comparison Plugin/Plugin.cpp @ 109:7381a7674b36
wip: adding labels
author | Alain Mazy <am@osimis.io> |
---|---|
date | Fri, 18 Aug 2023 12:08:49 +0200 |
parents | fcc4542a0c38 |
children | 2b1a95c7d263 |
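--- a/Plugin/Plugin.cpp
+++ b/Plugin/Plugin.cpp
@@ -20,11 +20,10 @@
 #include "DefaultAuthorizationParser.h"
 #include "CachedAuthorizationService.h"
 #include "AuthorizationWebService.h"
 #include "PermissionParser.h"
 #include "MemoryCache.h"
-
 #include "../Resources/Orthanc/Plugins/OrthancPluginCppWrapper.h"
 
 #include <Compatibility.h> // For std::unique_ptr<>
 #include <Logging.h>
 #include <Toolbox.h>
@@ -86,13 +85,15 @@
 {
   try
   {
     unsigned int validity; // ignored
 
+    // Allow GET accesses to unchecked resources/folders (usually static resources)
+    ////////////////////////////////////////////////////////////////
+
     if (method == OrthancPluginHttpMethod_Get)
     {
-      // Allow GET accesses to static resources
       if (uncheckedResources_.find(uri) != uncheckedResources_.end())
       {
         return 1;
       }
 
@@ -103,10 +104,13 @@
         {
           return 1;
         }
       }
     }
+
+    // Extract auth tokens from headers and url get arguments
+    ////////////////////////////////////////////////////////////////
 
     OrthancPlugins::AssociativeArray headers(headersCount, headersKeys, headersValues, false);
     OrthancPlugins::AssociativeArray getArguments(getArgumentsCount, getArgumentsKeys, getArgumentsValues, true);
 
     std::vector<TokenAndValue> authTokens; // the tokens that are set in this request
@@ -134,14 +138,15 @@
       {
         authTokens.push_back(TokenAndValue(*token, value));
       }
     }
 
-    // check if the user permissions grants him access
+    // Based on the tokens, check if the user has access based on its permissions and the mapping between urls and permissions
+    ////////////////////////////////////////////////////////////////
+
     if (permissionParser_.get() != NULL &&
         authorizationService_.get() != NULL)
-        // && uncheckedLevels_.find(OrthancPlugins::AccessLevel_UserPermissions) == uncheckedLevels_.end())
     {
       std::set<std::string> requiredPermissions;
       std::string matchedPattern;
       if (permissionParser_->Parse(requiredPermissions, matchedPattern, method, uri))
       {
@@ -166,10 +171,11 @@
             std::string msg = std::string("Testing whether user has the required permissions '") + JoinStrings(requiredPermissions) + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "' required to match '" + matchedPattern + "'";
 
             LOG(INFO) << msg;
             if (authorizationService_->HasUserPermission(validity, requiredPermissions, authTokens[i].GetToken(), authTokens[i].GetValue()))
             {
+              // TODO: check labels permissions
               LOG(INFO) << msg << " -> granted";
               return 1;
             }
             else
             {
@@ -177,10 +183,14 @@
             }
           }
         }
       }
     }
+
+
+    //
+
     if (authorizationParser_.get() != NULL &&
         authorizationService_.get() != NULL)
     {
       // Parse the resources that are accessed through this URI
       OrthancPlugins::IAuthorizationParser::AccessedResources accesses;
@@ -506,11 +516,11 @@
     // Loop over all the authorization tokens stored in the HTTP
     // headers, until finding one that is granted
     for (std::set<OrthancPlugins::Token>::const_iterator
          token = tokens_.begin(); token != tokens_.end(); ++token)
     {
-      Json::Value profile;
+      OrthancPlugins::IAuthorizationService::UserProfile profile;
 
       std::string value;
 
       bool hasValue = false;
       switch (token->GetType())
@@ -530,11 +540,27 @@
       if (hasValue)
       {
         unsigned int validity; // not used
         if (authorizationService_->GetUserProfile(validity, profile, *token, value))
         {
-          OrthancPlugins::AnswerJson(profile, output);
+          Json::Value jsonProfile;
+          jsonProfile["name"] = profile.name;
+          jsonProfile["permissions"] = Json::arrayValue;
+          for (std::set<std::string>::const_iterator it = profile.permissions.begin(); it != profile.permissions.end(); ++it)
+          {
+            jsonProfile["permissions"].append(*it);
+          }
+          for (std::set<std::string>::const_iterator it = profile.authorizedLabels.begin(); it != profile.authorizedLabels.end(); ++it)
+          {
+            jsonProfile["authorized-labels"].append(*it);
+          }
+          for (std::set<std::string>::const_iterator it = profile.forbiddenLabels.begin(); it != profile.forbiddenLabels.end(); ++it)
+          {
+            jsonProfile["forbidden-labels"].append(*it);
+          }
+
+          OrthancPlugins::AnswerJson(jsonProfile, output);
           return;
         }
       }
     }
 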
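Review bot: In the new profile serialization (new lines 545-561) `permissions` is initialised to `Json::arrayValue` before its loop, but `authorized-labels` and `forbidden-labels` are only created by `append`, so whenever one of those sets is empty the key is missing from the answer instead of being an empty array, and a consumer cannot distinguish "no label restriction" from "empty list" without special-casing the absent key. Initialise both keys the same way before their loops: `jsonProfile["authorized-labels"] = Json::arrayValue;` and `jsonProfile["forbidden-labels"] = Json::arrayValue;`. The three loops differ only in the source set and the key name, so a small file-local helper taking the `std::set<std::string>` and the key would remove the duplication. Note also that the `return 1` at new line 178 still grants the request before the label check the TODO at 176 announces, so the label fields returned here are not yet enforced on the filter path; the commit is marked wip, so this is only a reminder. The enclosing functions and their `try` blocks start outside this section.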