ORE Studio 0.0.4

Service for managing role-based access control (RBAC).
#include <authorization_service.hpp>

Public Types

| Type alias | Definition |
|---|---|
| context | ores::database::context |
| event_bus | ores::eventing::service::event_bus |

Public Member Functions

| Return type | Member | Description |
|---|---|---|
| | authorization_service (context ctx, event_bus *event_bus=nullptr) | Constructs an authorization_service with required repositories. |
| std::vector< domain::permission > | list_permissions () | Lists all permissions in the system. |
| std::optional< domain::permission > | find_permission_by_code (const std::string &code) | Finds a permission by its code. |
| domain::permission | create_permission (const std::string &code, const std::string &description) | Creates a new permission. |
| std::vector< domain::role > | list_roles () | Lists all roles in the system. |
| std::optional< domain::role > | find_role (const boost::uuids::uuid &role_id) | Finds a role by its ID. |
| std::optional< domain::role > | find_role_by_name (const std::string &name) | Finds a role by its name. |
| domain::role | create_role (const std::string &name, const std::string &description, const std::vector< std::string > &permission_codes, const std::string &recorded_by) | Creates a new role with the specified permissions. |
| std::vector< std::string > | get_role_permissions (const boost::uuids::uuid &role_id) | Gets the permission codes assigned to a role. |
| void | assign_role (const boost::uuids::uuid &account_id, const boost::uuids::uuid &role_id, const std::string &assigned_by) | Assigns a role to an account. |
| void | revoke_role (const boost::uuids::uuid &account_id, const boost::uuids::uuid &role_id) | Revokes a role from an account. |
| std::vector< domain::role > | get_account_roles (const boost::uuids::uuid &account_id) | Gets all roles assigned to an account. |
| std::vector< std::string > | get_effective_permissions (const boost::uuids::uuid &account_id) | Computes the effective permissions for an account. |
| bool | has_permission (const boost::uuids::uuid &account_id, const std::string &permission_code) | Checks if an account has a specific permission. |

Static Public Member Functions

| Return type | Member | Description |
|---|---|---|
| static bool | check_permission (const std::vector< std::string > &permissions, const std::string &required_permission) | Checks if the given permissions list satisfies a permission check. |

Service for managing role-based access control (RBAC).
This service provides functionality for:
Events are published when role assignments change, allowing other components (such as session management) to react to permission changes.

explicit authorization_service (context ctx, event_bus *event_bus=nullptr)
Constructs an authorization_service with required repositories.
| ctx | The database context. |
| event_bus | Optional event bus for publishing permission change events. |

domain::permission create_permission (const std::string &code, const std::string &description)
Creates a new permission.
| code | The permission code (e.g., "accounts:create") |
| description | Human-readable description |

domain::role create_role (const std::string &name, const std::string &description, const std::vector< std::string > &permission_codes, const std::string &recorded_by)
Creates a new role with the specified permissions.
| name | The role name |
| description | Human-readable description |
| permission_codes | List of permission codes to assign |
| recorded_by | Username of the person creating the role |

void assign_role (const boost::uuids::uuid &account_id, const boost::uuids::uuid &role_id, const std::string &assigned_by)
Assigns a role to an account.
Publishes a role_assigned_event and permissions_changed_event if an event bus is configured.
| account_id | The account to receive the role |
| role_id | The role to assign |
| assigned_by | Username of the person making the assignment |

void revoke_role (const boost::uuids::uuid &account_id, const boost::uuids::uuid &role_id)
Revokes a role from an account.
Publishes a role_revoked_event and permissions_changed_event if an event bus is configured.
| account_id | The account to remove the role from |
| role_id | The role to revoke |

std::vector< std::string > get_effective_permissions (const boost::uuids::uuid &account_id)
Computes the effective permissions for an account.
This aggregates all permissions from all roles assigned to the account.
| account_id | The account to query |

bool has_permission (const boost::uuids::uuid &account_id, const std::string &permission_code)
Checks if an account has a specific permission.
Supports the wildcard permission "*" which grants all permissions.
| account_id | The account to check |
| permission_code | The permission to check for |
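
static bool check_permission (const std::vector< std::string > &permissions, const std::string &required_permission)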
Checks if the given permissions list satisfies a permission check.
Supports the wildcard permission "*" which grants all permissions.
| permissions | The list of permission codes |
| required_permission | The permission to check for |
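
The sketch below is an added example, not ORE Studio code: it models the documented "*" wildcard check and the aggregation of role permissions in memory, and shows why a session layer that caches permissions has to react to the permissions_changed_event published by revoke_role. The string IDs, rbac_model, on_change and allowed_after_revoke are assumptions made for the illustration.

```cpp
// Added example: in-memory model of the documented semantics, not ORE Studio code.
// IDs are plain strings here; the documented API uses boost::uuids::uuid.
#include <algorithm>
#include <functional>
#include <map>
#include <set>
#include <string>
#include <vector>
using perms = std::vector<std::string>;
// Documented contract: satisfied by an exact match or by the "*" wildcard.
bool check_permission(const perms& granted, const std::string& required) {
    return std::any_of(granted.begin(), granted.end(),
        [&](const std::string& p) { return p == "*" || p == required; });
}

struct rbac_model {
    std::map<std::string, perms> role_perms;                    // role -> permission codes
    std::map<std::string, std::set<std::string>> account_roles; // account -> role names
    std::function<void(const std::string&)> on_change;          // event bus stand-in (assumed)
    // Union of the permissions of every role the account holds, de-duplicated.
    perms effective_permissions(const std::string& account) const {
        std::set<std::string> out;
        auto it = account_roles.find(account);
        if (it == account_roles.end()) return {};
        for (const auto& role : it->second)
            if (role_perms.count(role))
                out.insert(role_perms.at(role).begin(), role_perms.at(role).end());
        return perms(out.begin(), out.end());
    }
    void revoke_role(const std::string& account, const std::string& role) {
        account_roles[account].erase(role);
        if (on_change) on_change(account);  // permissions_changed_event analogue
    }
};

// A session snapshots permissions at login. Returns whether "accounts:create"
// is still allowed from that snapshot after the granting role is revoked.
bool allowed_after_revoke(bool subscribed) {
    rbac_model m;
    m.role_perms = {{"admin", {"*"}}, {"viewer", {"accounts:read"}}};  // constructed data
    m.account_roles["alice"] = {"admin", "viewer"};
    perms session = m.effective_permissions("alice");
    if (subscribed)  // refresh the snapshot whenever the account's permissions change
        m.on_change = [&](const std::string& a) { session = m.effective_permissions(a); };
    m.revoke_role("alice", "admin");
    return check_permission(session, "accounts:create");
}

int main() { return allowed_after_revoke(true) ? 1 : 0; }  // exit 0: revocation took effect
```

Without a subscriber the snapshot still contains "*" after the revocation, so the cached check keeps granting every permission until the session is rebuilt.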
