# HG changeset patch # User Alain Mazy # Date 1694515155 -7200 # Node ID 66b2b938c43e08770d6e45b5e4a1dcb10e6b3a22 # Parent 6fa53f624e1c35985d271a351be152ffda7f8989 fix resource-token when no anonymous profile is available diff -r 6fa53f624e1c -r 66b2b938c43e Plugin/Plugin.cpp --- a/Plugin/Plugin.cpp Tue Sep 12 12:24:52 2023 +0200 +++ b/Plugin/Plugin.cpp Tue Sep 12 12:39:15 2023 +0200 @@ -642,53 +642,46 @@ // If the logged in user has restrictions on the labels he can access, modify the tools/find payload before reposting it to Orthanc OrthancPlugins::IAuthorizationService::UserProfile profile; - if (GetUserProfileInternal(profile, request)) + if (GetUserProfileInternal(profile, request) && HasAccessToSomeLabels(profile)) { - if (!HasAccessToSomeLabels(profile)) - { - std::string studyInstanceUID; - - // If anonymous user profile, it might be a resource token e.g accessing /dicom-web/studies/.../metadata - // -> extract the StudyInstanceUID from the query and send the token for validation to the auth-service - // If there is no StudyInstanceUID, then, return a 403 because we don't know what resource it relates to - if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, body)) - { - throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query."); - } + AdjustToolsFindQueryLabels(body, profile); + } + else // anonymous user profile or resource token + { + std::string studyInstanceUID; - Json::Value studyOrhtancIds; - if (!OrthancPlugins::RestApiPost(studyOrhtancIds, "/tools/lookup", studyInstanceUID, false) || studyOrhtancIds.size() != 1) - { - throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query."); - } - - std::vector authTokens; // the tokens that are set in this request - GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues); - - std::set labels; - OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrhtancIds[0]["ID"].asString(), studyInstanceUID, labels); - if (!IsResourceAccessGranted(authTokens, request->method, accessedResource)) - { - throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query."); - } - - } - else + // If anonymous user profile, it might be a resource token e.g accessing /dicom-web/studies/.../metadata + // -> extract the StudyInstanceUID from the query and send the token for validation to the auth-service + // If there is no StudyInstanceUID, then, return a 403 because we don't know what resource it relates to + if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, body)) { - AdjustToolsFindQueryLabels(body, profile); + throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query."); } - Json::Value result; - if (OrthancPlugins::RestApiPost(result, "/tools/find", body, false)) + Json::Value studyOrhtancIds; + if (!OrthancPlugins::RestApiPost(studyOrhtancIds, "/tools/lookup", studyInstanceUID, false) || studyOrhtancIds.size() != 1) { - OrthancPlugins::AnswerJson(result, output); + throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query."); + } + + std::vector authTokens; // the tokens that are set in this request + GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues); + + std::set labels; + OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrhtancIds[0]["ID"].asString(), studyInstanceUID, labels); + if (!IsResourceAccessGranted(authTokens, request->method, accessedResource)) + { + throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query."); } } - else + + Json::Value result; + if (OrthancPlugins::RestApiPost(result, "/tools/find", body, false)) { - throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: no user profile found, access to tools/find is forbidden."); + OrthancPlugins::AnswerJson(result, output); } + } } diff -r 6fa53f624e1c -r 66b2b938c43e README --- a/README Tue Sep 12 12:24:52 2023 +0200 +++ b/README Tue Sep 12 12:39:15 2023 +0200 @@ -24,6 +24,12 @@ http://book.orthanc-server.com/plugins/authorization.html +Integration tests +----------------- + +Integration tests are available in the https://hg.orthanc-server.com/orthanc-tests/ repo +in the folder NewTests/Authorization. + API ---