Fixes20240722 (#27)

* Fixes to user mapping through MSSQL_LOGIN_** to deal with orphaned users
* Cleanup orphaned users after database restores
* Improved test coverage for user mapping through MSSQL_LOGIN_**

README.md

@@ -30,10 +30,10 @@ $ENV:IMAGE_VERSION = "1.0.32";
 .\buildall.ps1
 
 # Build and push to the registry
-.\buildall.ps1 -Push $true
+.\buildall.ps1 -Push
 
 # Build and run tests
-.\buildall.ps1 -Test $true
+.\buildall.ps1 -Test
 ```
 
 ## Image List

servercore2022/readme.md

@@ -89,15 +89,25 @@ This uses Machine Level DPAPI encryption, and this is just designed to avoid lea
 
 This does NOT protect the information from being decoded by any other process running inside the container. That is totally possible.
 
-## Environment hot reload and K8S config maps
+## Environment hot reload and K8S config maps + secrets
 
-The image can use a JSON file in disk to read the environment from:
+The image can process json configmaps mounted anywhere in:
 
+```powershell
+c:\environment.d\
 ```
-c:\environment.d\**.json
+
+It will parse any file with the JSON, YAML and YML extension, recognizing both JSON and YAML Formats.
+
+You can also mount any secrets as volumes in:
+
+```powershell
+c:\secrets.d\
 ```
 
-Changes to this file are checked every 8 seconds in the entry point, and environment variables updated accordingly. Note that this **does not** mean that whatever this environment variables controls or affects is going to be updated, it depends on each specific setting and how it is used.
+where the secret filename will be the environment variable name, and the file contents the environment variable value.
+
+Changes to these files are checked every 8 seconds in the entry point, and **environment variables updated accordingly**. Note that this **does not** mean that whatever this environment variables controls or affects is going to be updated, it depends on each specific setting and how it is used.
 
 Configuring environment through a Json file has some advantages:
 
@@ -148,10 +158,14 @@ resource "kubernetes_config_map" "env_config" {
 
 When the environment configuration is refreshed, all powershell scripts in the refresh folder will be invoked
 
-```
+```powershell
 c:\entrypoint\refreshenv
 ```
 
+If you want to support hot-reloading of configuration in your application, place your configuration script in refreshenv.
+
+Note that these scripts are **NOT** executed on container initial startup, only after the system detects changes in the configuration values.
+
 ## Memory and CPU footprint
 
 Because the entry point to this image is a powershell script, the minimum memory footprint for this image is **about 80Mb** (doing nothing). That is what powershell.exe plus some other windows services will need.

sqlserver2022k8s/setup/base/assets/Program Files/WindowsPowerShell/Modules/Sbs/Functions/SbsMssqlAddLogin.ps1

@@ -35,8 +35,8 @@ function SbsMssqlAddLogin {
     $password = $parsedLoginConfiguration["Password"];
     $defaultDatabase = $parsedLoginConfiguration["DefaultDatabase"];
     $databasesRegex = $parsedLoginConfiguration["DatabasesRegex"];
-    $permissions = ($parsedLoginConfiguration["Permissions"] -split ",") | Where-Object { $allowedPermissions -contains $_.Trim() }
-    $roles = ($parsedLoginConfiguration["Roles"] -split ",") | Where-Object { $allowedRoles -contains $_ }
+    $permissions = ($parsedLoginConfiguration["Permissions"] -split ",") | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $allowedPermissions -contains $_ }
+    $roles = ($parsedLoginConfiguration["Roles"] -split ",") | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $allowedRoles -contains $_ }
 
     SbsWriteDebug "Setting up MSSQL server login '$($loginName)'";
 
@@ -70,11 +70,7 @@ function SbsMssqlAddLogin {
     } | Select-Object -ExpandProperty Name;
 
     foreach ($db in $databases) {
-        SbsWriteDebug "Processing roles for '$($db)'"
-        $user = Get-DbaDbUser -SqlInstance $instance -Database $db -User $loginName;
-        if ($user) {
-            Remove-DbaDbOrphanUser -SqlInstance $instance -Database $db -User $user;
-        }
+        Repair-DbaDbOrphanUser -SqlInstance $instance -Database $db -User $loginName -Confirm:$false;
         $user = Get-DbaDbUser -SqlInstance $instance -Database $db -User $loginName;
         if (-not $user) {
             SbsWriteDebug "Creating database user $loginName for '$($db)'"
@@ -95,5 +91,17 @@ function SbsMssqlAddLogin {
 
         SbsWriteHost "Adding roles '$($roles -Join ", ")' to '$($loginName)' in '$($db)'"
         Add-DbaDbRoleMember @addDbaRolesArguments;
+
+        # Now remove roles
+        $rolesToDelete = Get-DbaDbRoleMember -SqlInstance $instance -Database $db -ExcludeRole $roles | Where-Object { 
+            $_.Login -eq $loginName
+        } | Select-object -ExpandProperty "Role" | Where-Object { 
+            -not($roles -contains $_.Role) 
+        };
+
+        if ($rolesToDelete) {
+            SbsWriteWarning "Removing roles '$($rolesToDelete -Join ", ")' to '$($loginName)' in '$($db)'"
+            Remove-DbaDbRoleMember -SqlInstance $instance -Database $db -User $loginName -Role $rolesToDelete -Confirm:$false;
+        }
     }
 }

sqlserver2022k8s/setup/base/assets/Program Files/WindowsPowerShell/Modules/Sbs/Functions/SbsRestoreDatabase.ps1

@@ -36,5 +36,8 @@ function SbsRestoreDatabase {
     }
 
     SbsWriteHost "Database $($databaseName) restored successfully."
+
+    Repair-DbaDbOrphanUser -SqlInstance $SqlInstance -Database $databaseName -RemoveNotExisting -Confirm:$false;
+
     return $true
 }

sqlserver2022k8s/tests/Compose.Tests.ps1

@@ -5,6 +5,9 @@ Describe 'compose.yaml' {
         Remove-Item -Path "$env:BUILD_TEMP\datavolume\data\*", "$env:BUILD_TEMP\datavolume\log\*", "$env:BUILD_TEMP\datavolume\backup\*" -Recurse -Force
         $Env:connectionString = "Server=172.18.8.8;User Id=sa;Password=sapwd;";
         $Env:containerName = "sqlserver2022k8s-mssql-1"
+    }
+
+    It 'Server starts' {
         docker compose -f sqlserver2022k8s/compose.yaml up -d;
         WaitForLog $Env:containerName "Initialization Completed" -extendedTimeout
     }
@@ -53,6 +56,31 @@ CREATE TABLE dbo.TestTableNotAllowed (
         (Invoke-DbaQuery -SqlInstance $instance -Database mydatabase -Query "SELECT OBJECT_ID('dbo.TestTableNotAllowed')").Column1 | Should -BeNullOrEmpty
     }
 
+    It 'Create a user from configuration' {
+        $instance = Connect-DbaInstance $Env:connectionString
+        $instance | Should -Not -BeNullOrEmpty;
+
+        $userConfig1 = @{
+            "MSSQL_LOGIN_NEWUSER" = '{"Login":"newuser", "Password":"MyP@assword", "DefaultDatabase":"mydatabase", "DatabasesRegex":"^mydatabase$", "Permissions": "CONNECT SQL", "Roles":"db_datawriter,db_ddladmin,db_datareader"}'
+        } | ConvertTo-Json
+
+        docker exec $Env:containerName powershell "New-Item -ItemType Directory -Force -Path 'C:\environment.d'; Set-Content -Path 'C:\environment.d\testuser.json' -Value '$userConfig1'"
+
+        Get-DbaDbUser -SqlInstance $instance | Should -Not -BeNullOrEmpty
+
+        # User should be automatically created
+        WaitForLog $Env:containerName "Creating database user newuser"
+
+        # Remove a role
+        $userConfig1 = @{
+            "MSSQL_LOGIN_NEWUSER" = '{"Login":"newuser", "Password":"MyP@assword", "DefaultDatabase":"mydatabase", "DatabasesRegex":"^mydatabase$", "Permissions": "CONNECT SQL", "Roles":"db_datawriter,db_datareader"}'
+        } | ConvertTo-Json
+
+        docker exec $Env:containerName powershell "New-Item -ItemType Directory -Force -Path 'C:\environment.d'; Set-Content -Path 'C:\environment.d\testuser.json' -Value '$userConfig1'"
+
+        WaitForLog $Env:containerName "Removing roles 'db_ddladmin'"
+    }
+
     AfterAll {
         docker compose -f sqlserver2022k8s/compose.yaml down;
         Remove-Item -Path "$env:BUILD_TEMP\datavolume\data\*", "$env:BUILD_TEMP\datavolume\backup\*" -Recurse -Force