add create user for db

MarcusGoldschmidt · MarcusGoldschmidt · commit ccbc0c5fb400 · 2025-04-30T15:19:49.000-03:00
diff --git a/pkg/connector/database.go b/pkg/connector/database.go
@@ -24,80 +24,6 @@ type databaseSyncer struct {
 	client       *mssqldb.Client
 }
 
-var databasePermissions = map[string]string{
-	"AADS": "Alter Any Database Event Session",
-	"AAMK": "Alter Any Mask",
-	"AEDS": "Alter Any External Data Source",
-	"AEFF": "Alter Any External File Format",
-	"AL":   "Alter",
-	"ALAK": "Alter Any Asymmetric Key",
-	"ALAR": "Alter Any Application Role",
-	"ALAS": "Alter Any Assembly",
-	"ALCF": "Alter Any Certificate",
-	"ALDS": "Alter Any Dataspace",
-	"ALED": "Alter Any Database Event Notification",
-	"ALFT": "Alter Any Fulltext Catalog",
-	"ALMT": "Alter Any Message Type",
-	"ALRL": "Alter Any Role",
-	"ALRT": "Alter Any Route",
-	"ALSB": "Alter Any Remote Service Binding",
-	"ALSC": "Alter Any Contract",
-	"ALSK": "Alter Any Symmetric Key",
-	"ALSM": "Alter Any Schema",
-	"ALSV": "Alter Any Service",
-	"ALTG": "Alter Any Database DDL Trigger",
-	"ALUS": "Alter Any User",
-	"AUTH": "Authenticate",
-	"BADB": "Backup Database",
-	"BALO": "Backup Log",
-	"CL":   "Control",
-	"CO":   "Connect",
-	"CORP": "Connect Replication",
-	"CP":   "Checkpoint",
-	"CRAG": "Create Aggregate",
-	"CRAK": "Create Asymmetric Key",
-	"CRAS": "Create Certificate",
-	"CRDB": "Create Fatabase",
-	"CRDF": "Create Default",
-	"CRED": "Create Database DDL Event Notification",
-	"CRFN": "Create Function",
-	"CRFT": "Create Fulltext Catalog",
-	"CRMT": "Create Message Type",
-	"CRPR": "Create Procedure",
-	"CRQU": "Create Queue",
-	"CRRL": "Create Role",
-	"CRRT": "Create Route",
-	"CRRU": "Create Rule",
-	"CRSB": "Create Remote Service Binding",
-	"CRSC": "Create contract",
-	"CRSK": "Create symmetric key",
-	"CRSM": "Create Schema",
-	"CRSN": "Create Synonym",
-	"CRSO": "Create Sequence",
-	"CRSV": "Create Service",
-	"CRTB": "Create Table",
-	"CRTY": "Create Type",
-	"CRVW": "Create View",
-	"CRXS": "Create XML Schema Collection",
-	"DL":   "Delete",
-	"DABO": "Administer Database Bulk Operations",
-	"EAES": "Execute Any External Script",
-	"EX":   "Execute",
-	"IN":   "Insert",
-	"RC":   "Receive Object",
-	"RF":   "References",
-	"SL":   "Select",
-	"SPLN": "Showplan",
-	"SUQN": "Subscribe Query Notifications",
-	"TO":   "Take Ownership",
-	"UP":   "Update",
-	"VW":   "View Definition",
-	"VWCK": "View Any Column Encryption Key Definition",
-	"VWCM": "View Any Column Master Key Definition",
-	"VWCT": "View Change Tracking",
-	"VWDS": "View Database State Database",
-}
-
 func (d *databaseSyncer) ResourceType(ctx context.Context) *v2.ResourceType {
 	return d.resourceType
 }
@@ -137,7 +63,7 @@ func (d *databaseSyncer) List(ctx context.Context, parentResourceID *v2.Resource
 func (d *databaseSyncer) Entitlements(ctx context.Context, resource *v2.Resource, pToken *pagination.Token) ([]*v2.Entitlement, string, annotations.Annotations, error) {
 	var ret []*v2.Entitlement
 
-	for key, name := range databasePermissions {
+	for key, name := range mssqldb.DatabasePermissions {
 		grantSlug := fmt.Sprintf("%s (With Grant)", name)
 		ret = append(ret,
 			&v2.Entitlement{
@@ -184,7 +110,7 @@ func (d *databaseSyncer) Grants(ctx context.Context, resource *v2.Resource, pTok
 		perms := strings.Split(p.Permissions, ",")
 		for _, perm := range perms {
 			perm = strings.TrimSpace(perm)
-			if _, ok := databasePermissions[perm]; ok {
+			if _, ok := mssqldb.DatabasePermissions[perm]; ok {
 				rt, err := resourceTypeFromDatabasePrincipal(p.PrincipalType)
 				if err != nil {
 					l.Error("unexpected principal type", zap.String("principal_type", p.PrincipalType))
@@ -235,6 +161,8 @@ func (d *databaseSyncer) Grants(ctx context.Context, resource *v2.Resource, pTok
 }
 
 func (d *databaseSyncer) Grant(ctx context.Context, resource *v2.Resource, entitlement *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
+
 	if resource.Id.ResourceType != resourceTypeUser.Id {
 		return nil, nil, fmt.Errorf("resource type %s is not supported for granting", resource.Id.ResourceType)
 	}
@@ -260,11 +188,25 @@ func (d *databaseSyncer) Grant(ctx context.Context, resource *v2.Resource, entit
 		return nil, nil, err
 	}
 
-	user, err := d.client.GetUser(ctx, resource.Id.Resource)
+	user, err := d.client.GetUserPrincipal(ctx, resource.Id.Resource)
 	if err != nil {
 		return nil, nil, err
 	}
 
+	dbUser, err := d.client.GetUserFromDb(ctx, database.Name, resource.Id.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if dbUser == nil {
+		l.Info("user not found in database, creating user for principal", zap.String("user", resource.Id.Resource))
+
+		err = d.client.CreateDatabaseUserForPrincipal(ctx, database.Name, user.Name)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
 	err = d.client.GrantPermissionOnDatabase(ctx, permission, database.Name, user.Name)
 	if err != nil {
 		return nil, nil, err
@@ -304,7 +246,7 @@ func (d *databaseSyncer) Revoke(ctx context.Context, grant *v2.Grant) (annotatio
 		return nil, err
 	}
 
-	user, err := d.client.GetUser(ctx, grant.Principal.Id.Resource)
+	user, err := d.client.GetUserPrincipal(ctx, grant.Principal.Id.Resource)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/mssqldb/allowed.go b/pkg/mssqldb/allowed.go
@@ -0,0 +1,75 @@
+package mssqldb
+
+var DatabasePermissions = map[string]string{
+	"AADS": "Alter Any Database Event Session",
+	"AAMK": "Alter Any Mask",
+	"AEDS": "Alter Any External Data Source",
+	"AEFF": "Alter Any External File Format",
+	"AL":   "Alter",
+	"ALAK": "Alter Any Asymmetric Key",
+	"ALAR": "Alter Any Application Role",
+	"ALAS": "Alter Any Assembly",
+	"ALCF": "Alter Any Certificate",
+	"ALDS": "Alter Any Dataspace",
+	"ALED": "Alter Any Database Event Notification",
+	"ALFT": "Alter Any Fulltext Catalog",
+	"ALMT": "Alter Any Message Type",
+	"ALRL": "Alter Any Role",
+	"ALRT": "Alter Any Route",
+	"ALSB": "Alter Any Remote Service Binding",
+	"ALSC": "Alter Any Contract",
+	"ALSK": "Alter Any Symmetric Key",
+	"ALSM": "Alter Any Schema",
+	"ALSV": "Alter Any Service",
+	"ALTG": "Alter Any Database DDL Trigger",
+	"ALUS": "Alter Any User",
+	"AUTH": "Authenticate",
+	"BADB": "Backup Database",
+	"BALO": "Backup Log",
+	"CL":   "Control",
+	"CO":   "Connect",
+	"CORP": "Connect Replication",
+	"CP":   "Checkpoint",
+	"CRAG": "Create Aggregate",
+	"CRAK": "Create Asymmetric Key",
+	"CRAS": "Create Certificate",
+	"CRDB": "Create Fatabase",
+	"CRDF": "Create Default",
+	"CRED": "Create Database DDL Event Notification",
+	"CRFN": "Create Function",
+	"CRFT": "Create Fulltext Catalog",
+	"CRMT": "Create Message Type",
+	"CRPR": "Create Procedure",
+	"CRQU": "Create Queue",
+	"CRRL": "Create Role",
+	"CRRT": "Create Route",
+	"CRRU": "Create Rule",
+	"CRSB": "Create Remote Service Binding",
+	"CRSC": "Create contract",
+	"CRSK": "Create symmetric key",
+	"CRSM": "Create Schema",
+	"CRSN": "Create Synonym",
+	"CRSO": "Create Sequence",
+	"CRSV": "Create Service",
+	"CRTB": "Create Table",
+	"CRTY": "Create Type",
+	"CRVW": "Create View",
+	"CRXS": "Create XML Schema Collection",
+	"DL":   "Delete",
+	"DABO": "Administer Database Bulk Operations",
+	"EAES": "Execute Any External Script",
+	"EX":   "Execute",
+	"IN":   "Insert",
+	"RC":   "Receive Object",
+	"RF":   "References",
+	"SL":   "Select",
+	"SPLN": "Showplan",
+	"SUQN": "Subscribe Query Notifications",
+	"TO":   "Take Ownership",
+	"UP":   "Update",
+	"VW":   "View Definition",
+	"VWCK": "View Any Column Encryption Key Definition",
+	"VWCM": "View Any Column Master Key Definition",
+	"VWCT": "View Change Tracking",
+	"VWDS": "View Database State Database",
+}
diff --git a/pkg/mssqldb/databases.go b/pkg/mssqldb/databases.go
@@ -2,6 +2,7 @@ package mssqldb
 
 import (
 	"context"
+	"fmt"
 	"strconv"
 	"strings"
 
@@ -98,9 +99,23 @@ func (c *Client) GrantPermissionOnDatabase(ctx context.Context, permission, db,
 		zap.String("user", user),
 	)
 
-	command := `
-GRANT @p1 ON DATABASE::@p2 TO @p3;
-`
+	fullPermission, ok := DatabasePermissions[strings.ToUpper(permission)]
+	if !ok {
+		return fmt.Errorf("permission %s is not allowed", permission)
+	}
+
+	if strings.ContainsAny(db, "[]\"';") || strings.ContainsAny(user, "[]\"';") {
+		return fmt.Errorf("invalid characters in dbName or user")
+	}
+
+	command := fmt.Sprintf(
+		"GRANT %s ON DATABASE::[%s] TO [%s];",
+		fullPermission,
+		db,
+		user,
+	)
+
+	l.Debug("SQL QUERY", zap.String("q", command))
 
 	_, err := c.db.ExecContext(ctx, command, permission, db, user)
 	if err != nil {
@@ -113,17 +128,29 @@ GRANT @p1 ON DATABASE::@p2 TO @p3;
 func (c *Client) RevokePermissionOnDatabase(ctx context.Context, permission, db, user string) error {
 	l := ctxzap.Extract(ctx)
 	l.Debug(
-		"granting permission on database",
+		"revoking permission on database",
 		zap.String("permission", permission),
 		zap.String("db", db),
 		zap.String("user", user),
 	)
 
-	command := `
-REVOKE @p1 ON DATABASE::@p2 TO @p3;
-`
+	fullPermission, ok := DatabasePermissions[strings.ToUpper(permission)]
+	if !ok {
+		return fmt.Errorf("permission %s is not allowed", permission)
+	}
 
-	_, err := c.db.ExecContext(ctx, command, permission, db, user)
+	if strings.ContainsAny(db, "[]\"';") || strings.ContainsAny(user, "[]\"';") {
+		return fmt.Errorf("invalid characters in dbName or user")
+	}
+
+	command := fmt.Sprintf(
+		"GRANT %s ON DATABASE::[%s] TO [%s];",
+		fullPermission,
+		db,
+		user,
+	)
+
+	_, err := c.db.ExecContext(ctx, command, fullPermission, db, user)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/mssqldb/users.go b/pkg/mssqldb/users.go
