
Commit 37b91c8

committed
Enhance integration tests for Set-SqlDscServerPermission to verify revocation of permissions with empty arrays
1 parent 0865063 commit 37b91c8


1 file changed

+109
-7
lines changed


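--- a/tests/Integration/Commands/Set-SqlDscServerPermission.Integration.Tests.ps1
+++ b/tests/Integration/Commands/Set-SqlDscServerPermission.Integration.Tests.ps1
@@ -87,15 +87,15 @@ Describe 'Set-SqlDscServerPermission' -Tag @('Integration_SQL2017', 'Integration
 Set-SqlDscServerPermission -Login $script:loginObject -GrantWithGrant 'CreateAnyDatabase' -Force -ErrorAction 'Stop'
 
 # Verify the permission was granted with grant option
-$result = Test-SqlDscServerPermission -Login $script:loginObject -Grant -Permission 'CreateAnyDatabase' -WithGrant -ErrorAction 'Stop'
+$result = Test-SqlDscServerPermission -Login $script:loginObject -Grant -Permission 'CreateAnyDatabase' -WithGrant -ExactMatch -ErrorAction 'Stop'
 $result | Should -BeTrue
 }
 
 It 'Should set exact Deny permissions' {
 Set-SqlDscServerPermission -Login $script:loginObject -Deny 'ViewAnyDefinition' -Force -ErrorAction 'Stop'
 
 # Verify the permission was denied
-$result = Test-SqlDscServerPermission -Login $script:loginObject -Deny -Permission 'ViewAnyDefinition' -ErrorAction 'Stop'
+$result = Test-SqlDscServerPermission -Login $script:loginObject -Deny -Permission 'ViewAnyDefinition' -ExactMatch -ErrorAction 'Stop'
 $result | Should -BeTrue
 }
 
@@ -130,11 +130,17 @@ Describe 'Set-SqlDscServerPermission' -Tag @('Integration_SQL2017', 'Integration
 # Get the login object for testing
 $script:loginObject = Get-SqlDscLogin -ServerObject $script:serverObject -Name $script:testLoginName -ErrorAction 'Stop'
 
-# Set up known permissions to revoke
-Grant-SqlDscServerPermission -Login $script:loginObject -Permission 'ViewServerState', 'ViewAnyDatabase' -Force -ErrorAction 'Stop'
+# Clean up any existing permissions before each test
+Revoke-SqlDscServerPermission -Login $script:loginObject -Permission 'ViewServerState' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -Login $script:loginObject -Permission 'ViewAnyDatabase' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -Login $script:loginObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -Login $script:loginObject -Permission 'CreateAnyDatabase' -WithGrant -Force -ErrorAction 'SilentlyContinue'
 }
 
 It 'Should revoke all Grant permissions when empty Grant array is specified' {
+# Set up known Grant permissions to revoke
+Grant-SqlDscServerPermission -Login $script:loginObject -Permission 'ViewServerState', 'ViewAnyDatabase' -Force -ErrorAction 'Stop'
+
 Set-SqlDscServerPermission -Login $script:loginObject -Grant @() -Force -ErrorAction 'Stop'
 
 # Verify the permissions were revoked
@@ -144,6 +150,50 @@ Describe 'Set-SqlDscServerPermission' -Tag @('Integration_SQL2017', 'Integration
 $result2 = Test-SqlDscServerPermission -Login $script:loginObject -Grant -Permission 'ViewAnyDatabase' -ErrorAction 'Stop'
 $result2 | Should -BeFalse
 }
+
+It 'Should revoke all GrantWithGrant permissions when empty GrantWithGrant array is specified' {
+# Set up known GrantWithGrant permissions to revoke
+Grant-SqlDscServerPermission -Login $script:loginObject -Permission 'CreateAnyDatabase' -WithGrant -Force -ErrorAction 'Stop'
+
+Set-SqlDscServerPermission -Login $script:loginObject -GrantWithGrant @() -Force -ErrorAction 'Stop'
+
+# Verify the permission was revoked
+$result = Test-SqlDscServerPermission -Login $script:loginObject -Grant -Permission 'CreateAnyDatabase' -WithGrant -ErrorAction 'Stop'
+$result | Should -BeFalse
+}
+
+It 'Should revoke all Deny permissions when empty Deny array is specified' {
+# Set up known Deny permissions to revoke
+Deny-SqlDscServerPermission -Login $script:loginObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'Stop'
+
+Set-SqlDscServerPermission -Login $script:loginObject -Deny @() -Force -ErrorAction 'Stop'
+
+# Verify the permission was revoked
+$result = Test-SqlDscServerPermission -Login $script:loginObject -Deny -Permission 'ViewAnyDefinition' -ErrorAction 'Stop'
+$result | Should -BeFalse
+}
+
+It 'Should only affect Grant permissions when empty Grant array is specified with existing GrantWithGrant and Deny' {
+# Set up permissions in all categories
+Grant-SqlDscServerPermission -Login $script:loginObject -Permission 'ViewServerState' -Force -ErrorAction 'Stop'
+Grant-SqlDscServerPermission -Login $script:loginObject -Permission 'CreateAnyDatabase' -WithGrant -Force -ErrorAction 'Stop'
+Deny-SqlDscServerPermission -Login $script:loginObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'Stop'
+
+# Revoke only Grant permissions
+Set-SqlDscServerPermission -Login $script:loginObject -Grant @() -Force -ErrorAction 'Stop'
+
+# Verify Grant permission was revoked
+$grantResult = Test-SqlDscServerPermission -Login $script:loginObject -Grant -Permission 'ViewServerState' -ErrorAction 'Stop'
+$grantResult | Should -BeFalse
+
+# Verify GrantWithGrant permission still exists
+$grantWithGrantResult = Test-SqlDscServerPermission -Login $script:loginObject -Grant -Permission 'CreateAnyDatabase' -WithGrant -ErrorAction 'Stop'
+$grantWithGrantResult | Should -BeTrue
+
+# Verify Deny permission still exists
+$denyResult = Test-SqlDscServerPermission -Login $script:loginObject -Deny -Permission 'ViewAnyDefinition' -ErrorAction 'Stop'
+$denyResult | Should -BeTrue
+}
 }
 
 Context 'When replacing existing permissions with new ones' {
@@ -270,18 +320,26 @@ Describe 'Set-SqlDscServerPermission' -Tag @('Integration_SQL2017', 'Integration
 # Get the role object for testing
 $script:roleObject = Get-SqlDscRole -ServerObject $script:serverObject -Name $script:testRoleName -ErrorAction 'Stop'
 
-# Set up known permissions to revoke
-Grant-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState', 'ViewAnyDatabase' -Force -ErrorAction 'Stop'
+# Clean up any existing permissions before each test
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDatabase' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'CreateAnyDatabase' -WithGrant -Force -ErrorAction 'SilentlyContinue'
 }
 
 AfterAll {
 # Clean up role permissions
 $script:roleObject = Get-SqlDscRole -ServerObject $script:serverObject -Name $script:testRoleName -ErrorAction 'Stop'
 Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState' -Force -ErrorAction 'SilentlyContinue'
 Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDatabase' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'CreateAnyDatabase' -WithGrant -Force -ErrorAction 'SilentlyContinue'
 }
 
 It 'Should revoke all Grant permissions for role when empty Grant array is specified' {
+# Set up known Grant permissions to revoke
+Grant-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState', 'ViewAnyDatabase' -Force -ErrorAction 'Stop'
+
 Set-SqlDscServerPermission -ServerRole $script:roleObject -Grant @() -Force -ErrorAction 'Stop'
 
 # Verify the permissions were revoked
@@ -291,6 +349,50 @@ Describe 'Set-SqlDscServerPermission' -Tag @('Integration_SQL2017', 'Integration
 $result2 = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewAnyDatabase' -ErrorAction 'Stop'
 $result2 | Should -BeFalse
 }
+
+It 'Should revoke all GrantWithGrant permissions for role when empty GrantWithGrant array is specified' {
+# Set up known GrantWithGrant permissions to revoke
+Grant-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'CreateAnyDatabase' -WithGrant -Force -ErrorAction 'Stop'
+
+Set-SqlDscServerPermission -ServerRole $script:roleObject -GrantWithGrant @() -Force -ErrorAction 'Stop'
+
+# Verify the permission was revoked
+$result = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'CreateAnyDatabase' -WithGrant -ErrorAction 'Stop'
+$result | Should -BeFalse
+}
+
+It 'Should revoke all Deny permissions for role when empty Deny array is specified' {
+# Set up known Deny permissions to revoke
+Deny-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'Stop'
+
+Set-SqlDscServerPermission -ServerRole $script:roleObject -Deny @() -Force -ErrorAction 'Stop'
+
+# Verify the permission was revoked
+$result = Test-SqlDscServerPermission -ServerRole $script:roleObject -Deny -Permission 'ViewAnyDefinition' -ErrorAction 'Stop'
+$result | Should -BeFalse
+}
+
+It 'Should only affect Grant permissions for role when empty Grant array is specified with existing GrantWithGrant and Deny' {
+# Set up permissions in all categories
+Grant-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState' -Force -ErrorAction 'Stop'
+Grant-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'CreateAnyDatabase' -WithGrant -Force -ErrorAction 'Stop'
+Deny-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'Stop'
+
+# Revoke only Grant permissions
+Set-SqlDscServerPermission -ServerRole $script:roleObject -Grant @() -Force -ErrorAction 'Stop'
+
+# Verify Grant permission was revoked
+$grantResult = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewServerState' -ErrorAction 'Stop'
+$grantResult | Should -BeFalse
+
+# Verify GrantWithGrant permission still exists
+$grantWithGrantResult = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'CreateAnyDatabase' -WithGrant -ErrorAction 'Stop'
+$grantWithGrantResult | Should -BeTrue
+
+# Verify Deny permission still exists
+$denyResult = Test-SqlDscServerPermission -ServerRole $script:roleObject -Deny -Permission 'ViewAnyDefinition' -ErrorAction 'Stop'
+$denyResult | Should -BeTrue
+}
 }
 
 Context 'When replacing existing permissions with new ones for a server role' {
@@ -374,7 +476,7 @@ Describe 'Set-SqlDscServerPermission' -Tag @('Integration_SQL2017', 'Integration
 $tempLoginName = 'TempLoginForErrorTest'
 $mockPassword = ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force
 
-New-SqlDscLogin -ServerObject $script:serverObject -Name $tempLoginName -LoginType 'SqlLogin' -SecureString $mockPassword -Force -ErrorAction 'Stop'
+New-SqlDscLogin -ServerObject $script:serverObject -Name $tempLoginName -SqlLogin -SecurePassword $mockPassword -Force -ErrorAction 'Stop'
 
 $tempLoginObject = Get-SqlDscLogin -ServerObject $script:serverObject -Name $tempLoginName -ErrorAction 'Stop'
 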
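Review bot: The new GrantWithGrant revocation tests (new-side lines 154-163 for the login, 353-362 for the server role) assert only that the `-WithGrant` state is gone, so they would still pass if `Set-SqlDscServerPermission -GrantWithGrant @()` removed just the grant option and left a plain `CreateAnyDatabase` grant on the principal. Assuming `Test-SqlDscServerPermission` without `-WithGrant` reports the plain grant state, pin the residual privilege with a second check such as `Test-SqlDscServerPermission -Login $script:loginObject -Grant -Permission 'CreateAnyDatabase' -ErrorAction 'Stop' | Should -BeFalse` (and the `-ServerRole` equivalent), or assert the opposite if keeping the plain grant is the intended contract. The BeforeEach cleanup added at new-side lines 133-137 and 323-327 runs every revoke with `-ErrorAction 'SilentlyContinue'`, so a failed cleanup would not surface and the negative assertions could then pass or fail on leftover state. The enclosing Describe and Context blocks start and end outside the visible hunks.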
