Add permission-controlled SqlSrv database manager (#17)

* Add permission controleld MSSQL DB manager * Fix code style (php-cs-fixer) * Fix manager * Don't change databases when creating MSSQL user * Test permission controlled MSSQL DB manager * Fix code style (php-cs-fixer) * Delete redundant config resetting in tests * Grant user permissions insteead of making the user the database owner * Test that user gets created in the tenant DB * Test that the correct permissions are granted to the DB users * Fix code style (php-cs-fixer) * Update config comment * Fix typo * Add perm controlled sqlsr db manager to test dataset * Close all connections before deleting MSSQL DBs * Fix code style (php-cs-fixer) * Add explanation to deleteDatabase() * Update tests/DatabaseUsersTest.php Co-authored-by: Samuel Štancl <samuel.stancl@gmail.com> * Fix code style (php-cs-fixer) --------- Co-authored-by: PHP CS Fixer <phpcsfixer@example.com> Co-authored-by: Samuel Štancl <samuel.stancl@gmail.com>
2025-12-12 13:54:03 +00:00 · 2024-01-08 04:07:43 +01:00 · 2024-01-08 04:07:43 +01:00 · cf3d06c8ec
commit cf3d06c8ec
parent 9e4f33e5c5
4 changed files with 167 additions and 28 deletions
--- a/assets/config.php
+++ b/assets/config.php
@ -187,10 +187,11 @@ return [
            'sqlsrv' => Stancl\Tenancy\Database\TenantDatabaseManagers\MicrosoftSQLDatabaseManager::class,
            /**
-             * Use this database manager for MySQL to have a DB user created for each tenant database.
+             * Use these database managers to have a DB user created for each tenant database.
             * You can customize the grants given to these users by changing the $grants property.
             */
            // 'mysql' => Stancl\Tenancy\Database\TenantDatabaseManagers\PermissionControlledMySQLDatabaseManager::class,
            // 'sqlsrv' => Stancl\Tenancy\TenantDatabaseManagers\PermissionControlledMicrosoftSQLServerDatabaseManager::class,
            /**
             * Disable the pgsql manager above, and enable the one below if you
--- a/src/Database/TenantDatabaseManagers/PermissionControlledMicrosoftSQLServerDatabaseManager.php
+++ b/src/Database/TenantDatabaseManagers/PermissionControlledMicrosoftSQLServerDatabaseManager.php
@ -0,0 +1,65 @@
 <?php
 declare(strict_types=1);
 namespace Stancl\Tenancy\Database\TenantDatabaseManagers;
 use Stancl\Tenancy\Database\Concerns\CreatesDatabaseUsers;
 use Stancl\Tenancy\Database\Contracts\ManagesDatabaseUsers;
 use Stancl\Tenancy\Database\Contracts\TenantWithDatabase;
 use Stancl\Tenancy\Database\DatabaseConfig;
 class PermissionControlledMicrosoftSQLServerDatabaseManager extends MicrosoftSQLDatabaseManager implements ManagesDatabaseUsers
 {
    use CreatesDatabaseUsers;
    /** @var string[] */
    public static array $grants = [
        'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'EXECUTE',
    ];
    public function createUser(DatabaseConfig $databaseConfig): bool
    {
        $database = $databaseConfig->getName();
        $username = $databaseConfig->getUsername();
        $password = $databaseConfig->getPassword();
        // Create login
        $this->database()->statement("CREATE LOGIN [$username] WITH PASSWORD = '$password'");
        // Create user in the database
        // Grant the user permissions specified in the $grants array
        // The 'CONNECT' permission is granted automatically
        $grants = implode(', ', static::$grants);
        return $this->database()->statement("USE [$database]; CREATE USER [$username] FOR LOGIN [$username]; GRANT $grants TO [$username]");
    }
    public function deleteUser(DatabaseConfig $databaseConfig): bool
    {
        return $this->database()->statement("DROP LOGIN [{$databaseConfig->getUsername()}]");
    }
    public function userExists(string $username): bool
    {
        return (bool) $this->database()->select("SELECT sp.name as username FROM sys.server_principals sp WHERE sp.name = '{$username}'");
    }
    public function makeConnectionConfig(array $baseConfig, string $databaseName): array
    {
        $baseConfig['database'] = $databaseName;
        return $baseConfig;
    }
    public function deleteDatabase(TenantWithDatabase $tenant): bool
    {
        // Close all connections to the database before deleting it
        // Set the database to SINGLE_USER mode to ensure that
        // No other connections are using the database while we're trying to delete it
        // Rollback all active transactions
        $this->database()->statement("ALTER DATABASE [{$tenant->database()->getName()}] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;");
        return parent::deleteDatabase($tenant);
    }
 }
--- a/tests/DatabaseUsersTest.php
+++ b/tests/DatabaseUsersTest.php
@ -2,25 +2,29 @@
 declare(strict_types=1);
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Event;
 use Illuminate\Support\Str;
 use Illuminate\Support\Facades\DB;
 use Stancl\JobPipeline\JobPipeline;
 use Stancl\Tenancy\Bootstrappers\DatabaseTenancyBootstrapper;
 use Stancl\Tenancy\Contracts\ManagesDatabaseUsers;
 use Stancl\Tenancy\Events\DatabaseCreated;
 use Stancl\Tenancy\Events\TenancyInitialized;
 use Stancl\Tenancy\Events\TenantCreated;
 use Stancl\Tenancy\Database\Exceptions\TenantDatabaseUserAlreadyExistsException;
 use Stancl\Tenancy\Jobs\CreateDatabase;
 use Stancl\Tenancy\Listeners\BootstrapTenancy;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\MySQLDatabaseManager;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\PermissionControlledMySQLDatabaseManager;
 use Stancl\Tenancy\Tests\Etc\Tenant;
 use Illuminate\Support\Facades\Event;
 use Stancl\Tenancy\Jobs\CreateDatabase;
 use Stancl\Tenancy\Events\TenantCreated;
 use Stancl\Tenancy\Events\DatabaseCreated;
 use Stancl\Tenancy\Database\DatabaseManager;
 use Stancl\Tenancy\Events\TenancyInitialized;
 use Stancl\Tenancy\Listeners\BootstrapTenancy;
 use Stancl\Tenancy\Contracts\ManagesDatabaseUsers;
 use Stancl\Tenancy\Bootstrappers\DatabaseTenancyBootstrapper;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\MySQLDatabaseManager;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\MicrosoftSQLDatabaseManager;
 use Stancl\Tenancy\Database\Exceptions\TenantDatabaseUserAlreadyExistsException;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\PermissionControlledMySQLDatabaseManager;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\PermissionControlledMicrosoftSQLServerDatabaseManager;
 beforeEach(function () {
    config([
        'tenancy.database.managers.mysql' => PermissionControlledMySQLDatabaseManager::class,
        'tenancy.database.managers.sqlsrv' => PermissionControlledMicrosoftSQLServerDatabaseManager::class,
        'tenancy.database.suffix' => '',
        'tenancy.database.template_tenant_connection' => 'mysql',
    ]);
@ -37,22 +41,44 @@ beforeEach(function () {
    })->toListener());
 });
-test('users are created when permission controlled mysql manager is used', function () {
+test('users are created when permission controlled manager is used', function (string $connection) {
    config([
        'database.default' => $connection,
        'tenancy.database.template_tenant_connection' => $connection,
    ]);
    $tenant = new Tenant([
        'id' => 'foo' . Str::random(10),
    ]);
    $tenant->database()->makeCredentials();
    /** @var ManagesDatabaseUsers $manager */
    $manager = $tenant->database()->manager();
-    expect($manager->userExists($tenant->database()->getUsername()))->toBeFalse();
+    $username = $tenant->database()->getUsername();
    expect($manager->userExists($username))->toBeFalse();
    $tenant->save();
-    expect($manager->userExists($tenant->database()->getUsername()))->toBeTrue();
+    expect($manager->userExists($username))->toBeTrue();
-});
+
    if ($connection === 'sqlsrv') {
        app(DatabaseManager::class)->connectToTenant($tenant);
        expect((bool) DB::select("SELECT dp.name as username FROM sys.database_principals dp WHERE dp.name = '{$username}'"))->toBeTrue();
    }
 })->with([
    'mysql',
    'sqlsrv',
 ]);
 test('a tenants database cannot be created when the user already exists', function (string $connection) {
    config([
        'database.default' => $connection,
        'tenancy.database.template_tenant_connection' => $connection,
    ]);
 test('a tenants database cannot be created when the user already exists', function () {
    $username = 'foo' . Str::random(8);
    $tenant = Tenant::create([
        'tenancy_db_username' => $username,
@ -76,9 +102,12 @@ test('a tenants database cannot be created when the user already exists', functi
    // database was not created because of DB transaction
    expect($manager2->databaseExists($tenant2->database()->getName()))->toBeFalse();
    Event::assertNotDispatched(DatabaseCreated::class);
-});
+})->with([
    'mysql',
    'sqlsrv',
 ]);
-test('correct grants are given to users', function () {
+test('correct grants are given to users using mysql', function () {
    PermissionControlledMySQLDatabaseManager::$grants = [
        'ALTER', 'ALTER ROUTINE', 'CREATE',
    ];
@ -89,19 +118,32 @@ test('correct grants are given to users', function () {
    $query = DB::connection('mysql')->select("SHOW GRANTS FOR `{$tenant->database()->getUsername()}`@`%`")[1];
    expect($query->{"Grants for {$user}@%"})->toStartWith('GRANT CREATE, ALTER, ALTER ROUTINE ON'); // @mysql because that's the hostname within the docker network
 });
-    // Reset static property
+test('correct grants are given to users using sqlsrv', function () {
-    PermissionControlledMySQLDatabaseManager::$grants = [
+    config([
-        'ALTER', 'ALTER ROUTINE', 'CREATE', 'CREATE ROUTINE', 'CREATE TEMPORARY TABLES', 'CREATE VIEW',
+        'database.default' => 'sqlsrv',
-        'DELETE', 'DROP', 'EVENT', 'EXECUTE', 'INDEX', 'INSERT', 'LOCK TABLES', 'REFERENCES', 'SELECT',
+        'tenancy.database.template_tenant_connection' => 'sqlsrv',
-        'SHOW VIEW', 'TRIGGER', 'UPDATE',
+    ]);
-    ];
+
    PermissionControlledMicrosoftSQLServerDatabaseManager::$grants = ['SELECT'];
    $tenant = Tenant::create(['tenancy_db_username' => $user = 'tenant_user' . Str::random(8)]);
    // Connect to the tenant database to access tenant database user's permissions
    app(DatabaseManager::class)->connectToTenant($tenant);
    $userGrants = DB::select("SELECT dp.permission_name as name FROM sys.database_permissions dp WHERE USER_NAME(dp.grantee_principal_id) = '$user'");
    expect(array_map(fn ($grant) => $grant->name, $userGrants))->toEqual(array_merge(
        ['CONNECT'], // Granted automatically
        PermissionControlledMicrosoftSQLServerDatabaseManager::$grants
    ));
 });
 test('having existing databases without users and switching to permission controlled mysql manager doesnt break existing dbs', function () {
    config([
        'tenancy.database.managers.mysql' => MySQLDatabaseManager::class,
        'tenancy.database.suffix' => '',
        'tenancy.database.template_tenant_connection' => 'mysql',
        'tenancy.bootstrappers' => [
            DatabaseTenancyBootstrapper::class,
@ -126,3 +168,32 @@ test('having existing databases without users and switching to permission contro
    expect($tenant->database()->manager() instanceof PermissionControlledMySQLDatabaseManager)->toBeTrue();
    expect(config('database.connections.tenant.username'))->toBe('root');
 });
 test('having existing databases without users and switching to permission controlled sqlsrv manager doesnt break existing dbs', function () {
    config([
        'database.default' => 'sqlsrv',
        'tenancy.database.managers.sqlsrv' => MicrosoftSQLDatabaseManager::class,
        'tenancy.database.template_tenant_connection' => 'sqlsrv',
        'tenancy.bootstrappers' => [
            DatabaseTenancyBootstrapper::class,
        ],
    ]);
    Event::listen(TenancyInitialized::class, BootstrapTenancy::class);
    $tenant = Tenant::create([
        'id' => 'foo' . Str::random(10),
    ]);
    expect($tenant->database()->manager() instanceof MicrosoftSQLDatabaseManager)->toBeTrue();
    tenancy()->initialize($tenant); // check if everything works
    tenancy()->end();
    config(['tenancy.database.managers.sqlsrv' => PermissionControlledMicrosoftSQLServerDatabaseManager::class]);
    tenancy()->initialize($tenant); // check if everything works
    expect($tenant->database()->manager() instanceof PermissionControlledMicrosoftSQLServerDatabaseManager)->toBeTrue();
    expect(config('database.connections.tenant.username'))->toBe('sa'); // default user for the sqlsrv connection
 });
--- a/tests/TenantDatabaseManagerTest.php
+++ b/tests/TenantDatabaseManagerTest.php
@ -21,6 +21,7 @@ use Stancl\Tenancy\Listeners\RevertToCentralContext;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\MicrosoftSQLDatabaseManager;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\MySQLDatabaseManager;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\PermissionControlledMySQLDatabaseManager;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\PermissionControlledMicrosoftSQLServerDatabaseManager;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\PostgreSQLDatabaseManager;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\PostgreSQLSchemaManager;
 use Stancl\Tenancy\Database\TenantDatabaseManagers\SQLiteDatabaseManager;
@ -478,7 +479,8 @@ dataset('database_managers', [
    ['sqlite', SQLiteDatabaseManager::class],
    ['pgsql', PostgreSQLDatabaseManager::class],
    ['pgsql', PostgreSQLSchemaManager::class],
-    ['sqlsrv', MicrosoftSQLDatabaseManager::class]
+    ['sqlsrv', MicrosoftSQLDatabaseManager::class],
    ['sqlsrv', PermissionControlledMicrosoftSQLServerDatabaseManager::class]
 ]);
 function createUsersTable()