
Import-Module -Name (Join-Path -Path (Split-Path (Split-Path $PSScriptRoot -Parent) -Parent) `
        -ChildPath 'SqlServerDscHelper.psm1') `

    Gets the specified login by name.
    The name of the login to retrieve.
    .PARAMETER ServerName
    Hostname of the SQL Server to retrieve the login from.
    .PARAMETER InstanceName
    Name of the SQL instance to retrieve the login from.

function Get-TargetResource
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

    $serverObject = Connect-SQL -ServerName $ServerName -InstanceName $InstanceName

    Write-Verbose 'Getting SQL logins'
    New-VerboseMessage -Message "Getting the login '$Name' from '$ServerName\$InstanceName'"

    $login = $serverObject.Logins[$Name]

    if ( $login )
        $Ensure = 'Present'
        $Ensure = 'Absent'

    New-VerboseMessage -Message "The login '$Name' is $ensure from the '$ServerName\$InstanceName' instance."

    $returnValue = @{
        Ensure       = $Ensure
        Name         = $Name
        LoginType    = $login.LoginType
        ServerName   = $ServerName
        InstanceName = $InstanceName
        Disabled     = $login.IsDisabled

    if ( $login.LoginType -eq 'SqlLogin' )
        $returnValue.Add('LoginMustChangePassword', $login.MustChangePassword)
        $returnValue.Add('LoginPasswordExpirationEnabled', $login.PasswordExpirationEnabled)
        $returnValue.Add('LoginPasswordPolicyEnforced', $login.PasswordPolicyEnforced)

    return $returnValue

    Creates a login.
    .PARAMETER Ensure
    Specifies if the login to exist. Default is 'Present'.
    The name of the login to retrieve.
    .PARAMETER LoginType
    The type of login to create. Default is 'WindowsUser'
    .PARAMETER ServerName
    Hostname of the SQL Server to create the login on.
    .PARAMETER InstanceName
    Name of the SQL instance to create the login on.
    .PARAMETER LoginCredential
    The credential containing the password for a SQL Login. Only applies if the login type is SqlLogin.
    .PARAMETER LoginMustChangePassword
    Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. Default is $true.
    .PARAMETER LoginPasswordExpirationEnabled
    Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins. Default is $true.
    .PARAMETER LoginPasswordPolicyEnforced
    Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins. Default is $true.
    .PARAMETER Disabled
    Specifies if the login is disabled. Default is $false.

function Set-TargetResource
        [ValidateSet('Present', 'Absent')]
        $Ensure = 'Present',

        [Parameter(Mandatory = $true)]

        $LoginType = 'WindowsUser',

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


        $LoginMustChangePassword = $true,

        $LoginPasswordExpirationEnabled = $true,

        $LoginPasswordPolicyEnforced = $true,


    $serverObject = Connect-SQL -ServerName $ServerName -InstanceName $InstanceName

    switch ( $Ensure )
            if ( $serverObject.Logins[$Name] )
                $login = $serverObject.Logins[$Name]

                if ( $login.LoginType -eq 'SqlLogin' )
                    if ( $login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled )
                        New-VerboseMessage -Message "Setting PasswordExpirationEnabled to '$LoginPasswordExpirationEnabled' for the login '$Name' on the '$ServerName\$InstanceName' instance."
                        $login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled
                        Update-SQLServerLogin -Login $login

                    if ( $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced )
                        New-VerboseMessage -Message "Setting PasswordPolicyEnforced to '$LoginPasswordPolicyEnforced' for the login '$Name' on the '$ServerName\$InstanceName' instance."
                        $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced
                        Update-SQLServerLogin -Login $login

                    # Set the password if it is specified
                    if ( $LoginCredential )
                        Set-SQLServerLoginPassword -Login $login -SecureString $LoginCredential.Password

                if ( $PSBoundParameters.ContainsKey('Disabled') -and ($login.IsDisabled -ne $Disabled) )
                    New-VerboseMessage -Message "Setting IsDisabled to '$Disabled' for the login '$Name' on the '$ServerName\$InstanceName' instance."
                    if ( $Disabled )
                # Some login types need additional work. These will need to be fleshed out more in the future
                if ( @('Certificate', 'AsymmetricKey', 'ExternalUser', 'ExternalGroup') -contains $LoginType )
                    throw New-TerminatingError -ErrorType LoginTypeNotImplemented -FormatArgs $LoginType -ErrorCategory NotImplemented

                if ( ( $LoginType -eq 'SqlLogin' ) -and ( -not $LoginCredential ) )
                    throw New-TerminatingError -ErrorType LoginCredentialNotFound -FormatArgs $Name -ErrorCategory ObjectNotFound

                New-VerboseMessage -Message "Adding the login '$Name' to the '$ServerName\$InstanceName' instance."

                $login = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Login -ArgumentList $serverObject, $Name
                $login.LoginType = $LoginType

                switch ($LoginType)
                        # Verify the instance is in Mixed authentication mode
                        if ( $serverObject.LoginMode -notmatch 'Mixed|Normal' )
                            throw New-TerminatingError -ErrorType IncorrectLoginMode -FormatArgs $ServerName, $InstanceName, $serverObject.LoginMode -ErrorCategory NotImplemented

                        $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced
                        $login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled
                        if ( $LoginMustChangePassword )
                            $LoginCreateOptions = [Microsoft.SqlServer.Management.Smo.LoginCreateOptions]::MustChange
                            $LoginCreateOptions = [Microsoft.SqlServer.Management.Smo.LoginCreateOptions]::None

                        New-SQLServerLogin -Login $login -LoginCreateOptions $LoginCreateOptions -SecureString $LoginCredential.Password -ErrorAction Stop

                        New-SQLServerLogin -Login $login

                # we can only disable the login once it's been created
                if ( $Disabled )

            if ( $serverObject.Logins[$Name] )
                New-VerboseMessage -Message "Dropping the login '$Name' from the '$ServerName\$InstanceName' instance."
                Remove-SQLServerLogin -Login $serverObject.Logins[$Name]

    Tests to verify the login exists and the properties are correctly set.
    .PARAMETER Ensure
    Specifies if the login is supposed to exist. Default is 'Present'.
    The name of the login.
    .PARAMETER LoginType
    The type of login. Default is 'WindowsUser'
    .PARAMETER ServerName
    Hostname of the SQL Server.
    .PARAMETER InstanceName
    Name of the SQL instance.
    .PARAMETER LoginCredential
    The credential containing the password for a SQL Login. Only applies if the login type is SqlLogin.
    .PARAMETER LoginMustChangePassword
    Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. Default is $true.
    .PARAMETER LoginPasswordExpirationEnabled
    Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins. Default is $true.
    .PARAMETER LoginPasswordPolicyEnforced
    Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins. Default is $true.
    .PARAMETER Disabled
    Specifies if the login is disabled. Default is $false.

function Test-TargetResource
        [ValidateSet('Present', 'Absent')]
        $Ensure = 'Present',

        [Parameter(Mandatory = $true)]

        $LoginType = 'WindowsUser',

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


        $LoginMustChangePassword = $true,

        $LoginPasswordExpirationEnabled = $true,

        $LoginPasswordPolicyEnforced = $true,


    # Assume the test will pass
    $testPassed = $true

    $getParams = @{
        Name         = $Name
        ServerName   = $ServerName
        InstanceName = $InstanceName

    $loginInfo = Get-TargetResource @getParams

    if ( $Ensure -ne $loginInfo.Ensure )
        New-VerboseMessage -Message "The login '$Name' on the instance '$ServerName\$InstanceName' is $($loginInfo.Ensure) rather than $Ensure"
        $testPassed = $false

    if ( $Ensure -eq 'Present' -and $($loginInfo.Ensure) -eq 'Present' )
        if ( $LoginType -ne $loginInfo.LoginType )
            New-VerboseMessage -Message "The login '$Name' on the instance '$ServerName\$InstanceName' is a $($loginInfo.LoginType) rather than $LoginType"
            $testPassed = $false

        if ( $PSBoundParameters.ContainsKey('Disabled') -and ($loginInfo.Disabled -ne $Disabled) )
            New-VerboseMessage -Message "The login '$Name' on the instance '$ServerName\$InstanceName' has IsDisabled set to $($loginInfo.Disabled) rather than $Disabled"
            $testPassed = $false

        if ( $LoginType -eq 'SqlLogin' )
            if ( $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled )
                New-VerboseMessage -Message "The login '$Name' on the instance '$ServerName\$InstanceName' has PasswordExpirationEnabled set to $($loginInfo.LoginPasswordExpirationEnabled) rather than $LoginPasswordExpirationEnabled"
                $testPassed = $false

            if ( $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced )
                New-VerboseMessage -Message "The login '$Name' on the instance '$ServerName\$InstanceName' has PasswordPolicyEnforced set to $($loginInfo.LoginPasswordPolicyEnforced) rather than $LoginPasswordPolicyEnforced"
                $testPassed = $false

            # If testPassed is still true and a login credential was specified, test the password
            if ( $testPassed -and $LoginCredential )
                $userCredential = [System.Management.Automation.PSCredential]::new($Name, $LoginCredential.Password)

                    Connect-SQL -ServerName $ServerName -InstanceName $InstanceName -SetupCredential $userCredential -LoginType 'SqlLogin' | Out-Null
                    # Check to see if the parameter of $Disabled is true
                    if ($Disabled)
                            An exception occurred and $Disabled is true, we neeed
                            to check the error codes for expected error numbers.
                            Recursively search the Exception variable and inner
                            Exceptions for the specific numbers.
                            18470 - Username and password are correct, but
                            account is disabled.
                            18456 - Login failed for user.

                        if ((Find-ExceptionByNumber -ExceptionToSearch $_.Exception -ErrorNumber 18470))
                            New-VerboseMessage -Message "Password valid, but '$Name' is disabled."                            
                        elseif ((Find-ExceptionByNumber -ExceptionToSearch $_.Exception -ErrorNumber 18456))
                            New-VerboseMessage -Message $_.Exception.message
                            # The password was not correct, password validation failed
                            $testPassed = $false
                            New-VerboseMessage -Message "Unknown error: $($_.Exception.message)"
                            # Something else went wrong, rethrow error
                        New-VerboseMessage -Message "Password validation failed for the login '$Name'."
                        $testPassed = $false

    return $testPassed

    Alters a login.
    .PARAMETER Login
    The Login object to alter.
    This function allows us to more easily write mocks.

function Update-SQLServerLogin
        [Parameter(Mandatory = $true)]

        $originalErrorActionPreference = $ErrorActionPreference
        $ErrorActionPreference = 'Stop'

        throw New-TerminatingError -ErrorType AlterLoginFailed -FormatArgs $Login.Name -ErrorCategory NotSpecified
        $ErrorActionPreference = $originalErrorActionPreference

    Creates a login.
    .PARAMETER Login
    The Login object to create.
    .PARAMETER LoginCreateOptions
    The LoginCreateOptions object to use when creating a SQL login.
    .PARAMETER SecureString
    The SecureString object that contains the password for a SQL login.
    CreateLogin -Login $login -LoginCreateOptions $LoginCreateOptions -SecureString $LoginCredential.Password -ErrorAction Stop
    CreateLogin -Login $login
    This function allows us to more easily write mocks.

function New-SQLServerLogin
    [CmdletBinding(DefaultParameterSetName = 'WindowsLogin')]
        [Parameter(Mandatory = $true, ParameterSetName = 'WindowsLogin')]
        [Parameter(Mandatory = $true, ParameterSetName = 'SqlLogin')]

        [Parameter(Mandatory = $true, ParameterSetName = 'SqlLogin')]

        [Parameter(Mandatory = $true, ParameterSetName = 'SqlLogin')]

    switch ( $PSCmdlet.ParameterSetName )
                $originalErrorActionPreference = $ErrorActionPreference
                $ErrorActionPreference = 'Stop'

                $login.Create($SecureString, $LoginCreateOptions)
            catch [Microsoft.SqlServer.Management.Smo.FailedOperationException]
                if ( $_.Exception.InnerException.InnerException.InnerException -match 'Password validation failed' )
                    throw New-TerminatingError -ErrorType PasswordValidationFailed -FormatArgs $Name, $_.Exception.InnerException.InnerException.InnerException -ErrorCategory SecurityError
                    throw New-TerminatingError -ErrorType LoginCreationFailedFailedOperation -FormatArgs $Name -ErrorCategory NotSpecified
                throw New-TerminatingError -ErrorType LoginCreationFailedSqlNotSpecified -FormatArgs $Name -ErrorCategory NotSpecified
                $ErrorActionPreference = $originalErrorActionPreference

                $originalErrorActionPreference = $ErrorActionPreference
                $ErrorActionPreference = 'Stop'

                throw New-TerminatingError -ErrorType LoginCreationFailedWindowsNotSpecified -FormatArgs $Name -ErrorCategory NotSpecified
                $ErrorActionPreference = $originalErrorActionPreference

    Drops a login.
    .PARAMETER Login
    The Login object to drop.
    This function allows us to more easily write mocks.

function Remove-SQLServerLogin
        [Parameter(Mandatory = $true)]

        $originalErrorActionPreference = $ErrorActionPreference
        $ErrorActionPreference = 'Stop'

        throw New-TerminatingError -ErrorType DropLoginFailed -FormatArgs $Login.Name -ErrorCategory NotSpecified
        $ErrorActionPreference = $originalErrorActionPreference

    Changes the password of a SQL Login.
    .PARAMETER Login
    The Login object to change the password on.
    .PARAMETER SecureString
    The SecureString object that contains the password for a SQL login.
    This function allows us to more easily write mocks.

function Set-SQLServerLoginPassword
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        $originalErrorActionPreference = $ErrorActionPreference
        $ErrorActionPreference = 'Stop'

    catch [Microsoft.SqlServer.Management.Smo.FailedOperationException]
        if ( $_.Exception.InnerException.InnerException.InnerException -match 'Password validation failed' )
            throw New-TerminatingError -ErrorType PasswordValidationFailed -FormatArgs $Name, $_.Exception.InnerException.InnerException.InnerException -ErrorCategory SecurityError
            throw New-TerminatingError -ErrorType PasswordChangeFailed -FormatArgs $Name -ErrorCategory NotSpecified
        throw New-TerminatingError -ErrorType PasswordChangeFailed -FormatArgs $Name -ErrorCategory NotSpecified
        $ErrorActionPreference = $originalErrorActionPreference

Export-ModuleMember -Function *-TargetResource