changeset 119:66b2b938c43e

fix resource-token when no anonymous profile is available
author Alain Mazy <am@osimis.io>
date Tue, 12 Sep 2023 12:39:15 +0200
parents 6fa53f624e1c
children 9ebcda90587f
files Plugin/Plugin.cpp README
diffstat 2 files changed, 35 insertions(+), 36 deletions(-) [+]
--- a/Plugin/Plugin.cpp	Tue Sep 12 12:24:52 2023 +0200
+++ b/Plugin/Plugin.cpp	Tue Sep 12 12:39:15 2023 +0200
@@ -642,53 +642,46 @@
 
     // If the logged in user has restrictions on the labels he can access, modify the tools/find payload before reposting it to Orthanc
     OrthancPlugins::IAuthorizationService::UserProfile profile;
-    if (GetUserProfileInternal(profile, request))
+    if (GetUserProfileInternal(profile, request) && HasAccessToSomeLabels(profile))
     {
-      if (!HasAccessToSomeLabels(profile))
-      {
-        std::string studyInstanceUID;
-
-        // If anonymous user profile, it might be a resource token e.g accessing /dicom-web/studies/.../metadata 
-        // -> extract the StudyInstanceUID from the query and send the token for validation to the auth-service
-        // If there is no StudyInstanceUID, then, return a 403 because we don't know what resource it relates to
-        if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, body))
-        {
-          throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query.");
-        }
+      AdjustToolsFindQueryLabels(body, profile);
+    }
+    else // anonymous user profile or resource token
+    {
+      std::string studyInstanceUID;
 
-        Json::Value studyOrhtancIds;
-        if (!OrthancPlugins::RestApiPost(studyOrhtancIds, "/tools/lookup", studyInstanceUID, false) || studyOrhtancIds.size() != 1)
-        {
-          throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query.");
-        }
-
-        std::vector<TokenAndValue> authTokens;  // the tokens that are set in this request
-        GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues);
-
-        std::set<std::string> labels;
-        OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrhtancIds[0]["ID"].asString(), studyInstanceUID, labels);
-        if (!IsResourceAccessGranted(authTokens, request->method, accessedResource))
-        {
-          throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query.");
-        }
-        
-      }
-      else
+      // If anonymous user profile, it might be a resource token e.g accessing /dicom-web/studies/.../metadata 
+      // -> extract the StudyInstanceUID from the query and send the token for validation to the auth-service
+      // If there is no StudyInstanceUID, then, return a 403 because we don't know what resource it relates to
+      if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, body))
       {
-        AdjustToolsFindQueryLabels(body, profile);
+        throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query.");
       }
 
-      Json::Value result;
-      if (OrthancPlugins::RestApiPost(result, "/tools/find", body, false))
+      Json::Value studyOrhtancIds;
+      if (!OrthancPlugins::RestApiPost(studyOrhtancIds, "/tools/lookup", studyInstanceUID, false) || studyOrhtancIds.size() != 1)
       {
-        OrthancPlugins::AnswerJson(result, output);
+        throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query.");
+      }
+
+      std::vector<TokenAndValue> authTokens;  // the tokens that are set in this request
+      GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues);
+
+      std::set<std::string> labels;
+      OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrhtancIds[0]["ID"].asString(), studyInstanceUID, labels);
+      if (!IsResourceAccessGranted(authTokens, request->method, accessedResource))
+      {
+        throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query.");
       }
 
     }
-    else
+
+    Json::Value result;
+    if (OrthancPlugins::RestApiPost(result, "/tools/find", body, false))
     {
-      throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: no user profile found, access to tools/find is forbidden.");
+      OrthancPlugins::AnswerJson(result, output);
     }
+
   }
 }
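Review bot: With the new `else` branch, a request that carries no user profile and no token at all now reaches `/tools/lookup` (L67–L72) before any credential is examined, whereas before the commit it was refused outright (removed L90); the two distinct 403 messages ("unable to get the orthanc ID" vs "the resource must grant access") could act as an existence oracle for StudyInstanceUIDs if the exception text is surfaced to the client, which depends on Orthanc's error-description settings. Collecting the tokens first (the `GetAuthTokens` call at L74–L75 has no dependency on the lookup) and refusing when none are present keeps unauthenticated callers away from the index. Separately, `/tools/lookup` resolves any DICOM identifier, so a SeriesInstanceUID or SOPInstanceUID smuggled into the `StudyInstanceUID` field yields one hit whose Orthanc ID is then labelled `ResourceType_Study` at L78; if the lookup reply carries the resource type (the core API reports it as `"Type"`), checking it is `"Study"` closes that gap cheaply. The enclosing function starts before this hunk.
```cpp
    else // anonymous user profile, resource token, or no profile at all
    {
      // Collect the tokens first: with none there is nothing to validate, so refuse
      // before touching the index (no lookup on behalf of unauthenticated callers)
      std::vector<TokenAndValue> authTokens;  // the tokens that are set in this request
      GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues);
      if (authTokens.empty())
      {
        throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: no user profile and no token found, access to tools/find is forbidden.");
      }

      // … unchanged: StudyInstanceUID extraction from the query …

      Json::Value studyOrhtancIds;
      if (!OrthancPlugins::RestApiPost(studyOrhtancIds, "/tools/lookup", studyInstanceUID, false) ||
          studyOrhtancIds.size() != 1 ||
          studyOrhtancIds[0]["Type"].asString() != "Study")  // lookup matches any DICOM UID, not only studies
      {
        throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query.");
      }

      // … unchanged: AccessedResource construction and IsResourceAccessGranted check …
```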
 
--- a/README	Tue Sep 12 12:24:52 2023 +0200
+++ b/README	Tue Sep 12 12:39:15 2023 +0200
@@ -24,6 +24,12 @@
 http://book.orthanc-server.com/plugins/authorization.html
 
 
+Integration tests
+-----------------
+
+Integration tests are available in the https://hg.orthanc-server.com/orthanc-tests/ repo
+in the folder NewTests/Authorization.
+
 API
 ---