pacs_system/access__control__manager_8h_source.html

// BSD 3-Clause License

// Copyright (c) 2021-2025, 🍀☀🌕🌥 🌊

// See the LICENSE file in the project root for full license information.


#pragma once


#include "permission.h"

#include "security_storage_interface.h"

#include "user.h"

#include "user_context.h"

#include <functional>

#include <map>

#include <memory>

#include <mutex>

#include <optional>

#include <vector>


namespace kcenon::pacs::security {


enum class DicomOperation {

  CStore,

  CFind,

  CMove,

  CGet,

  CEcho,

  NCreate,

  NSet,

  NGet,

  NDelete,

  NAction,

  NEventReport

};


struct AccessCheckResult {

  bool allowed{false};

  std::string reason;


  static AccessCheckResult allow() { return {true, ""}; }


  static AccessCheckResult deny(std::string reason) {

    return {false, std::move(reason)};

  }


  explicit operator bool() const { return allowed; }

};


using AccessAuditCallback =

    std::function<void(const user_context &ctx, DicomOperation op,

                       const AccessCheckResult &result)>;


class access_control_manager {

public:

  access_control_manager();


  // Permission Checks

  [[nodiscard]] bool check_permission(const User &user, ResourceType resource,

                                      std::uint32_t action_mask) const;

  [[nodiscard]] bool has_role(const User &user, Role role) const;


  [[nodiscard]] auto validate_access(const user_context &ctx,

                                     ResourceType resource,

                                     std::uint32_t action_mask)

      -> kcenon::common::VoidResult;


  [[nodiscard]] AccessCheckResult check_dicom_operation(const user_context &ctx,

                                                        DicomOperation op) const;


  [[nodiscard]] std::optional<user_context> get_context_for_ae(

      std::string_view ae_title, const std::string &session_id) const;


  // Configuration

  void set_role_permissions(Role role, std::vector<Permission> permissions);

  [[nodiscard]] const std::vector<Permission> &

  get_role_permissions(Role role) const;


  // Storage Integration

  void set_storage(std::shared_ptr<security_storage_interface> storage);


  // AE Title to User mapping

  void register_ae_title(std::string_view ae_title, std::string_view user_id);

  void unregister_ae_title(std::string_view ae_title);


  // Audit callback

  void set_audit_callback(AccessAuditCallback callback);


  // User Management Facade

  [[nodiscard]] auto create_user(const User &user)

      -> kcenon::common::VoidResult;

  [[nodiscard]] auto assign_role(std::string_view user_id, Role role)

      -> kcenon::common::VoidResult;

  [[nodiscard]] auto get_user(std::string_view id)

      -> kcenon::common::Result<User>;


  [[nodiscard]] auto get_user_by_ae_title(std::string_view ae_title)

      -> std::optional<User>;


private:

  std::map<Role, std::vector<Permission>> role_permissions_;

  std::shared_ptr<security_storage_interface> storage_;

  std::map<std::string, std::string> ae_to_user_id_;

  AccessAuditCallback audit_callback_;

  mutable std::mutex mutex_;


  void initialize_default_permissions();


  static std::pair<ResourceType, std::uint32_t>

  map_dicom_operation(DicomOperation op);

};


} // namespace kcenon::pacs::security


kcenon::common::Result
Definition study_lock_manager.h:36

kcenon::pacs::security::access_control_manager
Manages permissions and access checks.
Definition access_control_manager.h:71

kcenon::pacs::security::access_control_manager::unregister_ae_title
void unregister_ae_title(std::string_view ae_title)
Definition access_control_manager.cpp:248

kcenon::pacs::security::access_control_manager::get_user_by_ae_title
auto get_user_by_ae_title(std::string_view ae_title) -> std::optional< User >
Get user by AE Title.
Definition access_control_manager.cpp:253

kcenon::pacs::security::access_control_manager::create_user
auto create_user(const User &user) -> kcenon::common::VoidResult
Definition access_control_manager.cpp:92

kcenon::pacs::security::access_control_manager::has_role
bool has_role(const User &user, Role role) const
Definition access_control_manager.cpp:147

kcenon::pacs::security::access_control_manager::check_permission
bool check_permission(const User &user, ResourceType resource, std::uint32_t action_mask) const
Definition access_control_manager.cpp:128

kcenon::pacs::security::access_control_manager::map_dicom_operation
static std::pair< ResourceType, std::uint32_t > map_dicom_operation(DicomOperation op)
Map DICOM operation to resource type and action.
Definition access_control_manager.cpp:25

kcenon::pacs::security::access_control_manager::check_dicom_operation
AccessCheckResult check_dicom_operation(const user_context &ctx, DicomOperation op) const
Check if a DICOM operation is allowed.
Definition access_control_manager.cpp:188

kcenon::pacs::security::access_control_manager::set_role_permissions
void set_role_permissions(Role role, std::vector< Permission > permissions)
Definition access_control_manager.cpp:151

kcenon::pacs::security::access_control_manager::mutex_
std::mutex mutex_
Definition access_control_manager.h:146

kcenon::pacs::security::access_control_manager::role_permissions_
std::map< Role, std::vector< Permission > > role_permissions_
Definition access_control_manager.h:142

kcenon::pacs::security::access_control_manager::get_user
auto get_user(std::string_view id) -> kcenon::common::Result< User >
Definition access_control_manager.cpp:100

kcenon::pacs::security::access_control_manager::register_ae_title
void register_ae_title(std::string_view ae_title, std::string_view user_id)
Definition access_control_manager.cpp:242

kcenon::pacs::security::access_control_manager::initialize_default_permissions
void initialize_default_permissions()
Definition access_control_manager.cpp:53

kcenon::pacs::security::access_control_manager::set_storage
void set_storage(std::shared_ptr< security_storage_interface > storage)
Definition access_control_manager.cpp:87

kcenon::pacs::security::access_control_manager::validate_access
auto validate_access(const user_context &ctx, ResourceType resource, std::uint32_t action_mask) -> kcenon::common::VoidResult
Validate access for a user context.
Definition access_control_manager.cpp:170

kcenon::pacs::security::access_control_manager::get_role_permissions
const std::vector< Permission > & get_role_permissions(Role role) const
Definition access_control_manager.cpp:157

kcenon::pacs::security::access_control_manager::storage_
std::shared_ptr< security_storage_interface > storage_
Definition access_control_manager.h:143

kcenon::pacs::security::access_control_manager::access_control_manager
access_control_manager()
Definition access_control_manager.cpp:16

kcenon::pacs::security::access_control_manager::set_audit_callback
void set_audit_callback(AccessAuditCallback callback)
Definition access_control_manager.cpp:278

kcenon::pacs::security::access_control_manager::ae_to_user_id_
std::map< std::string, std::string > ae_to_user_id_
Definition access_control_manager.h:144

kcenon::pacs::security::access_control_manager::assign_role
auto assign_role(std::string_view user_id, Role role) -> kcenon::common::VoidResult
Definition access_control_manager.cpp:108

kcenon::pacs::security::access_control_manager::get_context_for_ae
std::optional< user_context > get_context_for_ae(std::string_view ae_title, const std::string &session_id) const
Get user context for an AE Title.
Definition access_control_manager.cpp:212

kcenon::pacs::security::access_control_manager::audit_callback_
AccessAuditCallback audit_callback_
Definition access_control_manager.h:145

kcenon::pacs::security::user_context
Represents the security context for a user session.
Definition user_context.h:29

kcenon::pacs::security
Definition access_control_manager.h:27

kcenon::pacs::security::Role
Role
User roles in the PACS system.
Definition role.h:25

kcenon::pacs::security::atna_object_role::resource
@ resource

kcenon::pacs::security::AccessAuditCallback
std::function< void(const user_context &ctx, DicomOperation op, const AccessCheckResult &result)> AccessAuditCallback
Callback for audit logging of access attempts.
Definition access_control_manager.h:64

kcenon::pacs::security::ResourceType
ResourceType
Categories of resources requiring protection.
Definition permission.h:25

kcenon::pacs::security::DicomOperation
DicomOperation
DICOM operation types for permission checking.
Definition access_control_manager.h:32

kcenon::pacs::security::DicomOperation::NDelete
@ NDelete
N-DELETE.

kcenon::pacs::security::DicomOperation::NEventReport
@ NEventReport
N-EVENT-REPORT.

kcenon::pacs::security::DicomOperation::NAction
@ NAction
N-ACTION.

kcenon::pacs::security::DicomOperation::CMove
@ CMove
C-MOVE (retrieve/move)

kcenon::pacs::security::DicomOperation::CFind
@ CFind
C-FIND (query)

kcenon::pacs::security::DicomOperation::CGet
@ CGet
C-GET (retrieve)

kcenon::pacs::security::DicomOperation::NCreate
@ NCreate
N-CREATE.

kcenon::pacs::security::DicomOperation::NSet
@ NSet
N-SET.

kcenon::pacs::security::DicomOperation::CStore
@ CStore
C-STORE (storage)

kcenon::pacs::security::DicomOperation::CEcho
@ CEcho
C-ECHO (verification)

kcenon::pacs::security::DicomOperation::NGet
@ NGet
N-GET.

permission.h
Permission definitions for RBAC.

security_storage_interface.h
Storage interface for RBAC persistence.

kcenon::pacs::security::AccessCheckResult
Result of an access check.
Definition access_control_manager.h:49

kcenon::pacs::security::AccessCheckResult::reason
std::string reason
Definition access_control_manager.h:51

kcenon::pacs::security::AccessCheckResult::allow
static AccessCheckResult allow()
Definition access_control_manager.h:53

kcenon::pacs::security::AccessCheckResult::deny
static AccessCheckResult deny(std::string reason)
Definition access_control_manager.h:54

kcenon::pacs::security::AccessCheckResult::allowed
bool allowed
Definition access_control_manager.h:50

kcenon::pacs::security::User
Represents a user in the system.
Definition user.h:26

user.h
User definition for RBAC.

user_context.h
User context for session-based access control.