Fix SqlLogin after rebase

CHANGELOG.md

@@ -37,8 +37,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Wiki
   - add introduction and links to DSC technology
 - SqlLogin
-  - BREAKING CHANGE: `LoginMustChangePassword`, `LoginPasswordExpirationEnabled` and `LoginPasswordPolicyEnforced`
-    parameters no longer enforce default values ([issue #1669](https://github.com/dsccommunity/SqlServerDsc/issues/1669)).
+  - BREAKING CHANGE: The parameters `LoginMustChangePassword`, `LoginPasswordExpirationEnabled`,
+    and `LoginPasswordPolicyEnforced` no longer have a default value of `$true`.
+    This means that when creating a new login, and not specifically setting
+    these parameters to `$true` in the configuration, the login that is created
+    will have these properties set to `$false`.
+  - BREAKING CHANGE: `LoginMustChangePassword`, `LoginPasswordExpirationEnabled`,
+    and `LoginPasswordPolicyEnforced` parameters no longer enforce default
+    values ([issue #1669](https://github.com/dsccommunity/SqlServerDsc/issues/1669)).
 - SqlServerDsc
   - All tests have been converted to run in Pester 5 (Pester 4 can no
     longer be supported) ([issue #1654](https://github.com/dsccommunity/SqlServerDsc/issues/1654)).

source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1

@@ -302,9 +302,14 @@ function Set-TargetResource
                             New-InvalidOperationException -Message $errorMessage
                         }
 
-                        # `PasswordPolicyEnforced` and `PasswordExpirationEnabled` must be updated together.
+                        <#
+                            PasswordExpirationEnabled can only be set to $true if PasswordPolicyEnforced
+                            is also set to $true. If not the SQL Server will throw the exception
+                            "The CHECK_EXPIRATION option cannot be used when CHECK_POLICY is OFF".
+                        #>
                         $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced
                         $login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled
+
                         if ( $LoginMustChangePassword )
                         {
                             $LoginCreateOptions = [Microsoft.SqlServer.Management.Smo.LoginCreateOptions]::MustChange

tests/Integration/DSC_SqlLogin.Integration.Tests.ps1

@@ -639,7 +639,7 @@ Describe "$($script:dscResourceName)_Integration" -Tag @('Integration_SQL2016',
     }
 
     Context ('When using configuration <_>') -ForEach @(
-        "$($script:dscResourceName)_AddLoginDscUser5_Set_LoginPasswordExpirationEnabled_Config"
+        "$($script:dscResourceName)_AddLoginDscUser5_Set_LoginPasswordPolicyEnforced_Config"
     ) {
         BeforeAll {
             $configurationName = $_
@@ -742,6 +742,113 @@ Describe "$($script:dscResourceName)_Integration" -Tag @('Integration_SQL2016',
         }
     }
 
+    ### START - THIS SHOULD THROW AN ERROR ###
+    Context ('When using configuration <_>') -ForEach @(
+        "$($script:dscResourceName)_AddLoginDscUser5_Set_LoginPasswordExpirationEnabled_Config"
+    ) {
+        BeforeAll {
+            $configurationName = $_
+        }
+
+        AfterAll {
+            Wait-ForIdleLcm
+        }
+
+        It 'Should compile and apply the MOF without throwing' {
+            {
+                $configurationParameters = @{
+                    OutputPath                 = $TestDrive
+                    # The variable $ConfigurationData was dot-sourced above.
+                    ConfigurationData          = $ConfigurationData
+                }
+
+                & $configurationName @configurationParameters
+
+                $startDscConfigurationParameters = @{
+                    Path         = $TestDrive
+                    ComputerName = 'localhost'
+                    Wait         = $true
+                    Verbose      = $true
+                    Force        = $true
+                    ErrorAction  = 'Stop'
+                }
+
+                Start-DscConfiguration @startDscConfigurationParameters
+            } | Should -Not -Throw
+        }
+
+        It 'Should be able to call Get-DscConfiguration without throwing' {
+            {
+                $script:currentConfiguration = Get-DscConfiguration -Verbose -ErrorAction Stop
+            } | Should -Not -Throw
+        }
+
+        It 'Should have set the resource and all the parameters should match' {
+            $resourceCurrentState = $script:currentConfiguration | Where-Object -FilterScript {
+                $_.ConfigurationName -eq $configurationName `
+                -and $_.ResourceId -eq $resourceId
+            }
+
+            $resourceCurrentState.Ensure | Should -Be 'Present'
+            $resourceCurrentState.Name | Should -Be $ConfigurationData.AllNodes.DscUser5Name
+            $resourceCurrentState.LoginType | Should -Be $ConfigurationData.AllNodes.DscUser5Type
+            $resourceCurrentState.Disabled | Should -Be $false
+            $resourceCurrentState.LoginMustChangePassword | Should -BeFalse
+            $resourceCurrentState.LoginPasswordExpirationEnabled | Should -BeTrue
+            $resourceCurrentState.LoginPasswordPolicyEnforced | Should -BeFalse
+        }
+
+        It 'Should return $true when Test-DscConfiguration is run' {
+            Test-DscConfiguration -Verbose | Should -Be 'True'
+        }
+    }
+
+    <#
+        Removing the user DscUser5 to be able to re add it with different configuration.
+        At the end of the test it will be removed again permanently, and with a
+        verification of properties from Get-TargetResource.
+    #>
+    Context ('When using configuration <_>') -ForEach @(
+        "$($script:dscResourceName)_RemoveLoginDscUser5_Config"
+    ) {
+        BeforeAll {
+            $configurationName = $_
+        }
+
+        AfterAll {
+            Wait-ForIdleLcm
+        }
+
+        It 'Should compile and apply the MOF without throwing' {
+            {
+                $configurationParameters = @{
+                    OutputPath                 = $TestDrive
+                    # The variable $ConfigurationData was dot-sourced above.
+                    ConfigurationData          = $ConfigurationData
+                }
+
+                & $configurationName @configurationParameters
+
+                $startDscConfigurationParameters = @{
+                    Path         = $TestDrive
+                    ComputerName = 'localhost'
+                    Wait         = $true
+                    Verbose      = $true
+                    Force        = $true
+                    ErrorAction  = 'Stop'
+                }
+
+                Start-DscConfiguration @startDscConfigurationParameters
+            } | Should -Not -Throw
+        }
+
+        It 'Should return $true when Test-DscConfiguration is run' {
+            Test-DscConfiguration -Verbose | Should -Be 'True'
+        }
+    }
+
+    ### END - THIS SHOULD THROW AN ERROR ###
+
     <#
         This adds the user DscUser5 with both LoginPasswordExpirationEnabled and
         LoginPasswordPolicyEnforced set to False. It will be used to test if the
@@ -798,8 +905,8 @@ Describe "$($script:dscResourceName)_Integration" -Tag @('Integration_SQL2016',
             $resourceCurrentState.LoginType | Should -Be $ConfigurationData.AllNodes.DscUser5Type
             $resourceCurrentState.Disabled | Should -Be $false
             $resourceCurrentState.LoginMustChangePassword | Should -BeFalse
-            $resourceCurrentState.LoginPasswordExpirationEnabled | Should -BeFalse
-            $resourceCurrentState.LoginPasswordPolicyEnforced | Should -BeFalse
+            $resourceCurrentState.LoginPasswordExpirationEnabled | Should -BeTrue
+            $resourceCurrentState.LoginPasswordPolicyEnforced | Should -BeTrue
         }
 
         It 'Should return $true when Test-DscConfiguration is run' {
@@ -808,7 +915,7 @@ Describe "$($script:dscResourceName)_Integration" -Tag @('Integration_SQL2016',
     }
 
     Context ('When using configuration <_>') -ForEach @(
-        "$($script:dscResourceName)_UpdateLoginDscUser5_Set_LoginPasswordPolicyEnforced_Config"
+        "$($script:dscResourceName)_UpdateLoginDscUser5_Set_LoginPasswordExpirationEnabled_Config"
     ) {
         BeforeAll {
             $configurationName = $_
@@ -859,6 +966,7 @@ Describe "$($script:dscResourceName)_Integration" -Tag @('Integration_SQL2016',
             $resourceCurrentState.Disabled | Should -Be $false
             $resourceCurrentState.LoginMustChangePassword | Should -BeFalse
             $resourceCurrentState.LoginPasswordExpirationEnabled | Should -BeFalse
+            # This was set to true by the previous test.
             $resourceCurrentState.LoginPasswordPolicyEnforced | Should -BeTrue
         }
 
@@ -868,7 +976,7 @@ Describe "$($script:dscResourceName)_Integration" -Tag @('Integration_SQL2016',
     }
 
     Context ('When using configuration <_>') -ForEach @(
-        "$($script:dscResourceName)_UpdateLoginDscUser5_Set_LoginPasswordExpirationEnabled_Config"
+        "$($script:dscResourceName)_UpdateLoginDscUser5_Set_LoginPasswordPolicyEnforced_Config"
     ) {
         BeforeAll {
             $configurationName = $_
@@ -918,8 +1026,7 @@ Describe "$($script:dscResourceName)_Integration" -Tag @('Integration_SQL2016',
             $resourceCurrentState.LoginType | Should -Be $ConfigurationData.AllNodes.DscUser5Type
             $resourceCurrentState.Disabled | Should -Be $false
             $resourceCurrentState.LoginMustChangePassword | Should -BeFalse
-            $resourceCurrentState.LoginPasswordExpirationEnabled | Should -BeTrue
-            # This was set to true by the previous test.
+            $resourceCurrentState.LoginPasswordExpirationEnabled | Should -BeFalse
             $resourceCurrentState.LoginPasswordPolicyEnforced | Should -BeTrue
         }
 

tests/Integration/DSC_SqlLogin.config.ps1

@@ -361,10 +361,10 @@ Configuration DSC_SqlLogin_AddLoginDscUser5_DefaultValues_Config
 
 <#
     .SYNOPSIS
-        Adds a second SQL login to test LoginPasswordExpirationEnabled set to False, and
-        LoginPasswordPolicyEnforced using default value.
+        Adds a second SQL login to test LoginPasswordPolicyEnforced set to True, and
+        LoginPasswordExpirationEnabled using default value.
 #>
-Configuration DSC_SqlLogin_AddLoginDscUser5_Set_LoginPasswordExpirationEnabled_Config
+Configuration DSC_SqlLogin_AddLoginDscUser5_Set_LoginPasswordPolicyEnforced_Config
 {
     Import-DscResource -ModuleName 'SqlServerDsc'
 
@@ -376,7 +376,7 @@ Configuration DSC_SqlLogin_AddLoginDscUser5_Set_LoginPasswordExpirationEnabled_C
             Name                           = $Node.DscUser5Name
             LoginType                      = $Node.DscUser5Type
             LoginMustChangePassword        = $false
-            LoginPasswordExpirationEnabled = $false
+            LoginPasswordPolicyEnforced    = $true
 
             LoginCredential                = New-Object `
                 -TypeName System.Management.Automation.PSCredential `
@@ -401,10 +401,10 @@ Configuration DSC_SqlLogin_AddLoginDscUser5_Set_LoginPasswordExpirationEnabled_C
 
 <#
     .SYNOPSIS
-        Adds a second SQL login to test both LoginPasswordExpirationEnabled and
-        LoginPasswordPolicyEnforced set to False.
+        Adds a second SQL login to test LoginPasswordExpirationEnabled set to True, and
+        LoginPasswordPolicyEnforced using default value.
 #>
-Configuration DSC_SqlLogin_AddLoginDscUser5_Set_LoginPasswordExpirationEnabled_LoginPasswordPolicyEnforced_Config
+Configuration DSC_SqlLogin_AddLoginDscUser5_Set_LoginPasswordExpirationEnabled_Config
 {
     Import-DscResource -ModuleName 'SqlServerDsc'
 
@@ -416,8 +416,7 @@ Configuration DSC_SqlLogin_AddLoginDscUser5_Set_LoginPasswordExpirationEnabled_L
             Name                           = $Node.DscUser5Name
             LoginType                      = $Node.DscUser5Type
             LoginMustChangePassword        = $false
-            LoginPasswordPolicyEnforced    = $false
-            LoginPasswordExpirationEnabled = $false
+            LoginPasswordExpirationEnabled = $true
 
             LoginCredential                = New-Object `
                 -TypeName System.Management.Automation.PSCredential `
@@ -442,15 +441,10 @@ Configuration DSC_SqlLogin_AddLoginDscUser5_Set_LoginPasswordExpirationEnabled_L
 
 <#
     .SYNOPSIS
-        Updates the second SQL login to test LoginPasswordPolicyEnforced set to True, and
-        LoginPasswordExpirationEnabled using the previous set value.
-
-    .NOTES
-        This test must run before the test that sets LoginPasswordExpirationEnabled
-        to False below;
-        "DSC_SqlLogin_UpdateLoginDscUser5_Set_LoginPasswordExpirationEnabled_Config".
+        Adds a second SQL login to test both LoginPasswordExpirationEnabled and
+        LoginPasswordPolicyEnforced set to False.
 #>
-Configuration DSC_SqlLogin_UpdateLoginDscUser5_Set_LoginPasswordPolicyEnforced_Config
+Configuration DSC_SqlLogin_AddLoginDscUser5_Set_LoginPasswordExpirationEnabled_LoginPasswordPolicyEnforced_Config
 {
     Import-DscResource -ModuleName 'SqlServerDsc'
 
@@ -463,6 +457,7 @@ Configuration DSC_SqlLogin_UpdateLoginDscUser5_Set_LoginPasswordPolicyEnforced_C
             LoginType                      = $Node.DscUser5Type
             LoginMustChangePassword        = $false
             LoginPasswordPolicyEnforced    = $true
+            LoginPasswordExpirationEnabled = $true
 
             LoginCredential                = New-Object `
                 -TypeName System.Management.Automation.PSCredential `
@@ -487,7 +482,7 @@ Configuration DSC_SqlLogin_UpdateLoginDscUser5_Set_LoginPasswordPolicyEnforced_C
 
 <#
     .SYNOPSIS
-        Updates the second SQL login to test LoginPasswordExpirationEnabled set to True, and
+        Updates the second SQL login to test LoginPasswordExpirationEnabled set to False, and
         LoginPasswordPolicyEnforced using the previous set value.
 #>
 Configuration DSC_SqlLogin_UpdateLoginDscUser5_Set_LoginPasswordExpirationEnabled_Config
@@ -502,7 +497,7 @@ Configuration DSC_SqlLogin_UpdateLoginDscUser5_Set_LoginPasswordExpirationEnable
             Name                           = $Node.DscUser5Name
             LoginType                      = $Node.DscUser5Type
             LoginMustChangePassword        = $false
-            LoginPasswordExpirationEnabled = $true
+            LoginPasswordExpirationEnabled = $false
 
             LoginCredential                = New-Object `
                 -TypeName System.Management.Automation.PSCredential `
@@ -527,9 +522,15 @@ Configuration DSC_SqlLogin_UpdateLoginDscUser5_Set_LoginPasswordExpirationEnable
 
 <#
     .SYNOPSIS
-        Updates the second SQL login to test LoginPasswordPolicyEnforced
+        Updates the second SQL login to test LoginPasswordPolicyEnforced set to True, and
+        LoginPasswordExpirationEnabled using the previous set value.
+
+    .NOTES
+        This test must run after the test that sets LoginPasswordExpirationEnabled
+        to False above;
+        "DSC_SqlLogin_UpdateLoginDscUser5_Set_LoginPasswordExpirationEnabled_Config".
 #>
-Configuration DSC_SqlLogin_AddLoginDscUser5_Config
+Configuration DSC_SqlLogin_UpdateLoginDscUser5_Set_LoginPasswordPolicyEnforced_Config
 {
     Import-DscResource -ModuleName 'SqlServerDsc'
 
@@ -541,15 +542,16 @@ Configuration DSC_SqlLogin_AddLoginDscUser5_Config
             Name                           = $Node.DscUser5Name
             LoginType                      = $Node.DscUser5Type
             LoginMustChangePassword        = $false
+            LoginPasswordPolicyEnforced    = $false
 
             LoginCredential                = New-Object `
                 -TypeName System.Management.Automation.PSCredential `
                 -ArgumentList @($Node.DscUser4Name, (ConvertTo-SecureString -String $Node.DscUser4Pass1 -AsPlainText -Force))
 
             <#
                 Must use a database that is available on the server,
-                otherwise the password check will fail since it cannot
-                connect to the database.
+                and to which the login has access, otherwise the password
+                check will fail since it cannot connect to the database.
             #>
             DefaultDatabase                = 'master'
 
@@ -563,7 +565,6 @@ Configuration DSC_SqlLogin_AddLoginDscUser5_Config
     }
 }
 
-
 <#
     .SYNOPSIS
         Adds a Windows Group login.