orthanc-book: Sphinx/source/plugins/authorization.rst comparison

comparison Sphinx/source/plugins/authorization.rst @ 920:1d9e0aa08fdd

auth plugin

author	Alain Mazy <am@osimis.io>
date	Fri, 17 Mar 2023 16:59:14 +0100
parents	8b48d42665c4
children	33e8cb14142f

comparison

equal deleted inserted replaced

-:5c1ce758f748
+:1d9e0aa08fdd
 The `source code of this plugin
 <https://hg.orthanc-server.com/orthanc-authorization/file/default>`__ is
 freely available under the terms of the AGPLv3 license.
+Binaries
-Compilation
+--------
------------
+Binaries are available:
-.. highlight:: bash
+- in the `Windows Installers <https://www.orthanc-server.com/download-windows.php>`__ .
-The procedure to compile this plugin is similar of that for the
+- in the `MacOS package <https://www.orthanc-server.com/static.php?page=download-mac>`__ .
-:ref:`core of Orthanc <binaries>`. The following commands should work
+- in the :ref:`osimis/orthanc Docker images <docker-osimis>`
-for most UNIX-like distribution (including GNU/Linux)::
+Release notes
-$ mkdir Build
+-------------
-$ cd Build
-$ cmake .. -DSTATIC_BUILD=ON -DCMAKE_BUILD_TYPE=Release
+Release notes are available `here <https://hg.orthanc-server.com/orthanc-authorization/file/tip/NEWS>`__.
-$ make
-The compilation will produce a shared library ``OrthancAuthorization``
-that contains the authorization plugin.
 Usage
 -----
 .. highlight:: json
 [...]
 "Plugins" : [
 "/home/user/OrthancAuthorization/Build/libOrthancAuthorization.so"
 ],
 "Authorization" : {
-"WebService" : "http://localhost:8000/",
+"WebServiceRootUrl" : "http://localhost:8000/",
 "WebServiceUsername": "my-user",
-"WebServicePassword": "my-password",
+"WebServicePassword": "my-password"
-"WebServiceIdentifier": "my-id"
 }
 }
 Orthanc must of course be restarted after the modification of its
 configuration file.
 Web Service
 -----------
 This section describes how a Web service suitable for the
 authorization plugin can be designed.
-**Note:** The behavior described in this section is implemented by the
-``AuthorizationWebService`` C++ class in the source code. It is
-possible to define a different authorization back-end by deriving
-from interface ``IAuthorizationService``.
 Incoming request
 ^^^^^^^^^^^^^^^^
 {
 "dicom-uid" : "123ABC",
 "level" : "patient",
 "method" : "get",
 "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8",
-"identifier": "my-id"
+"server-id": "my-id"
 }
 In this example, the user is accessing an URI that is related to some
 DICOM resource, namely a patient whose DICOM identifier is
 ``123ABC``. In such a case, the following fields will be set in the
 tag. For a study, it contains its ``StudyInstanceUID``.  For a
 series, it contains its ``SeriesInstanceUID``. For an instance, it
 contains its ``SOPInstanceUID``.
 * The ``orthanc-id`` field gives the :ref:`Orthanc identifier
 <orthanc-ids>` of the resource.
-* The ``identifier`` field contains the value of the ``WebServiceIdentifier``
+* The ``server-id`` field contains the value of the ``WebServiceIdentifier``
 configuration or ``null`` if this configuration is not defined.  This allows
 the WebService to identity which Orthanc instance is calling it (new in v 0.3.0).
 When the user accesses a lower-level resource in the DICOM hierarchy
 (a study, a series or an instance), the authorization plugin will
 {
 "Name" : "MyOrthanc",
 [...]
 "Authorization" : {
 "WebService" : "http://localhost:8000/",
-"TokenHttpHeaders" : [ "hello" ]
+"TokenHttpHeaders" : [ "token" ]
 }
 }
 .. highlight:: text
 In such a situation, if some HTTP client issues the following call::
-# curl -H 'hello: world' http://localhost:8042/patients/6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8
+# curl -H 'token: my-token' http://localhost:8042/patients/6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8
 .. highlight:: json
 Here is the JSON body the Web service would receive::
 {
 "dicom-uid" : "123ABC",
 "level" : "patient",
 "method" : "get",
 "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8",
-"token-key" : "hello",
+"token-key" : "token",
-"token-value" : "world"
+"token-value" : "my-token"
 }
 .. highlight:: text
 Note how the key and the value of the authentication token stored as a
 {
 "dicom-uid" : "123ABC",
 "level" : "patient",
 "method" : "get",
 "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8",
-"token-key" : "hello",
+"token-key" : "token",
-"token-value" : "world"
+"token-value" : "my-token"
 }
 **Note 1:** It is allowed to provide a list of HTTP tokens or a list
 of ``GET`` arguments in the configuration options. In this case, the
 authorization plugin will loop over all the available authentication
 Full configuration
 ------------------
 .. highlight:: json
+The full list of configuration is available `here <https://hg.orthanc-server.com/orthanc-authorization/file/tip/Plugin/DefaultConfiguration.json>`__.
 Here is the list of all the configuration options::
 {
-"Name" : "MyOrthanc",
+"Authorization" : {
-[...]
+// The Base URL of the auth webservice.  This is an alias for all 3 next configurations:
-"Authorization" : {
+// // "WebServiceUserProfileUrl" : " ROOT /user/get-profile",
-"WebService" : "http://localhost:8000/",
+// // "WebServiceTokenValidationUrl" : " ROOT /tokens/validate",
-"WebServiceUsername": "my-user",          // new in v 0.3.0
+// // "WebServiceTokenCreationBaseUrl" : " ROOT /tokens/",
-"WebServicePassword": "my-password",      // new in v 0.3.0
+// // "WebServiceTokenDecoderUrl" : " ROOT /tokens/decode",
-"WebServiceIdentifier": "my-id",          // new in v 0.3.0
+// You should define it only if your auth webservice implements all 3 routes !
-"TokenGetArguments" : [ "user" ],
+// "WebServiceRootUrl" : "http://change-me:8000/",
-"TokenHttpHeaders" : [ "hello" ],
-"StandardConfigurations": [               // new in v 0.4.0
+// The URL of the auth webservice route implementing user profile (optional)
-"osimis-web-viewer",
+// (this configuration was previously named "WebService" and its old name is still accepted
-"stone-webviewer"
+//  for backward compatibility)
-],
+// "WebServiceUserProfileUrl" : "http://change-me:8000/user/profile",
-"UncheckedResources" : [
-"/series",
+// The URL of the auth webservice route implementing resource level authorization (optional)
-"/instances",
+// "WebServiceTokenValidationUrl" : "http://change-me:8000/tokens/validate",
-"/patients",
-"/studies",
+// The Base URL of the auth webservice route to create tokens (optional)
-"/plugins/explorer.js",
+// "WebServiceTokenCreationBaseUrl" : "http://change-me:8000/tokens/",
-"/system"
-],
+// The URL of the auth webservice route implementing token decoding (optional)
-"UncheckedFolders" : [
+// "WebServiceTokenDecoderUrl": "http://change-me:8000/tokens/decode"
-"/app/",
-"/web-viewer/app/",
+// The username and password to connect to the webservice (optional)
-"/web-viewer/libs/",
+//"WebServiceUsername": "change-me",
-"/wsi/app/"
+//"WebServicePassword": "change-me",
-],
-"CheckedLevel" : "studies",               // new in v 0.4.0
+// An identifier added to the payload of each request to the auth webservice (optional)
-"UncheckedLevels" : [
+//"WebServiceIdentifier": "change-me"
-"patients",
-"series",
+// The name of the HTTP headers that may contain auth tokens
-"instances"
+//"TokenHttpHeaders" : [],
-]
-}
+// the name of the GET arguments that may contain auth tokens
-}
+//"TokenGetArguments" : [],
-The following options have been described above: ``WebService``,
+// A list of predefined configurations for well-known plugins
+// "StandardConfigurations": [               // new in v 0.4.0
+//     "osimis-web-viewer",
+//     "stone-webviewer",
+//     "orthanc-explorer-2"
+// ],
+//"UncheckedResources" : [],
+//"UncheckedFolders" : [],
+//"CheckedLevel" : "studies",
+//"UncheckedLevels" : [],
+// Definition of required "user-permissions".  This can be fully customized.
+// You may define other permissions yourself as long as they match the permissions
+// provided in the user-profile route implemented by the auth-service.
+// You may test your regex in https://regex101.com/ by selecting .NET (C#) and removing the leading ^ and trailing $
+// The default configuration is suitable for Orthanc-Explorer-2 (see TBD sample)
+"Permissions" : [
+["post", "^/auth/tokens/decode$", ""],
+["post", "^/tools/lookup$", ""], // currently used to authorize downloads in Stone (to map the StudyInstanceUID into an OrthancID.  Not ideal -> we should define a new API that has the resource ID in the path to be able to check it at resource level) but, on another hand, you do not get any Patient information from this route
+// elemental browsing in OE2
+["post", "^/tools/find$", "all|view"],
+["get" , "^/(patients|studies|series|instances)/([a-f0-9-]+)$", "all|view"],
+["get" , "^/(patients|studies|series|instances)/([a-f0-9-]+)/(studies|study|series|instances)$", "all|view"],
+["get" , "^/instances/([a-f0-9-]+)/(tags|header)$", "all|view"],
+["get" , "^/statistics$", "all|view"],
+// create links to open viewer or download resources
+["put", "^/auth/tokens/(viewer-instant-link|meddream-instant-link)$", "all|view"],
+["put", "^/auth/tokens/(download-instant-link)$", "all|download"],
+// share a link to open a study
+["put", "^/auth/tokens/(stone-viewer-publication|meddream-viewer-publication|osimis-viewer-publication)$", "all|share"],
+// uploads
+["post", "^/instances$", "all|upload"],
+// monitor jobs you have created
+["get" , "^/jobs/([a-f0-9-]+)$", "all|send|modify|anonymize|q-r-remote-modalities"],
+// interacting with peers/modalities/dicomweb
+["post", "^/(peers|modalities)/(.*)/store$", "all|send"],
+["get" , "^/(peers|modalities)$", "all|send|q-r-remote-modalities"],
+["post", "^/modalities/(.*)/echo$", "all|send|q-r-remote-modalities"],
+["post", "^/modalities/(.*)/query$", "all|q-r-remote-modalities"],
+["get", "^/queries/([a-f0-9-]+)/answers$", "all|q-r-remote-modalities"],
+["post", "^/modalities/(.*)/move$", "all|q-r-remote-modalities"],
+["get" , "^/DICOM_WEB_ROOT/servers$", "all|send|q-r-remote-modalities"],
+["get" , "^/DICOM_WEB_ROOT/(servers)/(.*)/stow$", "all|send"],
+// modifications/anonymization
+["post", "^/(patients|studies|series|instances)/([a-f0-9-]+)/modify(.*)$", "all|modify"],
+["post", "^/(patients|studies|series|instances)/([a-f0-9-]+)/anonymize(.*)$", "all|anonymize"],
+// deletes
+["delete" , "^/(patients|studies|series|instances)/([a-f0-9-]+)$", "all|delete"],
+// settings
+["put", "^/tools/log-level$", "all|settings"],
+["get", "^/tools/log-level$", "all|settings"]
+]
+}
+}
+The following options have been described above: ``WebServiceRootUrl``,
 ``TokenGetArguments``, and ``TokenHttpHeaders``. Here are the
 remaining options:
 * ``StandardConfigurations`` is a helper configuration to pre-populate
 ``UncheckedResources``, ``UncheckedFolders``, ``TokenGetArguments``,
 {
 // disable basic authentication since it is replaced by the authorization plugin
 "AuthenticationEnabled": false,
 "Authorization" : {
-"WebService" : "http://localhost:8000/shares/validate",
+"WebServiceTokenValidationUrl" : "http://localhost:8000/shares/validate",
 "StandardConfigurations": [
 "stone-webviewer"
 ],
 "CheckedLevel" : "studies"
 }
 }
+.. _orthanc-explorer-authorization:
+Integration with the Orthanc Explorer 2
+---------------------------------------
+More info to come soon.
 .. _orthanc-explorer-authorization:
 Integration with the Orthanc Explorer
 and ``authorization``.
 Please note that the Orthanc Explorer has not been designed to handle
 the authorization so, when an authorization is not granted, it will simply
 display an empty page or an error message.
+Compilation
+-----------
+.. highlight:: bash
+The procedure to compile this plugin is similar of that for the
+:ref:`core of Orthanc <binaries>`. The following commands should work
+for most UNIX-like distribution (including GNU/Linux)::
+$ mkdir Build
+$ cd Build
+$ cmake .. -DSTATIC_BUILD=ON -DCMAKE_BUILD_TYPE=Release
+$ make
+The compilation will produce a shared library ``OrthancAuthorization``
+that contains the authorization plugin.

Mercurial > hg > orthanc-book

comparison Sphinx/source/plugins/authorization.rst @ 920:1d9e0aa08fdd