arazzo: 1.0.1
info:
  title: Azure Web PubSub Grant Permission if Missing
  summary: Check whether a connection already holds a permission, granting it only when absent.
  description: >-
    An idempotent authorization pattern: before granting, the app server checks
    whether the connection already holds the permission so it does not issue a
    redundant grant. When the permission is missing it is granted; when already
    present the flow ends. Each step inlines its request — Authorization bearer
    header, required api-version query, and documented HEAD 200/404 and PUT 200
    status codes — so the flow is self-describing.
  version: 1.0.0
sourceDescriptions:
- name: webPubSubApi
  url: ../openapi/microsoft-azure-web-pubsub-openapi.yml
  type: openapi
workflows:
- workflowId: grant-permission-if-missing
  summary: Check a connection's permission, then grant it only if not already held.
  description: >-
    Probes a permission with checkPermission and branches: when the HEAD returns
    404 it grants via grantPermission, when it returns 200 it ends.
  inputs:
    type: object
    required:
    - accessToken
    - hub
    - permission
    - connectionId
    properties:
      accessToken:
        type: string
        description: JWT bearer token for the Web PubSub data plane.
      apiVersion:
        type: string
        description: Data plane REST API version.
        default: "2024-01-01"
      hub:
        type: string
        description: Target hub name.
      permission:
        type: string
        description: Permission to check and grant.
        enum:
        - sendToGroup
        - joinLeaveGroup
      connectionId:
        type: string
        description: The connection id to check and grant.
      targetName:
        type: string
        description: Optional target group name the permission applies to.
  steps:
  - stepId: checkPermission
    description: >-
      Probe whether the connection already holds the permission. A 200 means it
      does; a 404 means it does not.
    operationId: webPubSub_checkPermission
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: hub
      in: path
      value: $inputs.hub
    - name: permission
      in: path
      value: $inputs.permission
    - name: connectionId
      in: path
      value: $inputs.connectionId
    - name: api-version
      in: query
      value: $inputs.apiVersion
    successCriteria:
    - condition: $statusCode == 200 || $statusCode == 404
    outputs:
      checkStatus: $statusCode
    onSuccess:
    - name: permissionMissing
      type: goto
      stepId: grantPermission
      criteria:
      - condition: $statusCode == 404
    - name: permissionPresent
      type: end
      criteria:
      - condition: $statusCode == 200
  - stepId: grantPermission
    description: >-
      Grant the connection the permission, optionally scoped to a target group
      name.
    operationId: webPubSub_grantPermission
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: hub
      in: path
      value: $inputs.hub
    - name: permission
      in: path
      value: $inputs.permission
    - name: connectionId
      in: path
      value: $inputs.connectionId
    - name: api-version
      in: query
      value: $inputs.apiVersion
    - name: targetName
      in: query
      value: $inputs.targetName
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      grantStatus: $statusCode
  outputs:
    checkStatus: $steps.checkPermission.outputs.checkStatus
    grantStatus: $steps.grantPermission.outputs.grantStatus