Sonador Security Extensions: Access Control (SN MS1)
Refer to oak-tree/medical-imaging/imaging-development-env#58 and oak-tree/medical-imaging/sonador#53 for milestone discussion and questions/answers. The question lists previously part of this issue have been copied there. Refer to oak-tree/medical-imaging/sonador#53 for tracking/updates.
Filter Function
Filter function dropped from implementation in favor of the Orthanc Advanced Authorization Plugin. A newer version of the authorization plugin includes support for user profiles. Original requirements have been kept for reference.
- Improve the permissions and access control to the Cloud Orthanc Database.
- Build a User Model inside Orthanc (orthanc-sonador#32 (closed)) --> to be complete, Feb 12 2024. Changed to be ACL models with regular synchronization against a user/group history endpoint provided by Sonador (sonador#58).
- Filter function in Orthanc for validating user configurations from Sonador (orthanc-sonador#32 (closed)). Dropped from milestone scope.
  - Refactor Orthanc Resources into their own class modules --> to be complete, Feb 12 2024
  - Parse DICOM Web requests for identifying Orthanc Resources in the filter function --> to be complete, Feb 12 2024
  - Parse Public System and resource requests for identifying Orthanc resources in the filter function (12/29/23) --> to be complete, Feb 12 2024
  - Write functional tests for all endpoints to test the filter method successfully --> to be complete, Feb 12 2024
  - Optimize the filter function to reduce the overhead of overloaded requests --> to be complete, Feb 16 2024
  - Make requests in Orthanc aware of the associated user, so that access to data can be limited based on the user.
ACL Models: API Support for managing users in groups and providing a user context to Orthanc requests
- Create Access Control Models (ACL) which can be used to securely authorize resource access (orthanc-sonador#32 (closed), oak-tree/medical-imaging/sonador#53)
  - Implement model schema in both Orthanc and Sonador to provide support for query, upload, view, modify, remove, manage comments, and view comments
  - Expand the implementation of the Orthanc advanced authorization API in Sonador to support profiles, more granular permissions, and resource tokens
  - Integrate Orthanc Cloud Plugin ACL models with Sonador authorization forms/views in order to incorporate local (Orthanc) policy checks into the authorization workflow (oak-tree/medical-imaging/sonador!64)
- Expand test suite to test for data tenancy, isolation, and access control. Ensure that data is only seen by authorized users (sonador-client#23 (closed))
  - Create technical reference notebook showing the workflow for creating a test group, test user, and test credentials. Demonstrate use of authorizing patient, study, and series for view permissions via both global and local policies (sonador-examples!13 (merged))
  - Implement notebook as set of functional tests within Sonador IO client library
  - Generate test matrix for all roles and combinations of permissions, ensure that roles and test cases are covered in both test and validation plan (sonador#35) (https://code.oak-tree.tech/oak-tree/medical-imaging/sonador/-/issues/64) (moved to MS4)
  - Implement all functional test cases within Sonador IO client library showing complete coverage of query, upload, view, modify, remove, manage comments, and view comments for all resource types (patient, study, and series) https://code.oak-tree.tech/oak-tree/medical-imaging/sonador/-/issues/64 (moved to MS4)
- Implement API support for creating User, Groups, and access credentials within Sonador (oak-tree/medical-imaging/sonador!63)
- Create a "filter" API within Sonador to allow for users to be looked up via token (introspect) and UID (sonador#59 (closed))
- Integrate the user/group lookup/filter/search into Orthanc so that Orthanc is able to verify user identity when creating comments and ACL policies (orthanc-sonador#39 (closed))
IdP Sync: Ensure that groups defined in the IdP are defined in Sonador and that the user is correctly assigned
- Implement fields in wgtauth to allow for a sync_groups method which is able to execute after a user logs into Sonador (django-apps/wagtail-auth!4) and validate_token
  - Dynamic field for sync_groups
  - Dynamic field for validate_token
  - Group synchronization for Cognito (should be part of the login AND token validation)
    - Query the remote group membership in Cognito
    - If a group exists in the IdP, but not in Sonador, create a group of the same name in Sonador
    - Add the user to the group
    - If a user is a member of a group in Sonador, but not in the IdP, remove the user from the group
  - Remote token validation: receive a token from Orthanc, check local token sources, if no match check remote providers to see if it is a valid token from an IdP (#60)
- Add a "credentials cache" to Sonador that is able to determine if a credential has already been authorized by the system and is still valid (required to speed up IdP validation of remote tokens) (oak-tree/medical-imaging/sonador#68)
- Add cryptography, hashlib, and other tools for performing "offline" validation of Cognito issued tokens (sonador#67 (closed))
- Add support to Cognito auth provider so it is able to perform offline/cryptographic validation of IdP tokens and cache the results
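The credentials cache called for above, sketched as an added example (not Sonador or wgtauth code): a token that has already passed validation is remembered under its SHA-256 digest and is never trusted past its own exp claim. CredentialCache, the validate callable, max_ttl and the sample token are assumptions made for illustration.

```python
import hashlib
import time


class CredentialCache:
    """Remember tokens that already passed validation, keyed by digest."""

    def __init__(self, validate, max_ttl=300, clock=time.time):
        self._validate = validate  # hypothetical: token -> claims dict, or None
        self._max_ttl = max_ttl    # upper bound on how long a result is reused
        self._clock = clock
        self._entries = {}         # sha256(token) -> (claims, expires_at)
        self.validator_calls = 0   # counts the slow path (IdP or crypto check)

    @staticmethod
    def _key(token):
        # Store a digest so the cache never holds a usable bearer token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def authorize(self, token):
        now, key = self._clock(), self._key(token)
        hit = self._entries.get(key)
        if hit is not None:
            if now < hit[1]:
                return hit[0]
            del self._entries[key]  # stale entry: fall through and revalidate
        self.validator_calls += 1
        claims = self._validate(token)
        if claims is None or claims.get("exp", 0) <= now:
            return None             # rejections are not cached
        # A cached result must not outlive the token's own expiry.
        self._entries[key] = (claims, min(claims["exp"], now + self._max_ttl))
        return claims

    def revoke(self, token):
        # Called when a policy or credential is withdrawn before expiry.
        self._entries.pop(self._key(token), None)


def demo():
    now = [1000.0]                                         # fake clock
    issued = {"tok-a": {"sub": "test-user", "exp": 1120}}  # constructed sample
    cache = CredentialCache(issued.get, max_ttl=60, clock=lambda: now[0])
    results = [cache.authorize("tok-a"), cache.authorize("tok-a")]  # miss, hit
    now[0] = 1070.0  # past max_ttl, before exp: validated again
    results.append(cache.authorize("tok-a"))
    now[0] = 1125.0  # past exp: rejected even though the validator accepts it
    results.append(cache.authorize("tok-a"))
    return results, cache.validator_calls
```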
Test Suite: Data tenancy and access control
- Test 1 (upload server permission): upload data to Sonador
  - Admin creates a policy to authorize upload to Sonador
  - Test user uploads an image to the server
  - Admin revokes the policy by setting upload to False
  - Test user attempts an upload to the server and receives a 403 error
- Test 2 (query server permission): check that the user receives 403 if query is not enabled
  - Admin creates a policy with query permission
  - Known data is uploaded by admin
  - Test user is able to query and find the uploaded data
  - Policy is revoked
  - Test user receives a 403 when attempting to utilize query endpoint
Test Suite: Global Permissions
- Test 1: series access permission (view)
- Test 2: study access permission (view)
- Test 3: patient access permission (view)
Test Suite: Local Permissions https://code.oak-tree.tech/oak-tree/medical-imaging/sonador/-/issues/65 (ultimately moving to MS4, but need to complete as we go.)
- Test 1: User data tenancy control (Orthanc)
  - Admin creates policy allowing upload of image to Sonador
  - Test user uploads data to the server
  - Admin creates a user grant on Orthanc giving the test user permission to access the uploaded study
  - Verify that the user has authorization
- Test 2: Inverse of original test
  - User uploads image
  - Revoke their permissions with the user model API, verify they aren't authorized
- Test 3: Test user grant to second user
  - User uploads image to Sonador
  - Utilize Sonador user/groups API to create a new limited user
  - Create a grant providing access to the data
  - Perform a retrieve operation using the limited user and ensure access to the data
  - Remove the grant, perform a retrieve operation and ensure that access to the data is denied
Notes:
- February 15: Sonador was notified of changes to the scope of development due to updates to Orthanc's advanced authorization plugin (refer to comments above). The fundamental approach to validation of resource access will be the same and will be managed via an integration between Orthanc and Sonador.
- March 24: Milestone updated with further detail on tests, documentation, and sub-tasks needed to close out.
- March 28: Updated test cases with details about server permissions, global access policies, and local access policies. Agreed to focus on global policy tests for Mar 29 review.
- May 8: Initial implementation of Cognito credential provider is too slow. When enabled, the time for processing authorization requests increases from significantly less than a second to multiple seconds. Added two new issues: one calling for the creation of a credentials cache and a second to inject cryptography and hashing tools into the provider context to allow for "offline" (cryptographic) validation, without requiring an external network call.
- May 31: Added tasks for Sonador user/group lookup via UID and its integration into Orthanc.
- October 24: Created a follow-up milestone to group overflow and additional development. %Centinel: Sonador Security Upgrades (Again)