FM-2298 - User - Add permissions hash to allow user to pass all permissions in one define

Author: Travis Fields

manifests/user.pp

@@ -34,6 +34,9 @@
 # [password]
 #   The password for the user, can only be used when the database is a contained database.
 #
+# [permissions]
+#   A hash of permissions that should be managed for the user.  Valid keys are 'GRANT', 'GRANT_WITH_OPTION', 'DENY' or 'REVOKE'.  Valid values must be an array of Strings i.e. {'GRANT' => ['SELECT', 'INSERT'] }
+#
 ##
 define sqlserver::user (
   $database,
@@ -43,6 +46,7 @@
   $instance       = 'MSSQLSERVER',
   $login          = undef,
   $password       = undef,
+  $permissions    = { },
 )
 {
   sqlserver_validate_instance_name($instance)
@@ -69,4 +73,41 @@
     require  => Sqlserver::Config[$instance]
   }
 
+  if $ensure == present {
+    validate_hash($permissions)
+    $_upermissions = sqlserver_upcase($permissions)
+    sqlserver_validate_hash_uniq_values($_upermissions, "Duplicate permissions found for sqlserver::user[${title}]")
+
+    Sqlserver::User::Permissions{
+      user      => $user,
+      database  => $database,
+      instance  => $instance,
+      require   => Sqlserver_tsql["user-${instance}-${database}-${user}"]
+    }
+    if has_key($_upermissions, 'GRANT') and is_array($_upermissions['GRANT']) {
+      sqlserver::user::permissions{ "Sqlserver::User[${title}]-GRANT-${user}":
+        state       => 'GRANT',
+        permissions => $_upermissions['GRANT'],
+      }
+    }
+    if has_key($_upermissions, 'DENY') and is_array($_upermissions['DENY']) {
+      sqlserver::user::permissions{ "Sqlserver::User[${title}]-DENY-${user}":
+        state       => 'DENY',
+        permissions => $_upermissions['DENY'],
+      }
+    }
+    if has_key($_upermissions, 'REVOKE') and is_array($_upermissions['REVOKE']) {
+      sqlserver::user::permissions{ "Sqlserver::User[${title}]-REVOKE-${user}":
+        state       => 'REVOKE',
+        permissions => $_upermissions['REVOKE'],
+      }
+    }
+    if has_key($_upermissions, 'GRANT_WITH_OPTION') and is_array($_upermissions['GRANT_WITH_OPTION']) {
+      sqlserver::user::permissions{ "Sqlserver::User[${title}]-GRANT-WITH_GRANT_OPTION-${user}":
+        state             => 'GRANT',
+        with_grant_option => true,
+        permissions       => $_upermissions['GRANT_WITH_OPTION'],
+      }
+    }
+  }
 }

manifests/user/permission.pp renamed to manifests/user/permissions.pp

@@ -1,5 +1,5 @@
 ##
-# == Define Resource Type: sqlserver::user::permission#
+# == Define Resource Type: sqlserver::user::permissions
 #
 # === Requirement/Dependencies:
 #
@@ -26,7 +26,7 @@
 #   The name of the instance where the user and database exists. Defaults to 'MSSQLSERVER'
 #
 ##
-define sqlserver::user::permission (
+define sqlserver::user::permissions (
   $user,
   $database,
   $permissions,

spec/defines/user/permission_spec.rb renamed to spec/defines/user/permissions_spec.rb

@@ -1,7 +1,7 @@
 require 'spec_helper'
 require File.expand_path(File.join(File.dirname(__FILE__), '..', 'manifest_shared_examples.rb'))
 
-describe 'sqlserver::user::permission' do
+describe 'sqlserver::user::permissions' do
   let(:facts) { {:osfamily => 'windows'} }
   context 'validation errors' do
     include_context 'manifests' do
@@ -15,7 +15,7 @@
       } }
       let(:raise_error_check) { 'User must be between 1 and 128 characters' }
       describe 'missing' do
-        let(:raise_error_check) { 'Must pass user to Sqlserver::User::Permission[myTitle]' }
+        let(:raise_error_check) { 'Must pass user to Sqlserver::User::Permissions[myTitle]' }
         it_behaves_like 'validation error'
       end
       describe 'empty' do

spec/defines/user_spec.rb

@@ -27,18 +27,18 @@
 
   describe 'should contain correct sql syntax for check' do
     let(:should_contain_onlyif) { [
-        "USE [myDatabase]",
-        "\nIF NOT EXISTS(SELECT name FROM sys.database_principals WHERE type in ('U','S','G') AND name = 'loggingUser')\n",
-        "THROW 51000, 'User [loggingUser] does not exist for database [myDatabase]', 10\n"
+      "USE [myDatabase]",
+      "\nIF NOT EXISTS(SELECT name FROM sys.database_principals WHERE type in ('U','S','G') AND name = 'loggingUser')\n",
+      "THROW 51000, 'User [loggingUser] does not exist for database [myDatabase]', 10\n"
     ] }
     let(:should_contain_command) { [
-        "USE [myDatabase]",
-        /CREATE USER \[loggingUser\]\n\s+FROM LOGIN \[mySysLogin\]/
+      "USE [myDatabase]",
+      /CREATE USER \[loggingUser\]\n\s+FROM LOGIN \[mySysLogin\]/
     ] }
     let(:should_not_contain_command) { [
-        'PASSWORD',
-        'DEFAULT_SCHEMA',
-        'WITH'
+      'PASSWORD',
+      'DEFAULT_SCHEMA',
+      'WITH'
     ] }
     let(:additional_params) { {:login => 'mySysLogin'} }
     it_should_behave_like 'sqlserver_tsql onlyif'
@@ -50,11 +50,11 @@
     password = 'Pupp3t1@'
     let(:additional_params) { {:password => password} }
     let(:should_contain_command) { [
-        "USE [myDatabase];",
-        /CREATE USER \[loggingUser\]\n\s+WITH PASSWORD = '#{password}'/
+      "USE [myDatabase];",
+      /CREATE USER \[loggingUser\]\n\s+WITH PASSWORD = '#{password}'/
     ] }
     let(:should_not_contain_command) { [
-        'DEFAULT_SCHEMA',
+      'DEFAULT_SCHEMA',
     ] }
     it_should_behave_like 'sqlserver_tsql onlyif'
     it_should_behave_like 'sqlserver_tsql command'
@@ -64,11 +64,11 @@
   describe 'when a default_schema is specified' do
     let(:additional_params) { {:default_schema => 'dbo'} }
     let(:should_contain_command) { [
-        "USE [myDatabase]",
-        /CREATE USER \[loggingUser\]\n\s+WITH\s+DEFAULT_SCHEMA = dbo/
+      "USE [myDatabase]",
+      /CREATE USER \[loggingUser\]\n\s+WITH\s+DEFAULT_SCHEMA = dbo/
     ] }
     let(:should_not_contain_command) { [
-        'PASSWORD',
+      'PASSWORD',
     ] }
     it_should_behave_like 'sqlserver_tsql command'
     it_should_behave_like 'sqlserver_tsql without_command'
@@ -78,8 +78,8 @@
     let(:additional_params) { {:user => 'myMachineName/myUser'} }
     let(:sqlserver_tsql_title) { 'user-MSSQLSERVER-myDatabase-myMachineName/myUser' }
     let(:should_contain_command) { [
-        "USE [myDatabase];",
-        'CREATE USER [myMachineName/myUser]'
+      "USE [myDatabase];",
+      'CREATE USER [myMachineName/myUser]'
     ] }
     it_should_behave_like 'sqlserver_tsql command'
   end
@@ -88,8 +88,8 @@
     let(:additional_params) { {:user => 'myMachineName/myUser', :login => 'myMachineName/myUser'} }
     let(:sqlserver_tsql_title) { 'user-MSSQLSERVER-myDatabase-myMachineName/myUser' }
     let(:should_contain_command) { [
-        "USE [myDatabase]",
-        /CREATE USER \[myMachineName\/myUser\]\n\s+FROM LOGIN \[myMachineName\/myUser\]/
+      "USE [myDatabase]",
+      /CREATE USER \[myMachineName\/myUser\]\n\s+FROM LOGIN \[myMachineName\/myUser\]/
     ] }
     it_should_behave_like 'sqlserver_tsql command'
   end
@@ -103,14 +103,86 @@
   describe 'when ensure => absent' do
     let(:additional_params) { {:ensure => 'absent'} }
     let(:sqlserver_contain_command) { [
-        'USE [loggingDb];\nDROP [loggingUser]',
-        "\nIF EXISTS(SELECT name FROM sys.database_principals WHERE name = 'loggingUser')\n     THROW",
+      'USE [loggingDb];\nDROP [loggingUser]',
+      "\nIF EXISTS(SELECT name FROM sys.database_principals WHERE name = 'loggingUser')\n     THROW",
     ] }
     let(:sqlserver_contain_onlyif) { [
-        "\nIF EXISTS(SELECT name FROM sys.database_principals WHERE type in ('U','S','G') AND name = 'loggingUser')\n",
+      "\nIF EXISTS(SELECT name FROM sys.database_principals WHERE type in ('U','S','G') AND name = 'loggingUser')\n",
     ] }
     it_should_behave_like 'sqlserver_tsql command'
     it_should_behave_like 'sqlserver_tsql onlyif'
   end
+  context 'permissions =>' do
+    let(:title) { 'myTitle' }
+    let(:params) { {:user => 'loggingUser', :database => 'myDatabase'} }
+    let(:permissions) { {} }
+    shared_examples 'sqlserver_user_permissions exists' do |type|
+      it {
+        params[:permissions] = permissions
+        type_title = (type =~ /GRANT_WITH_OPTION/i ? 'GRANT-WITH_GRANT_OPTION' : type.upcase)
+        should contain_sqlserver__user__permissions("Sqlserver::User[#{title}]-#{type_title}-loggingUser").with(
+                 {
+                   'user' => 'loggingUser',
+                   'database' => 'myDatabase',
+                   'state' => type == 'GRANT_WITH_OPTION' ? 'GRANT' : type.upcase,
+                   'with_grant_option' => type == 'GRANT_WITH_OPTION',
+                   'permissions' => permissions[type],
+                   'require' => 'Sqlserver_tsql[user-MSSQLSERVER-myDatabase-loggingUser]'
+                 }
+               )
+      }
+    end
+
+    shared_examples 'sqlserver_user_permissions absent' do |type|
+      it {
+        params[:permissions] = permissions
+        type_title = (type =~ /GRANT_WITH_OPTION/i ? 'GRANT-WITH_GRANT_OPTION' : type.upcase)
+        should_not contain_sqlserver__user__permissions("Sqlserver::User[#{title}]-#{type_title}-loggingUser")
+      }
+    end
+
+    describe 'GRANT permissions' do
+      let(:permissions) { {'GRANT' => ['SELECT']} }
+      it_behaves_like 'sqlserver_user_permissions exists', 'GRANT'
+      it_behaves_like 'sqlserver_user_permissions absent', 'DENY'
+      it_behaves_like 'sqlserver_user_permissions absent', 'REVOKE'
+      it_behaves_like 'sqlserver_user_permissions absent', 'GRANT_WITH_OPTION'
+    end
+
+    describe 'GRANT DENY' do
+      let(:permissions) { {'GRANT' => ['CONNECT SQL'], 'DENY' => ['INSERT']} }
+      it_behaves_like 'sqlserver_user_permissions exists', 'GRANT'
+      it_behaves_like 'sqlserver_user_permissions exists', 'DENY'
+      it_behaves_like 'sqlserver_user_permissions absent', 'REVOKE'
+      it_behaves_like 'sqlserver_user_permissions absent', 'GRANT_WITH_OPTION'
+    end
 
+    describe 'GRANT_WITH_OPTION' do
+      let(:permissions) { {'GRANT_WITH_OPTION' => ['CONNECT SQL']} }
+      it_behaves_like 'sqlserver_user_permissions exists', 'GRANT_WITH_OPTION'
+    end
+
+    describe 'REVOKE' do
+      let(:permissions) { {'revoke' => ['CREATE ANY DATABASE']} }
+      it_behaves_like 'sqlserver_user_permissions exists', 'revoke'
+      it_behaves_like 'sqlserver_user_permissions absent', 'GRANT'
+      it_behaves_like 'sqlserver_user_permissions absent', 'DENY'
+      it_behaves_like 'sqlserver_user_permissions absent', 'GRANT_WITH_OPTION'
+    end
+
+    describe 'empty' do
+      %w(GRANT DENY REVOKE GRANT-WITH_GRANT_OPTION).each do |type|
+        it_behaves_like 'sqlserver_user_permissions absent', type
+      end
+    end
+
+    describe 'duplicate permissions' do
+      let(:additional_params) { {
+        :permissions => {'GRANT' => ['CONNECT SQL'], 'REVOKE' => ['CONNECT SQL']}
+      } }
+      let(:raise_error_check) { "Duplicate permissions found for sqlserver::user[#{title}" }
+      let(:raise_error_check) { "Duplicate permissions found for sqlserver::user[#{title}" }
+      it_behaves_like 'validation error'
+    end
+  end
 end