CREATE ROLE authenticator LOGIN NOINHERIT NOCREATEDB NOCREATEROLE NOSUPERUSER;
CREATE ROLE anon NOLOGIN;
GRANT anon TO authenticator;

-- reloadable config options
-- these settings will override the values in configs/no-defaults.config, so they must be different
-- ALTER ROLE authenticator SET pgrst.db_aggregates_enabled = 'false';
ALTER ROLE authenticator SET pgrst.db_anon_role = 'anon';
ALTER ROLE authenticator SET pgrst.db_extra_search_path = 'public, extensions';
ALTER ROLE authenticator SET pgrst.db_max_rows = '500';
-- ALTER ROLE authenticator SET pgrst.db_plan_enabled = 'false';
-- ALTER ROLE authenticator SET pgrst.db_pre_config = 'postgrest.preconf';
-- ALTER ROLE authenticator SET pgrst.db_pre_request = 'test.custom_headers';
-- ALTER ROLE authenticator SET pgrst.db_prepared_statements = 'false';
-- ALTER ROLE authenticator SET pgrst.db_root_spec = 'root';
ALTER ROLE authenticator SET pgrst.db_schemas = 'test, tenant1, tenant2';
-- ALTER ROLE authenticator SET pgrst.db_tx_end = 'commit-allow-override';
-- ALTER ROLE authenticator SET pgrst.jwt_aud = 'https://example.org';
-- ALTER ROLE authenticator SET pgrst.jwt_cache_max_lifetime = '3600';
ALTER ROLE authenticator SET pgrst.jwt_role_claim_key = '."role"';
-- ALTER ROLE authenticator SET pgrst.jwt_secret = 'REALLY=REALLY=REALLY=REALLY=VERY=SAFE';
-- ALTER ROLE authenticator SET pgrst.jwt_secret_is_base64 = 'false';
ALTER ROLE authenticator SET pgrst.not_existing = 'should be ignored';
-- ALTER ROLE authenticator SET pgrst.openapi_server_proxy_uri = 'https://example.org/api';
-- ALTER ROLE authenticator SET pgrst.server_cors_allowed_origins = 'http://origin.com';
-- ALTER ROLE authenticator SET pgrst.server_timing_enabled = 'false';
-- ALTER ROLE authenticator SET pgrst.server_trace_header = 'CF-Ray';
-- ALTER ROLE authenticator SET pgrst.db_hoisted_tx_settings = 'autovacuum_work_mem';

-- override with database specific setting
-- ALTER ROLE authenticator IN DATABASE :DBNAME SET pgrst.db_extra_search_path = 'public, extensions, private';
-- ALTER ROLE authenticator IN DATABASE :DBNAME SET pgrst.jwt_secret = 'OVERRIDE=REALLY=REALLY=REALLY=REALLY=VERY=SAFE';
-- ALTER ROLE authenticator IN DATABASE :DBNAME SET pgrst.not_existing = 'should be ignored';

-- other database settings that should be ignored
-- CREATE DATABASE other;
-- ALTER ROLE authenticator IN DATABASE other SET pgrst.db_max_rows = '1111';

-- non-reloadable configs
-- ALTER ROLE authenticator SET pgrst.admin_server_host = 'ignored';
-- ALTER ROLE authenticator SET pgrst.admin_server_port = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_channel = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_channel_enabled = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_config = 'true';
-- ALTER ROLE authenticator SET pgrst.db_pool = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_pool_acquisition_timeout = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_pool_timeout = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_pool_max_idletime = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_pool_max_lifetime = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_uri = 'postgresql://ignored';
-- ALTER ROLE authenticator SET pgrst.log_level = 'ignored';
-- ALTER ROLE authenticator SET pgrst.log_query = 'ignored';
-- ALTER ROLE authenticator SET pgrst.server_host = 'ignored';
-- ALTER ROLE authenticator SET pgrst.server_port = 'ignored';
-- ALTER ROLE authenticator SET pgrst.server_unix_socket = 'ignored';
-- ALTER ROLE authenticator SET pgrst.server_unix_socket_mode = 'ignored';

-- other authenticator reloadable config options
-- these settings will override the values in configs/no-defaults.config, so they must be different
-- CREATE ROLE other_authenticator LOGIN NOINHERIT;
-- ALTER ROLE other_authenticator SET pgrst.db_aggregates_enabled = 'false';
-- ALTER ROLE other_authenticator SET pgrst.db_extra_search_path = 'public, extensions, other';
-- ALTER ROLE other_authenticator SET pgrst.db_max_rows = '100';
-- ALTER ROLE other_authenticator SET pgrst.db_plan_enabled = 'true';
-- ALTER ROLE other_authenticator SET pgrst.db_pre_config = 'postgrest.other_preconf';
-- ALTER ROLE other_authenticator SET pgrst.db_pre_request = 'test.other_custom_headers';
-- ALTER ROLE other_authenticator SET pgrst.db_prepared_statements = 'false';
-- ALTER ROLE other_authenticator SET pgrst.db_root_spec = 'other_root';
-- ALTER ROLE other_authenticator SET pgrst.db_schemas = 'test, other_tenant1, other_tenant2';
-- ALTER ROLE other_authenticator SET pgrst.jwt_aud = 'https://otherexample.org';
-- ALTER ROLE other_authenticator SET pgrst.jwt_secret = 'ODERREALLYREALLYREALLYREALLYVERYSAFE';
-- ALTER ROLE other_authenticator SET pgrst.jwt_secret_is_base64 = 'false';
-- ALTER ROLE other_authenticator SET pgrst.jwt_cache_max_lifetime = '7200';
-- ALTER ROLE other_authenticator SET pgrst.openapi_mode = 'disabled';
-- ALTER ROLE other_authenticator SET pgrst.openapi_security_active = 'false';
-- ALTER ROLE other_authenticator SET pgrst.openapi_server_proxy_uri = 'https://otherexample.org/api';
-- ALTER ROLE other_authenticator SET pgrst.server_cors_allowed_origins = 'http://otherorigin.com';
-- ALTER ROLE other_authenticator SET pgrst.server_timing_enabled = 'true';
-- ALTER ROLE other_authenticator SET pgrst.server_trace_header = 'traceparent';
-- ALTER ROLE other_authenticator SET pgrst.db_hoisted_tx_settings = 'maintenance_work_mem';

-- create schema postgrest;
-- grant usage on schema postgrest to authenticator;
-- grant usage on schema postgrest to other_authenticator;

-- -- pre-config hook
-- create or replace function postgrest.pre_config()
-- returns void as $$
-- begin
--   if current_user = 'other_authenticator' then
--     perform
--       set_config('pgrst.jwt_role_claim_key', '."other"."pre_config_role"', true)
--     , set_config('pgrst.db_anon_role', 'pre_config_role', true)
--     , set_config('pgrst.db_schemas', 'will be overriden with the above ALTER ROLE.. db_schemas', true)
--     , set_config('pgrst.db_tx_end', 'rollback-allow-override', true);
--   else
--     null;
--   end if;
-- end $$ language plpgsql;

-- create or replace function postgrest.preconf()
-- returns void as $$
-- begin
--   null;
-- end $$ language plpgsql;

-- create or replace function postgrest.other_preconf()
-- returns void as $$
-- begin
--   perform postgrest.pre_config();
-- end $$ language plpgsql;

-- -- authenticator used for tests that manipulate statement timeout
-- CREATE ROLE timeout_authenticator LOGIN NOINHERIT;

-- create function set_statement_timeout(role text, milliseconds int) returns void as $_$
-- begin
--   execute format($$
--     alter role %I set statement_timeout to %L;
--   $$, role, milliseconds);
-- end $_$ volatile security definer language plpgsql;

-- -- authenticator used for test-independent database manipulation
-- CREATE ROLE meta_authenticator LOGIN NOINHERIT;