Mercurial > hg > orthanc-authorization
comparison Plugin/Plugin.cpp @ 190:de232f9b3a60
cppcheck
author | Sebastien Jodogne <s.jodogne@gmail.com> |
---|---|
date | Wed, 05 Jun 2024 15:08:41 +0200 |
parents | c4b908970ae4 |
children | 2f1e872e8eaa |
comparison
equal
deleted
inserted
replaced
188:c4b908970ae4 | 190:de232f9b3a60 |
---|---|
227 | 227 |
228 static bool IsResourceAccessGranted(const std::vector<TokenAndValue>& authTokens, | 228 static bool IsResourceAccessGranted(const std::vector<TokenAndValue>& authTokens, |
229 OrthancPluginHttpMethod method, | 229 OrthancPluginHttpMethod method, |
230 const OrthancPlugins::AccessedResource& access) | 230 const OrthancPlugins::AccessedResource& access) |
231 { | 231 { |
232 unsigned int validity; // ignored | |
233 | |
234 // Ignored the access levels that are unchecked | 232 // Ignored the access levels that are unchecked |
235 // (cf. "UncheckedLevels" option) | 233 // (cf. "UncheckedLevels" option) |
236 if (uncheckedLevels_.find(access.GetLevel()) == uncheckedLevels_.end()) | 234 if (uncheckedLevels_.find(access.GetLevel()) == uncheckedLevels_.end()) |
237 { | 235 { |
238 std::string msg = std::string("Testing whether access to ") + OrthancPlugins::EnumerationToString(access.GetLevel()) + " \"" + access.GetOrthancId() + "\" is allowed with a resource token"; | 236 std::string msg = std::string("Testing whether access to ") + OrthancPlugins::EnumerationToString(access.GetLevel()) + " \"" + access.GetOrthancId() + "\" is allowed with a resource token"; |
240 | 238 |
241 bool granted = false; | 239 bool granted = false; |
242 | 240 |
243 if (authTokens.empty()) | 241 if (authTokens.empty()) |
244 { | 242 { |
243 unsigned int validity; // ignored | |
245 granted = authorizationService_->IsGrantedToAnonymousUser(validity, method, access); | 244 granted = authorizationService_->IsGrantedToAnonymousUser(validity, method, access); |
246 } | 245 } |
247 else | 246 else |
248 { | 247 { |
249 // Loop over all the authorization tokens in the request until finding one that is granted | 248 // Loop over all the authorization tokens in the request until finding one that is granted |
250 for (size_t i = 0; i < authTokens.size(); ++i) | 249 for (size_t i = 0; i < authTokens.size(); ++i) |
251 { | 250 { |
251 unsigned int validity; // ignored | |
252 if (authorizationService_->IsGranted(validity, method, access, authTokens[i].GetToken(), authTokens[i].GetValue())) | 252 if (authorizationService_->IsGranted(validity, method, access, authTokens[i].GetToken(), authTokens[i].GetValue())) |
253 { | 253 { |
254 granted = true; | 254 granted = true; |
255 break; | 255 break; |
256 } | 256 } |
282 const char *const *getArgumentsKeys, | 282 const char *const *getArgumentsKeys, |
283 const char *const *getArgumentsValues) | 283 const char *const *getArgumentsValues) |
284 { | 284 { |
285 try | 285 try |
286 { | 286 { |
287 unsigned int validity; // ignored | |
288 | |
289 // Allow GET accesses to unchecked resources/folders (usually static resources) | 287 // Allow GET accesses to unchecked resources/folders (usually static resources) |
290 //////////////////////////////////////////////////////////////// | 288 //////////////////////////////////////////////////////////////// |
291 | 289 |
292 if (method == OrthancPluginHttpMethod_Get) | 290 if (method == OrthancPluginHttpMethod_Get) |
293 { | 291 { |
312 OrthancPlugins::AssociativeArray getArguments(getArgumentsCount, getArgumentsKeys, getArgumentsValues, true); | 310 OrthancPlugins::AssociativeArray getArguments(getArgumentsCount, getArgumentsKeys, getArgumentsValues, true); |
313 | 311 |
314 // Based on the tokens, check if the user has access based on its permissions and the mapping between urls and permissions | 312 // Based on the tokens, check if the user has access based on its permissions and the mapping between urls and permissions |
315 //////////////////////////////////////////////////////////////// | 313 //////////////////////////////////////////////////////////////// |
316 bool hasUserRequiredPermissions = false; | 314 bool hasUserRequiredPermissions = false; |
317 bool hasAuthorizedLabelsForResource = false; | |
318 | 315 |
319 if (permissionParser_.get() != NULL && | 316 if (permissionParser_.get() != NULL && |
320 authorizationService_.get() != NULL) | 317 authorizationService_.get() != NULL) |
321 { | 318 { |
322 std::set<std::string> requiredPermissions; | 319 std::set<std::string> requiredPermissions; |
326 if (authTokens.empty()) | 323 if (authTokens.empty()) |
327 { | 324 { |
328 std::string msg = std::string("Testing whether anonymous user has any of the required permissions '") + JoinStrings(requiredPermissions) + "'"; | 325 std::string msg = std::string("Testing whether anonymous user has any of the required permissions '") + JoinStrings(requiredPermissions) + "'"; |
329 | 326 |
330 LOG(INFO) << msg; | 327 LOG(INFO) << msg; |
328 | |
329 unsigned int validity; // ignored | |
331 if (authorizationService_->HasAnonymousUserPermission(validity, requiredPermissions)) | 330 if (authorizationService_->HasAnonymousUserPermission(validity, requiredPermissions)) |
332 { | 331 { |
333 LOG(INFO) << msg << " -> granted"; | 332 LOG(INFO) << msg << " -> granted"; |
334 hasUserRequiredPermissions = true; | 333 hasUserRequiredPermissions = true; |
335 } | 334 } |
349 // LOG(INFO) << msg; | 348 // LOG(INFO) << msg; |
350 OrthancPlugins::IAuthorizationService::UserProfile profile; | 349 OrthancPlugins::IAuthorizationService::UserProfile profile; |
351 unsigned int validityNotUsed; | 350 unsigned int validityNotUsed; |
352 authorizationService_->GetUserProfile(validityNotUsed, profile, authTokens[i].GetToken(), authTokens[i].GetValue()); | 351 authorizationService_->GetUserProfile(validityNotUsed, profile, authTokens[i].GetToken(), authTokens[i].GetValue()); |
353 | 352 |
353 unsigned int validity; // ignored | |
354 if (authorizationService_->HasUserPermission(validity, requiredPermissions, profile)) | 354 if (authorizationService_->HasUserPermission(validity, requiredPermissions, profile)) |
355 { | 355 { |
356 LOG(INFO) << msg << " -> granted"; | 356 LOG(INFO) << msg << " -> granted"; |
357 hasUserRequiredPermissions = true; | 357 hasUserRequiredPermissions = true; |
358 | 358 |
359 // check labels permissions | 359 // check labels permissions |
360 std::string msg = std::string("Testing whether user has the authorized_labels to access '") + uri + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "'"; | 360 msg = std::string("Testing whether user has the authorized_labels to access '") + uri + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "'"; |
361 | |
362 bool hasAuthorizedLabelsForResource = false; | |
361 if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, getArguments, profile)) | 363 if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, getArguments, profile)) |
362 { | 364 { |
363 if (hasAuthorizedLabelsForResource) | 365 if (hasAuthorizedLabelsForResource) |
364 { | 366 { |
365 LOG(INFO) << msg << " -> granted"; | 367 LOG(INFO) << msg << " -> granted"; |
793 { | 795 { |
794 SendForbiddenError(e.GetDetails(), output); | 796 SendForbiddenError(e.GetDetails(), output); |
795 } | 797 } |
796 else | 798 else |
797 { | 799 { |
798 throw e; | 800 throw; |
799 } | 801 } |
800 } | 802 } |
801 | 803 |
802 } | 804 } |
803 | 805 |
858 { | 860 { |
859 SendForbiddenError(e.GetDetails(), output); | 861 SendForbiddenError(e.GetDetails(), output); |
860 } | 862 } |
861 else | 863 else |
862 { | 864 { |
863 throw e; | 865 throw; |
864 } | 866 } |
865 } | 867 } |
866 } | 868 } |
867 | 869 |
868 | 870 |
986 Json::Value body; | 988 Json::Value body; |
987 if (!OrthancPlugins::ReadJson(body, request->body, request->bodySize)) | 989 if (!OrthancPlugins::ReadJson(body, request->body, request->bodySize)) |
988 { | 990 { |
989 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "A JSON payload was expected"); | 991 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "A JSON payload was expected"); |
990 } | 992 } |
991 | |
992 Json::Value authPayload; | |
993 | |
994 authPayload["token-key"] = body["TokenKey"].asString(); | |
995 authPayload["token-value"] = body["TokenValue"].asString(); | |
996 | 993 |
997 OrthancPlugins::IAuthorizationService::DecodedToken decodedToken; | 994 OrthancPlugins::IAuthorizationService::DecodedToken decodedToken; |
998 if (authorizationService_->DecodeToken(decodedToken, | 995 if (authorizationService_->DecodeToken(decodedToken, |
999 body["TokenKey"].asString(), | 996 body["TokenKey"].asString(), |
1000 body["TokenValue"].asString())) | 997 body["TokenValue"].asString())) |
1105 | 1102 |
1106 OrthancPlugins::SetDescription(ORTHANC_PLUGIN_NAME, "Advanced authorization plugin for Orthanc."); | 1103 OrthancPlugins::SetDescription(ORTHANC_PLUGIN_NAME, "Advanced authorization plugin for Orthanc."); |
1107 | 1104 |
1108 try | 1105 try |
1109 { | 1106 { |
1110 static const char* PLUGIN_SECTION = "Authorization"; | 1107 static const char* const PLUGIN_SECTION = "Authorization"; |
1111 | 1108 |
1112 OrthancPlugins::OrthancConfiguration orthancFullConfiguration; | 1109 OrthancPlugins::OrthancConfiguration orthancFullConfiguration; |
1113 | 1110 |
1114 // read default configuration | 1111 // read default configuration |
1115 std::string defaultConfigurationFileContent; | 1112 std::string defaultConfigurationFileContent; |
1187 std::string urlTokenValidation; | 1184 std::string urlTokenValidation; |
1188 std::string urlTokenCreationBase; | 1185 std::string urlTokenCreationBase; |
1189 std::string urlUserProfile; | 1186 std::string urlUserProfile; |
1190 std::string urlRoot; | 1187 std::string urlRoot; |
1191 | 1188 |
1192 static const char* WEB_SERVICE_ROOT = "WebServiceRootUrl"; | 1189 static const char* const WEB_SERVICE_ROOT = "WebServiceRootUrl"; |
1193 static const char* WEB_SERVICE_TOKEN_DECODER = "WebServiceTokenDecoderUrl"; | 1190 |
1194 static const char* WEB_SERVICE_TOKEN_VALIDATION = "WebServiceTokenValidationUrl"; | |
1195 static const char* WEB_SERVICE_TOKEN_CREATION_BASE = "WebServiceTokenCreationBaseUrl"; | |
1196 static const char* WEB_SERVICE_USER_PROFILE = "WebServiceUserProfileUrl"; | |
1197 static const char* WEB_SERVICE_TOKEN_VALIDATION_LEGACY = "WebService"; | |
1198 if (pluginConfiguration.LookupStringValue(urlRoot, WEB_SERVICE_ROOT)) | 1191 if (pluginConfiguration.LookupStringValue(urlRoot, WEB_SERVICE_ROOT)) |
1199 { | 1192 { |
1200 urlTokenDecoder = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/decode"); | 1193 urlTokenDecoder = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/decode"); |
1201 urlTokenValidation = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/validate"); | 1194 urlTokenValidation = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/validate"); |
1202 urlTokenCreationBase = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/"); | 1195 urlTokenCreationBase = Orthanc::Toolbox::JoinUri(urlRoot, "/tokens/"); |
1203 urlUserProfile = Orthanc::Toolbox::JoinUri(urlRoot, "/user/get-profile"); | 1196 urlUserProfile = Orthanc::Toolbox::JoinUri(urlRoot, "/user/get-profile"); |
1204 } | 1197 } |
1205 else | 1198 else |
1206 { | 1199 { |
1200 static const char* const WEB_SERVICE_TOKEN_DECODER = "WebServiceTokenDecoderUrl"; | |
1201 static const char* const WEB_SERVICE_TOKEN_VALIDATION = "WebServiceTokenValidationUrl"; | |
1202 static const char* const WEB_SERVICE_TOKEN_CREATION_BASE = "WebServiceTokenCreationBaseUrl"; | |
1203 static const char* const WEB_SERVICE_USER_PROFILE = "WebServiceUserProfileUrl"; | |
1204 static const char* const WEB_SERVICE_TOKEN_VALIDATION_LEGACY = "WebService"; | |
1205 | |
1207 pluginConfiguration.LookupStringValue(urlTokenValidation, WEB_SERVICE_TOKEN_VALIDATION); | 1206 pluginConfiguration.LookupStringValue(urlTokenValidation, WEB_SERVICE_TOKEN_VALIDATION); |
1208 pluginConfiguration.LookupStringValue(urlTokenDecoder, WEB_SERVICE_TOKEN_DECODER); | 1207 pluginConfiguration.LookupStringValue(urlTokenDecoder, WEB_SERVICE_TOKEN_DECODER); |
1209 if (urlTokenValidation.empty()) | 1208 if (urlTokenValidation.empty()) |
1210 { | 1209 { |
1211 pluginConfiguration.LookupStringValue(urlTokenValidation, WEB_SERVICE_TOKEN_VALIDATION_LEGACY); | 1210 pluginConfiguration.LookupStringValue(urlTokenValidation, WEB_SERVICE_TOKEN_VALIDATION_LEGACY); |
1231 if (!urlUserProfile.empty()) | 1230 if (!urlUserProfile.empty()) |
1232 { | 1231 { |
1233 LOG(WARNING) << "Authorization plugin: url defined for User Profile: " << urlUserProfile << ", user tokens validation is enabled"; | 1232 LOG(WARNING) << "Authorization plugin: url defined for User Profile: " << urlUserProfile << ", user tokens validation is enabled"; |
1234 userTokensEnabled_ = true; | 1233 userTokensEnabled_ = true; |
1235 | 1234 |
1236 static const char* PERMISSIONS = "Permissions"; | 1235 static const char* const PERMISSIONS = "Permissions"; |
1237 if (!pluginConfiguration.GetJson().isMember(PERMISSIONS)) | 1236 if (!pluginConfiguration.GetJson().isMember(PERMISSIONS)) |
1238 { | 1237 { |
1239 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: Missing required \"" + std::string(PERMISSIONS) + | 1238 throw Orthanc::OrthancException(Orthanc::ErrorCode_BadFileFormat, "Authorization plugin: Missing required \"" + std::string(PERMISSIONS) + |
1240 "\" option since you have defined the \"" + std::string(WEB_SERVICE_ROOT) + "\" option"); | 1239 "\" option since you have defined the \"" + std::string(WEB_SERVICE_ROOT) + "\" option"); |
1241 } | 1240 } |