feat: enable and verify xp_cmdshell for mssql setup and validation #93

Merged
l50 merged 6 commits into main from feat/xp-cmdshell-and-acl-fixes
Apr 8, 2026
@l50 l50 commented Apr 8, 2026

Key Changes:

  • Added automation to enable xp_cmdshell during MSSQL configuration
  • Improved MSSQL validation to fail if xp_cmdshell is not enabled
  • Updated documentation to reflect new xp_cmdshell steps

Added:

  • Automated step to enable xp_cmdshell as part of the MSSQL setup process,
    including error handling and output logging in the config task
  • Conditional debug logging for xp_cmdshell configuration errors in Ansible

Changed:

  • MSSQL validation logic to treat absence of xp_cmdshell as a failure instead
    of a warning, improving enforcement of security and operational requirements
    in the validation checks
  • Documentation in the MSSQL role README to include the new xp_cmdshell
    enablement and error logging steps

…ator

**Added:**

- Introduced Ansible tasks to enable `xp_cmdshell` in MSSQL, including error
  handling and logging for failures in the role's configuration tasks
- Documented the new `xp_cmdshell` enable and logging steps in the MSSQL role
  README

**Changed:**

- Updated MSSQL validator to treat `xp_cmdshell` not being enabled as a FAIL
  instead of a WARN, making the check stricter for compliance

**Removed:**

- No removals

dreadnode-renovate-bot (bot) added the `area/roles` (Changes made to Ansible roles) label Apr 8, 2026

l50 added 5 commits April 8, 2026 11:54

…alidator total

**Changed:**

- Updated mssql role to ensure BUILTIN\Administrators has SQL sysadmin, removing
  temporary ssm-user sysadmin grants and revokes for idempotency and simpler
  re-provisioning (config.yml, README.md)
- Removed all unnecessary become/runas SYSTEM usage in mssql config tasks since
  ssm-user retains sysadmin
- Improved documentation in mssql config tasks to clarify privilege rationale and
  bootstrap flow
- Adjusted validator to compute report.Total as sum of Passed, Failed, and
  Warnings for accurate reporting

**Removed:**

- Removed tasks that granted and revoked ssm-user SQL sysadmin in mssql config
  for a simpler, persistent privilege model
- Eliminated redundant become/runas SYSTEM parameters from mssql config tasks

…e for validator

**Added:**

- Introduced `runChecks` method to execute validation checks concurrently with
  bounded parallelism, ensuring each check's output appears in submission order
- Defined `checkFunc` type for uniform check function signatures
- Added tests (`validator_test.go`) for concurrent check execution, output
  ordering, result collection, and semaphore limit enforcement

**Changed:**

- Refactored all check methods in `checks.go` and their invocations to accept
  an `io.Writer` parameter for flexible output (required by `runChecks`)
- Updated `addResult` to write colored status lines to a provided writer,
  improving testability and output control
- Modified `DiscoverHosts` to use `addResult` with `os.Stdout`
- `RunQuickChecks` and `RunAllChecks` now delegate check execution to
  `runChecks`, replacing sequential calls with concurrent, ordered execution
- Added a mutex to `Validator` to protect concurrent mutation of the report
- Improved output handling for status messages (e.g., INFO, SKIP, WARN) for
  consistency and testability

**Removed:**

- Eliminated direct `fmt.Println` and `color.*` calls from check methods in
  favor of writer-based output and the `printHeader` helper

**Added:**

- Introduced a `captureResult` struct to carry both output and error from
  goroutine handling stdout capture

**Changed:**

- Updated stdout capturing logic to use `captureResult`, enabling error
  propagation from the goroutine to the test
- Modified `restore` to fail the test with `t.Fatalf` if an error occurred
  during output capture

**Removed:**

- Removed use of string-only channels for capturing output, ensuring errors are
  not silently ignored

Changed:

- Updated all fmt.Fprintf, fmt.Fprint, and os.Stdout.Write calls to explicitly
  ignore returned values by assigning them to blank identifiers, clarifying
  intent to discard errors and comply with static analysis tools
- Modified test code to also explicitly ignore errors from fmt.Fprintf and
  io.Writer Close calls, improving consistency and code readability

l50 force-pushed the feat/xp-cmdshell-and-acl-fixes branch from 4d51c3a to f6d20cb, April 8, 2026 19:27

l50 merged commit 36fa965 into main, Apr 8, 2026 (6 checks passed)

l50 deleted the feat/xp-cmdshell-and-acl-fixes branch, April 8, 2026 19:42
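
An added example, not code from this pull request, of the check runner the commit messages describe: at most `limit` checks run at once, each writes to its own buffer, the buffers are flushed in submission order, and a mutex guards the shared tally whose total is passed + failed + warnings. Only the names `checkFunc` and `runChecks` come from the PR; the signatures, the tally map, `demo` and the two sample checks are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"sync"
	"time"
)

// checkFunc and runChecks are named in the PR; signatures and bodies here are assumed.
type checkFunc func(w io.Writer) (status string)

// runChecks runs at most limit checks at once and flushes per-check buffers in submission order.
func runChecks(out io.Writer, limit int, checks []checkFunc) map[string]int {
	var mu sync.Mutex // guards tally, updated from several goroutines
	var wg sync.WaitGroup
	tally := map[string]int{}
	bufs := make([]bytes.Buffer, len(checks))
	sem := make(chan struct{}, limit)
	for i := range checks {
		wg.Add(1)
		sem <- struct{}{} // blocks while limit checks are already running
		go func(i int) {
			defer func() { <-sem; wg.Done() }()
			status := checks[i](&bufs[i])
			mu.Lock()
			tally[status]++
			mu.Unlock()
		}(i)
	}
	wg.Wait()
	for i := range bufs {
		_, _ = out.Write(bufs[i].Bytes())
	}
	tally["TOTAL"] = tally["PASS"] + tally["FAIL"] + tally["WARN"]
	return tally
}

// demo uses constructed checks; the slow one is submitted first but finishes last.
func demo(out io.Writer, xpStatus string) map[string]int {
	emit := func(w io.Writer, s, name string) string { _, _ = fmt.Fprintf(w, "[%s] %s\n", s, name); return s }
	return runChecks(out, 2, []checkFunc{
		func(w io.Writer) string { time.Sleep(20 * time.Millisecond); return emit(w, "PASS", "slow check") },
		func(w io.Writer) string { return emit(w, xpStatus, "xp_cmdshell enabled") },
	})
}

func main() { fmt.Println(demo(os.Stdout, "FAIL")) }
```

The slow check's line is printed first even though the `xp_cmdshell` check completes before it, because output order follows submission order rather than completion order.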