FM-2299 Login - Allow for permissions hash

Travis Fields · Travis Fields · commit 71309842cd6c · 2015-03-04T12:42:56.000-08:00
diff --git a/manifests/login.pp b/manifests/login.pp
@@ -45,6 +45,10 @@
 # @see http://technet.microsoft.com/en-us/library/ms189751(v=sql.110).aspx Create Login
 # @see http://technet.microsoft.com/en-us/library/ms189828(v=sql.110).aspx Alter Login
 #
+# [permissions]
+#   A hash of permissions that should be managed for the login.  Valid keys are 'GRANT', 'GRANT_WITH_OPTION', 'DENY' or 'REVOKE'.  Valid values must be an array of Strings i.e. {'GRANT' => ['CONNECT SQL', 'CREATE ANY DATABASE'] }
+#
+##
 define sqlserver::login (
   $login = $title,
   $instance = 'MSSQLSERVER',
@@ -57,6 +61,7 @@
   $check_expiration = false,
   $check_policy = true,
   $disabled = false,
+  $permissions = { },
 ) {
 
   sqlserver_validate_instance_name($instance)
@@ -67,15 +72,52 @@
     fail ('Can not have check expiration enabled when check_policy is disabled')
   }
 
-  $create_delete = $ensure ? {
+  $_create_delete = $ensure ? {
     present => 'create',
     absent  => 'delete',
   }
 
   sqlserver_tsql{ "login-${instance}-${login}":
     instance => $instance,
-    command  => template("sqlserver/${create_delete}/login.sql.erb"),
+    command  => template("sqlserver/${_create_delete}/login.sql.erb"),
     onlyif   => template('sqlserver/query/login_exists.sql.erb'),
     require  => Sqlserver::Config[$instance]
   }
+
+  if $ensure == present {
+    validate_hash($permissions)
+    $_upermissions = sqlserver_upcase($permissions)
+    sqlserver_validate_hash_uniq_values($_upermissions, "Duplicate permissions found for sqlserver::login[${title}]")
+
+    Sqlserver::Login::Permissions{
+      login     => $login,
+      instance  => $instance,
+      require   => Sqlserver_tsql["login-${instance}-${login}"]
+    }
+    if has_key($_upermissions, 'GRANT') and is_array($_upermissions['GRANT']) {
+      sqlserver::login::permissions{ "Sqlserver::Login[${title}]-GRANT-${login}":
+        state       => 'GRANT',
+        permissions => $_upermissions['GRANT'],
+      }
+    }
+    if has_key($_upermissions, 'DENY') and is_array($_upermissions['DENY']) {
+      sqlserver::login::permissions{ "Sqlserver::Login[${title}]-DENY-${login}":
+        state       => 'DENY',
+        permissions => $_upermissions['DENY'],
+      }
+    }
+    if has_key($_upermissions, 'REVOKE') and is_array($_upermissions['REVOKE']) {
+      sqlserver::login::permissions{ "Sqlserver::Login[${title}]-REVOKE-${login}":
+        state       => 'REVOKE',
+        permissions => $_upermissions['REVOKE'],
+      }
+    }
+    if has_key($_upermissions, 'GRANT_WITH_OPTION') and is_array($_upermissions['GRANT_WITH_OPTION']) {
+      sqlserver::login::permissions{ "Sqlserver::Login[${title}]-GRANT-WITH_GRANT_OPTION-${login}":
+        state             => 'GRANT',
+        with_grant_option => true,
+        permissions       => $_upermissions['GRANT_WITH_OPTION'],
+      }
+    }
+  }
 }
diff --git a/manifests/login/permissions.pp b/manifests/login/permissions.pp
@@ -1,5 +1,5 @@
 ##
-# == Define Resource Type: sqlserver::login::permission#
+# == Define Resource Type: sqlserver::login::permissions#
 #
 # === Requirement/Dependencies:
 #
@@ -20,7 +20,7 @@
 #   The name of the instance where the user and database exists. Defaults to 'MSSQLSERVER'
 #
 ##
-define sqlserver::login::permission (
+define sqlserver::login::permissions (
   $login,
   $permissions,
   $state             = 'GRANT',
diff --git a/spec/defines/login/permissions_spec.rb b/spec/defines/login/permissions_spec.rb
@@ -1,7 +1,7 @@
 require 'spec_helper'
 require File.expand_path(File.join(File.dirname(__FILE__), '..', 'manifest_shared_examples.rb'))
 
-describe 'sqlserver::login::permission' do
+describe 'sqlserver::login::permissions' do
   let(:facts) { {:osfamily => 'windows'} }
   context 'validation errors' do
     include_context 'manifests' do
@@ -10,11 +10,11 @@
     end
     context 'login =>' do
       let(:params) { {
-          :permissions=> ['SELECT'],
+        :permissions => ['SELECT'],
       } }
       let(:raise_error_check) { 'Login must be between 1 and 128 characters' }
       describe 'missing' do
-        let(:raise_error_check) { 'Must pass login to Sqlserver::Login::Permission[myTitle]' }
+        let(:raise_error_check) { 'Must pass login to Sqlserver::Login::Permissions[myTitle]' }
         it_behaves_like 'validation error'
       end
       describe 'empty' do
@@ -28,26 +28,26 @@
     end
     context 'permission' do
       let(:params) { {
-          :login => 'loggingUser',
+        :login => 'loggingUser',
       } }
       let(:raise_error_check) { 'Permission must be between 4 and 128 characters' }
       describe 'empty' do
-        let(:additional_params) { {:permissions=> ['']} }
+        let(:additional_params) { {:permissions => ['']} }
         it_behaves_like 'validation error'
       end
       describe 'under limit' do
-        let(:additional_params) { {:permissions=> [random_string_of_size(3, false)]} }
+        let(:additional_params) { {:permissions => [random_string_of_size(3, false)]} }
         it_behaves_like 'validation error'
       end
       describe 'over limit' do
-        let(:additional_params) { {:permissions=> [random_string_of_size(129, false)]} }
+        let(:additional_params) { {:permissions => [random_string_of_size(129, false)]} }
         it_behaves_like 'validation error'
       end
     end
     context 'state =>' do
       let(:params) { {
-          :permissions=> ['SELECT'],
-          :login => 'loggingUser'
+        :permissions => ['SELECT'],
+        :login => 'loggingUser'
       } }
       describe 'invalid' do
         let(:additional_params) { {:state => 'invalid'} }
@@ -61,8 +61,8 @@
       let(:title) { 'myTitle' }
       let(:sqlserver_tsql_title) { 'login-permission-MSSQLSERVER-loggingUser-GRANT' }
       let(:params) { {
-          :login => 'loggingUser',
-          :permissions=> ['SELECT'],
+        :login => 'loggingUser',
+        :permissions => ['SELECT'],
       } }
     end
     %w(revoke grant deny).each do |state|
@@ -90,7 +90,7 @@
         it_behaves_like 'sqlserver_tsql command'
       end
       describe 'alter' do
-        let(:additional_params) { {:permissions=> ['ALTER']} }
+        let(:additional_params) { {:permissions => ['ALTER']} }
         let(:should_contain_command) { ['USE [master];', 'GRANT ALTER TO [loggingUser];'] }
         let(:sqlserver_tsql_title) { "login-permission-MSSQLSERVER-loggingUser-GRANT" }
         it_behaves_like 'sqlserver_tsql command'
@@ -113,19 +113,19 @@
       let(:title) { 'myTitle' }
       let(:sqlserver_tsql_title) { 'login-permission-MSSQLSERVER-loggingUser-GRANT' }
       let(:params) { {
-          :login => 'loggingUser',
-          :permissions => ['SELECT'],
+        :login => 'loggingUser',
+        :permissions => ['SELECT'],
       } }
       describe '' do
         let(:should_contain_command) { [
-            'USE [master];',
-            'GRANT SELECT TO [loggingUser];',
-            /DECLARE @perm_state varchar\(250\)/,
-            /SET @perm_state = ISNULL\(\n\s+\(SELECT perm.state_desc FROM sys\.server_permissions perm\n\s+JOIN sys\./,
-            /JOIN sys\.server_principals princ ON princ.principal_id = perm\.grantee_principal_id\n\s+WHERE/,
-            /WHERE princ\.type IN \('U','S','G'\)\n\s+ AND princ\.name = 'loggingUser'\n\s+AND perm\.permission_name = @permission\),\n\s+'REVOKE'\)/,
-            /SET @error_msg = 'EXPECTED login \[loggingUser\] to have permission \[' \+ @permission \+ '\] with GRANT but got ' \+ @perm_state;/,
-            /IF @perm_state != 'GRANT'\n\s+THROW 51000, @error_msg, 10/
+          'USE [master];',
+          'GRANT SELECT TO [loggingUser];',
+          /DECLARE @perm_state varchar\(250\)/,
+          /SET @perm_state = ISNULL\(\n\s+\(SELECT perm.state_desc FROM sys\.server_permissions perm\n\s+JOIN sys\./,
+          /JOIN sys\.server_principals princ ON princ.principal_id = perm\.grantee_principal_id\n\s+WHERE/,
+          /WHERE princ\.type IN \('U','S','G'\)\n\s+ AND princ\.name = 'loggingUser'\n\s+AND perm\.permission_name = @permission\),\n\s+'REVOKE'\)/,
+          /SET @error_msg = 'EXPECTED login \[loggingUser\] to have permission \[' \+ @permission \+ '\] with GRANT but got ' \+ @perm_state;/,
+          /IF @perm_state != 'GRANT'\n\s+THROW 51000, @error_msg, 10/
         ] }
         it_behaves_like 'sqlserver_tsql command'
       end
diff --git a/spec/defines/login_spec.rb b/spec/defines/login_spec.rb
@@ -6,8 +6,8 @@
     let(:sqlserver_tsql_title) { 'login-MSSQLSERVER-myTitle' }
     let(:title) { 'myTitle' }
     let(:params) { {
-        :login => 'myTitle',
-        :instance => 'MSSQLSERVER',
+      :login => 'myTitle',
+      :instance => 'MSSQLSERVER',
     } }
   end
 
@@ -18,19 +18,19 @@
   end
   describe 'parameter assignment' do
     let(:should_contain_command) { [
-        "IF exists(select * from sys.sql_logins where name = 'myTitle')",
-        "@login as varchar(255) = 'myTitle'",
-        '@is_disabled as tinyint = 0'
+      "IF exists(select * from sys.sql_logins where name = 'myTitle')",
+      "@login as varchar(255) = 'myTitle'",
+      '@is_disabled as tinyint = 0'
     ] }
     let(:should_contain_onlyif) { [
-        "@login as varchar(255) = 'myTitle'",
-        "@is_disabled as tinyint = 0",
-        "@check_expiration as tinyint = 0",
-        "@check_policy as tinyint = 1",
-        "@type_desc as varchar(50) = 'SQL_LOGIN'",
-        "@default_db as varchar(255) = 'master'",
-        "@default_lang as varchar(50) = 'us_english'",
-        "IF NOT EXISTS(SELECT name FROM sys.server_principals WHERE  name = 'myTitle')"
+      "@login as varchar(255) = 'myTitle'",
+      "@is_disabled as tinyint = 0",
+      "@check_expiration as tinyint = 0",
+      "@check_policy as tinyint = 1",
+      "@type_desc as varchar(50) = 'SQL_LOGIN'",
+      "@default_db as varchar(255) = 'master'",
+      "@default_lang as varchar(50) = 'us_english'",
+      "IF NOT EXISTS(SELECT name FROM sys.server_principals WHERE  name = 'myTitle')"
     ] }
     it_behaves_like 'sqlserver_tsql command'
     it_behaves_like 'sqlserver_tsql onlyif'
@@ -40,4 +40,77 @@
     let(:raise_error_check) { 'Can not have check expiration enabled when check_policy is disabled' }
     it_should_behave_like 'validation error'
   end
+  context 'permissions =>' do
+    let(:title) { 'myTitle' }
+    let(:params) { {
+      :login => 'myLogin',
+    } }
+    let(:permissions) { {} }
+    shared_examples 'sqlserver_permissions exists' do |type|
+      it {
+        params[:permissions] = permissions
+        type_title = (type =~ /GRANT_WITH_OPTION/i ? 'GRANT-WITH_GRANT_OPTION' : type.upcase)
+        should contain_sqlserver__login__permissions("Sqlserver::Login[#{title}]-#{type_title}-myLogin").with(
+                 {
+                   'login' => 'myLogin',
+                   'state' => type == 'GRANT_WITH_OPTION' ? 'GRANT' : type.upcase,
+                   'with_grant_option' => type == 'GRANT_WITH_OPTION',
+                   'permissions' => permissions[type],
+                   'require' => 'Sqlserver_tsql[login-MSSQLSERVER-myLogin]'
+                 }
+               )
+      }
+    end
+
+    shared_examples 'sqlserver_permissions absent' do |type|
+      it {
+        params[:permissions] = permissions
+        type_title = (type =~ /GRANT_WITH_OPTION/i ? 'GRANT-WITH_GRANT_OPTION' : type.upcase)
+        should_not contain_sqlserver__login__permissions("Sqlserver::Login[#{title}]-#{type_title}-myLogin")
+      }
+    end
+
+    describe 'GRANT permissions' do
+      let(:permissions) { {'GRANT' => ['SELECT']} }
+      it_behaves_like 'sqlserver_permissions exists', 'GRANT'
+      it_behaves_like 'sqlserver_permissions absent', 'DENY'
+      it_behaves_like 'sqlserver_permissions absent', 'REVOKE'
+      it_behaves_like 'sqlserver_permissions absent', 'GRANT_WITH_OPTION'
+    end
+
+    describe 'GRANT DENY' do
+      let(:permissions) { {'GRANT' => ['CONNECT SQL'], 'DENY' => ['INSERT']} }
+      it_behaves_like 'sqlserver_permissions exists', 'GRANT'
+      it_behaves_like 'sqlserver_permissions exists', 'DENY'
+      it_behaves_like 'sqlserver_permissions absent', 'REVOKE'
+      it_behaves_like 'sqlserver_permissions absent', 'GRANT_WITH_OPTION'
+    end
+
+    describe 'GRANT_WITH_OPTION' do
+      let(:permissions) { {'GRANT_WITH_OPTION' => ['CONNECT SQL']} }
+      it_behaves_like 'sqlserver_permissions exists', 'GRANT_WITH_OPTION'
+    end
+
+    describe 'REVOKE' do
+      let(:permissions) { {'revoke' => ['CREATE ANY DATABASE']} }
+      it_behaves_like 'sqlserver_permissions exists', 'revoke'
+      it_behaves_like 'sqlserver_permissions absent', 'GRANT'
+      it_behaves_like 'sqlserver_permissions absent', 'DENY'
+      it_behaves_like 'sqlserver_permissions absent', 'GRANT_WITH_OPTION'
+    end
+
+    describe 'empty' do
+      %w(GRANT DENY REVOKE GRANT-WITH_GRANT_OPTION).each do |type|
+        it_behaves_like 'sqlserver_permissions absent', type
+      end
+    end
+
+    describe 'duplicate permissions' do
+      let(:additional_params) { {
+        :permissions => {'GRANT' => ['CONNECT SQL'], 'REVOKE' => ['CONNECT SQL']}
+      } }
+      let(:raise_error_check) { "Duplicate permissions found for sqlserver::login[#{title}" }
+      it_behaves_like 'validation error'
+    end
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`##`
`2`		`-# == Define Resource Type: sqlserver::login::permission#`
	`2`	`+# == Define Resource Type: sqlserver::login::permissions#`
`3`	`3`	`#`
`4`	`4`	`# === Requirement/Dependencies:`
`5`	`5`	`#`
`@@ -20,7 +20,7 @@`
`20`	`20`	`# The name of the instance where the user and database exists. Defaults to 'MSSQLSERVER'`
`21`	`21`	`#`
`22`	`22`	`##`
`23`		`-define sqlserver::login::permission (`
	`23`	`+define sqlserver::login::permissions (`
`24`	`24`	`$login,`
`25`	`25`	`$permissions,`
`26`	`26`	`$state = 'GRANT',`