SqlDatabaseObjectPermission: Add validation for single permission (#2353)

Author: Copilot

CHANGELOG.md

@@ -176,6 +176,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- `SqlDatabaseObjectPermission`
+  - Added validation to ensure each `DSC_DatabaseObjectPermission` instance
+    only contains a single permission name. Specifying multiple permissions
+    as a comma-separated string now throws a descriptive error
+    ([issue #2345](https://github.com/dsccommunity/SqlServerDsc/issues/2345)).
 - `Get-SqlDscRSSetupConfiguration`
   - Fixed issue where the function doesn't provide an output for SSRS 2016 instances
     because registry paths were using `InstanceName` instead of `InstanceId`.

source/DSCResources/DSC_SqlDatabaseObjectPermission/DSC_SqlDatabaseObjectPermission.psm1

@@ -908,6 +908,14 @@ function Assert-PermissionEnsureProperty
 
     foreach ($desiredPermission in $Permission)
     {
+        # Validate that Permission only contains a single permission name.
+        if ($desiredPermission.Permission -notmatch '^\w+$')
+        {
+            $errorMessage = $script:localizedData.InvalidPermissionValue -f $desiredPermission.Permission
+
+            New-ArgumentException -ArgumentName 'Permission' -Message $errorMessage
+        }
+
         if (-not $desiredPermission.Ensure)
         {
             $desiredPermission.Ensure = 'Present'

source/DSCResources/DSC_SqlDatabaseObjectPermission/README.md

@@ -20,4 +20,51 @@ property names of the [ObjectPermissionSet](https://docs.microsoft.com/en-us/dot
 
 ## Known issues
 
+### Only one permission per `DSC_DatabaseObjectPermission` instance
+
+Each `DSC_DatabaseObjectPermission` instance can only contain a single permission
+name. When multiple permissions need to be configured for the same state (e.g.,
+`Grant`), each permission must be specified in a separate `DSC_DatabaseObjectPermission`
+block. Specifying multiple permissions as a comma-separated string (e.g.,
+`'DELETE,INSERT,SELECT'`) will cause an error similar to:
+
+```text
+The permission value 'DELETE,INSERT,SELECT' is invalid. Each
+DSC_DatabaseObjectPermission instance can only contain a single permission
+name. Specify each permission in a separate DSC_DatabaseObjectPermission
+instance.
+```
+
+**Incorrect usage:**
+
+<!-- markdownlint-disable MD013 - Line length -->
+```powershell
+Permission = @(
+    DSC_DatabaseObjectPermission {
+        State      = 'Grant'
+        Permission = 'DELETE,INSERT,SELECT' # This will fail - multiple permissions in single string
+    }
+)
+```
+<!-- markdownlint-enable MD013 - Line length -->
+
+**Correct usage:**
+
+```powershell
+Permission = @(
+    DSC_DatabaseObjectPermission {
+        State      = 'Grant'
+        Permission = 'DELETE'
+    }
+    DSC_DatabaseObjectPermission {
+        State      = 'Grant'
+        Permission = 'INSERT'
+    }
+    DSC_DatabaseObjectPermission {
+        State      = 'Grant'
+        Permission = 'SELECT'
+    }
+)
+```
+
 All issues are not listed here, see [here for all open issues](https://github.com/dsccommunity/SqlServerDsc/issues?q=is%3Aissue+is%3Aopen+in%3Atitle+SqlDatabaseObjectPermission).

source/DSCResources/DSC_SqlDatabaseObjectPermission/en-US/DSC_SqlDatabaseObjectPermission.strings.psd1

@@ -12,4 +12,5 @@ ConvertFrom-StringData @'
     PermissionStateInDesiredState = The permission state '{0}' is already in desired state for database object '{1}'. (SDOP0010)
     RevokePermissionWithGrant = One or more of the permissions was granted with the 'With Grant' permission for the user '{1}' on the database object '{2}' of type '{3}' in the database '{4}'. For the permissions ('{0}') the 'With Grant' permission is revoked, and the revoke is cascaded. (SDOP0011)
     GrantCantBeSetBecauseRevokeIsNotOptedIn = One or more of the permissions was granted with the 'With Grant' permission for the user '{1}' on the database object '{2}' of type '{3}' in the database '{4}'. For the permissions ('{0}') the 'With Grant' permission must be revoked, and the revoke must be cascaded, to enforce the desired state. If this desired state should be enforced then set the parameter Force to $true.
+    InvalidPermissionValue = The permission value '{0}' is invalid. Each DSC_DatabaseObjectPermission instance can only contain a single permission name. Specify each permission in a separate DSC_DatabaseObjectPermission instance. (SDOP0012)
 '@

tests/Unit/DSC_SqlDatabaseObjectPermission.Tests.ps1

@@ -2791,3 +2791,67 @@ Describe 'SqlDatabaseObjectPermission\Get-DatabaseObject' -Tag 'Helper' {
         }
     }
 }
+
+Describe 'SqlDatabaseObjectPermission\Assert-PermissionEnsureProperty' -Tag 'Helper' {
+    Context 'When permission value is valid' {
+        It 'Should not throw an error for a single permission name' {
+            InModuleScope -ScriptBlock {
+                Set-StrictMode -Version 1.0
+
+                $mockPermission = New-CimInstance `
+                    -ClassName 'DSC_DatabaseObjectPermission' `
+                    -Namespace 'root/microsoft/Windows/DesiredStateConfiguration' `
+                    -Property @{
+                        State      = 'Grant'
+                        Permission = 'Select'
+                        Ensure     = ''
+                    } `
+                    -ClientOnly
+
+                { Assert-PermissionEnsureProperty -Permission $mockPermission } | Should -Not -Throw
+            }
+        }
+    }
+
+    Context 'When permission value is invalid' {
+        It 'Should throw an error for comma-separated permissions' {
+            InModuleScope -ScriptBlock {
+                Set-StrictMode -Version 1.0
+
+                $mockPermission = New-CimInstance `
+                    -ClassName 'DSC_DatabaseObjectPermission' `
+                    -Namespace 'root/microsoft/Windows/DesiredStateConfiguration' `
+                    -Property @{
+                        State      = 'Grant'
+                        Permission = 'Delete,Insert,Select'
+                        Ensure     = ''
+                    } `
+                    -ClientOnly
+
+                $mockErrorMessage = $script:localizedData.InvalidPermissionValue
+
+                { Assert-PermissionEnsureProperty -Permission $mockPermission } |
+                    Should -Throw -ExpectedMessage '*Delete,Insert,Select*'
+            }
+        }
+
+        It 'Should throw an error for permissions with spaces' {
+            InModuleScope -ScriptBlock {
+                Set-StrictMode -Version 1.0
+
+                $mockPermission = New-CimInstance `
+                    -ClassName 'DSC_DatabaseObjectPermission' `
+                    -Namespace 'root/microsoft/Windows/DesiredStateConfiguration' `
+                    -Property @{
+                        State      = 'Grant'
+                        Permission = 'Delete Insert'
+                        Ensure     = ''
+                    } `
+                    -ClientOnly
+
+                { Assert-PermissionEnsureProperty -Permission $mockPermission } |
+                    Should -Throw -ExpectedMessage '*Delete Insert*'
+            }
+        }
+    }
+}