Mercurial > hg > orthanc-tests
annotate NewTests/Authorization/test_authorization.py @ 659:3ac37a99a093
new tests for auth: uploader-a
author | Alain Mazy <am@orthanc.team> |
---|---|
date | Mon, 24 Jun 2024 18:28:43 +0200 |
parents | aa11ab24ff3c |
children | 2f6686a3cd16 |
rev | line source |
---|---|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
1 import unittest |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
2 import time |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
3 import pprint |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
4 import subprocess |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
5 from helpers import OrthancTestCase, Helpers |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
6 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
7 from orthanc_api_client import OrthancApiClient, generate_test_dicom_file |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
8 from orthanc_api_client import exceptions as orthanc_exceptions |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
9 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
10 import logging |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
11 import pathlib |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
12 here = pathlib.Path(__file__).parent.resolve() |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
13 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
14 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
15 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
16 class TestAuthorization(OrthancTestCase): |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
17 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
18 label_a_study_id = None |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
19 label_b_study_id = None |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
20 no_label_study_id = None |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
21 auth_service_process = None |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
22 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
23 @classmethod |
577 | 24 def terminate(cls): |
578 | 25 |
26 if Helpers.is_docker(): | |
27 subprocess.run(["docker", "rm", "-f", "auth-service"]) | |
28 else: | |
29 cls.auth_service_process.terminate() | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
30 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
31 @classmethod |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
32 def prepare(cls): |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
33 test_name = "Authorization" |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
34 storage_name = "authorization" |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
35 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
36 print(f'-------------- preparing {test_name} tests') |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
37 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
38 cls.clear_storage(storage_name=storage_name) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
39 |
577 | 40 auth_service_hostname = "localhost" |
41 if Helpers.is_docker(): | |
42 auth_service_hostname = "auth-service" | |
43 cls.create_docker_network("auth-test-network") | |
44 | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
45 config = { |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
46 "AuthenticationEnabled": False, |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
47 "Authorization": { |
577 | 48 "WebServiceRootUrl": f"http://{auth_service_hostname}:8020/", |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
49 "StandardConfigurations": [ |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
50 "orthanc-explorer-2", |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
51 "stone-webviewer" |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
52 ], |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
53 "CheckedLevel": "studies", |
577 | 54 "TokenHttpHeaders": ["user-token-key", "resource-token-key"], |
634 | 55 "TokenGetArguments": ["resource-token-key"], |
56 "UncheckedFolders": ["/plugins"] # to allow testing plugin version while it is not included by default in the auth-plugin | |
578 | 57 }, |
58 "DicomWeb": { | |
59 "Enable": True | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
60 } |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
61 } |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
62 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
63 config_path = cls.generate_configuration( |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
64 config_name=f"{test_name}", |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
65 storage_name=storage_name, |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
66 config=config, |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
67 plugins=Helpers.plugins |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
68 ) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
69 |
577 | 70 if Helpers.is_exe(): |
71 # Start the auth-service application as a subprocess and wait for it to start | |
72 cls.auth_service_process = subprocess.Popen(["uvicorn", "auth_service:app", "--host", "0.0.0.0", "--port", "8020"], cwd=here) | |
73 time.sleep(2) | |
74 else: | |
75 # first build the docker image for the auth-service | |
76 subprocess.run(["docker", "build", "-t", "auth-service", "."], cwd=here) | |
77 cls.auth_service_process = subprocess.Popen(["docker", "run", "-p", "8020:8020", "--network", "auth-test-network", "--name", "auth-service", "auth-service"]) | |
579 | 78 time.sleep(5) |
577 | 79 |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
80 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
81 if Helpers.break_before_preparation: |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
82 print(f"++++ It is now time to start your Orthanc under tests with configuration file '{config_path}' +++++") |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
83 input("Press Enter to continue") |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
84 else: |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
85 cls.launch_orthanc_under_tests( |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
86 config_name=f"{test_name}", |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
87 storage_name=storage_name, |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
88 config=config, |
577 | 89 plugins=Helpers.plugins, |
90 docker_network="auth-test-network" | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
91 ) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
92 |
578 | 93 o = OrthancApiClient(cls.o._root_url, headers={"user-token-key": "token-uploader"}) |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
94 |
578 | 95 o.delete_all_content() |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
96 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
97 # upload a few studies and add labels |
578 | 98 cls.label_a_instance_id = o.upload_file(here / "../../Database/Knix/Loc/IM-0001-0001.dcm")[0] |
99 cls.label_a_study_id = o.instances.get_parent_study_id(cls.label_a_instance_id) | |
100 cls.label_a_series_id = o.instances.get_parent_series_id(cls.label_a_instance_id) | |
101 cls.label_a_study_dicom_id = o.studies.get_tags(cls.label_a_study_id)["StudyInstanceUID"] | |
102 cls.label_a_series_dicom_id = o.series.get_tags(cls.label_a_series_id)["SeriesInstanceUID"] | |
103 cls.label_a_instance_dicom_id = o.instances.get_tags(cls.label_a_instance_id)["SOPInstanceUID"] | |
104 o.studies.add_label(cls.label_a_study_id, "label_a") | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
105 |
578 | 106 cls.label_b_instance_id = o.upload_file(here / "../../Database/Brainix/Epi/IM-0001-0001.dcm")[0] |
107 cls.label_b_study_id = o.instances.get_parent_study_id(cls.label_b_instance_id) | |
108 cls.label_b_series_id = o.instances.get_parent_series_id(cls.label_b_instance_id) | |
109 cls.label_b_study_dicom_id = o.studies.get_tags(cls.label_b_study_id)["StudyInstanceUID"] | |
110 cls.label_b_series_dicom_id = o.series.get_tags(cls.label_b_series_id)["SeriesInstanceUID"] | |
111 cls.label_b_instance_dicom_id = o.instances.get_tags(cls.label_b_instance_id)["SOPInstanceUID"] | |
112 o.studies.add_label(cls.label_b_study_id, "label_b") | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
113 |
578 | 114 instances_ids = o.upload_file(here / "../../Database/Comunix/Pet/IM-0001-0001.dcm") |
115 cls.no_label_study_id = o.instances.get_parent_study_id(instances_ids[0]) | |
116 | |
117 cls.no_label_instance_id = o.upload_file(here / "../../Database/Comunix/Pet/IM-0001-0001.dcm")[0] | |
118 cls.no_label_study_id = o.instances.get_parent_study_id(cls.no_label_instance_id) | |
119 cls.no_label_series_id = o.instances.get_parent_series_id(cls.no_label_instance_id) | |
120 cls.no_label_study_dicom_id = o.studies.get_tags(cls.no_label_study_id)["StudyInstanceUID"] | |
121 cls.no_label_series_dicom_id = o.series.get_tags(cls.no_label_series_id)["SeriesInstanceUID"] | |
122 cls.no_label_instance_dicom_id = o.instances.get_tags(cls.no_label_instance_id)["SOPInstanceUID"] | |
123 | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
124 |
577 | 125 def assert_is_forbidden(self, api_call): |
126 with self.assertRaises(orthanc_exceptions.HttpError) as ctx: | |
127 api_call() | |
128 self.assertEqual(403, ctx.exception.http_status_code) | |
129 | |
130 | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
131 def test_admin_user(self): |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
132 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
133 o = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-admin"}) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
134 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
135 # make sure we can access all these urls (they would throw if not) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
136 system = o.get_system() |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
137 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
138 # make sure we can access all studies |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
139 o.studies.get_tags(self.no_label_study_id) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
140 o.studies.get_tags(self.label_a_study_id) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
141 o.studies.get_tags(self.label_b_study_id) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
142 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
143 # make sure we can access series and instances of these studies |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
144 series_ids = o.studies.get_series_ids(self.label_a_study_id) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
145 instances_ids = o.series.get_instances_ids(series_ids[0]) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
146 o.instances.get_tags(instances_ids[0]) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
147 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
148 # make sure labels filtering still works |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
149 self.assertEqual(3, len(o.studies.find(query={}, |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
150 labels=[], |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
151 labels_constraint='Any'))) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
152 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
153 self.assertEqual(2, len(o.studies.find(query={}, |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
154 labels=['label_a', 'label_b'], |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
155 labels_constraint='Any'))) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
156 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
157 self.assertEqual(2, len(o.studies.find(query={}, |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
158 labels=['label_a'], |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
159 labels_constraint='None'))) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
160 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
161 all_labels = o.get_all_labels() |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
162 self.assertEqual(2, len(all_labels)) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
163 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
164 def test_user_a(self): |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
165 |
634 | 166 o_admin = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-admin"}) |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
167 o = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-user-a"}) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
168 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
169 # # make sure we can access all these urls (they would throw if not) |
578 | 170 system = o.get_system() |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
171 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
172 all_labels = o.get_all_labels() |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
173 self.assertEqual(1, len(all_labels)) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
174 self.assertEqual("label_a", all_labels[0]) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
175 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
176 # make sure we can access only the label_a studies |
577 | 177 self.assert_is_forbidden(lambda: o.studies.get_tags(self.label_b_study_id)) |
178 self.assert_is_forbidden(lambda: o.studies.get_tags(self.no_label_study_id)) | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
179 |
659
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
180 # user_a shall not be able to upload a study |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
181 self.assert_is_forbidden(lambda: o.upload_file(here / "../../Database/Beaufix/IM-0001-0001.dcm")) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
182 self.assert_is_forbidden(lambda: o.upload_files_dicom_web(paths = [here / "../../Database/Beaufix/IM-0001-0001.dcm"])) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
183 |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
184 # should not raise |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
185 o.studies.get_tags(self.label_a_study_id) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
186 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
187 # make sure we can access series and instances of the label_a studies |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
188 series_ids = o.studies.get_series_ids(self.label_a_study_id) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
189 instances_ids = o.series.get_instances_ids(series_ids[0]) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
190 o.instances.get_tags(instances_ids[0]) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
191 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
192 # make sure we can not access series and instances of the label_b studies |
577 | 193 self.assert_is_forbidden(lambda: o.studies.get_series_ids(self.label_b_study_id)) |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
194 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
195 # make sure tools/find only returns the label_a studies |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
196 studies = o.studies.find(query={}, |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
197 labels=[], |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
198 labels_constraint='Any') |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
199 self.assertEqual(1, len(studies)) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
200 self.assertEqual(self.label_a_study_id, studies[0].orthanc_id) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
201 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
202 # if searching Any of label_a & label_b, return only label_a |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
203 studies = o.studies.find(query={}, |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
204 labels=['label_a', 'label_b'], |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
205 labels_constraint='Any') |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
206 self.assertEqual(1, len(studies)) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
207 self.assertEqual(self.label_a_study_id, studies[0].orthanc_id) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
208 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
209 # if searching Any of label_b, expect a Forbidden access |
577 | 210 self.assert_is_forbidden(lambda: o.studies.find(query={}, |
211 labels=['label_b'], | |
212 labels_constraint='Any')) | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
213 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
214 # if searching None of label_b, expect a Forbidden access because we are not able to compute this filter |
577 | 215 self.assert_is_forbidden(lambda: o.studies.find(query={}, |
216 labels=['label_b'], | |
217 labels_constraint='None')) | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
218 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
219 # if searching All of label_b, expect a Forbidden access because we are not able to compute this filter |
577 | 220 self.assert_is_forbidden(lambda: o.studies.find(query={}, |
221 labels=['label_b'], | |
222 labels_constraint='All')) | |
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
223 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
224 studies = o.studies.find(query={"PatientName": "KNIX"}, # KNIX is label_a |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
225 labels=[], |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
226 labels_constraint='Any') |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
227 self.assertEqual(1, len(studies)) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
228 |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
229 studies = o.studies.find(query={"PatientName": "KNIX"}, # KNIX is label_a |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
230 labels=['label_a'], |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
231 labels_constraint='Any') |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
232 self.assertEqual(1, len(studies)) |
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
233 |
577 | 234 self.assert_is_forbidden(lambda: o.studies.find(query={"PatientName": "KNIX"}, # KNIX is label_a |
235 labels=['label_b'], | |
236 labels_constraint='Any')) | |
237 | |
238 # make sure some generic routes are not accessible | |
239 self.assert_is_forbidden(lambda: o.get_json('patients?expand')) | |
240 self.assert_is_forbidden(lambda: o.get_json('studies?expand')) | |
241 self.assert_is_forbidden(lambda: o.get_json('series?expand')) | |
242 self.assert_is_forbidden(lambda: o.get_json('instances?expand')) | |
243 self.assert_is_forbidden(lambda: o.get_json('studies')) | |
244 self.assert_is_forbidden(lambda: o.get_json('studies/')) | |
245 | |
578 | 246 # make sure the label_a study is accessible (it does not throw) |
247 o.studies.get_tags(self.label_a_study_id) | |
248 o.series.get_tags(self.label_a_series_id) | |
249 o.instances.get_tags(self.label_a_instance_id) | |
250 | |
625 | 251 # make sure you can access a resource route with a user token (it does not throw) |
632
2084e0640775
test WADO-RS of a single instance based on study label
Alain Mazy <am@osimis.io>
parents:
625
diff
changeset
|
252 m = o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/metadata") |
625 | 253 self.assert_is_forbidden(lambda: o.get_json(f"dicom-web/studies/{self.label_b_study_dicom_id}/metadata")) |
578 | 254 |
634 | 255 if o_admin.is_plugin_version_at_least("authorization", 0, 7, 1): |
633 | 256 i = o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/instances") |
257 self.assert_is_forbidden(lambda: o.get_json(f"dicom-web/studies/{self.label_b_study_dicom_id}/instances")) | |
632
2084e0640775
test WADO-RS of a single instance based on study label
Alain Mazy <am@osimis.io>
parents:
625
diff
changeset
|
258 |
633 | 259 i = o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}") |
260 self.assert_is_forbidden(lambda: o.get_binary(f"dicom-web/studies/{self.label_b_study_dicom_id}/series/{self.label_b_series_dicom_id}/instances/{self.label_b_instance_dicom_id}")) | |
632
2084e0640775
test WADO-RS of a single instance based on study label
Alain Mazy <am@osimis.io>
parents:
625
diff
changeset
|
261 |
643 | 262 o.get_json(f"/system") |
263 o.get_json(f"/plugins") | |
264 o.get_json(f"/plugins/dicom-web") | |
577 | 265 |
266 | |
659
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
267 def test_uploader_a(self): |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
268 |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
269 o_admin = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-admin"}) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
270 o = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-uploader-a"}) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
271 |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
272 # # make sure we can access all these urls (they would throw if not) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
273 system = o.get_system() |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
274 # time.sleep(10000) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
275 |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
276 all_labels = o.get_all_labels() |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
277 self.assertEqual(1, len(all_labels)) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
278 self.assertEqual("label_a", all_labels[0]) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
279 |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
280 # make sure we can access only the label_a studies |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
281 self.assert_is_forbidden(lambda: o.studies.get_tags(self.label_b_study_id)) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
282 self.assert_is_forbidden(lambda: o.studies.get_tags(self.no_label_study_id)) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
283 |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
284 # uploader-a shall be able to upload a study |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
285 instances_ids = o.upload_file(here / "../../Database/Beaufix/IM-0001-0001.dcm") |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
286 o_admin.instances.delete(orthanc_ids=instances_ids) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
287 |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
288 # uploader-a shall be able to upload a study through DICOMWeb too |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
289 o.upload_files_dicom_web(paths = [here / "../../Database/Beaufix/IM-0001-0001.dcm"]) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
290 o_admin.instances.delete(orthanc_ids=instances_ids) |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
291 |
3ac37a99a093
new tests for auth: uploader-a
Alain Mazy <am@orthanc.team>
parents:
643
diff
changeset
|
292 |
577 | 293 def test_resource_token(self): |
294 | |
590
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
295 o = OrthancApiClient(self.o._root_url, headers={"resource-token-key": "token-a-study"}) |
634 | 296 |
577 | 297 # with a resource token, we can access only the given resource, not generic resources or resources from other studies |
298 | |
299 # generic resources are forbidden | |
578 | 300 self.assert_is_forbidden(lambda: o.studies.find(query={"PatientName": "KNIX"}, # tools/find is forbidden with a resource token |
577 | 301 labels=['label_b'], |
302 labels_constraint='Any')) | |
303 self.assert_is_forbidden(lambda: o.get_all_labels()) | |
304 self.assert_is_forbidden(lambda: o.studies.get_all_ids()) | |
305 self.assert_is_forbidden(lambda: o.patients.get_all_ids()) | |
306 self.assert_is_forbidden(lambda: o.series.get_all_ids()) | |
307 self.assert_is_forbidden(lambda: o.instances.get_all_ids()) | |
308 self.assert_is_forbidden(lambda: o.get_json('patients?expand')) | |
309 self.assert_is_forbidden(lambda: o.get_json('studies?expand')) | |
310 self.assert_is_forbidden(lambda: o.get_json('series?expand')) | |
311 self.assert_is_forbidden(lambda: o.get_json('instances?expand')) | |
578 | 312 self.assert_is_forbidden(lambda: o.get_json('studies')) |
313 self.assert_is_forbidden(lambda: o.get_json('studies/')) | |
577 | 314 |
315 # some resources are still accessible to the 'anonymous' user -> does not throw | |
316 o.get_system() | |
317 o.lookup("1.2.3") # this route is still explicitely authorized because it is used by Stone | |
318 | |
319 # other studies are forbidden | |
320 self.assert_is_forbidden(lambda: o.studies.get_series_ids(self.label_b_study_id)) | |
621 | 321 if self.o.is_orthanc_version_at_least(1, 12, 2): |
590
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
322 self.assert_is_forbidden(lambda: o.get_binary(f"tools/create-archive?resources={self.label_b_study_id}")) |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
323 self.assert_is_forbidden(lambda: o.get_binary(f"tools/create-archive?resources={self.label_b_series_id}")) |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
324 # if one of the studies is forbidden, the resource is forbidden |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
325 self.assert_is_forbidden(lambda: o.get_binary(f"tools/create-archive?resources={self.label_b_study_id},{self.label_a_study_id}")) |
577 | 326 |
327 # the label_a study is allowed | |
328 o.studies.get_series_ids(self.label_a_study_id) | |
329 | |
578 | 330 # test with DicomWEB routes + sub-routes |
331 o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}") | |
332 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/metadata") | |
581 | 333 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series") |
578 | 334 o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}") |
335 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/metadata") | |
336 o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}") | |
337 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}/metadata") | |
581 | 338 o.get_json(f"dicom-web/studies?StudyInstanceUID={self.label_a_study_dicom_id}") |
339 o.get_json(f"dicom-web/studies?0020000D={self.label_a_study_dicom_id}") | |
340 o.get_json(f"dicom-web/series?0020000D={self.label_a_study_dicom_id}") | |
341 o.get_json(f"dicom-web/instances?0020000D={self.label_a_study_dicom_id}") | |
590
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
342 |
621 | 343 if self.o.is_orthanc_version_at_least(1, 12, 2): |
590
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
344 o.get_binary(f"tools/create-archive?resources={self.label_a_study_id}") |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
345 o.get_binary(f"tools/create-archive?resources={self.label_a_series_id}") |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
346 |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
347 |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
348 # now test with token-both |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
349 o = OrthancApiClient(self.o._root_url, headers={"resource-token-key": "token-both-studies"}) |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
350 |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
351 # other studies are forbidden |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
352 self.assert_is_forbidden(lambda: o.studies.get_series_ids(self.no_label_study_id)) |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
353 self.assert_is_forbidden(lambda: o.get_binary(f"tools/create-archive?resources={self.no_label_study_id}")) |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
354 |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
355 # any of both or both studies together are allowed |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
356 o.get_binary(f"tools/create-archive?resources={self.label_a_study_id}") |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
357 o.get_binary(f"tools/create-archive?resources={self.label_b_series_id}") |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
358 o.get_binary(f"tools/create-archive?resources={self.label_b_study_id},{self.label_a_study_id}") |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
359 o.get_binary(f"tools/create-archive?resources={self.label_b_study_id},{self.label_a_series_id}") |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
360 o.get_binary(f"tools/create-archive?resources={self.label_b_study_id},{self.label_a_instance_id}") |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
361 |
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
362 |