
Commit 76774fc

committed
SqlPermission: Refactor to use new server permission commands
1 parent 78ece95 commit 76774fc


3 files changed

+185
-60
lines changed


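--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- `SqlPermission`
+- Refactored to use the new object-based server permission commands
+(`Grant-SqlDscServerPermission`, `Deny-SqlDscServerPermission`,
+`Revoke-SqlDscServerPermission`, and `Get-SqlDscServerPermission`)
+instead of the deprecated `Set-SqlDscServerPermission` command
+([issue #2159](https://github.com/dsccommunity/SqlServerDsc/issues/2159)).
 - Updated comment-based help `.INPUTS` and `.OUTPUTS` sections across all public
 commands and private functions to comply with DSC community style guidelines
 ([issue #2103](https://github.com/dsccommunity/SqlServerDsc/issues/2103)).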

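--- a/source/Classes/020.SqlPermission.ps1
+++ b/source/Classes/020.SqlPermission.ps1
@@ -371,6 +371,18 @@ class SqlPermission : SqlResourceBase
 New-InvalidOperationException -Message $missingPrincipalMessage
 }
 
+# Get the principal object (Login or ServerRole)
+$principalObject = $null
+
+if ($isLogin)
+{
+$principalObject = $serverObject | Get-SqlDscLogin -Name $this.Name -ErrorAction 'Stop'
+}
+else
+{
+$principalObject = $serverObject | Get-SqlDscRole -Name $this.Name -ErrorAction 'Stop'
+}
+
 # This holds each state and their permissions to be revoked.
 [ServerPermission[]] $permissionsToRevoke = @()
 [ServerPermission[]] $permissionsToGrantOrDeny = @()
@@ -455,32 +467,41 @@ class SqlPermission : SqlResourceBase
 #>
 foreach ($currentStateToRevoke in $permissionsToRevoke)
 {
-$revokePermissionSet = $currentStateToRevoke | ConvertFrom-SqlDscServerPermission
-
-$setSqlDscServerPermissionParameters = @{
-ServerObject = $serverObject
-Name = $this.Name
-Permission = $revokePermissionSet
-State = 'Revoke'
-Force = $true
-}
+# Convert ServerPermission to array of SqlServerPermission enum values
+$permissionsToRevokeArray = $currentStateToRevoke.Permission
 
-if ($currentStateToRevoke.State -eq 'GrantWithGrant')
+# Only revoke if there are permissions to revoke
+if ($permissionsToRevokeArray.Count -gt 0)
 {
-$setSqlDscServerPermissionParameters.WithGrant = $true
-}
+$revokeSqlDscServerPermissionParameters = @{
+Permission = $permissionsToRevokeArray
+Force = $true
+}
 
-try
-{
-Set-SqlDscServerPermission @setSqlDscServerPermissionParameters
-}
-catch
-{
-$errorMessage = $this.localizedData.FailedToRevokePermissionFromCurrentState -f @(
-$this.Name
-)
+if ($currentStateToRevoke.State -eq 'GrantWithGrant')
+{
+$revokeSqlDscServerPermissionParameters.WithGrant = $true
+}
+
+try
+{
+if ($isLogin)
+{
+Revoke-SqlDscServerPermission -Login $principalObject @revokeSqlDscServerPermissionParameters
+}
+else
+{
+Revoke-SqlDscServerPermission -ServerRole $principalObject @revokeSqlDscServerPermissionParameters
+}
+}
+catch
+{
+$errorMessage = $this.localizedData.FailedToRevokePermissionFromCurrentState -f @(
+$this.Name
+)
 
-New-InvalidOperationException -Message $errorMessage -ErrorRecord $_
+New-InvalidOperationException -Message $errorMessage -ErrorRecord $_
+}
 }
 }
 }
@@ -496,27 +517,63 @@ class SqlPermission : SqlResourceBase
 # If there is not an empty array, change permissions.
 if (-not [System.String]::IsNullOrEmpty($currentDesiredPermissionState.Permission))
 {
-$permissionSet = $currentDesiredPermissionState | ConvertFrom-SqlDscServerPermission
-
-$setSqlDscServerPermissionParameters = @{
-ServerObject = $serverObject
-Name = $this.Name
-Permission = $permissionSet
-Force = $true
-}
+# Convert ServerPermission to array of SqlServerPermission enum values
+$permissionsArray = $currentDesiredPermissionState.Permission
 
 try
 {
 switch ($currentDesiredPermissionState.State)
 {
+'Grant'
+{
+$grantParameters = @{
+Permission = $permissionsArray
+Force = $true
+}
+
+if ($isLogin)
+{
+Grant-SqlDscServerPermission -Login $principalObject @grantParameters
+}
+else
+{
+Grant-SqlDscServerPermission -ServerRole $principalObject @grantParameters
+}
+}
+
 'GrantWithGrant'
 {
-Set-SqlDscServerPermission @setSqlDscServerPermissionParameters -State 'Grant' -WithGrant
+$grantParameters = @{
+Permission = $permissionsArray
+WithGrant = $true
+Force = $true
+}
+
+if ($isLogin)
+{
+Grant-SqlDscServerPermission -Login $principalObject @grantParameters
+}
+else
+{
+Grant-SqlDscServerPermission -ServerRole $principalObject @grantParameters
+}
 }
 
-default
+'Deny'
 {
-Set-SqlDscServerPermission @setSqlDscServerPermissionParameters -State $currentDesiredPermissionState.State
+$denyParameters = @{
+Permission = $permissionsArray
+Force = $true
+}
+
+if ($isLogin)
+{
+Deny-SqlDscServerPermission -Login $principalObject @denyParameters
+}
+else
+{
+Deny-SqlDscServerPermission -ServerRole $principalObject @denyParameters
+}
 }
 }
 }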
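Review bot: The rewritten `switch ($currentDesiredPermissionState.State)` in the last hunk drops the old `default` branch, so a state other than 'Grant', 'GrantWithGrant' or 'Deny' now falls through with no command called and no error. For a resource that enforces DENY entries, a silently skipped state would leave the server less restricted than the configuration declares. Unless the State property is already constrained elsewhere (not visible here), add `default { throw "Unsupported permission state '$($currentDesiredPermissionState.State)'." }` inside the existing `try` so the failure is reported. Separately, the comment `# Convert ServerPermission to array of SqlServerPermission enum values` appears twice although the line below it only reads `.Permission`; reword it to say the property is passed through unchanged. The enclosing method starts and ends outside these hunks.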

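--- a/tests/Unit/Classes/SqlPermission.Tests.ps1
+++ b/tests/Unit/Classes/SqlPermission.Tests.ps1
@@ -1147,7 +1147,16 @@ Describe 'SqlPermission\Modify()' -Tag 'Modify' {
 return $true
 }
 
-Mock -CommandName Set-SqlDscServerPermission
+Mock -CommandName Get-SqlDscLogin -MockWith {
+return New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Login' -ArgumentList @(
+(New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Server'),
+'MockUserName'
+)
+}
+
+Mock -CommandName Grant-SqlDscServerPermission
+Mock -CommandName Deny-SqlDscServerPermission
+Mock -CommandName Revoke-SqlDscServerPermission
 }
 
 It 'Should call the correct mock with the correct parameter values' {
@@ -1171,13 +1180,13 @@ Describe 'SqlPermission\Modify()' -Tag 'Modify' {
 }
 
 # Grants
-Should -Invoke -CommandName Set-SqlDscServerPermission -ParameterFilter {
-$State -eq 'Grant' -and $Permission.ConnectSql -eq $true
+Should -Invoke -CommandName Grant-SqlDscServerPermission -ParameterFilter {
+$Permission -contains 'ConnectSql' -and -not $PSBoundParameters.ContainsKey('WithGrant')
 } -Exactly -Times 1 -Scope It
 
 # GrantWithGrants
-Should -Invoke -CommandName Set-SqlDscServerPermission -ParameterFilter {
-$State -eq 'Grant' -and $Permission.AlterAnyEndpoint -eq $true
+Should -Invoke -CommandName Grant-SqlDscServerPermission -ParameterFilter {
+$Permission -contains 'AlterAnyEndpoint' -and $WithGrant -eq $true
 } -Exactly -Times 1 -Scope It
 }
 }
@@ -1234,7 +1243,16 @@ Describe 'SqlPermission\Modify()' -Tag 'Modify' {
 return $true
 }
 
-Mock -CommandName Set-SqlDscServerPermission
+Mock -CommandName Get-SqlDscLogin -MockWith {
+return New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Login' -ArgumentList @(
+(New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Server'),
+'MockUserName'
+)
+}
+
+Mock -CommandName Grant-SqlDscServerPermission
+Mock -CommandName Deny-SqlDscServerPermission
+Mock -CommandName Revoke-SqlDscServerPermission
 }
 
 It 'Should call the correct mock with the correct parameter values' {
@@ -1258,23 +1276,23 @@ Describe 'SqlPermission\Modify()' -Tag 'Modify' {
 }
 
 # Revoking Grants
-Should -Invoke -CommandName Set-SqlDscServerPermission -ParameterFilter {
-$State -eq 'Revoke' -and $Permission.AlterAnyAvailabilityGroup -eq $true -and $Permission.ViewServerState -eq $true
+Should -Invoke -CommandName Revoke-SqlDscServerPermission -ParameterFilter {
+$Permission -contains 'AlterAnyAvailabilityGroup' -and $Permission -contains 'ViewServerState' -and -not $PSBoundParameters.ContainsKey('WithGrant')
 } -Exactly -Times 1 -Scope It
 
 # Revoking GrantWithGrants
-Should -Invoke -CommandName Set-SqlDscServerPermission -ParameterFilter {
-$State -eq 'Revoke' -and $Permission.ControlServer -eq $true
+Should -Invoke -CommandName Revoke-SqlDscServerPermission -ParameterFilter {
+$Permission -contains 'ControlServer' -and $WithGrant -eq $true
 } -Exactly -Times 1 -Scope It
 
 # Revoking Denies
-Should -Invoke -CommandName Set-SqlDscServerPermission -ParameterFilter {
-$State -eq 'Revoke' -and $Permission.CreateEndpoint -eq $true
+Should -Invoke -CommandName Revoke-SqlDscServerPermission -ParameterFilter {
+$Permission -contains 'CreateEndpoint' -and -not $PSBoundParameters.ContainsKey('WithGrant')
 } -Exactly -Times 1 -Scope It
 
 # Adding new Grant
-Should -Invoke -CommandName Set-SqlDscServerPermission -ParameterFilter {
-$State -eq 'Grant' -and $Permission.ConnectSql -eq $true
+Should -Invoke -CommandName Grant-SqlDscServerPermission -ParameterFilter {
+$Permission -contains 'ConnectSql' -and -not $PSBoundParameters.ContainsKey('WithGrant')
 } -Exactly -Times 1 -Scope It
 }
 }
@@ -1333,7 +1351,16 @@ Describe 'SqlPermission\Modify()' -Tag 'Modify' {
 return $true
 }
 
-Mock -CommandName Set-SqlDscServerPermission
+Mock -CommandName Get-SqlDscLogin -MockWith {
+return New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Login' -ArgumentList @(
+(New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Server'),
+'MockUserName'
+)
+}
+
+Mock -CommandName Grant-SqlDscServerPermission
+Mock -CommandName Deny-SqlDscServerPermission
+Mock -CommandName Revoke-SqlDscServerPermission
 }
 
 It 'Should call the correct mock with the correct parameter values' {
@@ -1357,13 +1384,13 @@ Describe 'SqlPermission\Modify()' -Tag 'Modify' {
 }
 
 # Grants
-Should -Invoke -CommandName Set-SqlDscServerPermission -ParameterFilter {
-$State -eq 'Grant' -and $Permission.ConnectSql -eq $true
+Should -Invoke -CommandName Grant-SqlDscServerPermission -ParameterFilter {
+$Permission -contains 'ConnectSql' -and -not $PSBoundParameters.ContainsKey('WithGrant')
 } -Exactly -Times 1 -Scope It
 
 # GrantWithGrants
-Should -Invoke -CommandName Set-SqlDscServerPermission -ParameterFilter {
-$State -eq 'Grant' -and $Permission.AlterAnyEndpoint -eq $true
+Should -Invoke -CommandName Grant-SqlDscServerPermission -ParameterFilter {
+$Permission -contains 'AlterAnyEndpoint' -and $WithGrant -eq $true
 } -Exactly -Times 1 -Scope It
 }
 }
@@ -1422,7 +1449,16 @@ Describe 'SqlPermission\Modify()' -Tag 'Modify' {
 return $true
 }
 
-Mock -CommandName Set-SqlDscServerPermission
+Mock -CommandName Get-SqlDscLogin -MockWith {
+return New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Login' -ArgumentList @(
+(New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Server'),
+'MockUserName'
+)
+}
+
+Mock -CommandName Grant-SqlDscServerPermission
+Mock -CommandName Deny-SqlDscServerPermission
+Mock -CommandName Revoke-SqlDscServerPermission
 }
 
 It 'Should call the correct mock with the correct parameter values' {
@@ -1446,19 +1482,19 @@ Describe 'SqlPermission\Modify()' -Tag 'Modify' {
 }
 
 # Revoking Grants
-Should -Invoke -CommandName Set-SqlDscServerPermission -ParameterFilter {
-$State -eq 'Revoke' -and $Permission.ConnectSql -eq $true
+Should -Invoke -CommandName Revoke-SqlDscServerPermission -ParameterFilter {
+$Permission -contains 'ConnectSql' -and -not $PSBoundParameters.ContainsKey('WithGrant')
 } -Exactly -Times 1 -Scope It
 
 # Revoking GrantWithGrants
-Should -Invoke -CommandName Set-SqlDscServerPermission -ParameterFilter {
-$State -eq 'Revoke' -and $Permission.AlterAnyEndpoint -eq $true
+Should -Invoke -CommandName Revoke-SqlDscServerPermission -ParameterFilter {
+$Permission -contains 'AlterAnyEndpoint' -and $WithGrant -eq $true
 } -Exactly -Times 1 -Scope It
 }
 }
 }
 
-Context 'When Set-SqlDscServerPermission fails to change permission' {
+Context 'When Grant/Deny/Revoke commands fail to change permission' {
 Context 'When granting permissions' {
 BeforeAll {
 InModuleScope -ScriptBlock {
@@ -1511,7 +1547,20 @@ Describe 'SqlPermission\Modify()' -Tag 'Modify' {
 return $true
 }
 
-Mock -CommandName Set-SqlDscServerPermission -MockWith {
+Mock -CommandName Get-SqlDscLogin -MockWith {
+return New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Login' -ArgumentList @(
+(New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Server'),
+'MockUserName'
+)
+}
+
+Mock -CommandName Grant-SqlDscServerPermission -MockWith {
+throw 'Mocked error'
+}
+Mock -CommandName Deny-SqlDscServerPermission -MockWith {
+throw 'Mocked error'
+}
+Mock -CommandName Revoke-SqlDscServerPermission -MockWith {
 throw 'Mocked error'
 }
 }
@@ -1602,7 +1651,20 @@ Describe 'SqlPermission\Modify()' -Tag 'Modify' {
 return $true
 }
 
-Mock -CommandName Set-SqlDscServerPermission -MockWith {
+Mock -CommandName Get-SqlDscLogin -MockWith {
+return New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Login' -ArgumentList @(
+(New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Server'),
+'MockUserName'
+)
+}
+
+Mock -CommandName Grant-SqlDscServerPermission -MockWith {
+throw 'Mocked error'
+}
+Mock -CommandName Deny-SqlDscServerPermission -MockWith {
+throw 'Mocked error'
+}
+Mock -CommandName Revoke-SqlDscServerPermission -MockWith {
 throw 'Mocked error'
 }
 }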
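Review bot: Every `BeforeAll` touched in these hunks mocks only `Get-SqlDscLogin`, so the new server-role path (the `Get-SqlDscRole` lookup and the `-ServerRole $principalObject` calls) is not exercised by any test visible here. A regression in that path could leave role permissions unmanaged without a failing test, so add a context where the principal is a server role, with `Mock -CommandName Get-SqlDscRole` returning a role object and the same `Should -Invoke` assertions. The new parameter filters also never inspect the principal, so they would still pass if the wrong object were handed to the command; adding `$Login.Name -eq 'MockUserName'` to each filter pins that. The enclosing `Describe` and its contexts start and end outside these hunks.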
