BREAKING CHANGE: SqlLogin: Parameters no longer enforce default values (
#1696)

- SqlLogin
  - BREAKING CHANGE: `LoginMustChangePassword`, `LoginPasswordExpirationEnabled` and `LoginPasswordPolicyEnforced`
    parameters no longer enforce default values (issue #1669).
bozho authored Mar 28, 2022
1 parent 26a7b07 commit d8b4d9d
Showing 6 changed files with 589 additions and 52 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -29,6 +29,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Bumped Stale task to v5 in the GitHub workflow.
- Wiki
- add introduction and links to DSC technology
- SqlLogin
- BREAKING CHANGE: `LoginMustChangePassword`, `LoginPasswordExpirationEnabled` and `LoginPasswordPolicyEnforced`
parameters no longer enforce default values ([issue #1669](https://github.com/dsccommunity/SqlServerDsc/issues/1669)).

### Fixed

62 changes: 35 additions & 27 deletions source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1
Expand Up @@ -107,13 +107,13 @@ function Get-TargetResource
The credential containing the password for a SQL Login. Only applies if the login type is SqlLogin.
.PARAMETER LoginMustChangePassword
Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. Does not update pre-existing SQL Logins. Default is $true.
Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. Does not update pre-existing SQL Logins.
.PARAMETER LoginPasswordExpirationEnabled
Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins. Default is $true.
Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins.
.PARAMETER LoginPasswordPolicyEnforced
Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins. Default is $true.
Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins.
.PARAMETER Disabled
Specifies if the login is disabled. Default is $false.
Expand Down Expand Up @@ -163,15 +163,15 @@ function Set-TargetResource

[Parameter()]
[System.Boolean]
$LoginMustChangePassword = $true,
$LoginMustChangePassword,

[Parameter()]
[System.Boolean]
$LoginPasswordExpirationEnabled = $true,
$LoginPasswordExpirationEnabled,

[Parameter()]
[System.Boolean]
$LoginPasswordPolicyEnforced = $true,
$LoginPasswordPolicyEnforced,

[Parameter()]
[System.Boolean]
Expand All @@ -195,25 +195,34 @@ function Set-TargetResource
if ( $login.LoginType -eq 'SqlLogin' )
{
# There is no way to update 'MustChangePassword' on existing login so must explicitly throw exception to avoid this functionality being assumed
if ( $login.MustChangePassword -ne $LoginMustChangePassword )
if ( $PSBoundParameters.ContainsKey('LoginMustChangePassword') -and $login.MustChangePassword -ne $LoginMustChangePassword )
{
$errorMessage = $script:localizedData.MustChangePasswordCannotBeChanged
New-InvalidOperationException -Message $errorMessage
}

# `PasswordPolicyEnforced and `PasswordExpirationEnabled` must be updated together (if one or both are not in the desired state)
if ( $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced -or
$login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled )
# Update SQL login data if either `PasswordPolicyEnforced or `PasswordExpirationEnabled` is specified and not in desired state.
# Avoids executing `Update-SQLServerLogin` twice if both are not in desired state.
if ( ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') -and $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced ) -or
( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') -and $login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled ) )
{
Write-Verbose -Message (
$script:localizedData.SetPasswordPolicyEnforced -f $LoginPasswordPolicyEnforced, $Name, $ServerName, $InstanceName
)
Write-Verbose -Message (
$script:localizedData.SetPasswordExpirationEnabled -f $LoginPasswordExpirationEnabled, $Name, $ServerName, $InstanceName
)
if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') )
{
Write-Verbose -Message (
$script:localizedData.SetPasswordPolicyEnforced -f $LoginPasswordPolicyEnforced, $Name, $ServerName, $InstanceName
)

$login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced
$login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled
$login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced
}

if ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') )
{
Write-Verbose -Message (
$script:localizedData.SetPasswordExpirationEnabled -f $LoginPasswordExpirationEnabled, $Name, $ServerName, $InstanceName
)

$login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled
}

Update-SQLServerLogin -Login $login
}
Expand Down Expand Up @@ -365,13 +374,13 @@ function Set-TargetResource
The credential containing the password for a SQL Login. Only applies if the login type is SqlLogin.
.PARAMETER LoginMustChangePassword
Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. Default is $true.
Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins.
.PARAMETER LoginPasswordExpirationEnabled
Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins. Default is $true.
Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins.
.PARAMETER LoginPasswordPolicyEnforced
Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins. Default is $true.
Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins.
.PARAMETER Disabled
Specifies if the login is disabled. Default is $false.
Expand Down Expand Up @@ -421,15 +430,15 @@ function Test-TargetResource

[Parameter()]
[System.Boolean]
$LoginMustChangePassword = $true,
$LoginMustChangePassword,

[Parameter()]
[System.Boolean]
$LoginPasswordExpirationEnabled = $true,
$LoginPasswordExpirationEnabled,

[Parameter()]
[System.Boolean]
$LoginPasswordPolicyEnforced = $true,
$LoginPasswordPolicyEnforced,

[Parameter()]
[System.Boolean]
Expand Down Expand Up @@ -504,7 +513,7 @@ function Test-TargetResource

if ( $LoginType -eq 'SqlLogin' )
{
if ( $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled )
if ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') -and $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled )
{
if ($LoginPasswordExpirationEnabled)
{
Expand All @@ -522,7 +531,7 @@ function Test-TargetResource
$testPassed = $false
}

if ( $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced )
if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') -and $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced )
{
if ($LoginPasswordPolicyEnforced)
{
Expand Down Expand Up @@ -831,4 +840,3 @@ function Set-SQLServerLoginPassword
$ErrorActionPreference = $originalErrorActionPreference
}
}
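Review bot: The `$PSBoundParameters.ContainsKey(...)` guards added in `Set-TargetResource` cover only the branch for an existing SQL login; the branch that creates a new login is outside the hunks shown, and with the `= $true` defaults removed an omitted `[System.Boolean]` parameter now evaluates to `$false` there. If that branch still assigns the values unconditionally, a configuration that leaves out `LoginPasswordPolicyEnforced`, `LoginPasswordExpirationEnabled` or `LoginMustChangePassword` would create the login with those protections turned off, where the old defaults turned them on. The create path should apply the same guard, e.g. `if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') ) { $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced }`, and the `.PARAMETER` help should state what an omitted value means for a new login versus an existing one. Separately, in the update branch SQL Server does not allow password expiration to be on while policy enforcement is off, so setting only one of the two properties may make `Update-SQLServerLogin` fail; a test case for that combination would be worth adding.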

6 changes: 3 additions & 3 deletions source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof
Expand Up @@ -9,9 +9,9 @@ class DSC_SqlLogin : OMI_BaseResource
Values{"WindowsUser","WindowsGroup","SqlLogin","Certificate","AsymmetricKey","ExternalUser","ExternalGroup"}] String LoginType;
[Write, Description("The hostname of the _SQL Server_ to be configured. Default value is the current computer name.")] String ServerName;
[Write, EmbeddedInstance("MSFT_Credential"), Description("Specifies the password as a `[PSCredential]` object. Only applies to _SQL Logins_.")] String LoginCredential;
[Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. Default value is `$true`. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword;
[Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordExpirationEnabled;
[Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordPolicyEnforced;
[Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword;
[Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_.")] Boolean LoginPasswordExpirationEnabled;
[Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to _SQL Logins_.")] Boolean LoginPasswordPolicyEnforced;
[Write, Description("Specifies if the login is disabled. Default value is `$false`.")] Boolean Disabled;
[Write, Description("Specifies the default database name.")] String DefaultDatabase;
};