--liquibase formatted sql
-- =================================================================
-- CREATE ROLE
--changeset rbac-role-builder-create-role:1 endDelimiter:--//
-- -----------------------------------------------------------------
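-- Creates an RBAC role and wires up its grants in one step.
--
-- Steps performed (in this order):
--   1. createRole(roleDescriptor)                    -> the new role's uuid
--   2. for each op in permissions: createPermission(roleDescriptor.objectuuid, op)
--      and grant that permission to the new role
--   3. for each (non-null) incomingSuperRoles entry: grant the new role to that
--      super role, i.e. the super role inherits the new role
--   4. for each (non-null) outgoingSubRoles entry: grant that sub role to the
--      new role, i.e. the new role inherits the sub role
--   5. for each userUuids entry: grant the new role directly to the user,
--      recording grantedByRole (or, if null, the new role itself) as the
--      role that owns/may revoke that grant
--
-- Both grantRoleToRole call sites use the argument order
-- (subRoleUuid, superRoleUuid, assumed); the `assumed` flag is taken from the
-- respective descriptor.
--
-- Parameters:
--   roleDescriptor      descriptor of the role to create (objectuuid is used
--                       as the target object of all created permissions)
--   permissions         ops to create as permissions and grant to the role
--   incomingSuperRoles  roles that shall inherit the new role (nulls skipped)
--   outgoingSubRoles    roles the new role shall inherit (nulls skipped)
--   userUuids           users that get the new role granted directly
--   grantedByRole       role recorded as grantor of the direct user grants;
--                       defaults to the new role itself when null
--
-- Returns: uuid of the created role.
--
-- Null handling: the function is declared `called on null input` so that
-- grantedByRole may be null. Because PL/pgSQL raises
-- "FOREACH expression must not be null" when iterating a NULL array, an
-- explicitly passed NULL array argument is treated like the empty-array
-- default instead of aborting half-way through role creation.
--
-- NOTE(review): grantRoleToUserUnchecked presumably bypasses the
-- caller-authorization check of the "checked" variant. That is acceptable for
-- a builder invoked during object creation (e.g. from triggers), but this
-- function must not be reachable by untrusted callers -- confirm.
-- NOTE(review): when grantedByRole is null the new role itself becomes the
-- grantor of the direct user grants (see TODO.spec below). Depending on how
-- the revoke path interprets grantedByRoleUuid, this may let any holder of
-- the role revoke it for other holders -- confirm this is the intended
-- authority model.
create or replace function createRoleWithGrants(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacOp[] = array[]::RbacOp[],
    incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
    outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
    userUuids uuid[] = array[]::uuid[],
    grantedByRole RbacRoleDescriptor = null
)
    returns uuid
    called on null input
    language plpgsql as $$
declare
    roleUuid             uuid;
    permission           RbacOp;
    permissionUuid       uuid;
    subRoleDesc          RbacRoleDescriptor;
    superRoleDesc        RbacRoleDescriptor;
    subRoleUuid          uuid;
    superRoleUuid        uuid;
    userUuid             uuid;
    userGrantsByRoleUuid uuid;
    -- explicitly passed NULL arrays are normalized to empty arrays so the
    -- FOREACH loops below cannot raise on a NULL expression
    permissionOps        RbacOp[]              := coalesce(permissions, array[]::RbacOp[]);
    superRoles           RbacRoleDescriptor[]  := coalesce(incomingSuperRoles, array[]::RbacRoleDescriptor[]);
    subRoles             RbacRoleDescriptor[]  := coalesce(outgoingSubRoles, array[]::RbacRoleDescriptor[]);
    users                uuid[]                := coalesce(userUuids, array[]::uuid[]);
begin
    roleUuid := createRole(roleDescriptor);

    -- permissions are created on the descriptor's object and granted to the new role
    foreach permission in array permissionOps
        loop
            permissionUuid := createPermission(roleDescriptor.objectuuid, permission);
            call grantPermissionToRole(permissionUuid, roleUuid);
        end loop;

    -- incoming: the super role inherits the new role (new role is the sub role)
    foreach superRoleDesc in array array_remove(superRoles, null)
        loop
            superRoleUuid := getRoleId(superRoleDesc);
            call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
        end loop;

    -- outgoing: the new role inherits the sub role (new role is the super role)
    foreach subRoleDesc in array array_remove(subRoles, null)
        loop
            subRoleUuid := getRoleId(subRoleDesc);
            call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
        end loop;

    if cardinality(users) > 0 then
        -- direct grants to users need a grantedByRole which can revoke the grant
        if grantedByRole is null then
            userGrantsByRoleUuid := roleUuid; -- TODO.spec: or do we want to require an explicit userGrantsByRoleUuid?
        else
            -- NOTE(review): behaviour of getRoleId for a non-existent descriptor is not
            -- visible here; if it returns NULL the user grants would have no grantor -- confirm.
            userGrantsByRoleUuid := getRoleId(grantedByRole);
        end if;
        -- nulls in userUuids are deliberately NOT filtered (unlike the role
        -- descriptor arrays) so that a missing user uuid surfaces as an error
        -- in grantRoleToUserUnchecked instead of being silently skipped
        foreach userUuid in array users
            loop
                call grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, userUuid);
            end loop;
    end if;

    return roleUuid;
end; $$;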
--//