--liquibase formatted sql
-- =================================================================
-- CREATE ROLE
--changeset rbac-role-builder-create-role:1 endDelimiter:--//
-- -----------------------------------------------------------------
-- TODO: rename to defineRoleWithGrants because it does not complain if the role already exists
-- Looks up the role identified by roleDescriptor, creating it when it does not
-- exist yet, and then attaches the requested grants to it:
--   1. one permission per entry of `permissions`, created on
--      roleDescriptor.objectuuid and granted to the role,
--   2. a role-to-role grant from the role to each of `incomingSuperRoles`,
--   3. a role-to-role grant from each of `outgoingSubRoles` to the role,
--   4. a direct grant of the role to each uuid in `userUuids`.
-- Returns the uuid of the (new or pre-existing) role.
--
-- An already existing role is reused silently; the grants are simply added to it
-- (see the TODO above about renaming for that reason).
--
-- Parameters:
--   roleDescriptor      describes the role; its objectuuid is the object the
--                       permissions are created on.
--   permissions         RbacOp values to create as permissions of the role.
--   incomingSuperRoles  descriptors of roles the new role is granted to
--                       (null entries are skipped).
--   outgoingSubRoles    descriptors of roles granted to the new role
--                       (null entries are skipped).
--   userUuids           users who receive the role directly.
--   grantedByRole       role recorded as grantor of the direct user grants;
--                       when null the new role itself is used.
--
-- NOTE(review): the user grants go through grantRoleToUserUnchecked and none of
-- the other grant calls visibly verify the caller's rights, so this function is
-- a privileged builder: it should only be reachable from trusted schema/trigger
-- code, never with descriptors or uuids taken from an end-user request — confirm
-- against the callers.
--
-- NOTE: the three array parameters are iterated with FOREACH, which raises on a
-- null array; pass an empty array (the default) instead of null to skip a step.
create or replace function createRoleWithGrants(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacOp[] = array[]::RbacOp[],
    incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
    outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
    userUuids uuid[] = array[]::uuid[],
    grantedByRole RbacRoleDescriptor = null
)
    returns uuid
    called on null input
    language plpgsql as $$
declare
    roleUuid             uuid;                -- the role being built, returned at the end
    permission           RbacOp;              -- loop variable over `permissions`
    permissionUuid       uuid;
    subRoleDesc          RbacRoleDescriptor;  -- loop variable over `outgoingSubRoles`
    superRoleDesc        RbacRoleDescriptor;  -- loop variable over `incomingSuperRoles`
    subRoleUuid          uuid;
    superRoleUuid        uuid;
    userUuid             uuid;                -- loop variable over `userUuids`
    userGrantsByRoleUuid uuid;                -- grantor recorded for the direct user grants
begin
    -- reuse an existing role if findRoleId finds one, otherwise create it;
    -- coalesce only evaluates createRole when the lookup yields null
    roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor));

    -- each permission is created on the role's own object and granted to the role
    foreach permission in array permissions
        loop
            permissionUuid := createPermission(roleDescriptor.objectuuid, permission);
            call grantPermissionToRole(permissionUuid, roleUuid);
        end loop;

    -- the new role is granted to each super role (new role = sub role side of the grant);
    -- getRoleId is used here rather than findRoleId, so the super role is expected to exist
    foreach superRoleDesc in array array_remove(incomingSuperRoles, null)
        loop
            superRoleUuid := getRoleId(superRoleDesc);
            call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
        end loop;

    -- each sub role is granted to the new role (new role = super role side of the grant)
    foreach subRoleDesc in array array_remove(outgoingSubRoles, null)
        loop
            subRoleUuid := getRoleId(subRoleDesc);
            call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
        end loop;

    -- cardinality(null) is null, so a null or empty userUuids skips this block
    if cardinality(userUuids) > 0 then
        -- direct grants to users need a grantedByRole which can revoke the grant
        if grantedByRole is null then
            -- NOTE(review): defaulting the grantor to the role itself means the
            -- role's own holders can revoke these grants; whether that is intended
            -- is still open, see the TODO.spec below
            userGrantsByRoleUuid := roleUuid; -- TODO.spec: or do we want to require an explicit userGrantsByRoleUuid?
        else
            userGrantsByRoleUuid := getRoleId(grantedByRole);
        end if;

        -- "Unchecked": no rights check on the granting role is performed here
        foreach userUuid in array userUuids
            loop
                call grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, userUuid);
            end loop;
    end if;

    return roleUuid;
end; $$;
--//