Checks/Users.Tests.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
param (
    [object]$config,
    [string]$SqlInstance,
    [PSCredential]$SqlCredential,
    [String]$Database
)

$dbUsers = Get-DbaDbUser -SqlInstance $SqlInstance -SqlCredential $SqlCredential -Database $database
$dbUserRoles = Get-DbaDbRoleMember -SqlInstance $sqlinstance -SqlCredential $SqlCredential -Database $database -IncludeSystemUser
# $dbRoles = Get-DbaDbRole -SqlInstance $sqlinstance -SqlCredential $SqlCredential -Database $database
Foreach ($case in $config.users) {
    Describe "Checking $($case.username)" {
        It "$($case.username) should exist in database" {
            $case.username | Should -BeIn $dbUsers.Name -Because "User Should exist"
        }
        if ($case.roles.count -gt 0){
            Foreach ($role in $case.roles){
                It "$($case.username) should be a member of $role (Config)" {
                    $role | Should -BeIn $dbUserRoles.Role
                }
            }
        }
        $testRoles = $dbUserRoles | where-Object {$_.UserName -eq $case.UserName}
        ForEach ($role in $testRoles){
            It "$($case.username) Should be in $($role.Role) (DB)" {
                $role.Role | Should -BeIn $case.roles -Because "User should only be in the specified roles"
            }
        }

        if ($case.Permissions.Count -ge 1) {
            $testPermissions =  Get-DbaUserPermission -SqlInstance $SqlInstance -SqlCredential $SqlCredential -Database $database -IncludePublicGuest
            # Go through to check the specified permissions are there
            Foreach($permission in $case.Permissions){
                It "Should have assigned $($case.userName) $($permission.permission) on $($permission.securable)" {
                    ($testPermissions | Where-Object {$_.Grantee -eq $case.username -and $_.Securable -eq $permission.securable -and $_.permission -eq $permission.permission} | Measure-Object).count | Should -Be 1
                }

            }
            # Go through again to make sure no other permissions are there
            #Foreach ($permission in $testPermissions){
            # It "Should not have assigned $($case.userName) $($permission.permission) on $($permission.securable)" {
            # ($testPermissions | Where-Object {$_.Grantee -eq $case.username -and $_.Securable -notin ($case.permissions.securable) -and $_.permission -notin ($case.permissions.permission)} | Measure-Object).Count | Should -Be 0 -Because "Should only have defined permissions"
            # }
            # $testPermissions | Where-Object {$_.Grantee -eq $case.username -and $_.Securable -notin ($case.permissions.securable) -and $_.permission -notin ($case.permissions.permission)}
           # }
        }
    }
}