Mercurial > hg > orthanc-tests
annotate NewTests/Authorization/test_authorization.py @ 648:810390d3968a large-queries
new hk2 tests
| author | Alain Mazy <am@orthanc.team> |
|---|---|
| date | Tue, 21 May 2024 17:10:27 +0200 |
| parents | a25e7a641f26 |
| children |
| rev | line source |
|---|---|
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
1 import unittest |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
2 import time |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
3 import pprint |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
4 import subprocess |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
5 from helpers import OrthancTestCase, Helpers |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
6 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
7 from orthanc_api_client import OrthancApiClient, generate_test_dicom_file |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
8 from orthanc_api_client import exceptions as orthanc_exceptions |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
9 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
10 import logging |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
11 import pathlib |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
12 here = pathlib.Path(__file__).parent.resolve() |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
13 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
14 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
15 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
16 class TestAuthorization(OrthancTestCase): |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
17 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
18 label_a_study_id = None |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
19 label_b_study_id = None |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
20 no_label_study_id = None |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
21 auth_service_process = None |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
22 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
23 @classmethod |
| 577 | 24 def terminate(cls): |
| 578 | 25 |
| 26 if Helpers.is_docker(): | |
| 27 subprocess.run(["docker", "rm", "-f", "auth-service"]) | |
| 28 else: | |
| 29 cls.auth_service_process.terminate() | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
30 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
31 @classmethod |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
32 def prepare(cls): |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
33 test_name = "Authorization" |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
34 storage_name = "authorization" |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
35 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
36 print(f'-------------- preparing {test_name} tests') |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
37 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
38 cls.clear_storage(storage_name=storage_name) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
39 |
| 577 | 40 auth_service_hostname = "localhost" |
| 41 if Helpers.is_docker(): | |
| 42 auth_service_hostname = "auth-service" | |
| 43 cls.create_docker_network("auth-test-network") | |
| 44 | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
45 config = { |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
46 "AuthenticationEnabled": False, |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
47 "Authorization": { |
| 577 | 48 "WebServiceRootUrl": f"http://{auth_service_hostname}:8020/", |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
49 "StandardConfigurations": [ |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
50 "orthanc-explorer-2", |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
51 "stone-webviewer" |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
52 ], |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
53 "CheckedLevel": "studies", |
| 577 | 54 "TokenHttpHeaders": ["user-token-key", "resource-token-key"], |
| 634 | 55 "TokenGetArguments": ["resource-token-key"], |
| 56 "UncheckedFolders": ["/plugins"] # to allow testing plugin version while it is not included by default in the auth-plugin | |
| 578 | 57 }, |
| 58 "DicomWeb": { | |
| 59 "Enable": True | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
60 } |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
61 } |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
62 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
63 config_path = cls.generate_configuration( |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
64 config_name=f"{test_name}", |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
65 storage_name=storage_name, |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
66 config=config, |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
67 plugins=Helpers.plugins |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
68 ) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
69 |
| 577 | 70 if Helpers.is_exe(): |
| 71 # Start the auth-service application as a subprocess and wait for it to start | |
| 72 cls.auth_service_process = subprocess.Popen(["uvicorn", "auth_service:app", "--host", "0.0.0.0", "--port", "8020"], cwd=here) | |
| 73 time.sleep(2) | |
| 74 else: | |
| 75 # first build the docker image for the auth-service | |
| 76 subprocess.run(["docker", "build", "-t", "auth-service", "."], cwd=here) | |
| 77 cls.auth_service_process = subprocess.Popen(["docker", "run", "-p", "8020:8020", "--network", "auth-test-network", "--name", "auth-service", "auth-service"]) | |
| 579 | 78 time.sleep(5) |
| 577 | 79 |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
80 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
81 if Helpers.break_before_preparation: |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
82 print(f"++++ It is now time to start your Orthanc under tests with configuration file '{config_path}' +++++") |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
83 input("Press Enter to continue") |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
84 else: |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
85 cls.launch_orthanc_under_tests( |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
86 config_name=f"{test_name}", |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
87 storage_name=storage_name, |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
88 config=config, |
| 577 | 89 plugins=Helpers.plugins, |
| 90 docker_network="auth-test-network" | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
91 ) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
92 |
| 578 | 93 o = OrthancApiClient(cls.o._root_url, headers={"user-token-key": "token-uploader"}) |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
94 |
| 578 | 95 o.delete_all_content() |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
96 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
97 # upload a few studies and add labels |
| 578 | 98 cls.label_a_instance_id = o.upload_file(here / "../../Database/Knix/Loc/IM-0001-0001.dcm")[0] |
| 99 cls.label_a_study_id = o.instances.get_parent_study_id(cls.label_a_instance_id) | |
| 100 cls.label_a_series_id = o.instances.get_parent_series_id(cls.label_a_instance_id) | |
| 101 cls.label_a_study_dicom_id = o.studies.get_tags(cls.label_a_study_id)["StudyInstanceUID"] | |
| 102 cls.label_a_series_dicom_id = o.series.get_tags(cls.label_a_series_id)["SeriesInstanceUID"] | |
| 103 cls.label_a_instance_dicom_id = o.instances.get_tags(cls.label_a_instance_id)["SOPInstanceUID"] | |
| 104 o.studies.add_label(cls.label_a_study_id, "label_a") | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
105 |
| 578 | 106 cls.label_b_instance_id = o.upload_file(here / "../../Database/Brainix/Epi/IM-0001-0001.dcm")[0] |
| 107 cls.label_b_study_id = o.instances.get_parent_study_id(cls.label_b_instance_id) | |
| 108 cls.label_b_series_id = o.instances.get_parent_series_id(cls.label_b_instance_id) | |
| 109 cls.label_b_study_dicom_id = o.studies.get_tags(cls.label_b_study_id)["StudyInstanceUID"] | |
| 110 cls.label_b_series_dicom_id = o.series.get_tags(cls.label_b_series_id)["SeriesInstanceUID"] | |
| 111 cls.label_b_instance_dicom_id = o.instances.get_tags(cls.label_b_instance_id)["SOPInstanceUID"] | |
| 112 o.studies.add_label(cls.label_b_study_id, "label_b") | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
113 |
| 578 | 114 instances_ids = o.upload_file(here / "../../Database/Comunix/Pet/IM-0001-0001.dcm") |
| 115 cls.no_label_study_id = o.instances.get_parent_study_id(instances_ids[0]) | |
| 116 | |
| 117 cls.no_label_instance_id = o.upload_file(here / "../../Database/Comunix/Pet/IM-0001-0001.dcm")[0] | |
| 118 cls.no_label_study_id = o.instances.get_parent_study_id(cls.no_label_instance_id) | |
| 119 cls.no_label_series_id = o.instances.get_parent_series_id(cls.no_label_instance_id) | |
| 120 cls.no_label_study_dicom_id = o.studies.get_tags(cls.no_label_study_id)["StudyInstanceUID"] | |
| 121 cls.no_label_series_dicom_id = o.series.get_tags(cls.no_label_series_id)["SeriesInstanceUID"] | |
| 122 cls.no_label_instance_dicom_id = o.instances.get_tags(cls.no_label_instance_id)["SOPInstanceUID"] | |
| 123 | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
124 |
| 577 | 125 def assert_is_forbidden(self, api_call): |
| 126 with self.assertRaises(orthanc_exceptions.HttpError) as ctx: | |
| 127 api_call() | |
| 128 self.assertEqual(403, ctx.exception.http_status_code) | |
| 129 | |
| 130 | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
131 def test_admin_user(self): |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
132 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
133 o = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-admin"}) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
134 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
135 # make sure we can access all these urls (they would throw if not) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
136 system = o.get_system() |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
137 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
138 # make sure we can access all studies |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
139 o.studies.get_tags(self.no_label_study_id) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
140 o.studies.get_tags(self.label_a_study_id) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
141 o.studies.get_tags(self.label_b_study_id) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
142 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
143 # make sure we can access series and instances of these studies |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
144 series_ids = o.studies.get_series_ids(self.label_a_study_id) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
145 instances_ids = o.series.get_instances_ids(series_ids[0]) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
146 o.instances.get_tags(instances_ids[0]) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
147 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
148 # make sure labels filtering still works |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
149 self.assertEqual(3, len(o.studies.find(query={}, |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
150 labels=[], |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
151 labels_constraint='Any'))) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
152 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
153 self.assertEqual(2, len(o.studies.find(query={}, |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
154 labels=['label_a', 'label_b'], |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
155 labels_constraint='Any'))) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
156 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
157 self.assertEqual(2, len(o.studies.find(query={}, |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
158 labels=['label_a'], |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
159 labels_constraint='None'))) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
160 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
161 all_labels = o.get_all_labels() |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
162 self.assertEqual(2, len(all_labels)) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
163 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
164 def test_user_a(self): |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
165 |
| 634 | 166 o_admin = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-admin"}) |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
167 o = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-user-a"}) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
168 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
169 # # make sure we can access all these urls (they would throw if not) |
| 578 | 170 system = o.get_system() |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
171 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
172 all_labels = o.get_all_labels() |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
173 self.assertEqual(1, len(all_labels)) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
174 self.assertEqual("label_a", all_labels[0]) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
175 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
176 # make sure we can access only the label_a studies |
| 577 | 177 self.assert_is_forbidden(lambda: o.studies.get_tags(self.label_b_study_id)) |
| 178 self.assert_is_forbidden(lambda: o.studies.get_tags(self.no_label_study_id)) | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
179 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
180 # should not raise |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
181 o.studies.get_tags(self.label_a_study_id) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
182 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
183 # make sure we can access series and instances of the label_a studies |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
184 series_ids = o.studies.get_series_ids(self.label_a_study_id) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
185 instances_ids = o.series.get_instances_ids(series_ids[0]) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
186 o.instances.get_tags(instances_ids[0]) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
187 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
188 # make sure we can not access series and instances of the label_b studies |
| 577 | 189 self.assert_is_forbidden(lambda: o.studies.get_series_ids(self.label_b_study_id)) |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
190 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
191 # make sure tools/find only returns the label_a studies |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
192 studies = o.studies.find(query={}, |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
193 labels=[], |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
194 labels_constraint='Any') |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
195 self.assertEqual(1, len(studies)) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
196 self.assertEqual(self.label_a_study_id, studies[0].orthanc_id) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
197 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
198 # if searching Any of label_a & label_b, return only label_a |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
199 studies = o.studies.find(query={}, |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
200 labels=['label_a', 'label_b'], |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
201 labels_constraint='Any') |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
202 self.assertEqual(1, len(studies)) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
203 self.assertEqual(self.label_a_study_id, studies[0].orthanc_id) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
204 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
205 # if searching Any of label_b, expect a Forbidden access |
| 577 | 206 self.assert_is_forbidden(lambda: o.studies.find(query={}, |
| 207 labels=['label_b'], | |
| 208 labels_constraint='Any')) | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
209 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
210 # if searching None of label_b, expect a Forbidden access because we are not able to compute this filter |
| 577 | 211 self.assert_is_forbidden(lambda: o.studies.find(query={}, |
| 212 labels=['label_b'], | |
| 213 labels_constraint='None')) | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
214 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
215 # if searching All of label_b, expect a Forbidden access because we are not able to compute this filter |
| 577 | 216 self.assert_is_forbidden(lambda: o.studies.find(query={}, |
| 217 labels=['label_b'], | |
| 218 labels_constraint='All')) | |
|
576
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
219 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
220 studies = o.studies.find(query={"PatientName": "KNIX"}, # KNIX is label_a |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
221 labels=[], |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
222 labels_constraint='Any') |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
223 self.assertEqual(1, len(studies)) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
224 |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
225 studies = o.studies.find(query={"PatientName": "KNIX"}, # KNIX is label_a |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
226 labels=['label_a'], |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
227 labels_constraint='Any') |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
228 self.assertEqual(1, len(studies)) |
|
80ba6f1d521c
new tests for authorization plugin (native only)
Alain Mazy <am@osimis.io>
parents:
diff
changeset
|
229 |
| 577 | 230 self.assert_is_forbidden(lambda: o.studies.find(query={"PatientName": "KNIX"}, # KNIX is label_a |
| 231 labels=['label_b'], | |
| 232 labels_constraint='Any')) | |
| 233 | |
| 234 # make sure some generic routes are not accessible | |
| 235 self.assert_is_forbidden(lambda: o.get_json('patients?expand')) | |
| 236 self.assert_is_forbidden(lambda: o.get_json('studies?expand')) | |
| 237 self.assert_is_forbidden(lambda: o.get_json('series?expand')) | |
| 238 self.assert_is_forbidden(lambda: o.get_json('instances?expand')) | |
| 239 self.assert_is_forbidden(lambda: o.get_json('studies')) | |
| 240 self.assert_is_forbidden(lambda: o.get_json('studies/')) | |
| 241 | |
| 578 | 242 # make sure the label_a study is accessible (it does not throw) |
| 243 o.studies.get_tags(self.label_a_study_id) | |
| 244 o.series.get_tags(self.label_a_series_id) | |
| 245 o.instances.get_tags(self.label_a_instance_id) | |
| 246 | |
| 625 | 247 # make sure you can access a resource route with a user token (it does not throw) |
|
632
2084e0640775
test WADO-RS of a single instance based on study label
Alain Mazy <am@osimis.io>
parents:
625
diff
changeset
|
248 m = o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/metadata") |
| 625 | 249 self.assert_is_forbidden(lambda: o.get_json(f"dicom-web/studies/{self.label_b_study_dicom_id}/metadata")) |
| 578 | 250 |
| 634 | 251 if o_admin.is_plugin_version_at_least("authorization", 0, 7, 1): |
| 633 | 252 i = o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/instances") |
| 253 self.assert_is_forbidden(lambda: o.get_json(f"dicom-web/studies/{self.label_b_study_dicom_id}/instances")) | |
|
632
2084e0640775
test WADO-RS of a single instance based on study label
Alain Mazy <am@osimis.io>
parents:
625
diff
changeset
|
254 |
| 633 | 255 i = o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}") |
| 256 self.assert_is_forbidden(lambda: o.get_binary(f"dicom-web/studies/{self.label_b_study_dicom_id}/series/{self.label_b_series_dicom_id}/instances/{self.label_b_instance_dicom_id}")) | |
|
632
2084e0640775
test WADO-RS of a single instance based on study label
Alain Mazy <am@osimis.io>
parents:
625
diff
changeset
|
257 |
| 645 | 258 i = o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series?includefield=00080021%2C00080031%2C0008103E%2C00200011") |
| 259 self.assert_is_forbidden(lambda: o.get_json(f"dicom-web/studies/{self.label_b_study_dicom_id}/series?includefield=00080021%2C00080031%2C0008103E%2C00200011")) | |
| 260 | |
| 643 | 261 o.get_json(f"/system") |
| 262 o.get_json(f"/plugins") | |
| 263 o.get_json(f"/plugins/dicom-web") | |
| 577 | 264 |
| 648 | 265 if o_admin.is_plugin_version_at_least("authorization", 0, 7, 2): |
| 266 # also check that this works with the admin user ! | |
| 267 i = o_admin.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/instances") | |
| 268 i = o_admin.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}") | |
| 269 i = o_admin.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series?includefield=00080021%2C00080031%2C0008103E%2C00200011") | |
| 270 | |
| 577 | 271 |
| 272 def test_resource_token(self): | |
| 273 | |
|
590
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
274 o = OrthancApiClient(self.o._root_url, headers={"resource-token-key": "token-a-study"}) |
| 634 | 275 |
| 577 | 276 # with a resource token, we can access only the given resource, not generic resources or resources from other studies |
| 277 | |
| 278 # generic resources are forbidden | |
| 578 | 279 self.assert_is_forbidden(lambda: o.studies.find(query={"PatientName": "KNIX"}, # tools/find is forbidden with a resource token |
| 577 | 280 labels=['label_b'], |
| 281 labels_constraint='Any')) | |
| 282 self.assert_is_forbidden(lambda: o.get_all_labels()) | |
| 283 self.assert_is_forbidden(lambda: o.studies.get_all_ids()) | |
| 284 self.assert_is_forbidden(lambda: o.patients.get_all_ids()) | |
| 285 self.assert_is_forbidden(lambda: o.series.get_all_ids()) | |
| 286 self.assert_is_forbidden(lambda: o.instances.get_all_ids()) | |
| 287 self.assert_is_forbidden(lambda: o.get_json('patients?expand')) | |
| 288 self.assert_is_forbidden(lambda: o.get_json('studies?expand')) | |
| 289 self.assert_is_forbidden(lambda: o.get_json('series?expand')) | |
| 290 self.assert_is_forbidden(lambda: o.get_json('instances?expand')) | |
| 578 | 291 self.assert_is_forbidden(lambda: o.get_json('studies')) |
| 292 self.assert_is_forbidden(lambda: o.get_json('studies/')) | |
| 577 | 293 |
| 294 # some resources are still accessible to the 'anonymous' user -> does not throw | |
| 295 o.get_system() | |
| 296 o.lookup("1.2.3") # this route is still explicitely authorized because it is used by Stone | |
| 297 | |
| 298 # other studies are forbidden | |
| 299 self.assert_is_forbidden(lambda: o.studies.get_series_ids(self.label_b_study_id)) | |
| 621 | 300 if self.o.is_orthanc_version_at_least(1, 12, 2): |
|
590
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
301 self.assert_is_forbidden(lambda: o.get_binary(f"tools/create-archive?resources={self.label_b_study_id}")) |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
302 self.assert_is_forbidden(lambda: o.get_binary(f"tools/create-archive?resources={self.label_b_series_id}")) |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
303 # if one of the studies is forbidden, the resource is forbidden |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
304 self.assert_is_forbidden(lambda: o.get_binary(f"tools/create-archive?resources={self.label_b_study_id},{self.label_a_study_id}")) |
| 577 | 305 |
| 306 # the label_a study is allowed | |
| 307 o.studies.get_series_ids(self.label_a_study_id) | |
| 308 | |
| 578 | 309 # test with DicomWEB routes + sub-routes |
| 310 o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}") | |
| 311 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/metadata") | |
| 581 | 312 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series") |
| 645 | 313 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series?includefield=00080021%2C00080031%2C0008103E%2C00200011") |
| 578 | 314 o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}") |
| 315 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/metadata") | |
| 316 o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}") | |
| 317 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}/metadata") | |
| 581 | 318 o.get_json(f"dicom-web/studies?StudyInstanceUID={self.label_a_study_dicom_id}") |
| 319 o.get_json(f"dicom-web/studies?0020000D={self.label_a_study_dicom_id}") | |
| 320 o.get_json(f"dicom-web/series?0020000D={self.label_a_study_dicom_id}") | |
| 321 o.get_json(f"dicom-web/instances?0020000D={self.label_a_study_dicom_id}") | |
|
590
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
322 |
| 621 | 323 if self.o.is_orthanc_version_at_least(1, 12, 2): |
|
590
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
324 o.get_binary(f"tools/create-archive?resources={self.label_a_study_id}") |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
325 o.get_binary(f"tools/create-archive?resources={self.label_a_series_id}") |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
326 |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
327 |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
328 # now test with token-both |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
329 o = OrthancApiClient(self.o._root_url, headers={"resource-token-key": "token-both-studies"}) |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
330 |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
331 # other studies are forbidden |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
332 self.assert_is_forbidden(lambda: o.studies.get_series_ids(self.no_label_study_id)) |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
333 self.assert_is_forbidden(lambda: o.get_binary(f"tools/create-archive?resources={self.no_label_study_id}")) |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
334 |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
335 # any of both or both studies together are allowed |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
336 o.get_binary(f"tools/create-archive?resources={self.label_a_study_id}") |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
337 o.get_binary(f"tools/create-archive?resources={self.label_b_series_id}") |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
338 o.get_binary(f"tools/create-archive?resources={self.label_b_study_id},{self.label_a_study_id}") |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
339 o.get_binary(f"tools/create-archive?resources={self.label_b_study_id},{self.label_a_series_id}") |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
340 o.get_binary(f"tools/create-archive?resources={self.label_b_study_id},{self.label_a_instance_id}") |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
341 |
|
c28bd957cb93
new tests for auth wrt /tools/create-media
Alain Mazy <am@osimis.io>
parents:
581
diff
changeset
|
342 |