
--liquibase formatted sql
-- ============================================================================
-- PERMISSIONS
--changeset rbac-role-builder-to-uuids:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
-- Delegates to createPermissions() for the given ops on one object and hands
-- back its uuid[] result (createPermissions presumably creates the permission
-- rows; it is defined outside this changeset — confirm there).
-- Declared STRICT: a NULL in either argument short-circuits to a NULL result
-- without calling createPermissions() at all.
create or replace function toPermissionUuids(forObjectUuid uuid, permitOps RbacOp[])
    returns uuid[]
    language plpgsql
    strict as $$
declare
    permissionUuids uuid[];
begin
    permissionUuids := createPermissions(forObjectUuid, permitOps);
    return permissionUuids;
end; $$;
-- Maps role descriptors to role uuids via getRoleId(..., 'fail'), dropping
-- NULL descriptors from the result. Order of the input array is preserved.
-- Declared STRICT: a NULL array yields NULL (not an empty array); an empty
-- array yields an empty uuid[].
create or replace function toRoleUuids(roleDescriptors RbacRoleDescriptor[])
    returns uuid[]
    language plpgsql
    strict as $$
declare
    descriptor RbacRoleDescriptor;
    roleUuids uuid[] := array[]::uuid[];
begin
    foreach descriptor in array roleDescriptors
    loop
        -- NULL entries are tolerated and simply skipped.
        continue when descriptor is null;
        -- 'fail' mode: presumably raises for an unknown role rather than
        -- returning NULL — confirm against getRoleId().
        roleUuids := array_append(roleUuids, getRoleId(descriptor, 'fail'));
    end loop;
    return roleUuids;
end; $$;
-- =================================================================
-- CREATE ROLE
--changeset rbac-role-builder-create-role:1 endDelimiter:--//
-- -----------------------------------------------------------------
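-- Creates a role from roleDescriptor and wires up its grants in one call:
--   * permissions on the descriptor's object (permissions),
--   * grants involving the given super roles (incomingSuperRoles),
--   * grants involving the given sub roles (outgoingSubRoles),
--   * direct user assignments (userUuids), which require grantedByRole.
-- Returns the uuid of the newly created role.
--
-- Declared CALLED ON NULL INPUT, so callers may pass NULL for any argument.
-- A NULL array is treated like an empty one: FOREACH itself rejects a NULL
-- array ("FOREACH expression must not be null"), and toRoleUuids() is STRICT,
-- so the results of the STRICT helpers are coalesced before looping.
-- Raises an exception when userUuids is non-empty but grantedByRole is NULL,
-- and propagates whatever getRoleId(..., 'fail') raises for unknown roles.
create or replace function createRoleWithGrants(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacOp[] = array[]::RbacOp[],
    incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
    outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
    userUuids uuid[] = array[]::uuid[],
    grantedByRole RbacRoleDescriptor = null
)
    returns uuid
    called on null input
    language plpgsql as $$
declare
    roleUuid uuid;
    superRoleUuid uuid;
    subRoleUuid uuid;
    userUuid uuid;
    grantedByRoleUuid uuid;
begin
    roleUuid := createRole(roleDescriptor);

    -- cardinality(NULL) is NULL, which IF treats as false, so a NULL
    -- permissions array is skipped like an empty one.
    if cardinality(permissions) > 0 then
        call grantPermissionsToRole(roleUuid, toPermissionUuids(roleDescriptor.objectuuid, permissions));
    end if;

    -- toRoleUuids() is STRICT and returns NULL for a NULL array; coalesce so
    -- FOREACH sees an empty array instead of raising.
    foreach superRoleUuid in array coalesce(toRoleUuids(incomingSuperRoles), array[]::uuid[])
    loop
        call grantRoleToRole(roleUuid, superRoleUuid);
    end loop;

    -- Note the swapped argument positions: the new role is the second
    -- argument here, the sub role the first.
    foreach subRoleUuid in array coalesce(toRoleUuids(outgoingSubRoles), array[]::uuid[])
    loop
        call grantRoleToRole(subRoleUuid, roleUuid);
    end loop;

    if cardinality(userUuids) > 0 then
        -- grantRoleToUserUnchecked() presumably bypasses the usual grant
        -- checks (judging by its name), so the granting role is mandatory and
        -- must resolve in 'fail' mode before any user is attached.
        if grantedByRole is null then
            raise exception 'to directly assign users to roles, grantedByRole has to be given';
        end if;
        grantedByRoleUuid := getRoleId(grantedByRole, 'fail');
        foreach userUuid in array userUuids
        loop
            call grantRoleToUserUnchecked(grantedByRoleUuid, roleUuid, userUuid);
        end loop;
    end if;

    return roleUuid;
end; $$;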
--//