orthanc-authorization: Plugin/Plugin.cpp comparison

comparison Plugin/Plugin.cpp @ 124:d5232d374fd8 0.6.0

Add support for ForbiddenAccess error for Orthanc < 1.12.2

author	Alain Mazy <am@osimis.io>
date	Mon, 18 Sep 2023 21:15:33 +0200
parents	9ebcda90587f
children	8b123c2adb69

comparison

equal deleted inserted replaced

-:db60c361e395
+:d5232d374fd8
 std::string out;
 std::set<std::string> copy = values;    // TODO: remove after upgrading to OrthancFramework 1.11.3+
 Orthanc::Toolbox::JoinStrings(out, copy, "|");
 return out;
 }
+// For Orthanc prior to 1.12.2, we can not use the Forbidden error code and report the error ourselves
+static void SendForbiddenError(const char* message, OrthancPluginRestOutput* output)
+{
+OrthancPluginContext* context = OrthancPlugins::GetGlobalContext();
+OrthancPluginSendHttpStatus(context, output, 403, message, strlen(message));
+}
 class TokenAndValue
 {
 private:
 OrthancPlugins::Token token_;
 const char* /*url*/,
 const OrthancPluginHttpRequest* request)
 {
 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext();
-if (request->method != OrthancPluginHttpMethod_Post)
+try
 {
-OrthancPluginSendMethodNotAllowed(context, output, "POST");
+if (request->method != OrthancPluginHttpMethod_Post)
-}
+{
-else
+OrthancPluginSendMethodNotAllowed(context, output, "POST");
-{
+}
-// The filtering to this route is performed by this plugin as it is done for any other route before we get here.
+else
+{
-Json::Value body;
+// The filtering to this route is performed by this plugin as it is done for any other route before we get here.
-if (!OrthancPlugins::ReadJson(body, request->body, request->bodySize))
-{
+Json::Value body;
-throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "A JSON payload was expected");
+if (!OrthancPlugins::ReadJson(body, request->body, request->bodySize))
-}
+{
+throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "A JSON payload was expected");
-// If the logged in user has restrictions on the labels he can access, modify the tools/find payload before reposting it to Orthanc
+}
-OrthancPlugins::IAuthorizationService::UserProfile profile;
-if (GetUserProfileInternal(profile, request) && HasAccessToSomeLabels(profile))
+// If the logged in user has restrictions on the labels he can access, modify the tools/find payload before reposting it to Orthanc
-{
+OrthancPlugins::IAuthorizationService::UserProfile profile;
-AdjustToolsFindQueryLabels(body, profile);
+if (GetUserProfileInternal(profile, request) && HasAccessToSomeLabels(profile))
-}
+{
-else // anonymous user profile or resource token
+AdjustToolsFindQueryLabels(body, profile);
-{
+}
-std::string studyInstanceUID;
+else // anonymous user profile or resource token
+{
-// If anonymous user profile, it might be a resource token e.g accessing /dicom-web/studies/.../metadata
+std::string studyInstanceUID;
-// -> extract the StudyInstanceUID from the query and send the token for validation to the auth-service
-// If there is no StudyInstanceUID, then, return a 403 because we don't know what resource it relates to
+// If anonymous user profile, it might be a resource token e.g accessing /dicom-web/studies/.../metadata
-if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, body))
+// -> extract the StudyInstanceUID from the query and send the token for validation to the auth-service
-{
+// If there is no StudyInstanceUID, then, return a 403 because we don't know what resource it relates to
-throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query.");
+if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, body))
-}
+{
+throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query.");
-Json::Value studyOrhtancIds;
+}
-if (!OrthancPlugins::RestApiPost(studyOrhtancIds, "/tools/lookup", studyInstanceUID, false) || studyOrhtancIds.size() != 1)
-{
+Json::Value studyOrhtancIds;
-throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query.");
+if (!OrthancPlugins::RestApiPost(studyOrhtancIds, "/tools/lookup", studyInstanceUID, false) || studyOrhtancIds.size() != 1)
-}
+{
+throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query.");
-std::vector<TokenAndValue> authTokens;  // the tokens that are set in this request
+}
-GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues);
+std::vector<TokenAndValue> authTokens;  // the tokens that are set in this request
-std::set<std::string> labels;
+GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues);
-OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrhtancIds[0]["ID"].asString(), studyInstanceUID, labels);
-if (!IsResourceAccessGranted(authTokens, request->method, accessedResource))
+std::set<std::string> labels;
-{
+OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrhtancIds[0]["ID"].asString(), studyInstanceUID, labels);
-throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query.");
+if (!IsResourceAccessGranted(authTokens, request->method, accessedResource))
-}
+{
+throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query.");
 }
-Json::Value result;
+}
-if (OrthancPlugins::RestApiPost(result, "/tools/find", body, false))
-{
+Json::Value result;
-OrthancPlugins::AnswerJson(result, output);
+if (OrthancPlugins::RestApiPost(result, "/tools/find", body, false))
-}
+{
+OrthancPlugins::AnswerJson(result, output);
 }
+}
+}
+catch(const Orthanc::OrthancException& e)
+{
+// this error is not yet supported in Orthanc 1.12.1
+if (e.GetErrorCode() == Orthanc::ErrorCode_ForbiddenAccess && !OrthancPlugins::CheckMinimalOrthancVersion(1, 12, 2))
+{
+SendForbiddenError(e.GetDetails(), output);
+}
+else
+{
+throw e;
+}
+}
 }
 void ToolsLabels(OrthancPluginRestOutput* output,
 const char* /*url*/,
 const OrthancPluginHttpRequest* request)
 {
 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext();
-if (request->method != OrthancPluginHttpMethod_Get)
+try
 {
-OrthancPluginSendMethodNotAllowed(context, output, "GET");
+if (request->method != OrthancPluginHttpMethod_Get)
-}
+{
-else
+OrthancPluginSendMethodNotAllowed(context, output, "GET");
-{
-// The filtering to this route is performed by this plugin as it is done for any other route before we get here.
-// If the logged in user has restrictions on the labels he can access, modify the tools/labels response before answering
-OrthancPlugins::IAuthorizationService::UserProfile profile;
-if (GetUserProfileInternal(profile, request))
-{
-if (!HasAccessToSomeLabels(profile))
-{
-Json::Value emptyLabels;
-OrthancPlugins::AnswerJson(emptyLabels, output);
-return;
-}
-Json::Value jsonLabels;
-if (OrthancPlugins::RestApiGet(jsonLabels, "/tools/labels", false))
-{
-std::set<std::string> allLabels;
-Orthanc::SerializationToolbox::ReadSetOfStrings(allLabels, jsonLabels);
-if (!HasAccessToAllLabels(profile))
-{
-std::set<std::string> authorizedLabels;
-Orthanc::Toolbox::GetIntersection(authorizedLabels, allLabels, profile.authorizedLabels);
-Orthanc::SerializationToolbox::WriteSetOfStrings(jsonLabels, authorizedLabels);
-}
-OrthancPlugins::AnswerJson(jsonLabels, output);
-}
 }
 else
 {
-throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: no user profile found, access to tools/labels is forbidden.");
+// The filtering to this route is performed by this plugin as it is done for any other route before we get here.
+// If the logged in user has restrictions on the labels he can access, modify the tools/labels response before answering
+OrthancPlugins::IAuthorizationService::UserProfile profile;
+if (GetUserProfileInternal(profile, request))
+{
+if (!HasAccessToSomeLabels(profile))
+{
+Json::Value emptyLabels;
+OrthancPlugins::AnswerJson(emptyLabels, output);
+return;
+}
+Json::Value jsonLabels;
+if (OrthancPlugins::RestApiGet(jsonLabels, "/tools/labels", false))
+{
+std::set<std::string> allLabels;
+Orthanc::SerializationToolbox::ReadSetOfStrings(allLabels, jsonLabels);
+if (!HasAccessToAllLabels(profile))
+{
+std::set<std::string> authorizedLabels;
+Orthanc::Toolbox::GetIntersection(authorizedLabels, allLabels, profile.authorizedLabels);
+Orthanc::SerializationToolbox::WriteSetOfStrings(jsonLabels, authorizedLabels);
+}
+OrthancPlugins::AnswerJson(jsonLabels, output);
+}
+}
+else
+{
+throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: no user profile found, access to tools/labels is forbidden.");
+}
+}
+}
+catch(const Orthanc::OrthancException& e)
+{
+// this error is not yet supported in Orthanc 1.12.1
+if (e.GetErrorCode() == Orthanc::ErrorCode_ForbiddenAccess && !OrthancPlugins::CheckMinimalOrthancVersion(1, 12, 2))
+{
+SendForbiddenError(e.GetDetails(), output);
+}
+else
+{
+throw e;
 }
 }
 }

Mercurial > hg > orthanc-authorization

comparison Plugin/Plugin.cpp @ 124:d5232d374fd8 0.6.0