From c64a5419ee05552793c133d69f8f64c309727f99 Mon Sep 17 00:00:00 2001
From: Alain Mazy
Date: Fri, 14 Jun 2024 16:23:16 +0200
Subject: [PATCH] fixes
---
 .github/workflows/build-orthanc-share.yml | 28 +++++++++----------
 minimal-setup/keycloak/permissions.jsonc | 2 +-
 sources/orthanc_auth_service/app.py | 2 +-
 .../orthanc_auth_service/shares/keycloak.py | 4 ++-
 .../shares/keycloak_admin.py | 27 ------------------
 sources/orthanc_auth_service/shares/models.py | 1 +
 .../shares/roles_configuration.py | 2 +-
 7 files changed, 21 insertions(+), 45 deletions(-)
diff --git a/.github/workflows/build-orthanc-share.yml b/.github/workflows/build-orthanc-share.yml
index 44954ed..7157dfa 100644
--- a/.github/workflows/build-orthanc-share.yml
+++ b/.github/workflows/build-orthanc-share.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: REUSE Compliance Check
 uses: fsfe/reuse-action@v1
@@ -29,14 +29,14 @@ jobs:
 ./sources/tests/run-tests.sh
 - name: Log in to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Extract metadata (tags, labels) for Docker (orthanc-nginx)
 id: meta-orthanc-nginx
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: orthancteam/orthanc-nginx
 labels: |
@@ -45,7 +45,7 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker (orthanc-auth-service)
 id: meta-orthanc-auth-service
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: orthancteam/orthanc-auth-service
 labels: |
@@ -54,7 +54,7 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker (meddream-viewer)
 id: meta-meddream-viewer
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: orthancteam/meddream-viewer
 labels: |
@@ -63,7 +63,7 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker (meddream-token-service)
 id: meta-meddream-token-service
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: orthancteam/meddream-token-service
 labels: |
@@ -72,7 +72,7 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker (orthanc-keycloak)
 id: meta-orthanc-keycloak
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: orthancteam/orthanc-keycloak
 labels: |
@@ -81,7 +81,7 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker (ohif-v3)
 id: meta-ohif-v3
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: orthancteam/ohif-v3
 labels: |
@@ -89,7 +89,7 @@ jobs:
 org.opencontainers.image.vendor=Orthanc Team SRL
 - name: Build and push orthanc-nginx Docker image
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: sources/
 file: sources/nginx/Dockerfile.orthanc-nginx
@@ -98,7 +98,7 @@ jobs:
 labels: ${{ steps.meta-orthanc-nginx.outputs.labels }}
 - name: Build and push orthanc-auth-service Docker image
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: sources/
 file: sources/Dockerfile.orthanc-auth-service
@@ -107,7 +107,7 @@ jobs:
 labels: ${{ steps.meta-orthanc-auth-service.outputs.labels }}
 - name: Build and push meddream-viewer Docker image
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: sources/meddream/viewer
 file: sources/meddream/viewer/Dockerfile.meddream-viewer
@@ -116,7 +116,7 @@ jobs:
 labels: ${{ steps.meta-meddream-viewer.outputs.labels }}
 - name: Build and push meddream-token-service Docker image
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: sources/meddream/token-service
 file: sources/meddream/token-service/Dockerfile.meddream-token-service
@@ -125,7 +125,7 @@ jobs:
 labels: ${{ steps.meta-meddream-token-service.outputs.labels }}
 - name: Build and push orthanc-keycloak Docker image
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: sources/
 file: sources/keycloak/Dockerfile.orthanc-keycloak
@@ -134,7 +134,7 @@ jobs:
 labels: ${{ steps.meta-orthanc-keycloak.outputs.labels }}
 - name: Build and push ohif-v3 Docker image
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: sources/ohif/
 file: sources/ohif/Dockerfile.ohif-v3
diff --git a/minimal-setup/keycloak/permissions.jsonc b/minimal-setup/keycloak/permissions.jsonc
index 4213baf..221d694 100644
--- a/minimal-setup/keycloak/permissions.jsonc
+++ b/minimal-setup/keycloak/permissions.jsonc
@@ -3,7 +3,7 @@
 {
 "roles" : {
 "admin-role": {
- "permissions": ["all"],
+ "permissions": ["all", "admin-permissions"],
 "authorized_labels": ["*"]
 },
 "doctor-role": {
diff --git a/sources/orthanc_auth_service/app.py b/sources/orthanc_auth_service/app.py
index 28a64e2..7dc6e52 100644
--- a/sources/orthanc_auth_service/app.py
+++ b/sources/orthanc_auth_service/app.py
@@ -238,7 +238,7 @@ def get_settings_roles():
 return roles_config
-@app.post("/settings/roles", dependencies=basic_auth_dependencies)
+@app.put("/settings/roles", dependencies=basic_auth_dependencies)
 def set_settings_roles(roles_config_request: RolesConfigurationModel):
 logging.info("set settings roles ")
diff --git a/sources/orthanc_auth_service/shares/keycloak.py b/sources/orthanc_auth_service/shares/keycloak.py
index 41c9f59..dcd8c32 100644
--- a/sources/orthanc_auth_service/shares/keycloak.py
+++ b/sources/orthanc_auth_service/shares/keycloak.py
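Review bot: In minimal-setup/keycloak/permissions.jsonc, `admin-role` now lists `"admin-permissions"` next to `"all"`, which implies that `"all"` does not cover the new permission, yet nothing in the change states that. A deployment whose own permissions file grants only `"all"` would presumably leave its administrators without the new capability after upgrading, with no hint why. Since the file is JSONC, a comment above the entry would record it, e.g. `// "all" does not include "admin-permissions"; it has to be listed explicitly`. The same gap is in the `UserPermissions` hunk of shares/models.py, where the new `ADMIN_PERMISSIONS` member deserves a one-line `#` comment saying what it gates and that `'all'` does not imply it.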
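Review bot: The only trace `set_settings_roles` (sources/orthanc_auth_service/app.py) visibly leaves is `logging.info("set settings roles ")`, which is thin for an endpoint that apparently replaces the role-to-permission mapping. Logging which roles the request carries, at the point where the new configuration is applied, would give operators an audit trail for authorization changes. The function body continues past the hunk, so this may already happen further down. The POST-to-PUT switch is also a breaking change for any existing client of `/settings/roles` (a POST will presumably be answered with 405), which the commit message "fixes" does not announce. A docstring such as `"""Replace the roles configuration (PUT, basic-auth protected)."""` plus a release-note line would cover it.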
@@ -96,7 +96,9 @@ def get_user_profile_from_token(self, jwt_token: str) -> UserProfileResponse:
 roles = self.get_roles_from_decoded_token(decoded_token=decoded_token)
- response.permissions, response.authorized_labels = self.roles_configuration.get_role_configuration(roles)
+ role_config = self.roles_configuration.get_role_configuration(roles)
+ response.permissions = role_config.permissions
+ response.authorized_labels = role_config.authorized_labels
 return response
diff --git a/sources/orthanc_auth_service/shares/keycloak_admin.py b/sources/orthanc_auth_service/shares/keycloak_admin.py
index 363dd49..7bb8d92 100644
--- a/sources/orthanc_auth_service/shares/keycloak_admin.py
+++ b/sources/orthanc_auth_service/shares/keycloak_admin.py
@@ -112,30 +112,3 @@ def get_all_roles(self) -> List[str]:
 def update_roles_configuration(self, roles_configuration: RolesConfiguration):
 self._roles_configuration = roles_configuration
-
-
- # def get_all_roles(self) -> List[str]:
-
-# def create_api_keys(keycloak_uri: str, keycloak_admin_uri: str, keycloak_client_secret: str, roles_configuration: RolesConfiguration):
-# try:
-# #validate that we can connect to keycloak and retrieve users list
-# keycloak_users_url = urljoin(keycloak_admin_uri, "users")
-# headers = {
-# 'Authorization': 'Bearer ' + _get_keycloak_access_token(keycloak_uri, keycloak_client_secret),
-# 'Content-Type': 'application/json'
-# }
-# response = requests.get(keycloak_users_url, headers=headers)
-# if response.status_code != 200:
-# logging.error(f"Unable to retrieve users list from keycloak to validate client connection " + str(response) + ", exiting...")
-# exit(-1)
-#
-# return KeycloakAdmin(keycloak_uri=keycloak_uri,
-# keycloak_admin_uri=keycloak_admin_uri,
-# keycloak_client_secret=keycloak_client_secret,
-# roles_configuration=roles_configuration)
-#
-# except Exception as ex:
-# logging.exception(ex)
-# logging.error(f"Unable to validate client connection with keycloak, exiting...")
-# exit(-1)
-#
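Review bot: `role_config.permissions` and `role_config.authorized_labels` are read unconditionally in `get_user_profile_from_token` (shares/keycloak.py). The outcome therefore depends on what `get_role_configuration(roles)` returns when the token carries no role, or only roles absent from the configuration, and that method is not shown in this hunk. If it can return `None`, this raises `AttributeError` on a path fed by a client-supplied token; if it returns an object, that object should be empty so unknown roles fail closed. Either a guard such as `if role_config is None: return response` (assuming the response defaults to no permissions and no labels) or a contract comment, `# get_role_configuration never returns None; unknown roles yield no permissions/labels`, would pin this down. The function starts above the hunk.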
diff --git a/sources/orthanc_auth_service/shares/models.py b/sources/orthanc_auth_service/shares/models.py
index d734a36..009fda5 100644
--- a/sources/orthanc_auth_service/shares/models.py
+++ b/sources/orthanc_auth_service/shares/models.py
@@ -121,6 +121,7 @@ class UserPermissions(str, Enum):
 SETTINGS = 'settings'
 API_VIEW = 'api-view'
 EDIT_LABELS = 'edit-labels'
+ ADMIN_PERMISSIONS = 'admin-permissions'
 SHARE = 'share'
diff --git a/sources/orthanc_auth_service/shares/roles_configuration.py b/sources/orthanc_auth_service/shares/roles_configuration.py
index 2725283..60cfdb9 100644
--- a/sources/orthanc_auth_service/shares/roles_configuration.py
+++ b/sources/orthanc_auth_service/shares/roles_configuration.py
@@ -32,7 +32,7 @@ def _load_roles_configuration_from_file(self):
 logging.error(f"Unable to get roles and permissions from configuration file ({self._permissions_file_path}), exiting...")
 exit(-1)
- def get_configured_roles(self):
+ def get_configured_roles(self) -> RolesConfigurationModel:
 return self._configured_roles
 def update_configured_roles(self, new_configuration: RolesConfigurationModel):