IncomingHttpRequestFilter() Capabilities ?

sdscotti · March 3, 2021, 5:53am

I noticed that the Advanced Authorization Plug-in is Deprecated and there is a note about using a Python Script or a Lua Script in its place. I started playing around with the Python script and had it log the request in my Docker log:

pacs-1_1 | T0303 05:27:22.795985 HttpServer.cpp:1152] (http) HTTP header: [host]: [docker.medical.ky]
pacs-1_1 | T0303 05:27:22.796344 HttpServer.cpp:1152] (http) HTTP header: [x-real-ip]: [66.253.168.233]
php-fpm_1 | }
pacs-1_1 | T0303 05:27:22.796535 HttpServer.cpp:1152] (http) HTTP header: [connection]: [User trying to access URI: /osimis-viewer/images/84ae0a88-378efd5e-2b9f1ec3-7a1fccc4-4568507e/0/high-quality
pacs-1_1 | {‘get’: {},
pacs-1_1 | ‘headers’: {‘accept’: ‘application/json, text/plain, /’,
pacs-1_1 | ‘accept-encoding’: ‘gzip, deflate, br’,
pacs-1_1 | ‘accept-language’: ‘en-US,en;q=0.5’,
pacs-1_1 | ‘connection’: ‘close’,
pacs-1_1 | ‘content-type’: ‘application/json’,
pacs-1_1 | ‘cookie’: 'laravel_session=XXX; ’
pacs-1_1 | 'XSRF-TOKEN=XXX; ’
pacs-1_1 | ‘laravel_cookie_consent=1’,
pacs-1_1 | ‘host’: ‘docker.medical.ky’,
pacs-1_1 | ‘referer’: ‘https://docker.medical.ky/api/osimis-viewer/app/index.html?study=013cf8c2-c32e3628-67eb9cbf-9b704655-1fe39f8c’,
pacs-1_1 | ‘study’: ‘013cf8c2-c32e3628-67eb9cbf-9b704655-1fe39f8c’,
pacs-1_1 | ‘user-agent’: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; ’
pacs-1_1 | ‘rv:86.0) Gecko/20100101 Firefox/86.0’,
pacs-1_1 | ‘x-real-ip’: ‘66.253.168.233’},
pacs-1_1 | ‘ip’: ‘172.21.0.6’,
pacs-1_1 | ‘method’: 1}
pacs-1_1 | close]

That looks very helpful since even more info could be passed in with an encrypted JWT COOKIE and a framework could be setup in a plug-in for fine-grained access to resources.

The documentation looks like it says you just return True or False in the callback, and then you are either passed through or get a 403 Forbidden response from the server. That is probably manageable if the request is via CURL or AJAX, but not so great if it is a GET with a browser. Is there a way to have the 403 redirect back to a configurable URL with an intelligent reason for the denial so that the denial could be handled more smoothly ? I’m not a CPP person, but looks like there is some code: OrthancServer/Sources/main.cpp

jodogne · March 4, 2021, 11:25am

In HTTP, the “403 Forbidden” status code is the correct way of denying access to a resource:
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_client_errors

If redirection is desirable, it should be handled by a higher-level application (e.g. a PHP application that uses the “curl_*” functions to contact Orthanc):
https://book.orthanc-server.com/faq/improving-interface.html

A similar feature could be implemented as a Python plugin, but this is really not recommanded:
https://book.orthanc-server.com/plugins/python.html

Here is a basic skeleton for such a Python plugin (do not use it as such, it is just a starting point, and I won’t comment it further):

import orthanc
import pprint

def OnRest(output, uri, **request):
if uri == ‘/not-allowed’:
if request[‘method’] == ‘GET’:
output.AnswerBuffer(‘You are not allowed to access this ressource\n’, ‘text/plain’)
else:
output.SendMethodNotAllowed(‘GET’)

elif (not ‘authorization’ in request[‘headers’] or
request[‘headers’][‘authorization’] != ‘Bearer token’):
output.Redirect(‘/not-allowed’)

elif request[‘method’] == ‘GET’:
output.AnswerBuffer(orthanc.RestApiGet(uri), ‘text/plain’)

else:

TODO

output.SendHttpStatus(501, ‘Not Implemented’)

orthanc.RegisterRestCallback(‘.*’, OnRest)

sdscotti · March 4, 2021, 1:53pm

Thank you. That is all very helpful. I think that between the Python Plug-in and the NGINX http_auth_request_module there is a fair bit of flexibility now.

http://nginx.org/en/docs/http/ngx_http_auth_request_module.html (seems to work in a similar fashion).

Might actually make more sense to use the NGINX auth mechanism in many cases since Orthanc would not even be called then.

I will experiment around with the options. There are some nice composer PHP packages for managing JWT’s. That might be one way to go if the auth server is running PHP.

Thank you for your help. Hope to have some of this packaged up in my little project soon. Actually started to get parts of the RIS implemented as far as radiology reports are concerned. Nice to have a Docker Dev Container and a decent PHP framework (Laravel) to work with.

Darren_Gallagher · March 17, 2021, 1:59pm

Hi

Earlier on in this thread someone wrote:

“A similar feature could be implemented as a Python plugin, but this is really not recommended:
https://book.orthanc-server.com/plugins/python.html”

Can someone please clarify if this means that the use of the Python plugin is not recommended?

Is this because the Lua one is preferred? Or have I misinterpreted this?

Myself and a colleague are trying to decide how best to implement authentication to assets stored on Orthanc (in S3) and are considering using either the Lua or Python plugin.

Thanks

Darren Gallagher

jodogne · March 31, 2021, 11:53am

Hello,

You have misinterpreted me: The use of Python plugins IS definitely recommended. Python plugins are much more expressive than Lua scripts.

What is not recommended, is trying to bypass the “403 Forbidden” HTTP error code as requested by the original poster.

Sébastien-