using ReadPermissionQueryOperation = std::function<permission::v1::PermissionQueryReply(pqxx::read_transaction &)>;

using ReadRoleQueryOperation = std::function<role::v1::RoleQueryReply(pqxx::read_transaction &)>;

using ReadGrantQueryOperation = std::function<grant::v1::GrantQueryReply(pqxx::read_transaction &)>;

using LookupGrantOwnerRolesOperation = std::function<std::vector<std::string>(pqxx::read_transaction &)>;

using ReadOidcProviderQueryOperation = std::function<oidc::v1::OidcProviderQueryReply(pqxx::read_transaction &)>;

using BootstrapAdminOidcProviderOperation = std::function<AdminOidcBootstrapResult(pqxx::work &)>;

using LoadAdminOidcValidatorConfigOperation = std::function<std::optional<commons::OidcTokenValidator::Config>(pqxx::read_transaction &)>;

using LoadPublicAdminOidcProviderOperation = std::function<std::optional<oidc::v1::OidcProvider>(pqxx::read_transaction &)>;

[[nodiscard]] static ReadPermissionQueryOperation MakeReadPermissionQueryOperation( const permission::v1::PermissionQueryRequest *request );
Builds a read operation that searches t_permission_definitions. The returned callback:
- validates that request and request.query are present
- validates common paging fields
- resolves SQL by searched protobuf descriptor and QueryMode
- returns PermissionQueryReply populated with query_result metadata and the matching permission rows
request: Permission query request payload.
Returns: Read operation compatible with PgUtility::ExecuteRead.
Throws: std::invalid_argument for null request or invalid query fields.

[[nodiscard]] static ReadRoleQueryOperation MakeReadRoleQueryOperation( const role::v1::RoleQueryRequest *request );
Builds a read operation that searches global rows in t_roles. The returned callback:
- validates that request and request.query are present
- validates common paging fields
- resolves SQL by searched protobuf descriptor and QueryMode
- returns RoleQueryReply populated with query_result metadata and the matching role rows
request: Role query request payload.
Returns: Read operation compatible with PgUtility::ExecuteRead.
Throws: std::invalid_argument for null request or invalid query fields.

[[nodiscard]] static CreateAdminRoleOperation MakeCreateAdminRoleOperation( const role::v1::RoleCreateRequest &request );
Builds a write operation that inserts one global ADMIN role row. The returned callback:
- rejects tenant-scoped role creation
- fixes role='ADMIN', origin='CUSTOM', and domain='AUTHZ' at the SQL layer
- persists name, description, optional template_key, and optional valid_until
- returns the inserted row mapped back into role::v1::Role
request: Role creation payload.
Returns: Write operation compatible with PgUtility::ExecuteWrite.

[[nodiscard]] static UpdateAdminRoleOperation MakeUpdateAdminRoleOperation( const role::v1::RoleUpdateRequest &request );
Builds a write operation that updates one global ADMIN role row. The returned callback:
- rejects tenant-scoped role updates
- requires one target role UUID
- filters to origin='CUSTOM' so TEMPLATE rows cannot be edited
- fixes role='ADMIN' and domain='AUTHZ' at the SQL layer
- updates name, description, optional template_key, and optional valid_until
- returns the updated row mapped back into role::v1::Role
request: Role update payload.
Returns: Write operation compatible with PgUtility::ExecuteWrite.

[[nodiscard]] static CopyAdminRoleOperation MakeCopyAdminRoleOperation( const role::v1::RoleCopyRequest &request );
Builds a write operation that clones one global ADMIN role row. The returned callback runs inside one pqxx::work so the new row and its copied grants commit together:
- resolves the source by source_role_uuid (must be ADMIN/AUTHZ and tenantless; TEMPLATE or CUSTOM)
- inserts a new CUSTOM row carrying the caller-supplied name, description, optional template_key, and optional valid_until
- copies every t_role_grants row from the source onto the new row
- returns the inserted row mapped back into role::v1::Role
request: Role copy payload.
Returns: Write operation compatible with PgUtility::ExecuteWrite.

[[nodiscard]] static DeleteAdminRolesOperation MakeDeleteAdminRolesOperation( const role::v1::RoleDeleteRequest &request );
Builds a write operation that deletes global admin roles by UUID. The returned callback:
- rejects tenant-scoped deletes
- requires at least one non-empty role UUID
- filters to origin='CUSTOM' so TEMPLATE rows cannot be deleted
- deletes only rows where tenant_id IS NULL
- returns the deleted UUID list for post-delete verification/logging
request: Role deletion payload.
Returns: Write operation compatible with PgUtility::ExecuteWrite.

[[nodiscard]] static ReadGrantQueryOperation MakeReadGrantQueryOperation( const grant::v1::GrantQueryRequest *request );
Builds a read operation that searches t_role_grants joined with role and permission rows. The returned callback:
- validates that request.query is present
- filters by request.role_uuid when set (admin-scope rows only)
- resolves SQL by searched protobuf descriptor and QueryMode
- returns GrantQueryReply populated with query_result metadata and the matching grant rows (role and permission identity resolved server-side for client convenience)
Throws: std::invalid_argument for null request or invalid query fields.

[[nodiscard]] static CreateGrantOperation MakeCreateGrantOperation( const grant::v1::GrantCreateRequest &request );
Builds a write operation that inserts one t_role_grants row. The returned callback:
- validates mask in [1, 31]
- resolves the role and permission rows by uuid
- refuses TEMPLATE-origin role targets (FAILED_PRECONDITION)
- persists mask and optional valid_until
- returns the inserted row mapped back into grant::v1::Grant
Throws: std::invalid_argument for invalid request payloads.

[[nodiscard]] static UpdateGrantOperation MakeUpdateGrantOperation( const grant::v1::GrantUpdateRequest &request );
Builds a write operation that updates the mutable fields (mask, valid_until) of one t_role_grants row. The returned callback:
- validates grant_uuid non-empty
- validates mask in [1, 31]
- rejects role_uuid / perm_uuid changes on the update path (the pairing is the natural identity of the row)
- refuses TEMPLATE-origin role targets (FAILED_PRECONDITION)
- returns the updated row mapped back into grant::v1::Grant

[[nodiscard]] static DeleteGrantsOperation MakeDeleteGrantsOperation( const grant::v1::GrantDeleteRequest &request );
Builds a write operation that deletes t_role_grants rows by uuid. The returned callback:
- requires at least one non-empty grant uuid
- refuses to delete grants owned by TEMPLATE-origin roles
- returns the sorted, deduplicated uuid list for post-delete verification by the handler

[[nodiscard]] static LookupGrantOwnerRolesOperation MakeLookupGrantOwnerRolesOperation(std::vector<std::string> grant_uuids);
Builds a read operation that returns the role uuids that own the supplied grant uuids on admin-scope roles. The returned vector contains one entry per matched grant (rows that don't exist or are tenant-scoped are silently omitted). The handler uses this to decide whether the caller would be mutating a grant on a role they themselves currently hold.

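The grant create/update/delete rules above, plus the handler-side use of the owner-role lookup, as an added example. This is not the project's code: it models the checks with plain C++ and an in-memory role table instead of libpqxx queries. The mask bit values for C, U, D and X (1, 4, 8, 16) are assumptions; the page fixes only mask=31 as CRUDX and mask=2 as read-only. All row shapes, the Status enum, and the sample data are constructed for the example.

```cpp
// Added example, not the project's code: the grant-path checks described above,
// modelled with an in-memory role table in place of libpqxx queries.
#include <algorithm>
#include <cstdint>
#include <map>
#include <optional>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Mask bits. The page fixes mask=31 as CRUDX and mask=2 as read-only; the
// assignment C=1, U=4, D=8, X=16 for the other letters is an assumption here.
constexpr std::uint32_t kCreate = 1, kRead = 2, kUpdate = 4, kDelete = 8, kExecute = 16;
constexpr std::uint32_t kMaskAll = 31;  // CRUDX

bool ValidMask(std::int64_t mask) { return mask >= 1 && mask <= kMaskAll; }

std::string DescribeMask(std::uint32_t mask) {
  std::string s;
  if (mask & kCreate) s += 'C';
  if (mask & kRead) s += 'R';
  if (mask & kUpdate) s += 'U';
  if (mask & kDelete) s += 'D';
  if (mask & kExecute) s += 'X';
  return s;
}

// Hypothetical stand-ins for t_roles / t_role_grants rows and the update proto.
enum class Origin { TEMPLATE, CUSTOM };
struct RoleRow { Origin origin; };
struct GrantRow { std::string role_uuid; std::string perm_uuid; std::uint32_t mask; };
using RoleTable = std::map<std::string, RoleRow>;
using GrantTable = std::map<std::string, GrantRow>;

struct GrantUpdateRequest {
  std::string grant_uuid;
  std::int64_t mask = 0;
  std::optional<std::string> role_uuid;  // must be unset or equal to the stored pairing
  std::optional<std::string> perm_uuid;
};

enum class Status { OK, INVALID_ARGUMENT, NOT_FOUND, FAILED_PRECONDITION };

// Update-path rules in the order the page lists them: payload checks first
// (INVALID_ARGUMENT), then the TEMPLATE-origin refusal (FAILED_PRECONDITION).
Status CheckGrantUpdate(const GrantUpdateRequest& req, const GrantTable& grants,
                        const RoleTable& roles) {
  if (req.grant_uuid.empty() || !ValidMask(req.mask)) return Status::INVALID_ARGUMENT;
  auto g = grants.find(req.grant_uuid);
  if (g == grants.end()) return Status::NOT_FOUND;
  // The role/perm pairing is the row's identity: changing either is rejected.
  if (req.role_uuid && *req.role_uuid != g->second.role_uuid) return Status::INVALID_ARGUMENT;
  if (req.perm_uuid && *req.perm_uuid != g->second.perm_uuid) return Status::INVALID_ARGUMENT;
  auto r = roles.find(g->second.role_uuid);
  if (r == roles.end()) return Status::NOT_FOUND;
  if (r->second.origin == Origin::TEMPLATE) return Status::FAILED_PRECONDITION;
  return Status::OK;
}

// Delete path: at least one non-empty uuid; the result is sorted and
// deduplicated so the handler can compare it against what the DELETE removed.
std::vector<std::string> NormalizeGrantUuids(std::vector<std::string> uuids) {
  if (uuids.empty()) throw std::invalid_argument("at least one grant uuid is required");
  for (const auto& u : uuids)
    if (u.empty()) throw std::invalid_argument("empty grant uuid");
  std::sort(uuids.begin(), uuids.end());
  uuids.erase(std::unique(uuids.begin(), uuids.end()), uuids.end());
  return uuids;
}

// Handler-side use of the owner-role lookup: would this mutation touch a role
// the caller currently holds?
bool TouchesCallerRole(const std::vector<std::string>& owner_role_uuids,
                       const std::set<std::string>& caller_role_uuids) {
  return std::any_of(owner_role_uuids.begin(), owner_role_uuids.end(),
                     [&](const std::string& r) { return caller_role_uuids.count(r) > 0; });
}

// Constructed sample data (not from the page).
RoleTable SampleRoles() {
  return {{"role-template-1", {Origin::TEMPLATE}}, {"role-custom-1", {Origin::CUSTOM}}};
}
GrantTable SampleGrants() {
  return {{"grant-t", {"role-template-1", "perm-a", kMaskAll}},
          {"grant-c", {"role-custom-1", "perm-a", kRead}}};
}

int main() {
  auto status = CheckGrantUpdate({"grant-c", kRead | kUpdate, std::nullopt, std::nullopt},
                                 SampleGrants(), SampleRoles());
  return status == Status::OK ? 0 : 1;
}
```

The ordering matters: a malformed payload is reported as INVALID_ARGUMENT before any row is consulted, and the TEMPLATE refusal is a precondition failure on an otherwise valid request, which matches the two distinct error classes the page documents.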
[[nodiscard]] static ReadOidcProviderQueryOperation MakeReadOidcProviderQueryOperation( const oidc::v1::OidcProviderQueryRequest *request );
Builds a read operation that loads the singleton ADMIN-scope OIDC identity provider + its connection. Joins t_identity_providers with t_identity_provider_oidcs and filters to scope = 'ADMIN'. The persisted introspection_client_secret ciphertext is NOT decrypted by this operation — connection replies leave the secret unset so the admin UI never surfaces it (the operator must retype it to change it). The OidcProvider.connection.uuid is populated from the OIDC row's uuid.
Returns: Read operation compatible with PgUtility::ExecuteRead.

[[nodiscard]] static UpdateOidcProviderOperation MakeUpdateOidcProviderOperation( const oidc::v1::OidcProviderUpdateRequest &request );
Builds a write operation that updates the singleton ADMIN OIDC provider's connection fields. Behaviour:
- provider.uuid identifies the row; scope and tenant_uuid are immutable and rejected when changed against the persisted row.
- Updates all OIDC connection fields from the request.
- When introspection_client_secret is present in the proto, it is re-encrypted under the process SecretKey; when absent, the existing ciphertext is preserved (operator did not retype the secret).
request: Update request payload.
Returns: Write operation compatible with PgUtility::ExecuteWrite.

[[nodiscard]] static IsBootstrapInitializedOperation MakeIsBootstrapInitializedOperation();
Builds a read operation that returns whether the system is already initialized. Returns true iff t_bootstrap_state has a row with initialized_on IS NOT NULL. Absent rows are reported as not-initialized.
Returns: Read operation compatible with PgUtility::ExecuteRead.

[[nodiscard]] static BootstrapAdminOidcProviderOperation MakeBootstrapAdminOidcProviderOperation( const oidc::v1::OidcProvider &provider, std::vector<std::uint8_t> subject_id_hash, std::vector<std::uint8_t> install_secret_hash, std::vector<std::uint8_t> client_dek_blob, std::vector<std::uint8_t> client_profile_blob, std::vector<std::uint8_t> recovery_pin_plaintext );
Builds the atomic one-shot ADMIN-scope OIDC bootstrap operation. This operation is invoked exclusively by ReefInitService.initialize. In one pqxx::work transaction it:
- Locks t_bootstrap_state rows; fails closed if any row has initialized_on IS NOT NULL.
- Inserts the singleton ADMIN row into t_identity_providers (the partial unique index t_identity_providers_admin_scope_uq enforces single-row at the schema level).
- Inserts the matching row into t_identity_provider_oidcs with introspection_client_secret encrypted via the process SecretKey and base64-encoded.
- When escrow blobs are provided, upserts a row into t_subject_profile_escrow keyed by subject_id_hash. Both dek_ciphertext and profile_ciphertext are wrapped a second time by the process SecretKey (with AAD pinned to subject_id_hash) before storage.
- Writes / updates t_bootstrap_state.initialized_on = now() and t_bootstrap_state.initialized_by_subject_hash = $.
provider: Validated ADMIN-scope OidcProvider from the init request.
subject_id_hash: SHA-256 of iss|sub extracted from the validated bearer token.
client_dek_blob: Optional client-supplied opaque DEK blob; empty disables escrow.
client_profile_blob: Optional client-supplied opaque profile blob; required iff DEK is present.
recovery_pin_plaintext: Optional plaintext recovery PIN bytes (after KEM-decipher on the server). When non-empty, the operation generates a fresh per-row salt and stores the PIN encrypted under ProcessContext::GlobalSecretKey with the salt bound as AAD. Required for self-service profile recovery; absent when the user opted out of PIN escrow.
Returns: Write operation compatible with PgUtility::ExecuteWrite.
Throws: std::invalid_argument when the provider is not ADMIN-scoped or fields are missing.
Throws: ServerAdminDbOperationError when the bootstrap row indicates the system is already initialized, or when DB invariants are violated.

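The two properties that make the bootstrap safe to expose as a one-shot call are the fail-closed check on t_bootstrap_state and the fact that every insert rides in one transaction, so a failure part-way leaves nothing behind. The following added example (not the project's code) shows both with an in-memory stand-in for pqxx::work and PgUtility::ExecuteWrite. The table shapes, FakeWork, ExecuteWrite, BootstrapResult, AlreadyInitializedError and all sample values are constructed here; only the column names initialized_on and initialized_by_subject_hash come from the page.

```cpp
// Added example, not the project's code: an in-memory stand-in for pqxx::work
// and PgUtility::ExecuteWrite that shows the fail-closed bootstrap guard and the
// commit-or-roll-back-everything behaviour described above. Table shapes are
// hypothetical; only initialized_on and initialized_by_subject_hash come from
// the page.
#include <functional>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

struct BootstrapStateRow {
  std::optional<std::string> initialized_on;
  std::string initialized_by_subject_hash;
};

struct AdminDb {
  std::vector<BootstrapStateRow> t_bootstrap_state;
  std::vector<std::string> admin_identity_providers;  // issuer per ADMIN-scope row; must stay a singleton
};

// Minimal transaction: writes go to a working copy, commit() publishes it.
// Throwing out of the operation never reaches commit(), so the base is untouched.
class FakeWork {
 public:
  explicit FakeWork(AdminDb& base) : base_(base), pending_(base) {}
  AdminDb& data() { return pending_; }
  void commit() { base_ = pending_; }
 private:
  AdminDb& base_;
  AdminDb pending_;
};

struct AlreadyInitializedError : std::runtime_error {
  using std::runtime_error::runtime_error;
};

template <typename Result>
Result ExecuteWrite(AdminDb& db, const std::function<Result(FakeWork&)>& op) {
  FakeWork txn(db);
  Result result = op(txn);  // an exception here skips commit(): rollback
  txn.commit();
  return result;
}

struct BootstrapResult { std::string initialized_by_subject_hash; };

// Fail-closed: refuse if any state row is already initialized, insert the
// singleton ADMIN provider row, then stamp the state row, all in one transaction.
std::function<BootstrapResult(FakeWork&)> MakeBootstrapOperation(
    std::string issuer, std::string subject_id_hash_hex, std::string now_iso) {
  return [=](FakeWork& txn) -> BootstrapResult {
    AdminDb& d = txn.data();
    for (const auto& row : d.t_bootstrap_state)
      if (row.initialized_on) throw AlreadyInitializedError("system already initialized");
    if (!d.admin_identity_providers.empty())  // stands in for the partial unique index
      throw std::runtime_error("ADMIN-scope identity provider already present");
    d.admin_identity_providers.push_back(issuer);
    if (d.t_bootstrap_state.empty()) d.t_bootstrap_state.push_back({});
    d.t_bootstrap_state.front().initialized_on = now_iso;
    d.t_bootstrap_state.front().initialized_by_subject_hash = subject_id_hash_hex;
    return BootstrapResult{subject_id_hash_hex};
  };
}

// Read side: true iff some row has initialized_on set; absent rows mean false.
bool IsBootstrapInitialized(const AdminDb& db) {
  for (const auto& row : db.t_bootstrap_state)
    if (row.initialized_on) return true;
  return false;
}

int main() {
  AdminDb db;  // constructed empty database
  ExecuteWrite<BootstrapResult>(
      db, MakeBootstrapOperation("https://idp.example", "deadbeef", "2024-01-01T00:00:00Z"));
  return IsBootstrapInitialized(db) ? 0 : 1;
}
```

A real libpqxx implementation gets the rollback for free from pqxx::work's destructor when the callback throws before commit(); the FakeWork copy-on-commit here only makes that behaviour visible without a database. The guard reads the state row under the same transaction that writes it, which is what the row lock in the real operation protects against concurrent first-callers.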
[[nodiscard]] static LoadAdminOidcValidatorConfigOperation MakeLoadAdminOidcValidatorConfigOperation();
Builds a read operation that loads the singleton ADMIN-scope OIDC validator configuration from t_identity_provider_oidcs. Returns std::nullopt when the system has not been initialized (no ADMIN row in t_identity_providers). When found, decrypts introspection_client_secret ciphertext using the process SecretKey so the validator can be constructed against any oidc_token_mode. The returned Config is suitable for direct construction of commons::OidcTokenValidator.
Returns: Read operation compatible with PgUtility::ExecuteRead.
Throws: ServerAdminDbOperationError when the row's token_mode enum value is unrecognized or the introspection secret ciphertext cannot be decrypted.

[[nodiscard]] static LoadPublicAdminOidcProviderOperation MakeLoadPublicAdminOidcProviderOperation();
Builds a read operation that returns the public ADMIN-scope OIDC provider proto (no introspection client secret). Used by ReefStatusService.is_initialized so a fresh admin client can run a PKCE login against the same IdP without re-typing the issuer/client_id/audience. Returns std::nullopt when the system has not been initialized (no ADMIN row in t_identity_providers).

using ReadTenantQueryOperation = std::function<tenant::v1::TenantQueryReply(pqxx::read_transaction &)>;

[[nodiscard]] static ReadTenantQueryOperation MakeReadTenantQueryOperation( const tenant::v1::TenantQueryRequest *request );
Builds a read operation that searches t_tenants joined with the per-tenant OIDC binding. The returned callback:
- validates that request and request.query are present
- validates common paging fields
- resolves SQL by searched protobuf descriptor and QueryMode
- returns TenantQueryReply populated with query_result metadata and the matching tenant rows
Throws: std::invalid_argument for null request or invalid query fields.

[[nodiscard]] static CreateTenantOperation MakeCreateTenantOperation( const tenant::v1::TenantCreateRequest &request );
Builds a write operation that creates one tenant atomically with its OIDC binding and seed roles. The returned callback runs inside one pqxx::work so that the following commit together:
- t_tenants row insert (uuid override applied via COALESCE)
- t_identity_providers row insert (scope=TENANT, FK=new tenant id)
- t_identity_provider_oidcs row insert (issuer/audience/etc., with introspection client secret encrypted under the process SecretKey)
- two t_roles TEMPLATE seeds inserted (tenant-super-admin and tenant-auditor, each with editable=false, domain=AUTHZ)
- starter t_role_grants rows: every permission tagged TENANT-allowed in t_permission_allowed_role_types is granted to tenant-super-admin with mask=31 (CRUDX) and to tenant-auditor with mask=2 (Read only)
Partial failure rolls everything back, so the tenant never lands without its identity-provider binding, starter roles, or starter grants.
Throws: std::invalid_argument when validation rejects the request (tenant/display_name empty, OIDC missing, issuer/audience empty, uuid override malformed).

[[nodiscard]] static UpdateTenantOperation MakeUpdateTenantOperation( const tenant::v1::TenantUpdateRequest &request );
Builds a write operation that updates one tenant row and its per-tenant OIDC connection atomically. The returned callback updates t_tenants (tenant, display_name, valid_until) and t_identity_provider_oidcs (every connection field) in one transaction. The introspection client secret follows the blank-keeps-existing convention used by the global ADMIN-scope OIDC update path.
Throws: std::invalid_argument when the tenant uuid does not exist or validation rejects the request.

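The blank-keeps-existing rule shared by the ADMIN-scope and per-tenant OIDC update paths, together with the read-side rules (replies never carry the secret; the validator-config load decrypts it or returns nullopt when no row exists), as one added example. This is not the project's code: the row and message shapes, ValidatorConfig, and the functions are constructed for the example, and DemoSeal / DemoUnseal are visibly fake placeholders for encryption under the process SecretKey, not a cipher.

```cpp
// Added example, not the project's code: introspection-client-secret handling
// on the OIDC update and read paths. Row/message shapes are hypothetical;
// DemoSeal/DemoUnseal are placeholders for the process SecretKey, not a cipher.
#include <functional>
#include <optional>
#include <stdexcept>
#include <string>

struct OidcConnectionRow {
  std::string issuer;
  std::string audience;
  std::string client_id;
  std::string introspection_client_secret_ct;  // ciphertext as persisted
};

struct OidcConnectionUpdate {
  std::string issuer;
  std::string audience;
  std::string client_id;
  std::optional<std::string> introspection_client_secret;  // absent: operator did not retype it
};

using Sealer = std::function<std::string(const std::string&)>;
using Unsealer = std::function<std::string(const std::string&)>;

// Placeholders so the example runs offline; a real build seals under the process SecretKey.
std::string DemoSeal(const std::string& plaintext) { return "sealed:" + plaintext; }
std::string DemoUnseal(const std::string& ciphertext) {
  const std::string prefix = "sealed:";
  if (ciphertext.compare(0, prefix.size(), prefix) != 0)
    throw std::runtime_error("introspection secret ciphertext cannot be decrypted");
  return ciphertext.substr(prefix.size());
}

// Update path: every connection field is overwritten, but the secret ciphertext
// is replaced only when the request actually carries a new secret.
OidcConnectionRow ApplyConnectionUpdate(OidcConnectionRow row, const OidcConnectionUpdate& u,
                                        const Sealer& seal) {
  if (u.issuer.empty() || u.audience.empty())
    throw std::invalid_argument("issuer and audience are required");
  row.issuer = u.issuer;
  row.audience = u.audience;
  row.client_id = u.client_id;
  if (u.introspection_client_secret)
    row.introspection_client_secret_ct = seal(*u.introspection_client_secret);
  return row;
}

struct OidcConnectionReply {
  std::string issuer, audience, client_id;
  std::optional<std::string> introspection_client_secret;  // always unset on read replies
};

// Read path for the admin UI: the secret is never surfaced, encrypted or not.
OidcConnectionReply ToConnectionReply(const OidcConnectionRow& row) {
  return {row.issuer, row.audience, row.client_id, std::nullopt};
}

struct ValidatorConfig {  // stands in for commons::OidcTokenValidator::Config
  std::string issuer, audience, client_id, introspection_client_secret;
};

// Validator-config path: nullopt when no row exists; otherwise decrypt for use
// in-process. An undecryptable ciphertext is an error, not a silent blank.
std::optional<ValidatorConfig> LoadValidatorConfig(const std::optional<OidcConnectionRow>& row,
                                                   const Unsealer& unseal) {
  if (!row) return std::nullopt;
  return ValidatorConfig{row->issuer, row->audience, row->client_id,
                         unseal(row->introspection_client_secret_ct)};
}

int main() {
  // Constructed sample row and update (not from the page).
  OidcConnectionRow row{"https://idp.example", "reef-admin", "admin-ui", DemoSeal("old-secret")};
  OidcConnectionUpdate no_retype{"https://idp.example", "reef-admin", "admin-ui-v2", std::nullopt};
  OidcConnectionRow updated = ApplyConnectionUpdate(row, no_retype, DemoSeal);
  return updated.introspection_client_secret_ct == row.introspection_client_secret_ct ? 0 : 1;
}
```

The point of modelling the secret as std::optional rather than an empty string is that "not sent" and "sent as empty" stay distinguishable: only presence triggers re-encryption, so a client that round-trips a reply (which never carries the secret) cannot accidentally wipe the stored ciphertext.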
[[nodiscard]] static RetireTenantsOperation MakeRetireTenantsOperation( const tenant::v1::TenantRetireRequest &request );
Builds a write operation that soft-retires tenants by flipping their valid_until to now(). Returns the list of retired uuids; throws when one or more uuids did not match a row.

[[nodiscard]] static DeleteTenantsOperation MakeDeleteTenantsOperation( const tenant::v1::TenantDeleteRequest &request );
Builds a write operation that hard-deletes tenants by uuid. Relies on the schema's ON DELETE CASCADE on t_identity_providers.tenant_id and t_roles.tenant_id so the per-tenant OIDC binding, seed roles, and any role-grants are removed in the same transaction. Returns the list of deleted uuids; throws when one or more uuids did not match a row.