Add validation for single permission per DSC_DatabaseObjectPermission instance

Co-authored-by: johlju <[email protected]>

Author: Copilot

CHANGELOG.md

@@ -177,9 +177,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - `SqlDatabaseObjectPermission`
-  - Added documentation clarifying that each `DSC_DatabaseObjectPermission`
-    instance can only contain a single permission name. Specifying multiple
-    permissions as a comma-separated string causes an error
+  - Added validation to ensure each `DSC_DatabaseObjectPermission` instance
+    only contains a single permission name. Specifying multiple permissions
+    as a comma-separated string now throws a descriptive error
     ([issue #2020](https://github.com/dsccommunity/SqlServerDsc/issues/2020)).
 - `Get-SqlDscRSSetupConfiguration`
   - Fixed issue where the function doesn't provide an output for SSRS 2016 instances

source/DSCResources/DSC_SqlDatabaseObjectPermission/DSC_SqlDatabaseObjectPermission.psm1

@@ -908,6 +908,14 @@ function Assert-PermissionEnsureProperty
 
     foreach ($desiredPermission in $Permission)
     {
+        # Validate that Permission only contains a single permission name.
+        if ($desiredPermission.Permission -notmatch '^\w+$')
+        {
+            $errorMessage = $script:localizedData.InvalidPermissionValue -f $desiredPermission.Permission
+
+            New-ArgumentException -ArgumentName 'Permission' -Message $errorMessage
+        }
+
         if (-not $desiredPermission.Ensure)
         {
             $desiredPermission.Ensure = 'Present'

source/DSCResources/DSC_SqlDatabaseObjectPermission/README.md

@@ -29,7 +29,10 @@ block. Specifying multiple permissions as a comma-separated string (e.g.,
 `'DELETE,INSERT,SELECT'`) will cause an error similar to:
 
 ```text
-Cannot bind argument to parameter 'ReferenceObject' because it is null.
+The permission value 'DELETE,INSERT,SELECT' is invalid. Each
+DSC_DatabaseObjectPermission instance can only contain a single permission
+name. Specify each permission in a separate DSC_DatabaseObjectPermission
+instance.
 ```
 
 **Incorrect usage:**

source/DSCResources/DSC_SqlDatabaseObjectPermission/en-US/DSC_SqlDatabaseObjectPermission.strings.psd1

@@ -12,4 +12,5 @@ ConvertFrom-StringData @'
     PermissionStateInDesiredState = The permission state '{0}' is already in desired state for database object '{1}'. (SDOP0010)
     RevokePermissionWithGrant = One or more of the permissions was granted with the 'With Grant' permission for the user '{1}' on the database object '{2}' of type '{3}' in the database '{4}'. For the permissions ('{0}') the 'With Grant' permission is revoked, and the revoke is cascaded. (SDOP0011)
     GrantCantBeSetBecauseRevokeIsNotOptedIn = One or more of the permissions was granted with the 'With Grant' permission for the user '{1}' on the database object '{2}' of type '{3}' in the database '{4}'. For the permissions ('{0}') the 'With Grant' permission must be revoked, and the revoke must be cascaded, to enforce the desired state. If this desired state should be enforced then set the parameter Force to $true.
+    InvalidPermissionValue = The permission value '{0}' is invalid. Each DSC_DatabaseObjectPermission instance can only contain a single permission name. Specify each permission in a separate DSC_DatabaseObjectPermission instance. (SDOP0012)
 '@

tests/Unit/DSC_SqlDatabaseObjectPermission.Tests.ps1

@@ -2791,3 +2791,66 @@ Describe 'SqlDatabaseObjectPermission\Get-DatabaseObject' -Tag 'Helper' {
         }
     }
 }
+
+Describe 'SqlDatabaseObjectPermission\Assert-PermissionEnsureProperty' -Tag 'Helper' {
+    Context 'When permission value is valid' {
+        It 'Should not throw an error for a single permission name' {
+            InModuleScope -ScriptBlock {
+                Set-StrictMode -Version 1.0
+
+                $mockPermission = New-CimInstance `
+                    -ClassName 'DSC_DatabaseObjectPermission' `
+                    -Namespace 'root/microsoft/Windows/DesiredStateConfiguration' `
+                    -Property @{
+                        State      = 'Grant'
+                        Permission = 'Select'
+                    } `
+                    -ClientOnly
+
+                { Assert-PermissionEnsureProperty -Permission $mockPermission } | Should -Not -Throw
+            }
+        }
+    }
+
+    Context 'When permission value is invalid' {
+        It 'Should throw an error for comma-separated permissions' {
+            InModuleScope -ScriptBlock {
+                Set-StrictMode -Version 1.0
+
+                $mockPermission = New-CimInstance `
+                    -ClassName 'DSC_DatabaseObjectPermission' `
+                    -Namespace 'root/microsoft/Windows/DesiredStateConfiguration' `
+                    -Property @{
+                        State      = 'Grant'
+                        Permission = 'Delete,Insert,Select'
+                    } `
+                    -ClientOnly
+
+                $mockErrorMessage = InModuleScope -ScriptBlock {
+                    $script:localizedData.InvalidPermissionValue
+                }
+
+                { Assert-PermissionEnsureProperty -Permission $mockPermission } |
+                    Should -Throw -ExpectedMessage '*Delete,Insert,Select*'
+            }
+        }
+
+        It 'Should throw an error for permissions with spaces' {
+            InModuleScope -ScriptBlock {
+                Set-StrictMode -Version 1.0
+
+                $mockPermission = New-CimInstance `
+                    -ClassName 'DSC_DatabaseObjectPermission' `
+                    -Namespace 'root/microsoft/Windows/DesiredStateConfiguration' `
+                    -Property @{
+                        State      = 'Grant'
+                        Permission = 'Delete Insert'
+                    } `
+                    -ClientOnly
+
+                { Assert-PermissionEnsureProperty -Permission $mockPermission } |
+                    Should -Throw -ExpectedMessage '*Delete Insert*'
+            }
+        }
+    }
+}