Mercurial > hg > orthanc
comparison OrthancServer/Sources/main.cpp @ 4888:8523078f3f4b
added new configuration to authorize C-Find for worklist independently from other C-Find
| author | Alain Mazy <am@osimis.io> |
|---|---|
| date | Fri, 18 Feb 2022 15:45:28 +0100 |
| parents | 43e613a7756b |
| children | 6eff25f70121 |
comparison
equal
deleted
inserted
replaced
| 4887:a29a6bdba9dd | 4888:8523078f3f4b |
|---|---|
| 280 { | 280 { |
| 281 private: | 281 private: |
| 282 ServerContext& context_; | 282 ServerContext& context_; |
| 283 bool alwaysAllowEcho_; | 283 bool alwaysAllowEcho_; |
| 284 bool alwaysAllowFind_; // New in Orthanc 1.9.0 | 284 bool alwaysAllowFind_; // New in Orthanc 1.9.0 |
| 285 bool alwaysAllowFindWorklist_; // New in Orthanc 1.10.0 | |
| 285 bool alwaysAllowGet_; // New in Orthanc 1.9.0 | 286 bool alwaysAllowGet_; // New in Orthanc 1.9.0 |
| 286 bool alwaysAllowMove_; // New in Orthanc 1.9.7 | 287 bool alwaysAllowMove_; // New in Orthanc 1.9.7 |
| 287 bool alwaysAllowStore_; | 288 bool alwaysAllowStore_; |
| 288 | 289 |
| 289 public: | 290 public: |
| 292 { | 293 { |
| 293 { | 294 { |
| 294 OrthancConfiguration::ReaderLock lock; | 295 OrthancConfiguration::ReaderLock lock; |
| 295 alwaysAllowEcho_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowEcho", true); | 296 alwaysAllowEcho_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowEcho", true); |
| 296 alwaysAllowFind_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowFind", false); | 297 alwaysAllowFind_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowFind", false); |
| 298 alwaysAllowFindWorklist_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowFindWorklist", false); | |
| 297 alwaysAllowGet_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowGet", false); | 299 alwaysAllowGet_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowGet", false); |
| 298 alwaysAllowMove_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowMove", false); | 300 alwaysAllowMove_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowMove", false); |
| 299 alwaysAllowStore_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowStore", true); | 301 alwaysAllowStore_ = lock.GetConfiguration().GetBooleanParameter("DicomAlwaysAllowStore", true); |
| 300 } | 302 } |
| 301 | 303 |
| 302 if (alwaysAllowFind_) | 304 if (alwaysAllowFind_) |
| 303 { | 305 { |
| 304 LOG(WARNING) << "Security risk in DICOM SCP: C-FIND requests are always allowed, even from unknown modalities"; | 306 LOG(WARNING) << "Security risk in DICOM SCP: C-FIND requests are always allowed, even from unknown modalities"; |
| 305 } | 307 } |
| 306 | 308 |
| 309 if (alwaysAllowFindWorklist_) | |
| 310 { | |
| 311 LOG(WARNING) << "Security risk in DICOM SCP: C-FIND requests for worklists are always allowed, even from unknown modalities"; | |
| 312 } | |
| 313 | |
| 307 if (alwaysAllowGet_) | 314 if (alwaysAllowGet_) |
| 308 { | 315 { |
| 309 LOG(WARNING) << "Security risk in DICOM SCP: C-GET requests are always allowed, even from unknown modalities"; | 316 LOG(WARNING) << "Security risk in DICOM SCP: C-GET requests are always allowed, even from unknown modalities"; |
| 310 } | 317 } |
| 311 | 318 |
| 322 LOG(INFO) << "Incoming connection from AET " << remoteAet | 329 LOG(INFO) << "Incoming connection from AET " << remoteAet |
| 323 << " on IP " << remoteIp << ", calling AET " << calledAet; | 330 << " on IP " << remoteIp << ", calling AET " << calledAet; |
| 324 | 331 |
| 325 if (alwaysAllowEcho_ || | 332 if (alwaysAllowEcho_ || |
| 326 alwaysAllowFind_ || | 333 alwaysAllowFind_ || |
| 334 alwaysAllowFindWorklist_ || | |
| 327 alwaysAllowGet_ || | 335 alwaysAllowGet_ || |
| 328 alwaysAllowMove_ || | 336 alwaysAllowMove_ || |
| 329 alwaysAllowStore_) | 337 alwaysAllowStore_) |
| 330 { | 338 { |
| 331 return true; | 339 return true; |
| 339 | 347 |
| 340 static void ReportDisallowedCommand(const std::string& remoteIp, | 348 static void ReportDisallowedCommand(const std::string& remoteIp, |
| 341 const std::string& remoteAet, | 349 const std::string& remoteAet, |
| 342 DicomRequestType type) | 350 DicomRequestType type) |
| 343 { | 351 { |
| 344 LOG(WARNING) << "Unable to check DICOM authorization for AET " << remoteAet | 352 LOG(WARNING) << "DICOM authorization rejected for AET " << remoteAet |
| 345 << " on IP " << remoteIp << ": The DICOM command " | 353 << " on IP " << remoteIp << ": The DICOM command " |
| 346 << EnumerationToString(type) << " is not allowed for this modality " | 354 << EnumerationToString(type) << " is not allowed for this modality " |
| 347 << "according to configuration option \"DicomModalities\""; | 355 << "according to configuration option \"DicomModalities\""; |
| 348 } | 356 } |
| 349 | 357 |
| 366 alwaysAllowFind_) | 374 alwaysAllowFind_) |
| 367 { | 375 { |
| 368 // Incoming C-Find requests are always accepted, even from unknown AET | 376 // Incoming C-Find requests are always accepted, even from unknown AET |
| 369 return true; | 377 return true; |
| 370 } | 378 } |
| 379 else if (type == DicomRequestType_FindWorklist && | |
| 380 alwaysAllowFindWorklist_) | |
| 381 { | |
| 382 // Incoming C-Find requests for worklists are always accepted, even from unknown AET | |
| 383 return true; | |
| 384 } | |
| 371 else if (type == DicomRequestType_Store && | 385 else if (type == DicomRequestType_Store && |
| 372 alwaysAllowStore_) | 386 alwaysAllowStore_) |
| 373 { | 387 { |
| 374 // Incoming C-Store requests are always accepted, even from unknown AET | 388 // Incoming C-Store requests are always accepted, even from unknown AET |
| 375 return true; | 389 return true; |
| 397 checkIp = lock.GetConfiguration().GetBooleanParameter("DicomCheckModalityHost", false); | 411 checkIp = lock.GetConfiguration().GetBooleanParameter("DicomCheckModalityHost", false); |
| 398 } | 412 } |
| 399 | 413 |
| 400 if (modalities.empty()) | 414 if (modalities.empty()) |
| 401 { | 415 { |
| 402 LOG(WARNING) << "Unable to check DICOM authorization for AET " << remoteAet | 416 LOG(WARNING) << "DICOM authorization rejected for AET " << remoteAet |
| 403 << " on IP " << remoteIp << ": This AET is not listed in " | 417 << " on IP " << remoteIp << ": This AET is not listed in " |
| 404 << "configuration option \"DicomModalities\""; | 418 << "configuration option \"DicomModalities\""; |
| 405 return false; | 419 return false; |
| 406 } | 420 } |
| 407 else if (modalities.size() == 1) | 421 else if (modalities.size() == 1) |
| 408 { | 422 { |
| 409 // DicomCheckModalityHost is true: check if the IP match the configured IP | 423 // DicomCheckModalityHost is true: check if the IP match the configured IP |
| 410 if (checkIp && | 424 if (checkIp && |
| 411 remoteIp != modalities.front().GetHost()) | 425 remoteIp != modalities.front().GetHost()) |
| 412 { | 426 { |
| 413 LOG(WARNING) << "Unable to check DICOM authorization for AET " << remoteAet | 427 LOG(WARNING) << "DICOM authorization rejected for AET " << remoteAet |
| 414 << " on IP " << remoteIp << ": Its IP address should be " | 428 << " on IP " << remoteIp << ": Its IP address should be " |
| 415 << modalities.front().GetHost() | 429 << modalities.front().GetHost() |
| 416 << " according to configuration option \"DicomModalities\""; | 430 << " according to configuration option \"DicomModalities\""; |
| 417 return false; | 431 return false; |
| 418 } | 432 } |
| 444 return false; | 458 return false; |
| 445 } | 459 } |
| 446 } | 460 } |
| 447 } | 461 } |
| 448 | 462 |
| 449 LOG(WARNING) << "Unable to check DICOM authorization for AET " << remoteAet | 463 LOG(WARNING) << "DICOM authorization rejected for AET " << remoteAet |
| 450 << " on IP " << remoteIp << ": " << modalities.size() | 464 << " on IP " << remoteIp << ": " << modalities.size() |
| 451 << " modalites found with this AET in configuration option " | 465 << " modalites found with this AET in configuration option " |
| 452 << "\"DicomModalities\", but none of them matches the IP"; | 466 << "\"DicomModalities\", but none of them matches the IP"; |
| 453 return false; | 467 return false; |
| 454 } | 468 } |