DSCResources/DSC_SqlEndpointPermission/DSC_SqlEndpointPermission.psm1

$script:sqlServerDscHelperModulePath = Join-Path -Path $PSScriptRoot -ChildPath '..\..\Modules\SqlServerDsc.Common'
$script:resourceHelperModulePath = Join-Path -Path $PSScriptRoot -ChildPath '..\..\Modules\DscResource.Common'

Import-Module -Name $script:sqlServerDscHelperModulePath
Import-Module -Name $script:resourceHelperModulePath

$script:localizedData = Get-LocalizedData -DefaultUICulture 'en-US'

<#
    .SYNOPSIS
        Returns the current state of the permissions for the principal (login).
 
    .PARAMETER InstanceName
        The name of the SQL instance to be configured.
 
    .PARAMETER ServerName
        The host name of the SQL Server to be configured. Default value is $env:COMPUTERNAME.
 
    .PARAMETER Name
        The name of the endpoint.
 
    .PARAMETER Principal
        The login to which permission will be set.
#>

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $InstanceName,

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $ServerName = $env:COMPUTERNAME,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Principal
    )

    Write-Verbose -Message (
        $script:localizedData.GetEndpointPermission -f $EndpointName, $InstanceName
    )

    try
    {
        $sqlServerObject = Connect-SQL -ServerName $ServerName -InstanceName $InstanceName

        $endpointObject = $sqlServerObject.Endpoints[$Name]
        if ( $null -ne $endpointObject )
        {
            $permissionSet = New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.ObjectPermissionSet' -Property @{
                Connect = $true
            }

            $endpointPermission = $endpointObject.EnumObjectPermissions($permissionSet) | Where-Object -FilterScript {
                $_.PermissionState -eq 'Grant' -and $_.Grantee -eq $Principal
            }

            if ($endpointPermission.Count -ne 0)
            {
                $Ensure = 'Present'
                $Permission = 'CONNECT'
            }
            else
            {
                $Ensure = 'Absent'
                $Permission = ''
            }
        }
        else
        {
            $errorMessage = $script:localizedData.EndpointNotFound -f $Name
            New-ObjectNotFoundException -Message $errorMessage
        }
    }
    catch
    {
        $errorMessage = $script:localizedData.UnexpectedErrorFromGet -f $Name
        New-ObjectNotFoundException -Message $errorMessage -ErrorRecord $_
    }

    return @{
        InstanceName = [System.String] $InstanceName
        ServerName   = [System.String] $ServerName
        Ensure       = [System.String] $Ensure
        Name         = [System.String] $Name
        Principal    = [System.String] $Principal
        Permission   = [System.String] $Permission
    }
}

<#
    .SYNOPSIS
        Grants or revokes the permission for the the principal (login).
 
    .PARAMETER InstanceName
        The name of the SQL instance to be configured.
 
    .PARAMETER ServerName
        The host name of the SQL Server to be configured. Default value is $env:COMPUTERNAME.
 
    .PARAMETER Ensure
        If the permission should be present or absent. Default value is 'Present'.
 
    .PARAMETER Name
        The name of the endpoint.
 
    .PARAMETER Permission
        The permission to set for the login. Valid value for permission are only CONNECT.
 
    .PARAMETER Principal
        The permission to set for the login.
#>

function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $InstanceName,

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $ServerName = $env:COMPUTERNAME,

        [Parameter()]
        [ValidateSet('Present', 'Absent')]
        [System.String]
        $Ensure = 'Present',

        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Principal,

        [Parameter()]
        [ValidateSet('CONNECT')]
        [System.String]
        $Permission
    )

    $parameters = @{
        InstanceName = [System.String] $InstanceName
        ServerName   = [System.String] $ServerName
        Name         = [System.String] $Name
        Principal    = [System.String] $Principal
    }

    $getTargetResourceResult = Get-TargetResource @parameters
    if ($getTargetResourceResult.Ensure -ne $Ensure)
    {
        Write-Verbose -Message (
            $script:localizedData.SetEndpointPermission -f $EndpointName, $InstanceName
        )

        $sqlServerObject = Connect-SQL -ServerName $ServerName -InstanceName $InstanceName

        $endpointObject = $sqlServerObject.Endpoints[$Name]
        if ($null -ne $endpointObject)
        {
            $permissionSet = New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.ObjectPermissionSet' -Property @{
                Connect = $true
            }

            if ($Ensure -eq 'Present')
            {
                Write-Verbose -Message (
                    $script:localizedData.GrantPermission -f $Principal
                )

                $endpointObject.Grant($permissionSet, $Principal)
            }
            else
            {
                Write-Verbose -Message (
                    $script:localizedData.RevokePermission -f $Principal
                )

                $endpointObject.Revoke($permissionSet, $Principal)
            }
        }
        else
        {
            $errorMessage = $script:localizedData.EndpointNotFound -f $Name
            New-ObjectNotFoundException -Message $errorMessage
        }
    }
    else
    {
        Write-Verbose -Message (
            $script:localizedData.InDesiredState -f $Name
        )
    }
}

<#
    .SYNOPSIS
        Tests if the principal (login) has the desired permissions.
 
    .PARAMETER InstanceName
        The name of the SQL instance to be configured.
 
    .PARAMETER ServerName
        The host name of the SQL Server to be configured. Default value is $env:COMPUTERNAME.
 
    .PARAMETER Ensure
        If the permission should be present or absent. Default value is 'Present'.
 
    .PARAMETER Name
        The name of the endpoint.
 
    .PARAMETER Permission
        The permission to set for the login. Valid value for permission are only CONNECT.
 
    .PARAMETER Principal
        The permission to set for the login.
#>

function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $InstanceName,

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $ServerName = $env:COMPUTERNAME,

        [Parameter()]
        [ValidateSet('Present', 'Absent')]
        [System.String]
        $Ensure = 'Present',

        [Parameter(Mandatory = $true)]
        [System.String]
        $Name,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Principal,

        [Parameter()]
        [ValidateSet('CONNECT')]
        [System.String]
        $Permission
    )

    $parameters = @{
        InstanceName = [System.String] $InstanceName
        ServerName   = [System.String] $ServerName
        Name         = [System.String] $Name
        Principal    = [System.String] $Principal
    }

    Write-Verbose -Message (
        $script:localizedData.TestingConfiguration -f $Name, $InstanceName
    )

    $getTargetResourceResult = Get-TargetResource @parameters

    $isInDesiredState = $getTargetResourceResult.Ensure -eq $Ensure

    if ($isInDesiredState)
    {
        Write-Verbose -Message (
            $script:localizedData.InDesiredState -f $Name
        )
    }
    else
    {
        Write-Verbose -Message (
            $script:localizedData.NotInDesiredState -f $Name
        )
    }

    return $isInDesiredState
}