FM-2236 Add with_grant_option for user permission

Travis Fields · Travis Fields · commit 461ba1b1ac08 · 2015-02-25T08:23:42.000-08:00
diff --git a/manifests/user/permission.pp b/manifests/user/permission.pp
@@ -19,16 +19,20 @@
 # [state]
 #   The state you would like the permission in.  Accepts 'GRANT', 'DENY', 'REVOKE' Please note that REVOKE equates to absent and will default to database and system level permissions.
 #
+# [with_grant_option]
+#   Whether to give the user the option to grant this permission to other users, accepts true or false, defaults to false
+#
 # [instance]
 #   The name of the instance where the user and database exists. Defaults to 'MSSQLSERVER'
 #
 ##
 define sqlserver::user::permission (
   $user,
   $database,
-  $permission = $title,
-  $state      = 'GRANT',
-  $instance   = 'MSSQLSERVER',
+  $permission        = $title,
+  $state             = 'GRANT',
+  $with_grant_option = false,
+  $instance          = 'MSSQLSERVER',
 ){
   sqlserver_validate_instance_name($instance)
 
@@ -41,16 +45,20 @@
   $_state = upcase($state)
   validate_re($_state,'^(GRANT|REVOKE|DENY)$',"State can only be of 'GRANT', 'REVOKE' or 'DENY' you passed ${state}")
 
+  validate_bool($with_grant_option)
+  if $with_grant_option and $_state != 'GRANT' {
+    fail("Can not use with_grant_option and state ${_state}, must be 'GRANT'")
+  }
+
   sqlserver_validate_range($database, 1, 128, 'Database must be between 1 and 128 characters')
 
   sqlserver_validate_range($user, 1, 128, 'User must be between 1 and 128 characters')
 
   sqlserver_tsql{
-    "user-permissions-${instance}-${database}-${user}-${$_state}-${_permission}":
+    "user-permissions-${instance}-${database}-${user}-${_permission}":
       instance => $instance,
-      command  => template("sqlserver/create/user_permission.sql.erb"),
-      onlyif   => template('sqlserver/query/user_permission_exists.sql.erb'),
+      command  => template("sqlserver/create/user/permission.sql.erb"),
+      onlyif   => template('sqlserver/query/user/permission_exists.sql.erb'),
       require  => Sqlserver::Config[$instance],
   }
-
 }
diff --git a/spec/defines/user/permission_spec.rb b/spec/defines/user/permission_spec.rb
@@ -6,7 +6,7 @@
   context 'validation errors' do
     include_context 'manifests' do
       let(:title) { 'myTitle' }
-      let(:sqlserver_tsql_title) { 'user-permissions-MSSQLSERVER-loggingDb-loggingUser-GRANT-SELECT' }
+      let(:sqlserver_tsql_title) { 'user-permissions-MSSQLSERVER-loggingDb-loggingUser-SELECT' }
     end
     context 'user =>' do
       let(:params) { {
@@ -24,6 +24,7 @@
       end
       describe 'over limit' do
         let(:additional_params) { {:user => random_string_of_size(129)} }
+        it_behaves_like 'validation error'
       end
     end
     context 'permission' do
@@ -57,11 +58,29 @@
         it_behaves_like 'validation error'
       end
     end
+    context 'with_grant_option => ' do
+      let(:params) { {
+          :permission => 'SELECT',
+          :database => 'loggingDb',
+          :user => 'loggingUser',
+
+      } }
+      describe 'true AND state => DENY' do
+        let(:additional_params) { {:with_grant_option => true, :state => 'DENY'} }
+        let(:raise_error_check) { "Can not use with_grant_option and state DENY, must be 'GRANT' " }
+        it_behaves_like 'validation error'
+      end
+      describe 'invalid' do
+        let(:additional_params) { {:with_grant_option => 'invalid'} }
+        let(:raise_error_check) { '"invalid" is not a boolean' }
+        it_behaves_like 'validation error'
+      end
+    end
   end
   context 'successfully' do
     include_context 'manifests' do
       let(:title) { 'myTitle' }
-      let(:sqlserver_tsql_title) { 'user-permissions-MSSQLSERVER-loggingDb-loggingUser-GRANT-SELECT' }
+      let(:sqlserver_tsql_title) { 'user-permissions-MSSQLSERVER-loggingDb-loggingUser-SELECT' }
       let(:params) { {
           :user => 'loggingUser',
           :permission => 'SELECT',
@@ -70,7 +89,7 @@
     end
     %w(revoke grant deny).each do |state|
       context "state => '#{state}'" do
-        let(:sqlserver_tsql_title) { "user-permissions-MSSQLSERVER-loggingDb-loggingUser-#{state.upcase}-SELECT" }
+        let(:sqlserver_tsql_title) { 'user-permissions-MSSQLSERVER-loggingDb-loggingUser-SELECT' }
         let(:should_contain_command) { ["#{state.upcase} SELECT TO [loggingUser];", 'USE [loggingDb];'] }
         describe "lowercase #{state}" do
           let(:additional_params) { {:state => state} }
@@ -88,14 +107,14 @@
       describe 'upper limit' do
         permission =random_string_of_size(128, false)
         let(:additional_params) { {:permission => permission} }
-        let(:sqlserver_tsql_title) { "user-permissions-MSSQLSERVER-loggingDb-loggingUser-GRANT-#{permission.upcase}" }
+        let(:sqlserver_tsql_title) { "user-permissions-MSSQLSERVER-loggingDb-loggingUser-#{permission.upcase}" }
         let(:should_contain_command) { ['USE [loggingDb];'] }
         it_behaves_like 'sqlserver_tsql command'
       end
       describe 'alter' do
         let(:additional_params) { {:permission => 'ALTER'} }
         let(:should_contain_command) { ['USE [loggingDb];', 'GRANT ALTER TO [loggingUser];'] }
-        let(:sqlserver_tsql_title) { "user-permissions-MSSQLSERVER-loggingDb-loggingUser-GRANT-ALTER" }
+        let(:sqlserver_tsql_title) { 'user-permissions-MSSQLSERVER-loggingDb-loggingUser-ALTER' }
         it_behaves_like 'sqlserver_tsql command'
       end
     end
@@ -110,12 +129,39 @@
       it_behaves_like 'compile'
     end
 
+    context 'with_grant_option =>' do
+      describe 'true' do
+        let(:additional_params) { {:with_grant_option => true} }
+        let(:should_contain_command) { [
+            "IF @perm_state != 'GRANT_WITH_GRANT_OPTION'",
+            'GRANT SELECT TO [loggingUser] WITH GRANT OPTION;',
+        ] }
+        let(:should_not_contain_command) { [
+            'REVOKE GRANT OPTION FOR SELECT FROM [loggingUser];'] }
+        let(:should_contain_onlyif) { ["IF @perm_state != 'GRANT_WITH_GRANT_OPTION'",] }
+        it_behaves_like 'sqlserver_tsql command'
+        it_behaves_like 'sqlserver_tsql without_command'
+        it_behaves_like 'sqlserver_tsql onlyif'
+      end
+      describe 'false' do
+        let(:should_contain_command) { [
+            "IF @perm_state != 'GRANT'",
+            'GRANT SELECT TO [loggingUser];',
+            'REVOKE GRANT OPTION FOR SELECT TO [loggingUser] CASCADE;',
+            "IF 'GRANT_WITH_GRANT_OPTION' = ISNULL(",
+        ] }
+
+        let(:should_contain_onlyif) { ["IF @perm_state != 'GRANT'",] }
+        it_behaves_like 'sqlserver_tsql command'
+        it_behaves_like 'sqlserver_tsql onlyif'
+      end
+    end
   end
 
   context 'command syntax' do
     include_context 'manifests' do
       let(:title) { 'myTitle' }
-      let(:sqlserver_tsql_title) { 'user-permissions-MSSQLSERVER-loggingDb-loggingUser-GRANT-SELECT' }
+      let(:sqlserver_tsql_title) { 'user-permissions-MSSQLSERVER-loggingDb-loggingUser-SELECT' }
       let(:params) { {
           :user => 'loggingUser',
           :permission => 'SELECT',
@@ -128,7 +174,7 @@
             /DECLARE @perm_state varchar\(250\)/,
             /SET @perm_state = ISNULL\(\n\s+\(SELECT perm.state_desc FROM sys\.database_principals princ\n\s+JOIN sys\./,
             /JOIN sys\.database_permissions perm ON perm\.grantee_principal_id = princ.principal_id\n\s+WHERE/,
-            /WHERE princ\.type in \('U','S','G'\) AND name = 'loggingUser' AND permission_name = 'SELECT' \),\n\s+'REVOKE'\);/,
+            /WHERE princ\.type in \('U','S','G'\) AND name = 'loggingUser' AND permission_name = 'SELECT'\),\n\s+'REVOKE'\)\s+;/,
             /DECLARE @error_msg varchar\(250\);\nSET @error_msg = 'EXPECTED user \[loggingUser\] to have permission \[SELECT\] with GRANT but got ' \+ @perm_state;/,
             /IF @perm_state != 'GRANT'\n\s+THROW 51000, @error_msg, 10/
         ] }
diff --git a/templates/create/user/permission.sql.erb b/templates/create/user/permission.sql.erb
@@ -0,0 +1,11 @@
+BEGIN
+    USE [<%= @database %>];
+    <% if @with_grant_option == false %>
+    IF 'GRANT_WITH_GRANT_OPTION' = <%= scope.function_template(['sqlserver/snippets/user/permission/get_perm_state.sql.erb']) %>
+        REVOKE GRANT OPTION FOR <%= @_permission %> TO [<%= @user %>] CASCADE;
+    <% end %>
+    <%= @_state %> <%= @_permission %> TO [<%= @user %>]<% if @with_grant_option == true %> WITH GRANT OPTION<% end %>;
+END
+BEGIN
+    <%= scope.function_template(['sqlserver/query/user/permission_exists.sql.erb']) %>
+END
diff --git a/templates/create/user_permission.sql.erb b/templates/create/user_permission.sql.erb
diff --git a/templates/query/user/permission_exists.sql.erb b/templates/query/user/permission_exists.sql.erb
@@ -0,0 +1,8 @@
+USE [<%= @database %>];
+DECLARE @perm_state varchar(250);
+SET @perm_state = <%= scope.function_template(['sqlserver/snippets/user/permission/get_perm_state.sql.erb']) %>;
+DECLARE @error_msg varchar(250);
+SET @error_msg = 'EXPECTED user [<%= @user %>] to have permission [<%= @_permission %>] with <%= @_state %> but got ' + @perm_state;
+
+IF @perm_state != '<% if @with_grant_option == true %>GRANT_WITH_GRANT_OPTION<% else %><%= @_state %><% end %>'
+	THROW 51000, @error_msg, 10
diff --git a/templates/query/user_permission_exists.sql.erb b/templates/query/user_permission_exists.sql.erb
diff --git a/templates/snippets/user/permission/get_perm_state.sql.erb b/templates/snippets/user/permission/get_perm_state.sql.erb
@@ -0,0 +1,5 @@
+ISNULL(
+    (SELECT perm.state_desc FROM sys.database_principals princ
+        JOIN sys.database_permissions perm ON perm.grantee_principal_id = princ.principal_id
+        WHERE princ.type in ('U','S','G') AND name = '<%= @user %>' AND permission_name = '<%= @_permission %>'),
+        'REVOKE')
