Mercurial > hg > orthanc-authorization
annotate Plugin/DefaultConfiguration.json @ 77:94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
| author | Alain Mazy <am@osimis.io> |
|---|---|
| date | Wed, 15 Mar 2023 16:36:42 +0100 |
| parents | 57e98fc07ab2 |
| children | 94c5388ed30b |
| rev | line source |
|---|---|
| 71 | 1 { |
| 2 "Authorization" : { | |
|
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
3 // The Base URL of the auth webservice. This is an alias for all 3 next configurations: |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
4 // // "WebServiceUserProfileUrl" : " ROOT /user/get-profile", |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
5 // // "WebServiceTokenValidationUrl" : " ROOT /tokens/validate", |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
6 // // "WebServiceTokenCreationBaseUrl" : " ROOT /tokens/", |
|
73
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
7 // You should define it only if your auth webservice implements all 3 routes ! |
|
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
8 // "WebServiceRootUrl" : "http://change-me:8000/", |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
9 |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
10 // The URL of the auth webservice route implementing user profile (optional) |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
11 // (this configuration was previously named "WebService" and its old name is still accepted |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
12 // for backward compatibility) |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
13 // "WebServiceUserProfileUrl" : "http://change-me:8000/user/profile", |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
14 |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
15 // The URL of the auth webservice route implementing resource level authorization (optional) |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
16 // "WebServiceTokenValidationUrl" : "http://change-me:8000/tokens/validate", |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
17 |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
18 // The Base URL of the auth webservice route to create tokens (optional) |
|
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
19 // "WebServiceTokenCreationBaseUrl" : "http://change-me:8000/tokens/", |
| 71 | 20 |
| 21 // The username and password to connect to the webservice (optional) | |
| 22 //"WebServiceUsername": "change-me", | |
| 23 //"WebServicePassword": "change-me", | |
| 24 | |
| 25 // An identifier added to the payload of each request to the auth webservice (optional) | |
| 26 //"WebServiceIdentifier": "change-me" | |
| 27 | |
| 28 // The name of the HTTP headers that may contain auth tokens | |
| 29 //"TokenHttpHeaders" : [], | |
| 30 | |
| 31 // the name of the GET arguments that may contain auth tokens | |
| 32 //"TokenGetArguments" : [], | |
| 33 | |
| 34 // A list of predefined configurations for well-known plugins | |
| 35 // "StandardConfigurations": [ // new in v 0.4.0 | |
| 36 // "osimis-web-viewer", | |
| 37 // "stone-webviewer", | |
| 38 // "orthanc-explorer-2" | |
| 39 // ], | |
| 40 | |
| 41 //"UncheckedResources" : [], | |
| 42 //"UncheckedFolders" : [], | |
| 43 //"CheckedLevel" : "studies", | |
| 44 //"UncheckedLevels" : [], | |
| 45 | |
| 46 // Definition of required "user-permissions". This can be fully customized. | |
|
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
47 // You may define other permissions yourself as long as they match the permissions |
| 71 | 48 // provided in the user-profile route implemented by the auth-service. |
| 49 // You may test your regex in https://regex101.com/ by selecting .NET (C#) and removing the leading ^ and trailing $ | |
| 50 // The default configuration is suitable for Orthanc-Explorer-2 (see TBD sample) | |
| 51 "Permissions" : [ | |
| 75 | 52 ["post", "^/auth/tokens/decode$", ""], |
|
77
94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
Alain Mazy <am@osimis.io>
parents:
75
diff
changeset
|
53 ["post", "^/tools/lookup$", ""], // currently used to authorize downloads in Stone (to map the StudyInstanceUID into an OrthancID. Not ideal -> we should define a new API that has the resource ID in the path to be able to check it at resource level) but, on another hand, you do not get any Patient information from this route |
| 75 | 54 |
| 71 | 55 // elemental browsing in OE2 |
| 56 ["post", "^/tools/find$", "all|view"], | |
| 75 | 57 ["get" , "^/(patients|studies|series|instances)/([a-f0-9-]+)$", "all|view"], |
| 58 ["get" , "^/(patients|studies|series|instances)/([a-f0-9-]+)/(studies|study|series|instances)$", "all|view"], | |
| 71 | 59 ["get" , "^/instances/([a-f0-9-]+)/(tags|header)$", "all|view"], |
| 60 ["get" , "^/statistics$", "all|view"], | |
| 61 | |
| 75 | 62 // create links to open viewer or download resources |
| 63 ["put", "^/auth/tokens/(viewer-instant-link|meddream-instant-link)$", "all|view"], | |
| 64 ["put", "^/auth/tokens/(download-instant-link)$", "all|download"], | |
| 65 | |
| 66 // share a link to open a study | |
| 67 ["put", "^/auth/tokens/(stone-viewer-publication|meddream-viewer-publication|osimis-viewer-publication)$", "all|share"], | |
| 68 | |
| 69 // uploads | |
| 70 ["post", "^/instances$", "all|upload"], | |
| 71 | |
| 71 | 72 // monitor jobs you have created |
| 73 ["get" , "^/jobs/([a-f0-9-]+)$", "all|send|modify|anonymize|q-r-remote-modalities"], | |
| 74 | |
| 75 // interacting with peers/modalities/dicomweb | |
| 76 ["post", "^/(peers|modalities)/(.*)/store$", "all|send"], | |
| 77 ["get" , "^/(peers|modalities)$", "all|send|q-r-remote-modalities"], | |
| 78 ["post", "^/modalities/(.*)/echo$", "all|send|q-r-remote-modalities"], | |
| 79 ["post", "^/modalities/(.*)/query$", "all|q-r-remote-modalities"], | |
| 80 ["get", "^/queries/([a-f0-9-]+)/answers$", "all|q-r-remote-modalities"], | |
| 81 ["post", "^/modalities/(.*)/move$", "all|q-r-remote-modalities"], | |
| 75 | 82 ["get" , "^/DICOM_WEB_ROOT/servers$", "all|send|q-r-remote-modalities"], |
| 71 | 83 ["get" , "^/DICOM_WEB_ROOT/(servers)/(.*)/stow$", "all|send"], |
| 84 | |
| 85 // modifications/anonymization | |
| 86 ["post", "^/(patients|studies|series|instances)/([a-f0-9-]+)/modify(.*)$", "all|modify"], | |
|
77
94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
Alain Mazy <am@osimis.io>
parents:
75
diff
changeset
|
87 ["post", "^/(patients|studies|series|instances)/([a-f0-9-]+)/anonymize(.*)$", "all|anonymize"], |
|
94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
Alain Mazy <am@osimis.io>
parents:
75
diff
changeset
|
88 |
|
94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
Alain Mazy <am@osimis.io>
parents:
75
diff
changeset
|
89 // deletes |
|
94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
Alain Mazy <am@osimis.io>
parents:
75
diff
changeset
|
90 ["delete" , "^/(patients|studies|series|instances)/([a-f0-9-]+)$", "all|delete"], |
|
94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
Alain Mazy <am@osimis.io>
parents:
75
diff
changeset
|
91 |
|
94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
Alain Mazy <am@osimis.io>
parents:
75
diff
changeset
|
92 // settings |
|
94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
Alain Mazy <am@osimis.io>
parents:
75
diff
changeset
|
93 ["put", "^/tools/log-level$", "all|settings"], |
|
94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
Alain Mazy <am@osimis.io>
parents:
75
diff
changeset
|
94 ["get", "^/tools/log-level$", "all|settings"] |
| 71 | 95 ] |
| 96 } | |
| 97 } |