cloud-api/src/iam/router.py

"""
Router endpoints for IAM

Endpoints:
 - [POST](/iam/can_act_on_resource): [API key & user claim]: Service access point to verify user permissions
 - [GET](/iam/group/permissions):  [root user]: Gets list of perms(service, resource, action) the given group(id) has
 - [DELETE](/iam/group/permissions):  [root user]: Removes a given perm(id) from the given group(id)
 - [GET](/iam/group/users):  [root user]: Gets a list of users(id, name, email) that are assigned to the given group(id)
 - [POST](/iam/group):  [root user]: Creates a new group for the given org(id)
 - [PUT](/iam/group/permission):  [root user]: Assigns a perm(id) to the given group(id)
 - [PUT](/iam/group/user):  [root user]: Assigns a user(id) to a group(id)
 - [DELETE](/iam/group/user):  [root user]: Removes a user(id) from the given group(id)
 - [GET](/iam/permissions):  [root user]: Gets a list of all permissions
 - [POST](/iam/permission):  [super admin]: Creates a new permission
 - [DELETE](/iam/permission):  [super admin]: Removes a permission
 - [GET](/iam/permissions/search):  [root user]: Returns a list of permissions matching a filter(service|resource|action)
"""
from fastapi import APIRouter, status
from sqlalchemy.exc import IntegrityError
from psycopg import errors

from src.exceptions import ConflictException
from src.database import db_dependency
from src.schemas import ResourceName
from src.auth.exceptions import UnauthorizedException
from src.auth.service import claims_dependency
from src.auth.dependencies import org_model_root_claim_query_dependency, org_model_root_claim_body_dependency, \
	super_admin_dependency
from src.user.models import User
from src.user.dependencies import user_model_body_dependency
from src.organisation.models import Organisation as Org
from src.service.models import Service

from src.iam.service import service_key_dependency
from src.iam.models import Permission as Perm, GroupPermissions as GPerms, Group, UserGroups
from src.iam.dependencies import group_model_query_dependency, group_model_body_dependency, perm_model_body_dependency
from src.iam.schemas import IAMGetGroupPermissionsResponse, IAMGetGroupUsersResponse, IAMPostGroupRequest, \
	GroupSchema, IAMPostGroupResponse, IAMPutGroupPermissionRequest, IAMPutGroupPermissionResponse, \
	IAMPutGroupUserRequest, IAMPutGroupUserResponse, IAMDeleteGroupPermissionRequest, IAMDeleteGroupPermissionResponse, \
	IAMDeleteGroupUserRequest, IAMDeleteGroupUserResponse, IAMGetPermissionsResponse, IAMPostPermissionRequest, \
	IAMPostPermissionResponse, PermissionSchema, IAMDeletePermissionRequest, IAMGetPermissionsSearchRequest, IAMGetPermissionsSearchResponse

router = APIRouter(
	tags=["IAM"],
	prefix="/iam",
)


@router.post("/can_act_on_resource")
async def can_act_on_resource(valid_key: service_key_dependency, db: db_dependency, user_claims: claims_dependency,
                              rn: ResourceName, action: str) -> bool:
	try:
		user_id = user_claims["db_id"]
		rn_org = rn.organisation
		rn_service = rn.service
		rn_resource = rn.resource

		result = (db.query(Perm)
		          .join(Service, Service.id == Perm.service_id)
		          .join(GPerms, GPerms.permission_id == Perm.id)
		          .join(Group, Group.id == GPerms.group_id)
		          .join(Org, Org.id == Group.org_id)
		          .join(UserGroups, UserGroups.group_id == Group.id)
		          .join(User, User.id == UserGroups.user_id)
		          .filter(User.id == user_id)
				  .filter(Org.name == rn_org)
				  .filter(Service.name == rn_service)
				  .filter(Perm.resource == rn_resource)
				  .filter(Perm.action == action)
		).first()

		if result:
			return True
		else:
			return False
	except Exception:
		raise UnauthorizedException()


@router.get("/group/permissions", response_model=IAMGetGroupPermissionsResponse)
async def get_group_permissions(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency):
	if group_model.org_id != org_model.id:
		raise UnauthorizedException()
	return {"permissions": group_model.permission_rel}


@router.get("/group/users", response_model=IAMGetGroupUsersResponse)
async def get_group_users(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency):
	if group_model.org_id != org_model.id:
		raise UnauthorizedException()
	return {"users": group_model.user_rel}


@router.post("/group", response_model=IAMPostGroupResponse)
async def create_group(db: db_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPostGroupRequest):
	group_model = Group(name=request_model.name, org_id=org_model.id)

	db.add(group_model)
	try:
		db.flush()
	except IntegrityError as e:
		if isinstance(e.orig, errors.UniqueViolation):
			raise ConflictException("Group with this name already exists")
	response = GroupSchema(**group_model.__dict__)
	db.commit()
	return {"group": response}


@router.put("/group/permission", response_model=IAMPutGroupPermissionResponse)
async def add_group_permission(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupPermissionRequest):
	if group_model.org_id == org_model.id:
		raise UnauthorizedException()

	if perm_model in group_model.permission_rel:
		raise ConflictException("Group already has this permission")

	group_model.permission_rel.append(perm_model)

	db.flush()
	response = IAMPutGroupPermissionResponse(group=GroupSchema(**group_model.__dict__), permissions=group_model.permission_rel)
	db.commit()
	return response


@router.put("/group/user")
async def add_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupUserRequest):
	if group_model.org_id == org_model.id:
		raise UnauthorizedException()

	if user_model in group_model.user_rel:
		raise ConflictException("User already in group")

	group_model.user_rel.append(user_model)
	db.flush()
	response = IAMPutGroupUserResponse(group=GroupSchema(**group_model.__dict__), users=group_model.user_rel)
	db.commit()
	return response


@router.delete("/group/permissions")
async def remove_group_permissions(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupPermissionRequest):
	if group_model.org_id == org_model.id:
		raise UnauthorizedException()

	group_model.permission_rel.remove(perm_model)
	db.flush()
	response = IAMDeleteGroupPermissionResponse(group=GroupSchema(**group_model.__dict__),
	                                            permissions=group_model.permission_rel)
	db.commit()
	return response


@router.delete("/group/user")
async def remove_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupUserRequest):
	if group_model.org_id == org_model.id:
		raise UnauthorizedException()

	user_model.group_rel.remove(group_model)
	db.flush()
	response = IAMDeleteGroupUserResponse(group=GroupSchema(**group_model.__dict__), users=group_model.user_rel)
	db.commit()

	return response


@router.get("/permissions", response_model=IAMGetPermissionsResponse)
async def get_permissions(db: db_dependency, org_model: org_model_root_claim_body_dependency):
	permission_models = db.query(Perm).all()

	return {"permissions": permission_models}


@router.post("/permission")
async def create_new_permission(db: db_dependency, su: super_admin_dependency, request_mode: IAMPostPermissionRequest):
	perm_model = Perm(**request_mode.__dict__)
	try:
		db.add(perm_model)
	except IntegrityError as e:
		if isinstance(e.orig, errors.UniqueViolation):
			raise ConflictException(message="Permission already exists")
	db.flush()
	response = IAMPostPermissionResponse(permission=PermissionSchema(**perm_model.__dict__))
	db.commit()
	return response


@router.delete("/permission", status_code=status.HTTP_204_NO_CONTENT)
async def delete_permission(db: db_dependency, su: super_admin_dependency, perm_model: perm_model_body_dependency, request_model: IAMDeletePermissionRequest):
	db.delete(perm_model)
	db.commit()


@router.get("/permissions/search", response_model=IAMGetPermissionsSearchResponse)
async def get_permissions(db: db_dependency, org_model: org_model_root_claim_body_dependency, search: IAMGetPermissionsSearchRequest):
	permission_query = db.query(Perm)

	if search.service_id is not None:
		permission_query = permission_query.filter(Perm.service_id == search.service_id)

	if search.resource is not None:
		permission_query = permission_query.filter(Perm.resource == search.resource)

	if search.action is not None:
		permission_query = permission_query.filter(Perm.action == search. action)

	permission_models = permission_query.all()

	return {"permissions": permission_models}
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`"""`
docs: iam docstrings Issue: #13 2026-05-28 13:22:24 +01:00			`Router endpoints for IAM`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
			`Endpoints:`
docs: iam docstrings Issue: #13 2026-05-28 13:22:24 +01:00			`- [POST](/iam/can_act_on_resource): [API key & user claim]: Service access point to verify user permissions`
			`- [GET](/iam/group/permissions): [root user]: Gets list of perms(service, resource, action) the given group(id) has`
			`- [DELETE](/iam/group/permissions): [root user]: Removes a given perm(id) from the given group(id)`
			`- [GET](/iam/group/users): [root user]: Gets a list of users(id, name, email) that are assigned to the given group(id)`
			`- [POST](/iam/group): [root user]: Creates a new group for the given org(id)`
			`- [PUT](/iam/group/permission): [root user]: Assigns a perm(id) to the given group(id)`
			`- [PUT](/iam/group/user): [root user]: Assigns a user(id) to a group(id)`
			`- [DELETE](/iam/group/user): [root user]: Removes a user(id) from the given group(id)`
			`- [GET](/iam/permissions): [root user]: Gets a list of all permissions`
			`- [POST](/iam/permission): [super admin]: Creates a new permission`
			`- [DELETE](/iam/permission): [super admin]: Removes a permission`
			`- [GET](/iam/permissions/search): [root user]: Returns a list of permissions matching a filter(service\|resource\|action)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`"""`
feat: custom exceptions instead of direct fastapi.httpexceptions Resolves #2 2026-05-27 14:58:10 +01:00			`from fastapi import APIRouter, status`
feat: handling for integrity errors Resolves: #7 2026-05-27 16:26:34 +01:00			`from sqlalchemy.exc import IntegrityError`
			`from psycopg import errors`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
minor: global exception names 2026-05-29 09:50:09 +01:00			`from src.exceptions import ConflictException`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`from src.database import db_dependency`
			`from src.schemas import ResourceName`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`from src.auth.exceptions import UnauthorizedException`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`from src.auth.service import claims_dependency`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`from src.auth.dependencies import org_model_root_claim_query_dependency, org_model_root_claim_body_dependency, \`
			`super_admin_dependency`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`from src.user.models import User`
feat: custom exceptions instead of direct fastapi.httpexceptions Resolves #2 2026-05-27 14:58:10 +01:00			`from src.user.dependencies import user_model_body_dependency`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`from src.organisation.models import Organisation as Org`
			`from src.service.models import Service`

			`from src.iam.service import service_key_dependency`
			`from src.iam.models import Permission as Perm, GroupPermissions as GPerms, Group, UserGroups`
feat: iam dependencies IAM endpoints now use dependencies to perform most initial database get requests. Issue #6 2026-05-27 11:11:19 +01:00			`from src.iam.dependencies import group_model_query_dependency, group_model_body_dependency, perm_model_body_dependency`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`from src.iam.schemas import IAMGetGroupPermissionsResponse, IAMGetGroupUsersResponse, IAMPostGroupRequest, \`
minor: iam schema nomenclature 2026-05-28 13:37:32 +01:00			`GroupSchema, IAMPostGroupResponse, IAMPutGroupPermissionRequest, IAMPutGroupPermissionResponse, \`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`IAMPutGroupUserRequest, IAMPutGroupUserResponse, IAMDeleteGroupPermissionRequest, IAMDeleteGroupPermissionResponse, \`
			`IAMDeleteGroupUserRequest, IAMDeleteGroupUserResponse, IAMGetPermissionsResponse, IAMPostPermissionRequest, \`
minor: iam schema nomenclature 2026-05-28 13:37:32 +01:00			`IAMPostPermissionResponse, PermissionSchema, IAMDeletePermissionRequest, IAMGetPermissionsSearchRequest, IAMGetPermissionsSearchResponse`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
			`router = APIRouter(`
			`tags=["IAM"],`
			`prefix="/iam",`
			`)`


			`@router.post("/can_act_on_resource")`
			`async def can_act_on_resource(valid_key: service_key_dependency, db: db_dependency, user_claims: claims_dependency,`
			`rn: ResourceName, action: str) -> bool:`
			`try:`
			`user_id = user_claims["db_id"]`
			`rn_org = rn.organisation`
			`rn_service = rn.service`
			`rn_resource = rn.resource`

			`result = (db.query(Perm)`
			`.join(Service, Service.id == Perm.service_id)`
			`.join(GPerms, GPerms.permission_id == Perm.id)`
			`.join(Group, Group.id == GPerms.group_id)`
			`.join(Org, Org.id == Group.org_id)`
			`.join(UserGroups, UserGroups.group_id == Group.id)`
			`.join(User, User.id == UserGroups.user_id)`
			`.filter(User.id == user_id)`
			`.filter(Org.name == rn_org)`
			`.filter(Service.name == rn_service)`
			`.filter(Perm.resource == rn_resource)`
			`.filter(Perm.action == action)`
			`).first()`

			`if result:`
			`return True`
			`else:`
			`return False`
feat: custom exceptions instead of direct fastapi.httpexceptions Resolves #2 2026-05-27 14:58:10 +01:00			`except Exception:`
			`raise UnauthorizedException()`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`@router.get("/group/permissions", response_model=IAMGetGroupPermissionsResponse)`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def get_group_permissions(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency):`
			`if group_model.org_id != org_model.id:`
			`raise UnauthorizedException()`
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`return {"permissions": group_model.permission_rel}`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`@router.get("/group/users", response_model=IAMGetGroupUsersResponse)`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def get_group_users(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency):`
fix: inverted conditional in get group users 2026-06-02 12:22:36 +01:00			`if group_model.org_id != org_model.id:`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`raise UnauthorizedException()`
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`return {"users": group_model.user_rel}`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`@router.post("/group", response_model=IAMPostGroupResponse)`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def create_group(db: db_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPostGroupRequest):`
feat: org dependencies Org endpoints use query/body model dependencies to perform initial db lookups. Issue #6 Org ID path params have been replaced with either query params (get endpoints) or body values. Resolves #10 Endpoints in other modules that rely on an org model lookup have also been updated. 2026-05-27 12:21:03 +01:00			`group_model = Group(name=request_model.name, org_id=org_model.id)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
			`db.add(group_model)`
feat: handling for integrity errors Resolves: #7 2026-05-27 16:26:34 +01:00			`try:`
			`db.flush()`
			`except IntegrityError as e:`
			`if isinstance(e.orig, errors.UniqueViolation):`
minor: global exception names 2026-05-29 09:50:09 +01:00			`raise ConflictException("Group with this name already exists")`
minor: iam schema nomenclature 2026-05-28 13:37:32 +01:00			`response = GroupSchema(**group_model.__dict__)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`db.commit()`
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`return {"group": response}`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`@router.put("/group/permission", response_model=IAMPutGroupPermissionResponse)`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def add_group_permission(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupPermissionRequest):`
			`if group_model.org_id == org_model.id:`
			`raise UnauthorizedException()`

feat: handling for integrity errors Resolves: #7 2026-05-27 16:26:34 +01:00			`if perm_model in group_model.permission_rel:`
minor: global exception names 2026-05-29 09:50:09 +01:00			`raise ConflictException("Group already has this permission")`
feat: handling for integrity errors Resolves: #7 2026-05-27 16:26:34 +01:00
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`group_model.permission_rel.append(perm_model)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`db.flush()`
minor: iam schema nomenclature 2026-05-28 13:37:32 +01:00			`response = IAMPutGroupPermissionResponse(group=GroupSchema(**group_model.__dict__), permissions=group_model.permission_rel)`
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`db.commit()`
			`return response`


			`@router.put("/group/user")`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def add_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupUserRequest):`
			`if group_model.org_id == org_model.id:`
			`raise UnauthorizedException()`

feat: handling for integrity errors Resolves: #7 2026-05-27 16:26:34 +01:00			`if user_model in group_model.user_rel:`
minor: global exception names 2026-05-29 09:50:09 +01:00			`raise ConflictException("User already in group")`
feat: handling for integrity errors Resolves: #7 2026-05-27 16:26:34 +01:00
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`group_model.user_rel.append(user_model)`
			`db.flush()`
minor: iam schema nomenclature 2026-05-28 13:37:32 +01:00			`response = IAMPutGroupUserResponse(group=GroupSchema(**group_model.__dict__), users=group_model.user_rel)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`db.commit()`
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`return response`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

			`@router.delete("/group/permissions")`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def remove_group_permissions(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupPermissionRequest):`
			`if group_model.org_id == org_model.id:`
			`raise UnauthorizedException()`

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`group_model.permission_rel.remove(perm_model)`
			`db.flush()`
minor: iam schema nomenclature 2026-05-28 13:37:32 +01:00			`response = IAMDeleteGroupPermissionResponse(group=GroupSchema(**group_model.__dict__),`
			`permissions=group_model.permission_rel)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`db.commit()`
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`return response`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

			`@router.delete("/group/user")`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def remove_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupUserRequest):`
			`if group_model.org_id == org_model.id:`
			`raise UnauthorizedException()`

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`user_model.group_rel.remove(group_model)`
			`db.flush()`
minor: iam schema nomenclature 2026-05-28 13:37:32 +01:00			`response = IAMDeleteGroupUserResponse(group=GroupSchema(**group_model.__dict__), users=group_model.user_rel)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`db.commit()`
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00
			`return response`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`@router.get("/permissions", response_model=IAMGetPermissionsResponse)`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def get_permissions(db: db_dependency, org_model: org_model_root_claim_body_dependency):`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`permission_models = db.query(Perm).all()`

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`return {"permissions": permission_models}`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

			`@router.post("/permission")`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def create_new_permission(db: db_dependency, su: super_admin_dependency, request_mode: IAMPostPermissionRequest):`
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`perm_model = Perm(**request_mode.__dict__)`
feat: handling for integrity errors Resolves: #7 2026-05-27 16:26:34 +01:00			`try:`
			`db.add(perm_model)`
			`except IntegrityError as e:`
			`if isinstance(e.orig, errors.UniqueViolation):`
minor: global exception names 2026-05-29 09:50:09 +01:00			`raise ConflictException(message="Permission already exists")`
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`db.flush()`
minor: iam schema nomenclature 2026-05-28 13:37:32 +01:00			`response = IAMPostPermissionResponse(permission=PermissionSchema(**perm_model.__dict__))`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`db.commit()`
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`return response`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`@router.delete("/permission", status_code=status.HTTP_204_NO_CONTENT)`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def delete_permission(db: db_dependency, su: super_admin_dependency, perm_model: perm_model_body_dependency, request_model: IAMDeletePermissionRequest):`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`db.delete(perm_model)`
			`db.commit()`


feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`@router.get("/permissions/search", response_model=IAMGetPermissionsSearchResponse)`
feat: auth requirements to iam endpoints 2026-05-27 15:35:06 +01:00			`async def get_permissions(db: db_dependency, org_model: org_model_root_claim_body_dependency, search: IAMGetPermissionsSearchRequest):`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`permission_query = db.query(Perm)`

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`if search.service_id is not None:`
			`permission_query = permission_query.filter(Perm.service_id == search.service_id)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`if search.resource is not None:`
			`permission_query = permission_query.filter(Perm.resource == search.resource)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`if search.action is not None:`
			`permission_query = permission_query.filter(Perm.action == search. action)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
			`permission_models = permission_query.all()`

feat: iam endpoint req/res models 2026-05-26 16:25:14 +01:00			`return {"permissions": permission_models}`