--liquibase formatted sql

-- ============================================================================
--changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates the related RbacObject through a BEFORE INSERT TRIGGER.
 */
drop trigger if exists createRbacObjectFortest_unixuser_Trigger on test_unixuser;
create trigger createRbacObjectFortest_unixuser_Trigger
    before insert
    on test_unixuser
    for each row
execute procedure createRbacObject();
--//


-- ============================================================================
--changeset test-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

create or replace function testUnixUserOwner(uu test_unixuser)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
begin
    return roleDescriptor('test_unixuser', uu.uuid, 'owner');
end; $$;

create or replace function testUnixUserAdmin(uu test_unixuser)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
begin
    return roleDescriptor('test_unixuser', uu.uuid, 'admin');
end; $$;

create or replace function testUnixUserTenant(uu test_unixuser)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
begin
    return roleDescriptor('test_unixuser', uu.uuid, 'tenant');
end; $$;

create or replace function createTestUnixUserTenantRoleIfNotExists(unixUser test_unixuser)
    returns uuid
    returns null on null input
    language plpgsql as $$
declare
    unixUserTenantRoleDesc RbacRoleDescriptor;
    unixUserTenantRoleUuid uuid;
begin
    unixUserTenantRoleDesc = testUnixUserTenant(unixUser);
    unixUserTenantRoleUuid = findRoleId(unixUserTenantRoleDesc);
    if unixUserTenantRoleUuid is not null then
        return unixUserTenantRoleUuid;
    end if;

    return createRole(
        unixUserTenantRoleDesc,
        grantingPermissions(forObjectUuid => unixUser.uuid, permitOps => array ['view']),
        beneathRole(testUnixUserAdmin(unixUser))
        );
end; $$;
--//


-- ============================================================================
--changeset test-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates the roles and their assignments for a new UnixUser for the AFTER INSERT TRIGGER.
 */

create or replace function createRbacRulesForTestUnixUser()
    returns trigger
    language plpgsql
    strict as $$
declare
    parentPackage       test_package;
    unixuserOwnerRoleId uuid;
    unixuserAdminRoleId uuid;
begin
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
    end if;

    select * from test_package where uuid = NEW.packageUuid into parentPackage;

    -- an owner role is created and assigned to the package's admin group
    unixuserOwnerRoleId = createRole(
        testUnixUserOwner(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
        beneathRole(testPackageAdmin(parentPackage))
        );

    -- and a unixuser admin role is created and assigned to the unixuser owner as well
    unixuserAdminRoleId = createRole(
        testUnixUserAdmin(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
        beneathRole(unixuserOwnerRoleId),
        beingItselfA(testPackageTenant(parentPackage))
        );

    -- a tenent role is only created on demand

    return NEW;
end; $$;


/*
    An AFTER INSERT TRIGGER which creates the role structure for a new UnixUser.
 */
drop trigger if exists createRbacRulesForTestUnixuser_Trigger on test_unixuser;
create trigger createRbacRulesForTestUnixuser_Trigger
    after insert
    on test_unixuser
    for each row
execute procedure createRbacRulesForTestUnixUser();
--//


-- ============================================================================
--changeset test-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Deletes the roles and their assignments of a deleted UnixUser for the BEFORE DELETE TRIGGER.
 */

create or replace function deleteRbacRulesForTestUnixUser()
    returns trigger
    language plpgsql
    strict as $$
begin
    if TG_OP = 'DELETE' then
        call deleteRole(findRoleId(testUnixUserOwner(OLD)));
        call deleteRole(findRoleId(testUnixUserAdmin(OLD)));
        call deleteRole(findRoleId(testUnixUserTenant(OLD)));
    else
        raise exception 'invalid usage of TRIGGER BEFORE DELETE';
    end if;
end; $$;

/*
    An BEFORE DELETE TRIGGER which deletes the role structure of a UnixUser.
 */

drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_package;
create trigger deleteRbacRulesForTestUnixUser_Trigger
    before delete
    on test_unixuser
    for each row
execute procedure deleteRbacRulesForTestUnixUser();
--//


-- ============================================================================
--changeset test-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates a view to the UnixUser main table which maps the identifying name
    (in this case, actually the column `name`) to the objectUuid.
 */
drop view if exists test_unixuser_iv;
create or replace view test_unixuser_iv as
select distinct target.uuid, target.name as idName
    from test_unixuser as target;
-- TODO: Is it ok that everybody has access to this information?
grant all privileges on test_unixuser_iv to restricted;

/*
    Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
 */
create or replace function test_unixUserUuidByIdName(idName varchar)
    returns uuid
    language sql
    strict as $$
select uuid from test_unixuser_iv iv where iv.idName = test_unixUserUuidByIdName.idName;
$$;

/*
    Returns the identifying name for a given objectUuid (in this case the name).
 */
create or replace function test_unixUserIdNameByUuid(uuid uuid)
    returns varchar
    stable leakproof
    language sql
    strict as $$
select idName from test_unixuser_iv iv where iv.uuid = test_unixUserIdNameByUuid.uuid;
$$;
--//


-- ============================================================================
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates a view to the customer main table which maps the identifying name
    (in this case, the prefix) to the objectUuid.
 */
drop view if exists test_unixuser_rv;
create or replace view test_unixuser_rv as
select target.*
    from test_unixuser as target
    where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids()));
grant all privileges on test_unixuser_rv to restricted;
--//