hs.hsadmin.ng/src/main/resources/db/changelog/057-rbac-role-builder.sql

--liquibase formatted sql

-- ============================================================================
-- PERMISSIONS
--changeset rbac-role-builder-permissions:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*

 */

create type RbacPermissions as
(
    permissionUuids uuid[]
);

create or replace function grantingPermissions(forObjectUuid uuid, permitOps RbacOp[])
    returns RbacPermissions
    language plpgsql
    strict as $$
begin
    return row (createPermissions(forObjectUuid, permitOps))::RbacPermissions;
end; $$;

create or replace function withoutPermissions()
    returns RbacPermissions
    language plpgsql
    strict as $$
begin
    return row (array []::uuid[]);
end; $$;

--//

--changeset rbac-role-builder-super-roles:1 endDelimiter:--//

/*

 */
create type RbacSuperRoles as
(
    roleUuids uuid[]
);

create or replace function beneathRoles(roleDescriptors RbacRoleDescriptor[])
    returns RbacSuperRoles
    language plpgsql
    strict as $$
declare
    superRoleDescriptor RbacRoleDescriptor;
    superRoleUuids      uuid[] := array []::uuid[];
begin
    foreach superRoleDescriptor in array roleDescriptors
        loop
            superRoleUuids := superRoleUuids || getRoleId(superRoleDescriptor, 'fail');
        end loop;

    return row (superRoleUuids)::RbacSuperRoles;
end; $$;

create or replace function beneathRole(roleDescriptor RbacRoleDescriptor)
    returns RbacSuperRoles
    language plpgsql
    strict as $$
begin
    return beneathRoles(array [roleDescriptor]);
end; $$;

create or replace function beneathRole(roleUuid uuid)
    returns RbacSuperRoles
    language plpgsql
    strict as $$
begin
    return row (array [roleUuid]::uuid[])::RbacSuperRoles;
end; $$;

create or replace function asTopLevelRole()
    returns RbacSuperRoles
    language plpgsql
    strict as $$
begin
    return row (array []::uuid[])::RbacSuperRoles;
end; $$;

--//

-- =================================================================
-- SUB ROLES
--changeset rbac-role-builder-sub-roles:1 endDelimiter:--//
-- -----------------------------------------------------------------

/*

 */
create type RbacSubRoles as
(
    roleUuids uuid[]
);

-- drop FUNCTION beingItselfA(roleUuid uuid)
create or replace function beingItselfA(roleUuid uuid)
    returns RbacSubRoles
    language plpgsql
    strict as $$
begin
    return row (array [roleUuid]::uuid[])::RbacSubRoles;
end; $$;

-- drop FUNCTION beingItselfA(roleDescriptor RbacRoleDescriptor)
create or replace function beingItselfA(roleDescriptor RbacRoleDescriptor)
    returns RbacSubRoles
    language plpgsql
    strict as $$
begin
    return beingItselfA(getRoleId(roleDescriptor, 'fail'));
end; $$;

create or replace function withSubRoles(roleDescriptors RbacRoleDescriptor[])
    returns RbacSubRoles
    language plpgsql
    strict as $$
declare
    subRoleDescriptor RbacRoleDescriptor;
    subRoleUuids      uuid[] := array []::uuid[];
begin
    foreach subRoleDescriptor in array roleDescriptors
        loop
            subRoleUuids := subRoleUuids || getRoleId(subRoleDescriptor, 'fail');
        end loop;

    return row (subRoleUuids)::RbacSubRoles;
end; $$;

create or replace function withoutSubRoles()
    returns RbacSubRoles
    language plpgsql
    strict as $$
begin
    return row (array []::uuid[]);
end; $$;

--//

-- =================================================================
-- USERS
--changeset rbac-role-builder-users:1 endDelimiter:--//
-- -----------------------------------------------------------------

/*
*/
create type RbacUsers as
(
    userUuids uuid[]
);

create or replace function withUsers(userNames varchar[])
    returns RbacUsers
    language plpgsql
    strict as $$
declare
    userName  varchar;
    userUuids uuid[] := array []::uuid[];
begin
    foreach userName in array userNames
        loop
            userUuids := userUuids || getRbacUserId(userName, 'fail');
        end loop;

    return row (userUuids)::RbacUsers;
end; $$;


create or replace function withUser(userName varchar, whenNotExists RbacWhenNotExists = 'fail')
    returns RbacUsers
    returns null on null input
    language plpgsql as $$
begin
    return row (array [getRbacUserId(userName, whenNotExists)]);
end; $$;

--//

-- =================================================================
-- CREATE ROLE
--changeset rbac-role-builder-create-role:1 endDelimiter:--//
-- -----------------------------------------------------------------

/*
*/
create or replace function createRole(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacPermissions,
    superRoles RbacSuperRoles,
    subRoles RbacSubRoles = null,
    users RbacUsers = null,
    grantingRoleUuid uuid = null
)
    returns uuid
    called on null input
    language plpgsql as $$
declare
    roleUuid      uuid;
    superRoleUuid uuid;
    subRoleUuid   uuid;
    userUuid      uuid;
begin
    raise notice 'will createRole for %', roleDescriptor;
    roleUuid = createRole(roleDescriptor);

    call grantPermissionsToRole(roleUuid, permissions.permissionUuids);

    if superRoles is not null then
        foreach superRoleUuid in array superRoles.roleuUids
            loop
                call grantRoleToRole(roleUuid, superRoleUuid);
            end loop;
    end if;

    if subRoles is not null then
        foreach subRoleUuid in array subRoles.roleuUids
            loop
                call grantRoleToRole(subRoleUuid, roleUuid);
            end loop;
    end if;

    if users is not null then
        foreach userUuid in array users.useruUids
            loop
                call grantRoleToUserUnchecked(grantingRoleUuid, roleUuid, userUuid);
            end loop;
    end if;

    return roleUuid;
end; $$;

create or replace function createRole(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacPermissions,
    users RbacUsers = null,
    grantingRoleUuid uuid = null
)
    returns uuid
    called on null input
    language plpgsql as $$
begin
    return createRole(roleDescriptor, permissions, null, null, users, grantingRoleUuid);
end; $$;

create or replace function createRole(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacPermissions,
    subRoles RbacSubRoles,
    users RbacUsers = null,
    grantingRoleUuid uuid = null
)
    returns uuid
    called on null input
    language plpgsql as $$
begin
    return createRole(roleDescriptor, permissions, null, subRoles, users, grantingRoleUuid);
end; $$;
--//

-- =================================================================
-- CREATE ROLE
--changeset rbac-role-builder-GRANTED-BY-ROLE:1 endDelimiter:--//
-- -----------------------------------------------------------------

/*
    Used in role-builder-DSL to convert a role descriptor to it's uuid
    for use as `grantedByRoleUuid`.
*/
create or replace function grantedByRole(roleDescriptor RbacRoleDescriptor)
    returns uuid
    strict leakproof
    language plpgsql as $$
begin
    return getRoleId(roledescriptor, 'fail');
end; $$;
--//
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--liquibase formatted sql`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
cleanup in Liquibase files, header, formatting etc. 2022-07-29 11:38:51 +02:00			`-- ============================================================================`
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`-- PERMISSIONS`
			`--changeset rbac-role-builder-permissions:1 endDelimiter:--//`
cleanup in Liquibase files, header, formatting etc. 2022-07-29 11:38:51 +02:00			`-- ----------------------------------------------------------------------------`
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`/*`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`*/`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
formatted SQL code 2022-07-29 08:46:04 +02:00			`create type RbacPermissions as`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`(`
			`permissionUuids uuid[]`
			`);`

formatted SQL code 2022-07-29 08:46:04 +02:00			`create or replace function grantingPermissions(forObjectUuid uuid, permitOps RbacOp[])`
			`returns RbacPermissions`
			`language plpgsql`
			`strict as $$`
			`begin`
			`return row (createPermissions(forObjectUuid, permitOps))::RbacPermissions;`
			`end; $$;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`create or replace function withoutPermissions()`
			`returns RbacPermissions`
			`language plpgsql`
			`strict as $$`
			`begin`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`return row (array []::uuid[]);`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`end; $$;`

convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--changeset rbac-role-builder-super-roles:1 endDelimiter:--//`

			`/*`

			`*/`
formatted SQL code 2022-07-29 08:46:04 +02:00			`create type RbacSuperRoles as`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`(`
			`roleUuids uuid[]`
			`);`

formatted SQL code 2022-07-29 08:46:04 +02:00			`create or replace function beneathRoles(roleDescriptors RbacRoleDescriptor[])`
			`returns RbacSuperRoles`
			`language plpgsql`
			`strict as $$`
			`declare`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`superRoleDescriptor RbacRoleDescriptor;`
formatted SQL code 2022-07-29 08:46:04 +02:00			`superRoleUuids uuid[] := array []::uuid[];`
			`begin`
			`foreach superRoleDescriptor in array roleDescriptors`
			`loop`
			`superRoleUuids := superRoleUuids \|\| getRoleId(superRoleDescriptor, 'fail');`
			`end loop;`

			`return row (superRoleUuids)::RbacSuperRoles;`
			`end; $$;`

			`create or replace function beneathRole(roleDescriptor RbacRoleDescriptor)`
			`returns RbacSuperRoles`
			`language plpgsql`
			`strict as $$`
			`begin`
			`return beneathRoles(array [roleDescriptor]);`
			`end; $$;`

			`create or replace function beneathRole(roleUuid uuid)`
			`returns RbacSuperRoles`
			`language plpgsql`
			`strict as $$`
			`begin`
			`return row (array [roleUuid]::uuid[])::RbacSuperRoles;`
			`end; $$;`

			`create or replace function asTopLevelRole()`
			`returns RbacSuperRoles`
			`language plpgsql`
			`strict as $$`
			`begin`
			`return row (array []::uuid[])::RbacSuperRoles;`
			`end; $$;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--//`

			`-- =================================================================`
			`-- SUB ROLES`
			`--changeset rbac-role-builder-sub-roles:1 endDelimiter:--//`
			`-- -----------------------------------------------------------------`

			`/*`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`*/`
formatted SQL code 2022-07-29 08:46:04 +02:00			`create type RbacSubRoles as`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`(`
			`roleUuids uuid[]`
			`);`

			`-- drop FUNCTION beingItselfA(roleUuid uuid)`
formatted SQL code 2022-07-29 08:46:04 +02:00			`create or replace function beingItselfA(roleUuid uuid)`
			`returns RbacSubRoles`
			`language plpgsql`
			`strict as $$`
			`begin`
			`return row (array [roleUuid]::uuid[])::RbacSubRoles;`
			`end; $$;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`-- drop FUNCTION beingItselfA(roleDescriptor RbacRoleDescriptor)`
formatted SQL code 2022-07-29 08:46:04 +02:00			`create or replace function beingItselfA(roleDescriptor RbacRoleDescriptor)`
			`returns RbacSubRoles`
			`language plpgsql`
			`strict as $$`
			`begin`
			`return beingItselfA(getRoleId(roleDescriptor, 'fail'));`
			`end; $$;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
add partner business object at repo level (WIP) 2022-09-09 17:43:43 +02:00			`create or replace function withSubRoles(roleDescriptors RbacRoleDescriptor[])`
			`returns RbacSubRoles`
			`language plpgsql`
			`strict as $$`
			`declare`
			`subRoleDescriptor RbacRoleDescriptor;`
			`subRoleUuids uuid[] := array []::uuid[];`
			`begin`
			`foreach subRoleDescriptor in array roleDescriptors`
			`loop`
			`subRoleUuids := subRoleUuids \|\| getRoleId(subRoleDescriptor, 'fail');`
			`end loop;`

			`return row (subRoleUuids)::RbacSubRoles;`
			`end; $$;`

add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`create or replace function withoutSubRoles()`
			`returns RbacSubRoles`
			`language plpgsql`
			`strict as $$`
			`begin`
			`return row (array []::uuid[]);`
			`end; $$;`

convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`-- =================================================================`
			`-- USERS`
			`--changeset rbac-role-builder-users:1 endDelimiter:--//`
			`-- -----------------------------------------------------------------`

			`/*`
			`*/`
formatted SQL code 2022-07-29 08:46:04 +02:00			`create type RbacUsers as`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`(`
			`userUuids uuid[]`
			`);`

formatted SQL code 2022-07-29 08:46:04 +02:00			`create or replace function withUsers(userNames varchar[])`
			`returns RbacUsers`
			`language plpgsql`
			`strict as $$`
			`declare`
			`userName varchar;`
			`userUuids uuid[] := array []::uuid[];`
			`begin`
			`foreach userName in array userNames`
			`loop`
			`userUuids := userUuids \|\| getRbacUserId(userName, 'fail');`
			`end loop;`

			`return row (userUuids)::RbacUsers;`
			`end; $$;`


			`create or replace function withUser(userName varchar, whenNotExists RbacWhenNotExists = 'fail')`
			`returns RbacUsers`
			`returns null on null input`
			`language plpgsql as $$`
			`begin`
			`return row (array [getRbacUserId(userName, whenNotExists)]);`
			`end; $$;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`-- =================================================================`
			`-- CREATE ROLE`
			`--changeset rbac-role-builder-create-role:1 endDelimiter:--//`
			`-- -----------------------------------------------------------------`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`/*`
			`*/`
formatted SQL code 2022-07-29 08:46:04 +02:00			`create or replace function createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`roleDescriptor RbacRoleDescriptor,`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`permissions RbacPermissions,`
			`superRoles RbacSuperRoles,`
			`subRoles RbacSubRoles = null,`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`users RbacUsers = null,`
			`grantingRoleUuid uuid = null`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`)`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns uuid`
			`called on null input`
			`language plpgsql as $$`
			`declare`
			`roleUuid uuid;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`superRoleUuid uuid;`
formatted SQL code 2022-07-29 08:46:04 +02:00			`subRoleUuid uuid;`
			`userUuid uuid;`
			`begin`
			`raise notice 'will createRole for %', roleDescriptor;`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`roleUuid = createRole(roleDescriptor);`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
			`call grantPermissionsToRole(roleUuid, permissions.permissionUuids);`

formatted SQL code 2022-07-29 08:46:04 +02:00			`if superRoles is not null then`
			`foreach superRoleUuid in array superRoles.roleuUids`
			`loop`
			`call grantRoleToRole(roleUuid, superRoleUuid);`
			`end loop;`
			`end if;`

			`if subRoles is not null then`
			`foreach subRoleUuid in array subRoles.roleuUids`
			`loop`
			`call grantRoleToRole(subRoleUuid, roleUuid);`
			`end loop;`
			`end if;`

			`if users is not null then`
			`foreach userUuid in array users.useruUids`
			`loop`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`call grantRoleToUserUnchecked(grantingRoleUuid, roleUuid, userUuid);`
formatted SQL code 2022-07-29 08:46:04 +02:00			`end loop;`
			`end if;`

			`return roleUuid;`
			`end; $$;`

			`create or replace function createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`roleDescriptor RbacRoleDescriptor,`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`permissions RbacPermissions,`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`users RbacUsers = null,`
			`grantingRoleUuid uuid = null`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`)`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns uuid`
			`called on null input`
			`language plpgsql as $$`
			`begin`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`return createRole(roleDescriptor, permissions, null, null, users, grantingRoleUuid);`
formatted SQL code 2022-07-29 08:46:04 +02:00			`end; $$;`

			`create or replace function createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`roleDescriptor RbacRoleDescriptor,`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`permissions RbacPermissions,`
			`subRoles RbacSubRoles,`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`users RbacUsers = null,`
			`grantingRoleUuid uuid = null`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`)`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns uuid`
			`called on null input`
			`language plpgsql as $$`
			`begin`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`return createRole(roleDescriptor, permissions, null, subRoles, users, grantingRoleUuid);`
formatted SQL code 2022-07-29 08:46:04 +02:00			`end; $$;`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`-- =================================================================`
			`-- CREATE ROLE`
			`--changeset rbac-role-builder-GRANTED-BY-ROLE:1 endDelimiter:--//`
			`-- -----------------------------------------------------------------`

			`/*`
			`Used in role-builder-DSL to convert a role descriptor to it's uuid`
			for use as `grantedByRoleUuid`.
			`*/`
			`create or replace function grantedByRole(roleDescriptor RbacRoleDescriptor)`
			`returns uuid`
			`strict leakproof`
			`language plpgsql as $$`
			`begin`
			`return getRoleId(roledescriptor, 'fail');`
			`end; $$;`
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--//`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00