1
|
1 /**
|
|
2 * Advanced authorization plugin for Orthanc
|
|
3 * Copyright (C) 2017 Osimis, Belgium
|
|
4 *
|
|
5 * This program is free software: you can redistribute it and/or
|
|
6 * modify it under the terms of the GNU Affero General Public License
|
|
7 * as published by the Free Software Foundation, either version 3 of
|
|
8 * the License, or (at your option) any later version.
|
|
9 *
|
|
10 * This program is distributed in the hope that it will be useful, but
|
|
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
13 * Affero General Public License for more details.
|
|
14 *
|
|
15 * You should have received a copy of the GNU Affero General Public License
|
|
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
17 **/
|
|
18
|
|
19 #include "AssociativeArray.h"
|
|
20 #include "DefaultAuthorizationParser.h"
|
|
21 #include "CachedAuthorizationService.h"
|
|
22 #include "AuthorizationWebService.h"
|
|
23 #include "MemoryCache.h"
|
|
24
|
|
25 #include "../Resources/Orthanc/Plugins/Samples/Common/OrthancPluginCppWrapper.h"
|
|
26 #include "../Resources/Orthanc/Core/Logging.h"
|
|
27 #include "../Resources/Orthanc/Core/Toolbox.h"
|
|
28
|
|
29 static OrthancPluginContext* context_ = NULL;
|
|
30
|
|
31
|
|
32 // Configuration of the authorization plugin
|
|
33 static std::auto_ptr<OrthancPlugins::IAuthorizationParser> authorizationParser_;
|
|
34 static std::auto_ptr<OrthancPlugins::IAuthorizationService> authorizationService_;
|
|
35 static std::set<std::string> uncheckedResources_;
|
|
36 static std::list<std::string> uncheckedFolders_;
|
|
37 static std::list<OrthancPlugins::Token> tokens_;
|
|
38 static std::set<OrthancPlugins::AccessLevel> uncheckedLevels_;
|
|
39
|
|
40
|
|
41 static int32_t FilterHttpRequests(OrthancPluginHttpMethod method,
|
|
42 const char *uri,
|
|
43 const char *ip,
|
|
44 uint32_t headersCount,
|
|
45 const char *const *headersKeys,
|
|
46 const char *const *headersValues,
|
|
47 uint32_t getArgumentsCount,
|
|
48 const char *const *getArgumentsKeys,
|
|
49 const char *const *getArgumentsValues)
|
|
50 {
|
|
51 try
|
|
52 {
|
|
53 if (method == OrthancPluginHttpMethod_Get)
|
|
54 {
|
|
55 // Allow GET accesses to static resources
|
|
56 if (uncheckedResources_.find(uri) != uncheckedResources_.end())
|
|
57 {
|
|
58 return 1;
|
|
59 }
|
|
60
|
|
61 for (std::list<std::string>::const_iterator
|
|
62 it = uncheckedFolders_.begin(); it != uncheckedFolders_.end(); ++it)
|
|
63 {
|
|
64 if (Orthanc::Toolbox::StartsWith(uri, *it))
|
|
65 {
|
|
66 return 1;
|
|
67 }
|
|
68 }
|
|
69 }
|
|
70
|
|
71 if (authorizationParser_.get() != NULL &&
|
|
72 authorizationService_.get() != NULL)
|
|
73 {
|
|
74 // Parse the resources that are accessed through this URI
|
|
75 OrthancPlugins::IAuthorizationParser::AccessedResources accesses;
|
|
76 if (!authorizationParser_->Parse(accesses, uri))
|
|
77 {
|
|
78 return 0; // Unable to parse this URI
|
|
79 }
|
|
80
|
|
81 // Loop over all the accessed resources to ensure access is
|
|
82 // granted to each of them
|
|
83 for (OrthancPlugins::IAuthorizationParser::AccessedResources::const_iterator
|
|
84 access = accesses.begin(); access != accesses.end(); ++access)
|
|
85 {
|
|
86 // Ignored the access levels that are unchecked
|
|
87 // (cf. "UncheckedLevels" option)
|
|
88 if (uncheckedLevels_.find(access->GetLevel()) == uncheckedLevels_.end())
|
|
89 {
|
|
90 LOG(INFO) << "Testing whether access to "
|
|
91 << OrthancPlugins::EnumerationToString(access->GetLevel())
|
|
92 << " \"" << access->GetOrthancId() << "\" is allowed";
|
|
93
|
|
94 bool granted = false;
|
|
95 unsigned int validity; // ignored
|
|
96
|
|
97 if (tokens_.empty())
|
|
98 {
|
|
99 granted = authorizationService_->IsGranted(validity, method, *access);
|
|
100 }
|
|
101 else
|
|
102 {
|
|
103 OrthancPlugins::AssociativeArray headers
|
|
104 (headersCount, headersKeys, headersValues, false);
|
|
105
|
|
106 OrthancPlugins::AssociativeArray getArguments
|
|
107 (getArgumentsCount, getArgumentsKeys, getArgumentsValues, true);
|
|
108
|
|
109 // Loop over all the authorization tokens stored in the HTTP
|
|
110 // headers, until finding one that is granted
|
|
111 for (std::list<OrthancPlugins::Token>::const_iterator
|
|
112 token = tokens_.begin(); token != tokens_.end(); ++token)
|
|
113 {
|
|
114 std::string value;
|
|
115
|
|
116 bool hasValue = false;
|
|
117 switch (token->GetType())
|
|
118 {
|
|
119 case OrthancPlugins::TokenType_HttpHeader:
|
|
120 hasValue = headers.GetValue(value, token->GetKey());
|
|
121 break;
|
|
122
|
|
123 case OrthancPlugins::TokenType_GetArgument:
|
|
124 hasValue = getArguments.GetValue(value, token->GetKey());
|
|
125 break;
|
|
126
|
|
127 default:
|
|
128 throw Orthanc::OrthancException(Orthanc::ErrorCode_ParameterOutOfRange);
|
|
129 }
|
|
130
|
|
131 if (hasValue &&
|
|
132 authorizationService_->IsGranted(validity, method, *access, *token, value))
|
|
133 {
|
|
134 granted = true;
|
|
135 break;
|
|
136 }
|
|
137 }
|
|
138 }
|
|
139
|
|
140 if (!granted)
|
|
141 {
|
|
142 return 0;
|
|
143 }
|
|
144 }
|
|
145 }
|
|
146
|
|
147 // Access is granted to all the resources
|
|
148 return 1;
|
|
149 }
|
|
150
|
|
151 // By default, forbid access to all the resources
|
|
152 return 0;
|
|
153 }
|
|
154 catch (std::runtime_error& e)
|
|
155 {
|
|
156 LOG(ERROR) << e.what();
|
|
157 return OrthancPluginErrorCode_Success; // Ignore error
|
|
158 }
|
|
159 catch (Orthanc::OrthancException& e)
|
|
160 {
|
|
161 LOG(ERROR) << e.What();
|
|
162 return OrthancPluginErrorCode_Success; // Ignore error
|
|
163 }
|
|
164 catch (...)
|
|
165 {
|
|
166 LOG(ERROR) << "Unhandled internal exception";
|
|
167 return OrthancPluginErrorCode_Success; // Ignore error
|
|
168 }
|
|
169 }
|
|
170
|
|
171
|
|
172 #if !ORTHANC_PLUGINS_VERSION_IS_ABOVE(1, 2, 1)
|
|
173 static int32_t FilterHttpRequestsFallback(OrthancPluginHttpMethod method,
|
|
174 const char *uri,
|
|
175 const char *ip,
|
|
176 uint32_t headersCount,
|
|
177 const char *const *headersKeys,
|
|
178 const char *const *headersValues)
|
|
179 {
|
|
180 // Fallback wrapper function for Orthanc <= 1.2.0, where the GET
|
|
181 // arguments were not available in the HTTP filters
|
|
182 return FilterHttpRequests(method, uri, ip,
|
|
183 headersCount, headersKeys, headersValues,
|
|
184 0, NULL, NULL);
|
|
185 }
|
|
186 #endif
|
|
187
|
|
188
|
|
189 static OrthancPluginErrorCode OnChangeCallback(OrthancPluginChangeType changeType,
|
|
190 OrthancPluginResourceType resourceType,
|
|
191 const char* resourceId)
|
|
192 {
|
|
193 try
|
|
194 {
|
|
195 if (authorizationParser_.get() == NULL)
|
|
196 {
|
|
197 throw Orthanc::OrthancException(Orthanc::ErrorCode_InternalError);
|
|
198 }
|
|
199
|
|
200 if (changeType == OrthancPluginChangeType_Deleted)
|
|
201 {
|
|
202 switch (resourceType)
|
|
203 {
|
|
204 case OrthancPluginResourceType_Patient:
|
|
205 authorizationParser_->Invalidate(Orthanc::ResourceType_Patient, resourceId);
|
|
206 break;
|
|
207
|
|
208 case OrthancPluginResourceType_Study:
|
|
209 authorizationParser_->Invalidate(Orthanc::ResourceType_Study, resourceId);
|
|
210 break;
|
|
211
|
|
212 case OrthancPluginResourceType_Series:
|
|
213 authorizationParser_->Invalidate(Orthanc::ResourceType_Series, resourceId);
|
|
214 break;
|
|
215
|
|
216 case OrthancPluginResourceType_Instance:
|
|
217 authorizationParser_->Invalidate(Orthanc::ResourceType_Instance, resourceId);
|
|
218 break;
|
|
219
|
|
220 default:
|
|
221 break;
|
|
222 }
|
|
223 }
|
|
224
|
|
225 return OrthancPluginErrorCode_Success;
|
|
226 }
|
|
227 catch (std::runtime_error& e)
|
|
228 {
|
|
229 LOG(ERROR) << e.what();
|
|
230 return OrthancPluginErrorCode_Success; // Ignore error
|
|
231 }
|
|
232 catch (Orthanc::OrthancException& e)
|
|
233 {
|
|
234 LOG(ERROR) << e.What();
|
|
235 return OrthancPluginErrorCode_Success; // Ignore error
|
|
236 }
|
|
237 catch (...)
|
|
238 {
|
|
239 LOG(ERROR) << "Unhandled internal exception";
|
|
240 return OrthancPluginErrorCode_Success; // Ignore error
|
|
241 }
|
|
242 }
|
|
243
|
|
244
|
|
245 extern "C"
|
|
246 {
|
|
247 ORTHANC_PLUGINS_API int32_t OrthancPluginInitialize(OrthancPluginContext* context)
|
|
248 {
|
|
249 context_ = context;
|
|
250 OrthancPluginLogWarning(context_, "Initializing the authorization plugin");
|
|
251
|
|
252 /* Check the version of the Orthanc core */
|
|
253 if (OrthancPluginCheckVersion(context_) == 0)
|
|
254 {
|
|
255 OrthancPlugins::ReportMinimalOrthancVersion(context_,
|
|
256 ORTHANC_PLUGINS_MINIMAL_MAJOR_NUMBER,
|
|
257 ORTHANC_PLUGINS_MINIMAL_MINOR_NUMBER,
|
|
258 ORTHANC_PLUGINS_MINIMAL_REVISION_NUMBER);
|
|
259 return -1;
|
|
260 }
|
|
261
|
|
262 Orthanc::Logging::Initialize(context_);
|
|
263 OrthancPluginSetDescription(context_, "Advanced authorization plugin for Orthanc.");
|
|
264
|
|
265 try
|
|
266 {
|
|
267 OrthancPlugins::OrthancConfiguration general(context_);
|
|
268
|
|
269 static const char* SECTION = "Authorization";
|
|
270 if (general.IsSection(SECTION))
|
|
271 {
|
|
272 OrthancPlugins::OrthancConfiguration configuration;
|
|
273 general.GetSection(configuration, "Authorization");
|
|
274
|
|
275 // TODO - The size of the caches is set to 10,000 items. Maybe add a configuration option?
|
|
276 OrthancPlugins::MemoryCache::Factory factory(10000);
|
|
277
|
|
278 {
|
|
279 std::string root;
|
|
280
|
|
281 if (configuration.IsSection("DicomWeb"))
|
|
282 {
|
|
283 OrthancPlugins::OrthancConfiguration dicomWeb;
|
|
284 dicomWeb.GetSection(configuration, "DicomWeb");
|
|
285 root = dicomWeb.GetStringValue("Root", "");
|
|
286 }
|
|
287
|
|
288 if (root.empty())
|
|
289 {
|
|
290 root = "/dicom-web/";
|
|
291 }
|
|
292
|
|
293 authorizationParser_.reset
|
|
294 (new OrthancPlugins::DefaultAuthorizationParser(context_, factory, root));
|
|
295 }
|
|
296
|
|
297 std::list<std::string> tmp;
|
|
298
|
|
299 configuration.LookupListOfStrings(tmp, "TokenHttpHeaders", true);
|
|
300 for (std::list<std::string>::const_iterator
|
|
301 it = tmp.begin(); it != tmp.end(); ++it)
|
|
302 {
|
|
303 tokens_.push_back(OrthancPlugins::Token(OrthancPlugins::TokenType_HttpHeader, *it));
|
|
304 }
|
|
305
|
|
306 configuration.LookupListOfStrings(tmp, "TokenGetArguments", true);
|
|
307
|
|
308 #if ORTHANC_PLUGINS_VERSION_IS_ABOVE(1, 2, 1)
|
|
309 for (std::list<std::string>::const_iterator
|
|
310 it = tmp.begin(); it != tmp.end(); ++it)
|
|
311 {
|
|
312 tokens_.push_back(OrthancPlugins::Token(OrthancPlugins::TokenType_GetArgument, *it));
|
|
313 }
|
|
314 #else
|
|
315 if (!tmp.empty())
|
|
316 {
|
|
317 LOG(ERROR) << "The option \"TokenGetArguments\" of the authorization plugin "
|
|
318 << "is only valid if compiled against Orthanc >= 1.2.1";
|
|
319 throw Orthanc::OrthancException(Orthanc::ErrorCode_Plugin);
|
|
320 }
|
|
321 #endif
|
|
322
|
|
323 configuration.LookupSetOfStrings(uncheckedResources_, "UncheckedResources", false);
|
|
324 configuration.LookupListOfStrings(uncheckedFolders_, "UncheckedFolders", false);
|
|
325
|
|
326 std::string url;
|
|
327
|
|
328 static const char* WEB_SERVICE = "WebService";
|
|
329 if (!configuration.LookupStringValue(url, WEB_SERVICE))
|
|
330 {
|
|
331 LOG(ERROR) << "Missing mandatory option \"" << WEB_SERVICE
|
|
332 << "\" for the authorization plugin";
|
|
333 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat);
|
|
334 }
|
|
335
|
|
336 if (configuration.LookupListOfStrings(tmp, "UncheckedLevels", false))
|
|
337 {
|
|
338 for (std::list<std::string>::const_iterator
|
|
339 it = tmp.begin(); it != tmp.end(); ++it)
|
|
340 {
|
|
341 uncheckedLevels_.insert(OrthancPlugins::StringToAccessLevel(*it));
|
|
342 }
|
|
343 }
|
|
344
|
|
345 authorizationService_.reset
|
|
346 (new OrthancPlugins::CachedAuthorizationService
|
|
347 (new OrthancPlugins::AuthorizationWebService(context_, url), factory));
|
|
348
|
|
349 OrthancPluginRegisterOnChangeCallback(context_, OnChangeCallback);
|
|
350
|
|
351 #if ORTHANC_PLUGINS_VERSION_IS_ABOVE(1, 2, 1)
|
|
352 OrthancPluginRegisterIncomingHttpRequestFilter2(context_, FilterHttpRequests);
|
|
353 #else
|
|
354 OrthancPluginRegisterIncomingHttpRequestFilter(context_, FilterHttpRequestsFallback);
|
|
355 #endif
|
|
356 }
|
|
357 else
|
|
358 {
|
|
359 LOG(WARNING) << "No section \"" << SECTION << "\" in the configuration file, "
|
|
360 << "the authorization plugin is disabled";
|
|
361 }
|
|
362 }
|
|
363 catch (Orthanc::OrthancException& e)
|
|
364 {
|
|
365 LOG(ERROR) << e.What();
|
|
366 return -1;
|
|
367 }
|
|
368
|
|
369 return 0;
|
|
370 }
|
|
371
|
|
372
|
|
373 ORTHANC_PLUGINS_API void OrthancPluginFinalize()
|
|
374 {
|
|
375 authorizationParser_.reset(NULL);
|
|
376 }
|
|
377
|
|
378
|
|
379 ORTHANC_PLUGINS_API const char* OrthancPluginGetName()
|
|
380 {
|
|
381 return "authorization";
|
|
382 }
|
|
383
|
|
384
|
|
385 ORTHANC_PLUGINS_API const char* OrthancPluginGetVersion()
|
|
386 {
|
|
387 return ORTHANC_AUTHORIZATION_VERSION;
|
|
388 }
|
|
389 }
|