SqlLogin: Added and amended integration tests for logins of 'SqlLogin' type (#1652)

- SqlLogin
  - Added functionality to throw exception if an update to the `LoginMustChangePassword`
    value on an existing SQL Login is attempted. This functionality is not supported
    by referenced, SQL Server Management Object (SMO), libraries and cannot be
    supported directly by this module.
  - Added integration tests to ensure that an added (or updated) `SqlLogin` can
    connect into a SQL instance once added (or updated).
  - Added integration tests to ensure that the default database connected to by
    a `SqlLogin` is the same as specified in the resource's `DefaultDatabase`
    property/parameter.
  - Reversed order in which `PasswordExpirationEnabled` and `PasswordPolicyEnforced`
    are updated within `SqlLogin` resource. `PasswordPolicyEnforced` is now updated
    first.
  - Added integration tests to assert `LoginPasswordExpirationEnabled`,
    `LoginPasswordPolicyEnforced` and `LoginMustChangePassword` properties/parameters
    are applied and updated correctly. Similar integration tests also added to ensure
    the password of the `SqlLogin` is updated if the password within the `SqlCredential`
    value/object is changed (issue #361, issue #1032, and issue #1050).
  - Updated `SqlLogin`, integration tests to make use of amended `Wait-ForIdleLcm`,
    helper function, `-Clear` switch usage to remove intermittent, integration
    test failures (issue #1634).
SphenicPaul committed Jan 12, 2021
1 parent 5ab05bd commit 9130c05
Showing 10 changed files with 420 additions and 19 deletions.
30 changes: 30 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Changed

- SqlLogin
- Added functionality to throw exception if an update to the `LoginMustChangePassword`
value on an existing SQL Login is attempted. This functionality is not supported
by referenced, SQL Server Management Object (SMO), libraries and cannot be
supported directly by this module.
- Added integration tests to ensure that an added (or updated) `SqlLogin` can
connect into a SQL instance once added (or updated).
- Added integration tests to ensure that the default database connected to by
a `SqlLogin` is the same as specified in the resource's `DefaultDatabase`
property/parameter.
- Reversed order in which `PasswordExpirationEnabled` and `PasswordPolicyEnforced`
are updated within `SqlLogin` resource. `PasswordPolicyEnforced` is now updated
first.

### Fixed

- SqlLogin
- Added integration tests to assert `LoginPasswordExpirationEnabled`,
`LoginPasswordPolicyEnforced` and `LoginMustChangePassword` properties/parameters
are applied and updated correctly. Similar integration tests also added to ensure
the password of the `SqlLogin` is updated if the password within the `SqlCredential`
value/object is changed ([issue #361](https://github.com/dsccommunity/SqlServerDsc/issues/361),
[issue #1032](https://github.com/dsccommunity/SqlServerDsc/issues/1032) and
[issue #1050](https://github.com/dsccommunity/SqlServerDsc/issues/1050)).
- Updated `SqlLogin`, integration tests to make use of amended `Wait-ForIdleLcm`,
helper function, `-Clear` switch usage to remove intermittent, integration
test failures ([issue #1634](https://github.com/dsccommunity/SqlServerDsc/issues/1634)).

## [15.0.1] - 2021-01-09

### Changed
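
Review bot: The first `SqlLogin` entry under `### Changed` introduces an exception on a path that previously did not throw, so it should be called out as a breaking change rather than listed as a plain change; configurations whose `LoginMustChangePassword` differs from the existing login will start failing in `Set-TargetResource` after upgrade. The two entries under `### Fixed` describe added tests and a test-helper change rather than a behaviour that was fixed; if the reordering of `PasswordPolicyEnforced` and `PasswordExpirationEnabled` is what resolves the referenced issues, say so in that entry.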
22 changes: 13 additions & 9 deletions source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1
Expand Up @@ -107,7 +107,7 @@ function Get-TargetResource
The credential containing the password for a SQL Login. Only applies if the login type is SqlLogin.
.PARAMETER LoginMustChangePassword
Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. Default is $true.
Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. Does not update pre-existing SQL Logins. Default is $true.
.PARAMETER LoginPasswordExpirationEnabled
Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins. Default is $true.
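
Review bot: The new `LoginMustChangePassword` help text says "Does not update pre-existing SQL Logins", which reads as if a differing value is silently ignored, while `Set-TargetResource` in this same commit throws and the `DSC_SqlLogin.schema.mof` description says an exception is raised. Align the comment-based help with the schema wording so `Get-Help` output tells the operator that a mismatch fails the configuration.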
Expand Down Expand Up @@ -194,23 +194,27 @@ function Set-TargetResource

if ( $login.LoginType -eq 'SqlLogin' )
{
if ( $login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled )
# There is no way to update 'MustChangePassword' on existing login so must explicitly throw exception to avoid this functionality being assumed
if ( $login.MustChangePassword -ne $LoginMustChangePassword )
{
Write-Verbose -Message (
$script:localizedData.SetPasswordExpirationEnabled -f $LoginPasswordExpirationEnabled, $Name, $ServerName, $InstanceName
)

$login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled
Update-SQLServerLogin -Login $login
$errorMessage = $script:localizedData.MustChangePasswordCannotBeChanged
New-InvalidOperationException -Message $errorMessage
}

if ( $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced )
# `PasswordPolicyEnforced and `PasswordExpirationEnabled` must be updated together (if one or both are not in the desired state)
if ( $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced -or
$login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled )
{
Write-Verbose -Message (
$script:localizedData.SetPasswordPolicyEnforced -f $LoginPasswordPolicyEnforced, $Name, $ServerName, $InstanceName
)
Write-Verbose -Message (
$script:localizedData.SetPasswordExpirationEnabled -f $LoginPasswordExpirationEnabled, $Name, $ServerName, $InstanceName
)

$login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced
$login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled

Update-SQLServerLogin -Login $login
}
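
Review bot: The new `$login.MustChangePassword -ne $LoginMustChangePassword` check runs whether or not the caller passed `LoginMustChangePassword`, and the parameter defaults to `$true`, so a configuration that omits it will throw against any existing login whose flag is `$false` and never reach the password policy and expiration update below it. Guard the comparison with `$PSBoundParameters.ContainsKey('LoginMustChangePassword')` so only an explicit request fails. The combined block also writes both the `SetPasswordPolicyEnforced` and `SetPasswordExpirationEnabled` verbose messages when only one property differs, and the comment above it is missing the closing backtick after `PasswordPolicyEnforced`.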

2 changes: 1 addition & 1 deletion source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof
Expand Up @@ -9,7 +9,7 @@ class DSC_SqlLogin : OMI_BaseResource
Values{"WindowsUser","WindowsGroup","SqlLogin","Certificate","AsymmetricKey","ExternalUser","ExternalGroup"}] String LoginType;
[Write, Description("The hostname of the _SQL Server_ to be configured. Default value is the current computer name.")] String ServerName;
[Write, EmbeddedInstance("MSFT_Credential"), Description("Specifies the password as a `[PSCredential]` object. Only applies to _SQL Logins_.")] String LoginCredential;
[Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginMustChangePassword;
[Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. Default value is `$true`. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword;
[Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordExpirationEnabled;
[Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordPolicyEnforced;
[Write, Description("Specifies if the login is disabled. Default value is `$false`.")] Boolean Disabled;
10 changes: 9 additions & 1 deletion source/DSCResources/DSC_SqlLogin/README.md
Expand Up @@ -7,9 +7,17 @@ for a SQL Server instance.

* Target machine must be running Windows Server 2012 or later.
* Target machine must be running SQL Server Database Engine 2012 or later.
* When the `LoginType` `'SqlLogin'` is used, then the login authentication
* When the `LoginType` of `'SqlLogin'` is used, then the login authentication
mode must have been set to `Mixed` or `Normal`. If set to `Integrated`
and error will be thrown.
* The `LoginMustChangePassword` property/parameter is only valid on a `SqlLogin`
where the `LoginType` property/parameter is set to `'SqlLogin'`.
* The `LoginMustChangePassword` property/parameter can **not** be used to change
this setting on a pre-existing `SqlLogin` - This property/parameter can only
be used when creating a new `SqlLogin` and where subsequent updates will
not be applied or, alternatively, when the desired state will not change (for example,
where `LoginMustChangePassword` is initially set to `$false` and will always
be set to `$false`).

## Known issues
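
Review bot: The new bullet on pre-existing logins says subsequent updates "will not be applied", but the resource now throws in that case; state that an exception is raised, and mention that the default is `$true` so readers managing existing logins know to set the value explicitly. The first new bullet is circular ("only valid on a `SqlLogin` where the `LoginType` property/parameter is set to `'SqlLogin'`") and can be shortened, and the context line "and error will be thrown" should read "an error" while this list is being edited.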

Expand Up @@ -33,4 +33,5 @@ ConvertFrom-StringData @'
DropLoginFailed = Removal of the login '{0}' failed.
SetPasswordValidationFailed = Setting the password failed for the login '{0}' because of password validation error.
SetPasswordFailed = Setting the password failed for the login '{0}'.
MustChangePasswordCannotBeChanged = The '(Login)MustChangePassword' parameter cannot be updated on a login that is already present.
'@
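
Review bot: `MustChangePasswordCannotBeChanged` has no `{0}` placeholder, unlike the neighbouring `DropLoginFailed` and `SetPasswordFailed` messages, so the exception does not say which login failed when several `SqlLogin` resources are in one configuration. Add the login name to the message and format it with `-f $Name` at the call site. The name `'(Login)MustChangePassword'` is also not a parameter of the resource and would be clearer as `LoginMustChangePassword`.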