
Commit 59c83ab

committed
Enhance integration tests for Set-SqlDscServerPermission to verify exact permissions for server roles
1 parent 4f9eade commit 59c83ab


1 file changed

+128
-6
lines changed


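--- a/tests/Integration/Commands/Set-SqlDscServerPermission.Integration.Tests.ps1
+++ b/tests/Integration/Commands/Set-SqlDscServerPermission.Integration.Tests.ps1
@@ -189,36 +189,158 @@ Describe 'Set-SqlDscServerPermission' -Tag @('Integration_SQL2017', 'Integration
 }
 }
 
-Context 'When setting permissions for a server role' {
+Context 'When setting exact permissions for a server role' {
 BeforeEach {
 # Get the role object for testing
 $script:roleObject = Get-SqlDscRole -ServerObject $script:serverObject -Name $script:testRoleName -ErrorAction 'Stop'
 
 # Clean up any existing permissions
 Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState' -Force -ErrorAction 'SilentlyContinue'
 Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDatabase' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'CreateAnyDatabase' -WithGrant -Force -ErrorAction 'SilentlyContinue'
 }
 
 AfterAll {
 # Clean up role permissions
 $script:roleObject = Get-SqlDscRole -ServerObject $script:serverObject -Name $script:testRoleName -ErrorAction 'Stop'
 Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState' -Force -ErrorAction 'SilentlyContinue'
 Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDatabase' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'CreateAnyDatabase' -WithGrant -Force -ErrorAction 'SilentlyContinue'
 }
 
 It 'Should set exact Grant permissions for role' {
-Set-SqlDscServerPermission -ServerRole $script:roleObject -Grant 'ViewServerState' -Force -ErrorAction 'Stop'
+Set-SqlDscServerPermission -ServerRole $script:roleObject -Grant 'ViewServerState', 'ViewAnyDatabase' -Force -ErrorAction 'Stop'
 
-# Verify the permission was granted
-$result = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewServerState' -ErrorAction 'Stop'
+# Verify the permissions were granted
+$result = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewServerState', 'ViewAnyDatabase' -ExactMatch -ErrorAction 'Stop'
+$result | Should -BeTrue
+}
+
+It 'Should set exact GrantWithGrant permissions for role' {
+Set-SqlDscServerPermission -ServerRole $script:roleObject -GrantWithGrant 'CreateAnyDatabase' -Force -ErrorAction 'Stop'
+
+# Verify the permission was granted with grant option
+$result = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'CreateAnyDatabase' -WithGrant -ErrorAction 'Stop'
+$result | Should -BeTrue
+}
+
+It 'Should set exact Deny permissions for role' {
+Set-SqlDscServerPermission -ServerRole $script:roleObject -Deny 'ViewAnyDefinition' -Force -ErrorAction 'Stop'
+
+# Verify the permission was denied
+$result = Test-SqlDscServerPermission -ServerRole $script:roleObject -Deny -Permission 'ViewAnyDefinition' -ErrorAction 'Stop'
 $result | Should -BeTrue
 }
 
+It 'Should set combined Grant, GrantWithGrant, and Deny permissions for role' {
+Set-SqlDscServerPermission -ServerRole $script:roleObject `
+-Grant 'ViewServerState' `
+-GrantWithGrant 'CreateAnyDatabase' `
+-Deny 'ViewAnyDefinition' `
+-Force -ErrorAction 'Stop'
+
+# Verify Grant permission
+$grantResult = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewServerState' -ErrorAction 'Stop'
+$grantResult | Should -BeTrue
+
+# Verify GrantWithGrant permission
+$grantWithGrantResult = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'CreateAnyDatabase' -WithGrant -ErrorAction 'Stop'
+$grantWithGrantResult | Should -BeTrue
+
+# Verify Deny permission
+$denyResult = Test-SqlDscServerPermission -ServerRole $script:roleObject -Deny -Permission 'ViewAnyDefinition' -ErrorAction 'Stop'
+$denyResult | Should -BeTrue
+}
+}
+
+Context 'When revoking permissions for a server role by setting empty arrays' {
+BeforeEach {
+# Get the role object for testing
+$script:roleObject = Get-SqlDscRole -ServerObject $script:serverObject -Name $script:testRoleName -ErrorAction 'Stop'
+
+# Set up known permissions to revoke
+Grant-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState', 'ViewAnyDatabase' -Force -ErrorAction 'Stop'
+}
+
+AfterAll {
+# Clean up role permissions
+$script:roleObject = Get-SqlDscRole -ServerObject $script:serverObject -Name $script:testRoleName -ErrorAction 'Stop'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDatabase' -Force -ErrorAction 'SilentlyContinue'
+}
+
+It 'Should revoke all Grant permissions for role when empty Grant array is specified' {
+Set-SqlDscServerPermission -ServerRole $script:roleObject -Grant @() -Force -ErrorAction 'Stop'
+
+# Verify the permissions were revoked
+$result1 = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewServerState' -ErrorAction 'Stop'
+$result1 | Should -BeFalse
+
+$result2 = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewAnyDatabase' -ErrorAction 'Stop'
+$result2 | Should -BeFalse
+}
+}
+
+Context 'When replacing existing permissions with new ones for a server role' {
+BeforeEach {
+# Get the role object for testing
+$script:roleObject = Get-SqlDscRole -ServerObject $script:serverObject -Name $script:testRoleName -ErrorAction 'Stop'
+
+# Set up initial permissions
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDatabase' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'SilentlyContinue'
+
+Grant-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState', 'ViewAnyDatabase' -Force -ErrorAction 'Stop'
+}
+
+AfterAll {
+# Clean up role permissions
+$script:roleObject = Get-SqlDscRole -ServerObject $script:serverObject -Name $script:testRoleName -ErrorAction 'Stop'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDatabase' -Force -ErrorAction 'SilentlyContinue'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewAnyDefinition' -Force -ErrorAction 'SilentlyContinue'
+}
+
+It 'Should replace existing permissions with new specified permissions for role' {
+# Change from ViewServerState,ViewAnyDatabase to ViewAnyDefinition
+Set-SqlDscServerPermission -ServerRole $script:roleObject -Grant 'ViewAnyDefinition' -Force -ErrorAction 'Stop'
+
+# Verify old permissions were revoked
+$result1 = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewServerState' -ErrorAction 'Stop'
+$result1 | Should -BeFalse
+
+$result2 = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewAnyDatabase' -ErrorAction 'Stop'
+$result2 | Should -BeFalse
+
+# Verify new permission was granted
+$result3 = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewAnyDefinition' -ErrorAction 'Stop'
+$result3 | Should -BeTrue
+}
+}
+
+Context 'When using pipeline input for a server role' {
+BeforeEach {
+# Get the role object for testing
+$script:roleObject = Get-SqlDscRole -ServerObject $script:serverObject -Name $script:testRoleName -ErrorAction 'Stop'
+
+# Clean up
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState' -Force -ErrorAction 'SilentlyContinue'
+}
+
+AfterAll {
+# Clean up role permissions
+$script:roleObject = Get-SqlDscRole -ServerObject $script:serverObject -Name $script:testRoleName -ErrorAction 'Stop'
+Revoke-SqlDscServerPermission -ServerRole $script:roleObject -Permission 'ViewServerState' -Force -ErrorAction 'SilentlyContinue'
+}
+
 It 'Should accept ServerRole object from pipeline' {
-$script:roleObject | Set-SqlDscServerPermission -Grant 'ViewAnyDatabase' -Force -ErrorAction 'Stop'
+$script:roleObject | Set-SqlDscServerPermission -Grant 'ViewServerState' -Force -ErrorAction 'Stop'
 
 # Verify the permission was granted
-$result = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewAnyDatabase' -ErrorAction 'Stop'
+$result = Test-SqlDscServerPermission -ServerRole $script:roleObject -Grant -Permission 'ViewServerState' -ErrorAction 'Stop'
 $result | Should -BeTrue
 }
 }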
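Review bot: The tests 'Should set exact GrantWithGrant permissions for role', 'Should set exact Deny permissions for role' and the combined Grant/GrantWithGrant/Deny test only assert that the expected permission is present; unlike the first test they do not pass `-ExactMatch`, so a regression that leaves extra grants on the role would still pass. For a command whose contract is to set the exact permission state, leftover privilege is the failure most worth pinning. Consider adding `-ExactMatch` to those `Test-SqlDscServerPermission` calls, e.g. `Test-SqlDscServerPermission -ServerRole $script:roleObject -Deny -Permission 'ViewAnyDefinition' -ExactMatch -ErrorAction 'Stop'`, assuming the parameter is valid together with `-Deny` and `-WithGrant`. The same applies to the `$result3` check in the replace-permissions context and to the empty `-Grant @()` test, which checks only the two permissions it seeded rather than that no grants remain. Separately, every cleanup revoke uses `-ErrorAction 'SilentlyContinue'`, so a failed revoke silently carries state into the next test; a short comment such as `# Best-effort: the permission may not exist yet` would make clear that this is intentional.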
