SqlDatabasePermission: Supports roles and application roles (#1558)

- SqlDatabasePermission - Now possible to change permissions for database user-defined roles (e.g. public) and database application roles (issue #1498).
dsccommunity · May 28, 2020 · 3a449f5 · 3a449f5
1 parent c8a7076
commit 3a449f5
Show file tree

Hide file tree

Showing 5 changed files with 255 additions and 163 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -64,9 +64,12 @@ in a future release.
   - Added the properties `NpEnabled` and `TcpEnabled` ([issue #1161](https://github.com/dsccommunity/SqlServerDsc/issues/1161)).
   - Added the property `UseEnglish` ([issue #1473](https://github.com/dsccommunity/SqlServerDsc/issues/1473)).
 - SqlServerReplication
-  - Add integration tests ([issue #755](https://github.com/dsccommunity/SqlServerDsc/issues/755)
+  - Add integration tests ([issue #755](https://github.com/dsccommunity/SqlServerDsc/issues/755).
 - SqlDatabase
   - The property `OwnerName` was added.
+- SqlDatabasePermission
+  - Now possible to change permissions for database user-defined roles
+    (e.g. public) and database application roles ([issue #1498](https://github.com/dsccommunity/SqlServerDsc/issues/1498).
 - SqlServerDsc.Common
   - The helper function `Restart-SqlService` was improved to handle Failover
     Clusters better. Now the SQL Server service will only be taken offline

diff --git a/source/DSCResources/DSC_SqlDatabasePermission/DSC_SqlDatabasePermission.psm1 b/source/DSCResources/DSC_SqlDatabasePermission/DSC_SqlDatabasePermission.psm1
@@ -210,7 +210,19 @@ function Set-TargetResource
 
         if ($sqlDatabaseObject = $sqlServerObject.Databases[$DatabaseName])
         {
-            if ($sqlDatabaseObject.Users[$Name])
+            $nameExist = $sqlDatabaseObject.Users[$Name] `
+                -or (
+                    <#
+                        Skip fixed roles like db_datareader as it is not possible to set
+                        permissions on those.
+                    #>
+                    $sqlDatabaseObject.Roles | Where-Object -FilterScript {
+                        -not $_.IsFixedRole -and $_.Name -eq $Name
+                    }
+                 ) `
+                -or $sqlDatabaseObject.ApplicationRoles[$Name]
+
+            if ($nameExist)
             {
                 try
                 {
@@ -273,7 +285,7 @@ function Set-TargetResource
             }
             else
             {
-                $errorMessage = $script:localizedData.LoginIsNotUser -f $Name, $DatabaseName
+                $errorMessage = $script:localizedData.NameIsMissing -f $Name, $DatabaseName
 
                 New-InvalidOperationException -Message $errorMessage
             }

diff --git a/source/DSCResources/DSC_SqlDatabasePermission/en-US/DSC_SqlDatabasePermission.strings.psd1 b/source/DSCResources/DSC_SqlDatabasePermission/en-US/DSC_SqlDatabasePermission.strings.psd1
@@ -2,7 +2,7 @@ ConvertFrom-StringData @'
     GetDatabasePermission = Get permissions for the user '{0}' in the database '{1}' on the instance '{2}'.
     DatabaseNotFound = The database '{0}' does not exist.
     ChangePermissionForUser = Changing the permission for the user '{0}' in the database '{1}' on the instance '{2}'.
-    LoginIsNotUser = The login '{0}' is not a user in the database '{1}'.
+    NameIsMissing = The name '{0}' is neither a database user, database role (user-defined), or database application role in the database '{1}'.
     AddPermission = {0} the permissions '{1}' to the database '{2}'.
     DropPermission = Revoking the {0} permissions '{1}' from the database '{2}'.
     FailedToSetPermissionDatabase = Failed to set the permissions for the login '{0}' in the database '{1}'.

diff --git a/tests/Integration/DSC_SqlDatabasePermission.config.ps1 b/tests/Integration/DSC_SqlDatabasePermission.config.ps1
@@ -224,3 +224,69 @@ Configuration DSC_SqlDatabasePermission_RemoveGrantGuest_Config
         }
     }
 }
+
+<#
+    .SYNOPSIS
+        Grant rights in a database for the user-defined role 'public'.
+
+    .NOTES
+        Regression test for issue #1498.
+#>
+Configuration DSC_SqlDatabasePermission_GrantPublic_Config
+{
+    Import-DscResource -ModuleName 'SqlServerDsc'
+
+    node $AllNodes.NodeName
+    {
+        SqlDatabasePermission 'Integration_Test'
+        {
+            Ensure               = 'Present'
+            Name                 = 'public'
+            DatabaseName         = $Node.DatabaseName
+            PermissionState      = 'Grant'
+            Permissions          = @(
+                'Select'
+            )
+
+            ServerName           = $Node.ServerName
+            InstanceName         = $Node.InstanceName
+
+            PsDscRunAsCredential = New-Object `
+                -TypeName System.Management.Automation.PSCredential `
+                -ArgumentList @($Node.UserName, (ConvertTo-SecureString -String $Node.Password -AsPlainText -Force))
+        }
+    }
+}
+
+<#
+    .SYNOPSIS
+        Remove the granted rights in a database for the user-defined role 'public'.
+
+    .NOTES
+        Regression test for issue #1498.
+#>
+Configuration DSC_SqlDatabasePermission_RemoveGrantPublic_Config
+{
+    Import-DscResource -ModuleName 'SqlServerDsc'
+
+    node $AllNodes.NodeName
+    {
+        SqlDatabasePermission 'Integration_Test'
+        {
+            Ensure               = 'Absent'
+            Name                 = 'public'
+            DatabaseName         = $Node.DatabaseName
+            PermissionState      = 'Grant'
+            Permissions          = @(
+                'Select'
+            )
+
+            ServerName           = $Node.ServerName
+            InstanceName         = $Node.InstanceName
+
+            PsDscRunAsCredential = New-Object `
+                -TypeName System.Management.Automation.PSCredential `
+                -ArgumentList @($Node.UserName, (ConvertTo-SecureString -String $Node.Password -AsPlainText -Force))
+        }
+    }
+}