hs.hsadmin.ng/src/main/resources/db/changelog/2022-07-28-020-rbac-role-builder.sql

--liquibase formatted sql

-- ==================================================================
-- PERMISSIONS
--changeset rbac-role-builder-permissions:1 endDelimiter:--//
-- ------------------------------------------------------------------

/*

 */

CREATE TYPE RbacPermissions AS
(
    permissionUuids uuid[]
);

CREATE OR REPLACE FUNCTION grantingPermissions(forObjectUuid uuid, permitOps RbacOp[])
    RETURNS RbacPermissions
    LANGUAGE plpgsql STRICT AS $$
BEGIN
    RETURN ROW(createPermissions(forObjectUuid, permitOps))::RbacPermissions;
END; $$;

--//

--changeset rbac-role-builder-super-roles:1 endDelimiter:--//

/*

 */
CREATE TYPE RbacSuperRoles AS
(
    roleUuids uuid[]
);

CREATE OR REPLACE FUNCTION beneathRoles(roleDescriptors RbacRoleDescriptor[])
    RETURNS RbacSuperRoles
    LANGUAGE plpgsql STRICT AS $$
DECLARE
    superRoleDescriptor RbacRoleDescriptor;
    superRoleUuids uuid[] := ARRAY[]::uuid[];
BEGIN
    FOREACH superRoleDescriptor IN ARRAY roleDescriptors LOOP
        superRoleUuids := superRoleUuids || getRoleId(superRoleDescriptor, 'fail');
    END LOOP;

    RETURN ROW(superRoleUuids)::RbacSuperRoles;
END; $$;

CREATE OR REPLACE FUNCTION beneathRole(roleDescriptor RbacRoleDescriptor)
    RETURNS RbacSuperRoles
    LANGUAGE plpgsql STRICT AS $$
BEGIN
    RETURN beneathRoles(ARRAY[roleDescriptor]);
END; $$;

CREATE OR REPLACE FUNCTION beneathRole(roleUuid uuid)
    RETURNS RbacSuperRoles
    LANGUAGE plpgsql STRICT AS $$
BEGIN
    RETURN ROW(ARRAY[roleUuid]::uuid[])::RbacSuperRoles;
END; $$;

CREATE OR REPLACE FUNCTION asTopLevelRole()
    RETURNS RbacSuperRoles
    LANGUAGE plpgsql STRICT AS $$
BEGIN
    RETURN ROW(ARRAY[]::uuid[])::RbacSuperRoles;
END; $$;

--//

-- =================================================================
-- SUB ROLES
--changeset rbac-role-builder-sub-roles:1 endDelimiter:--//
-- -----------------------------------------------------------------

/*

 */
CREATE TYPE RbacSubRoles AS
(
    roleUuids uuid[]
);

-- drop FUNCTION beingItselfA(roleUuid uuid)
CREATE OR REPLACE FUNCTION beingItselfA(roleUuid uuid)
    RETURNS RbacSubRoles
    LANGUAGE plpgsql STRICT AS $$
BEGIN
    RETURN ROW(ARRAY[roleUuid]::uuid[])::RbacSubRoles;
END; $$;

-- drop FUNCTION beingItselfA(roleDescriptor RbacRoleDescriptor)
CREATE OR REPLACE FUNCTION beingItselfA(roleDescriptor RbacRoleDescriptor)
    RETURNS RbacSubRoles
    LANGUAGE plpgsql STRICT AS $$
BEGIN
    RETURN beingItselfA(getRoleId(roleDescriptor, 'fail'));
END; $$;

--//

-- =================================================================
-- USERS
--changeset rbac-role-builder-users:1 endDelimiter:--//
-- -----------------------------------------------------------------

/*
*/
CREATE TYPE RbacUsers AS
(
    userUuids uuid[]
);

CREATE OR REPLACE FUNCTION withUsers(userNames varchar[])
    RETURNS RbacUsers
    LANGUAGE plpgsql STRICT AS $$
DECLARE
    userName varchar;
    userUuids uuid[] := ARRAY[]::uuid[];
BEGIN
    FOREACH userName IN ARRAY userNames LOOP
        userUuids := userUuids || getRbacUserId(userName, 'fail');
    END LOOP;

    RETURN ROW(userUuids)::RbacUsers;
END; $$;


CREATE OR REPLACE FUNCTION withUser(userName varchar, whenNotExists RbacWhenNotExists = 'fail')
    RETURNS RbacUsers
    RETURNS NULL ON NULL INPUT
    LANGUAGE plpgsql AS $$
BEGIN
    RETURN ROW(ARRAY[getRbacUserId(userName, whenNotExists )]);
END; $$;

--//

-- =================================================================
-- CREATE ROLE
--changeset rbac-role-builder-create-role:1 endDelimiter:--//
-- -----------------------------------------------------------------

/*
*/
CREATE OR REPLACE FUNCTION createRole(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacPermissions,
    superRoles RbacSuperRoles,
    subRoles RbacSubRoles = null,
    users RbacUsers = null
)
    RETURNS uuid
    CALLED ON NULL INPUT
    LANGUAGE plpgsql AS $$
DECLARE
    roleUuid uuid;
    superRoleUuid uuid;
    subRoleUuid uuid;
    userUuid uuid;
BEGIN
    RAISE NOTICE 'will createRole for %', roleDescriptor;
    RAISE NOTICE 'will createRole for % % %', roleDescriptor.objecttable, roleDescriptor.objectuuid, roleDescriptor.roletype;
    roleUuid = createRole(roleDescriptor);

    call grantPermissionsToRole(roleUuid, permissions.permissionUuids);

    IF superRoles IS NOT NULL THEN
        FOREACH superRoleUuid IN ARRAY superRoles.roleuUids LOOP
            call grantRoleToRole(roleUuid, superRoleUuid);
        END LOOP;
    END IF;

    IF subRoles IS NOT NULL THEN
        FOREACH subRoleUuid IN ARRAY subRoles.roleuUids LOOP
            call grantRoleToRole(subRoleUuid, roleUuid);
        END LOOP;
    END IF;

    IF users IS NOT NULL THEN
        FOREACH userUuid IN ARRAY users.useruUids LOOP
            call grantRoleToUser(roleUuid, userUuid);
        END LOOP;
    END IF;

    RETURN roleUuid;
END; $$;

CREATE OR REPLACE FUNCTION createRole(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacPermissions,
    users RbacUsers = null
)
    RETURNS uuid
    CALLED ON NULL INPUT
    LANGUAGE plpgsql AS $$
BEGIN
    RETURN createRole(roleDescriptor, permissions, null, null, users);
END; $$;

CREATE OR REPLACE FUNCTION createRole(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacPermissions,
    subRoles RbacSubRoles,
    users RbacUsers = null
)
    RETURNS uuid
    CALLED ON NULL INPUT
    LANGUAGE plpgsql AS $$
BEGIN
    RETURN createRole(roleDescriptor, permissions, null, subRoles, users);
END; $$;

--//
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--liquibase formatted sql`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`-- ==================================================================`
			`-- PERMISSIONS`
			`--changeset rbac-role-builder-permissions:1 endDelimiter:--//`
			`-- ------------------------------------------------------------------`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`/*`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`*/`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
			`CREATE TYPE RbacPermissions AS`
			`(`
			`permissionUuids uuid[]`
			`);`

			`CREATE OR REPLACE FUNCTION grantingPermissions(forObjectUuid uuid, permitOps RbacOp[])`
			`RETURNS RbacPermissions`
			`LANGUAGE plpgsql STRICT AS $$`
			`BEGIN`
			`RETURN ROW(createPermissions(forObjectUuid, permitOps))::RbacPermissions;`
			`END; $$;`

convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--changeset rbac-role-builder-super-roles:1 endDelimiter:--//`

			`/*`

			`*/`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`CREATE TYPE RbacSuperRoles AS`
			`(`
			`roleUuids uuid[]`
			`);`

introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`CREATE OR REPLACE FUNCTION beneathRoles(roleDescriptors RbacRoleDescriptor[])`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`RETURNS RbacSuperRoles`
			`LANGUAGE plpgsql STRICT AS $$`
			`DECLARE`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`superRoleDescriptor RbacRoleDescriptor;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`superRoleUuids uuid[] := ARRAY[]::uuid[];`
			`BEGIN`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`FOREACH superRoleDescriptor IN ARRAY roleDescriptors LOOP`
			`superRoleUuids := superRoleUuids \|\| getRoleId(superRoleDescriptor, 'fail');`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`END LOOP;`

			`RETURN ROW(superRoleUuids)::RbacSuperRoles;`
			`END; $$;`

introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`CREATE OR REPLACE FUNCTION beneathRole(roleDescriptor RbacRoleDescriptor)`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`RETURNS RbacSuperRoles`
			`LANGUAGE plpgsql STRICT AS $$`
			`BEGIN`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`RETURN beneathRoles(ARRAY[roleDescriptor]);`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`END; $$;`

			`CREATE OR REPLACE FUNCTION beneathRole(roleUuid uuid)`
			`RETURNS RbacSuperRoles`
			`LANGUAGE plpgsql STRICT AS $$`
			`BEGIN`
			`RETURN ROW(ARRAY[roleUuid]::uuid[])::RbacSuperRoles;`
			`END; $$;`

			`CREATE OR REPLACE FUNCTION asTopLevelRole()`
			`RETURNS RbacSuperRoles`
			`LANGUAGE plpgsql STRICT AS $$`
			`BEGIN`
			`RETURN ROW(ARRAY[]::uuid[])::RbacSuperRoles;`
			`END; $$;`

convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--//`

			`-- =================================================================`
			`-- SUB ROLES`
			`--changeset rbac-role-builder-sub-roles:1 endDelimiter:--//`
			`-- -----------------------------------------------------------------`

			`/*`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`*/`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`CREATE TYPE RbacSubRoles AS`
			`(`
			`roleUuids uuid[]`
			`);`

			`-- drop FUNCTION beingItselfA(roleUuid uuid)`
			`CREATE OR REPLACE FUNCTION beingItselfA(roleUuid uuid)`
			`RETURNS RbacSubRoles`
			`LANGUAGE plpgsql STRICT AS $$`
			`BEGIN`
			`RETURN ROW(ARRAY[roleUuid]::uuid[])::RbacSubRoles;`
			`END; $$;`

introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`-- drop FUNCTION beingItselfA(roleDescriptor RbacRoleDescriptor)`
			`CREATE OR REPLACE FUNCTION beingItselfA(roleDescriptor RbacRoleDescriptor)`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`RETURNS RbacSubRoles`
			`LANGUAGE plpgsql STRICT AS $$`
			`BEGIN`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`RETURN beingItselfA(getRoleId(roleDescriptor, 'fail'));`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`END; $$;`

convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`-- =================================================================`
			`-- USERS`
			`--changeset rbac-role-builder-users:1 endDelimiter:--//`
			`-- -----------------------------------------------------------------`

			`/*`
			`*/`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`CREATE TYPE RbacUsers AS`
			`(`
			`userUuids uuid[]`
			`);`

			`CREATE OR REPLACE FUNCTION withUsers(userNames varchar[])`
			`RETURNS RbacUsers`
			`LANGUAGE plpgsql STRICT AS $$`
			`DECLARE`
			`userName varchar;`
			`userUuids uuid[] := ARRAY[]::uuid[];`
			`BEGIN`
			`FOREACH userName IN ARRAY userNames LOOP`
			`userUuids := userUuids \|\| getRbacUserId(userName, 'fail');`
			`END LOOP;`

			`RETURN ROW(userUuids)::RbacUsers;`
			`END; $$;`


			`CREATE OR REPLACE FUNCTION withUser(userName varchar, whenNotExists RbacWhenNotExists = 'fail')`
			`RETURNS RbacUsers`
			`RETURNS NULL ON NULL INPUT`
			`LANGUAGE plpgsql AS $$`
			`BEGIN`
			`RETURN ROW(ARRAY[getRbacUserId(userName, whenNotExists )]);`
			`END; $$;`

convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`-- =================================================================`
			`-- CREATE ROLE`
			`--changeset rbac-role-builder-create-role:1 endDelimiter:--//`
			`-- -----------------------------------------------------------------`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`/*`
			`*/`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`CREATE OR REPLACE FUNCTION createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`roleDescriptor RbacRoleDescriptor,`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`permissions RbacPermissions,`
			`superRoles RbacSuperRoles,`
			`subRoles RbacSubRoles = null,`
			`users RbacUsers = null`
			`)`
			`RETURNS uuid`
			`CALLED ON NULL INPUT`
			`LANGUAGE plpgsql AS $$`
			`DECLARE`
			`roleUuid uuid;`
			`superRoleUuid uuid;`
			`subRoleUuid uuid;`
			`userUuid uuid;`
			`BEGIN`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`RAISE NOTICE 'will createRole for %', roleDescriptor;`
			`RAISE NOTICE 'will createRole for % % %', roleDescriptor.objecttable, roleDescriptor.objectuuid, roleDescriptor.roletype;`
			`roleUuid = createRole(roleDescriptor);`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
			`call grantPermissionsToRole(roleUuid, permissions.permissionUuids);`

			`IF superRoles IS NOT NULL THEN`
			`FOREACH superRoleUuid IN ARRAY superRoles.roleuUids LOOP`
			`call grantRoleToRole(roleUuid, superRoleUuid);`
			`END LOOP;`
			`END IF;`

			`IF subRoles IS NOT NULL THEN`
			`FOREACH subRoleUuid IN ARRAY subRoles.roleuUids LOOP`
			`call grantRoleToRole(subRoleUuid, roleUuid);`
			`END LOOP;`
			`END IF;`

			`IF users IS NOT NULL THEN`
			`FOREACH userUuid IN ARRAY users.useruUids LOOP`
			`call grantRoleToUser(roleUuid, userUuid);`
			`END LOOP;`
			`END IF;`

			`RETURN roleUuid;`
			`END; $$;`

			`CREATE OR REPLACE FUNCTION createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`roleDescriptor RbacRoleDescriptor,`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`permissions RbacPermissions,`
			`users RbacUsers = null`
			`)`
			`RETURNS uuid`
			`CALLED ON NULL INPUT`
			`LANGUAGE plpgsql AS $$`
			`BEGIN`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`RETURN createRole(roleDescriptor, permissions, null, null, users);`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`END; $$;`

			`CREATE OR REPLACE FUNCTION createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`roleDescriptor RbacRoleDescriptor,`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`permissions RbacPermissions,`
			`subRoles RbacSubRoles,`
			`users RbacUsers = null`
			`)`
			`RETURNS uuid`
			`CALLED ON NULL INPUT`
			`LANGUAGE plpgsql AS $$`
			`BEGIN`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`RETURN createRole(roleDescriptor, permissions, null, subRoles, users);`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`END; $$;`

convert rbac-statistics and rbac-role-builder*.sql files to Liquibase changesets 2022-07-28 17:17:22 +02:00			`--//`