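-- Track which accounts own each set of pg_credentials and which other
-- accounts have been granted read access to them.
--
-- owner_id: the account that administers the credentials and may grant/revoke
--           access. The column carries no DEFAULT on purpose: SQLite only
--           allows a NULL default on a column added via ALTER TABLE with a
--           REFERENCES clause while foreign keys are enabled, so the
--           application is expected to fill it in (the system account for
--           sets it creates itself). Rows created before migration 5 keep
--           owner_id = NULL; ownership checks must decide explicitly how a
--           NULL owner is treated rather than letting it fall through.
--           No ON DELETE action is declared, so under PRAGMA foreign_keys=ON
--           an account that still owns credential sets cannot be deleted
--           (SQLite's default is NO ACTION).
ALTER TABLE pg_credentials
    ADD COLUMN owner_id INTEGER REFERENCES accounts(id);

-- Lookups by owner (listing the sets an account administers) walk this new
-- FK, so index it the same way the two FKs on pg_credential_access are
-- indexed below.
CREATE INDEX IF NOT EXISTS idx_pgcred_owner
    ON pg_credentials (owner_id);

-- pg_credential_access records an explicit "all-or-nothing" read grant from
-- the credential owner to another account. Grantees may view connection
-- metadata (host, port, database, username) but the password is never
-- decrypted for them in the UI. Only the owner may update or delete the
-- credential set.
--
-- The schema only records grants; it cannot check that granted_by is the
-- owner of credential_id, nor that grantee_id differs from that owner, so
-- the grant/revoke code path has to verify both before inserting here.
--
-- credential_id / grantee_id: ON DELETE CASCADE, so removing either the
--   credential set or the grantee account removes the grant rather than
--   leaving a dangling row.
-- granted_by: nullable (presumably for grants not made by an interactive
--   account -- confirm against the caller) and without an ON DELETE action,
--   so deleting a granting account is blocked while its grants remain.
-- granted_at: UTC ISO-8601 text; strftime('now') is UTC unless 'localtime'
--   is added.
-- UNIQUE (credential_id, grantee_id): at most one grant row per pair, which
--   makes revoke a single keyed DELETE.
CREATE TABLE IF NOT EXISTS pg_credential_access (
    id            INTEGER PRIMARY KEY,
    credential_id INTEGER NOT NULL
                  REFERENCES pg_credentials(id) ON DELETE CASCADE,
    grantee_id    INTEGER NOT NULL
                  REFERENCES accounts(id) ON DELETE CASCADE,
    granted_by    INTEGER REFERENCES accounts(id),
    granted_at    TEXT NOT NULL
                  DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    UNIQUE (credential_id, grantee_id)
);

-- Both FK columns are queried independently ("who can read set X" and
-- "which sets can account Y read"), so each gets its own index.
CREATE INDEX IF NOT EXISTS idx_pgcred_access_cred
    ON pg_credential_access (credential_id);
CREATE INDEX IF NOT EXISTS idx_pgcred_access_grantee
    ON pg_credential_access (grantee_id);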