Mercurial > hg > orthanc-authorization
comparison Plugin/Plugin.cpp @ 190:de232f9b3a60
cppcheck
| author | Sebastien Jodogne <s.jodogne@gmail.com> |
|---|---|
| date | Wed, 05 Jun 2024 15:08:41 +0200 |
| parents | c4b908970ae4 |
| children | 2f1e872e8eaa |
comparison
equal
deleted
inserted
replaced
| 188:c4b908970ae4 | 190:de232f9b3a60 |
|---|---|
| 227 | 227 |
| 228 static bool IsResourceAccessGranted(const std::vector<TokenAndValue>& authTokens, | 228 static bool IsResourceAccessGranted(const std::vector<TokenAndValue>& authTokens, |
| 229 OrthancPluginHttpMethod method, | 229 OrthancPluginHttpMethod method, |
| 230 const OrthancPlugins::AccessedResource& access) | 230 const OrthancPlugins::AccessedResource& access) |
| 231 { | 231 { |
| 232 unsigned int validity; // ignored | |
| 233 | |
| 234 // Ignored the access levels that are unchecked | 232 // Ignored the access levels that are unchecked |
| 235 // (cf. "UncheckedLevels" option) | 233 // (cf. "UncheckedLevels" option) |
| 236 if (uncheckedLevels_.find(access.GetLevel()) == uncheckedLevels_.end()) | 234 if (uncheckedLevels_.find(access.GetLevel()) == uncheckedLevels_.end()) |
| 237 { | 235 { |
| 238 std::string msg = std::string("Testing whether access to ") + OrthancPlugins::EnumerationToString(access.GetLevel()) + " \"" + access.GetOrthancId() + "\" is allowed with a resource token"; | 236 std::string msg = std::string("Testing whether access to ") + OrthancPlugins::EnumerationToString(access.GetLevel()) + " \"" + access.GetOrthancId() + "\" is allowed with a resource token"; |
| 240 | 238 |
| 241 bool granted = false; | 239 bool granted = false; |
| 242 | 240 |
| 243 if (authTokens.empty()) | 241 if (authTokens.empty()) |
| 244 { | 242 { |
| 243 unsigned int validity; // ignored | |
| 245 granted = authorizationService_->IsGrantedToAnonymousUser(validity, method, access); | 244 granted = authorizationService_->IsGrantedToAnonymousUser(validity, method, access); |
| 246 } | 245 } |
| 247 else | 246 else |
| 248 { | 247 { |
| 249 // Loop over all the authorization tokens in the request until finding one that is granted | 248 // Loop over all the authorization tokens in the request until finding one that is granted |
| 250 for (size_t i = 0; i < authTokens.size(); ++i) | 249 for (size_t i = 0; i < authTokens.size(); ++i) |
| 251 { | 250 { |
| 251 unsigned int validity; // ignored | |
| 252 if (authorizationService_->IsGranted(validity, method, access, authTokens[i].GetToken(), authTokens[i].GetValue())) | 252 if (authorizationService_->IsGranted(validity, method, access, authTokens[i].GetToken(), authTokens[i].GetValue())) |
| 253 { | 253 { |
| 254 granted = true; | 254 granted = true; |
| 255 break; | 255 break; |
| 256 } | 256 } |
| 282 const char *const *getArgumentsKeys, | 282 const char *const *getArgumentsKeys, |
| 283 const char *const *getArgumentsValues) | 283 const char *const *getArgumentsValues) |
| 284 { | 284 { |
| 285 try | 285 try |
| 286 { | 286 { |
| 287 unsigned int validity; // ignored | |
| 288 | |
| 289 // Allow GET accesses to unchecked resources/folders (usually static resources) | 287 // Allow GET accesses to unchecked resources/folders (usually static resources) |
| 290 //////////////////////////////////////////////////////////////// | 288 //////////////////////////////////////////////////////////////// |
| 291 | 289 |
| 292 if (method == OrthancPluginHttpMethod_Get) | 290 if (method == OrthancPluginHttpMethod_Get) |
| 293 { | 291 { |
| 312 OrthancPlugins::AssociativeArray getArguments(getArgumentsCount, getArgumentsKeys, getArgumentsValues, true); | 310 OrthancPlugins::AssociativeArray getArguments(getArgumentsCount, getArgumentsKeys, getArgumentsValues, true); |
| 313 | 311 |
| 314 // Based on the tokens, check if the user has access based on its permissions and the mapping between urls and permissions | 312 // Based on the tokens, check if the user has access based on its permissions and the mapping between urls and permissions |
| 315 //////////////////////////////////////////////////////////////// | 313 //////////////////////////////////////////////////////////////// |
| 316 bool hasUserRequiredPermissions = false; | 314 bool hasUserRequiredPermissions = false; |
| 317 bool hasAuthorizedLabelsForResource = false; | |
| 318 | 315 |
| 319 if (permissionParser_.get() != NULL && | 316 if (permissionParser_.get() != NULL && |
| 320 authorizationService_.get() != NULL) | 317 authorizationService_.get() != NULL) |
| 321 { | 318 { |
| 322 std::set<std::string> requiredPermissions; | 319 std::set<std::string> requiredPermissions; |
| 326 if (authTokens.empty()) | 323 if (authTokens.empty()) |
| 327 { | 324 { |
| 328 std::string msg = std::string("Testing whether anonymous user has any of the required permissions '") + JoinStrings(requiredPermissions) + "'"; | 325 std::string msg = std::string("Testing whether anonymous user has any of the required permissions '") + JoinStrings(requiredPermissions) + "'"; |
| 329 | 326 |
| 330 LOG(INFO) << msg; | 327 LOG(INFO) << msg; |
| 328 | |
| 329 unsigned int validity; // ignored | |
| 331 if (authorizationService_->HasAnonymousUserPermission(validity, requiredPermissions)) | 330 if (authorizationService_->HasAnonymousUserPermission(validity, requiredPermissions)) |
| 332 { | 331 { |
| 333 LOG(INFO) << msg << " -> granted"; | 332 LOG(INFO) << msg << " -> granted"; |
| 334 hasUserRequiredPermissions = true; | 333 hasUserRequiredPermissions = true; |
| 335 } | 334 } |
| 349 // LOG(INFO) << msg; | 348 // LOG(INFO) << msg; |
| 350 OrthancPlugins::IAuthorizationService::UserProfile profile; | 349 OrthancPlugins::IAuthorizationService::UserProfile profile; |
| 351 unsigned int validityNotUsed; | 350 unsigned int validityNotUsed; |
| 352 authorizationService_->GetUserProfile(validityNotUsed, profile, authTokens[i].GetToken(), authTokens[i].GetValue()); | 351 authorizationService_->GetUserProfile(validityNotUsed, profile, authTokens[i].GetToken(), authTokens[i].GetValue()); |
| 353 | 352 |
| 353 unsigned int validity; // ignored | |
| 354 if (authorizationService_->HasUserPermission(validity, requiredPermissions, profile)) | 354 if (authorizationService_->HasUserPermission(validity, requiredPermissions, profile)) |
| 355 { | 355 { |
| 356 LOG(INFO) << msg << " -> granted"; | 356 LOG(INFO) << msg << " -> granted"; |
| 357 hasUserRequiredPermissions = true; | 357 hasUserRequiredPermissions = true; |
| 358 | 358 |
| 359 // check labels permissions | 359 // check labels permissions |
| 360 std::string msg = std::string("Testing whether user has the authorized_labels to access '") + uri + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "'"; | 360 msg = std::string("Testing whether user has the authorized_labels to access '") + uri + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "'"; |
| 361 | |
| 362 bool hasAuthorizedLabelsForResource = false; | |
| 361 if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, getArguments, profile)) | 363 if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, getArguments, profile)) |
| 362 { | 364 { |
| 363 if (hasAuthorizedLabelsForResource) | 365 if (hasAuthorizedLabelsForResource) |
| 364 { | 366 { |
| 365 LOG(INFO) << msg << " -> granted"; | 367 LOG(INFO) << msg << " -> granted"; |
| 793 { | 795 { |
| 794 SendForbiddenError(e.GetDetails(), output); | 796 SendForbiddenError(e.GetDetails(), output); |
| 795 } | 797 } |
| 796 else | 798 else |
| 797 { | 799 { |
| 798 throw e; | 800 throw; |
| 799 } | 801 } |
| 800 } | 802 } |
| 801 | 803 |
| 802 } | 804 } |
| 803 | 805 |
| 858 { | 860 { |
| 859 SendForbiddenError(e.GetDetails(), output); | 861 SendForbiddenError(e.GetDetails(), output); |
| 860 } | 862 } |
| 861 else | 863 else |
| 862 { | 864 { |
| 863 throw e; | 865 throw; |
| 864 } | 866 } |
| 865 } | 867 } |
| 866 } | 868 } |
| 867 | 869 |
| 868 | 870 |
| 986 Json::Value body; | 988 Json::Value body; |
| 987 if (!OrthancPlugins::ReadJson(body, request->body, request->bodySize)) | 989 if (!OrthancPlugins::ReadJson(body, request->body, request->bodySize)) |
| 988 { | 990 { |
| 989 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "A JSON payload was expected"); | 991 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "A JSON payload was expected"); |
| 990 } | 992 } |
| 991 | |
| 992 Json::Value authPayload; | |
| 993 | |
| 994 authPayload["token-key"] = body["TokenKey"].asString(); | |
| 995 authPayload["token-value"] = body["TokenValue"].asString(); | |
| 996 | 993 |
| 997 OrthancPlugins::IAuthorizationService::DecodedToken decodedToken; | 994 OrthancPlugins::IAuthorizationService::DecodedToken decodedToken; |
| 998 if (authorizationService_->DecodeToken(decodedToken, | 995 if (authorizationService_->DecodeToken(decodedToken, |
| 999 body["TokenKey"].asString(), | 996 body["TokenKey"].asString(), |
| 1000 body["TokenValue"].asString())) | 997 body["TokenValue"].asString())) |
| 1105 | 1102 |
| 1106 OrthancPlugins::SetDescription(ORTHANC_PLUGIN_NAME, "Advanced authorization plugin for Orthanc."); | 1103 OrthancPlugins::SetDescription(ORTHANC_PLUGIN_NAME, "Advanced authorization plugin for Orthanc."); |
| 1107 | 1104 |
| 1108 try | 1105 try |
| 1109 { | 1106 { |
| 1110 static const char* PLUGIN_SECTION = "Authorization"; | 1107 static const char* const PLUGIN_SECTION = "Authorization"; |
| 1111 | 1108 |
| 1112 OrthancPlugins::OrthancConfiguration orthancFullConfiguration; | 1109 OrthancPlugins::OrthancConfiguration orthancFullConfiguration; |
| 1113 | 1110 |
| 1114 // read default configuration | 1111 // read default configuration |
| 1115 std::string defaultConfigurationFileContent; | 1112 std::string defaultConfigurationFileContent; |
| 1187 std::string urlTokenValidation; | 1184 std::string urlTokenValidation; |
| 1188 std::string urlTokenCreationBase; | 1185 std::string urlTokenCreationBase; |
| 1189 std::string urlUserProfile; | 1186 std::string urlUserProfile; |
| 1190 std::string urlRoot; | 1187 std::string urlRoot; |
| 1191 | 1188 |
| 1192 static const char* WEB_SERVICE_ROOT = "WebServiceRootUrl"; | 1189 static const char* const WEB_SERVICE_ROOT = "WebServiceRootUrl"; |
| 1193 static const char* WEB_SERVICE_TOKEN_DECODER = "WebServiceTokenDecoderUrl"; | 1190 |
| 1194 static const char* WEB_SERVICE_TOKEN_VALIDATION = "WebServiceTokenValidationUrl"; | |
| 1195 static const char* WEB_SERVICE_TOKEN_CREATION_BASE = "WebServiceTokenCreationBaseUrl"; | |
| 1196 static const char* WEB_SERVICE_USER_PROFILE = "WebServiceUserProfileUrl"; | |
| 1197 static const char* WEB_SERVICE_TOKEN_VALIDATION_LEGACY = "WebService"; | |
| 1198 if (pluginConfiguration.LookupStringValue(urlRoot, WEB_SERVICE_ROOT)) | 1191 if (pluginConfiguration.LookupStringValue(urlRoot, WEB_SERVICE_ROOT)) |
| 1199 { | 1192 { |
| 1200 urlTokenDecoder = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/decode"); | 1193 urlTokenDecoder = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/decode"); |
| 1201 urlTokenValidation = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/validate"); | 1194 urlTokenValidation = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/validate"); |
| 1202 urlTokenCreationBase = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/"); | 1195 urlTokenCreationBase = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/"); |
| 1203 urlUserProfile = Orthanc::Toolbox::JoinUri(urlRoot, "/user/get-profile"); | 1196 urlUserProfile = Orthanc::Toolbox::JoinUri(urlRoot, "/user/get-profile"); |
| 1204 } | 1197 } |
| 1205 else | 1198 else |
| 1206 { | 1199 { |
| 1200 static const char* const WEB_SERVICE_TOKEN_DECODER = "WebServiceTokenDecoderUrl"; | |
| 1201 static const char* const WEB_SERVICE_TOKEN_VALIDATION = "WebServiceTokenValidationUrl"; | |
| 1202 static const char* const WEB_SERVICE_TOKEN_CREATION_BASE = "WebServiceTokenCreationBaseUrl"; | |
| 1203 static const char* const WEB_SERVICE_USER_PROFILE = "WebServiceUserProfileUrl"; | |
| 1204 static const char* const WEB_SERVICE_TOKEN_VALIDATION_LEGACY = "WebService"; | |
| 1205 | |
| 1207 pluginConfiguration.LookupStringValue(urlTokenValidation, WEB_SERVICE_TOKEN_VALIDATION); | 1206 pluginConfiguration.LookupStringValue(urlTokenValidation, WEB_SERVICE_TOKEN_VALIDATION); |
| 1208 pluginConfiguration.LookupStringValue(urlTokenDecoder, WEB_SERVICE_TOKEN_DECODER); | 1207 pluginConfiguration.LookupStringValue(urlTokenDecoder, WEB_SERVICE_TOKEN_DECODER); |
| 1209 if (urlTokenValidation.empty()) | 1208 if (urlTokenValidation.empty()) |
| 1210 { | 1209 { |
| 1211 pluginConfiguration.LookupStringValue(urlTokenValidation, WEB_SERVICE_TOKEN_VALIDATION_LEGACY); | 1210 pluginConfiguration.LookupStringValue(urlTokenValidation, WEB_SERVICE_TOKEN_VALIDATION_LEGACY); |
| 1231 if (!urlUserProfile.empty()) | 1230 if (!urlUserProfile.empty()) |
| 1232 { | 1231 { |
| 1233 LOG(WARNING) << "Authorization plugin: url defined for User Profile: " << urlUserProfile << ", user tokens validation is enabled"; | 1232 LOG(WARNING) << "Authorization plugin: url defined for User Profile: " << urlUserProfile << ", user tokens validation is enabled"; |
| 1234 userTokensEnabled_ = true; | 1233 userTokensEnabled_ = true; |
| 1235 | 1234 |
| 1236 static const char* PERMISSIONS = "Permissions"; | 1235 static const char* const PERMISSIONS = "Permissions"; |
| 1237 if (!pluginConfiguration.GetJson().isMember(PERMISSIONS)) | 1236 if (!pluginConfiguration.GetJson().isMember(PERMISSIONS)) |
| 1238 { | 1237 { |
| 1239 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: Missing required \"" + std::string(PERMISSIONS) + | 1238 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: Missing required \"" + std::string(PERMISSIONS) + |
| 1240 "\" option since you have defined the \"" + std::string(WEB_SERVICE_ROOT) + "\" option"); | 1239 "\" option since you have defined the \"" + std::string(WEB_SERVICE_ROOT) + "\" option"); |
| 1241 } | 1240 } |