boundary/internal/db/schema/migrations/postgres/10/06_session.up.sql

begin;

  create table session_credential_dynamic (
    session_id wt_public_id not null
      constraint session_fkey
        references session (public_id)
        on delete cascade
        on update cascade,
    library_id wt_public_id not null
      constraint credential_library_fkey
        references credential_library (public_id)
        on delete cascade
        on update cascade,
    credential_id wt_public_id
      constraint credential_dynamic_fkey
        references credential_dynamic (public_id)
        on delete cascade
        on update cascade,
    credential_purpose text not null
      constraint credential_purpose_fkey
        references credential_purpose_enm (name)
        on delete restrict
        on update cascade,
    primary key(session_id, library_id, credential_purpose),
    create_time wt_timestamp,
    constraint session_credential_dynamic_credential_id_uq
      unique(credential_id)
  );
  comment on table session_credential_dynamic is
    'session_credential_dynamic is a join table between the session and dynamic credential tables. '
    'It also contains the credential purpose the relationship represents.';

  create trigger default_create_time_column before insert on session_credential_dynamic
    for each row execute procedure default_create_time();

  create trigger immutable_columns before update on session_credential_dynamic
    for each row execute procedure immutable_columns('session_id', 'library_id', 'credential_purpose', 'create_time');

  -- revoke_credentials revokes any active credentials for a session when the
  -- session enters the canceling or terminated states.
  create function revoke_credentials()
    returns trigger
  as $$
  begin
    if new.state in ('canceling', 'terminated') then
      update credential_vault_credential
         set status = 'revoke'
       where session_id = new.session_id
         and status = 'active';
    end if;
    return new;
  end;
  $$ language plpgsql;
  create trigger revoke_credentials after insert on session_state
    for each row execute procedure revoke_credentials();

commit;