Mercurial > hg > orthanc-authorization
annotate Plugin/Plugin.cpp @ 167:e406ef204e3a
new default permissions for create-dicom + stl routes
author | Alain Mazy <am@orthanc.team> |
---|---|
date | Wed, 15 May 2024 14:31:04 +0200 |
parents | 3c99bb6fd309 |
children | c4b908970ae4 |
rev | line source |
---|---|
1 | 1 /** |
2 * Advanced authorization plugin for Orthanc | |
68 | 3 * Copyright (C) 2017-2023 Osimis S.A., Belgium |
150 | 4 * Copyright (C) 2024-2024 Orthanc Team SRL, Belgium |
1 | 5 * |
6 * This program is free software: you can redistribute it and/or | |
7 * modify it under the terms of the GNU Affero General Public License | |
8 * as published by the Free Software Foundation, either version 3 of | |
9 * the License, or (at your option) any later version. | |
10 * | |
11 * This program is distributed in the hope that it will be useful, but | |
12 * WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 * Affero General Public License for more details. | |
15 * | |
16 * You should have received a copy of the GNU Affero General Public License | |
17 * along with this program. If not, see <http://www.gnu.org/licenses/>. | |
18 **/ | |
19 | |
20 #include "AssociativeArray.h" | |
21 #include "DefaultAuthorizationParser.h" | |
22 #include "CachedAuthorizationService.h" | |
23 #include "AuthorizationWebService.h" | |
71 | 24 #include "PermissionParser.h" |
1 | 25 #include "MemoryCache.h" |
34 | 26 #include "../Resources/Orthanc/Plugins/OrthancPluginCppWrapper.h" |
27 | |
36
8ada1b669194
replacing deprecated std::auto_ptr by std::unique_ptr
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
35
diff
changeset
|
28 #include <Compatibility.h> // For std::unique_ptr<> |
32 | 29 #include <Logging.h> |
30 #include <Toolbox.h> | |
111 | 31 #include <SerializationToolbox.h> |
71 | 32 #include <EmbeddedResources.h> |
1 | 33 |
156
43b77aa34468
fix deprecated calls
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
153
diff
changeset
|
34 #define ORTHANC_PLUGIN_NAME "authorization" |
43b77aa34468
fix deprecated calls
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
153
diff
changeset
|
35 |
1 | 36 |
37 // Configuration of the authorization plugin | |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
38 static bool resourceTokensEnabled_ = false; |
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
39 static bool userTokensEnabled_ = false; |
36
8ada1b669194
replacing deprecated std::auto_ptr by std::unique_ptr
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
35
diff
changeset
|
40 static std::unique_ptr<OrthancPlugins::IAuthorizationParser> authorizationParser_; |
8ada1b669194
replacing deprecated std::auto_ptr by std::unique_ptr
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
35
diff
changeset
|
41 static std::unique_ptr<OrthancPlugins::IAuthorizationService> authorizationService_; |
71 | 42 static std::unique_ptr<OrthancPlugins::PermissionParser> permissionParser_; |
1 | 43 static std::set<std::string> uncheckedResources_; |
44 static std::list<std::string> uncheckedFolders_; | |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
45 static std::set<OrthancPlugins::Token> tokens_; |
1 | 46 static std::set<OrthancPlugins::AccessLevel> uncheckedLevels_; |
47 | |
48 | |
71 | 49 static std::string JoinStrings(const std::set<std::string>& values) |
50 { | |
51 std::string out; | |
52 std::set<std::string> copy = values; // TODO: remove after upgrading to OrthancFramework 1.11.3+ | |
53 Orthanc::Toolbox::JoinStrings(out, copy, "|"); | |
54 return out; | |
55 } | |
56 | |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
57 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
58 // For Orthanc prior to 1.12.2, we can not use the Forbidden error code and report the error ourselves |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
59 static void SendForbiddenError(const char* message, OrthancPluginRestOutput* output) |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
60 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
61 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext(); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
62 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
63 OrthancPluginSendHttpStatus(context, output, 403, message, strlen(message)); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
64 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
65 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
66 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
67 |
86 | 68 class TokenAndValue |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
69 { |
86 | 70 private: |
71 OrthancPlugins::Token token_; | |
72 std::string value_; | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
73 |
86 | 74 public: |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
75 TokenAndValue(const OrthancPlugins::Token& token, const std::string& value) : |
86 | 76 token_(token), |
77 value_(value) | |
78 { | |
79 } | |
80 | |
81 const OrthancPlugins::Token& GetToken() const | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
82 { |
86 | 83 return token_; |
84 } | |
85 | |
86 const std::string& GetValue() const | |
87 { | |
88 return value_; | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
89 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
90 }; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
91 |
113 | 92 bool HasAccessToAllLabels(const OrthancPlugins::IAuthorizationService::UserProfile& profile) |
93 { | |
94 return (profile.authorizedLabels.find("*") != profile.authorizedLabels.end()); | |
95 } | |
96 | |
97 bool HasAccessToSomeLabels(const OrthancPlugins::IAuthorizationService::UserProfile& profile) | |
98 { | |
99 return (profile.authorizedLabels.size() > 0); | |
100 } | |
101 | |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
102 static bool HasAuthorizedLabelsForResource(bool& granted, |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
103 const OrthancPlugins::IAuthorizationParser::AccessedResources& accesses, |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
104 const OrthancPlugins::IAuthorizationService::UserProfile& profile) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
105 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
106 granted = false; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
107 |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
108 if (HasAccessToAllLabels(profile)) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
109 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
110 granted = true; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
111 return true; // we could check labels |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
112 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
113 |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
114 // Loop over all the accessed resources to ensure access is |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
115 // granted to each of them |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
116 for (OrthancPlugins::IAuthorizationParser::AccessedResources::const_iterator |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
117 access = accesses.begin(); access != accesses.end(); ++access) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
118 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
119 // Ignored the access levels that are unchecked |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
120 // (cf. "UncheckedLevels" option) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
121 if (uncheckedLevels_.find(access->GetLevel()) == uncheckedLevels_.end()) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
122 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
123 std::string msg = std::string("Testing whether access to ") + OrthancPlugins::EnumerationToString(access->GetLevel()) + " \"" + access->GetOrthancId() + "\" is allowed wrt Labels for User '" + profile.name + "'"; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
124 const std::set<std::string>& resourceLabels = access->GetLabels(); |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
125 std::set<std::string> authorizedResourceLabels; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
126 |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
127 Orthanc::Toolbox::GetIntersection(authorizedResourceLabels, resourceLabels, profile.authorizedLabels); |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
128 |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
129 if (authorizedResourceLabels.size() == 0) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
130 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
131 LOG(INFO) << msg << " -> not granted, no authorized labels"; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
132 granted = false; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
133 return true; // we could check labels |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
134 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
135 else |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
136 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
137 LOG(INFO) << msg << " -> granted, at least one authorized labels"; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
138 granted = true; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
139 return true; // we could check labels |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
140 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
141 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
142 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
143 |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
144 // This method only checks if a resource is accessible thanks to its labels. If we could not check it, we always return false !! |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
145 return false; // we could not check labels |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
146 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
147 |
113 | 148 |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
149 static bool CheckAuthorizedLabelsForResource(bool& granted, |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
150 const std::string& uri, |
113 | 151 const OrthancPlugins::AssociativeArray& getArguments, |
152 const OrthancPlugins::IAuthorizationService::UserProfile& profile) | |
153 { | |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
154 granted = false; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
155 |
113 | 156 if (HasAccessToAllLabels(profile)) |
157 { | |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
158 granted = true; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
159 return true; // we could check labels |
113 | 160 } |
161 | |
162 if (authorizationParser_.get() != NULL && | |
163 authorizationService_.get() != NULL) | |
164 { | |
165 // Parse the resources that are accessed through this URI | |
166 OrthancPlugins::IAuthorizationParser::AccessedResources accesses; | |
167 | |
168 if (!authorizationParser_->Parse(accesses, uri, getArguments.GetMap())) | |
169 { | |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
170 return false; // Unable to parse this URI, we could not check labels |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
171 } |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
172 |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
173 if (authorizationParser_->IsListOfResources(uri)) |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
174 { |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
175 granted = false; // if a user does not have access to all labels, he can not have access to a list of resources |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
176 return true; // we could check labels |
113 | 177 } |
178 | |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
179 return HasAuthorizedLabelsForResource(granted, accesses, profile); |
113 | 180 } |
181 | |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
182 // This method only checks if a resource is accessible thanks to its labels. If we could not check it, we always return false !! |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
183 return false; // we could not check labels |
113 | 184 } |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
185 |
116
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
186 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
187 static void GetAuthTokens(std::vector<TokenAndValue>& authTokens, |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
188 uint32_t headersCount, |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
189 const char *const *headersKeys, |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
190 const char *const *headersValues, |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
191 uint32_t getArgumentsCount, |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
192 const char *const *getArgumentsKeys, |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
193 const char *const *getArgumentsValues) // the tokens that are set in this request |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
194 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
195 // Extract auth tokens from headers and url get arguments |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
196 //////////////////////////////////////////////////////////////// |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
197 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
198 OrthancPlugins::AssociativeArray headers(headersCount, headersKeys, headersValues, false); |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
199 OrthancPlugins::AssociativeArray getArguments(getArgumentsCount, getArgumentsKeys, getArgumentsValues, true); |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
200 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
201 for (std::set<OrthancPlugins::Token>::const_iterator token = tokens_.begin(); token != tokens_.end(); ++token) |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
202 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
203 std::string value; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
204 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
205 bool hasValue = false; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
206 switch (token->GetType()) |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
207 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
208 case OrthancPlugins::TokenType_HttpHeader: |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
209 hasValue = headers.GetValue(value, token->GetKey()); |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
210 break; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
211 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
212 case OrthancPlugins::TokenType_GetArgument: |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
213 hasValue = getArguments.GetValue(value, token->GetKey()); |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
214 break; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
215 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
216 default: |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
217 throw Orthanc::OrthancException(Orthanc::ErrorCode_ParameterOutOfRange); |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
218 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
219 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
220 if (hasValue) |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
221 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
222 authTokens.push_back(TokenAndValue(*token, value)); |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
223 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
224 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
225 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
226 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
227 static bool IsResourceAccessGranted(const std::vector<TokenAndValue>& authTokens, |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
228 OrthancPluginHttpMethod method, |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
229 const OrthancPlugins::AccessedResource& access) |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
230 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
231 unsigned int validity; // ignored |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
232 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
233 // Ignored the access levels that are unchecked |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
234 // (cf. "UncheckedLevels" option) |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
235 if (uncheckedLevels_.find(access.GetLevel()) == uncheckedLevels_.end()) |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
236 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
237 std::string msg = std::string("Testing whether access to ") + OrthancPlugins::EnumerationToString(access.GetLevel()) + " \"" + access.GetOrthancId() + "\" is allowed with a resource token"; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
238 LOG(INFO) << msg; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
239 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
240 bool granted = false; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
241 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
242 if (authTokens.empty()) |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
243 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
244 granted = authorizationService_->IsGrantedToAnonymousUser(validity, method, access); |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
245 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
246 else |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
247 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
248 // Loop over all the authorization tokens in the request until finding one that is granted |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
249 for (size_t i = 0; i < authTokens.size(); ++i) |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
250 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
251 if (authorizationService_->IsGranted(validity, method, access, authTokens[i].GetToken(), authTokens[i].GetValue())) |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
252 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
253 granted = true; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
254 break; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
255 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
256 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
257 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
258 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
259 if (!granted) |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
260 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
261 LOG(INFO) << msg << " -> not granted"; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
262 return false; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
263 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
264 else |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
265 { |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
266 LOG(INFO) << msg << " -> granted"; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
267 return true; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
268 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
269 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
270 |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
271 return false; |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
272 } |
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
273 |
1 | 274 static int32_t FilterHttpRequests(OrthancPluginHttpMethod method, |
275 const char *uri, | |
276 const char *ip, | |
277 uint32_t headersCount, | |
278 const char *const *headersKeys, | |
279 const char *const *headersValues, | |
280 uint32_t getArgumentsCount, | |
281 const char *const *getArgumentsKeys, | |
282 const char *const *getArgumentsValues) | |
283 { | |
284 try | |
285 { | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
286 unsigned int validity; // ignored |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
287 |
109 | 288 // Allow GET accesses to unchecked resources/folders (usually static resources) |
289 //////////////////////////////////////////////////////////////// | |
290 | |
1 | 291 if (method == OrthancPluginHttpMethod_Get) |
292 { | |
293 if (uncheckedResources_.find(uri) != uncheckedResources_.end()) | |
294 { | |
295 return 1; | |
296 } | |
297 | |
298 for (std::list<std::string>::const_iterator | |
299 it = uncheckedFolders_.begin(); it != uncheckedFolders_.end(); ++it) | |
300 { | |
301 if (Orthanc::Toolbox::StartsWith(uri, *it)) | |
302 { | |
303 return 1; | |
304 } | |
305 } | |
306 } | |
307 | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
308 std::vector<TokenAndValue> authTokens; // the tokens that are set in this request |
116
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
309 GetAuthTokens(authTokens, headersCount, headersKeys, headersValues, getArgumentsCount, getArgumentsKeys, getArgumentsValues); |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
310 |
116
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
311 OrthancPlugins::AssociativeArray getArguments(getArgumentsCount, getArgumentsKeys, getArgumentsValues, true); |
71 | 312 |
109 | 313 // Based on the tokens, check if the user has access based on its permissions and the mapping between urls and permissions |
314 //////////////////////////////////////////////////////////////// | |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
315 bool hasUserRequiredPermissions = false; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
316 bool hasAuthorizedLabelsForResource = false; |
109 | 317 |
71 | 318 if (permissionParser_.get() != NULL && |
319 authorizationService_.get() != NULL) | |
320 { | |
321 std::set<std::string> requiredPermissions; | |
322 std::string matchedPattern; | |
323 if (permissionParser_->Parse(requiredPermissions, matchedPattern, method, uri)) | |
324 { | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
325 if (authTokens.empty()) |
71 | 326 { |
103 | 327 std::string msg = std::string("Testing whether anonymous user has any of the required permissions '") + JoinStrings(requiredPermissions) + "'"; |
113 | 328 |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
329 LOG(INFO) << msg; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
330 if (authorizationService_->HasAnonymousUserPermission(validity, requiredPermissions)) |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
331 { |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
332 LOG(INFO) << msg << " -> granted"; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
333 hasUserRequiredPermissions = true; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
334 } |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
335 else |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
336 { |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
337 LOG(INFO) << msg << " -> not granted"; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
338 hasUserRequiredPermissions = false; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
339 // continue in order to check if there is a resource token that could grant access to the resource |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
340 } |
71 | 341 } |
342 else | |
343 { | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
344 for (size_t i = 0; i < authTokens.size(); ++i) |
71 | 345 { |
103 | 346 std::string msg = std::string("Testing whether user has the required permissions '") + JoinStrings(requiredPermissions) + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "' required to match '" + matchedPattern + "'"; |
347 | |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
348 // LOG(INFO) << msg; |
113 | 349 OrthancPlugins::IAuthorizationService::UserProfile profile; |
350 unsigned int validityNotUsed; | |
351 authorizationService_->GetUserProfile(validityNotUsed, profile, authTokens[i].GetToken(), authTokens[i].GetValue()); | |
352 | |
353 if (authorizationService_->HasUserPermission(validity, requiredPermissions, profile)) | |
71 | 354 { |
103 | 355 LOG(INFO) << msg << " -> granted"; |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
356 hasUserRequiredPermissions = true; |
113 | 357 |
358 // check labels permissions | |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
359 std::string msg = std::string("Testing whether user has the authorized_labels to access '") + uri + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "'"; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
360 if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, getArguments, profile)) |
113 | 361 { |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
362 if (hasAuthorizedLabelsForResource) |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
363 { |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
364 LOG(INFO) << msg << " -> granted"; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
365 } |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
366 else |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
367 { |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
368 LOG(INFO) << msg << " -> not granted"; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
369 return 0; // the labels for this resource prevents access -> stop checking now ! |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
370 } |
113 | 371 } |
71 | 372 } |
73
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
373 else |
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
374 { |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
375 LOG(INFO) << msg << " -> not granted"; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
376 hasUserRequiredPermissions = false; |
73
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
377 } |
71 | 378 } |
379 } | |
380 } | |
381 } | |
109 | 382 |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
383 // no need to check for resource token if the user has access and if the labels checking has not prevented access |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
384 if (hasUserRequiredPermissions) |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
385 { |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
386 return 1; |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
387 } |
109 | 388 |
115
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
389 // If we get till here, it means that we have a resource token -> check that the resource is accessible |
0eed78c1e177
cache the UserProfile + updated http filter logic
Alain Mazy <am@osimis.io>
parents:
114
diff
changeset
|
390 //////////////////////////////////////////////////////////////// |
109 | 391 |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
392 if (resourceTokensEnabled_ && |
1 | 393 authorizationService_.get() != NULL) |
394 { | |
395 // Parse the resources that are accessed through this URI | |
396 OrthancPlugins::IAuthorizationParser::AccessedResources accesses; | |
56
c02f0646297d
added support for /dicom-web/studies?0020000D=1.2.3&...
Alain Mazy <am@osimis.io>
parents:
54
diff
changeset
|
397 |
57
55539d564f4f
added support for /dicom-web/series? & /dicom-web/instances?
Alain Mazy <am@osimis.io>
parents:
56
diff
changeset
|
398 if (!authorizationParser_->Parse(accesses, uri, getArguments.GetMap())) |
1 | 399 { |
400 return 0; // Unable to parse this URI | |
401 } | |
402 | |
403 // Loop over all the accessed resources to ensure access is | |
404 // granted to each of them | |
138
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
405 int checkedResources = 0; |
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
406 int grantedResources = 0; |
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
407 |
1 | 408 for (OrthancPlugins::IAuthorizationParser::AccessedResources::const_iterator |
409 access = accesses.begin(); access != accesses.end(); ++access) | |
410 { | |
138
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
411 if (uncheckedLevels_.find(access->GetLevel()) == uncheckedLevels_.end()) |
1 | 412 { |
138
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
413 checkedResources++; |
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
414 if (IsResourceAccessGranted(authTokens, method, *access)) |
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
415 { |
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
416 grantedResources++; |
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
417 } |
1 | 418 } |
419 } | |
138
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
420 |
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
421 if (checkedResources > 0 && grantedResources == checkedResources) |
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
422 { |
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
423 return 1; |
f448e8626f1a
Now handling new GET /tools/create-archive and sibling routes
Alain Mazy <am@osimis.io>
parents:
126
diff
changeset
|
424 } |
1 | 425 } |
426 | |
427 // By default, forbid access to all the resources | |
428 return 0; | |
429 } | |
430 catch (std::runtime_error& e) | |
431 { | |
432 LOG(ERROR) << e.what(); | |
433 return OrthancPluginErrorCode_Success; // Ignore error | |
434 } | |
435 catch (Orthanc::OrthancException& e) | |
436 { | |
437 LOG(ERROR) << e.What(); | |
438 return OrthancPluginErrorCode_Success; // Ignore error | |
439 } | |
440 catch (...) | |
441 { | |
442 LOG(ERROR) << "Unhandled internal exception"; | |
443 return OrthancPluginErrorCode_Success; // Ignore error | |
444 } | |
445 } | |
446 | |
447 | |
448 #if !ORTHANC_PLUGINS_VERSION_IS_ABOVE(1, 2, 1) | |
449 static int32_t FilterHttpRequestsFallback(OrthancPluginHttpMethod method, | |
450 const char *uri, | |
451 const char *ip, | |
452 uint32_t headersCount, | |
453 const char *const *headersKeys, | |
454 const char *const *headersValues) | |
455 { | |
456 // Fallback wrapper function for Orthanc <= 1.2.0, where the GET | |
457 // arguments were not available in the HTTP filters | |
458 return FilterHttpRequests(method, uri, ip, | |
459 headersCount, headersKeys, headersValues, | |
460 0, NULL, NULL); | |
461 } | |
462 #endif | |
463 | |
464 | |
465 static OrthancPluginErrorCode OnChangeCallback(OrthancPluginChangeType changeType, | |
466 OrthancPluginResourceType resourceType, | |
467 const char* resourceId) | |
468 { | |
469 try | |
470 { | |
471 if (authorizationParser_.get() == NULL) | |
472 { | |
71 | 473 return OrthancPluginErrorCode_Success; |
1 | 474 } |
475 | |
476 if (changeType == OrthancPluginChangeType_Deleted) | |
477 { | |
478 switch (resourceType) | |
479 { | |
480 case OrthancPluginResourceType_Patient: | |
481 authorizationParser_->Invalidate(Orthanc::ResourceType_Patient, resourceId); | |
482 break; | |
483 | |
484 case OrthancPluginResourceType_Study: | |
485 authorizationParser_->Invalidate(Orthanc::ResourceType_Study, resourceId); | |
486 break; | |
487 | |
488 case OrthancPluginResourceType_Series: | |
489 authorizationParser_->Invalidate(Orthanc::ResourceType_Series, resourceId); | |
490 break; | |
491 | |
492 case OrthancPluginResourceType_Instance: | |
493 authorizationParser_->Invalidate(Orthanc::ResourceType_Instance, resourceId); | |
494 break; | |
495 | |
496 default: | |
497 break; | |
498 } | |
499 } | |
500 | |
501 return OrthancPluginErrorCode_Success; | |
502 } | |
503 catch (std::runtime_error& e) | |
504 { | |
505 LOG(ERROR) << e.what(); | |
506 return OrthancPluginErrorCode_Success; // Ignore error | |
507 } | |
508 catch (Orthanc::OrthancException& e) | |
509 { | |
510 LOG(ERROR) << e.What(); | |
511 return OrthancPluginErrorCode_Success; // Ignore error | |
512 } | |
513 catch (...) | |
514 { | |
515 LOG(ERROR) << "Unhandled internal exception"; | |
516 return OrthancPluginErrorCode_Success; // Ignore error | |
517 } | |
518 } | |
519 | |
111 | 520 |
521 bool GetUserProfileInternal(OrthancPlugins::IAuthorizationService::UserProfile& profile, const OrthancPluginHttpRequest* request) | |
522 { | |
523 OrthancPlugins::AssociativeArray headers | |
524 (request->headersCount, request->headersKeys, request->headersValues, false); | |
525 | |
526 OrthancPlugins::AssociativeArray getArguments | |
527 (request->getCount, request->getKeys, request->getValues, true); | |
528 | |
529 // Loop over all the authorization tokens stored in the HTTP | |
530 // headers, until finding one that is granted | |
531 for (std::set<OrthancPlugins::Token>::const_iterator | |
532 token = tokens_.begin(); token != tokens_.end(); ++token) | |
533 { | |
534 OrthancPlugins::IAuthorizationService::UserProfile tryProfile; | |
535 | |
536 std::string value; | |
537 | |
538 bool hasValue = false; | |
539 switch (token->GetType()) | |
540 { | |
541 case OrthancPlugins::TokenType_HttpHeader: | |
542 hasValue = headers.GetValue(value, token->GetKey()); | |
543 break; | |
544 | |
545 case OrthancPlugins::TokenType_GetArgument: | |
546 hasValue = getArguments.GetValue(value, token->GetKey()); | |
547 break; | |
548 | |
549 default: | |
550 throw Orthanc::OrthancException(Orthanc::ErrorCode_ParameterOutOfRange); | |
551 } | |
552 | |
553 if (hasValue) | |
554 { | |
555 unsigned int validity; // not used | |
556 if (authorizationService_->GetUserProfile(validity, tryProfile, *token, value)) | |
557 { | |
558 profile = tryProfile; | |
559 return true; | |
560 } | |
561 } | |
562 } | |
563 | |
564 return false; | |
565 } | |
566 | |
567 void AdjustToolsFindQueryLabels(Json::Value& query, const OrthancPlugins::IAuthorizationService::UserProfile& profile) | |
568 { | |
569 std::set<std::string> labelsToFind; | |
570 std::string labelsConstraint = "Invalid"; | |
571 | |
572 if (query.isMember("Labels") && query.isMember("LabelsConstraint")) | |
573 { | |
574 Orthanc::SerializationToolbox::ReadSetOfStrings(labelsToFind, query, "Labels"); | |
575 labelsConstraint = Orthanc::SerializationToolbox::ReadString(query, "LabelsConstraint"); | |
576 } | |
577 else if (query.isMember("Labels") || query.isMember("LabelsConstraint")) | |
578 { | |
114 | 579 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to transform tools/find query, both 'Labels' and 'LabelsConstraint' must be defined together if one of them is defined."); |
111 | 580 } |
581 | |
112
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
582 if (!HasAccessToSomeLabels(profile)) |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
583 { |
114 | 584 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels."); |
112
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
585 } |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
586 else if (profile.authorizedLabels.size() > 0) |
111 | 587 { |
588 // if the user has access to all labels: no need to transform the tools/find body, we keep it as is | |
112
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
589 if (!HasAccessToAllLabels(profile)) |
111 | 590 { // the user does not have access to all labels -> transform the tools/find body |
591 | |
592 if (labelsToFind.size() == 0) | |
593 { | |
594 if (profile.authorizedLabels.size() > 0) | |
595 { | |
114 | 596 query.removeMember("Labels"); |
111 | 597 Orthanc::SerializationToolbox::WriteSetOfStrings(query, profile.authorizedLabels, "Labels"); |
598 query["LabelsConstraint"] = "Any"; | |
599 } | |
600 } | |
601 else if (labelsConstraint == "All") | |
602 { | |
603 if (profile.authorizedLabels.size() > 0) | |
604 { | |
605 if (!Orthanc::Toolbox::IsSetInSet(labelsToFind, profile.authorizedLabels)) | |
606 { | |
114 | 607 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to transform tools/find query with 'All' labels constraint when the user does not have access to all listed labels."); |
111 | 608 } |
609 } | |
610 } | |
611 else if (labelsConstraint == "Any") | |
612 { | |
613 if (profile.authorizedLabels.size() > 0) | |
614 { | |
615 std::set<std::string> newLabelsToFind; | |
112
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
616 Orthanc::Toolbox::GetIntersection(newLabelsToFind, labelsToFind, profile.authorizedLabels); |
111 | 617 |
618 if (newLabelsToFind.size() == 0) | |
619 { | |
114 | 620 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to transform tools/find query with 'All' labels constraint when none of the labels to find is authorized for the user."); |
111 | 621 } |
622 | |
623 query.removeMember("Labels"); | |
624 Orthanc::SerializationToolbox::WriteSetOfStrings(query, newLabelsToFind, "Labels"); | |
625 } | |
626 } | |
627 else if (labelsConstraint == "None") | |
628 { | |
629 if (profile.authorizedLabels.size() > 0) | |
630 { | |
114 | 631 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to transform tools/find query with 'None' labels constraint when the user only has authorized_labels."); |
111 | 632 } |
633 } | |
634 } | |
635 } | |
636 } | |
637 | |
118 | 638 bool GetStudyInstanceUIDFromQuery(std::string& studyInstanceUID, const Json::Value& body) |
639 { | |
640 | |
641 if (!body.isMember("Query")) | |
642 { | |
643 return false; | |
644 } | |
645 | |
646 if (body["Query"].isMember("StudyInstanceUID")) | |
647 { | |
648 studyInstanceUID = body["Query"]["StudyInstanceUID"].asString(); | |
649 } | |
650 else if (body["Query"].isMember("0020,000d")) | |
651 { | |
652 studyInstanceUID = body["Query"]["0020,000d"].asString(); | |
653 } | |
654 else if (body["Query"].isMember("0020,000D")) | |
655 { | |
656 studyInstanceUID = body["Query"]["0020,000D"].asString(); | |
657 } | |
658 else if (body["Query"].isMember("0020000D")) | |
659 { | |
660 studyInstanceUID = body["Query"]["0020000D"].asString(); | |
661 } | |
662 else | |
663 { | |
664 return false; | |
665 } | |
666 | |
667 return true; | |
668 } | |
669 | |
111 | 670 void ToolsFind(OrthancPluginRestOutput* output, |
671 const char* /*url*/, | |
672 const OrthancPluginHttpRequest* request) | |
673 { | |
674 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext(); | |
675 | |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
676 try |
111 | 677 { |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
678 if (request->method != OrthancPluginHttpMethod_Post) |
111 | 679 { |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
680 OrthancPluginSendMethodNotAllowed(context, output, "POST"); |
111 | 681 } |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
682 else |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
683 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
684 // The filtering to this route is performed by this plugin as it is done for any other route before we get here. |
111 | 685 |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
686 Json::Value query; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
687 if (!OrthancPlugins::ReadJson(query, request->body, request->bodySize)) |
116
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
688 { |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
689 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "A JSON payload was expected"); |
116
89eddd4b2f6a
tested resource token for WADO-RS
Alain Mazy <am@osimis.io>
parents:
115
diff
changeset
|
690 } |
111 | 691 |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
692 // If the logged in user has restrictions on the labels he can access, modify the tools/find payload before reposting it to Orthanc |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
693 OrthancPlugins::IAuthorizationService::UserProfile profile; |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
694 if (GetUserProfileInternal(profile, request) && HasAccessToSomeLabels(profile)) |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
695 { |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
696 Orthanc::ResourceType queryLevel = Orthanc::StringToResourceType(query["Level"].asString().c_str()); |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
697 |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
698 if (queryLevel == Orthanc::ResourceType_Study) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
699 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
700 AdjustToolsFindQueryLabels(query, profile); |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
701 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
702 else if (queryLevel == Orthanc::ResourceType_Patient && !HasAccessToAllLabels(profile)) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
703 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
704 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Patient level when the user does not have access to ALL labels."); |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
705 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
706 else if (queryLevel == Orthanc::ResourceType_Series || queryLevel == Orthanc::ResourceType_Instance) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
707 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
708 std::string studyInstanceUID; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
709 |
165
99bdc05012c0
fix wrong forbidden access to dicom-web resources for users with access to all labels
Alain Mazy <am@orthanc.team>
parents:
163
diff
changeset
|
710 if (!HasAccessToAllLabels(profile)) // no need to adjust anything if the user has access to all labels |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
711 { |
165
99bdc05012c0
fix wrong forbidden access to dicom-web resources for users with access to all labels
Alain Mazy <am@orthanc.team>
parents:
163
diff
changeset
|
712 if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) |
99bdc05012c0
fix wrong forbidden access to dicom-web resources for users with access to all labels
Alain Mazy <am@orthanc.team>
parents:
163
diff
changeset
|
713 { |
99bdc05012c0
fix wrong forbidden access to dicom-web resources for users with access to all labels
Alain Mazy <am@orthanc.team>
parents:
163
diff
changeset
|
714 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); |
99bdc05012c0
fix wrong forbidden access to dicom-web resources for users with access to all labels
Alain Mazy <am@orthanc.team>
parents:
163
diff
changeset
|
715 } |
99bdc05012c0
fix wrong forbidden access to dicom-web resources for users with access to all labels
Alain Mazy <am@orthanc.team>
parents:
163
diff
changeset
|
716 |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
717 // since this is a series/instance find, make sure the user has access to the parent study |
162 | 718 Json::Value studyOrthancIds; |
163 | 719 if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false)) |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
720 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
721 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to get the orthanc ID of StudyInstanceUID specified in the query."); |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
722 } |
163 | 723 else if (studyOrthancIds.size() != 1) |
724 { | |
725 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast<std::string>(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID"); | |
726 } | |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
727 |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
728 bool granted = false; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
729 OrthancPlugins::IAuthorizationParser::AccessedResources accessedResources; |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
730 authorizationParser_->AddDicomStudy(accessedResources, studyInstanceUID); |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
731 |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
732 if (!HasAuthorizedLabelsForResource(granted, accessedResources, profile)) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
733 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
734 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to check resource access based on the authorized_labels."); |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
735 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
736 |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
737 if (!granted) |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
738 { |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
739 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, the user shall have access to the parent study."); |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
740 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
741 } |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
742 } |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
743 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
744 else // anonymous user profile or resource token |
111 | 745 { |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
746 std::string studyInstanceUID; |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
747 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
748 // If anonymous user profile, it might be a resource token e.g accessing /dicom-web/studies/.../metadata |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
749 // -> extract the StudyInstanceUID from the query and send the token for validation to the auth-service |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
750 // If there is no StudyInstanceUID, then, return a 403 because we don't know what resource it relates to |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
751 if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
752 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
753 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query."); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
754 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
755 |
162 | 756 Json::Value studyOrthancIds; |
163 | 757 if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false)) |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
758 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
759 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query."); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
760 } |
163 | 761 else if (studyOrthancIds.size() != 1) |
762 { | |
763 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast<std::string>(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID"); | |
764 } | |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
765 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
766 std::vector<TokenAndValue> authTokens; // the tokens that are set in this request |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
767 GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
768 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
769 std::set<std::string> labels; |
162 | 770 OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrthancIds[0]["ID"].asString(), studyInstanceUID, labels); |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
771 if (!IsResourceAccessGranted(authTokens, request->method, accessedResource)) |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
772 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
773 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query."); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
774 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
775 |
119
66b2b938c43e
fix resource-token when no anonymous profile is available
Alain Mazy <am@osimis.io>
parents:
118
diff
changeset
|
776 } |
66b2b938c43e
fix resource-token when no anonymous profile is available
Alain Mazy <am@osimis.io>
parents:
118
diff
changeset
|
777 |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
778 Json::Value result; |
153
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
779 |
3683f3d083bd
fix tools/find to allow accessing /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels
Alain Mazy <am@osimis.io>
parents:
150
diff
changeset
|
780 if (OrthancPlugins::RestApiPost(result, "/tools/find", query, false)) |
119
66b2b938c43e
fix resource-token when no anonymous profile is available
Alain Mazy <am@osimis.io>
parents:
118
diff
changeset
|
781 { |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
782 OrthancPlugins::AnswerJson(result, output); |
111 | 783 } |
784 | |
785 } | |
119
66b2b938c43e
fix resource-token when no anonymous profile is available
Alain Mazy <am@osimis.io>
parents:
118
diff
changeset
|
786 |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
787 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
788 catch(const Orthanc::OrthancException& e) |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
789 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
790 // this error is not yet supported in Orthanc 1.12.1 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
791 if (e.GetErrorCode() == Orthanc::ErrorCode_ForbiddenAccess && !OrthancPlugins::CheckMinimalOrthancVersion(1, 12, 2)) |
111 | 792 { |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
793 SendForbiddenError(e.GetDetails(), output); |
111 | 794 } |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
795 else |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
796 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
797 throw e; |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
798 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
799 } |
119
66b2b938c43e
fix resource-token when no anonymous profile is available
Alain Mazy <am@osimis.io>
parents:
118
diff
changeset
|
800 |
112
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
801 } |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
802 |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
803 void ToolsLabels(OrthancPluginRestOutput* output, |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
804 const char* /*url*/, |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
805 const OrthancPluginHttpRequest* request) |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
806 { |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
807 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext(); |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
808 |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
809 try |
112
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
810 { |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
811 if (request->method != OrthancPluginHttpMethod_Get) |
112
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
812 { |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
813 OrthancPluginSendMethodNotAllowed(context, output, "GET"); |
112
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
814 } |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
815 else |
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
816 { |
124
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
817 // The filtering to this route is performed by this plugin as it is done for any other route before we get here. |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
818 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
819 // If the logged in user has restrictions on the labels he can access, modify the tools/labels response before answering |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
820 OrthancPlugins::IAuthorizationService::UserProfile profile; |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
821 if (GetUserProfileInternal(profile, request)) |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
822 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
823 if (!HasAccessToSomeLabels(profile)) |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
824 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
825 Json::Value emptyLabels; |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
826 OrthancPlugins::AnswerJson(emptyLabels, output); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
827 return; |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
828 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
829 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
830 Json::Value jsonLabels; |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
831 if (OrthancPlugins::RestApiGet(jsonLabels, "/tools/labels", false)) |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
832 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
833 std::set<std::string> allLabels; |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
834 Orthanc::SerializationToolbox::ReadSetOfStrings(allLabels, jsonLabels); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
835 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
836 if (!HasAccessToAllLabels(profile)) |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
837 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
838 std::set<std::string> authorizedLabels; |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
839 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
840 Orthanc::Toolbox::GetIntersection(authorizedLabels, allLabels, profile.authorizedLabels); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
841 Orthanc::SerializationToolbox::WriteSetOfStrings(jsonLabels, authorizedLabels); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
842 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
843 OrthancPlugins::AnswerJson(jsonLabels, output); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
844 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
845 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
846 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
847 else |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
848 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
849 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: no user profile found, access to tools/labels is forbidden."); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
850 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
851 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
852 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
853 catch(const Orthanc::OrthancException& e) |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
854 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
855 // this error is not yet supported in Orthanc 1.12.1 |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
856 if (e.GetErrorCode() == Orthanc::ErrorCode_ForbiddenAccess && !OrthancPlugins::CheckMinimalOrthancVersion(1, 12, 2)) |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
857 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
858 SendForbiddenError(e.GetDetails(), output); |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
859 } |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
860 else |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
861 { |
d5232d374fd8
Add support for ForbiddenAccess error for Orthanc < 1.12.2
Alain Mazy <am@osimis.io>
parents:
120
diff
changeset
|
862 throw e; |
112
572955904411
added tools/labels + removed forbidden_labels
Alain Mazy <am@osimis.io>
parents:
111
diff
changeset
|
863 } |
111 | 864 } |
865 } | |
866 | |
867 | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
868 void CreateToken(OrthancPluginRestOutput* output, |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
869 const char* /*url*/, |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
870 const OrthancPluginHttpRequest* request) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
871 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
872 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext(); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
873 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
874 if (request->method != OrthancPluginHttpMethod_Put) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
875 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
876 OrthancPluginSendMethodNotAllowed(context, output, "PUT"); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
877 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
878 else |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
879 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
880 // The filtering to this route is performed by this plugin as it is done for any other route before we get here. |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
881 // Since the route contains the tokenType, we can allow/forbid creating them based on the url |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
882 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
883 // simply forward the request to the auth-service |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
884 std::string tokenType; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
885 if (request->groupsCount == 1) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
886 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
887 tokenType = request->groups[0]; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
888 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
889 else |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
890 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
891 throw Orthanc::OrthancException(Orthanc::ErrorCode_InternalError); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
892 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
893 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
894 // convert from Orthanc flavored API to WebService API |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
895 Json::Value body; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
896 if (!OrthancPlugins::ReadJson(body, request->body, request->bodySize)) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
897 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
898 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "A JSON payload was expected"); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
899 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
900 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
901 std::string id; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
902 std::vector<OrthancPlugins::IAuthorizationService::OrthancResource> resources; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
903 std::string expirationDateString; |
73
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
904 uint64_t validityDuration; |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
905 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
906 if (body.isMember("ID")) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
907 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
908 id = body["ID"].asString(); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
909 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
910 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
911 for (Json::ArrayIndex i = 0; i < body["Resources"].size(); ++i) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
912 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
913 const Json::Value& jsonResource = body["Resources"][i]; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
914 OrthancPlugins::IAuthorizationService::OrthancResource resource; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
915 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
916 if (jsonResource.isMember("DicomUid")) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
917 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
918 resource.dicomUid = jsonResource["DicomUid"].asString(); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
919 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
920 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
921 if (jsonResource.isMember("OrthancId")) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
922 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
923 resource.orthancId = jsonResource["OrthancId"].asString(); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
924 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
925 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
926 if (jsonResource.isMember("Url")) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
927 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
928 resource.url = jsonResource["Url"].asString(); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
929 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
930 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
931 resource.level = jsonResource["Level"].asString(); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
932 resources.push_back(resource); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
933 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
934 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
935 if (body.isMember("ExpirationDate")) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
936 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
937 expirationDateString = body["ExpirationDate"].asString(); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
938 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
939 |
73
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
940 if (body.isMember("ValidityDuration")) |
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
941 { |
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
942 validityDuration = body["ValidityDuration"].asUInt64(); |
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
943 } |
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
944 |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
945 OrthancPlugins::IAuthorizationService::CreatedToken createdToken; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
946 if (authorizationService_->CreateToken(createdToken, |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
947 tokenType, |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
948 id, |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
949 resources, |
73
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
950 expirationDateString, |
512247750f0a
new ValidityDuration arg in create token API
Alain Mazy <am@osimis.io>
parents:
72
diff
changeset
|
951 validityDuration)) |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
952 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
953 Json::Value createdJsonToken; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
954 createdJsonToken["Token"] = createdToken.token; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
955 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
956 if (!createdToken.url.empty()) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
957 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
958 createdJsonToken["Url"] = createdToken.url; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
959 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
960 else |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
961 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
962 createdJsonToken["Url"] = Json::nullValue; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
963 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
964 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
965 OrthancPlugins::AnswerJson(createdJsonToken, output); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
966 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
967 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
968 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
969 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
970 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
971 |
74 | 972 void DecodeToken(OrthancPluginRestOutput* output, |
973 const char* /*url*/, | |
974 const OrthancPluginHttpRequest* request) | |
975 { | |
976 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext(); | |
977 | |
978 if (request->method != OrthancPluginHttpMethod_Post) | |
979 { | |
980 OrthancPluginSendMethodNotAllowed(context, output, "POST"); | |
981 } | |
982 else | |
983 { | |
984 // convert from Orthanc flavored API to WebService API | |
985 Json::Value body; | |
986 if (!OrthancPlugins::ReadJson(body, request->body, request->bodySize)) | |
987 { | |
988 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "A JSON payload was expected"); | |
989 } | |
990 | |
991 Json::Value authPayload; | |
992 | |
993 authPayload["token-key"] = body["TokenKey"].asString(); | |
994 authPayload["token-value"] = body["TokenValue"].asString(); | |
995 | |
996 OrthancPlugins::IAuthorizationService::DecodedToken decodedToken; | |
997 if (authorizationService_->DecodeToken(decodedToken, | |
998 body["TokenKey"].asString(), | |
999 body["TokenValue"].asString())) | |
1000 { | |
1001 Json::Value decodedJsonToken; | |
1002 | |
1003 if (!decodedToken.redirectUrl.empty()) | |
1004 { | |
1005 decodedJsonToken["RedirectUrl"] = decodedToken.redirectUrl; | |
1006 } | |
1007 | |
1008 if (!decodedToken.errorCode.empty()) | |
1009 { | |
1010 decodedJsonToken["ErrorCode"] = decodedToken.errorCode; | |
1011 } | |
1012 | |
1013 if (!decodedToken.tokenType.empty()) | |
1014 { | |
1015 decodedJsonToken["TokenType"] = decodedToken.tokenType; | |
1016 } | |
1017 | |
1018 OrthancPlugins::AnswerJson(decodedJsonToken, output); | |
1019 } | |
1020 } | |
1021 } | |
1022 | |
111 | 1023 |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1024 void GetUserProfile(OrthancPluginRestOutput* output, |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1025 const char* /*url*/, |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1026 const OrthancPluginHttpRequest* request) |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1027 { |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1028 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext(); |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1029 |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1030 if (request->method != OrthancPluginHttpMethod_Get) |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1031 { |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1032 OrthancPluginSendMethodNotAllowed(context, output, "GET"); |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1033 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1034 else |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1035 { |
111 | 1036 OrthancPlugins::IAuthorizationService::UserProfile profile; |
1037 if (GetUserProfileInternal(profile, request)) | |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1038 { |
111 | 1039 Json::Value jsonProfile; |
1040 jsonProfile["name"] = profile.name; | |
1041 jsonProfile["permissions"] = Json::arrayValue; | |
1042 for (std::set<std::string>::const_iterator it = profile.permissions.begin(); it != profile.permissions.end(); ++it) | |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1043 { |
111 | 1044 jsonProfile["permissions"].append(*it); |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1045 } |
111 | 1046 for (std::set<std::string>::const_iterator it = profile.authorizedLabels.begin(); it != profile.authorizedLabels.end(); ++it) |
1047 { | |
1048 jsonProfile["authorized-labels"].append(*it); | |
1049 } | |
109 | 1050 |
111 | 1051 OrthancPlugins::AnswerJson(jsonProfile, output); |
69
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1052 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1053 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1054 } |
af44dce56328
new 'auth/user-profile' Rest API route
Alain Mazy <am@osimis.io>
parents:
68
diff
changeset
|
1055 |
71 | 1056 void MergeJson(Json::Value &a, const Json::Value &b) { |
1057 | |
1058 if (!a.isObject() || !b.isObject()) | |
1059 { | |
1060 return; | |
1061 } | |
1062 | |
1063 Json::Value::Members members = b.getMemberNames(); | |
1064 | |
1065 for (size_t i = 0; i < members.size(); i++) | |
1066 { | |
1067 std::string key = members[i]; | |
1068 | |
1069 if (!a[key].isNull() && a[key].type() == Json::objectValue && b[key].type() == Json::objectValue) | |
1070 { | |
1071 MergeJson(a[key], b[key]); | |
1072 } | |
1073 else | |
1074 { | |
1075 a[key] = b[key]; | |
1076 } | |
1077 } | |
1078 } | |
1079 | |
1 | 1080 |
1081 extern "C" | |
1082 { | |
1083 ORTHANC_PLUGINS_API int32_t OrthancPluginInitialize(OrthancPluginContext* context) | |
1084 { | |
29
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
1085 OrthancPlugins::SetGlobalContext(context); |
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
1086 OrthancPluginLogWarning(context, "Initializing the authorization plugin"); |
1 | 1087 |
1088 /* Check the version of the Orthanc core */ | |
29
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
1089 if (OrthancPluginCheckVersion(context) == 0) |
1 | 1090 { |
29
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
1091 OrthancPlugins::ReportMinimalOrthancVersion(ORTHANC_PLUGINS_MINIMAL_MAJOR_NUMBER, |
1 | 1092 ORTHANC_PLUGINS_MINIMAL_MINOR_NUMBER, |
1093 ORTHANC_PLUGINS_MINIMAL_REVISION_NUMBER); | |
1094 return -1; | |
1095 } | |
1096 | |
164 | 1097 #if ORTHANC_FRAMEWORK_VERSION_IS_ABOVE(1, 12, 4) |
1098 Orthanc::Logging::InitializePluginContext(context, ORTHANC_PLUGIN_NAME); | |
1099 #elif ORTHANC_FRAMEWORK_VERSION_IS_ABOVE(1, 7, 2) | |
32 | 1100 Orthanc::Logging::InitializePluginContext(context); |
33
b9c536bf598b
improved Orthanc::Logging::Initialize()
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
32
diff
changeset
|
1101 #else |
b9c536bf598b
improved Orthanc::Logging::Initialize()
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
32
diff
changeset
|
1102 Orthanc::Logging::Initialize(context); |
b9c536bf598b
improved Orthanc::Logging::Initialize()
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
32
diff
changeset
|
1103 #endif |
b9c536bf598b
improved Orthanc::Logging::Initialize()
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
32
diff
changeset
|
1104 |
156
43b77aa34468
fix deprecated calls
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
153
diff
changeset
|
1105 OrthancPlugins::SetDescription(ORTHANC_PLUGIN_NAME, "Advanced authorization plugin for Orthanc."); |
1 | 1106 |
1107 try | |
1108 { | |
71 | 1109 static const char* PLUGIN_SECTION = "Authorization"; |
1110 | |
1111 OrthancPlugins::OrthancConfiguration orthancFullConfiguration; | |
1112 | |
1113 // read default configuration | |
1114 std::string defaultConfigurationFileContent; | |
1115 Orthanc::EmbeddedResources::GetFileResource(defaultConfigurationFileContent, Orthanc::EmbeddedResources::DEFAULT_CONFIGURATION); | |
1116 Json::Value pluginJsonDefaultConfiguration; | |
1117 OrthancPlugins::ReadJsonWithoutComments(pluginJsonDefaultConfiguration, defaultConfigurationFileContent); | |
1118 Json::Value pluginJsonConfiguration = pluginJsonDefaultConfiguration[PLUGIN_SECTION]; | |
1 | 1119 |
71 | 1120 OrthancPlugins::OrthancConfiguration pluginProvidedConfiguration; |
1121 | |
1122 if (orthancFullConfiguration.IsSection(PLUGIN_SECTION)) | |
1 | 1123 { |
71 | 1124 // get the configuration provided by the user |
1125 orthancFullConfiguration.GetSection(pluginProvidedConfiguration, PLUGIN_SECTION); | |
1126 | |
1127 // merge it with the default configuration. This is a way to apply the all default values in a single step | |
1128 MergeJson(pluginJsonConfiguration, pluginProvidedConfiguration.GetJson()); | |
1129 | |
1130 // recreate a OrthancConfiguration object from the merged configuration | |
1131 OrthancPlugins::OrthancConfiguration pluginConfiguration(pluginJsonConfiguration, PLUGIN_SECTION); | |
1 | 1132 |
1133 // TODO - The size of the caches is set to 10,000 items. Maybe add a configuration option? | |
1134 OrthancPlugins::MemoryCache::Factory factory(10000); | |
1135 | |
71 | 1136 std::string dicomWebRoot = "/dicom-web/"; |
1137 std::string oe2Root = "/ui/"; | |
1 | 1138 |
81
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1139 bool hasBasicAuthEnabled = orthancFullConfiguration.GetBooleanValue("AuthenticationEnabled", "true"); |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1140 |
71 | 1141 if (orthancFullConfiguration.IsSection("DicomWeb")) |
1142 { | |
1143 OrthancPlugins::OrthancConfiguration dicomWeb; | |
1144 dicomWeb.GetSection(orthancFullConfiguration, "DicomWeb"); | |
1145 dicomWebRoot = dicomWeb.GetStringValue("Root", "/dicom-web/"); | |
1146 } | |
1 | 1147 |
71 | 1148 if (orthancFullConfiguration.IsSection("OrthancExplorer2")) |
1149 { | |
1150 OrthancPlugins::OrthancConfiguration oe2; | |
1151 oe2.GetSection(orthancFullConfiguration, "OrthancExplorer2"); | |
1152 oe2Root = oe2.GetStringValue("Root", "/ui/"); | |
1 | 1153 } |
1154 | |
1155 std::list<std::string> tmp; | |
1156 | |
71 | 1157 pluginConfiguration.LookupListOfStrings(tmp, "TokenHttpHeaders", true); |
1 | 1158 for (std::list<std::string>::const_iterator |
1159 it = tmp.begin(); it != tmp.end(); ++it) | |
1160 { | |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1161 tokens_.insert(OrthancPlugins::Token(OrthancPlugins::TokenType_HttpHeader, *it)); |
1 | 1162 } |
1163 | |
71 | 1164 pluginConfiguration.LookupListOfStrings(tmp, "TokenGetArguments", true); |
1 | 1165 |
8
4362026afddf
orthanc 1.2.1 renamed as 1.3.0
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
1
diff
changeset
|
1166 #if ORTHANC_PLUGINS_VERSION_IS_ABOVE(1, 3, 0) |
1 | 1167 for (std::list<std::string>::const_iterator |
1168 it = tmp.begin(); it != tmp.end(); ++it) | |
1169 { | |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1170 tokens_.insert(OrthancPlugins::Token(OrthancPlugins::TokenType_GetArgument, *it)); |
1 | 1171 } |
1172 #else | |
1173 if (!tmp.empty()) | |
1174 { | |
29
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
1175 throw Orthanc::OrthancException( |
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
1176 Orthanc::ErrorCode_Plugin, |
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
1177 "The option \"TokenGetArguments\" of the authorization plugin " |
bc0431cb6b8f
fix for compatibility with simplified OrthancPluginCppWrapper
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
22
diff
changeset
|
1178 "is only valid if compiled against Orthanc >= 1.3.0" |
1 | 1179 } |
1180 #endif | |
1181 | |
71 | 1182 pluginConfiguration.LookupSetOfStrings(uncheckedResources_, "UncheckedResources", false); |
1183 pluginConfiguration.LookupListOfStrings(uncheckedFolders_, "UncheckedFolders", false); | |
1 | 1184 |
74 | 1185 std::string urlTokenDecoder; |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1186 std::string urlTokenValidation; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1187 std::string urlTokenCreationBase; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1188 std::string urlUserProfile; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1189 std::string urlRoot; |
1 | 1190 |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1191 static const char* WEB_SERVICE_ROOT = "WebServiceRootUrl"; |
74 | 1192 static const char* WEB_SERVICE_TOKEN_DECODER = "WebServiceTokenDecoderUrl"; |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1193 static const char* WEB_SERVICE_TOKEN_VALIDATION = "WebServiceTokenValidationUrl"; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1194 static const char* WEB_SERVICE_TOKEN_CREATION_BASE = "WebServiceTokenCreationBaseUrl"; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1195 static const char* WEB_SERVICE_USER_PROFILE = "WebServiceUserProfileUrl"; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1196 static const char* WEB_SERVICE_TOKEN_VALIDATION_LEGACY = "WebService"; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1197 if (pluginConfiguration.LookupStringValue(urlRoot, WEB_SERVICE_ROOT)) |
71 | 1198 { |
74 | 1199 urlTokenDecoder = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/decode"); |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1200 urlTokenValidation = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/validate"); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1201 urlTokenCreationBase = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/"); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1202 urlUserProfile = Orthanc::Toolbox::JoinUri(urlRoot, "/user/get-profile"); |
71 | 1203 } |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1204 else |
71 | 1205 { |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1206 pluginConfiguration.LookupStringValue(urlTokenValidation, WEB_SERVICE_TOKEN_VALIDATION); |
74 | 1207 pluginConfiguration.LookupStringValue(urlTokenDecoder, WEB_SERVICE_TOKEN_DECODER); |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1208 if (urlTokenValidation.empty()) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1209 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1210 pluginConfiguration.LookupStringValue(urlTokenValidation, WEB_SERVICE_TOKEN_VALIDATION_LEGACY); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1211 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1212 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1213 pluginConfiguration.LookupStringValue(urlTokenCreationBase, WEB_SERVICE_TOKEN_CREATION_BASE); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1214 pluginConfiguration.LookupStringValue(urlUserProfile, WEB_SERVICE_USER_PROFILE); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1215 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1216 |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1217 authorizationParser_.reset(new OrthancPlugins::DefaultAuthorizationParser(factory, dicomWebRoot)); |
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1218 |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1219 if (!urlTokenValidation.empty()) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1220 { |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1221 LOG(WARNING) << "Authorization plugin: url defined for Token Validation: " << urlTokenValidation << ", resource tokens validation is enabled"; |
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1222 resourceTokensEnabled_ = true; |
71 | 1223 } |
1224 else | |
1225 { | |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1226 LOG(WARNING) << "Authorization plugin: no url defined for Token Validation, resource tokens validation is disabled"; |
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1227 resourceTokensEnabled_ = false; |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1228 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1229 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1230 if (!urlUserProfile.empty()) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1231 { |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1232 LOG(WARNING) << "Authorization plugin: url defined for User Profile: " << urlUserProfile << ", user tokens validation is enabled"; |
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1233 userTokensEnabled_ = true; |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1234 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1235 static const char* PERMISSIONS = "Permissions"; |
71 | 1236 if (!pluginConfiguration.GetJson().isMember(PERMISSIONS)) |
1237 { | |
1238 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: Missing required \"" + std::string(PERMISSIONS) + | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1239 "\" option since you have defined the \"" + std::string(WEB_SERVICE_ROOT) + "\" option"); |
71 | 1240 } |
1241 permissionParser_.reset | |
1242 (new OrthancPlugins::PermissionParser(dicomWebRoot, oe2Root)); | |
1243 | |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1244 permissionParser_->Add(pluginConfiguration.GetJson()[PERMISSIONS], authorizationParser_.get()); |
71 | 1245 } |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1246 else |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1247 { |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1248 LOG(WARNING) << "Authorization plugin: no url defined for User Profile" << ", user tokens validation is disabled"; |
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1249 userTokensEnabled_ = false; |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1250 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1251 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1252 if (!urlTokenCreationBase.empty()) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1253 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1254 LOG(WARNING) << "Authorization plugin: base url defined for Token Creation : " << urlTokenCreationBase; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1255 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1256 else |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1257 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1258 LOG(WARNING) << "Authorization plugin: no base url defined for Token Creation"; |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1259 } |
71 | 1260 |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1261 if (!resourceTokensEnabled_ && permissionParser_.get() == NULL) |
71 | 1262 { |
81
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1263 if (hasBasicAuthEnabled) |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1264 { |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1265 LOG(WARNING) << "Authorization plugin: No Token Validation or User Profile url defined -> will only be able to generate tokens. All API routes are accessible to all registered users."; |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1266 } |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1267 else |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1268 { |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1269 LOG(WARNING) << "Authorization plugin: ----------- insecure setup ---------- No Token Validation or User Profile url defined -> will only be able to generate tokens. Authentication is not enabled -> anyone will have access to all API routes."; |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1270 } |
1 | 1271 } |
1272 | |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1273 std::set<std::string> standardConfigurations; |
71 | 1274 if (pluginConfiguration.LookupSetOfStrings(standardConfigurations, "StandardConfigurations", false)) |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1275 { |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1276 if (standardConfigurations.find("osimis-web-viewer") != standardConfigurations.end()) |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1277 { |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1278 uncheckedFolders_.push_back("/osimis-viewer/app/"); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1279 uncheckedFolders_.push_back("/osimis-viewer/languages/"); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1280 uncheckedResources_.insert("/osimis-viewer/config.js"); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1281 |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1282 tokens_.insert(OrthancPlugins::Token(OrthancPlugins::TokenType_HttpHeader, "token")); |
95
dff72e397f90
fix standard configuration 'orthanc-explorer-2' for TokenGetArguments
Alain Mazy <am@osimis.io>
parents:
86
diff
changeset
|
1283 tokens_.insert(OrthancPlugins::Token(OrthancPlugins::TokenType_GetArgument, "token")); // for download links in Webviewer |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1284 } |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1285 |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1286 if (standardConfigurations.find("stone-webviewer") != standardConfigurations.end()) |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1287 { |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1288 uncheckedFolders_.push_back("/stone-webviewer/"); |
65 | 1289 uncheckedResources_.insert("/system"); // for Stone to check that Orthanc is the server providing the data |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1290 |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1291 tokens_.insert(OrthancPlugins::Token(OrthancPlugins::TokenType_HttpHeader, "Authorization")); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1292 } |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1293 |
65 | 1294 if (standardConfigurations.find("orthanc-explorer-2") != standardConfigurations.end()) |
1295 { | |
1296 uncheckedFolders_.push_back("/ui/app/"); | |
74 | 1297 uncheckedFolders_.push_back("/ui/landing/"); |
76 | 1298 uncheckedResources_.insert("/"); // for the redirect to /ui/app/ |
66 | 1299 uncheckedResources_.insert("/ui/api/pre-login-configuration"); // for the UI to know, i.e. if Keycloak is enabled or not |
71 | 1300 uncheckedResources_.insert("/ui/api/configuration"); |
120 | 1301 uncheckedResources_.insert("/auth/user/profile"); |
65 | 1302 |
1303 tokens_.insert(OrthancPlugins::Token(OrthancPlugins::TokenType_HttpHeader, "Authorization")); // for basic-auth | |
1304 tokens_.insert(OrthancPlugins::Token(OrthancPlugins::TokenType_HttpHeader, "token")); // for keycloak | |
95
dff72e397f90
fix standard configuration 'orthanc-explorer-2' for TokenGetArguments
Alain Mazy <am@osimis.io>
parents:
86
diff
changeset
|
1305 tokens_.insert(OrthancPlugins::Token(OrthancPlugins::TokenType_GetArgument, "token")); // for download links in OE2 |
65 | 1306 } |
1307 | |
102 | 1308 if (standardConfigurations.find("ohif") != standardConfigurations.end()) |
1309 { | |
1310 uncheckedFolders_.push_back("/ohif/"); | |
1311 } | |
1312 | |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1313 } |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1314 |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1315 std::string checkedLevelString; |
71 | 1316 if (pluginConfiguration.LookupStringValue(checkedLevelString, "CheckedLevel")) |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1317 { |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1318 OrthancPlugins::AccessLevel checkedLevel = OrthancPlugins::StringToAccessLevel(checkedLevelString); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1319 if (checkedLevel == OrthancPlugins::AccessLevel_Instance) |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1320 { |
113 | 1321 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_System); |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1322 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Patient); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1323 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Study); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1324 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Series); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1325 } |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1326 else if (checkedLevel == OrthancPlugins::AccessLevel_Series) |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1327 { |
113 | 1328 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_System); |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1329 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Patient); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1330 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Study); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1331 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Instance); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1332 } |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1333 else if (checkedLevel == OrthancPlugins::AccessLevel_Study) |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1334 { |
113 | 1335 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_System); |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1336 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Patient); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1337 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Series); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1338 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Instance); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1339 } |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1340 else if (checkedLevel == OrthancPlugins::AccessLevel_Patient) |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1341 { |
113 | 1342 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_System); |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1343 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Study); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1344 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Series); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1345 uncheckedLevels_.insert(OrthancPlugins::AccessLevel_Instance); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1346 } |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1347 } |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1348 |
71 | 1349 if (pluginConfiguration.LookupListOfStrings(tmp, "UncheckedLevels", false)) |
1 | 1350 { |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1351 if (uncheckedLevels_.size() == 0) |
1 | 1352 { |
58
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1353 for (std::list<std::string>::const_iterator |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1354 it = tmp.begin(); it != tmp.end(); ++it) |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1355 { |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1356 uncheckedLevels_.insert(OrthancPlugins::StringToAccessLevel(*it)); |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1357 } |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1358 } |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1359 else |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1360 { |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1361 LOG(ERROR) << "Authorization plugin: you may only provide one of 'CheckedLevel' or 'UncheckedLevels' configurations"; |
ad279c70c22d
added a new configuration 'StandardConfigurations'
Alain Mazy <am@osimis.io>
parents:
57
diff
changeset
|
1362 return -1; |
1 | 1363 } |
1364 } | |
1365 | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1366 std::unique_ptr<OrthancPlugins::AuthorizationWebService> webService(new OrthancPlugins::AuthorizationWebService(urlTokenValidation, |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1367 urlTokenCreationBase, |
74 | 1368 urlUserProfile, |
1369 urlTokenDecoder)); | |
54
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1370 |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1371 std::string webServiceIdentifier; |
71 | 1372 if (pluginConfiguration.LookupStringValue(webServiceIdentifier, "WebServiceIdentifier")) |
54
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1373 { |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1374 webService->SetIdentifier(webServiceIdentifier); |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1375 } |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1376 |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1377 std::string webServiceUsername; |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1378 std::string webServicePassword; |
71 | 1379 if (pluginConfiguration.LookupStringValue(webServiceUsername, "WebServiceUsername") && pluginConfiguration.LookupStringValue(webServicePassword, "WebServicePassword")) |
54
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1380 { |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1381 webService->SetCredentials(webServiceUsername, webServicePassword); |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1382 } |
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1383 |
1 | 1384 authorizationService_.reset |
1385 (new OrthancPlugins::CachedAuthorizationService | |
54
317b31e99501
Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier. WebServiceIdentifier is now included in the payload as the 'identifier' field
Alain Mazy <am@osimis.io>
parents:
51
diff
changeset
|
1386 (webService.release(), factory)); |
1 | 1387 |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1388 if (!urlTokenValidation.empty()) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1389 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1390 OrthancPluginRegisterOnChangeCallback(context, OnChangeCallback); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1391 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1392 |
74 | 1393 if (!urlTokenDecoder.empty()) |
1394 { | |
1395 OrthancPlugins::RegisterRestCallback<DecodeToken>("/auth/tokens/decode", true); | |
1396 } | |
1397 | |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1398 if (!urlUserProfile.empty()) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1399 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1400 OrthancPlugins::RegisterRestCallback<GetUserProfile>("/auth/user/profile", true); |
126
8b123c2adb69
now overriding /tools/find and /tools/labels only if the auth-service is providing user profile
Alain Mazy <am@osimis.io>
parents:
124
diff
changeset
|
1401 OrthancPlugins::RegisterRestCallback<ToolsFind>("/tools/find", true); |
8b123c2adb69
now overriding /tools/find and /tools/labels only if the auth-service is providing user profile
Alain Mazy <am@osimis.io>
parents:
124
diff
changeset
|
1402 OrthancPlugins::RegisterRestCallback<ToolsLabels>("/tools/labels", true); |
72
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1403 } |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1404 |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1405 if (!urlTokenCreationBase.empty()) |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1406 { |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1407 OrthancPlugins::RegisterRestCallback<CreateToken>("/auth/tokens/(.*)", true); |
e381ba725669
new PUT auth/tokens/{token-type} API route + updated interface with WebService
Alain Mazy <am@osimis.io>
parents:
71
diff
changeset
|
1408 } |
74 | 1409 |
149
423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
Alain Mazy <am@osimis.io>
parents:
138
diff
changeset
|
1410 if (resourceTokensEnabled_ || userTokensEnabled_) |
81
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1411 { |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1412 if (hasBasicAuthEnabled) |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1413 { |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1414 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: you are using the plugin to grant access to resources or handle user permissions. This is not compatible with \"AuthenticationEnabled\" = true"); |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1415 } |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1416 |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1417 LOG(WARNING) << "Authorization plugin: Registering Incoming HTTP Request Filter"; |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1418 |
1 | 1419 #if ORTHANC_PLUGINS_VERSION_IS_ABOVE(1, 2, 1) |
81
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1420 OrthancPluginRegisterIncomingHttpRequestFilter2(context, FilterHttpRequests); |
1 | 1421 #else |
81
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1422 OrthancPluginRegisterIncomingHttpRequestFilter(context, FilterHttpRequestsFallback); |
1 | 1423 #endif |
81
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1424 } |
fac45493d547
more flexibility wrt configuration
Alain Mazy <am@osimis.io>
parents:
77
diff
changeset
|
1425 |
1 | 1426 } |
1427 else | |
1428 { | |
71 | 1429 LOG(WARNING) << "No section \"" << PLUGIN_SECTION << "\" in the configuration file, " |
1 | 1430 << "the authorization plugin is disabled"; |
1431 } | |
1432 } | |
1433 catch (Orthanc::OrthancException& e) | |
1434 { | |
1435 LOG(ERROR) << e.What(); | |
1436 return -1; | |
1437 } | |
1438 | |
1439 return 0; | |
1440 } | |
1441 | |
1442 | |
1443 ORTHANC_PLUGINS_API void OrthancPluginFinalize() | |
1444 { | |
1445 authorizationParser_.reset(NULL); | |
1446 } | |
1447 | |
1448 | |
1449 ORTHANC_PLUGINS_API const char* OrthancPluginGetName() | |
1450 { | |
156
43b77aa34468
fix deprecated calls
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
153
diff
changeset
|
1451 return ORTHANC_PLUGIN_NAME; |
1 | 1452 } |
1453 | |
1454 | |
1455 ORTHANC_PLUGINS_API const char* OrthancPluginGetVersion() | |
1456 { | |
22
c44013681a51
now using the Orthanc framework
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
8
diff
changeset
|
1457 return ORTHANC_PLUGIN_VERSION; |
1 | 1458 } |
1459 } |