orthanc-tests: NewTests/Authorization/test

comparison NewTests/Authorization/test_authorization.py @ 578:c474f0f815b6

more authorization tests

author	Alain Mazy <am@osimis.io>
date	Sat, 09 Sep 2023 13:18:21 +0200
parents	0649a19df194
children	5d157c486568

comparison

equal deleted inserted replaced

-:0649a19df194
+:c474f0f815b6
 no_label_study_id = None
 auth_service_process = None
 @classmethod
 def terminate(cls):
-cls.auth_service_process.terminate()
+if Helpers.is_docker():
+subprocess.run(["docker", "rm", "-f", "auth-service"])
+else:
+cls.auth_service_process.terminate()
 @classmethod
 def prepare(cls):
 test_name = "Authorization"
 storage_name = "authorization"
 "stone-webviewer"
 ],
 "CheckedLevel": "studies",
 "TokenHttpHeaders": ["user-token-key", "resource-token-key"],
 "TokenGetArguments": ["resource-token-key"]
+},
+"DicomWeb": {
+"Enable": True
 }
 }
 config_path = cls.generate_configuration(
 config_name=f"{test_name}",
 config=config,
 plugins=Helpers.plugins,
 docker_network="auth-test-network"
 )
-uploader = OrthancApiClient(cls.o._root_url, headers={"user-token-key": "token-uploader"})
+o = OrthancApiClient(cls.o._root_url, headers={"user-token-key": "token-uploader"})
-uploader.delete_all_content()
+o.delete_all_content()
 # upload a few studies and add labels
-instances_ids = uploader.upload_file(here / "../../Database/Knix/Loc/IM-0001-0001.dcm")
+cls.label_a_instance_id = o.upload_file(here / "../../Database/Knix/Loc/IM-0001-0001.dcm")[0]
-cls.label_a_study_id = uploader.instances.get_parent_study_id(instances_ids[0])
+cls.label_a_study_id = o.instances.get_parent_study_id(cls.label_a_instance_id)
-uploader.studies.add_label(cls.label_a_study_id, "label_a")
+cls.label_a_series_id = o.instances.get_parent_series_id(cls.label_a_instance_id)
+cls.label_a_study_dicom_id = o.studies.get_tags(cls.label_a_study_id)["StudyInstanceUID"]
-instances_ids = uploader.upload_file(here / "../../Database/Brainix/Epi/IM-0001-0001.dcm")
+cls.label_a_series_dicom_id = o.series.get_tags(cls.label_a_series_id)["SeriesInstanceUID"]
-cls.label_b_study_id = uploader.instances.get_parent_study_id(instances_ids[0])
+cls.label_a_instance_dicom_id = o.instances.get_tags(cls.label_a_instance_id)["SOPInstanceUID"]
-uploader.studies.add_label(cls.label_b_study_id, "label_b")
+o.studies.add_label(cls.label_a_study_id, "label_a")
-instances_ids = uploader.upload_file(here / "../../Database/Comunix/Pet/IM-0001-0001.dcm")
+cls.label_b_instance_id = o.upload_file(here / "../../Database/Brainix/Epi/IM-0001-0001.dcm")[0]
-cls.no_label_study_id = uploader.instances.get_parent_study_id(instances_ids[0])
+cls.label_b_study_id = o.instances.get_parent_study_id(cls.label_b_instance_id)
+cls.label_b_series_id = o.instances.get_parent_series_id(cls.label_b_instance_id)
+cls.label_b_study_dicom_id = o.studies.get_tags(cls.label_b_study_id)["StudyInstanceUID"]
+cls.label_b_series_dicom_id = o.series.get_tags(cls.label_b_series_id)["SeriesInstanceUID"]
+cls.label_b_instance_dicom_id = o.instances.get_tags(cls.label_b_instance_id)["SOPInstanceUID"]
+o.studies.add_label(cls.label_b_study_id, "label_b")
+instances_ids = o.upload_file(here / "../../Database/Comunix/Pet/IM-0001-0001.dcm")
+cls.no_label_study_id = o.instances.get_parent_study_id(instances_ids[0])
+cls.no_label_instance_id = o.upload_file(here / "../../Database/Comunix/Pet/IM-0001-0001.dcm")[0]
+cls.no_label_study_id = o.instances.get_parent_study_id(cls.no_label_instance_id)
+cls.no_label_series_id = o.instances.get_parent_series_id(cls.no_label_instance_id)
+cls.no_label_study_dicom_id = o.studies.get_tags(cls.no_label_study_id)["StudyInstanceUID"]
+cls.no_label_series_dicom_id = o.series.get_tags(cls.no_label_series_id)["SeriesInstanceUID"]
+cls.no_label_instance_dicom_id = o.instances.get_tags(cls.no_label_instance_id)["SOPInstanceUID"]
 def assert_is_forbidden(self, api_call):
 with self.assertRaises(orthanc_exceptions.HttpError) as ctx:
 api_call()
 def test_user_a(self):
 o = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-user-a"})
 # # make sure we can access all these urls (they would throw if not)
-# system = o.get_system()
+system = o.get_system()
 all_labels = o.get_all_labels()
 self.assertEqual(1, len(all_labels))
 self.assertEqual("label_a", all_labels[0])
 self.assert_is_forbidden(lambda: o.get_json('series?expand'))
 self.assert_is_forbidden(lambda: o.get_json('instances?expand'))
 self.assert_is_forbidden(lambda: o.get_json('studies'))
 self.assert_is_forbidden(lambda: o.get_json('studies/'))
+# make sure the label_a study is accessible (it does not throw)
+o.studies.get_tags(self.label_a_study_id)
+o.series.get_tags(self.label_a_series_id)
+o.instances.get_tags(self.label_a_instance_id)
+# right now, a user token can not access the dicom-web routes, only a resource token can
+self.assert_is_forbidden(lambda: o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/metadata"))
 def test_resource_token(self):
 o = OrthancApiClient(self.o._root_url, headers={"resource-token-key": "token-knix-study"})
 # with a resource token, we can access only the given resource, not generic resources or resources from other studies
 # generic resources are forbidden
-self.assert_is_forbidden(lambda: o.studies.find(query={"PatientName": "KNIX"},  # KNIX is label_a
+self.assert_is_forbidden(lambda: o.studies.find(query={"PatientName": "KNIX"},  # tools/find is forbidden with a resource token
 labels=['label_b'],
 labels_constraint='Any'))
 self.assert_is_forbidden(lambda: o.get_all_labels())
 self.assert_is_forbidden(lambda: o.studies.get_all_ids())
 self.assert_is_forbidden(lambda: o.patients.get_all_ids())
 self.assert_is_forbidden(lambda: o.instances.get_all_ids())
 self.assert_is_forbidden(lambda: o.get_json('patients?expand'))
 self.assert_is_forbidden(lambda: o.get_json('studies?expand'))
 self.assert_is_forbidden(lambda: o.get_json('series?expand'))
 self.assert_is_forbidden(lambda: o.get_json('instances?expand'))
+self.assert_is_forbidden(lambda: o.get_json('studies'))
+self.assert_is_forbidden(lambda: o.get_json('studies/'))
 # some resources are still accessible to the 'anonymous' user  -> does not throw
 o.get_system()
 o.lookup("1.2.3")   # this route is still explicitely authorized because it is used by Stone
 self.assert_is_forbidden(lambda: o.studies.get_series_ids(self.label_b_study_id))
 # the label_a study is allowed
 o.studies.get_series_ids(self.label_a_study_id)
-# TODO: test with DicomWEB routes + sub-routes
+# test with DicomWEB routes + sub-routes
+o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}")
+o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/metadata")
+o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}")
+o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/metadata")
+o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}")
+o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}/metadata")

Mercurial > hg > orthanc-tests

comparison NewTests/Authorization/test_authorization.py @ 578:c474f0f815b6