Mercurial > hg > orthanc-authorization
comparison Plugin/Plugin.cpp @ 149:423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
| author | Alain Mazy <am@osimis.io> |
|---|---|
| date | Thu, 15 Feb 2024 16:30:21 +0100 |
| parents | f448e8626f1a |
| children | 9be1ee2b8fe1 |
comparison
equal
deleted
inserted
replaced
| 148:20c638fa8b07 | 149:423531fb1200 |
|---|---|
| 30 #include <SerializationToolbox.h> | 30 #include <SerializationToolbox.h> |
| 31 #include <EmbeddedResources.h> | 31 #include <EmbeddedResources.h> |
| 32 | 32 |
| 33 | 33 |
| 34 // Configuration of the authorization plugin | 34 // Configuration of the authorization plugin |
| 35 static bool resourceTokensEnabled_ = false; | |
| 36 static bool userTokensEnabled_ = false; | |
| 35 static std::unique_ptr<OrthancPlugins::IAuthorizationParser> authorizationParser_; | 37 static std::unique_ptr<OrthancPlugins::IAuthorizationParser> authorizationParser_; |
| 36 static std::unique_ptr<OrthancPlugins::IAuthorizationService> authorizationService_; | 38 static std::unique_ptr<OrthancPlugins::IAuthorizationService> authorizationService_; |
| 37 static std::unique_ptr<OrthancPlugins::PermissionParser> permissionParser_; | 39 static std::unique_ptr<OrthancPlugins::PermissionParser> permissionParser_; |
| 38 static std::set<std::string> uncheckedResources_; | 40 static std::set<std::string> uncheckedResources_; |
| 39 static std::list<std::string> uncheckedFolders_; | 41 static std::list<std::string> uncheckedFolders_; |
| 119 return false; // Unable to parse this URI, we could not check labels | 121 return false; // Unable to parse this URI, we could not check labels |
| 120 } | 122 } |
| 121 | 123 |
| 122 if (authorizationParser_->IsListOfResources(uri)) | 124 if (authorizationParser_->IsListOfResources(uri)) |
| 123 { | 125 { |
| 124 granted = false; | 126 granted = false; // if a user does not have access to all labels, he can not have access to a list of resources |
| 125 return true; // if a user does not have access to all labels, he can not have access to a list of resources | 127 return true; |
| 126 } | 128 } |
| 127 | 129 |
| 128 // Loop over all the accessed resources to ensure access is | 130 // Loop over all the accessed resources to ensure access is |
| 129 // granted to each of them | 131 // granted to each of them |
| 130 for (OrthancPlugins::IAuthorizationParser::AccessedResources::const_iterator | 132 for (OrthancPlugins::IAuthorizationParser::AccessedResources::const_iterator |
| 363 } | 365 } |
| 364 | 366 |
| 365 // If we get till here, it means that we have a resource token -> check that the resource is accessible | 367 // If we get till here, it means that we have a resource token -> check that the resource is accessible |
| 366 //////////////////////////////////////////////////////////////// | 368 //////////////////////////////////////////////////////////////// |
| 367 | 369 |
| 368 if (authorizationParser_.get() != NULL && | 370 if (resourceTokensEnabled_ && |
| 369 authorizationService_.get() != NULL) | 371 authorizationService_.get() != NULL) |
| 370 { | 372 { |
| 371 // Parse the resources that are accessed through this URI | 373 // Parse the resources that are accessed through this URI |
| 372 OrthancPlugins::IAuthorizationParser::AccessedResources accesses; | 374 OrthancPlugins::IAuthorizationParser::AccessedResources accesses; |
| 373 | 375 |
| 1135 | 1137 |
| 1136 pluginConfiguration.LookupStringValue(urlTokenCreationBase, WEB_SERVICE_TOKEN_CREATION_BASE); | 1138 pluginConfiguration.LookupStringValue(urlTokenCreationBase, WEB_SERVICE_TOKEN_CREATION_BASE); |
| 1137 pluginConfiguration.LookupStringValue(urlUserProfile, WEB_SERVICE_USER_PROFILE); | 1139 pluginConfiguration.LookupStringValue(urlUserProfile, WEB_SERVICE_USER_PROFILE); |
| 1138 } | 1140 } |
| 1139 | 1141 |
| 1142 authorizationParser_.reset(new OrthancPlugins::DefaultAuthorizationParser(factory, dicomWebRoot)); | |
| 1143 | |
| 1140 if (!urlTokenValidation.empty()) | 1144 if (!urlTokenValidation.empty()) |
| 1141 { | 1145 { |
| 1142 LOG(WARNING) << "Authorization plugin: url defined for Token Validation: " << urlTokenValidation; | 1146 LOG(WARNING) << "Authorization plugin: url defined for Token Validation: " << urlTokenValidation << ", resource tokens validation is enabled"; |
| 1143 authorizationParser_.reset | 1147 resourceTokensEnabled_ = true; |
| 1144 (new OrthancPlugins::DefaultAuthorizationParser(factory, dicomWebRoot)); | |
| 1145 } | 1148 } |
| 1146 else | 1149 else |
| 1147 { | 1150 { |
| 1148 LOG(WARNING) << "Authorization plugin: no url defined for Token Validation"; | 1151 LOG(WARNING) << "Authorization plugin: no url defined for Token Validation, resource tokens validation is disabled"; |
| 1152 resourceTokensEnabled_ = false; | |
| 1149 } | 1153 } |
| 1150 | 1154 |
| 1151 if (!urlUserProfile.empty()) | 1155 if (!urlUserProfile.empty()) |
| 1152 { | 1156 { |
| 1153 LOG(WARNING) << "Authorization plugin: url defined for User Profile: " << urlUserProfile; | 1157 LOG(WARNING) << "Authorization plugin: url defined for User Profile: " << urlUserProfile << ", user tokens validation is enabled"; |
| 1158 userTokensEnabled_ = true; | |
| 1154 | 1159 |
| 1155 static const char* PERMISSIONS = "Permissions"; | 1160 static const char* PERMISSIONS = "Permissions"; |
| 1156 if (!pluginConfiguration.GetJson().isMember(PERMISSIONS)) | 1161 if (!pluginConfiguration.GetJson().isMember(PERMISSIONS)) |
| 1157 { | 1162 { |
| 1158 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: Missing required \"" + std::string(PERMISSIONS) + | 1163 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: Missing required \"" + std::string(PERMISSIONS) + |
| 1159 "\" option since you have defined the \"" + std::string(WEB_SERVICE_ROOT) + "\" option"); | 1164 "\" option since you have defined the \"" + std::string(WEB_SERVICE_ROOT) + "\" option"); |
| 1160 } | 1165 } |
| 1161 permissionParser_.reset | 1166 permissionParser_.reset |
| 1162 (new OrthancPlugins::PermissionParser(dicomWebRoot, oe2Root)); | 1167 (new OrthancPlugins::PermissionParser(dicomWebRoot, oe2Root)); |
| 1163 | 1168 |
| 1164 permissionParser_->Add(pluginConfiguration.GetJson()[PERMISSIONS]); | 1169 permissionParser_->Add(pluginConfiguration.GetJson()[PERMISSIONS], authorizationParser_.get()); |
| 1165 } | 1170 } |
| 1166 else | 1171 else |
| 1167 { | 1172 { |
| 1168 LOG(WARNING) << "Authorization plugin: no url defined for User Profile"; | 1173 LOG(WARNING) << "Authorization plugin: no url defined for User Profile" << ", user tokens validation is disabled"; |
| 1174 userTokensEnabled_ = false; | |
| 1169 } | 1175 } |
| 1170 | 1176 |
| 1171 if (!urlTokenCreationBase.empty()) | 1177 if (!urlTokenCreationBase.empty()) |
| 1172 { | 1178 { |
| 1173 LOG(WARNING) << "Authorization plugin: base url defined for Token Creation : " << urlTokenCreationBase; | 1179 LOG(WARNING) << "Authorization plugin: base url defined for Token Creation : " << urlTokenCreationBase; |
| 1175 else | 1181 else |
| 1176 { | 1182 { |
| 1177 LOG(WARNING) << "Authorization plugin: no base url defined for Token Creation"; | 1183 LOG(WARNING) << "Authorization plugin: no base url defined for Token Creation"; |
| 1178 } | 1184 } |
| 1179 | 1185 |
| 1180 if (authorizationParser_.get() == NULL && permissionParser_.get() == NULL) | 1186 if (!resourceTokensEnabled_ && permissionParser_.get() == NULL) |
| 1181 { | 1187 { |
| 1182 if (hasBasicAuthEnabled) | 1188 if (hasBasicAuthEnabled) |
| 1183 { | 1189 { |
| 1184 LOG(WARNING) << "Authorization plugin: No Token Validation or User Profile url defined -> will only be able to generate tokens. All API routes are accessible to all registered users."; | 1190 LOG(WARNING) << "Authorization plugin: No Token Validation or User Profile url defined -> will only be able to generate tokens. All API routes are accessible to all registered users."; |
| 1185 } | 1191 } |
| 1324 if (!urlTokenCreationBase.empty()) | 1330 if (!urlTokenCreationBase.empty()) |
| 1325 { | 1331 { |
| 1326 OrthancPlugins::RegisterRestCallback<CreateToken>("/auth/tokens/(.*)", true); | 1332 OrthancPlugins::RegisterRestCallback<CreateToken>("/auth/tokens/(.*)", true); |
| 1327 } | 1333 } |
| 1328 | 1334 |
| 1329 if (authorizationParser_.get() != NULL || permissionParser_.get() != NULL) | 1335 if (resourceTokensEnabled_ || userTokensEnabled_) |
| 1330 { | 1336 { |
| 1331 if (hasBasicAuthEnabled) | 1337 if (hasBasicAuthEnabled) |
| 1332 { | 1338 { |
| 1333 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: you are using the plugin to grant access to resources or handle user permissions. This is not compatible with \"AuthenticationEnabled\" = true"); | 1339 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: you are using the plugin to grant access to resources or handle user permissions. This is not compatible with \"AuthenticationEnabled\" = true"); |
| 1334 } | 1340 } |