SqlPermission: Added integration tests for server role permissions (#2362)

johlju · web-flow · commit 11106531cf61 · 2025-12-07T10:06:45.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- `SqlPermission`
+  - Added integration tests for server role permissions to complement the
+    existing login permission tests.
 - `New-SqlDscDatabase`
   - Added comprehensive set of settable database properties that were previously
     only available in `Set-SqlDscDatabaseProperty`
@@ -27,6 +30,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     `Revoke-SqlDscServerPermission`, and `Get-SqlDscServerPermission`)
     instead of the deprecated `Set-SqlDscServerPermission` command
     ([issue #2159](https://github.com/dsccommunity/SqlServerDsc/issues/2159)).
+  - Updated documentation to clarify that the resource supports both logins
+    and server roles as principals.
+  - Added a note in documentation clarifying that if a name exists as both
+    a login and a server role, the login will take precedence.
 - Updated comment-based help `.INPUTS` and `.OUTPUTS` sections across all public
   commands and private functions to comply with DSC community style guidelines
   ([issue #2103](https://github.com/dsccommunity/SqlServerDsc/issues/2103)).
diff --git a/source/Classes/020.SqlPermission.ps1 b/source/Classes/020.SqlPermission.ps1
@@ -1,18 +1,24 @@
 <#
     .SYNOPSIS
         The `SqlPermission` DSC resource is used to grant, deny or revoke
-        server permissions for a login.
+        server permissions for a login or server role.
 
     .DESCRIPTION
         The `SqlPermission` DSC resource is used to grant, deny or revoke
-        Server permissions for a login. For more information about permissions,
-        please read the article [Permissions (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/permissions-database-engine).
+        server permissions for a login or server role. For more information about
+        permissions, please read the article [Permissions (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/permissions-database-engine).
 
         > [!CAUTION]
         > When revoking permission with PermissionState 'GrantWithGrant', both the
         > grantee and _all the other users the grantee has granted the same permission_
         > _to_, will also get their permission revoked.
 
+        > [!NOTE]
+        > The parameter **Name** can specify either a login or a server role. If
+        > a name exists as both a login and a server role, the login will take
+        > precedence. To avoid ambiguity, use unique names for logins and server
+        > roles.
+
         ## Requirements
 
         * Target machine must be running Windows Server 2012 or later.
@@ -61,7 +67,8 @@
         ```
 
     .PARAMETER Name
-        The name of the user that should be granted or denied the permission.
+        The name of the principal (login or server role) that should be granted
+        or denied the permission.
 
     .PARAMETER Permission
         An array of server permissions to enforce. Any permission that is not
@@ -360,7 +367,13 @@ class SqlPermission : SqlResourceBase
 
         # This will test whether the principal exist.
         $isLogin = Test-SqlDscIsLogin @testSqlDscIsPrincipalParameters
-        $isRole = Test-SqlDscIsRole @testSqlDscIsPrincipalParameters
+        $isRole = $false
+
+        # Only test for role if not already found as a login.
+        if (-not $isLogin)
+        {
+            $isRole = Test-SqlDscIsRole @testSqlDscIsPrincipalParameters
+        }
 
         if (-not $isLogin -and -not $isRole)
         {
diff --git a/tests/Integration/Resources/DSC_SqlPermission.Integration.Tests.ps1 b/tests/Integration/Resources/DSC_SqlPermission.Integration.Tests.ps1
@@ -318,6 +318,253 @@ Describe "$($script:dscResourceName)_Integration" -Tag @('Integration_SQL2016',
         These tests assumes that only permission left for test user 'User1' is
         a grant for permission 'ConnectSql'.
     #>
+
+    Context ('When using configuration <_>') -ForEach @(
+        "$($script:dscResourceName)_Role_Grant_Config"
+    ) {
+        BeforeAll {
+            $configurationName = $_
+        }
+
+        AfterEach {
+            Wait-ForIdleLcm
+        }
+
+        It 'Should compile and apply the MOF without throwing' {
+            $configurationParameters = @{
+                OutputPath           = $TestDrive
+                # The variable $ConfigurationData was dot-sourced above.
+                ConfigurationData    = $ConfigurationData
+            }
+
+            $null = & $configurationName @configurationParameters
+
+            $startDscConfigurationParameters = @{
+                Path         = $TestDrive
+                ComputerName = 'localhost'
+                Wait         = $true
+                Verbose      = $true
+                Force        = $true
+                ErrorAction  = 'Stop'
+            }
+
+            $null = Start-DscConfiguration @startDscConfigurationParameters
+        }
+
+        It 'Should be able to call Get-DscConfiguration without throwing' {
+            $script:currentConfiguration = Get-DscConfiguration -Verbose -ErrorAction 'Stop'
+        }
+
+        It 'Should have set the resource and all the parameters should match' {
+            $resourceCurrentState = $script:currentConfiguration | Where-Object -FilterScript {
+                $_.ConfigurationName -eq $configurationName `
+                -and $_.ResourceId -eq $resourceId
+            }
+
+            $resourceCurrentState.ServerName | Should -Be $ConfigurationData.AllNodes.ServerName
+            $resourceCurrentState.InstanceName | Should -Be $ConfigurationData.AllNodes.InstanceName
+            $resourceCurrentState.Name | Should -Be $ConfigurationData.AllNodes.Role1_Name
+            $resourceCurrentState.Permission | Should -HaveCount 3
+
+            $grantState = $resourceCurrentState.Permission.Where({ $_.State -eq 'Grant' })
+
+            $grantState.State | Should -Be 'Grant'
+            $grantState.Permission | Should -HaveCount 2
+            $grantState.Permission | Should -Contain 'ViewServerState'
+            $grantState.Permission | Should -Contain 'AlterAnyEndpoint'
+        }
+
+        It 'Should return $true when Test-DscConfiguration is run' {
+            Test-DscConfiguration -Verbose -ErrorAction 'Stop' | Should -Be 'True'
+        }
+    }
+
+    Context ('When using configuration <_>') -ForEach @(
+        "$($script:dscResourceName)_Role_RemoveGrant_Config"
+    ) {
+        BeforeAll {
+            $configurationName = $_
+        }
+
+        AfterEach {
+            Wait-ForIdleLcm
+        }
+
+        It 'Should compile and apply the MOF without throwing' {
+            $configurationParameters = @{
+                OutputPath           = $TestDrive
+                # The variable $ConfigurationData was dot-sourced above.
+                ConfigurationData    = $ConfigurationData
+            }
+
+            $null = & $configurationName @configurationParameters
+
+            $startDscConfigurationParameters = @{
+                Path         = $TestDrive
+                ComputerName = 'localhost'
+                Wait         = $true
+                Verbose      = $true
+                Force        = $true
+                ErrorAction  = 'Stop'
+            }
+
+            $null = Start-DscConfiguration @startDscConfigurationParameters
+        }
+
+        It 'Should be able to call Get-DscConfiguration without throwing' {
+            $script:currentConfiguration = Get-DscConfiguration -Verbose -ErrorAction 'Stop'
+        }
+
+        It 'Should have set the resource and all the parameters should match' {
+            $resourceCurrentState = $script:currentConfiguration | Where-Object -FilterScript {
+                $_.ConfigurationName -eq $configurationName `
+                -and $_.ResourceId -eq $resourceId
+            }
+
+            $resourceCurrentState.ServerName | Should -Be $ConfigurationData.AllNodes.ServerName
+            $resourceCurrentState.InstanceName | Should -Be $ConfigurationData.AllNodes.InstanceName
+            $resourceCurrentState.Name | Should -Be $ConfigurationData.AllNodes.Role1_Name
+            $resourceCurrentState.Permission | Should -HaveCount 3
+
+            $grantState = $resourceCurrentState.Permission.Where({ $_.State -eq 'Grant' })
+
+            $grantState.State | Should -Be 'Grant'
+            $grantState.Permission | Should -BeNullOrEmpty
+        }
+
+        It 'Should return $true when Test-DscConfiguration is run' {
+            Test-DscConfiguration -Verbose -ErrorAction 'Stop' | Should -Be 'True'
+        }
+    }
+
+    Context ('When using configuration <_>') -ForEach @(
+        "$($script:dscResourceName)_Role_Deny_Config"
+    ) {
+        BeforeAll {
+            $configurationName = $_
+        }
+
+        AfterEach {
+            Wait-ForIdleLcm
+        }
+
+        It 'Should compile and apply the MOF without throwing' {
+            $configurationParameters = @{
+                OutputPath           = $TestDrive
+                # The variable $ConfigurationData was dot-sourced above.
+                ConfigurationData    = $ConfigurationData
+            }
+
+            $null = & $configurationName @configurationParameters
+
+            $startDscConfigurationParameters = @{
+                Path         = $TestDrive
+                ComputerName = 'localhost'
+                Wait         = $true
+                Verbose      = $true
+                Force        = $true
+                ErrorAction  = 'Stop'
+            }
+
+            $null = Start-DscConfiguration @startDscConfigurationParameters
+        }
+
+        It 'Should be able to call Get-DscConfiguration without throwing' {
+            $script:currentConfiguration = Get-DscConfiguration -Verbose -ErrorAction 'Stop'
+        }
+
+        It 'Should have set the resource and all the parameters should match' {
+            $resourceCurrentState = $script:currentConfiguration | Where-Object -FilterScript {
+                $_.ConfigurationName -eq $configurationName `
+                -and $_.ResourceId -eq $resourceId
+            }
+
+            $resourceCurrentState.ServerName | Should -Be $ConfigurationData.AllNodes.ServerName
+            $resourceCurrentState.InstanceName | Should -Be $ConfigurationData.AllNodes.InstanceName
+            $resourceCurrentState.Name | Should -Be $ConfigurationData.AllNodes.Role1_Name
+            $resourceCurrentState.Permission | Should -HaveCount 3
+
+            $grantState = $resourceCurrentState.Permission.Where({ $_.State -eq 'Grant' })
+
+            $grantState.State | Should -Be 'Grant'
+            $grantState.Permission | Should -BeNullOrEmpty
+
+            $denyState = $resourceCurrentState.Permission.Where({ $_.State -eq 'Deny' })
+
+            $denyState.State | Should -Be 'Deny'
+            $denyState.Permission | Should -HaveCount 2
+            $denyState.Permission | Should -Contain 'ViewServerState'
+            $denyState.Permission | Should -Contain 'AlterAnyEndpoint'
+        }
+
+        It 'Should return $true when Test-DscConfiguration is run' {
+            Test-DscConfiguration -Verbose -ErrorAction 'Stop' | Should -Be 'True'
+        }
+    }
+
+    Context ('When using configuration <_>') -ForEach @(
+        "$($script:dscResourceName)_Role_RemoveDeny_Config"
+    ) {
+        BeforeAll {
+            $configurationName = $_
+        }
+
+        AfterEach {
+            Wait-ForIdleLcm
+        }
+
+        It 'Should compile and apply the MOF without throwing' {
+            $configurationParameters = @{
+                OutputPath           = $TestDrive
+                # The variable $ConfigurationData was dot-sourced above.
+                ConfigurationData    = $ConfigurationData
+            }
+
+            $null = & $configurationName @configurationParameters
+
+            $startDscConfigurationParameters = @{
+                Path         = $TestDrive
+                ComputerName = 'localhost'
+                Wait         = $true
+                Verbose      = $true
+                Force        = $true
+                ErrorAction  = 'Stop'
+            }
+
+            $null = Start-DscConfiguration @startDscConfigurationParameters
+        }
+
+        It 'Should be able to call Get-DscConfiguration without throwing' {
+            $script:currentConfiguration = Get-DscConfiguration -Verbose -ErrorAction 'Stop'
+        }
+
+        It 'Should have set the resource and all the parameters should match' {
+            $resourceCurrentState = $script:currentConfiguration | Where-Object -FilterScript {
+                $_.ConfigurationName -eq $configurationName `
+                -and $_.ResourceId -eq $resourceId
+            }
+
+            $resourceCurrentState.ServerName | Should -Be $ConfigurationData.AllNodes.ServerName
+            $resourceCurrentState.InstanceName | Should -Be $ConfigurationData.AllNodes.InstanceName
+            $resourceCurrentState.Name | Should -Be $ConfigurationData.AllNodes.Role1_Name
+            $resourceCurrentState.Permission | Should -HaveCount 3
+
+            $grantState = $resourceCurrentState.Permission.Where({ $_.State -eq 'Grant' })
+
+            $grantState.State | Should -Be 'Grant'
+            $grantState.Permission | Should -BeNullOrEmpty
+
+            $denyState = $resourceCurrentState.Permission.Where({ $_.State -eq 'Deny' })
+
+            $denyState.State | Should -Be 'Deny'
+            $denyState.Permission | Should -BeNullOrEmpty
+        }
+
+        It 'Should return $true when Test-DscConfiguration is run' {
+            Test-DscConfiguration -Verbose -ErrorAction 'Stop' | Should -Be 'True'
+        }
+    }
+
     Context 'When using Invoke-DscResource' {
         BeforeAll {
             <#
diff --git a/tests/Integration/Resources/DSC_SqlPermission.config.ps1 b/tests/Integration/Resources/DSC_SqlPermission.config.ps1
