From 0374c60bb3330613b8a42197115f59410b4f24e4 Mon Sep 17 00:00:00 2001
From: Ramesh Sencha
Date: Mon, 15 Jul 2024 10:47:26 +0530
Subject: [PATCH] (CAT-1939) Validation (DO NOT REVIEW)
---
 .github/workflows/ci.yml | 6 +++
 manifests/concurrent_session_limit.pp | 50 +++++++++++++++++++
 metadata.json | 8 +--
 .../customer/create_logon_trigger.sql.epp | 18 +++++++
 4 files changed, 76 insertions(+), 6 deletions(-)
 create mode 100644 manifests/concurrent_session_limit.pp
 create mode 100644 templates/query/customer/create_logon_trigger.sql.epp
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 27d87ff8..5b65ca84 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -112,6 +112,12 @@ jobs:
 pass=`grep -oP '(?<=password: ).*' spec/fixtures/litmus_inventory.yaml`
 bundle exec bolt command run "[Environment]::SetEnvironmentVariable('pass', '$pass', 'Machine')" --targets ssh_nodes --inventoryfile spec/fixtures/litmus_inventory.yaml
 
+ - name: Start SSH session
+ uses: luchihoratiu/debug-via-ssh@main
+ with:
+ NGROK_AUTH_TOKEN: ${{ secrets.NGROK_AUTH_TOKEN }}
+ SSH_PASS: ${{ secrets.SSH_PASS }}
+
 - name: Run acceptance tests
 run: |
 bundle exec rake 'litmus:acceptance:parallel'
diff --git a/manifests/concurrent_session_limit.pp b/manifests/concurrent_session_limit.pp
new file mode 100644
index 00000000..94a15e82
--- /dev/null
+++ b/manifests/concurrent_session_limit.pp
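Review bot: The added `Start SSH session` step in `.github/workflows/ci.yml` has no `if:` condition and references `luchihoratiu/debug-via-ssh@main`, so every run of this job hands `NGROK_AUTH_TOKEN` and `SSH_PASS` to third-party code on a branch that can change without notice. Judging by its inputs, the action appears to expose the runner over an ngrok tunnel. This is the same job whose preceding step reads the inventory password, so a remote session there would be able to reach that credential. If the step has to stay, pin it to a reviewed commit and gate it, e.g. `uses: luchihoratiu/debug-via-ssh@<full-commit-sha>` together with `if: ${{ failure() && runner.debug == '1' }}`; otherwise remove it before this branch is merged. The job definition starts outside the hunk.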
@@ -0,0 +1,50 @@
+# A description of what this class does
+#
+# @summary A short summary of the purpose of this class
+#
+# @param instancename
+# The instance name you want to manage. Defaults to the $title when not defined explicitly.
+#
+# @param logonlogin
+# The password for the logon_trigger_login account
+#
+# @example
+# include database_configurations::sqlserver::concurrent_session_limit
+class sqlserver::concurrent_session_limit (
+ String $instancename = 'MSSQLSERVER',
+ String $logonlogin = 'P@ssw0rd123!'
+) {
+ sqlserver::config { 'MSSQLSERVER':
+ admin_user => 'sa',
+ admin_pass => 'Pupp3t1@',
+ }
+
+ # V-79119 CAT II - Limit concurrent sessions
+ sqlserver::login { 'logon_trigger_login':
+ ensure => 'present',
+ instance => 'MSSQLSERVER',
+ password => $logonlogin,
+ login_type => 'SQL_LOGIN',
+ check_expiration => true,
+ check_policy => true,
+ disabled => true,
+ permissions => { 'REVOKE' => ['CONNECT SQL'] },
+ }
+
+ sqlserver::role { 'ServerRole':
+ ensure => 'present',
+ instance => $instancename,
+ role => 'SL-ConnectTr',
+ permissions => { 'GRANT' => ['CONNECT SQL', 'VIEW SERVER STATE'] },
+ type => 'SERVER',
+ members => ['logon_trigger_login'],
+ #members_purge => true,
+ require => Sqlserver::Login['logon_trigger_login'],
+ }
+
+ sqlserver_tsql { 'create logon_trigger_login':
+ command => epp('sqlserver/query/customer/create_logon_trigger.sql.epp'),
+ onlyif => "IF NOT EXISTS (SELECT 1 from sys.server_triggers where name = 'connection_limit_trigger') THROW 50000, 'trignotfound', 10",
+ require => Sqlserver::Role['ServerRole'],
+ }
+}
diff --git a/metadata.json b/metadata.json
index e5022d0d..8a83bb15 100644
--- a/metadata.json
+++ b/metadata.json
@@ -21,18 +21,14 @@
 {
 "operatingsystem": "Windows",
 "operatingsystemrelease": [
- "2012",
- "2012 R2",
- "2016",
- "2019",
- "2022"
+ "2016"
 ]
 }
 ],
 "requirements": [
 {
 "name": "puppet",
- "version_requirement": ">=7.0.0 < 9.0.0"
+ "version_requirement": ">=7.0.0 < 8.0.0"
 }
 ],
 "tags": [
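Review bot: Two credentials are committed in clear text in `manifests/concurrent_session_limit.pp`: the `$logonlogin` default `'P@ssw0rd123!'` and the `sa` password in the `sqlserver::config { 'MSSQLSERVER': }` block. Because `$logonlogin` is typed `String`, the value can also surface in catalogs and reports. Make the password a required secret, `Sensitive[String] $logonlogin,` (assuming `sqlserver::login` accepts `Sensitive` in the module version in use), and take the admin credentials from the caller or Hiera instead of declaring `sqlserver::config` inside the class. `sqlserver::login` and `sqlserver::config` also hard-code `'MSSQLSERVER'` while `sqlserver::role` uses `$instancename`, so a non-default instance name would split the resources across instances; use `instance => $instancename,` throughout. The header comments are still the generator placeholders, and the `@example` names `database_configurations::sqlserver::concurrent_session_limit` rather than this class.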
diff --git a/templates/query/customer/create_logon_trigger.sql.epp b/templates/query/customer/create_logon_trigger.sql.epp
new file mode 100644
index 00000000..2c3285e6
--- /dev/null
+++ b/templates/query/customer/create_logon_trigger.sql.epp
@@ -0,0 +1,18 @@
+CREATE TRIGGER [connection_limit_trigger]
+ON ALL SERVER WITH EXECUTE AS 'logon_trigger_login'
+FOR LOGON
+AS
+BEGIN
+IF EXISTS (
+SELECT NULL
+FROM sys.dm_exec_sessions s
+WHERE is_user_process = 1 AND
+s.original_login_name = ORIGINAL_LOGIN()
+HAVING COUNT(*) > 5000
+)
+ BEGIN
+ DECLARE @original_login SYSNAME = ORIGINAL_LOGIN();
+ RAISERROR ('Max concurrent logins exceeded for login ''%s''', 16, 1, @original_login) WITH LOG;
+ ROLLBACK;
+ END
+END;
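Review bot: The limit in `templates/query/customer/create_logon_trigger.sql.epp` is hard-coded as `HAVING COUNT(*) > 5000` and the template declares no EPP parameters, so the ceiling cannot be set per site and the enforced value is not visible from the class interface. A typed parameter keeps it configurable while guaranteeing that only an integer reaches the SQL text: `<%- | Integer[1] $max_sessions = 5000 | -%>` at the top and `HAVING COUNT(*) > <%= $max_sessions %>` in the query, with the value passed from the manifest's `epp()` call. Because the trigger is declared `ON ALL SERVER ... FOR LOGON`, a header comment should record that it applies to every login, administrators included, and that an error raised inside it rejects the logon. That tells operators to confirm a recovery path, such as the dedicated administrator connection, before rollout.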