--liquibase formatted sql -- ============================================================================ -- PERMISSIONS --changeset rbac-role-builder-permissions:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* */ create type RbacPermissions as ( permissionUuids uuid[] ); create or replace function grantingPermissions(forObjectUuid uuid, permitOps RbacOp[]) returns RbacPermissions language plpgsql strict as $$ begin return row (createPermissions(forObjectUuid, permitOps))::RbacPermissions; end; $$; create or replace function withoutPermissions() returns RbacPermissions language plpgsql strict as $$ begin return row (array []::uuid[]); end; $$; --// --changeset rbac-role-builder-super-roles:1 endDelimiter:--// /* */ create type RbacSuperRoles as ( roleUuids uuid[] ); create or replace function beneathRoles(roleDescriptors RbacRoleDescriptor[]) returns RbacSuperRoles language plpgsql strict as $$ declare superRoleDescriptor RbacRoleDescriptor; superRoleUuids uuid[] := array []::uuid[]; begin foreach superRoleDescriptor in array roleDescriptors loop if superRoleDescriptor is not null then superRoleUuids := superRoleUuids || getRoleId(superRoleDescriptor, 'fail'); end if; end loop; return row (superRoleUuids)::RbacSuperRoles; end; $$; create or replace function beneathRole(roleDescriptor RbacRoleDescriptor) returns RbacSuperRoles language plpgsql strict as $$ begin return beneathRoles(array [roleDescriptor]); end; $$; create or replace function beneathRole(roleUuid uuid) returns RbacSuperRoles language plpgsql strict as $$ begin return row (array [roleUuid]::uuid[])::RbacSuperRoles; end; $$; create or replace function asTopLevelRole() returns RbacSuperRoles language plpgsql strict as $$ begin return row (array []::uuid[])::RbacSuperRoles; end; $$; --// -- ================================================================= -- SUB ROLES --changeset rbac-role-builder-sub-roles:1 endDelimiter:--// -- ----------------------------------------------------------------- /* */ create type RbacSubRoles as ( roleUuids uuid[] ); create or replace function beingItselfA(roleUuid uuid) returns RbacSubRoles language plpgsql strict as $$ begin return row (array [roleUuid]::uuid[])::RbacSubRoles; end; $$; create or replace function beingItselfA(roleDescriptor RbacRoleDescriptor) returns RbacSubRoles language plpgsql strict as $$ begin return beingItselfA(getRoleId(roleDescriptor, 'fail')); end; $$; create or replace function withSubRoles(roleDescriptors RbacRoleDescriptor[]) returns RbacSubRoles language plpgsql strict as $$ declare subRoleDescriptor RbacRoleDescriptor; subRoleUuids uuid[] := array []::uuid[]; begin foreach subRoleDescriptor in array roleDescriptors loop if subRoleDescriptor is not null then subRoleUuids := subRoleUuids || getRoleId(subRoleDescriptor, 'fail'); end if; end loop; return row (subRoleUuids)::RbacSubRoles; end; $$; create or replace function withoutSubRoles() returns RbacSubRoles language plpgsql strict as $$ begin return row (array []::uuid[]); end; $$; --// -- ================================================================= -- USERS --changeset rbac-role-builder-users:1 endDelimiter:--// -- ----------------------------------------------------------------- /* */ create type RbacUsers as ( userUuids uuid[] ); create or replace function withUsers(userNames varchar[]) returns RbacUsers language plpgsql strict as $$ declare userName varchar; userUuids uuid[] := array []::uuid[]; begin foreach userName in array userNames loop userUuids := userUuids || getRbacUserId(userName, 'fail'); end loop; return row (userUuids)::RbacUsers; end; $$; create or replace function withUser(userName varchar, whenNotExists RbacWhenNotExists = 'fail') returns RbacUsers returns null on null input language plpgsql as $$ begin return row (array [getRbacUserId(userName, whenNotExists)]); end; $$; --// -- ================================================================= -- CREATE ROLE --changeset rbac-role-builder-create-role:1 endDelimiter:--// -- ----------------------------------------------------------------- /* */ create or replace function createRole( roleDescriptor RbacRoleDescriptor, permissions RbacPermissions, superRoles RbacSuperRoles, subRoles RbacSubRoles = null, users RbacUsers = null, grantingRoleUuid uuid = null ) returns uuid called on null input language plpgsql as $$ declare roleUuid uuid; superRoleUuid uuid; subRoleUuid uuid; userUuid uuid; begin raise notice 'will createRole for %', roleDescriptor; roleUuid = createRole(roleDescriptor); call grantPermissionsToRole(roleUuid, permissions.permissionUuids); if superRoles is not null then foreach superRoleUuid in array superRoles.roleuUids loop call grantRoleToRole(roleUuid, superRoleUuid); end loop; end if; if subRoles is not null then foreach subRoleUuid in array subRoles.roleuUids loop call grantRoleToRole(subRoleUuid, roleUuid); end loop; end if; if users is not null then foreach userUuid in array users.useruUids loop call grantRoleToUserUnchecked(grantingRoleUuid, roleUuid, userUuid); end loop; end if; return roleUuid; end; $$; create or replace function createRole( roleDescriptor RbacRoleDescriptor, permissions RbacPermissions, users RbacUsers = null, grantingRoleUuid uuid = null ) returns uuid called on null input language plpgsql as $$ begin return createRole(roleDescriptor, permissions, null, null, users, grantingRoleUuid); end; $$; create or replace function createRole( roleDescriptor RbacRoleDescriptor, permissions RbacPermissions, subRoles RbacSubRoles, users RbacUsers = null, grantingRoleUuid uuid = null ) returns uuid called on null input language plpgsql as $$ begin return createRole(roleDescriptor, permissions, null, subRoles, users, grantingRoleUuid); end; $$; --// -- ================================================================= -- CREATE ROLE --changeset rbac-role-builder-GRANTED-BY-ROLE:1 endDelimiter:--// -- ----------------------------------------------------------------- /* Used in role-builder-DSL to convert a role descriptor to it's uuid for use as `grantedByRoleUuid`. */ create or replace function grantedByRole(roleDescriptor RbacRoleDescriptor) returns uuid strict leakproof language plpgsql as $$ begin return getRoleId(roledescriptor, 'fail'); end; $$; --//