--liquibase formatted sql


-- =================================================================
-- CREATE ROLE
--changeset rbac-role-builder-create-role:1 endDelimiter:--//
-- -----------------------------------------------------------------

-- TODO: rename to defineRoleWithGrants because it does not complain if the role already exists
create or replace function createRoleWithGrants(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacOp[] = array[]::RbacOp[],
    incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
    outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
    userUuids uuid[] = array[]::uuid[],
    grantedByRole RbacRoleDescriptor = null
)
    returns uuid
    called on null input
    language plpgsql as $$
declare
    roleUuid                uuid;
    permission              RbacOp;
    permissionUuid          uuid;
    subRoleDesc             RbacRoleDescriptor;
    superRoleDesc           RbacRoleDescriptor;
    subRoleUuid             uuid;
    superRoleUuid           uuid;
    userUuid                uuid;
    userGrantsByRoleUuid    uuid;
begin
    roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor));

    foreach permission in array permissions
        loop
            permissionUuid := createPermission(roleDescriptor.objectuuid, permission);
            call grantPermissionToRole(permissionUuid, roleUuid);
        end loop;

    foreach superRoleDesc in array array_remove(incomingSuperRoles, null)
        loop
            superRoleUuid := getRoleId(superRoleDesc);
            call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
        end loop;

    foreach subRoleDesc in array array_remove(outgoingSubRoles, null)
        loop
            subRoleUuid := getRoleId(subRoleDesc);
            call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
        end loop;

    if cardinality(userUuids) > 0 then
        -- direct grants to users need a grantedByRole which can revoke the grant
        if grantedByRole is null then
            userGrantsByRoleUuid := roleUuid; -- TODO.spec: or do we want to require an explicit userGrantsByRoleUuid?
        else
            userGrantsByRoleUuid := getRoleId(grantedByRole);
        end if;
        foreach userUuid in array userUuids
            loop
                call grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, userUuid);
            end loop;
    end if;

    return roleUuid;
end; $$;
--//