FM-1556 Change permission to permissions and allow for array

Author: Travis Fields

manifests/login/permission.pp

@@ -10,8 +10,8 @@
 # [login]
 #   The login for which the permission will be manage.
 #
-# [permission]
-#   The permission you would like managed. i.e. 'SELECT', 'INSERT', 'UPDATE', 'DELETE'
+# [permissions]
+#   An array of permissions you would like managed. i.e. ['SELECT', 'INSERT', 'UPDATE', 'DELETE']
 #
 # [state]
 #   The state you would like the permission in.  Accepts 'GRANT', 'DENY', 'REVOKE' Please note that REVOKE equates to absent and will default to database and system level permissions.
@@ -22,17 +22,16 @@
 ##
 define sqlserver::login::permission (
   $login,
-  $permission        = $title,
+  $permissions,
   $state             = 'GRANT',
   $with_grant_option = false,
   $instance          = 'MSSQLSERVER',
 ){
   sqlserver_validate_instance_name($instance)
 
 ## Validate Permissions
-  $_permission = upcase($permission)
-  sqlserver_validate_range($_permission, 4, 128, 'Permission must be between 4 and 128 characters')
-  validate_re($_permission, '^([A-Z]|\s)+$', 'Permissions must be alphabetic only')
+  sqlserver_validate_range($permissions, 4, 128, 'Permission must be between 4 and 128 characters')
+  validate_array($permissions)
 
   sqlserver_validate_range($login, 1, 128, 'Login must be between 1 and 128 characters')
 
@@ -41,8 +40,10 @@
   validate_re($_state,'^(GRANT|REVOKE|DENY)$', "State parameter can only be one of 'GRANT', 'REVOKE' or 'DENY', you passed a value of ${state}")
 
   validate_bool($with_grant_option)
-
-  sqlserver_tsql{ "login-permission-${instance}-${login}-${_permission}":
+  if $with_grant_option {
+    $grant_option = "-WITH_GRANT_OPTION"
+  }
+  sqlserver_tsql{ "login-permission-${instance}-${login}-${_state}${grant_option}":
     instance => $instance,
     command  => template('sqlserver/create/login/permission.sql.erb'),
     onlyif   => template('sqlserver/query/login/permission_exists.sql.erb'),

spec/defines/login/permission_spec.rb

@@ -6,11 +6,11 @@
   context 'validation errors' do
     include_context 'manifests' do
       let(:title) { 'myTitle' }
-      let(:sqlserver_tsql_title) { 'login-permission-MSSQLSERVER-loggingUser-SELECT' }
+      let(:sqlserver_tsql_title) { 'login-permission-MSSQLSERVER-loggingUser-GRANT' }
     end
     context 'login =>' do
       let(:params) { {
-          :permission => 'SELECT',
+          :permissions=> ['SELECT'],
       } }
       let(:raise_error_check) { 'Login must be between 1 and 128 characters' }
       describe 'missing' do
@@ -32,21 +32,21 @@
       } }
       let(:raise_error_check) { 'Permission must be between 4 and 128 characters' }
       describe 'empty' do
-        let(:additional_params) { {:permission => ''} }
+        let(:additional_params) { {:permissions=> ['']} }
         it_behaves_like 'validation error'
       end
       describe 'under limit' do
-        let(:additional_params) { {:permission => random_string_of_size(3, false)} }
+        let(:additional_params) { {:permissions=> [random_string_of_size(3, false)]} }
         it_behaves_like 'validation error'
       end
       describe 'over limit' do
-        let(:additional_params) { {:permission => random_string_of_size(129, false)} }
+        let(:additional_params) { {:permissions=> [random_string_of_size(129, false)]} }
         it_behaves_like 'validation error'
       end
     end
     context 'state =>' do
       let(:params) { {
-          :permission => 'SELECT',
+          :permissions=> ['SELECT'],
           :login => 'loggingUser'
       } }
       describe 'invalid' do
@@ -59,15 +59,15 @@
   context 'successfully' do
     include_context 'manifests' do
       let(:title) { 'myTitle' }
-      let(:sqlserver_tsql_title) { 'login-permission-MSSQLSERVER-loggingUser-SELECT' }
+      let(:sqlserver_tsql_title) { 'login-permission-MSSQLSERVER-loggingUser-GRANT' }
       let(:params) { {
           :login => 'loggingUser',
-          :permission => 'SELECT',
+          :permissions=> ['SELECT'],
       } }
     end
     %w(revoke grant deny).each do |state|
       context "state => '#{state}'" do
-        let(:sqlserver_tsql_title) { "login-permission-MSSQLSERVER-loggingUser-SELECT" }
+        let(:sqlserver_tsql_title) { "login-permission-MSSQLSERVER-loggingUser-#{state.upcase}" }
         let(:should_contain_command) { ["#{state.upcase} SELECT TO [loggingUser];", 'USE [master];'] }
         describe "lowercase #{state}" do
           let(:additional_params) { {:state => state} }
@@ -84,15 +84,15 @@
     context 'permission' do
       describe 'upper limit' do
         permission =random_string_of_size(128, false)
-        let(:additional_params) { {:permission => permission} }
-        let(:sqlserver_tsql_title) { "login-permission-MSSQLSERVER-loggingUser-#{permission.upcase}" }
+        let(:additional_params) { {:permissions => [permission]} }
+        let(:sqlserver_tsql_title) { "login-permission-MSSQLSERVER-loggingUser-GRANT" }
         let(:should_contain_command) { ['USE [master];'] }
         it_behaves_like 'sqlserver_tsql command'
       end
       describe 'alter' do
-        let(:additional_params) { {:permission => 'ALTER'} }
+        let(:additional_params) { {:permissions=> ['ALTER']} }
         let(:should_contain_command) { ['USE [master];', 'GRANT ALTER TO [loggingUser];'] }
-        let(:sqlserver_tsql_title) { "login-permission-MSSQLSERVER-loggingUser-ALTER" }
+        let(:sqlserver_tsql_title) { "login-permission-MSSQLSERVER-loggingUser-GRANT" }
         it_behaves_like 'sqlserver_tsql command'
       end
     end
@@ -111,10 +111,10 @@
   context 'command syntax' do
     include_context 'manifests' do
       let(:title) { 'myTitle' }
-      let(:sqlserver_tsql_title) { 'login-permission-MSSQLSERVER-loggingUser-SELECT' }
+      let(:sqlserver_tsql_title) { 'login-permission-MSSQLSERVER-loggingUser-GRANT' }
       let(:params) { {
           :login => 'loggingUser',
-          :permission => 'SELECT',
+          :permissions => ['SELECT'],
       } }
       describe '' do
         let(:should_contain_command) { [
@@ -123,8 +123,8 @@
             /DECLARE @perm_state varchar\(250\)/,
             /SET @perm_state = ISNULL\(\n\s+\(SELECT perm.state_desc FROM sys\.server_permissions perm\n\s+JOIN sys\./,
             /JOIN sys\.server_principals princ ON princ.principal_id = perm\.grantee_principal_id\n\s+WHERE/,
-            /WHERE princ\.type IN \('U','S','G'\)\n\s+ AND princ\.name = 'loggingUser'\n\s+AND perm\.permission_name = 'SELECT'\),\n\s+'REVOKE'\)/,
-            /DECLARE @error_msg varchar\(250\);\nSET @error_msg = 'EXPECTED login \[loggingUser\] to have permission \[SELECT\] with GRANT but got ' \+ @perm_state;/,
+            /WHERE princ\.type IN \('U','S','G'\)\n\s+ AND princ\.name = 'loggingUser'\n\s+AND perm\.permission_name = @permission\),\n\s+'REVOKE'\)/,
+            /SET @error_msg = 'EXPECTED login \[loggingUser\] to have permission \[' \+ @permission \+ '\] with GRANT but got ' \+ @perm_state;/,
             /IF @perm_state != 'GRANT'\n\s+THROW 51000, @error_msg, 10/
         ] }
         it_behaves_like 'sqlserver_tsql command'

templates/create/login/permission.sql.erb

@@ -1,11 +1,17 @@
+USE [master];
+DECLARE @perm_state varchar(250), @error_msg varchar(250), @permission varchar(250);
+<% @permissions.each do |permission|
+    permission.upcase!
+%>
+SET @permission = '<%= permission %>'
 BEGIN
-    USE [master];
     <% if @with_grant_option == false %>
     IF 'GRANT_WITH_GRANT_OPTION' = <%= scope.function_template(['sqlserver/snippets/login/get_perm_state.sql.erb']) %>
-        REVOKE GRANT OPTION FOR <%= @_permission %> TO [<%= @login %>] CASCADE;
+        REVOKE GRANT OPTION FOR <%= permission %> TO [<%= @login %>] CASCADE;
     <% end %>
-    <%= @_state %> <%= @_permission %> TO [<%= @login %>]<% if @with_grant_option == true %> WITH GRANT OPTION<% end %>;
+    <%= @_state %> <%= permission %> TO [<%= @login %>]<% if @with_grant_option == true %> WITH GRANT OPTION<% end %>;
 END
 BEGIN
-    <%= scope.function_template(['sqlserver/query/login/permission_exists.sql.erb']) %>
+    <%= scope.function_template(['sqlserver/snippets/login/permission/exists.sql.erb']) %>
 END
+<% end %>

templates/query/login/permission_exists.sql.erb

@@ -1,8 +1,8 @@
 USE [master];
-DECLARE @perm_state varchar(250);
-SET @perm_state = <%= scope.function_template(['sqlserver/snippets/login/get_perm_state.sql.erb']) %>;
-DECLARE @error_msg varchar(250);
-SET @error_msg = 'EXPECTED login [<%= @login %>] to have permission [<%= @_permission %>] with <%= @_state %> but got ' + @perm_state;
-
-IF @perm_state != '<% if @with_grant_option == true %>GRANT_WITH_GRANT_OPTION<% else %><%= @_state %><% end %>'
-	THROW 51000, @error_msg, 10
+DECLARE @perm_state varchar(250), @error_msg varchar(250), @permission varchar(250);
+ <% @permissions.each do |permission|
+  permission.upcase!
+ %>
+SET @permission = '<%= permission %>'
+<%= scope.function_template(['sqlserver/snippets/login/permission/exists.sql.erb']) %>
+<% end %>

templates/snippets/login/get_perm_state.sql.erb

@@ -3,5 +3,5 @@ ISNULL(
 	  JOIN sys.server_principals princ ON princ.principal_id = perm.grantee_principal_id
 	  WHERE princ.type IN ('U','S','G')
 	    AND princ.name = '<%= @login %>'
-        AND perm.permission_name = '<%= @_permission %>'),
+        AND perm.permission_name = @permission),
      'REVOKE')

templates/snippets/login/permission/exists.sql.erb

@@ -0,0 +1,4 @@
+SET @perm_state = <%= scope.function_template(['sqlserver/snippets/login/get_perm_state.sql.erb']) %>;
+SET @error_msg = 'EXPECTED login [<%= @login %>] to have permission [' + @permission + '] with <%= @_state %> but got ' + @perm_state;
+IF @perm_state != '<% if @with_grant_option == true %>GRANT_WITH_GRANT_OPTION<% else %><%= @_state %><% end %>'
+	    THROW 51000, @error_msg, 10;