(CONT-567) allow deferred function for password

Author: Ramesh Sencha

lib/puppet/functions/sqlserver/password.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+# This function exists for usage of a role password that is a deferred function
+Puppet::Functions.create_function(:'sqlserver::password') do
+  dispatch :password do
+    optional_param 'Any', :pass
+    return_type 'Any'
+  end
+
+  def password(pass)
+    pass
+  end
+end

manifests/login.pp

@@ -76,9 +76,21 @@
     'absent'  => 'delete',
   }
 
+  $parameters = {
+    'password' => Deferred('sqlserver::password', [$password]),
+    'disabled' => $disabled,
+    'login_type' => $login_type,
+    'login' => $login,
+    'default_language' => $default_language,
+    'default_database' => $default_database,
+    'check_policy' => $check_policy,
+    'check_expiration' => $check_expiration,
+    'svrroles' => $svrroles,
+  }
+
   sqlserver_tsql { "login-${instance}-${login}":
     instance => $instance,
-    command  => template("sqlserver/${_create_delete}/login.sql.erb"),
+    command  => stdlib::deferrable_epp("sqlserver/${_create_delete}/login.sql.epp", $parameters),
     onlyif   => template('sqlserver/query/login_exists.sql.erb'),
     require  => Sqlserver::Config[$instance],
   }

manifests/user.pp

@@ -62,9 +62,17 @@
     'absent'  => 'delete',
   }
 
+  $parameters = {
+    'password' => Deferred('sqlserver::password', [$password]),
+    'database' => $database,
+    'user' => $user,
+    'login' => $login,
+    'default_schema' => $default_schema,
+  }
+
   sqlserver_tsql { "user-${instance}-${database}-${user}":
     instance => $instance,
-    command  => template("sqlserver/${create_delete}/user.sql.erb"),
+    command  => stdlib::deferrable_epp("sqlserver/${create_delete}/user.sql.epp", $parameters),
     onlyif   => template('sqlserver/query/user_exists.sql.erb'),
     require  => Sqlserver::Config[$instance],
   }

metadata.json

@@ -10,7 +10,7 @@
   "dependencies": [
     {
       "name": "puppetlabs/stdlib",
-      "version_requirement": ">= 4.13.1 < 9.0.0"
+      "version_requirement": ">= 8.4.0 < 9.0.0"
     },
     {
       "name": "puppetlabs/powershell",

spec/functions/password_spec.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'sqlserver::password' do
+  it { is_expected.to run.with_params('password').and_return('password') }
+  it { is_expected.to run.with_params(nil).and_return(nil) }
+end

templates/create/login.sql.epp

@@ -0,0 +1,58 @@
+DECLARE
+	@is_disabled as tinyint = <%= if $disabled {1} else {0} %>,
+	@login_type as varchar(255) = NULL;
+
+SET @login_type = (SELECT [type] FROM sys.server_principals where name = '<%= $login %>')
+IF (@login_type IS NULL)
+BEGIN
+    -- Create the login
+	CREATE LOGIN [<%= $login %>]
+	 <% if $login_type !~ /WINDOWS_LOGIN/ { -%>
+	  WITH
+		PASSWORD = '<%= $password %>',
+		CHECK_EXPIRATION = <% if $check_expiration { %>ON<% } else { %>OFF<% } %>,
+		CHECK_POLICY	 = <% if $check_policy { %>ON<% } else { %>OFF<% } %>,
+	<% } else { -%>
+	    FROM WINDOWS WITH
+	<% } -%>
+	    DEFAULT_LANGUAGE = [<%= $default_language %>],
+		DEFAULT_DATABASE = [<%= $default_database %>];
+	-- Fetch the login type
+	SET @login_type = (SELECT [type] FROM sys.server_principals where name = '<%= $login %>')
+END
+
+IF (@login_type = 'G')
+BEGIN
+	-- Windows Group type logins can only be granted/denied connection
+	IF @is_disabled = 0	GRANT CONNECT SQL TO [<%= $login %>]
+	ELSE				DENY CONNECT SQL TO [<%= $login %>]
+END
+ELSE
+BEGIN
+	IF @is_disabled = 0	ALTER LOGIN [<%= $login %>] ENABLE
+	ELSE				ALTER LOGIN [<%= $login %>] DISABLE
+END
+
+ALTER LOGIN [<%= $login %>] WITH
+<% if $login_type != 'WINDOWS_LOGIN' { -%>
+	CHECK_EXPIRATION = <% if $check_expiration { %>ON<% } else { %>OFF<% } %>,
+	CHECK_POLICY	 = <% if $check_policy { %>ON<% } else { %>OFF<% } %>,
+<% } -%>
+	DEFAULT_LANGUAGE = [<%= $default_language %>],
+	DEFAULT_DATABASE = [<%= $default_database %>];
+
+<% $svrroles.each |String $role, Any $enable_bit| { -%>
+IF (SELECT COUNT(me.role_principal_id) from sys.server_role_members me
+	JOIN sys.server_principals rol ON me.role_principal_id = rol.principal_id
+	JOIN sys.server_principals pri ON me.member_principal_id = pri.principal_id
+	WHERE rol.type_desc = 'SERVER_ROLE'
+		AND rol.name = '<%= $role %>'
+		AND pri.name = '<%= $login %>') != <%= $enable_bit %>
+BEGIN
+	<% if ($enable_bit == '1') or ($enable_bit == 1) { -%>
+	ALTER SERVER ROLE [<%= $role %>] ADD MEMBER [<%= $login %>];
+	<% } else { -%>
+	ALTER SERVER ROLE [<%= $role %>] DROP MEMBER [<%= $login %>];
+	<% } -%>
+END
+<% } -%>

templates/create/login.sql.erb

@@ -0,0 +1,18 @@
+USE [<%= $database %>];
+<% if $password { %>
+    IF EXISTS(select containment from sys.databases WHERE name = '<%= $database %>' AND containment = 0)
+	    THROW 51000, 'Database must be contained in order to use passwords', 10
+<% } %>
+CREATE USER [<%= $user %>]
+<% if $login { -%>
+    FROM LOGIN [<%= $login %>]
+<% } else { -%>
+    <% if $password { -%>
+    WITH PASSWORD = '<%= $password %>'
+    <% } -%>
+<% } -%>
+<% if $default_schema { -%>
+    <% if $password { -%>,<% } else { -%>
+    WITH <% } -%>
+    DEFAULT_SCHEMA = <%= $default_schema %>
+<% } -%>

templates/create/user.sql.epp

@@ -1,7 +1,7 @@
 USE master;
-IF exists(select * from sys.server_principals where name = '<%= @login %>')
+IF exists(select * from sys.server_principals where name = '<%= $login %>')
 BEGIN
     -- need to add logic to kill all possible connections if any exists,
     -- possible force flag to prevent from happening during transaction if user would prefer to wait
-    DROP LOGIN [<%= @login %>]
+    DROP LOGIN [<%= $login %>]
 END

templates/create/user.sql.erb

@@ -0,0 +1,4 @@
+USE [<%= $database %>];
+DROP USER [<%= $user %>];
+IF EXISTS(SELECT name FROM sys.database_principals WHERE name = '<%= $user %>')
+    THROW 51000, 'Failed to drop user <%= $user %>', 10