comparison Plugin/Plugin.cpp @ 149:423531fb1200
SINGLE_RESOURCE_PATTERNS to facilitate api-key support
author | Alain Mazy <am@osimis.io> |
date | Thu, 15 Feb 2024 16:30:21 +0100 |
parents | f448e8626f1a |
children | 9be1ee2b8fe1 |
148:20c638fa8b07 | 149:423531fb1200 |
30 #include <SerializationToolbox.h> | 30 #include <SerializationToolbox.h> |
31 #include <EmbeddedResources.h> | 31 #include <EmbeddedResources.h> |
32 | 32 |
33 | 33 |
34 // Configuration of the authorization plugin | 34 // Configuration of the authorization plugin |
35 static bool resourceTokensEnabled_ = false; | |
36 static bool userTokensEnabled_ = false; | |
35 static std::unique_ptr<OrthancPlugins::IAuthorizationParser> authorizationParser_; | 37 static std::unique_ptr<OrthancPlugins::IAuthorizationParser> authorizationParser_; |
36 static std::unique_ptr<OrthancPlugins::IAuthorizationService> authorizationService_; | 38 static std::unique_ptr<OrthancPlugins::IAuthorizationService> authorizationService_; |
37 static std::unique_ptr<OrthancPlugins::PermissionParser> permissionParser_; | 39 static std::unique_ptr<OrthancPlugins::PermissionParser> permissionParser_; |
38 static std::set<std::string> uncheckedResources_; | 40 static std::set<std::string> uncheckedResources_; |
39 static std::list<std::string> uncheckedFolders_; | 41 static std::list<std::string> uncheckedFolders_; |
119 return false; // Unable to parse this URI, we could not check labels | 121 return false; // Unable to parse this URI, we could not check labels |
120 } | 122 } |
121 | 123 |
122 if (authorizationParser_->IsListOfResources(uri)) | 124 if (authorizationParser_->IsListOfResources(uri)) |
123 { | 125 { |
124 granted = false; | 126 granted = false; // if a user does not have access to all labels, he can not have access to a list of resources |
125 return true; // if a user does not have access to all labels, he can not have access to a list of resources | 127 return true; |
126 } | 128 } |
127 | 129 |
128 // Loop over all the accessed resources to ensure access is | 130 // Loop over all the accessed resources to ensure access is |
129 // granted to each of them | 131 // granted to each of them |
130 for (OrthancPlugins::IAuthorizationParser::AccessedResources::const_iterator | 132 for (OrthancPlugins::IAuthorizationParser::AccessedResources::const_iterator |
363 } | 365 } |
364 | 366 |
365 // If we get till here, it means that we have a resource token -> check that the resource is accessible | 367 // If we get till here, it means that we have a resource token -> check that the resource is accessible |
366 //////////////////////////////////////////////////////////////// | 368 //////////////////////////////////////////////////////////////// |
367 | 369 |
368 if (authorizationParser_.get() != NULL && | 370 if (resourceTokensEnabled_ && |
369 authorizationService_.get() != NULL) | 371 authorizationService_.get() != NULL) |
370 { | 372 { |
371 // Parse the resources that are accessed through this URI | 373 // Parse the resources that are accessed through this URI |
372 OrthancPlugins::IAuthorizationParser::AccessedResources accesses; | 374 OrthancPlugins::IAuthorizationParser::AccessedResources accesses; |
373 | 375 |
1135 | 1137 |
1136 pluginConfiguration.LookupStringValue(urlTokenCreationBase, WEB_SERVICE_TOKEN_CREATION_BASE); | 1138 pluginConfiguration.LookupStringValue(urlTokenCreationBase, WEB_SERVICE_TOKEN_CREATION_BASE); |
1137 pluginConfiguration.LookupStringValue(urlUserProfile, WEB_SERVICE_USER_PROFILE); | 1139 pluginConfiguration.LookupStringValue(urlUserProfile, WEB_SERVICE_USER_PROFILE); |
1138 } | 1140 } |
1139 | 1141 |
1142 authorizationParser_.reset(new OrthancPlugins::DefaultAuthorizationParser(factory, dicomWebRoot)); | |
1143 | |
1140 if (!urlTokenValidation.empty()) | 1144 if (!urlTokenValidation.empty()) |
1141 { | 1145 { |
1142 LOG(WARNING) << "Authorization plugin: url defined for Token Validation: " << urlTokenValidation; | 1146 LOG(WARNING) << "Authorization plugin: url defined for Token Validation: " << urlTokenValidation << ", resource tokens validation is enabled"; |
1143 authorizationParser_.reset | 1147 resourceTokensEnabled_ = true; |
1144 (new OrthancPlugins::DefaultAuthorizationParser(factory, dicomWebRoot)); | |
1145 } | 1148 } |
1146 else | 1149 else |
1147 { | 1150 { |
1148 LOG(WARNING) << "Authorization plugin: no url defined for Token Validation"; | 1151 LOG(WARNING) << "Authorization plugin: no url defined for Token Validation, resource tokens validation is disabled"; |
1152 resourceTokensEnabled_ = false; | |
1149 } | 1153 } |
1150 | 1154 |
1151 if (!urlUserProfile.empty()) | 1155 if (!urlUserProfile.empty()) |
1152 { | 1156 { |
1153 LOG(WARNING) << "Authorization plugin: url defined for User Profile: " << urlUserProfile; | 1157 LOG(WARNING) << "Authorization plugin: url defined for User Profile: " << urlUserProfile << ", user tokens validation is enabled"; |
1158 userTokensEnabled_ = true; | |
1154 | 1159 |
1155 static const char* PERMISSIONS = "Permissions"; | 1160 static const char* PERMISSIONS = "Permissions"; |
1156 if (!pluginConfiguration.GetJson().isMember(PERMISSIONS)) | 1161 if (!pluginConfiguration.GetJson().isMember(PERMISSIONS)) |
1157 { | 1162 { |
1158 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: Missing required \"" + std::string(PERMISSIONS) + | 1163 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: Missing required \"" + std::string(PERMISSIONS) + |
1159 "\" option since you have defined the \"" + std::string(WEB_SERVICE_ROOT) + "\" option"); | 1164 "\" option since you have defined the \"" + std::string(WEB_SERVICE_ROOT) + "\" option"); |
1160 } | 1165 } |
1161 permissionParser_.reset | 1166 permissionParser_.reset |
1162 (new OrthancPlugins::PermissionParser(dicomWebRoot, oe2Root)); | 1167 (new OrthancPlugins::PermissionParser(dicomWebRoot, oe2Root)); |
1163 | 1168 |
1164 permissionParser_->Add(pluginConfiguration.GetJson()[PERMISSIONS]); | 1169 permissionParser_->Add(pluginConfiguration.GetJson()[PERMISSIONS], authorizationParser_.get()); |
1165 } | 1170 } |
1166 else | 1171 else |
1167 { | 1172 { |
1168 LOG(WARNING) << "Authorization plugin: no url defined for User Profile"; | 1173 LOG(WARNING) << "Authorization plugin: no url defined for User Profile" << ", user tokens validation is disabled"; |
1174 userTokensEnabled_ = false; | |
1169 } | 1175 } |
1170 | 1176 |
1171 if (!urlTokenCreationBase.empty()) | 1177 if (!urlTokenCreationBase.empty()) |
1172 { | 1178 { |
1173 LOG(WARNING) << "Authorization plugin: base url defined for Token Creation : " << urlTokenCreationBase; | 1179 LOG(WARNING) << "Authorization plugin: base url defined for Token Creation : " << urlTokenCreationBase; |
1175 else | 1181 else |
1176 { | 1182 { |
1177 LOG(WARNING) << "Authorization plugin: no base url defined for Token Creation"; | 1183 LOG(WARNING) << "Authorization plugin: no base url defined for Token Creation"; |
1178 } | 1184 } |
1179 | 1185 |
1180 if (authorizationParser_.get() == NULL && permissionParser_.get() == NULL) | 1186 if (!resourceTokensEnabled_ && permissionParser_.get() == NULL) |
1181 { | 1187 { |
1182 if (hasBasicAuthEnabled) | 1188 if (hasBasicAuthEnabled) |
1183 { | 1189 { |
1184 LOG(WARNING) << "Authorization plugin: No Token Validation or User Profile url defined -> will only be able to generate tokens. All API routes are accessible to all registered users."; | 1190 LOG(WARNING) << "Authorization plugin: No Token Validation or User Profile url defined -> will only be able to generate tokens. All API routes are accessible to all registered users."; |
1185 } | 1191 } |
1324 if (!urlTokenCreationBase.empty()) | 1330 if (!urlTokenCreationBase.empty()) |
1325 { | 1331 { |
1326 OrthancPlugins::RegisterRestCallback<CreateToken>("/auth/tokens/(.*)", true); | 1332 OrthancPlugins::RegisterRestCallback<CreateToken>("/auth/tokens/(.*)", true); |
1327 } | 1333 } |
1328 | 1334 |
1329 if (authorizationParser_.get() != NULL || permissionParser_.get() != NULL) | 1335 if (resourceTokensEnabled_ || userTokensEnabled_) |
1330 { | 1336 { |
1331 if (hasBasicAuthEnabled) | 1337 if (hasBasicAuthEnabled) |
1332 { | 1338 { |
1333 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: you are using the plugin to grant access to resources or handle user permissions. This is not compatible with \"AuthenticationEnabled\" = true"); | 1339 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: you are using the plugin to grant access to resources or handle user permissions. This is not compatible with \"AuthenticationEnabled\" = true"); |
1334 } | 1340 } |
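Review bot: The two gates that decide whether the plugin enforces anything now test different things: new-side line 1186 checks `!resourceTokensEnabled_ && permissionParser_.get() == NULL`, while new-side line 1335 checks `resourceTokensEnabled_ || userTokensEnabled_`; they are meant to be negations of each other and agree today only because `permissionParser_` is reset in exactly the branch that sets `userTokensEnabled_` (line 1158), an invariant nothing documents. I would change the first to `if (!resourceTokensEnabled_ && !userTokensEnabled_)` so a later change to how `permissionParser_` is created cannot leave the "all API routes are accessible" warning and the `AuthenticationEnabled` incompatibility check disagreeing about whether authorization is enforced. The new statics at lines 35–36 should also say what they track, e.g. `// true iff a Token Validation url (resp. User Profile url) is configured; read on the request-checking path`. Since `authorizationParser_` is now constructed unconditionally (line 1142), the request path must rely on `resourceTokensEnabled_` as line 370 does, and any remaining `authorizationParser_.get() != NULL` test outside this section would now silently behave as if resource tokens were enabled — worth grepping for. The enclosing initialization function starts and ends outside this section.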