comparison NewTests/Authorization/test_authorization.py @ 578:c474f0f815b6
more authorization tests
author | Alain Mazy <am@osimis.io> |
---|---|
date | Sat, 09 Sep 2023 13:18:21 +0200 |
parents | 0649a19df194 |
children | 5d157c486568 |
577:0649a19df194 | 578:c474f0f815b6 |
---|---|
20 no_label_study_id = None | 20 no_label_study_id = None |
21 auth_service_process = None | 21 auth_service_process = None |
22 | 22 |
23 @classmethod | 23 @classmethod |
24 def terminate(cls): | 24 def terminate(cls): |
25 cls.auth_service_process.terminate() | 25 |
26 if Helpers.is_docker(): | |
27 subprocess.run(["docker", "rm", "-f", "auth-service"]) | |
28 else: | |
29 cls.auth_service_process.terminate() | |
26 | 30 |
27 @classmethod | 31 @classmethod |
28 def prepare(cls): | 32 def prepare(cls): |
29 test_name = "Authorization" | 33 test_name = "Authorization" |
30 storage_name = "authorization" | 34 storage_name = "authorization" |
47 "stone-webviewer" | 51 "stone-webviewer" |
48 ], | 52 ], |
49 "CheckedLevel": "studies", | 53 "CheckedLevel": "studies", |
50 "TokenHttpHeaders": ["user-token-key", "resource-token-key"], | 54 "TokenHttpHeaders": ["user-token-key", "resource-token-key"], |
51 "TokenGetArguments": ["resource-token-key"] | 55 "TokenGetArguments": ["resource-token-key"] |
56 }, | |
57 "DicomWeb": { | |
58 "Enable": True | |
52 } | 59 } |
53 } | 60 } |
54 | 61 |
55 config_path = cls.generate_configuration( | 62 config_path = cls.generate_configuration( |
56 config_name=f"{test_name}", | 63 config_name=f"{test_name}", |
80 config=config, | 87 config=config, |
81 plugins=Helpers.plugins, | 88 plugins=Helpers.plugins, |
82 docker_network="auth-test-network" | 89 docker_network="auth-test-network" |
83 ) | 90 ) |
84 | 91 |
85 uploader = OrthancApiClient(cls.o._root_url, headers={"user-token-key": "token-uploader"}) | 92 o = OrthancApiClient(cls.o._root_url, headers={"user-token-key": "token-uploader"}) |
86 | 93 |
87 uploader.delete_all_content() | 94 o.delete_all_content() |
88 | 95 |
89 # upload a few studies and add labels | 96 # upload a few studies and add labels |
90 instances_ids = uploader.upload_file(here / "../../Database/Knix/Loc/IM-0001-0001.dcm") | 97 cls.label_a_instance_id = o.upload_file(here / "../../Database/Knix/Loc/IM-0001-0001.dcm")[0] |
91 cls.label_a_study_id = uploader.instances.get_parent_study_id(instances_ids[0]) | 98 cls.label_a_study_id = o.instances.get_parent_study_id(cls.label_a_instance_id) |
92 uploader.studies.add_label(cls.label_a_study_id, "label_a") | 99 cls.label_a_series_id = o.instances.get_parent_series_id(cls.label_a_instance_id) |
93 | 100 cls.label_a_study_dicom_id = o.studies.get_tags(cls.label_a_study_id)["StudyInstanceUID"] |
94 instances_ids = uploader.upload_file(here / "../../Database/Brainix/Epi/IM-0001-0001.dcm") | 101 cls.label_a_series_dicom_id = o.series.get_tags(cls.label_a_series_id)["SeriesInstanceUID"] |
95 cls.label_b_study_id = uploader.instances.get_parent_study_id(instances_ids[0]) | 102 cls.label_a_instance_dicom_id = o.instances.get_tags(cls.label_a_instance_id)["SOPInstanceUID"] |
96 uploader.studies.add_label(cls.label_b_study_id, "label_b") | 103 o.studies.add_label(cls.label_a_study_id, "label_a") |
97 | 104 |
98 instances_ids = uploader.upload_file(here / "../../Database/Comunix/Pet/IM-0001-0001.dcm") | 105 cls.label_b_instance_id = o.upload_file(here / "../../Database/Brainix/Epi/IM-0001-0001.dcm")[0] |
99 cls.no_label_study_id = uploader.instances.get_parent_study_id(instances_ids[0]) | 106 cls.label_b_study_id = o.instances.get_parent_study_id(cls.label_b_instance_id) |
107 cls.label_b_series_id = o.instances.get_parent_series_id(cls.label_b_instance_id) | |
108 cls.label_b_study_dicom_id = o.studies.get_tags(cls.label_b_study_id)["StudyInstanceUID"] | |
109 cls.label_b_series_dicom_id = o.series.get_tags(cls.label_b_series_id)["SeriesInstanceUID"] | |
110 cls.label_b_instance_dicom_id = o.instances.get_tags(cls.label_b_instance_id)["SOPInstanceUID"] | |
111 o.studies.add_label(cls.label_b_study_id, "label_b") | |
112 | |
113 instances_ids = o.upload_file(here / "../../Database/Comunix/Pet/IM-0001-0001.dcm") | |
114 cls.no_label_study_id = o.instances.get_parent_study_id(instances_ids[0]) | |
115 | |
116 cls.no_label_instance_id = o.upload_file(here / "../../Database/Comunix/Pet/IM-0001-0001.dcm")[0] | |
117 cls.no_label_study_id = o.instances.get_parent_study_id(cls.no_label_instance_id) | |
118 cls.no_label_series_id = o.instances.get_parent_series_id(cls.no_label_instance_id) | |
119 cls.no_label_study_dicom_id = o.studies.get_tags(cls.no_label_study_id)["StudyInstanceUID"] | |
120 cls.no_label_series_dicom_id = o.series.get_tags(cls.no_label_series_id)["SeriesInstanceUID"] | |
121 cls.no_label_instance_dicom_id = o.instances.get_tags(cls.no_label_instance_id)["SOPInstanceUID"] | |
122 | |
100 | 123 |
101 | 124 |
102 def assert_is_forbidden(self, api_call): | 125 def assert_is_forbidden(self, api_call): |
103 with self.assertRaises(orthanc_exceptions.HttpError) as ctx: | 126 with self.assertRaises(orthanc_exceptions.HttpError) as ctx: |
104 api_call() | 127 api_call() |
141 def test_user_a(self): | 164 def test_user_a(self): |
142 | 165 |
143 o = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-user-a"}) | 166 o = OrthancApiClient(self.o._root_url, headers={"user-token-key": "token-user-a"}) |
144 | 167 |
145 # # make sure we can access all these urls (they would throw if not) | 168 # # make sure we can access all these urls (they would throw if not) |
146 # system = o.get_system() | 169 system = o.get_system() |
147 | 170 |
148 all_labels = o.get_all_labels() | 171 all_labels = o.get_all_labels() |
149 self.assertEqual(1, len(all_labels)) | 172 self.assertEqual(1, len(all_labels)) |
150 self.assertEqual("label_a", all_labels[0]) | 173 self.assertEqual("label_a", all_labels[0]) |
151 | 174 |
213 self.assert_is_forbidden(lambda: o.get_json('series?expand')) | 236 self.assert_is_forbidden(lambda: o.get_json('series?expand')) |
214 self.assert_is_forbidden(lambda: o.get_json('instances?expand')) | 237 self.assert_is_forbidden(lambda: o.get_json('instances?expand')) |
215 self.assert_is_forbidden(lambda: o.get_json('studies')) | 238 self.assert_is_forbidden(lambda: o.get_json('studies')) |
216 self.assert_is_forbidden(lambda: o.get_json('studies/')) | 239 self.assert_is_forbidden(lambda: o.get_json('studies/')) |
217 | 240 |
241 # make sure the label_a study is accessible (it does not throw) | |
242 o.studies.get_tags(self.label_a_study_id) | |
243 o.series.get_tags(self.label_a_series_id) | |
244 o.instances.get_tags(self.label_a_instance_id) | |
245 | |
246 # right now, a user token can not access the dicom-web routes, only a resource token can | |
247 self.assert_is_forbidden(lambda: o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/metadata")) | |
248 | |
218 | 249 |
219 | 250 |
220 def test_resource_token(self): | 251 def test_resource_token(self): |
221 | 252 |
222 o = OrthancApiClient(self.o._root_url, headers={"resource-token-key": "token-knix-study"}) | 253 o = OrthancApiClient(self.o._root_url, headers={"resource-token-key": "token-knix-study"}) |
223 | 254 |
224 # with a resource token, we can access only the given resource, not generic resources or resources from other studies | 255 # with a resource token, we can access only the given resource, not generic resources or resources from other studies |
225 | 256 |
226 # generic resources are forbidden | 257 # generic resources are forbidden |
227 self.assert_is_forbidden(lambda: o.studies.find(query={"PatientName": "KNIX"}, # KNIX is label_a | 258 self.assert_is_forbidden(lambda: o.studies.find(query={"PatientName": "KNIX"}, # tools/find is forbidden with a resource token |
228 labels=['label_b'], | 259 labels=['label_b'], |
229 labels_constraint='Any')) | 260 labels_constraint='Any')) |
230 self.assert_is_forbidden(lambda: o.get_all_labels()) | 261 self.assert_is_forbidden(lambda: o.get_all_labels()) |
231 self.assert_is_forbidden(lambda: o.studies.get_all_ids()) | 262 self.assert_is_forbidden(lambda: o.studies.get_all_ids()) |
232 self.assert_is_forbidden(lambda: o.patients.get_all_ids()) | 263 self.assert_is_forbidden(lambda: o.patients.get_all_ids()) |
234 self.assert_is_forbidden(lambda: o.instances.get_all_ids()) | 265 self.assert_is_forbidden(lambda: o.instances.get_all_ids()) |
235 self.assert_is_forbidden(lambda: o.get_json('patients?expand')) | 266 self.assert_is_forbidden(lambda: o.get_json('patients?expand')) |
236 self.assert_is_forbidden(lambda: o.get_json('studies?expand')) | 267 self.assert_is_forbidden(lambda: o.get_json('studies?expand')) |
237 self.assert_is_forbidden(lambda: o.get_json('series?expand')) | 268 self.assert_is_forbidden(lambda: o.get_json('series?expand')) |
238 self.assert_is_forbidden(lambda: o.get_json('instances?expand')) | 269 self.assert_is_forbidden(lambda: o.get_json('instances?expand')) |
270 self.assert_is_forbidden(lambda: o.get_json('studies')) | |
271 self.assert_is_forbidden(lambda: o.get_json('studies/')) | |
239 | 272 |
240 # some resources are still accessible to the 'anonymous' user -> does not throw | 273 # some resources are still accessible to the 'anonymous' user -> does not throw |
241 o.get_system() | 274 o.get_system() |
242 o.lookup("1.2.3") # this route is still explicitely authorized because it is used by Stone | 275 o.lookup("1.2.3") # this route is still explicitely authorized because it is used by Stone |
243 | 276 |
245 self.assert_is_forbidden(lambda: o.studies.get_series_ids(self.label_b_study_id)) | 278 self.assert_is_forbidden(lambda: o.studies.get_series_ids(self.label_b_study_id)) |
246 | 279 |
247 # the label_a study is allowed | 280 # the label_a study is allowed |
248 o.studies.get_series_ids(self.label_a_study_id) | 281 o.studies.get_series_ids(self.label_a_study_id) |
249 | 282 |
250 # TODO: test with DicomWEB routes + sub-routes | 283 # test with DicomWEB routes + sub-routes |
284 o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}") | |
285 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/metadata") | |
286 o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}") | |
287 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/metadata") | |
288 o.get_binary(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}") | |
289 o.get_json(f"dicom-web/studies/{self.label_a_study_dicom_id}/series/{self.label_a_series_dicom_id}/instances/{self.label_a_instance_dicom_id}/metadata") |
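Review bot: The DICOMweb checks added at the end of `test_resource_token` only exercise the allowed path: every `dicom-web/...` request targets the label_a study that `token-knix-study` grants, so in the visible lines nothing asserts that the same token is refused on another study's DICOMweb routes. A test shaped like this would still pass if the plugin stopped checking DICOMweb paths altogether. `prepare` already stores the identifiers needed for the negative case, so I would add `self.assert_is_forbidden(lambda: o.get_json(f"dicom-web/studies/{self.label_b_study_dicom_id}/metadata"))` and the equivalent for `self.no_label_study_dicom_id`. Separately, `prepare` uploads `Comunix/Pet/IM-0001-0001.dcm` twice (new lines 113-114 and again 116-117), each time assigning `cls.no_label_study_id`; the first pair looks like a leftover and can be dropped.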