[dsccommunity#1669] SqlLogin: LoginMustChangePassword, LoginPasswordE…
…xpirationEnabled and LoginPasswordPolicyEnforced parameters no longer enforce default values
bozho authored and johlju committed Mar 13, 2022
1 parent 26a7b07 commit f80a41a
Showing 3 changed files with 26 additions and 16 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -29,6 +29,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Bumped Stale task to v5 in the GitHub workflow.
- Wiki
- add introduction and links to DSC technology
- SqlLogin
- `LoginMustChangePassword`, `LoginPasswordExpirationEnabled` and `LoginPasswordPolicyEnforced`
parameters no longer enforce default values [issue #1669](https://github.com/dsccommunity/SqlServerDsc/issues/1669).

### Fixed

33 changes: 20 additions & 13 deletions source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1
@@ -163,15 +163,15 @@ function Set-TargetResource

[Parameter()]
[System.Boolean]
$LoginMustChangePassword = $true,
$LoginMustChangePassword,

[Parameter()]
[System.Boolean]
$LoginPasswordExpirationEnabled = $true,
$LoginPasswordExpirationEnabled,

[Parameter()]
[System.Boolean]
$LoginPasswordPolicyEnforced = $true,
$LoginPasswordPolicyEnforced,

[Parameter()]
[System.Boolean]
@@ -195,15 +195,15 @@ function Set-TargetResource
if ( $login.LoginType -eq 'SqlLogin' )
{
# There is no way to update 'MustChangePassword' on existing login so must explicitly throw exception to avoid this functionality being assumed
if ( $login.MustChangePassword -ne $LoginMustChangePassword )
if ( $PSBoundParameters.ContainsKey('LoginMustChangePassword') -and $login.MustChangePassword -ne $LoginMustChangePassword )
{
$errorMessage = $script:localizedData.MustChangePasswordCannotBeChanged
New-InvalidOperationException -Message $errorMessage
}

# `PasswordPolicyEnforced and `PasswordExpirationEnabled` must be updated together (if one or both are not in the desired state)
if ( $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced -or
$login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled )
if ( ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') -and $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced ) -or
( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') -and $login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled ) )
{
Write-Verbose -Message (
$script:localizedData.SetPasswordPolicyEnforced -f $LoginPasswordPolicyEnforced, $Name, $ServerName, $InstanceName
@@ -212,8 +212,15 @@ function Set-TargetResource
$script:localizedData.SetPasswordExpirationEnabled -f $LoginPasswordExpirationEnabled, $Name, $ServerName, $InstanceName
)

$login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced
$login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled
if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') )
{
$login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced
}

if ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') )
{
$login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled
}

Update-SQLServerLogin -Login $login
}
@@ -421,15 +428,15 @@ function Test-TargetResource

[Parameter()]
[System.Boolean]
$LoginMustChangePassword = $true,
$LoginMustChangePassword,

[Parameter()]
[System.Boolean]
$LoginPasswordExpirationEnabled = $true,
$LoginPasswordExpirationEnabled,

[Parameter()]
[System.Boolean]
$LoginPasswordPolicyEnforced = $true,
$LoginPasswordPolicyEnforced,

[Parameter()]
[System.Boolean]
@@ -504,7 +511,7 @@ function Test-TargetResource

if ( $LoginType -eq 'SqlLogin' )
{
if ( $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled )
if ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') -and $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled )
{
if ($LoginPasswordExpirationEnabled)
{
@@ -522,7 +529,7 @@ function Test-TargetResource
$testPassed = $false
}

if ( $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced )
if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') -and $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced )
{
if ($LoginPasswordPolicyEnforced)
{
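Review bot: Nothing in the visible hunks guards the path that creates a new SQL login, and with the `= $true` defaults removed from `Set-TargetResource` an omitted `LoginPasswordPolicyEnforced`, `LoginPasswordExpirationEnabled` or `LoginMustChangePassword` now evaluates to `$false` inside the function. Only the existing-login branch is wrapped in `$PSBoundParameters.ContainsKey(...)`; the create branch lies outside these hunks, so this needs confirming there. If it still assigns the variables unconditionally, a configuration that omits them would create logins with policy enforcement and expiration turned off, so it should use the same guard, e.g. `if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') ) { $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced }`. In the update branch the two `Write-Verbose` calls still format both values, so the log can report `False` for a setting that was not bound and is not being changed.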
6 changes: 3 additions & 3 deletions source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof
@@ -9,9 +9,9 @@ class DSC_SqlLogin : OMI_BaseResource
Values{"WindowsUser","WindowsGroup","SqlLogin","Certificate","AsymmetricKey","ExternalUser","ExternalGroup"}] String LoginType;
[Write, Description("The hostname of the _SQL Server_ to be configured. Default value is the current computer name.")] String ServerName;
[Write, EmbeddedInstance("MSFT_Credential"), Description("Specifies the password as a `[PSCredential]` object. Only applies to _SQL Logins_.")] String LoginCredential;
[Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. Default value is `$true`. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword;
[Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordExpirationEnabled;
[Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordPolicyEnforced;
[Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword;
[Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_.")] Boolean LoginPasswordExpirationEnabled;
[Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to _SQL Logins_.")] Boolean LoginPasswordPolicyEnforced;
[Write, Description("Specifies if the login is disabled. Default value is `$false`.")] Boolean Disabled;
[Write, Description("Specifies the default database name.")] String DefaultDatabase;
};
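Review bot: The three descriptions no longer say what happens when the property is left out, which is the behaviour this commit changes. Consider ending each with a sentence such as `If not specified, the current value on an existing login is left unchanged.`, and state the value a newly created login receives once that is confirmed from the create path, which is not visible in this section.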
