doxygen/html/a05084_source.html

/* -*- mode: c++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-

 *

 * Copyright (C) 2025 Marco Craveiro <marco.craveiro@gmail.com>

 *

 * This program is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License as published by the Free Software

 * Foundation; either version 3 of the License, or (at your option) any later

 * version.

 *

 * This program is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS

 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more

 * details.

 *

 * You should have received a copy of the GNU General Public License along with

 * this program; if not, write to the Free Software Foundation, Inc., 51

 * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

 *

 */

#ifndef ORES_IAM_SERVICE_AUTHORIZATION_SERVICE_HPP

#define ORES_IAM_SERVICE_AUTHORIZATION_SERVICE_HPP


#include <string>

#include <vector>

#include <optional>

#include <boost/uuid/uuid.hpp>

#include "ores.logging/make_logger.hpp"

#include "ores.utility/uuid/uuid_v7_generator.hpp"

#include "ores.database/domain/context.hpp"

#include "ores.iam/domain/role.hpp"

#include "ores.iam/domain/permission.hpp"

#include "ores.iam/domain/account_role.hpp"

#include "ores.iam/repository/role_repository.hpp"

#include "ores.iam/repository/permission_repository.hpp"

#include "ores.iam/repository/account_role_repository.hpp"

#include "ores.iam/repository/role_permission_repository.hpp"

#include "ores.eventing/service/event_bus.hpp"


namespace ores::iam::service {


class authorization_service {

private:

    inline static std::string_view logger_name =

        "ores.iam.service.authorization_service";


    [[nodiscard]] static auto& lg() {

        using namespace ores::logging;

        static auto instance = make_logger(logger_name);

        return instance;

    }


public:

    using context = ores::database::context;

    using event_bus = ores::eventing::service::event_bus;


    explicit authorization_service(context ctx,

        event_bus* event_bus = nullptr);


    // ========================================================================

    // Permission Management

    // ========================================================================


    std::vector<domain::permission> list_permissions();


    std::optional<domain::permission>

    find_permission_by_code(const std::string& code);


    domain::permission create_permission(const std::string& code,

        const std::string& description);


    // ========================================================================

    // Role Management

    // ========================================================================


    std::vector<domain::role> list_roles();


    std::optional<domain::role> find_role(const boost::uuids::uuid& role_id);


    std::optional<domain::role> find_role_by_name(const std::string& name);


    domain::role create_role(const std::string& name,

        const std::string& description,

        const std::vector<std::string>& permission_codes,

        const std::string& recorded_by);


    std::vector<std::string>

    get_role_permissions(const boost::uuids::uuid& role_id);


    // ========================================================================

    // Role Assignment

    // ========================================================================


    void assign_role(const boost::uuids::uuid& account_id,

        const boost::uuids::uuid& role_id,

        const std::string& assigned_by,

        const std::string& change_commentary = "Role assigned to account");


    void revoke_role(const boost::uuids::uuid& account_id,

        const boost::uuids::uuid& role_id);


    std::vector<domain::role>

    get_account_roles(const boost::uuids::uuid& account_id);


    // ========================================================================

    // Permission Checking

    // ========================================================================


    std::vector<std::string>

    get_effective_permissions(const boost::uuids::uuid& account_id);


    bool has_permission(const boost::uuids::uuid& account_id,

        std::string_view permission_code);


    static bool check_permission(const std::vector<std::string>& permissions,

        std::string_view required_permission);


private:

    void publish_account_permissions_changed(const boost::uuids::uuid& account_id);


    repository::permission_repository permission_repo_;

    repository::role_repository role_repo_;

    repository::account_role_repository account_role_repo_;

    repository::role_permission_repository role_permission_repo_;

    utility::uuid::uuid_v7_generator uuid_generator_;

    event_bus* event_bus_;

};


}


#endif

ores::iam::service
Service layer for the IAM module.
Definition account_service.hpp:34

ores::logging
Implements logging infrastructure for ORE Studio.
Definition boost_severity.hpp:28

ores::database::context
Context for the operations on a postgres database.
Definition context.hpp:30

ores::eventing::service::event_bus
A typed, thread-safe, in-process publish/subscribe event bus.
Definition event_bus.hpp:119

ores::iam::domain::permission
Represents an atomic permission that can be granted to roles.
Definition permission.hpp:41

ores::iam::domain::role
Represents a named collection of permissions that can be assigned to accounts.
Definition role.hpp:39

ores::iam::repository::account_role_repository
Reads and writes account-role assignments to data storage.
Definition account_role_repository.hpp:37

ores::iam::repository::permission_repository
Reads and writes permissions to data storage.
Definition permission_repository.hpp:36

ores::iam::repository::role_permission_repository
Reads and writes role-permission assignments to data storage.
Definition role_permission_repository.hpp:37

ores::iam::repository::role_repository
Reads and writes roles to data storage.
Definition role_repository.hpp:36

ores::iam::service::authorization_service
Service for managing role-based access control (RBAC).
Definition authorization_service.hpp:54

ores::iam::service::authorization_service::get_effective_permissions
std::vector< std::string > get_effective_permissions(const boost::uuids::uuid &account_id)
Computes the effective permissions for an account.
Definition authorization_service.cpp:299

ores::iam::service::authorization_service::find_role
std::optional< domain::role > find_role(const boost::uuids::uuid &role_id)
Finds a role by its ID.
Definition authorization_service.cpp:116

ores::iam::service::authorization_service::has_permission
bool has_permission(const boost::uuids::uuid &account_id, std::string_view permission_code)
Checks if an account has a specific permission.
Definition authorization_service.cpp:312

ores::iam::service::authorization_service::find_permission_by_code
std::optional< domain::permission > find_permission_by_code(const std::string &code)
Finds a permission by its code.
Definition authorization_service.cpp:56

ores::iam::service::authorization_service::find_role_by_name
std::optional< domain::role > find_role_by_name(const std::string &name)
Finds a role by its name.
Definition authorization_service.cpp:128

ores::iam::service::authorization_service::list_permissions
std::vector< domain::permission > list_permissions()
Lists all permissions in the system.
Definition authorization_service.cpp:50

ores::iam::service::authorization_service::check_permission
static bool check_permission(const std::vector< std::string > &permissions, std::string_view required_permission)
Checks if the given permissions list satisfies a permission check.
Definition authorization_service.cpp:319

ores::iam::service::authorization_service::create_permission
domain::permission create_permission(const std::string &code, const std::string &description)
Creates a new permission.
Definition authorization_service.cpp:65

ores::iam::service::authorization_service::create_role
domain::role create_role(const std::string &name, const std::string &description, const std::vector< std::string > &permission_codes, const std::string &recorded_by)
Creates a new role with the specified permissions.
Definition authorization_service.cpp:139

ores::iam::service::authorization_service::get_account_roles
std::vector< domain::role > get_account_roles(const boost::uuids::uuid &account_id)
Gets all roles assigned to an account.
Definition authorization_service.cpp:287

ores::iam::service::authorization_service::list_roles
std::vector< domain::role > list_roles()
Lists all roles in the system.
Definition authorization_service.cpp:97

ores::iam::service::authorization_service::assign_role
void assign_role(const boost::uuids::uuid &account_id, const boost::uuids::uuid &role_id, const std::string &assigned_by, const std::string &change_commentary="Role assigned to account")
Assigns a role to an account.
Definition authorization_service.cpp:215

ores::iam::service::authorization_service::revoke_role
void revoke_role(const boost::uuids::uuid &account_id, const boost::uuids::uuid &role_id)
Revokes a role from an account.
Definition authorization_service.cpp:263

ores::iam::service::authorization_service::get_role_permissions
std::vector< std::string > get_role_permissions(const boost::uuids::uuid &role_id)
Gets the permission codes assigned to a role.
Definition authorization_service.cpp:194

ores::utility::uuid::uuid_v7_generator
A generator for UUID version 7 (v7) based on RFC 9562.
Definition uuid_v7_generator.hpp:50