Mercurial > hg > orthanc-authorization
comparison Plugin/Plugin.cpp @ 109:7381a7674b36
wip: adding labels
| author | Alain Mazy <am@osimis.io> |
|---|---|
| date | Fri, 18 Aug 2023 12:08:49 +0200 |
| parents | fcc4542a0c38 |
| children | 2b1a95c7d263 |
comparison
equal
deleted
inserted
replaced
| 108:68ce6fd8b22a | 109:7381a7674b36 |
|---|---|
| 20 #include "DefaultAuthorizationParser.h" | 20 #include "DefaultAuthorizationParser.h" |
| 21 #include "CachedAuthorizationService.h" | 21 #include "CachedAuthorizationService.h" |
| 22 #include "AuthorizationWebService.h" | 22 #include "AuthorizationWebService.h" |
| 23 #include "PermissionParser.h" | 23 #include "PermissionParser.h" |
| 24 #include "MemoryCache.h" | 24 #include "MemoryCache.h" |
| 25 | |
| 26 #include "../Resources/Orthanc/Plugins/OrthancPluginCppWrapper.h" | 25 #include "../Resources/Orthanc/Plugins/OrthancPluginCppWrapper.h" |
| 27 | 26 |
| 28 #include <Compatibility.h> // For std::unique_ptr<> | 27 #include <Compatibility.h> // For std::unique_ptr<> |
| 29 #include <Logging.h> | 28 #include <Logging.h> |
| 30 #include <Toolbox.h> | 29 #include <Toolbox.h> |
| 86 { | 85 { |
| 87 try | 86 try |
| 88 { | 87 { |
| 89 unsigned int validity; // ignored | 88 unsigned int validity; // ignored |
| 90 | 89 |
| 90 // Allow GET accesses to unchecked resources/folders (usually static resources) | |
| 91 //////////////////////////////////////////////////////////////// | |
| 92 | |
| 91 if (method == OrthancPluginHttpMethod_Get) | 93 if (method == OrthancPluginHttpMethod_Get) |
| 92 { | 94 { |
| 93 // Allow GET accesses to static resources | |
| 94 if (uncheckedResources_.find(uri) != uncheckedResources_.end()) | 95 if (uncheckedResources_.find(uri) != uncheckedResources_.end()) |
| 95 { | 96 { |
| 96 return 1; | 97 return 1; |
| 97 } | 98 } |
| 98 | 99 |
| 103 { | 104 { |
| 104 return 1; | 105 return 1; |
| 105 } | 106 } |
| 106 } | 107 } |
| 107 } | 108 } |
| 109 | |
| 110 // Extract auth tokens from headers and url get arguments | |
| 111 //////////////////////////////////////////////////////////////// | |
| 108 | 112 |
| 109 OrthancPlugins::AssociativeArray headers(headersCount, headersKeys, headersValues, false); | 113 OrthancPlugins::AssociativeArray headers(headersCount, headersKeys, headersValues, false); |
| 110 OrthancPlugins::AssociativeArray getArguments(getArgumentsCount, getArgumentsKeys, getArgumentsValues, true); | 114 OrthancPlugins::AssociativeArray getArguments(getArgumentsCount, getArgumentsKeys, getArgumentsValues, true); |
| 111 | 115 |
| 112 std::vector<TokenAndValue> authTokens; // the tokens that are set in this request | 116 std::vector<TokenAndValue> authTokens; // the tokens that are set in this request |
| 134 { | 138 { |
| 135 authTokens.push_back(TokenAndValue(*token, value)); | 139 authTokens.push_back(TokenAndValue(*token, value)); |
| 136 } | 140 } |
| 137 } | 141 } |
| 138 | 142 |
| 139 // check if the user permissions grants him access | 143 // Based on the tokens, check if the user has access based on its permissions and the mapping between urls and permissions |
| 144 //////////////////////////////////////////////////////////////// | |
| 145 | |
| 140 if (permissionParser_.get() != NULL && | 146 if (permissionParser_.get() != NULL && |
| 141 authorizationService_.get() != NULL) | 147 authorizationService_.get() != NULL) |
| 142 // && uncheckedLevels_.find(OrthancPlugins::AccessLevel_UserPermissions) == uncheckedLevels_.end()) | |
| 143 { | 148 { |
| 144 std::set<std::string> requiredPermissions; | 149 std::set<std::string> requiredPermissions; |
| 145 std::string matchedPattern; | 150 std::string matchedPattern; |
| 146 if (permissionParser_->Parse(requiredPermissions, matchedPattern, method, uri)) | 151 if (permissionParser_->Parse(requiredPermissions, matchedPattern, method, uri)) |
| 147 { | 152 { |
| 166 std::string msg = std::string("Testing whether user has the required permissions '") + JoinStrings(requiredPermissions) + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "' required to match '" + matchedPattern + "'"; | 171 std::string msg = std::string("Testing whether user has the required permissions '") + JoinStrings(requiredPermissions) + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "' required to match '" + matchedPattern + "'"; |
| 167 | 172 |
| 168 LOG(INFO) << msg; | 173 LOG(INFO) << msg; |
| 169 if (authorizationService_->HasUserPermission(validity, requiredPermissions, authTokens[i].GetToken(), authTokens[i].GetValue())) | 174 if (authorizationService_->HasUserPermission(validity, requiredPermissions, authTokens[i].GetToken(), authTokens[i].GetValue())) |
| 170 { | 175 { |
| 176 // TODO: check labels permissions | |
| 171 LOG(INFO) << msg << " -> granted"; | 177 LOG(INFO) << msg << " -> granted"; |
| 172 return 1; | 178 return 1; |
| 173 } | 179 } |
| 174 else | 180 else |
| 175 { | 181 { |
| 177 } | 183 } |
| 178 } | 184 } |
| 179 } | 185 } |
| 180 } | 186 } |
| 181 } | 187 } |
| 188 | |
| 189 | |
| 190 // | |
| 191 | |
| 182 if (authorizationParser_.get() != NULL && | 192 if (authorizationParser_.get() != NULL && |
| 183 authorizationService_.get() != NULL) | 193 authorizationService_.get() != NULL) |
| 184 { | 194 { |
| 185 // Parse the resources that are accessed through this URI | 195 // Parse the resources that are accessed through this URI |
| 186 OrthancPlugins::IAuthorizationParser::AccessedResources accesses; | 196 OrthancPlugins::IAuthorizationParser::AccessedResources accesses; |
| 506 // Loop over all the authorization tokens stored in the HTTP | 516 // Loop over all the authorization tokens stored in the HTTP |
| 507 // headers, until finding one that is granted | 517 // headers, until finding one that is granted |
| 508 for (std::set<OrthancPlugins::Token>::const_iterator | 518 for (std::set<OrthancPlugins::Token>::const_iterator |
| 509 token = tokens_.begin(); token != tokens_.end(); ++token) | 519 token = tokens_.begin(); token != tokens_.end(); ++token) |
| 510 { | 520 { |
| 511 Json::Value profile; | 521 OrthancPlugins::IAuthorizationService::UserProfile profile; |
| 512 | 522 |
| 513 std::string value; | 523 std::string value; |
| 514 | 524 |
| 515 bool hasValue = false; | 525 bool hasValue = false; |
| 516 switch (token->GetType()) | 526 switch (token->GetType()) |
| 530 if (hasValue) | 540 if (hasValue) |
| 531 { | 541 { |
| 532 unsigned int validity; // not used | 542 unsigned int validity; // not used |
| 533 if (authorizationService_->GetUserProfile(validity, profile, *token, value)) | 543 if (authorizationService_->GetUserProfile(validity, profile, *token, value)) |
| 534 { | 544 { |
| 535 OrthancPlugins::AnswerJson(profile, output); | 545 Json::Value jsonProfile; |
| 546 jsonProfile["name"] = profile.name; | |
| 547 jsonProfile["permissions"] = Json::arrayValue; | |
| 548 for (std::set<std::string>::const_iterator it = profile.permissions.begin(); it != profile.permissions.end(); ++it) | |
| 549 { | |
| 550 jsonProfile["permissions"].append(*it); | |
| 551 } | |
| 552 for (std::set<std::string>::const_iterator it = profile.authorizedLabels.begin(); it != profile.authorizedLabels.end(); ++it) | |
| 553 { | |
| 554 jsonProfile["authorized-labels"].append(*it); | |
| 555 } | |
| 556 for (std::set<std::string>::const_iterator it = profile.forbiddenLabels.begin(); it != profile.forbiddenLabels.end(); ++it) | |
| 557 { | |
| 558 jsonProfile["forbidden-labels"].append(*it); | |
| 559 } | |
| 560 | |
| 561 OrthancPlugins::AnswerJson(jsonProfile, output); | |
| 536 return; | 562 return; |
| 537 } | 563 } |
| 538 } | 564 } |
| 539 } | 565 } |
| 540 | 566 |