BREAKING CHANGE: Changes to xSQLServerDatabasePermissions (#140)

- Changes to xSQLServerDatabasePermission - BREAKING CHANGE: Renamed xSQLServerDatabasePermissions to xSQLServerDatabasePermission to align wíth naming convention. - BREAKING CHANGE: The mandatory parameters now include PermissionState, SQLServer, and SQLInstanceName. - Added tests for resources - xSQLServerDatabasePermissions - Examples - xSQLServerDatabasePermission - 1-GrantDatabasePermissions.ps1 - 2-RevokeDatabasePermissions.ps1 - 3-DenyDatabasePermissions.ps1
dsccommunity · Jan 23, 2017 · 1f5b916 · 1f5b916
1 parent c6c0a7c
commit 1f5b916
Show file tree

Hide file tree

Showing 14 changed files with 1,543 additions and 230 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -66,11 +66,19 @@
 - Examples
   - xSQLServerDatabaseRecoveryModel
     - 1-SetDatabaseRecoveryModel.ps1
+  - xSQLServerDatabasePermission
+    - 1-GrantDatabasePermissions.ps1
+    - 2-RevokeDatabasePermissions.ps1
+    - 3-DenyDatabasePermissions.ps1
 - Added tests for resources
   - xSQLServerDatabaseRecoveryModel
+  - xSQLServerDatabasePermissions
 - Changes to xSQLServerDatabaseRecoveryModel
   - BREAKING CHANGE: Renamed xSQLDatabaseRecoveryModel to xSQLServerDatabaseRecoveryModel to align wíth naming convention.
   - BREAKING CHANGE: The mandatory parameters now include SQLServer, and SQLInstanceName.
+- Changes to xSQLServerDatabasePermission
+  - BREAKING CHANGE: Renamed xSQLServerDatabasePermissions to xSQLServerDatabasePermission to align wíth naming convention.
+  - BREAKING CHANGE: The mandatory parameters now include PermissionState, SQLServer, and SQLInstanceName.
 
 ## 4.0.0.0
 

diff --git a/DSCResources/MSFT_xSQLServerDatabasePermission/MSFT_xSQLServerDatabasePermission.psm1 b/DSCResources/MSFT_xSQLServerDatabasePermission/MSFT_xSQLServerDatabasePermission.psm1
@@ -0,0 +1,278 @@
+Import-Module -Name (Join-Path -Path (Split-Path (Split-Path $PSScriptRoot -Parent) -Parent) -ChildPath 'xSQLServerHelper.psm1') -Force
+
+<#
+    .SYNOPSIS
+    Returns the current permissions for the user in the database
+
+    .PARAMETER Ensure
+    This is The Ensure if the permission should be granted (Present) or revoked (Absent)
+    Not used in Get-TargetResource
+
+    .PARAMETER Database
+    This is the SQL database
+
+    .PARAMETER Name
+    This is the name of the SQL login for the permission set
+
+    .PARAMETER PermissionState
+    This is the state of permission set. Valid values are 'Grant' or 'Deny'
+
+    .PARAMETER Permissions
+    This is a list that represents a SQL Server set of database permissions
+
+    .PARAMETER SQLServer
+    This is the SQL Server for the database
+
+    .PARAMETER SQLInstanceName
+    This is the SQL instance for the database
+#>
+function Get-TargetResource
+{
+    [CmdletBinding()]
+    [OutputType([System.Collections.Hashtable])]
+    param
+    (
+        [ValidateSet('Present','Absent')]
+        [System.String]
+        $Ensure,
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $Database,
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $Name,
+
+        [parameter(Mandatory = $true)]
+        [ValidateSet('Grant','Deny')]
+        [System.String]
+        $PermissionState,
+
+        [parameter(Mandatory = $true)]
+        [System.String[]]
+        $Permissions,
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $SQLServer = $env:COMPUTERNAME,
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $SQLInstanceName = 'MSSQLSERVER'
+    )
+
+    $sqlServerObject = Connect-SQL -SQLServer $SQLServer -SQLInstanceName $SQLInstanceName
+
+    if ($sqlServerObject)
+    {
+        Write-Verbose -Message "Getting permissions for user '$Name' in database '$Database'"
+        $getSqlDatabasePermissionResult = Get-SqlDatabasePermission -SqlServerObject $sqlServerObject `
+                                                                    -Name $Name `
+                                                                    -Database $Database `
+                                                                    -PermissionState $PermissionState
+
+        if ($getSqlDatabasePermissionResult)
+        {
+            $resultOfPermissionCompare = Compare-Object -ReferenceObject $Permissions `
+                                                        -DifferenceObject $getSqlDatabasePermissionResult
+            if ($null -eq $resultOfPermissionCompare)
+            {
+                $Ensure = 'Present'
+            }
+            else
+            {
+                $Ensure = 'Absent'
+            }
+        }
+        else 
+        {
+            $Ensure = 'Absent'
+        }
+    }
+    else
+    {
+        throw New-TerminatingError -ErrorType ConnectSQLError `
+                                   -FormatArgs @($SQLServer,$SQLInstanceName) `
+                                   -ErrorCategory InvalidOperation
+    }
+
+    $returnValue = @{
+        Ensure          = $Ensure
+        Database        = $Database
+        Name            = $Name
+        PermissionState = $PermissionState
+        Permissions     = $getSqlDatabasePermissionResult
+        SQLServer       = $SQLServer
+        SQLInstanceName = $SQLInstanceName
+    }
+
+    $returnValue
+}
+
+<#
+    .SYNOPSIS
+    Sets the permissions for the user in the database.
+
+    .PARAMETER Ensure
+    This is The Ensure if the permission should be granted (Present) or revoked (Absent)
+
+    .PARAMETER Database
+    This is the SQL database
+
+    .PARAMETER Name
+    This is the name of the SQL login for the permission set
+
+    .PARAMETER PermissionState
+    This is the state of permission set. Valid values are 'Grant' or 'Deny'
+
+    .PARAMETER Permissions
+    This is a list that represents a SQL Server set of database permissions
+
+    .PARAMETER SQLServer
+    This is the SQL Server for the database
+
+    .PARAMETER SQLInstanceName
+    This is the SQL instance for the database
+#>
+function Set-TargetResource
+{
+    [CmdletBinding()]
+    param
+    (
+        [ValidateSet('Present','Absent')]
+        [System.String]
+        $Ensure = 'Present',
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $Database,
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $Name,
+
+        [parameter(Mandatory = $true)]
+        [ValidateSet('Grant','Deny')]
+        [System.String]
+        $PermissionState,
+
+        [parameter(Mandatory = $true)]
+        [System.String[]]
+        $Permissions,
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $SQLServer = $env:COMPUTERNAME,
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $SQLInstanceName = 'MSSQLSERVER'
+    )
+
+    $sqlServerObject = Connect-SQL -SQLServer $SQLServer -SQLInstanceName $SQLInstanceName
+
+    if ($sqlServerObject)
+    {
+        Write-Verbose -Message "Setting permissions of database '$Database' for login '$Name'"
+
+        if ($Ensure -eq 'Present')
+        {
+            Add-SqlDatabasePermission -SqlServerObject $sqlServerObject `
+                                      -Name $Name `
+                                      -Database $Database `
+                                      -PermissionState $PermissionState `
+                                      -Permissions $Permissions
+
+            New-VerboseMessage -Message "$PermissionState - SQL Permissions for $Name, successfullly added in $Database"
+        }
+        else
+        {
+            Remove-SqlDatabasePermission -SqlServerObject $sqlServerObject `
+                                         -Name $Name `
+                                         -Database $Database `
+                                         -PermissionState $PermissionState `
+                                         -Permissions $Permissions
+
+            New-VerboseMessage -Message "$PermissionState - SQL Permissions for $Name, successfullly removed in $Database"
+        }
+    }
+    else
+    {
+        throw New-TerminatingError -ErrorType ConnectSQLError `
+                                   -FormatArgs @($SQLServer,$SQLInstanceName) `
+                                   -ErrorCategory InvalidOperation
+    }
+}
+
+<#
+    .SYNOPSIS
+    Tests if the permissions is set for the user in the database
+
+    .PARAMETER Ensure
+    This is The Ensure if the permission should be granted (Present) or revoked (Absent)
+
+    .PARAMETER Database
+    This is the SQL database
+
+    .PARAMETER Name
+    This is the name of the SQL login for the permission set
+
+    .PARAMETER PermissionState
+    This is the state of permission set. Valid values are 'Grant' or 'Deny'
+
+    .PARAMETER Permissions
+    This is a list that represents a SQL Server set of database permissions
+
+    .PARAMETER SQLServer
+    This is the SQL Server for the database
+
+    .PARAMETER SQLInstanceName
+    This is the SQL instance for the database
+#>
+function Test-TargetResource
+{
+    [CmdletBinding()]
+    [OutputType([System.Boolean])]
+    param
+    (
+        [ValidateSet('Present','Absent')]
+        [System.String]
+        $Ensure = 'Present',
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $Database,
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $Name,
+
+        [parameter(Mandatory = $true)]
+        [ValidateSet('Grant','Deny')]
+        [System.String]
+        $PermissionState,
+
+        [parameter(Mandatory = $true)]
+        [System.String[]]
+        $Permissions,
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $SQLServer = $env:COMPUTERNAME,
+
+        [parameter(Mandatory = $true)]
+        [System.String]
+        $SQLInstanceName = 'MSSQLSERVER'
+    )
+
+    Write-Verbose -Message "Evaluating permissions for user '$Name' in database '$Database'."
+
+    $getTargetResourceResult = Get-TargetResource @PSBoundParameters
+
+    return Test-SQLDscParameterState -CurrentValues $getTargetResourceResult `
+                                     -DesiredValues $PSBoundParameters `
+                                     -ValuesToCheck @('Name', 'Ensure', 'PermissionState', 'Permissions')
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/DSCResources/MSFT_xSQLServerDatabasePermission/MSFT_xSQLServerDatabasePermission.schema.mof b/DSCResources/MSFT_xSQLServerDatabasePermission/MSFT_xSQLServerDatabasePermission.schema.mof
@@ -0,0 +1,11 @@
+[ClassVersion("1.0.0.0"), FriendlyName("xSQLServerDatabasePermission")]
+class MSFT_xSQLServerDatabasePermission : OMI_BaseResource
+{
+    [Write, Description("If the values should be present or absent. Valid values are 'Present' or 'Absent'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
+    [Key, Description("The name of the database.")] String Database;
+    [Key, Description("The name of the user that should be granted or denied the permission.")] String Name;
+    [Key, Description("The state of the permission. Valid values are 'Grant' or 'Deny'."), ValueMap{"Grant","Deny"}, Values{"Grant","Deny"}] String PermissionState;
+    [Required, Description("The set of permissions for the SQL database.")] String Permissions[];
+    [Key, Description("The host name of the SQL Server to be configured.")] String SQLServer;
+    [Key, Description("The name of the SQL instance to be configured.")] String SQLInstanceName;
+};