SqlLogin: add sid parameter

[cai-n]

Pull Request (PR) description

Add the parameter Sid to SqlLogin to allow setting the sid for newly created login of type SqlLogin.

This Pull Request (PR) fixes the following issues

• Fixes SqlLogin: Should support creating viable SqlLogins across a cluster #1470

Task list

• Added an entry to the change log under the Unreleased section of the
  file CHANGELOG.md. Entry should say what was changed and how that
  affects users (if applicable), and reference the issue being resolved
  (if applicable).
• Resource documentation updated in the resource's README.md.
• Resource parameter descriptions updated in schema.mof.
• Comment-based help updated, including parameter descriptions.
• Localization strings updated.
• Examples updated.
• Unit tests updated. See DSC Community Testing Guidelines.
• Integration tests updated (where possible). See DSC Community Testing Guidelines.
• Code changes adheres to DSC Community Style Guidelines.

---

This change is 

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a new Sid property/parameter to the SqlLogin DSC resource: schema, Get/Set/Test-TargetResource signatures and logic, localization string, unit tests, example, and SMO test stub to support SID propagation and verification.

Changes

Cohort / File(s)	Summary
Changelog & Schema CHANGELOG.md, source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof	Documented and added new Sid string property to the SqlLogin schema and public surface.
Resource Implementation source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1	Added Sid parameter to Set-TargetResource and Test-TargetResource; Get-TargetResource now returns Sid; apply/verify SID (parse hex to byte[]) during create/update/test flows.
Localization source/DSCResources/DSC_SqlLogin/en-US/DSC_SqlLogin.strings.psd1	Added WrongSid localization string used when SID verification fails.
Unit Tests tests/Unit/DSC_SqlLogin.Tests.ps1	Updated tests and mocks to assert Sid propagation and validation across Get/Set/Test paths; added creation test for specified Sid; corrected test variable usage and typos.
SMO Stub tests/Unit/Stubs/SMO.cs	Added public byte[] Sid; field to the Login stub to support SID handling in unit tests.
Examples source/Examples/Resources/SqlLogin/1-AddSqlLogin.ps1, source/Examples/Resources/SqlLogin/1-AddWindowsUser.ps1	Added example demonstrating use of Sid; updated another example to remove SQL Login block and adjust descriptive text.

Sequence Diagram(s)

sequenceDiagram
    participant Config as DSC Config
    participant Local as Local DSC Engine
    participant Resource as SqlLogin Resource
    participant SMO as SMO (stub / API)
    participant SQL as SQL Server

    Config->>Local: Apply configuration (includes Sid)
    Local->>Resource: Invoke Set-TargetResource(Name, Sid, ...)
    Resource->>SMO: Connect / find existing Login(Name)
    alt Login not present
        Resource->>SMO: Create Login(Name) with parsed Sid (byte[])
    else Login present
        Resource->>SMO: Update Login.Sid if Sid provided
    end
    SMO->>SQL: Execute create/update with supplied SID
    SQL-->>SMO: Confirm creation/update
    Resource->>SMO: Query Login to verify Sid
    SMO-->>Resource: Return Login.Sid (byte[])
    Resource->>Local: Return success/failure

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'SqlLogin: add sid parameter' clearly summarizes the main change: adding a Sid parameter to the SqlLogin resource.
Description check	✅ Passed	The PR description is directly related to the changeset, explaining that the Sid parameter was added to SqlLogin to allow setting the SID for newly created logins.
Linked Issues check	✅ Passed	All coding requirements from issue #1470 are met: Sid parameter added to SqlLogin resource signature, schema.mof updated with Sid property, localization strings added (WrongSid), unit tests updated with Sid validation, and example script provided.
Out of Scope Changes check	✅ Passed	All changes are directly related to adding Sid parameter support to SqlLogin. Minor documentation updates to example files align with the core objective and do not introduce unrelated functionality.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 (1)

447-513: ⚠️ Potential issue | 🟡 Minor

Missing .PARAMETER Sid in Test-TargetResource comment-based help.

The Sid parameter was added to Test-TargetResource (line 511-513) but the comment-based help block (lines 406-446) does not include a .PARAMETER Sid entry. Set-TargetResource has it (line 129), so this is an oversight. As per coding guidelines: "Always add comment-based help to all functions and scripts with SYNOPSIS, DESCRIPTION, PARAMETER, and EXAMPLE sections."

Proposed fix — add after the Language parameter doc

     .PARAMETER Language
         Specifies the default language for the login.
+
+    .PARAMETER Sid
+        Specifies the login Sid.
 #>

🤖 Fix all issues with AI agents

In `@source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1`:
- Around line 348-351: Test-TargetResource detects SID mismatches but
Set-TargetResource only assigns $login.Sid during creation (in the branch that
sets $login.Sid), causing an endless non-convergence for existing logins; update
Set-TargetResource and/or Test-TargetResource to handle this: either (A) in
Set-TargetResource when $PSBoundParameters.ContainsKey('Sid') and the login
already exists, emit a clear warning (via Write-Verbose/Write-Warning or
Write-Error as appropriate) stating SQL Server cannot change a SID on an
existing login and that manual recreate is required (reference:
Set-TargetResource and $login.Sid assignment), or (B) remove/skip SID comparison
for existing logins inside Test-TargetResource so SID mismatches do not force a
false negative for existing accounts (reference: Test-TargetResource SID check);
choose one approach and implement consistent logging/messages so users
understand no automatic SID change will occur.
- Around line 587-597: Rename the local variable $InfoSid to camelCase $infoSid
and add a null-check for $loginInfo.Sid before calling
[System.BitConverter]::ToString to avoid a null-reference; specifically in the
DSC_SqlLogin.psm1 block that compares Sid (inside the Ensure Present branch)
first verify if ($loginInfo.Sid -ne $null) then compute $infoSid = '0x' +
[System.BitConverter]::ToString($loginInfo.Sid).Replace('-', '') and perform the
comparison/Write-Verbose/$testPassed = $false as currently done, otherwise
handle the null case (e.g., Write-Verbose indicating missing Sid and set
$testPassed = $false) so no BitConverter call is made on $null.

In `@source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof`:
- Line 18: Update the Description for the Sid property in
DSC_SqlLogin.schema.mof to use the uppercase acronym "SID", state that it
applies only to SQL Logins, and indicate the expected format (e.g., standard SID
string like "S-1-5-..." or a hexadecimal/binary representation) similar in style
to other properties such as LoginMustChangePassword; modify the Description
attribute on the Sid property (the "String Sid;" declaration) to reflect this
improved, explicit text.

In `@tests/Unit/DSC_SqlLogin.Tests.ps1`:
- Around line 1044-1062: In the Set-TargetResource test block, replace the
incorrect $mockTestTargetResourceParameters reference with
$mockSetTargetResourceParameters when constructing the PSCredential (used in
Set-TargetResource invocation) so the credential uses the correct Name; ensure
the same corrected variable is used consistently in the test scope (the
assertion that New-SQLServerLogin was invoked should continue to compare
$login.Sid against the byte[] representation of the hex literal but keep the
credential argument list as @($mockSetTargetResourceParameters.Name,
$mockPassword)).

🧹 Nitpick comments (2)

CHANGELOG.md (1)

23-24: Align Markdown formatting with repo guidelines (resource + parameter + casing + wrap).

Please format the resource name in italics, the parameter in bold, and capitalize SID. Also wrap the line if it exceeds 80 chars.

Suggested tweak

-- SqlLogin
-  - Added parameter `Sid` to allow setting the sid of the new login. ([issue `#1470`](https://github.com/dsccommunity/SqlServerDsc/issues/1470))
+- _SqlLogin_
+  - Added parameter **Sid** to allow setting the SID of the new login.
+    ([issue `#1470`](https://github.com/dsccommunity/SqlServerDsc/issues/1470))

As per coding guidelines: “Format parameters using bold in Markdown documentation” and “Format resource/module/product names using italic in Markdown documentation.”

tests/Unit/DSC_SqlLogin.Tests.ps1 (1)

1059-1061: Complex Compare-Object assertion in -ParameterFilter is hard to follow.

The SID comparison inside the ParameterFilter works but is dense. Consider extracting the expected byte array and using a simpler comparison, or at minimum adding a brief inline comment.

Also, $login.Sid on line 1060 uses lowercase $login — while PowerShell is case-insensitive, the parameter name is $Login (PascalCase) per the function signature.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 (1)

444-446: ⚠️ Potential issue | 🟡 Minor

Missing .PARAMETER Sid in Test-TargetResource comment-based help.

The Sid parameter was added to Test-TargetResource (line 511–513) but the comment-based help block does not document it. Set-TargetResource already has the corresponding .PARAMETER Sid entry. As per coding guidelines, all parameters must be documented in comment-based help.

Proposed fix — add after `.PARAMETER Language`

     .PARAMETER Language
         Specifies the default language for the login.
+
+    .PARAMETER Sid
+        Specifies the security identifier (SID) for the login. Only applies
+        to SQL Logins.
 #>

🧹 Nitpick comments (2)

source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 (2)

128-131: Improve .PARAMETER Sid description to match the MOF schema.

The MOF description uses "security identifier (SID)" with format guidance and SQL Login applicability. The help text here just says "Specifies the login Sid." — keep them consistent.

Suggested improvement

     .PARAMETER Sid
-        Specifies the login Sid.
+        Specifies the security identifier (SID) for the login. Only applies
+        to SQL Logins. The value should be a hexadecimal string (e.g.
+        '0x1234...').

---

348-351: Consider adding input validation for the Sid hex format.

The hex-to-byte parsing on line 350 will produce a cryptic error if $Sid is not a well-formed hex string (e.g., odd length, non-hex characters). A ValidatePattern on the parameter or an early guard with a localized error message would improve the user experience.

Example: add ValidatePattern to the parameter declaration

         [Parameter()]
+        [ValidatePattern('^0x([0-9A-Fa-f]{2})+$')]
         [System.String]
         $Sid

Apply the same to Test-TargetResource's $Sid parameter as well.

[johlju]

Can we also an an example how to provide the sid? Either in an existing example file or preferably a new one.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94%. Comparing base (26616c7) to head (6fc66ae).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@          Coverage Diff          @@
##            main   #2453   +/-   ##
=====================================
  Coverage     94%     94%           
=====================================
  Files        227     227           
  Lines      10801   10804    +3     
=====================================
+ Hits       10172   10175    +3     
  Misses       629     629           

Flag	Coverage Δ
unit	94% <100%> (+<1%)	⬆️

Files with missing lines	Coverage Δ
source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1	100% <100%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@source/Examples/Resources/SqlLogin/1-AddSqlLogin.ps1`:
- Around line 1-5: Update the .DESCRIPTION block to accurately describe the
example: remove references to the Windows user 'CONTOSO\WindowsUser' and Windows
group 'CONTOSO\WindowsGroup' and instead state that the script demonstrates
creating two SqlLogin resources (one with an explicit SID) — reference the
SqlLogin resources in the file and mention the explicit SID usage so the
description matches the example content.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/Unit/DSC_SqlLogin.Tests.ps1 (1)

522-538: ⚠️ Potential issue | 🟡 Minor

Sid test case reuses a mock not designed for it — the returned hashtable has no Sid key.

The Get-TargetResource mock (lines 528–538) was built for the boolean properties LoginPasswordPolicyEnforced/LoginPasswordExpirationEnabled and flips them with -not $MockPropertyValue. When $MockPropertyValue is the Sid string, -not '0x…' evaluates to $false, which is semantically meaningless for those properties, and the mock never returns a Sid key at all.

This means the test only proves that a missing Sid triggers $false, not that a different Sid triggers $false. Consider a dedicated Context (or adding Sid to the mock return value with a different value) so the comparison is explicit.

#!/bin/bash
# Verify how Test-TargetResource handles Sid comparison in the production code
ast-grep --pattern $'function Test-TargetResource {
  $$$
}'
# Also search for Sid comparison logic
rg -n -C5 'Sid' --type ps1 -g '!*Tests*' -g '*SqlLogin*'

🧹 Nitpick comments (1)

tests/Unit/DSC_SqlLogin.Tests.ps1 (1)

120-120: Inconsistent hex string parsing patterns for Sid.

Line 120 starts with a raw hex string ('B76150A66B38F64FAE9470091789AA66'), while line 205 starts with 0x-prefixed hex ('0xB76150A66B38F64FAE9470091789AA66') and strips it first. Both yield the same byte array, but the inconsistency across test contexts reduces readability. Consider using the same pattern everywhere for clarity.

Also applies to: 205-205

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

source/Examples/Resources/SqlLogin/1-AddWindowsUser.ps1 (1)

15-18: ⚠️ Potential issue | 🟡 Minor

$LoginCredential parameter is unused after removing the SqlLogin resource.

The SqlLogin resource block was moved to 1-AddSqlLogin.ps1, but the $LoginCredential parameter remains. None of the WindowsUser/WindowsGroup resources in this file reference it.

Proposed fix — remove the unused parameter

     param
     (
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
-        $SqlAdministratorCredential,
-
-        [Parameter(Mandatory = $true)]
-        [System.Management.Automation.PSCredential]
-        $LoginCredential
+        $SqlAdministratorCredential
     )

🤖 Fix all issues with AI agents

In `@source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1`:
- Around line 590-607: In Test-TargetResource, when $loginInfo.Sid is $null the
code currently just sets $testPassed = $false; add a Write-Verbose to report the
missing SID so users can diagnose failures. Specifically, in the $null branch
for $loginInfo.Sid emit a verbose message (reuse or create a localized string)
that includes $Name and the expected $Sid (or pass 'null' as the actual SID)
before setting $testPassed = $false so behavior matches other property mismatch
branches.

In `@source/Examples/Resources/SqlLogin/1-AddSqlLogin.ps1`:
- Around line 1-5: The .DESCRIPTION comment-based help block has incorrect
indentation for the description text (the line containing 'SqlLogin2' is
indented 7 spaces); update the description lines inside the .DESCRIPTION block
so the text lines use 8-space indentation per the guideline (adjust the line
with 'SqlLogin2' to match the other description lines), ensuring the
comment-based help keywords remain at 4 spaces and description text at 8 spaces.

[johlju]

@johlju partially reviewed 8 files and all commit messages, made 2 comments, and resolved 2 discussions.
Reviewable status: all files reviewed, 7 unresolved discussions (waiting on cai-n).

---

source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 line 611 at r6 (raw file):

                    $testPassed = $false
                }
            }

Maybe we can do something like this to not duplicate Write-Verbose?

Suggestion:

            $infoSid = if ($null -ne $loginInfo.Sid)
            {
                '0x' + [System.BitConverter]::ToString($loginInfo.Sid).Replace('-', '')
            }

            if ($null -eq $infoSid -or $infoSid -ne $Sid)
            {
                Write-Verbose -Message (
                    $script:localizedData.WrongSid -f $Name, $infoSid, $Sid
                )

                $testPassed = $false
            }

---

source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 line 612 at r6 (raw file):

                }
            }
        }

If we does this it will return $false when sid mismatch on an exist login, but then there is no logic in Set to actually set the correct sid on the login. So either we have to add logic to Set or not enforce Sid in Test.

Code quote:

        if ( $PSBoundParameters.ContainsKey('Sid') )
        {
            if ($null -eq $loginInfo.Sid)
            {
                Write-Verbose -Message (
                    $script:localizedData.WrongSid -f $Name, $null, $Sid
                )
                $testPassed = $false
            }
            else
            {
                $infoSid = '0x' + [System.BitConverter]::ToString($loginInfo.Sid).Replace('-', '')
                if ( $infoSid -ne $Sid )
                {
                    Write-Verbose -Message (
                        $script:localizedData.WrongSid -f $Name, $infoSid, $Sid
                    )
                    $testPassed = $false
                }
            }
        }

[cai-n]

I didn't really know how to tackle the tests, Sid can only be set at the creation of the login, is it alright if I just remove the Sid part in Test-TargetResource ?

[johlju]

Yes, it is okay if we can't enforce Sid without recreating the login. If another contributor need to enforce the Sid then that can be a future PR :)

[johlju]

I was meaning to say that it is okay to remove the Test logic 🙂

[cai-n]

I'm still confused haha, do you mean not set the $testPassed = $false but keep the Write-Verbose -Message ?

[johlju]

I hope this is more clear 🙂

@johlju reviewed 3 files and all commit messages, made 4 comments, and resolved 2 discussions.
Reviewable status: all files reviewed, 6 unresolved discussions (waiting on cai-n).

---

source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 line 449 at r8 (raw file):

    .PARAMETER Sid
        Specifies the security identifier (SID) for the login. Only applies to SQL Logins. The value should be a hexadecimal string (e.g. '0x1234...').

Add this too the comment based help.

Suggestion:

    .PARAMETER Sid
        Specifies the security identifier (SID) for the login. Only applies to SQL Logins. The value should be a hexadecimal string (e.g. '0x1234...').
        
        Not currently used in Test-TargetResource to enforce Sid.

---

source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 line 607 at r8 (raw file):

                $testPassed = $false
            }
        }

We can remove this entire block since there is no logic in Set-TargetResource to re-create the login to actually be able to set a Sid that mismatch.

Also remove any logic from the unit tests for Test-TargetResource.

Code quote:

        if ( $PSBoundParameters.ContainsKey('Sid') )
        {
            $infoSid = if ($null -ne $loginInfo.Sid)
            {
                '0x' + [System.BitConverter]::ToString($loginInfo.Sid).Replace('-', '')
            }

            if ($null -eq $infoSid -or $infoSid -ne $Sid)
            {
                Write-Verbose -Message (
                    $script:localizedData.WrongSid -f $Name, $infoSid, $Sid
                )

                $testPassed = $false
            }
        }

---

source/DSCResources/DSC_SqlLogin/en-US/DSC_SqlLogin.strings.psd1 line 23 at r8 (raw file):

    WrongDefaultDatabase = The login '{0}' has the default database '{1}', but expected it to have the default database '{2}'.
    WrongLanguage = The login '{0}' has the default language '{1}', but expected it to have the default language '{2}'.
    WrongSid = The login '{0}' has the Sid '{1}', but expected it to have the Sid '{2}'.

We can remove this as we are about to remove the logic in Test-TargetResource.

Code quote:

WrongSid = The login '{0}' has the Sid '{1}', but expected it to have the Sid '{2}'.

[johlju]

Added a new issue #2455 to track the enhancement to be able to recreate a login if sid mismatch. 🙂

[johlju]

@johlju reviewed 2 files and all commit messages, made 1 comment, and resolved 3 discussions.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on cai-n).

[johlju]

Will merge once all tests passes. There might be intermittent errors, so I will kick off any failing integration tests later.

[cai-n]

Added a new issue #2455 to track the enhancement to be able to recreate a login if sid mismatch. 🙂

Thank you, I might also take that issue since I'm already looking at sid stuff if it's alright