Namespaces
namespace	Action
	specific actions that can be performed

namespace	atna_event_ids

namespace	atna_event_types

namespace	atna_object_id_types

namespace	atna_role_ids

namespace	hipaa_identifiers
	HIPAA Safe Harbor identifiers (18 categories)

Classes
class	access_control_manager
	Manages permissions and access checks. More...

struct	AccessCheckResult
	Result of an access check. More...

struct	anonymization_report
	Report generated after anonymization. More...

class	anonymizer

struct	atna_active_participant
	An active participant in the audit event. More...

class	atna_audit_logger
	RFC 3881 XML audit message generator. More...

struct	atna_audit_message
	Complete RFC 3881 audit message. More...

struct	atna_audit_source
	Identifies the audit source system. More...

struct	atna_coded_value
	A coded value with code, code system name, and display name. More...

struct	atna_config
	Configuration for ATNA audit logging. More...

struct	atna_config_validation
	Validation result for ATNA configuration. More...

struct	atna_object_detail
	Additional detail about a participant object. More...

struct	atna_participant_object
	An object (patient, study, query) involved in the event. More...

class	atna_service_auditor
	High-level facade for emitting ATNA audit events from DICOM services. More...

class	atna_syslog_transport
	Sends ATNA audit messages via Syslog protocol. More...

class	certificate

class	certificate_chain
	Represents a certificate chain for validation. More...

struct	certificate_constraints
	Certificate validation constraints. More...

class	certificate_impl

struct	cipher_suite_spec
	TLS cipher suite specification. More...

class	digital_signature

struct	Permission
	Represents a permission grant. More...

class	private_key

class	private_key_impl

class	security_storage_interface
	Abstract interface for persisting security data (Users, Roles) More...

struct	signature_info
	Information about a digital signature. More...

struct	syslog_transport_config
	Configuration for the Syslog transport. More...

struct	tag_action_config
	Configuration for a custom tag action. More...

struct	tag_action_record
	Record of an action performed on a tag. More...

class	tls_policy
	TLS security policy configuration. More...

class	uid_mapping

struct	User
	Represents a user in the system. More...

class	user_context
	Represents the security context for a user session. More...

Typedefs
using	AccessAuditCallback
	Callback for audit logging of access attempts.

Enumerations
enum class	DicomOperation { CStore , CFind , CMove , CGet , CEcho , NCreate , NSet , NGet , NDelete , NAction , NEventReport }
	DICOM operation types for permission checking. More...

enum class	anonymization_profile : std::uint8_t { basic = 0 , clean_pixel = 1 , clean_descriptions = 2 , retain_longitudinal = 3 , retain_patient_characteristics = 4 , hipaa_safe_harbor = 5 , gdpr_compliant = 6 }
	DICOM de-identification profiles based on PS3.15 Annex E. More...

enum class	private_tag_action : std::uint8_t { keep , remove_all , remove_data }
	Action to take on private tags during anonymization. More...

enum class	atna_event_action : char { create = 'C' , read = 'R' , update = 'U' , delete_action = 'D' , execute = 'E' }
	Action that triggered the audit event. More...

enum class	atna_event_outcome : uint8_t { success = 0 , minor_failure = 4 , serious_failure = 8 , major_failure = 12 }
	Outcome of the audited event. More...

enum class	atna_network_access_type : uint8_t { machine_name = 1 , ip_address = 2 , phone_number = 3 }
	Type of network access point identifier. More...

enum class	atna_object_type : uint8_t { person = 1 , system_object = 2 , organization = 3 , other = 4 }
	Type of participant object. More...

enum class	atna_object_role : uint8_t { patient = 1 , location = 2 , report = 3 , resource = 4 , master_file = 5 , user = 6 , list = 7 , doctor = 8 , subscriber = 9 , guarantor = 10 , security_user_entity = 11 , security_user_group = 12 , security_resource = 13 , security_granularity_def = 14 , provider = 15 , data_destination = 16 , data_repository = 17 , schedule = 18 , customer = 19 , job = 20 , job_stream = 21 , table = 22 , routing_criteria = 23 , query = 24 }
	Role of the participant object in the event. More...

enum class	syslog_facility : uint8_t { kern = 0 , user = 1 , mail = 2 , daemon = 3 , auth = 4 , syslog = 5 , lpr = 6 , news = 7 , uucp = 8 , cron = 9 , authpriv = 10 , ftp = 11 , ntp = 12 , log_audit = 13 , log_alert = 14 , clock = 15 , local0 = 16 , local1 = 17 , local2 = 18 , local3 = 19 , local4 = 20 , local5 = 21 , local6 = 22 , local7 = 23 }
	Syslog facility values. More...

enum class	syslog_severity : uint8_t { emergency = 0 , alert = 1 , critical = 2 , error = 3 , warning = 4 , notice = 5 , informational = 6 , debug = 7 }
	Syslog severity levels. More...

enum class	syslog_transport_protocol : uint8_t { udp , tls }
	Syslog transport protocol. More...

enum class	ResourceType { Study , Metadata , System , Audit , User , Role , Series , Image }
	Categories of resources requiring protection. More...

enum class	Role { Viewer , Technologist , Radiologist , Administrator , System }
	User roles in the PACS system. More...

enum class	signature_algorithm { rsa_sha256 , rsa_sha384 , rsa_sha512 , ecdsa_sha256 , ecdsa_sha384 }
	Signature algorithms supported for DICOM digital signatures. More...

enum class	signature_status { valid , invalid , expired , untrusted_signer , revoked , no_signature }
	Status of signature verification. More...

enum class	mac_algorithm { sha256 , sha384 , sha512 }
	MAC algorithm identifiers per DICOM PS3.15. More...

enum class	certificate_type { x509_certificate , x509_certificate_chain }
	Certificate type for DICOM signatures. More...

enum class	tag_action : std::uint8_t { remove = 0 , empty = 1 , remove_or_empty = 2 , keep = 3 , replace = 4 , replace_uid = 5 , hash = 6 , encrypt = 7 , shift_date = 8 }
	Actions to perform on DICOM attributes during de-identification. More...

enum class	tls_profile { bcp195_basic , bcp195_non_downgrading , bcp195_extended }
	TLS policy profile levels. More...

Functions
constexpr auto	to_string (anonymization_profile profile) noexcept -> std::string_view
	Convert profile enum to string representation.

auto	profile_from_string (std::string_view name) -> std::optional< anonymization_profile >
	Parse profile from string.

atna_config	make_default_atna_config ()
	Create a default ATNA configuration.

std::string	to_json (const atna_config &config)
	Serialize an atna_config to a JSON string.

atna_config	parse_atna_config (std::string_view json_str)
	Parse an atna_config from a JSON string.

atna_config_validation	validate (const atna_config &config)
	Validate an ATNA configuration.

constexpr std::string_view	to_string (Role role)
	Convert Role to string.

std::optional< Role >	parse_role (std::string_view str)
	Parse Role from string.

constexpr std::string_view	to_string (signature_algorithm algo)
	Convert signature_algorithm to string representation.

std::optional< signature_algorithm >	parse_signature_algorithm (std::string_view str)
	Parse signature_algorithm from string.

constexpr std::string_view	to_string (signature_status status)
	Convert signature_status to string representation.

constexpr std::string_view	to_dicom_uid (mac_algorithm algo)
	Convert mac_algorithm to DICOM UID string.

constexpr std::string_view	to_dicom_term (certificate_type type)
	Convert certificate_type to DICOM defined term.

constexpr auto	to_string (tag_action action) noexcept -> std::string_view
	Convert tag action enum to string representation.

std::string_view	to_string (tls_profile profile) noexcept
	Convert TLS profile to string.

std::optional< tls_profile >	parse_tls_profile (std::string_view str) noexcept
	Parse TLS profile from string.

std::vector< tls_profile >	available_tls_profiles ()
	Get a list of all available TLS profiles.

X509 *	get_x509_from_certificate (const certificate &cert)

Typedef Documentation

◆ AccessAuditCallback

using kcenon::pacs::security::AccessAuditCallback

Initial value:

 
    std::function<void(const user_context &ctx, DicomOperation op,
                       const AccessCheckResult &result)>

Callback for audit logging of access attempts.

Definition at line 64 of file access_control_manager.h.

Enumeration Type Documentation

◆ anonymization_profile

enum class kcenon::pacs::security::anonymization_profile : std::uint8_t

strong

DICOM de-identification profiles based on PS3.15 Annex E.

Each profile defines a set of actions to be performed on specific DICOM attributes to achieve varying levels of de-identification.

Profile selection depends on:

Regulatory requirements (HIPAA, GDPR)
Use case (research, clinical trial, data sharing)
Need to preserve clinical utility

See also: DICOM PS3.15 Annex E Table E.1-1

Enumerator
basic	Basic Profile - Remove direct identifiers. Removes or empties elements that directly identify the patient: Patient Name, ID, Birth Date, Address Accession Number, Institution Name UIDs are replaced with new values Suitable for: Basic de-identification needs
clean_pixel	Clean Pixel Data - Remove burned-in annotations. Extends basic profile by processing pixel data to remove burned-in patient information in image corners. Suitable for: Images that may contain overlay text
clean_descriptions	Clean Descriptions - Sanitize text fields. Extends basic profile by cleaning free-text fields that may contain identifying information: Study/Series Description Patient Comments Additional Patient History Suitable for: Data with descriptive fields
retain_longitudinal	Retain Longitudinal - Preserve temporal relationships. Maintains date relationships through date shifting rather than zeroing, allowing longitudinal studies to be linked. UIDs are consistently mapped across studies. Suitable for: Research requiring temporal analysis
retain_patient_characteristics	Retain Patient Characteristics. Preserves patient demographic information needed for research while removing direct identifiers: Patient Sex, Age, Size, Weight Suitable for: Clinical research with demographics
hipaa_safe_harbor	HIPAA Safe Harbor - 18 identifier removal. Implements HIPAA Safe Harbor method by removing all 18 categories of identifiers specified in 45 CFR 164.514(b)(2): Names, addresses, dates (except year) Phone/fax numbers, email addresses SSN, medical record numbers, account numbers Certificate/license numbers, vehicle identifiers Device identifiers, web URLs, IP addresses Biometric identifiers, photos, unique codes Suitable for: HIPAA-compliant data sharing in US
gdpr_compliant	GDPR Compliant - European data protection. Implements GDPR pseudonymization requirements: All personal data processed per Article 4(5) Maintains ability to re-identify with separate key Supports data subject rights (erasure, portability) Suitable for: European Union data processing

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/security/anonymizer.h.

Definition at line 40 of file anonymization_profile.h.

                                 : std::uint8_t {
    basic = 0,
 
    clean_pixel = 1,
 
    clean_descriptions = 2,
 
    retain_longitudinal = 3,
 
    retain_patient_characteristics = 4,
 
    hipaa_safe_harbor = 5,
 
    gdpr_compliant = 6
};

◆ atna_event_action

enum class kcenon::pacs::security::atna_event_action : char

strong

Action that triggered the audit event.

Enumerator
create
read
update
delete_action
execute

Definition at line 53 of file atna_audit_logger.h.

                             : char {
    create = 'C',
    read = 'R',
    update = 'U',
    delete_action = 'D',
    execute = 'E'
};

◆ atna_event_outcome

enum class kcenon::pacs::security::atna_event_outcome : uint8_t

strong

Outcome of the audited event.

Enumerator
success
minor_failure
serious_failure
major_failure

Definition at line 68 of file atna_audit_logger.h.

                              : uint8_t {
    success = 0,
    minor_failure = 4,
    serious_failure = 8,
    major_failure = 12
};

◆ atna_network_access_type

enum class kcenon::pacs::security::atna_network_access_type : uint8_t

strong

Type of network access point identifier.

Enumerator
machine_name
ip_address
phone_number

Definition at line 82 of file atna_audit_logger.h.

                                    : uint8_t {
    machine_name = 1,
    ip_address = 2,
    phone_number = 3
};

◆ atna_object_role

enum class kcenon::pacs::security::atna_object_role : uint8_t

strong

Role of the participant object in the event.

Enumerator
patient
location
report
resource
master_file
user
list
doctor
subscriber
guarantor
security_user_entity
security_user_group
security_resource
security_granularity_def
provider
data_destination
data_repository
schedule
customer
job
job_stream
table
routing_criteria
query

Definition at line 105 of file atna_audit_logger.h.

                            : uint8_t {
    patient = 1,
    location = 2,
    report = 3,
    resource = 4,
    master_file = 5,
    user = 6,
    list = 7,
    doctor = 8,
    subscriber = 9,
    guarantor = 10,
    security_user_entity = 11,
    security_user_group = 12,
    security_resource = 13,
    security_granularity_def = 14,
    provider = 15,
    data_destination = 16,
    data_repository = 17,
    schedule = 18,
    customer = 19,
    job = 20,
    job_stream = 21,
    table = 22,
    routing_criteria = 23,
    query = 24
};

◆ atna_object_type

enum class kcenon::pacs::security::atna_object_type : uint8_t

strong

Type of participant object.

Enumerator
person
system_object
organization
other

Definition at line 95 of file atna_audit_logger.h.

                            : uint8_t {
    person = 1,
    system_object = 2,
    organization = 3,
    other = 4
};

◆ certificate_type

enum class kcenon::pacs::security::certificate_type

strong

Certificate type for DICOM signatures.

Specifies the type of certificate used in the signature.

Enumerator
x509_certificate	X.509 certificate (most common)
x509_certificate_chain	Full X.509 certificate chain.

Definition at line 155 of file signature_types.h.

                            {
    x509_certificate,       
    x509_certificate_chain  
};

◆ DicomOperation

enum class kcenon::pacs::security::DicomOperation

strong

DICOM operation types for permission checking.

Enumerator
CStore	C-STORE (storage)
CFind	C-FIND (query)
CMove	C-MOVE (retrieve/move)
CGet	C-GET (retrieve)
CEcho	C-ECHO (verification)
NCreate	N-CREATE.
NSet	N-SET.
NGet	N-GET.
NDelete	N-DELETE.
NAction	N-ACTION.
NEventReport	N-EVENT-REPORT.

Definition at line 32 of file access_control_manager.h.

                          {
  CStore,   
  CFind,    
  CMove,    
  CGet,     
  CEcho,    
  NCreate,  
  NSet,     
  NGet,     
  NDelete,  
  NAction,  
  NEventReport 
};

◆ mac_algorithm

enum class kcenon::pacs::security::mac_algorithm

strong

MAC algorithm identifiers per DICOM PS3.15.

These identifiers are used in the MAC Algorithm (0400,0015) attribute.

Enumerator
sha256	SHA-256 (recommended)
sha384	SHA-384.
sha512	SHA-512.

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/security/digital_signature.h.

Definition at line 130 of file signature_types.h.

◆ private_tag_action

enum class kcenon::pacs::security::private_tag_action : std::uint8_t

strong

Action to take on private tags during anonymization.

DICOM PS3.15 Annex E recommends removing private data elements during de-identification, as they may contain Protected Health Information (PHI) in vendor-specific formats.

See also: DICOM PS3.15 Annex E - Basic Profile

Enumerator
keep	Preserve all private tags (default for backward compatibility)
remove_all	Remove all private data elements and their creators.
remove_data	Remove private data elements but keep creators (for auditing)

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/security/anonymizer.h.

Definition at line 49 of file anonymizer.h.

                              : std::uint8_t {
    keep,        
    remove_all,  
    remove_data  
};

◆ ResourceType

enum class kcenon::pacs::security::ResourceType

strong

Categories of resources requiring protection.

Enumerator
Study	DICOM studies/series/instances.
Metadata	Patient/Study metadata.
System	System configuration and services.
Audit	Audit logs.
User	User management.
Role	Role management.
Series	DICOM Series.
Image	DICOM Image.

Definition at line 25 of file permission.h.

                        {
  Study,    
  Metadata, 
  System,   
  Audit,    
  User,     
  Role,     
  Series,   
  Image     
};

◆ Role

enum class kcenon::pacs::security::Role

strong

User roles in the PACS system.

Enumerator
Viewer	Read-only access to studies.
Technologist	Can upload/modify studies, but not delete.
Radiologist	Full clinical access (includes verification)
Administrator	User management, system config.
System	Internal system operations.

Definition at line 25 of file role.h.

                {
    Viewer,         
    Technologist,   
    Radiologist,    
    Administrator,  
    System          
};

◆ signature_algorithm

enum class kcenon::pacs::security::signature_algorithm

strong

Signature algorithms supported for DICOM digital signatures.

Per DICOM PS3.15, the following algorithms are defined:

RSA with SHA-256 (recommended)
RSA with SHA-384
RSA with SHA-512
ECDSA with SHA-256 (for smaller key sizes)
ECDSA with SHA-384

Enumerator
rsa_sha256	RSA with SHA-256 (recommended for most use cases)
rsa_sha384	RSA with SHA-384.
rsa_sha512	RSA with SHA-512 (highest security)
ecdsa_sha256	ECDSA with SHA-256 (compact signatures)
ecdsa_sha384	ECDSA with SHA-384.

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/security/digital_signature.h.

Definition at line 40 of file signature_types.h.

                               {
    rsa_sha256,     
    rsa_sha384,     
    rsa_sha512,     
    ecdsa_sha256,   
    ecdsa_sha384    
};

◆ signature_status

enum class kcenon::pacs::security::signature_status

strong

Status of signature verification.

Enumerator
valid	Signature is valid and trusted.
invalid	Signature verification failed (tampered data)
expired	Signer certificate has expired.
untrusted_signer	Signer certificate is not trusted.
revoked	Signer certificate has been revoked.
no_signature	No signature present in dataset.

Definition at line 81 of file signature_types.h.

                            {
    valid,              
    invalid,            
    expired,            
    untrusted_signer,   
    revoked,            
    no_signature        
};

◆ syslog_facility

enum class kcenon::pacs::security::syslog_facility : uint8_t

strong

Syslog facility values.

The audit facility is typically 10 (security/authorization) or 13 (log audit) per IHE ATNA recommendations.

Enumerator
kern
user
mail
daemon
auth
syslog
lpr
news
uucp
cron
authpriv	Security/authorization (recommended for ATNA)
ftp
ntp
log_audit	Log audit.
log_alert
clock
local0
local1
local2
local3
local4
local5
local6
local7

Definition at line 38 of file atna_syslog_transport.h.

                           : uint8_t {
    kern = 0,
    user = 1,
    mail = 2,
    daemon = 3,
    auth = 4,
    syslog = 5,
    lpr = 6,
    news = 7,
    uucp = 8,
    cron = 9,
    authpriv = 10,   
    ftp = 11,
    ntp = 12,
    log_audit = 13,  
    log_alert = 14,
    clock = 15,
    local0 = 16,
    local1 = 17,
    local2 = 18,
    local3 = 19,
    local4 = 20,
    local5 = 21,
    local6 = 22,
    local7 = 23
};

◆ syslog_severity

enum class kcenon::pacs::security::syslog_severity : uint8_t

strong

Syslog severity levels.

Enumerator
emergency
alert
critical
error
warning
notice
informational	Default for audit events.
debug

Definition at line 72 of file atna_syslog_transport.h.

                           : uint8_t {
    emergency = 0,
    alert = 1,
    critical = 2,
    error = 3,
    warning = 4,
    notice = 5,
    informational = 6,  
    debug = 7
};

◆ syslog_transport_protocol

enum class kcenon::pacs::security::syslog_transport_protocol : uint8_t

strong

Syslog transport protocol.

Enumerator
udp	UDP (RFC 5426) — Fire-and-forget.
tls	TLS over TCP (RFC 5425) — Secure.

Definition at line 90 of file atna_syslog_transport.h.

                                     : uint8_t {
    udp,  
    tls   
};

◆ tag_action

enum class kcenon::pacs::security::tag_action : std::uint8_t

strong

Actions to perform on DICOM attributes during de-identification.

These actions correspond to the action codes defined in DICOM PS3.15 Annex E Table E.1-1.

Enumerator
remove	D - Remove the attribute entirely. The attribute is completely removed from the dataset.
empty	Z - Replace with zero-length value. The attribute is retained but its value is replaced with a zero-length (empty) value.
remove_or_empty	X - Remove or empty based on presence. If the attribute exists, replace with zero-length value. Equivalent to empty for present attributes.
keep	K - Keep the attribute unchanged. The attribute and its value are retained as-is.
replace	C - Clean (replace with dummy value) The attribute value is replaced with a configurable dummy value (e.g., "ANONYMOUS" for names).
replace_uid	U - Replace UIDs with new values. UID values are replaced with newly generated UIDs. Use UID mapping for consistent replacement across datasets.
hash	Hash the value for research linkage. The value is replaced with a cryptographic hash, allowing de-identified datasets to be linked without revealing the original value.
encrypt	Encrypt the value. The value is encrypted and can be decrypted with the appropriate key. Used for pseudonymization.
shift_date	Shift dates by a fixed offset. Date and time values are shifted by a consistent offset while preserving temporal relationships.

Definition at line 39 of file tag_action.h.

                      : std::uint8_t {
    remove = 0,
 
    empty = 1,
 
    remove_or_empty = 2,
 
    keep = 3,
 
    replace = 4,
 
    replace_uid = 5,
 
    hash = 6,
 
    encrypt = 7,
 
    shift_date = 8
};

◆ tls_profile

enum class kcenon::pacs::security::tls_profile

strong

TLS policy profile levels.

Predefined security profiles aligned with DICOM PS3.15 and BCP 195.

Enumerator
bcp195_basic	BCP 195 basic profile: TLS 1.2 minimum, standard cipher suites.
bcp195_non_downgrading	BCP 195 non-downgrading profile: TLS 1.2+ with no downgrade This is the DICOM PS3.15 recommended profile.
bcp195_extended	Extended profile: TLS 1.3 only, strictest cipher suites.

Definition at line 36 of file tls_policy.h.

                       {
    bcp195_basic,
 
    bcp195_non_downgrading,
 
    bcp195_extended
};

Function Documentation

◆ available_tls_profiles()

std::vector< tls_profile > kcenon::pacs::security::available_tls_profiles ( )

nodiscard

Get a list of all available TLS profiles.

Definition at line 152 of file tls_policy.cpp.

                                                {
    return {tls_profile::bcp195_basic,
            tls_profile::bcp195_non_downgrading,
            tls_profile::bcp195_extended};
}

References bcp195_basic, bcp195_extended, and bcp195_non_downgrading.

◆ get_x509_from_certificate()

X509 * kcenon::pacs::security::get_x509_from_certificate ( const certificate & cert )

Definition at line 276 of file digital_signature.cpp.

                                                         {
    auto* impl = cert.impl();
    if (!impl) return nullptr;
    // Access x509 through the impl
    // This is a workaround - in production, expose a proper internal API
    return reinterpret_cast<X509*>(const_cast<void*>(
        static_cast<const void*>(impl)));
}

References kcenon::pacs::security::certificate::impl().

Here is the call graph for this function:

◆ make_default_atna_config()

atna_config kcenon::pacs::security::make_default_atna_config ( )

nodiscard

Create a default ATNA configuration.

Returns a configuration with sensible defaults:

Disabled by default (must be explicitly enabled)
UDP transport to localhost:514
All event types enabled

Returns: Default atna_config

Definition at line 156 of file atna_config.cpp.

                                       {
    return atna_config{};
}

◆ parse_atna_config()

atna_config kcenon::pacs::security::parse_atna_config ( std::string_view json_str )

nodiscard

Parse an atna_config from a JSON string.

Reads a JSON configuration string and populates an atna_config struct. Fields not present in the JSON retain their default values.

Parameters

json_str JSON string to parse

Returns: Parsed atna_config, or defaults for malformed input

Definition at line 196 of file atna_config.cpp.

                                                       {
    atna_config config;
 
    // Top-level fields
    auto enabled_val = find_json_value(json_str, "enabled");
    if (!enabled_val.empty()) {
        config.enabled = parse_bool(enabled_val, config.enabled);
    }
 
    auto source_id = find_json_value(json_str, "audit_source_id");
    if (!source_id.empty()) {
        config.audit_source_id = source_id;
    }
 
    // Event filtering
    auto storage_val = find_json_value(json_str, "audit_storage");
    if (!storage_val.empty()) {
        config.audit_storage = parse_bool(storage_val, config.audit_storage);
    }
 
    auto query_val = find_json_value(json_str, "audit_query");
    if (!query_val.empty()) {
        config.audit_query = parse_bool(query_val, config.audit_query);
    }
 
    auto auth_val = find_json_value(json_str, "audit_authentication");
    if (!auth_val.empty()) {
        config.audit_authentication =
            parse_bool(auth_val, config.audit_authentication);
    }
 
    auto alerts_val = find_json_value(json_str, "audit_security_alerts");
    if (!alerts_val.empty()) {
        config.audit_security_alerts =
            parse_bool(alerts_val, config.audit_security_alerts);
    }
 
    // Transport nested object
    auto proto = find_nested_value(json_str, "transport", "protocol");
    if (!proto.empty()) {
        config.transport.protocol = parse_protocol(proto);
    }
 
    auto host = find_nested_value(json_str, "transport", "host");
    if (!host.empty()) {
        config.transport.host = host;
    }
 
    auto port = find_nested_value(json_str, "transport", "port");
    if (!port.empty()) {
        config.transport.port =
            parse_uint16(port, config.transport.port);
    }
 
    auto app = find_nested_value(json_str, "transport", "app_name");
    if (!app.empty()) {
        config.transport.app_name = app;
    }
 
    auto ca = find_nested_value(json_str, "transport", "ca_cert_path");
    if (!ca.empty()) {
        config.transport.ca_cert_path = ca;
    }
 
    auto cert = find_nested_value(json_str, "transport", "client_cert_path");
    if (!cert.empty()) {
        config.transport.client_cert_path = cert;
    }
 
    auto key = find_nested_value(json_str, "transport", "client_key_path");
    if (!key.empty()) {
        config.transport.client_key_path = key;
    }
 
    auto verify = find_nested_value(json_str, "transport", "verify_server");
    if (!verify.empty()) {
        config.transport.verify_server =
            parse_bool(verify, config.transport.verify_server);
    }
 
    return config;
}

◆ parse_role()

std::optional< Role > kcenon::pacs::security::parse_role ( std::string_view str )

inline

Parse Role from string.

Definition at line 50 of file role.h.

                                                        {
    if (str == "Viewer") return Role::Viewer;
    if (str == "Technologist") return Role::Technologist;
    if (str == "Radiologist") return Role::Radiologist;
    if (str == "Administrator") return Role::Administrator;
    if (str == "System") return Role::System;
    return std::nullopt;
}

References Administrator, Radiologist, System, Technologist, and Viewer.

Referenced by kcenon::pacs::web::endpoints::register_security_endpoints_impl().

Here is the caller graph for this function:

◆ parse_signature_algorithm()

std::optional< signature_algorithm > kcenon::pacs::security::parse_signature_algorithm ( std::string_view str )

inline

Parse signature_algorithm from string.

Parameters

str	The string to parse

Returns: Optional containing the algorithm, or nullopt if parsing fails

Definition at line 69 of file signature_types.h.

                                                                                      {
    if (str == "RSA-SHA256") return signature_algorithm::rsa_sha256;
    if (str == "RSA-SHA384") return signature_algorithm::rsa_sha384;
    if (str == "RSA-SHA512") return signature_algorithm::rsa_sha512;
    if (str == "ECDSA-SHA256") return signature_algorithm::ecdsa_sha256;
    if (str == "ECDSA-SHA384") return signature_algorithm::ecdsa_sha384;
    return std::nullopt;
}

References ecdsa_sha256, ecdsa_sha384, rsa_sha256, rsa_sha384, and rsa_sha512.

◆ parse_tls_profile()

std::optional< tls_profile > kcenon::pacs::security::parse_tls_profile ( std::string_view str )

nodiscardnoexcept

Parse TLS profile from string.

Definition at line 25 of file tls_policy.cpp.

                                                                        {
    if (str == "BCP195-Basic" || str == "basic")
        return tls_profile::bcp195_basic;
    if (str == "BCP195-NonDowngrading" || str == "non-downgrading")
        return tls_profile::bcp195_non_downgrading;
    if (str == "BCP195-Extended" || str == "extended")
        return tls_profile::bcp195_extended;
    return std::nullopt;
}

References bcp195_basic, bcp195_extended, and bcp195_non_downgrading.

◆ profile_from_string()

auto kcenon::pacs::security::profile_from_string ( std::string_view name ) -> std::optional<anonymization_profile>

inlinenodiscard

Parse profile from string.

Parameters

name	String name of the profile

Returns: Optional containing the profile, or nullopt if invalid

Examples: dcm_anonymize/main.cpp.

Definition at line 158 of file anonymization_profile.h.

                                          {
    if (name == "basic") return anonymization_profile::basic;
    if (name == "clean_pixel") return anonymization_profile::clean_pixel;
    if (name == "clean_descriptions") return anonymization_profile::clean_descriptions;
    if (name == "retain_longitudinal") return anonymization_profile::retain_longitudinal;
    if (name == "retain_patient_characteristics") {
        return anonymization_profile::retain_patient_characteristics;
    }
    if (name == "hipaa_safe_harbor") return anonymization_profile::hipaa_safe_harbor;
    if (name == "gdpr_compliant") return anonymization_profile::gdpr_compliant;
    return std::nullopt;
}

References basic, clean_descriptions, clean_pixel, gdpr_compliant, hipaa_safe_harbor, name, retain_longitudinal, and retain_patient_characteristics.

◆ to_dicom_term()

std::string_view kcenon::pacs::security::to_dicom_term ( certificate_type type )

constexpr

Convert certificate_type to DICOM defined term.

Parameters

type	The certificate type

Returns: DICOM defined term

Definition at line 165 of file signature_types.h.

                                                              {
    switch (type) {
        case certificate_type::x509_certificate: return "X509_1993_SIG";
        case certificate_type::x509_certificate_chain: return "X509_1993_SIG_CHAIN";
    }
    return "";
}

References x509_certificate, and x509_certificate_chain.

◆ to_dicom_uid()

std::string_view kcenon::pacs::security::to_dicom_uid ( mac_algorithm algo )

constexpr

Convert mac_algorithm to DICOM UID string.

Parameters

algo	The MAC algorithm

Returns: DICOM defined term for the algorithm

Definition at line 141 of file signature_types.h.

                                                          {
    switch (algo) {
        case mac_algorithm::sha256: return "2.16.840.1.101.3.4.2.1";
        case mac_algorithm::sha384: return "2.16.840.1.101.3.4.2.2";
        case mac_algorithm::sha512: return "2.16.840.1.101.3.4.2.3";
    }
    return "";
}

References sha256, sha384, and sha512.

Referenced by kcenon::pacs::security::digital_signature::sign_tags().

Here is the caller graph for this function:

◆ to_json()

std::string kcenon::pacs::security::to_json ( const atna_config & config )

nodiscard

Serialize an atna_config to a JSON string.

Produces a compact JSON representation suitable for configuration files and REST API responses.

Parameters

config The configuration to serialize

Returns: JSON string

Definition at line 164 of file atna_config.cpp.

                                             {
    std::ostringstream oss;
    oss << R"({"enabled":)" << (config.enabled ? "true" : "false")
        << R"(,"audit_source_id":")" << escape_json(config.audit_source_id)
        << R"(","transport":{"protocol":")"
        << protocol_to_string(config.transport.protocol)
        << R"(","host":")" << escape_json(config.transport.host)
        << R"(","port":)" << config.transport.port
        << R"(,"app_name":")" << escape_json(config.transport.app_name)
        << R"(","ca_cert_path":")" << escape_json(config.transport.ca_cert_path)
        << R"(","client_cert_path":")"
        << escape_json(config.transport.client_cert_path)
        << R"(","client_key_path":")"
        << escape_json(config.transport.client_key_path)
        << R"(","verify_server":)"
        << (config.transport.verify_server ? "true" : "false")
        << R"(},"audit_storage":)"
        << (config.audit_storage ? "true" : "false")
        << R"(,"audit_query":)"
        << (config.audit_query ? "true" : "false")
        << R"(,"audit_authentication":)"
        << (config.audit_authentication ? "true" : "false")
        << R"(,"audit_security_alerts":)"
        << (config.audit_security_alerts ? "true" : "false")
        << "}";
    return oss.str();
}

◆ to_string() [1/6]

auto kcenon::pacs::security::to_string ( anonymization_profile profile ) -> std::string_view

nodiscardconstexprnoexcept

Convert profile enum to string representation.

Parameters

profile The anonymization profile

Returns: String name of the profile

Definition at line 132 of file anonymization_profile.h.

                      {
    switch (profile) {
        case anonymization_profile::basic:
            return "basic";
        case anonymization_profile::clean_pixel:
            return "clean_pixel";
        case anonymization_profile::clean_descriptions:
            return "clean_descriptions";
        case anonymization_profile::retain_longitudinal:
            return "retain_longitudinal";
        case anonymization_profile::retain_patient_characteristics:
            return "retain_patient_characteristics";
        case anonymization_profile::hipaa_safe_harbor:
            return "hipaa_safe_harbor";
        case anonymization_profile::gdpr_compliant:
            return "gdpr_compliant";
    }
    return "unknown";
}

References basic, clean_descriptions, clean_pixel, gdpr_compliant, hipaa_safe_harbor, retain_longitudinal, and retain_patient_characteristics.

Referenced by kcenon::pacs::security::anonymizer::anonymize_with_mapping(), and kcenon::pacs::security::tls_policy::profile_name().

Here is the caller graph for this function:

◆ to_string() [2/6]

std::string_view kcenon::pacs::security::to_string ( Role role )

constexpr

Convert Role to string.

Definition at line 36 of file role.h.

                                              {
    switch (role) {
        case Role::Viewer: return "Viewer";
        case Role::Technologist: return "Technologist";
        case Role::Radiologist: return "Radiologist";
        case Role::Administrator: return "Administrator";
        case Role::System: return "System";
    }
    return "Unknown";
}

References Administrator, Radiologist, System, Technologist, and Viewer.

◆ to_string() [3/6]

std::string_view kcenon::pacs::security::to_string ( signature_algorithm algo )

constexpr

Convert signature_algorithm to string representation.

Parameters

algo	The algorithm to convert

Returns: String representation of the algorithm

Definition at line 53 of file signature_types.h.

                                                             {
    switch (algo) {
        case signature_algorithm::rsa_sha256: return "RSA-SHA256";
        case signature_algorithm::rsa_sha384: return "RSA-SHA384";
        case signature_algorithm::rsa_sha512: return "RSA-SHA512";
        case signature_algorithm::ecdsa_sha256: return "ECDSA-SHA256";
        case signature_algorithm::ecdsa_sha384: return "ECDSA-SHA384";
    }
    return "Unknown";
}

References ecdsa_sha256, ecdsa_sha384, rsa_sha256, rsa_sha384, and rsa_sha512.

◆ to_string() [4/6]

std::string_view kcenon::pacs::security::to_string ( signature_status status )

constexpr

Convert signature_status to string representation.

Parameters

status The status to convert

Returns: String representation of the status

Definition at line 95 of file signature_types.h.

                                                            {
    switch (status) {
        case signature_status::valid: return "Valid";
        case signature_status::invalid: return "Invalid";
        case signature_status::expired: return "Expired";
        case signature_status::untrusted_signer: return "UntrustedSigner";
        case signature_status::revoked: return "Revoked";
        case signature_status::no_signature: return "NoSignature";
    }
    return "Unknown";
}

References expired, invalid, no_signature, revoked, untrusted_signer, and valid.

◆ to_string() [5/6]

auto kcenon::pacs::security::to_string ( tag_action action ) -> std::string_view

nodiscardconstexprnoexcept

Convert tag action enum to string representation.

Parameters

action The tag action

Returns: String name of the action

Definition at line 117 of file tag_action.h.

                      {
    switch (action) {
        case tag_action::remove:
            return "remove";
        case tag_action::empty:
            return "empty";
        case tag_action::remove_or_empty:
            return "remove_or_empty";
        case tag_action::keep:
            return "keep";
        case tag_action::replace:
            return "replace";
        case tag_action::replace_uid:
            return "replace_uid";
        case tag_action::hash:
            return "hash";
        case tag_action::encrypt:
            return "encrypt";
        case tag_action::shift_date:
            return "shift_date";
    }
    return "unknown";
}

References empty, encrypt, hash, keep, remove, remove_or_empty, replace, replace_uid, and shift_date.

◆ to_string() [6/6]

std::string_view kcenon::pacs::security::to_string ( tls_profile profile )

nodiscardnoexcept

Convert TLS profile to string.

Definition at line 13 of file tls_policy.cpp.

                                                       {
    switch (profile) {
        case tls_profile::bcp195_basic:
            return "BCP195-Basic";
        case tls_profile::bcp195_non_downgrading:
            return "BCP195-NonDowngrading";
        case tls_profile::bcp195_extended:
            return "BCP195-Extended";
    }
    return "Unknown";
}

References bcp195_basic, bcp195_extended, and bcp195_non_downgrading.

◆ validate()

atna_config_validation kcenon::pacs::security::validate ( const atna_config & config )

nodiscard

Validate an ATNA configuration.

Checks for:

Non-empty audit_source_id
Non-empty transport host
Valid port range (1-65535)
TLS certificate paths exist when protocol is TLS

Parameters

config The configuration to validate

Returns: Validation result with any errors

Definition at line 283 of file atna_config.cpp.

                                                           {
    atna_config_validation result;
 
    if (config.audit_source_id.empty()) {
        result.valid = false;
        result.errors.emplace_back("audit_source_id must not be empty");
    }
 
    if (config.transport.host.empty()) {
        result.valid = false;
        result.errors.emplace_back("transport.host must not be empty");
    }
 
    if (config.transport.port == 0) {
        result.valid = false;
        result.errors.emplace_back(
            "transport.port must be in range 1-65535");
    }
 
    if (config.transport.protocol == syslog_transport_protocol::tls) {
        if (config.transport.ca_cert_path.empty()) {
            result.valid = false;
            result.errors.emplace_back(
                "transport.ca_cert_path is required for TLS protocol");
        } else if (!std::filesystem::exists(
                       config.transport.ca_cert_path)) {
            result.valid = false;
            result.errors.emplace_back(
                "transport.ca_cert_path file does not exist: " +
                config.transport.ca_cert_path);
        }
 
        if (!config.transport.client_cert_path.empty() &&
            !std::filesystem::exists(config.transport.client_cert_path)) {
            result.valid = false;
            result.errors.emplace_back(
                "transport.client_cert_path file does not exist: " +
                config.transport.client_cert_path);
        }
 
        if (!config.transport.client_key_path.empty() &&
            !std::filesystem::exists(config.transport.client_key_path)) {
            result.valid = false;
            result.errors.emplace_back(
                "transport.client_key_path file does not exist: " +
                config.transport.client_key_path);
        }
    }
 
    return result;
}

Namespaces

Classes

Typedefs

Enumerations

Functions

Typedef Documentation

◆ AccessAuditCallback

Enumeration Type Documentation

◆ anonymization_profile

◆ atna_event_action

◆ atna_event_outcome

◆ atna_network_access_type

◆ atna_object_role

◆ atna_object_type

◆ certificate_type

◆ DicomOperation

◆ mac_algorithm

◆ private_tag_action

◆ ResourceType

◆ Role

◆ signature_algorithm

◆ signature_status

◆ syslog_facility

◆ syslog_severity

◆ syslog_transport_protocol

◆ tag_action

◆ tls_profile

Function Documentation

◆ available_tls_profiles()

◆ get_x509_from_certificate()

◆ make_default_atna_config()

◆ parse_atna_config()

◆ parse_role()

◆ parse_signature_algorithm()

◆ parse_tls_profile()

◆ profile_from_string()

◆ to_dicom_term()

◆ to_dicom_uid()

◆ to_json()

◆ to_string() [1/6]

◆ to_string() [2/6]

◆ to_string() [3/6]

◆ to_string() [4/6]

◆ to_string() [5/6]

◆ to_string() [6/6]

◆ validate()