changeset 3533:2090ec6a83a5
create a default user if none is provided, while issuing a warning in Orthanc Explorer
author | Sebastien Jodogne <s.jodogne@gmail.com> |
---|---|
date | Fri, 04 Oct 2019 17:41:43 +0200 |
parents | e4b4b4dbef99 |
children | cac8ffcb9cef |
files | OrthancExplorer/explorer.html OrthancExplorer/explorer.js OrthancServer/OrthancRestApi/OrthancRestSystem.cpp OrthancServer/ServerContext.cpp OrthancServer/ServerContext.h OrthancServer/main.cpp |
diffstat | 6 files changed, 74 insertions(+), 6 deletions(-) [+] |
--- a/OrthancExplorer/explorer.html Thu Oct 03 13:44:08 2019 +0200 +++ b/OrthancExplorer/explorer.html Fri Oct 04 17:41:43 2019 +0200 @@ -646,6 +646,19 @@ <div id="dialog" style="display:none"> </div> + + <div id="template-insecure" style="display:none"> + <div class="warning-insecure ui-body ui-body-e"> + <h1>Insecure setup</h1> + <p> + Your Orthanc server is accepting remote connections, but is + using the default username and password. Please carefully read + your logs and review your configuration, especially + options <tt>RemoteAccessAllowed</tt>, <tt>AuthenticationEnabled</tt>, + and <tt>RegisteredUsers</tt>. + </p> + </div> + </div> </body> </html>
--- a/OrthancExplorer/explorer.js Thu Oct 03 13:44:08 2019 +0200 +++ b/OrthancExplorer/explorer.js Fri Oct 04 17:41:43 2019 +0200 @@ -79,6 +79,11 @@ $tree.tree('openNode', event.node, true); } ); + + // Inject the template of the warning about insecure setup as the + // first child of each page + var insecure = $('#template-insecure').html(); + $('[data-role="page"]>[data-role="content"]').prepend(insecure); currentPage = $.mobile.pageData.active; currentUuid = $.mobile.pageData.uuid; @@ -388,6 +393,14 @@ .text(s.Name) .append(' » ')); } + + // New in Orthanc 1.5.8 + if ('IsDefaultUser' in s && + s.IsDefaultUser) { + $('.warning-insecure').show(); + } else { + $('.warning-insecure').hide(); + } } }); });
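Review bot: The injected copies of `.warning-insecure` look visible by default, because only the outer `#template-insecure` wrapper carries `display:none` and `.html()` copies the inner markup without it. Unless an existing stylesheet rule hides that class (no CSS file is in this changeset), every page shows "Insecure setup" until the `/system` callback in the second hunk calls `.hide()`, and keeps showing it if that request fails. If failing visible is intended, say so in a comment next to the `prepend`; otherwise hide the copies at injection time, e.g. `$('.warning-insecure').hide();` directly after the `prepend`. Both enclosing functions start and end outside the hunks.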
--- a/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp Thu Oct 03 13:44:08 2019 +0200 +++ b/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp Fri Oct 04 17:41:43 2019 +0200 @@ -53,11 +53,14 @@ static void GetSystemInformation(RestApiGetCall& call) { + ServerContext& context = OrthancRestApi::GetContext(call); + Json::Value result = Json::objectValue; result["ApiVersion"] = ORTHANC_API_VERSION; result["Version"] = ORTHANC_VERSION; result["DatabaseVersion"] = OrthancRestApi::GetIndex(call).GetDatabaseVersion(); + result["IsDefaultUser"] = context.IsDefaultUser(); // New in Orthanc 1.5.8 { OrthancConfiguration::ReaderLock lock; @@ -72,7 +75,7 @@ #if ORTHANC_ENABLE_PLUGINS == 1 result["PluginsEnabled"] = true; - const OrthancPlugins& plugins = OrthancRestApi::GetContext(call).GetPlugins(); + const OrthancPlugins& plugins = context.GetPlugins(); if (plugins.HasStorageArea()) {
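Review bot: The key `IsDefaultUser` reads like a property of the caller, but `context.IsDefaultUser()` returns one server-wide flag that the main.cpp hunk sets while reading the configuration. A client of `/system` cannot tell from the name or from `// New in Orthanc 1.5.8` that `false` only means "no built-in account was registered", not "this request is authenticated". I would expand the comment to something like `// True if Orthanc registered its built-in account because "RegisteredUsers" was empty (server-wide, not per-caller; new in 1.5.8)`. The same one-line explanation belongs on `SetDefaultUser()`/`IsDefaultUser()` and on the `isDefaultUser_` member in ServerContext.h, which are added without any comment.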
--- a/OrthancServer/ServerContext.cpp Thu Oct 03 13:44:08 2019 +0200 +++ b/OrthancServer/ServerContext.cpp Fri Oct 04 17:41:43 2019 +0200 @@ -239,7 +239,8 @@ done_(false), haveJobsChanged_(false), isJobsEngineUnserialized_(false), - metricsRegistry_(new MetricsRegistry) + metricsRegistry_(new MetricsRegistry), + isDefaultUser_(false) { { OrthancConfiguration::ReaderLock lock;
--- a/OrthancServer/ServerContext.h Thu Oct 03 13:44:08 2019 +0200 +++ b/OrthancServer/ServerContext.h Fri Oct 04 17:41:43 2019 +0200 @@ -220,6 +220,7 @@ bool saveJobs_; std::auto_ptr<MetricsRegistry> metricsRegistry_; + bool isDefaultUser_; public: class DicomCacheLocker : public boost::noncopyable @@ -402,5 +403,15 @@ { return *metricsRegistry_; } + + void SetDefaultUser(bool isDefaultUser) + { + isDefaultUser_ = isDefaultUser; + } + + bool IsDefaultUser() const + { + return isDefaultUser_; + } }; }
--- a/OrthancServer/main.cpp Thu Oct 03 13:44:08 2019 +0200 +++ b/OrthancServer/main.cpp Fri Oct 04 17:41:43 2019 +0200 @@ -832,8 +832,8 @@ if (httpServer.IsRemoteAccessAllowed() && !authenticationEnabled) { - LOG(WARNING) << "Remote access is enabled while user authentication is disabled, " - << "make sure this does not affect the security of your setup"; + LOG(WARNING) << "====> Remote access is enabled while user authentication is explicitly disabled, " + << "make sure this does not affect the security of your setup <===="; } } else if (httpServer.IsRemoteAccessAllowed()) @@ -857,8 +857,35 @@ if (httpServer.IsAuthenticationEnabled() && !hasUsers) { - LOG(WARNING) << "HTTP authentication is enabled, but no user is declared, " - << "check the value of configuration option \"RegisteredUsers\""; + if (httpServer.IsRemoteAccessAllowed()) + { + /** + * Starting with Orthanc 1.5.8, if no user is explicitly + * defined while remote access is allowed, we create a + * default user, and Orthanc Explorer shows a warning + * message about an "Insecure setup". This convention is + * used in Docker images "jodogne/orthanc", + * "jodogne/orthanc-plugins" and "osimis/orthanc". + **/ + LOG(ERROR) << "====> HTTP authentication is enabled, but no user is declared. " + << "Creating a default user: Review your configuration option \"RegisteredUsers\". " + << "Your setup is INSECURE <===="; + + context.SetDefaultUser(true); + + // This is the username/password of the default user in Orthanc. + httpServer.RegisterUser("orthanc", "orthanc"); + } + else + { + LOG(WARNING) << "HTTP authentication is enabled, but no user is declared, " + << "check the value of configuration option \"RegisteredUsers\""; + } + } + else + { + // This setup is secure + context.SetDefaultUser(false); } if (lock.GetConfiguration().GetBooleanParameter("SslEnabled", false))
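Review bot: The comment `// This setup is secure` on the final `else` overstates what that branch knows. It is reached whenever authentication is disabled or at least one user is registered, which includes the remote-access-without-authentication case that the first hunk of this file still warns about. Because Orthanc Explorer hides its banner whenever `IsDefaultUser` is false, that configuration gets no on-screen warning; I would reword the comment to `// No default user was created (this does not imply that the setup is secure)` and consider raising this flag, or a separate one, for that case too. The account from `RegisterUser("orthanc", "orthanc")` presumably also authenticates REST clients that never load Explorer, so for them the `LOG(ERROR)` line is the only signal. The enclosing function starts and ends outside the hunk.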