--liquibase formatted sql

-- ============================================================================
-- PERMISSIONS
--changeset rbac-role-builder-to-uuids:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

create or replace function toPermissionUuids(forObjectUuid uuid, permitOps RbacOp[])
    returns uuid[]
    language plpgsql
    strict as $$
begin
    return createPermissions(forObjectUuid, permitOps);
end; $$;


-- =================================================================
-- CREATE ROLE
--changeset rbac-role-builder-create-role:1 endDelimiter:--//
-- -----------------------------------------------------------------

create or replace function createRoleWithGrants(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacOp[] = array[]::RbacOp[],
    incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
    outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
    userUuids uuid[] = array[]::uuid[],
    grantedByRole RbacRoleDescriptor = null
)
    returns uuid
    called on null input
    language plpgsql as $$
declare
    roleUuid                uuid;
    subRoleDesc             RbacRoleDescriptor;
    superRoleDesc           RbacRoleDescriptor;
    subRoleUuid             uuid;
    superRoleUuid           uuid;
    userUuid                uuid;
    userGrantsByRoleUuid    uuid;
begin
    roleUuid := createRole(roleDescriptor);

    if cardinality(permissions) > 0 then
        call grantPermissionsToRole(roleUuid, toPermissionUuids(roleDescriptor.objectuuid, permissions));
    end if;

    foreach superRoleDesc in array array_remove(incomingSuperRoles, null)
        loop
            superRoleUuid := getRoleId(superRoleDesc);
            call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
        end loop;

    foreach subRoleDesc in array array_remove(outgoingSubRoles, null)
        loop
            subRoleUuid := getRoleId(subRoleDesc);
            call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
        end loop;

    if cardinality(userUuids) > 0 then
        -- direct grants to users need a grantedByRole which can revoke the grant
        if grantedByRole is null then
            userGrantsByRoleUuid := roleUuid; -- TODO: or do we want to require an explicit userGrantsByRoleUuid?
        else
            userGrantsByRoleUuid := getRoleId(grantedByRole);
        end if;
        foreach userUuid in array userUuids
            loop
                call grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, userUuid);
            end loop;
    end if;

    return roleUuid;
end; $$;
--//