorization plugin for Orthanc | |
| 3 * Copyright (C) 2017-2023 Osimis S.A., Belgium | |
| 150 | 4 * Copyright (C) 2024-2024 Orthanc Team SRL, Belgium |
|
188
c4b908970ae4
updated copyright, as Orthanc Team now replaces Osimis
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
150
diff
changeset
|
5 * Copyright (C) 2021-2024 Sebastien Jodogne, ICTEAM UCLouvain, Belgium |
| 71 | 6 * |
| 7 * This program is free software: you can redistribute it and/or | |
| 8 * modify it under the terms of the GNU Affero General Public License | |
| 9 * as published by the Free Software Foundation, either version 3 of | |
| 10 * the License, or (at your option) any later version. | |
| 11 * | |
| 12 * This program is distributed in the hope that it will be useful, but | |
| 13 * WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 15 * Affero General Public License for more details. | |
| 16 * | |
| 17 * You should have received a copy of the GNU Affero General Public License | |
| 18 * along with this program. If not, see <http://www.gnu.org/licenses/>. | |
| 19 **/ | |
| 20 | |
| 21 #include "PermissionParser.h" | |
| 22 | |
| 23 #include <Toolbox.h> | |
| 24 #include <OrthancException.h> | |
| 25 #include <Logging.h> | |
| 26 | |
| 27 namespace OrthancPlugins | |
| 28 { | |
| 29 PermissionPattern::PermissionPattern(const OrthancPluginHttpMethod& method, const std::string& patternRegex, const std::string& permissions) : | |
| 30 method(method), | |
| 31 pattern(patternRegex) | |
| 32 { | |
| 74 | 33 if (!permissions.empty()) |
| 34 { | |
| 35 std::vector<std::string> permissionsVector; | |
| 36 Orthanc::Toolbox::TokenizeString(permissionsVector, permissions, '|'); | |
| 71 | 37 |
| 74 | 38 for (size_t i = 0; i < permissionsVector.size(); ++i) |
| 39 { | |
| 40 this->permissions.insert(permissionsVector[i]); | |
| 41 } | |
| 71 | 42 } |
| 43 } | |
| 44 | |
| 45 | |
| 46 static void Replace(std::string& text, const std::string& findText, const std::string& replaceText) | |
| 47 { | |
| 48 size_t pos = text.find(findText); | |
| 49 if (pos != std::string::npos) | |
| 50 { | |
| 51 text = text.replace(pos, findText.size(), replaceText); | |
| 52 } | |
| 53 } | |
| 54 | |
| 55 | |
| 56 static void StripLeadingAndTrailingSlashes(std::string& text) | |
| 57 { | |
| 58 if (text.size() > 1 && text[0] == '/') | |
| 59 { | |
| 60 text = text.substr(1, text.size() -1); | |
| 61 } | |
| 62 if (text.size() > 1 && text[text.size() - 1] == '/') | |
| 63 { | |
| 64 text = text.substr(0, text.size() -1); | |
| 65 } | |
| 66 } | |
| 67 | |
| 68 | |
| 69 PermissionParser::PermissionParser(const std::string& dicomWebRoot, const std::string& oe2Root) : | |
| 70 dicomWebRoot_(dicomWebRoot), | |
| 71 oe2Root_(oe2Root) | |
| 72 { | |
| 73 } | |
| 74 | |
|
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
75 void PermissionParser::Add(const Json::Value& configuration, const IAuthorizationParser* authorizationParser) |
| 71 | 76 { |
| 77 if (configuration.type() != Json::arrayValue) | |
| 78 { | |
| 79 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadParameterType, "Permissions should be an array."); | |
| 80 } | |
| 81 | |
| 82 for (Json::ArrayIndex i = 0; i < configuration.size(); ++i) | |
| 83 { | |
| 84 const Json::Value& permission = configuration[i]; | |
| 85 if (permission.type() != Json::arrayValue || permission.size() < 3) | |
| 86 { | |
| 87 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadParameterType, "Permissions elements should be an array of min size 3."); | |
| 88 } | |
| 89 | |
|
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
90 if (permission[1].asString() == "SINGLE_RESOURCE_PATTERNS") |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
91 { |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
92 std::vector<boost::regex> singleResourcePatterns; |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
93 authorizationParser->GetSingleResourcePatterns(singleResourcePatterns); |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
94 |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
95 for (std::vector<boost::regex>::const_iterator it = singleResourcePatterns.begin(); it != singleResourcePatterns.end(); ++it) |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
96 { |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
97 Add(permission[0].asString(), // 0 = HTTP method |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
98 it->str(), // 1 = pattern |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
99 permission[2].asString() // 2 = list of | separated permissions (no space) |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
100 // 3 = optional comment |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
101 ); |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
102 } |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
103 } |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
104 else |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
105 { |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
106 Add(permission[0].asString(), // 0 = HTTP method |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
107 permission[1].asString(), // 1 = pattern |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
108 permission[2].asString() // 2 = list of | separated permissions (no space) |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
109 // 3 = optional comment |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
110 ); |
|
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
74
diff
changeset
|
111 } |
| 71 | 112 } |
| 113 | |
| 114 } | |
| 115 | |
| 116 void PermissionParser::Add(const std::string& method, | |
| 117 const std::string& patternRegex, | |
| 118 const std::string& permission) | |
| 119 { | |
| 120 std::string lowerCaseMethod; | |
| 121 Orthanc::Toolbox::ToLowerCase(lowerCaseMethod, method); | |
| 122 OrthancPluginHttpMethod parsedMethod = OrthancPluginHttpMethod_Get; | |
| 123 | |
| 124 if (lowerCaseMethod == "post") | |
| 125 { | |
| 126 parsedMethod = OrthancPluginHttpMethod_Post; | |
| 127 } | |
| 128 else if (lowerCaseMethod == "put") | |
| 129 { | |
| 130 parsedMethod = OrthancPluginHttpMethod_Put; | |
| 131 } | |
| 132 else if (lowerCaseMethod == "delete") | |
| 133 { | |
| 134 parsedMethod = OrthancPluginHttpMethod_Delete; | |
| 135 } | |
| 136 else if (lowerCaseMethod == "get") | |
| 137 { | |
| 138 parsedMethod = OrthancPluginHttpMethod_Get; | |
| 139 } | |
| 140 else | |
| 141 { | |
| 142 throw Orthanc::OrthancException(Orthanc::ErrorCode_ParameterOutOfRange, std::string("Invalid HTTP method ") + method); | |
| 143 } | |
| 144 | |
| 145 std::string regex = patternRegex; | |
| 146 std::string strippedDicomWebRoot = dicomWebRoot_; | |
| 147 | |
| 148 StripLeadingAndTrailingSlashes(strippedDicomWebRoot); | |
| 149 Replace(regex, "DICOM_WEB_ROOT", strippedDicomWebRoot); | |
| 150 | |
| 151 LOG(WARNING) << "Authorization plugin: adding a new permission pattern: " << lowerCaseMethod << " " << regex << " - " << permission; | |
| 152 | |
| 153 permissionsPattern_.push_back(PermissionPattern(parsedMethod, regex, permission)); | |
|
194
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
154 |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
155 { // extract individual permissions |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
156 std::set<std::string> permissions; |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
157 Orthanc::Toolbox::SplitString(permissions, permission, '|'); |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
158 |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
159 for (std::set<std::string>::const_iterator it = permissions.begin(); it != permissions.end(); ++it) |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
160 { |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
161 if (!it->empty()) |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
162 { |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
163 permissionsList_.insert(*it); |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
164 } |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
165 } |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
166 |
|
85859ec3aa7e
added support for roles/permissions edition
Alain Mazy <am@orthanc.team>
parents:
188
diff
changeset
|
167 } |
| 71 | 168 } |
| 169 | |
| 170 bool PermissionParser::Parse(std::set<std::string>& permissions, | |
| 171 std::string& matchedPattern, | |
| 172 const OrthancPluginHttpMethod& method, | |
| 173 const std::string& uri) const | |
| 174 { | |
| 175 // The mutex below should not be necessary, but we prefer to | |
| 176 // ensure thread safety in boost::regex | |
| 177 boost::mutex::scoped_lock lock(mutex_); | |
| 178 | |
| 179 | |
| 180 for (std::list<PermissionPattern>::const_iterator it = permissionsPattern_.begin(); | |
| 181 it != permissionsPattern_.end(); ++it) | |
| 182 { | |
| 183 if (method == it->method) | |
| 184 { | |
| 185 boost::smatch what; | |
| 186 if (boost::regex_match(uri, what, it->pattern)) | |
| 187 { | |
| 188 matchedPattern = it->pattern.expression(); | |
| 189 permissions = it->permissions; | |
| 190 return true; | |
| 191 } | |
| 192 } | |
| 193 } | |
| 194 | |
| 195 return false; | |
| 196 } | |
| 197 } |