cameleer-server-app/src/main/resources/db/migration/V2__claim_mapping.sql

-- V2__claim_mapping.sql
-- Add origin tracking to assignment tables

ALTER TABLE user_roles ADD COLUMN origin TEXT NOT NULL DEFAULT 'direct';
ALTER TABLE user_roles ADD COLUMN mapping_id UUID;

ALTER TABLE user_groups ADD COLUMN origin TEXT NOT NULL DEFAULT 'direct';
ALTER TABLE user_groups ADD COLUMN mapping_id UUID;

-- Drop old primary keys (they don't include origin)
ALTER TABLE user_roles DROP CONSTRAINT user_roles_pkey;
ALTER TABLE user_roles ADD PRIMARY KEY (user_id, role_id, origin);

ALTER TABLE user_groups DROP CONSTRAINT user_groups_pkey;
ALTER TABLE user_groups ADD PRIMARY KEY (user_id, group_id, origin);

-- Claim mapping rules table
CREATE TABLE claim_mapping_rules (
    id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    claim       TEXT NOT NULL,
    match_type  TEXT NOT NULL,
    match_value TEXT NOT NULL,
    action      TEXT NOT NULL,
    target      TEXT NOT NULL,
    priority    INT NOT NULL DEFAULT 0,
    created_at  TIMESTAMPTZ NOT NULL DEFAULT now(),
    CONSTRAINT chk_match_type CHECK (match_type IN ('equals', 'contains', 'regex')),
    CONSTRAINT chk_action CHECK (action IN ('assignRole', 'addToGroup'))
);

-- Foreign key from assignments to mapping rules
ALTER TABLE user_roles ADD CONSTRAINT fk_user_roles_mapping
    FOREIGN KEY (mapping_id) REFERENCES claim_mapping_rules(id) ON DELETE CASCADE;
ALTER TABLE user_groups ADD CONSTRAINT fk_user_groups_mapping
    FOREIGN KEY (mapping_id) REFERENCES claim_mapping_rules(id) ON DELETE CASCADE;

-- Index for fast managed assignment cleanup
CREATE INDEX idx_user_roles_origin ON user_roles(user_id, origin);
CREATE INDEX idx_user_groups_origin ON user_groups(user_id, origin);
feat: add claim mapping rules table and origin tracking to RBAC assignments - Add origin and mapping_id columns to user_roles and user_groups - Create claim_mapping_rules table with match_type and action constraints - Update primary keys to include origin column - Add indexes for fast managed assignment cleanup Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 23:07:30 +02:00			`-- V2__claim_mapping.sql`
			`-- Add origin tracking to assignment tables`

			`ALTER TABLE user_roles ADD COLUMN origin TEXT NOT NULL DEFAULT 'direct';`
			`ALTER TABLE user_roles ADD COLUMN mapping_id UUID;`

			`ALTER TABLE user_groups ADD COLUMN origin TEXT NOT NULL DEFAULT 'direct';`
			`ALTER TABLE user_groups ADD COLUMN mapping_id UUID;`

			`-- Drop old primary keys (they don't include origin)`
			`ALTER TABLE user_roles DROP CONSTRAINT user_roles_pkey;`
			`ALTER TABLE user_roles ADD PRIMARY KEY (user_id, role_id, origin);`

			`ALTER TABLE user_groups DROP CONSTRAINT user_groups_pkey;`
			`ALTER TABLE user_groups ADD PRIMARY KEY (user_id, group_id, origin);`

			`-- Claim mapping rules table`
			`CREATE TABLE claim_mapping_rules (`
			`id UUID PRIMARY KEY DEFAULT gen_random_uuid(),`
			`claim TEXT NOT NULL,`
			`match_type TEXT NOT NULL,`
			`match_value TEXT NOT NULL,`
			`action TEXT NOT NULL,`
			`target TEXT NOT NULL,`
			`priority INT NOT NULL DEFAULT 0,`
			`created_at TIMESTAMPTZ NOT NULL DEFAULT now(),`
			`CONSTRAINT chk_match_type CHECK (match_type IN ('equals', 'contains', 'regex')),`
			`CONSTRAINT chk_action CHECK (action IN ('assignRole', 'addToGroup'))`
			`);`

			`-- Foreign key from assignments to mapping rules`
			`ALTER TABLE user_roles ADD CONSTRAINT fk_user_roles_mapping`
			`FOREIGN KEY (mapping_id) REFERENCES claim_mapping_rules(id) ON DELETE CASCADE;`
			`ALTER TABLE user_groups ADD CONSTRAINT fk_user_groups_mapping`
			`FOREIGN KEY (mapping_id) REFERENCES claim_mapping_rules(id) ON DELETE CASCADE;`

			`-- Index for fast managed assignment cleanup`
			`CREATE INDEX idx_user_roles_origin ON user_roles(user_id, origin);`
			`CREATE INDEX idx_user_groups_origin ON user_groups(user_id, origin);`