# Namespace reeflogic::server_admin C++ API Reference
## Headers at a Glance
| Header | Classes | Functions | Macros |
|---|---|---|---|
| server_admin/cmd/admin_grant_command_handler.h | 1 | 0 | 0 |
| server_admin/cmd/admin_oidc_provider_command_handler.h | 1 | 0 | 0 |
| server_admin/cmd/admin_permission_command_handler.h | 1 | 0 | 0 |
| server_admin/cmd/admin_role_command_handler.h | 1 | 0 | 0 |
| server_admin/cmd/admin_tenant_command_handler.h | 1 | 0 | 0 |
| server_admin/command_handler.h | 1 | 0 | 0 |
| server_admin/db_operation_utility.h | 1 | 0 | 0 |
| server_admin/exceptions.h | 5 | 0 | 0 |
| server_admin/reef_admin_authn_filter.h | 0 | 2 | 0 |
| server_admin/reef_admin_service_impl.h | 1 | 0 | 0 |
| server_admin/reef_init_authn_filter.h | 0 | 1 | 0 |
| server_admin/reef_init_service_impl.h | 1 | 0 | 0 |
| server_admin/reef_status_service_impl.h | 1 | 0 | 0 |
## Header server_admin/cmd/admin_grant_command_handler.h
Command-handler for ADMIN-scope role-permission grant CRUD over t_role_grants.
Declares AdminGrantCommandHandler, the dispatch target used by server_admin::CommandHandler for the four ADMIN_COMMAND_GRANT_* envelopes defined in common/grant.proto. Each Handle() overload validates the request, delegates to the matching DbOperationUtility factory so writes execute within one pqxx::work transaction, and maps the t_role_grants row back to grant::v1::Grant. The handler refuses changes to grants owned by TEMPLATE-origin roles and runs the self-assigned-role guard via LookupGrantOwnerRolesOperation before mutating grants on roles the caller currently holds.
See also: common/grant.proto, server_admin/db_operation_utility.h
### Classes
#### AdminGrantCommandHandler
| Public Member Signature | Description | Referenced Types |
|---|---|---|
| [[nodiscard]] static grpc::Status Handle( const grant::v1::GrantQueryRequest &request, cmd::v1::AdminExecuteReply *response ); | - | - |
| [[nodiscard]] static grpc::Status Handle( const grant::v1::GrantCreateRequest &request, cmd::v1::AdminExecuteReply *response, const std::shared_ptr<const commons::Subject> &subject ); | - | - |
| [[nodiscard]] static grpc::Status Handle( const grant::v1::GrantUpdateRequest &request, cmd::v1::AdminExecuteReply *response, const std::shared_ptr<const commons::Subject> &subject ); | - | - |
| [[nodiscard]] static grpc::Status Handle( const grant::v1::GrantDeleteRequest &request, cmd::v1::AdminExecuteReply *response, const std::shared_ptr<const commons::Subject> &subject ); | - | - |
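
As an added illustration (not code from the reeflogic project), the following self-contained C++ model shows the two pre-write checks described above, the TEMPLATE-origin refusal and the self-assigned-role guard built on the owner-role lookup, together with the [1, 31] mask check the grant factories apply. Role, Grant, GrantStore, the verdict names and the refusal outcome for the self-assigned case are assumptions; the page does not state which status the real handler returns in that case.

```cpp
// Added example, not reeflogic project code. In-memory model of the checks
// AdminGrantCommandHandler runs before touching t_role_grants.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

enum class Origin { kTemplate, kCustom };

struct Role  { std::string uuid; Origin origin; };
struct Grant { std::string uuid; std::string role_uuid; std::string perm_uuid; int mask; };

// Verdict names are assumptions; the page only names FAILED_PRECONDITION for
// TEMPLATE-origin targets and leaves the self-assigned outcome unstated.
enum class Verdict { kOk, kInvalidArgument, kTemplateProtected, kSelfAssignedRole };

struct GrantStore {
  std::map<std::string, Role>  roles;   // keyed by role uuid
  std::map<std::string, Grant> grants;  // keyed by grant uuid

  // Model of LookupGrantOwnerRolesOperation: one owner role uuid per matched
  // grant; uuids with no matching row are silently omitted, as described.
  std::vector<std::string> LookupGrantOwnerRoles(const std::vector<std::string>& grant_uuids) const {
    std::vector<std::string> owners;
    for (const auto& g : grant_uuids) {
      auto it = grants.find(g);
      if (it != grants.end()) owners.push_back(it->second.role_uuid);
    }
    return owners;
  }
};

// CRUDX mask is a 5-bit field; create/update accept [1, 31] per the page.
bool IsValidMask(int mask) { return mask >= 1 && mask <= 31; }

// Decide whether a subject holding `subject_roles` may mutate the listed grants.
// new_mask < 0 models a delete (no mask to validate).
Verdict CheckGrantMutation(const GrantStore& store,
                           const std::set<std::string>& subject_roles,
                           const std::vector<std::string>& grant_uuids,
                           int new_mask) {
  if (grant_uuids.empty()) return Verdict::kInvalidArgument;
  if (new_mask >= 0 && !IsValidMask(new_mask)) return Verdict::kInvalidArgument;
  for (const auto& owner : store.LookupGrantOwnerRoles(grant_uuids)) {
    auto role = store.roles.find(owner);
    if (role == store.roles.end()) continue;  // cannot happen under the FK; skip
    if (role->second.origin == Origin::kTemplate) return Verdict::kTemplateProtected;
    if (subject_roles.count(owner) != 0) return Verdict::kSelfAssignedRole;
  }
  return Verdict::kOk;
}

// Constructed sample data: one TEMPLATE seed role, one CUSTOM role, one grant each.
GrantStore MakeSampleStore() {
  GrantStore s;
  s.roles["role-template"] = Role{"role-template", Origin::kTemplate};
  s.roles["role-custom"]   = Role{"role-custom", Origin::kCustom};
  s.grants["grant-1"] = Grant{"grant-1", "role-template", "perm-tenant-read", 2};
  s.grants["grant-2"] = Grant{"grant-2", "role-custom", "perm-tenant-read", 31};
  return s;
}

int main() {
  const GrantStore store = MakeSampleStore();
  // A caller who holds role-custom tries to widen its own grant.
  const Verdict v = CheckGrantMutation(store, {"role-custom"}, {"grant-2"}, 31);
  std::cout << (v == Verdict::kSelfAssignedRole ? "refused: caller holds the target role\n" : "ok\n");
  return 0;
}
```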
## Header server_admin/cmd/admin_oidc_provider_command_handler.h
Command-handler for the singleton ADMIN-scope OIDC provider VIEW/UPDATE flow.
Declares AdminOidcProviderCommandHandler, dispatched by server_admin::CommandHandler for ADMIN_COMMAND_OIDC_PROVIDER_VIEW and ADMIN_COMMAND_OIDC_PROVIDER_UPDATE envelopes from common/oidc.proto. The ADMIN row in t_identity_providers / t_identity_provider_oidcs is seeded once by ReefInitServiceImpl::initialize and never created or deleted via this surface; UPDATE only mutates connection fields, while scope and tenant_uuid remain immutable. The persisted introspection_client_secret is encrypted at rest under commons::ProcessContext::GlobalSecretKey(); absent secrets on UPDATE preserve the existing ciphertext, and VIEW replies always omit it.
Note: Successful UPDATE callers should invoke ResetAdminAuthnCaches() so the next request rebuilds the cached OidcTokenValidator.
See also: common/oidc.proto, server_admin/reef_admin_authn_filter.h
### Classes
#### AdminOidcProviderCommandHandler
| Public Member Signature | Description | Referenced Types |
|---|---|---|
| [[nodiscard]] static grpc::Status Handle( const oidc::v1::OidcProviderQueryRequest &request, cmd::v1::AdminExecuteReply *response ); | - | - |
| [[nodiscard]] static grpc::Status Handle( const oidc::v1::OidcProviderUpdateRequest &request, cmd::v1::AdminExecuteReply *response ); | - | - |
## Header server_admin/cmd/admin_permission_command_handler.h
Command-handler for the read-only ADMIN permission catalog query.
Declares AdminPermissionCommandHandler, dispatched by server_admin::CommandHandler for the ADMIN_COMMAND_PERMISSION_VIEW envelope from common/permission.proto. The single Handle() overload validates the paged PermissionQueryRequest, runs DbOperationUtility::MakeReadPermissionQueryOperation through the process-global PgUtility, and writes the permission_view payload back into AdminExecuteReply. Backed by the t_permission_definitions catalog, which is platform-seeded and read-only from the admin command surface.
See also: common/permission.proto, server_admin/db/permission_query.h
### Classes
#### AdminPermissionCommandHandler
| Public Member Signature | Description | Referenced Types |
|---|---|---|
| [[nodiscard]] static grpc::Status Handle( const permission::v1::PermissionQueryRequest &request, cmd::v1::AdminExecuteReply *response ); | Executes the permission query request and writes reply payload. request: Permission query request payload. response: Reply output populated on success. Returns: grpc::Status::OK on success; otherwise a transport-neutral error that CommandHandler copies into reply.status. | - |
## Header server_admin/cmd/admin_role_command_handler.h
Command-handler for ADMIN-scope role CRUD over t_roles.
Declares AdminRoleCommandHandler, dispatched by server_admin::CommandHandler for the ADMIN_COMMAND_ROLE_* family of envelopes (VIEW, CREATE, UPDATE, DELETE, COPY) from common/role.proto. Each Handle() overload validates the request, delegates to the matching DbOperationUtility factory so writes run inside one pqxx::work transaction, and translates between proto wire types and t_roles / t_role_grants rows. Writes filter to origin='CUSTOM' and tenantless rows so TEMPLATE seeds remain immutable.
Note: Handlers raise AdminRoleTemplateProtectedError when an UPDATE or DELETE targets a TEMPLATE-origin row; the envelope plumbing in reef_server_common::command_envelope maps it to gRPC FAILED_PRECONDITION.
See also: common/role.proto, server_admin/exceptions.h
### Classes
#### AdminRoleCommandHandler
| Public Member Signature | Description | Referenced Types |
|---|---|---|
| [[nodiscard]] static grpc::Status Handle( const role::v1::RoleQueryRequest &request, cmd::v1::AdminExecuteReply *response ); | - | - |
| [[nodiscard]] static grpc::Status Handle( const role::v1::RoleCreateRequest &request, cmd::v1::AdminExecuteReply *response ); | - | - |
| [[nodiscard]] static grpc::Status Handle( const role::v1::RoleDeleteRequest &request, cmd::v1::AdminExecuteReply *response, const std::shared_ptr<const commons::Subject>& subject ); | - | - |
| [[nodiscard]] static grpc::Status Handle( const role::v1::RoleUpdateRequest &request, cmd::v1::AdminExecuteReply *response ); | - | - |
| [[nodiscard]] static grpc::Status Handle( const role::v1::RoleCopyRequest &request, cmd::v1::AdminExecuteReply *response ); | - | - |
## Header server_admin/cmd/admin_tenant_command_handler.h
Command-handler for the tenant lifecycle (VIEW/CREATE/UPDATE/RETIRE/DELETE).
Declares AdminTenantCommandHandler, dispatched by server_admin::CommandHandler for the five ADMIN_COMMAND_TENANT_* envelopes from common/tenant.proto. Each Handle() overload validates the payload, delegates to the matching DbOperationUtility factory, and maps domain exceptions to gRPC status. CREATE atomically seeds t_tenants, the SCOPE_TENANT t_identity_providers row, its t_identity_provider_oidcs connection, and two TEMPLATE t_roles (tenant-super-admin, tenant-auditor) with starter t_role_grants. RETIRE flips valid_until to now() so live sessions can drain. DELETE relies on the schema's ON DELETE CASCADE chain to remove the per-tenant identity-provider binding, roles, and grants in the same transaction.
See also: common/tenant.proto, server_admin/db/tenant_query.h
### Classes
#### AdminTenantCommandHandler
| Public Member Signature | Description | Referenced Types |
|---|---|---|
| [[nodiscard]] static grpc::Status Handle( const tenant::v1::TenantQueryRequest &request, cmd::v1::AdminExecuteReply *response ); | Handles ADMIN_COMMAND_TENANT_VIEW. request: Tenant query request (paging + free-text search). response: Populated AdminExecuteReply.tenant_view on success. Returns: gRPC status; INVALID_ARGUMENT on bad payload, INTERNAL on DB or runtime failure. | - |
| [[nodiscard]] static grpc::Status Handle( const tenant::v1::TenantCreateRequest &request, cmd::v1::AdminExecuteReply *response ); | Handles ADMIN_COMMAND_TENANT_CREATE. Atomically creates the tenant row, its SCOPE_TENANT identity provider, its OIDC connection, the two TEMPLATE seed roles (tenant-super-admin, tenant-auditor), and their starter grants for every TENANT-allowed permission (CRUDX mask on super-admin, Read-only mask on auditor). The reply carries the inserted tenant with the embedded OidcProvider. | - |
| [[nodiscard]] static grpc::Status Handle( const tenant::v1::TenantUpdateRequest &request, cmd::v1::AdminExecuteReply *response ); | Handles ADMIN_COMMAND_TENANT_UPDATE. Atomically updates the tenant row and its per-tenant OIDC connection. The reply carries the updated tenant with the embedded OidcProvider. | - |
| [[nodiscard]] static grpc::Status Handle( const tenant::v1::TenantRetireRequest &request, cmd::v1::AdminExecuteReply *response ); | Handles ADMIN_COMMAND_TENANT_RETIRE. Soft-retires one or more tenants by setting their valid_until to now(). Per-tenant OIDC bindings are left intact so active sessions can finish their windowed work. Routes through the Update permission bit so operators with edit rights can retire without holding the destructive Delete bit. | - |
| [[nodiscard]] static grpc::Status Handle( const tenant::v1::TenantDeleteRequest &request, cmd::v1::AdminExecuteReply *response ); | Handles ADMIN_COMMAND_TENANT_DELETE. Hard-deletes one or more tenants. The schema's ON DELETE CASCADE chain removes the per-tenant identity-provider binding, the per-tenant roles (TEMPLATE seeds included), and every role-grant attached to them in the same transaction. | - |
## Header server_admin/command_handler.h
Central dispatcher for AdminExecuteRequest envelopes.
Declares CommandHandler, the entry point invoked by ReefAdminServiceImpl::execute for every admin command. The class resolves permission_label and permission_mask metadata from AdminCommandKind enum options into an AuthorizationPolicy aliased from reef_server_common::command_envelope, verifies that the envelope's kind matches its active oneof, dispatches to one of the concrete handlers in server_admin/cmd/ (AdminGrantCommandHandler, AdminOidcProviderCommandHandler, AdminPermissionCommandHandler, AdminRoleCommandHandler, AdminTenantCommandHandler), and emits an AdminExecuteReply carrying the original request_id plus a google.rpc.Status. Dispatch errors are written into reply.status rather than thrown.
See also: reef_server_common/command_envelope.h, common/cmd.proto, reef_admin_service.proto
### Classes
#### CommandHandler
| Public Member Signature | Description | Referenced Types |
|---|---|---|
| [[nodiscard]] static std::optional<grpc::Status> ResolveAdminCommandAuthorizationPolicy( cmd::v1::AdminCommandKind kind, AuthorizationPolicy *policy ); | Resolves authorization policy metadata from command kind. kind: Command kind from request. policy: Output policy structure. Returns: Empty optional on success; gRPC status when resolution fails. | - |
| [[nodiscard]] static cmd::v1::AdminExecuteReply *Handle( const cmd::v1::AdminExecuteRequest &request, cmd::v1::AdminExecuteReply *response, const std::shared_ptr<const commons::Subject>& subject ); | Handles a validated admin command and writes reply payload/status. The returned reply always echoes request.request_id(). Dispatch errors are encoded in reply.status instead of throwing. Returns: Same response pointer for fluent call sites, or nullptr when response input is null. | - |
## Header server_admin/db_operation_utility.h
Factory hub for every admin-server PostgreSQL read/write callback.
Declares DbOperationUtility, a stateless factory that emits the std::function callbacks consumed by commons::PgUtility::ExecuteRead and ExecuteWrite. The factories cover the permission catalog (t_permission_definitions), the ADMIN role surface (t_roles, t_role_grants), the OIDC identity-provider surface (t_identity_providers, t_identity_provider_oidcs), the tenant lifecycle (t_tenants plus its per-tenant OIDC binding and TEMPLATE seed roles), the bootstrap state machine (t_bootstrap_state, t_subject_profile_escrow), and the validator-config reload path used by reef_admin_authn_filter. Each factory bundles its validation, SQL resolution, AAD-bound encryption of introspection_client_secret, and row-to-proto mapping into a single callable so command handlers stay transport-focused.
Note: Bootstrap and tenant CREATE callbacks chain multiple table writes inside a single pqxx::work so partial-failure cleanup is handled by transaction rollback rather than ad-hoc compensation.
See also: server_admin/exceptions.h, common/cmd.proto
### Classes
#### DbOperationUtility
| Public Member Signature | Description | Referenced Types |
|---|---|---|
| std::function<permission::v1::PermissionQueryReply(pqxx::read_transaction &)>; | - | - |
| std::function<role::v1::RoleQueryReply(pqxx::read_transaction &)>; | - | - |
| std::function<grant::v1::GrantQueryReply(pqxx::read_transaction &)>; | - | - |
| std::function<std::vector<std::string>(pqxx::read_transaction &)>; | - | - |
| std::function<oidc::v1::OidcProviderQueryReply(pqxx::read_transaction &)>; | - | - |
| std::function<AdminOidcBootstrapResult(pqxx::work &)>; | - | - |
| std::function<std::optional<commons::OidcTokenValidator::Config>(pqxx::read_transaction &)>; | - | - |
| std::function<std::optional<oidc::v1::OidcProvider>(pqxx::read_transaction &)>; | - | - |
| [[nodiscard]] static ReadPermissionQueryOperation MakeReadPermissionQueryOperation( const permission::v1::PermissionQueryRequest *request ); | Builds a read operation that searches t_permission_definitions. The returned callback: - validates that request and request.query are present. - validates common paging fields. - resolves SQL by searched protobuf descriptor and QueryMode. - returns PermissionQueryReply populated with query_result metadata and the matching permission rows. request: Permission query request payload. Returns: Read operation compatible with PgUtility::ExecuteRead. Throws: std::invalid_argument for null request or invalid query fields. | - |
| [[nodiscard]] static ReadRoleQueryOperation MakeReadRoleQueryOperation( const role::v1::RoleQueryRequest *request ); | Builds a read operation that searches global rows in t_roles. The returned callback: - validates that request and request.query are present. - validates common paging fields. - resolves SQL by searched protobuf descriptor and QueryMode. - returns RoleQueryReply populated with query_result metadata and the matching role rows. request: Role query request payload. Returns: Read operation compatible with PgUtility::ExecuteRead. Throws: std::invalid_argument for null request or invalid query fields. | - |
| [[nodiscard]] static CreateAdminRoleOperation MakeCreateAdminRoleOperation( const role::v1::RoleCreateRequest &request ); | Builds a write operation that inserts one global ADMIN role row. The returned callback: - rejects tenant-scoped role creation - fixes role='ADMIN', origin='CUSTOM', and domain='AUTHZ' at the SQL layer - persists name, description, optional template_key, and optional valid_until - returns the inserted row mapped back into role::v1::Role request: Role creation payload. Returns: Write operation compatible with PgUtility::ExecuteWrite. | - |
| [[nodiscard]] static UpdateAdminRoleOperation MakeUpdateAdminRoleOperation( const role::v1::RoleUpdateRequest &request ); | Builds a write operation that updates one global ADMIN role row. The returned callback: - rejects tenant-scoped role updates - requires one target role UUID - filters to origin='CUSTOM' so TEMPLATE rows cannot be edited - fixes role='ADMIN' and domain='AUTHZ' at the SQL layer - updates name, description, optional template_key, and optional valid_until - returns the updated row mapped back into role::v1::Role request: Role update payload. Returns: Write operation compatible with PgUtility::ExecuteWrite. | - |
| [[nodiscard]] static CopyAdminRoleOperation MakeCopyAdminRoleOperation( const role::v1::RoleCopyRequest &request ); | Builds a write operation that clones one global ADMIN role row. The returned callback runs inside one pqxx::work so the new row and its copied grants commit together: - resolves the source by source_role_uuid (must be ADMIN/AUTHZ and tenantless; TEMPLATE or CUSTOM) - inserts a new CUSTOM row carrying the caller-supplied name, description, optional template_key, and optional valid_until - copies every t_role_grants row from the source onto the new row - returns the inserted row mapped back into role::v1::Role request: Role copy payload. Returns: Write operation compatible with PgUtility::ExecuteWrite. | - |
| [[nodiscard]] static DeleteAdminRolesOperation MakeDeleteAdminRolesOperation( const role::v1::RoleDeleteRequest &request ); | Builds a write operation that deletes global admin roles by UUID. The returned callback: - rejects tenant-scoped deletes - requires at least one non-empty role UUID - filters to origin='CUSTOM' so TEMPLATE rows cannot be deleted - deletes only rows where tenant_id IS NULL - returns the deleted UUID list for post-delete verification/logging request: Role deletion payload. Returns: Write operation compatible with PgUtility::ExecuteWrite. | - |
| [[nodiscard]] static ReadGrantQueryOperation MakeReadGrantQueryOperation( const grant::v1::GrantQueryRequest *request ); | Builds a read operation that searches t_role_grants joined with role and permission rows. The returned callback: - validates that request.query is present - filters by request.role_uuid when set (admin-scope rows only) - resolves SQL by searched protobuf descriptor and QueryMode - returns GrantQueryReply populated with query_result metadata and the matching grant rows (role and permission identity resolved server-side for client convenience) Throws: std::invalid_argument for null request or invalid query fields. | - |
| [[nodiscard]] static CreateGrantOperation MakeCreateGrantOperation( const grant::v1::GrantCreateRequest &request ); | Builds a write operation that inserts one t_role_grants row. The returned callback: - validates mask in [1, 31] - resolves the role and permission rows by uuid - refuses TEMPLATE-origin role targets (FAILED_PRECONDITION) - persists mask and optional valid_until - returns the inserted row mapped back into grant::v1::Grant Throws: std::invalid_argument for invalid request payloads. | - |
| [[nodiscard]] static UpdateGrantOperation MakeUpdateGrantOperation( const grant::v1::GrantUpdateRequest &request ); | Builds a write operation that updates the mutable fields (mask, valid_until) of one t_role_grants row. The returned callback: - validates grant_uuid non-empty - validates mask in [1, 31] - rejects role_uuid / perm_uuid changes on the update path (the pairing is the natural identity of the row) - refuses TEMPLATE-origin role targets (FAILED_PRECONDITION) - returns the updated row mapped back into grant::v1::Grant | - |
| [[nodiscard]] static DeleteGrantsOperation MakeDeleteGrantsOperation( const grant::v1::GrantDeleteRequest &request ); | Builds a write operation that deletes t_role_grants rows by uuid. The returned callback: - requires at least one non-empty grant uuid - refuses to delete grants owned by TEMPLATE-origin roles - returns the sorted, deduplicated uuid list for post-delete verification by the handler | - |
| [[nodiscard]] static LookupGrantOwnerRolesOperation MakeLookupGrantOwnerRolesOperation(std::vector<std::string> grant_uuids); | Builds a read operation that returns the role uuids that own the supplied grant uuids on admin-scope roles. The returned vector contains one entry per matched grant (rows that don't exist or are tenant-scoped are silently omitted). The handler uses this to decide whether the caller would be mutating a grant on a role they themselves currently hold. | - |
| [[nodiscard]] static ReadOidcProviderQueryOperation MakeReadOidcProviderQueryOperation( const oidc::v1::OidcProviderQueryRequest *request ); | Builds a read operation that loads the singleton ADMIN-scope OIDC identity provider + its connection. Joins t_identity_providers with t_identity_provider_oidcs and filters to scope = 'ADMIN'. The persisted introspection_client_secret ciphertext is NOT decrypted by this operation — connection replies leave the secret unset so the admin UI never surfaces it (the operator must retype it to change it). The OidcProvider.connection.uuid is populated from the OIDC row's uuid. Returns: Read operation compatible with PgUtility::ExecuteRead. | - |
| [[nodiscard]] static UpdateOidcProviderOperation MakeUpdateOidcProviderOperation( const oidc::v1::OidcProviderUpdateRequest &request ); | Builds a write operation that updates the singleton ADMIN OIDC provider's connection fields. Behaviour: - provider.uuid identifies the row; scope and tenant_uuid are immutable and rejected when changed against the persisted row. - Updates all OIDC connection fields from the request. - When introspection_client_secret is present in the proto, it is re-encrypted under the process SecretKey; when absent, the existing ciphertext is preserved (operator did not retype the secret). request: Update request payload. Returns: Write operation compatible with PgUtility::ExecuteWrite. | - |
| [[nodiscard]] static IsBootstrapInitializedOperation MakeIsBootstrapInitializedOperation(); | Builds a read operation that returns whether the system is already initialized. Returns true iff t_bootstrap_state has a row with initialized_on IS NOT NULL. Absent rows are reported as not-initialized. Returns: Read operation compatible with PgUtility::ExecuteRead. | - |
| [[nodiscard]] static BootstrapAdminOidcProviderOperation MakeBootstrapAdminOidcProviderOperation( const oidc::v1::OidcProvider &provider, std::vector<std::uint8_t> subject_id_hash, std::vector<std::uint8_t> install_secret_hash, std::vector<std::uint8_t> client_dek_blob, std::vector<std::uint8_t> client_profile_blob, std::vector<std::uint8_t> recovery_pin_plaintext ); | Builds the atomic one-shot ADMIN-scope OIDC bootstrap operation. This operation is invoked exclusively by ReefInitService.initialize. In one pqxx::work transaction it: - Locks t_bootstrap_state rows; fails closed if any row has initialized_on IS NOT NULL. - Inserts the singleton ADMIN row into t_identity_providers (the partial unique index t_identity_providers_admin_scope_uq enforces single-row at the schema level). - Inserts the matching row into t_identity_provider_oidcs with introspection_client_secret encrypted via the process SecretKey and base64-encoded. - When escrow blobs are provided, upserts a row into t_subject_profile_escrow keyed by subject_id_hash. Both dek_ciphertext and profile_ciphertext are wrapped a second time by the process SecretKey (with AAD pinned to subject_id_hash) before storage. - Writes / updates t_bootstrap_state.initialized_on = now() and t_bootstrap_state.initialized_by_subject_hash = $. provider: Validated ADMIN-scope OidcProvider from the init request. subject_id_hash: SHA-256 of iss\|sub extracted from the validated bearer token. client_dek_blob: Optional client-supplied opaque DEK blob; empty disables escrow. client_profile_blob: Optional client-supplied opaque profile blob; required iff DEK is present. recovery_pin_plaintext: Optional plaintext recovery PIN bytes (after KEM-decipher on the server). When non-empty, the operation generates a fresh per-row salt and stores the PIN encrypted under ProcessContext::GlobalSecretKey with the salt bound as AAD. Required for self-service profile recovery; absent when the user opted out of PIN escrow. Returns: Write operation compatible with PgUtility::ExecuteWrite. Throws: std::invalid_argument when the provider is not ADMIN-scoped or fields are missing. Throws: ServerAdminDbOperationError when the bootstrap row indicates the system is already initialized, or when DB invariants are violated. | - |
| [[nodiscard]] static LoadAdminOidcValidatorConfigOperation MakeLoadAdminOidcValidatorConfigOperation(); | Builds a read operation that loads the singleton ADMIN-scope OIDC validator configuration from t_identity_provider_oidcs. Returns std::nullopt when the system has not been initialized (no ADMIN row in t_identity_providers). When found, decrypts introspection_client_secret ciphertext using the process SecretKey so the validator can be constructed against any oidc_token_mode. The returned Config is suitable for direct construction of commons::OidcTokenValidator. Returns: Read operation compatible with PgUtility::ExecuteRead. Throws: ServerAdminDbOperationError when the row's token_mode enum value is unrecognized or the introspection secret ciphertext cannot be decrypted. | - |
| [[nodiscard]] static LoadPublicAdminOidcProviderOperation MakeLoadPublicAdminOidcProviderOperation(); | Builds a read operation that returns the public ADMIN-scope OIDC provider proto (no introspection client secret). Used by ReefStatusService.is_initialized so a fresh admin client can run a PKCE login against the same IdP without re-typing the issuer/client_id/audience. Returns std::nullopt when the system has not been initialized (no ADMIN row in t_identity_providers). | - |
| std::function<tenant::v1::TenantQueryReply(pqxx::read_transaction &)>; | - | - |
| [[nodiscard]] static ReadTenantQueryOperation MakeReadTenantQueryOperation( const tenant::v1::TenantQueryRequest *request ); | Builds a read operation that searches t_tenants joined with the per-tenant OIDC binding. The returned callback: - validates that request and request.query are present - validates common paging fields - resolves SQL by searched protobuf descriptor and QueryMode - returns TenantQueryReply populated with query_result metadata and the matching tenant rows Throws: std::invalid_argument for null request or invalid query fields. | - |
| [[nodiscard]] static CreateTenantOperation MakeCreateTenantOperation( const tenant::v1::TenantCreateRequest &request ); | Builds a write operation that creates one tenant atomically with its OIDC binding and seed roles. The returned callback runs inside one pqxx::work so: - t_tenants row insert (uuid override applied via COALESCE) - t_identity_providers row insert (scope=TENANT, FK=new tenant id) - t_identity_provider_oidcs row insert (issuer/audience/etc., with introspection client secret encrypted under the process SecretKey) - two t_roles TEMPLATE seeds inserted (tenant-super-admin and tenant-auditor, each with editable=false, domain=AUTHZ) - starter t_role_grants rows: every permission tagged TENANT-allowed in t_permission_allowed_role_types is granted to tenant-super-admin with mask=31 (CRUDX) and to tenant-auditor with mask=2 (Read only) commit together — partial failure rolls everything back so the tenant never lands without its identity-provider binding, starter roles, or starter grants. Throws: std::invalid_argument when validation rejects the request (tenant/display_name empty, OIDC missing, issuer/audience empty, uuid override malformed). | - |
| [[nodiscard]] static UpdateTenantOperation MakeUpdateTenantOperation( const tenant::v1::TenantUpdateRequest &request ); | Builds a write operation that updates one tenant row and its per-tenant OIDC connection atomically. The returned callback updates t_tenants (tenant, display_name, valid_until) and t_identity_provider_oidcs (every connection field) in one transaction. The introspection client secret follows the blank-keeps-existing convention used by the global ADMIN-scope OIDC update path. Throws: std::invalid_argument when the tenant uuid does not exist or validation rejects the request. | - |
| [[nodiscard]] static RetireTenantsOperation MakeRetireTenantsOperation( const tenant::v1::TenantRetireRequest &request ); | Builds a write operation that soft-retires tenants by flipping their valid_until to now(). Returns the list of retired uuids; throws when one or more uuids did not match a row. | - |
| [[nodiscard]] static DeleteTenantsOperation MakeDeleteTenantsOperation( const tenant::v1::TenantDeleteRequest &request ); | Builds a write operation that hard-deletes tenants by uuid. Relies on the schema's ON DELETE CASCADE on t_identity_providers.tenant_id and t_roles.tenant_id so the per-tenant OIDC binding, seed roles, and any role-grants are removed in the same transaction. Returns the list of deleted uuids; throws when one or more uuids did not match a row. | - |
## Header server_admin/exceptions.h
Error-code catalog and ReefLogicRuntimeError subclasses for the admin server.
Declares the error_codes::server_admin numeric catalog (kBootstrap, kConfiguration, kDbOperation, kAdminRoleTemplateProtected) and the matching exception hierarchy rooted at ServerAdminRuntimeError. ServerAdminDbOperationError flags malformed persisted state (used widely by DbOperationUtility and the row-mapping helpers in oidc_row_mapping.h); ServerAdminBootstrapError covers the one-shot t_bootstrap_state flow used by ReefInitServiceImpl; AdminRoleTemplateProtectedError is raised when an UPDATE or DELETE targets a TEMPLATE-origin row in t_roles and is mapped to gRPC FAILED_PRECONDITION by the envelope plumbing in reef_server_common::command_envelope; ServerAdminConfigurationError covers missing or malformed runtime configuration values.
See also: reeflogic/commons/exceptions.h, reef_server_common/command_envelope.h
### Classes
#### ServerAdminRuntimeError
No public method declarations found.
#### ServerAdminDbOperationError
No public method declarations found.
#### ServerAdminBootstrapError
No public method declarations found.
#### AdminRoleTemplateProtectedError
No public method declarations found.
#### ServerAdminConfigurationError
No public method declarations found.
## Header server_admin/reef_admin_authn_filter.h
gRPC interceptor factory and cache reset hook for ReefAdminService AuthN.
Declares BuildReefAdminAuthNInterceptorCreators(), which returns the interceptor factories that authenticate every reeflogic.admin.v1.ReefAdminService RPC. The interceptors read authorization: Bearer <JWT> metadata, lazily build a process-cached commons::OidcTokenValidator from the singleton ADMIN-scope t_identity_provider_oidcs row (with introspection_client_secret decrypted under the process SecretKey), validate the bearer token, resolve the caller through OidcSubjectResolver in kAdmin scope with a 3-minute TTL cache keyed by iss|sub, and stash the resolved commons::Subject in per-RPC context for downstream AuthZ. ResetAdminAuthnCaches() drops the validator and subject cache so the next request rebuilds them from fresh DB state; call it after any write that touches the ADMIN provider, its OIDC connection, or role-grant rows that affect subject resolution.
See also: reef_admin_service.proto, reeflogic/commons/oidc_token_validator.h
### Functions
| Signature | Description | Referenced Types |
|---|---|---|
| [[nodiscard]] std::vector<std::unique_ptr<grpc::experimental::ServerInterceptorFactoryInterface>> BuildReefAdminAuthNInterceptorCreators(); | Builds gRPC interceptor creators for ReefAdminService AuthN. Scope: - Applies only to reeflogic.admin.v1.ReefAdminService RPC methods. - Runs AuthN and stores per-RPC subject context for service-level AuthZ. Current AuthN flow: - Reads authorization: Bearer <JWT> metadata. - Lazily constructs a process-cached OidcTokenValidator from the singleton ADMIN-scope OIDC connection persisted in t_identity_provider_oidcs (introspection client secret is decrypted via the process SecretKey). - Validates the bearer token via OidcTokenValidator::ValidateBearerToken (signature, time, iss, aud, sub). - Resolves the subject via OidcSubjectResolver in kAdmin scope, caching the resolved Subject keyed by iss\|sub for 3 minutes. - Stores resolved Subject in per-RPC context for downstream AuthZ/service use. The cached validator and the resolved-subject cache are bound to the ADMIN OIDC config and the role-membership rows read at request time. After an OIDC_PROVIDER_UPDATE (or any other change to the ADMIN provider / its role grants), call ResetAdminAuthnCaches() so the next AuthN request rebuilds the validator from the fresh DB row. Returns: Interceptor creators for grpc::ServerBuilder::experimental().SetInterceptorCreators(...). | - |
| void ResetAdminAuthnCaches(); | Drops the cached OidcTokenValidator and clears the resolved-subject TTL cache so the next request rebuilds both from the current DB state. Call this after any write that mutates the ADMIN OIDC connection or affects subject role resolution. | - |
Header server_admin/reef_admin_service_impl.h¶
Async callback gRPC service for the admin command surface.
Declares ReefAdminServiceImpl, the admin::v1::ReefAdminService::CallbackService implementation that backs the execute(AdminExecuteRequest) RPC defined in reef_admin_service.proto. The execute path resolves the AuthorizationPolicy from command metadata via CommandHandler::ResolveAdminCommandAuthorizationPolicy, reads the authenticated commons::Subject set by the interceptor stack from reef_admin_authn_filter, applies the permission check through the cached AdminAuthorizer, and delegates to CommandHandler::Handle for dispatch and reply envelope construction. Application errors are encoded into AdminExecuteReply.status; the gRPC transport status stays OK when the request/response pair is well-formed.
See also: reef_admin_service.proto, server_admin/command_handler.h
Classes¶
ReefAdminServiceImpl¶
| Public Member Signature | Description | Referenced Types |
|---|---|---|
| grpc::ServerUnaryReactor *execute( grpc::CallbackServerContext *context, const cmd::v1::AdminExecuteRequest *request, cmd::v1::AdminExecuteReply *response ) override; | Executes one admin command encoded in AdminExecuteRequest. | - |
Header server_admin/reef_init_authn_filter.h¶
gRPC interceptor factory for the one-time ReefInitService AuthN.
Declares BuildReefInitAuthNInterceptorCreators(), the factory used during server startup to gate reeflogic.init.v1.ReefInitService calls. Interceptors verify the authorization: Bearer <JWT> metadata using HS256 against the reef_init_auth_shared_secret from runtime configuration; claim validation is intentionally minimal because the service runs only before bootstrap completes and is paired with the t_bootstrap_state guard inside ReefInitServiceImpl::initialize. The AuthZ phase is currently pass-through; richer subject handling resumes once the admin OIDC provider is seeded and reef_admin_authn_filter takes over.
Note: The interceptor stack here must not be installed for ReefAdminService or ReefStatusService.
See also: reef_init_service.proto, server_admin/reef_init_service_impl.h
Functions¶
| Signature | Description | Referenced Types |
|---|---|---|
| [[nodiscard]] std::vector<std::unique_ptr<grpc::experimental::ServerInterceptorFactoryInterface>> BuildReefInitAuthNInterceptorCreators(std::string reef_init_auth_shared_secret); | Builds shared gRPC interceptor creators for ReefInitService AuthN. Scope: applies only to reeflogic.init.v1.ReefInitService methods; the authentication phase validates authorization: Bearer <JWT> using HS256 signature verification against reef_init_auth_shared_secret; the authorization phase is currently pass-through allow. Notes: signature verification is intentionally claim-agnostic for the setup phase; detailed claim/identity processing continues in post-init admin flows. reef_init_auth_shared_secret: bootstrap shared secret from config. Returns: interceptor creators suitable for grpc::ServerBuilder::experimental().SetInterceptorCreators(...). | - |
Header server_admin/reef_init_service_impl.h¶
Async callback gRPC service for one-shot admin bootstrap.
Declares ReefInitServiceImpl, the init::v1::ReefInitService::CallbackService implementation that backs the initialize(ReefInitialize) RPC defined in reef_init_service.proto. The handler executes the atomic DbOperationUtility::MakeBootstrapAdminOidcProviderOperation flow: locking t_bootstrap_state, inserting the singleton ADMIN row in t_identity_providers and its connection in t_identity_provider_oidcs (with introspection_client_secret encrypted under the process SecretKey), optionally writing the client-supplied DEK / profile escrow blobs into t_subject_profile_escrow, and stamping t_bootstrap_state.initialized_on with the caller's subject hash. Subsequent invocations fail closed via ServerAdminBootstrapError.
See also: reef_init_service.proto, server_admin/db_operation_utility.h
Classes¶
ReefInitServiceImpl¶
| Public Member Signature | Description | Referenced Types |
|---|---|---|
| grpc::ServerUnaryReactor *initialize( grpc::CallbackServerContext *context, const reeflogic::admin::v1::ReefInitialize *request, google::protobuf::Empty *response ) override; | - | reeflogic::admin::v1::ReefInitialize |
Header server_admin/reef_status_service_impl.h¶
Async callback gRPC service for the unauthenticated status endpoint.
Declares ReefStatusServiceImpl, the status::v1::ReefStatusService::CallbackService implementation that backs the is_initialized() RPC from reef_status_service.proto. The handler runs DbOperationUtility::MakeIsBootstrapInitializedOperation plus MakeLoadPublicAdminOidcProviderOperation to report whether t_bootstrap_state records a completed bootstrap and to return the public ADMIN-scope oidc::v1::OidcProvider (without introspection_client_secret) along with semantic build metadata. This lets a fresh admin client discover the IdP and run a PKCE login without operator re-entry.
Note: This service is deliberately excluded from both reef_admin_authn_filter and reef_init_authn_filter so the endpoint can be reached before any authentication state exists.
See also: reef_status_service.proto
Classes¶
ReefStatusServiceImpl¶
| Public Member Signature | Description | Referenced Types |
|---|---|---|
| grpc::ServerUnaryReactor *is_initialized( grpc::CallbackServerContext *context, const google::protobuf::Empty *request, ::reeflogic::admin::v1::ServerStatus *response ) override; | Returns initialization state and semantic build/version metadata. | reeflogic::admin::v1::ServerStatus |