From ad627f9dde6dd858c1213fedab61a27e0be37d83 Mon Sep 17 00:00:00 2001
From: subencheng
Date: Wed, 18 Jun 2025 15:26:55 -0700
Subject: [PATCH 1/2] [BB-906] baton-sql-server: add user deprovisioning
---
 pkg/connector/server_user.go | 15 +++++++++++++++
 pkg/mssqldb/server.go | 12 ++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/pkg/connector/server_user.go b/pkg/connector/server_user.go
index a891a2d5..69215b48 100644
--- a/pkg/connector/server_user.go
+++ b/pkg/connector/server_user.go
@@ -19,6 +19,8 @@ import (
 "go.uber.org/zap"
 )
+var _ connectorbuilder.ResourceDeleter = (*userPrincipalSyncer)(nil)
+
 // userPrincipalSyncer implements both ResourceSyncer and AccountManager.
 type userPrincipalSyncer struct {
 resourceType *v2.ResourceType
@@ -217,6 +219,19 @@ func (d *userPrincipalSyncer) CreateAccountCapabilityDetails(
 }, nil, nil
 }
+func (d *userPrincipalSyncer) Delete(ctx context.Context, resourceId *v2.ResourceId) (annotations.Annotations, error) {
+ user, err := d.client.GetUserPrincipal(ctx, resourceId.GetResource())
+ if err != nil {
+ return nil, err
+ }
+
+ err = d.client.DisableUserFromServer(ctx, user.Name)
+ if err != nil {
+ return nil, err
+ }
+ return nil, err
+}
+
 // generateStrongPassword creates a secure random password for SQL Server.
 // The password meets SQL Server complexity requirements:
 // - At least 8 characters in length
diff --git a/pkg/mssqldb/server.go b/pkg/mssqldb/server.go
index b3e9c5b0..c8d387ed 100644
--- a/pkg/mssqldb/server.go
+++ b/pkg/mssqldb/server.go
@@ -2,6 +2,7 @@ package mssqldb
 import (
 "context"
+ "fmt"
 "strings"
 "github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
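Review bot: The comment on the line after the new assertion in pkg/connector/server_user.go still says the type `implements both ResourceSyncer and AccountManager`, which is out of date once `connectorbuilder.ResourceDeleter` is asserted as well. I would change it to `// userPrincipalSyncer implements ResourceSyncer, AccountManager and ResourceDeleter.` so the type's write capabilities are visible where it is declared. The struct body continues outside the hunk.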
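Review bot: `Delete` in pkg/connector/server_user.go reports success after only disabling the login, so the principal, its role memberships and its permissions all remain, and ALTER LOGIN ... DISABLE is documented not to affect sessions that are already connected. The method has no doc comment; I would add one along the lines of `// Delete deprovisions a server login by disabling it; the login, its permissions and any open sessions are left in place.` so a successful delete is not read as removal. `user.Name` is also read without checking `user`; if `GetUserPrincipal` can return a nil result without an error (its body is not visible here), a guard such as `if user == nil { return nil, fmt.Errorf("login %q not found", resourceId.GetResource()) }` would avoid a panic.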
@@ -33,3 +34,14 @@ func (c *Client) GetServer(ctx context.Context) (*ServerModel, error) {
 return &ret, nil
 }
+
+func (c *Client) DisableUserFromServer(ctx context.Context, userName string) error {
+ query := fmt.Sprintf(`
+ALTER LOGIN [%s] DISABLE;`, userName)
+
+ _, err := c.db.ExecContext(ctx, query)
+ if err != nil {
+ return err
+ }
+ return nil
+}
From de0baf81faf0042944d6598bde3e510b0e51f3e3 Mon Sep 17 00:00:00 2001
From: subencheng
Date: Wed, 18 Jun 2025 17:07:35 -0700
Subject: [PATCH 2/2] now
---
 pkg/connector/server_user.go | 2 +-
 pkg/mssqldb/server.go | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/connector/server_user.go b/pkg/connector/server_user.go
index 69215b48..637e64f8 100644
--- a/pkg/connector/server_user.go
+++ b/pkg/connector/server_user.go
@@ -229,7 +229,7 @@ func (d *userPrincipalSyncer) Delete(ctx context.Context, resourceId *v2.Resourc
 if err != nil {
 return nil, err
 }
- return nil, err
+ return nil, nil
 }
 // generateStrongPassword creates a secure random password for SQL Server.
diff --git a/pkg/mssqldb/server.go b/pkg/mssqldb/server.go
index c8d387ed..a3df6844 100644
--- a/pkg/mssqldb/server.go
+++ b/pkg/mssqldb/server.go
@@ -36,6 +36,10 @@ func (c *Client) GetServer(ctx context.Context) (*ServerModel, error) {
 }
 func (c *Client) DisableUserFromServer(ctx context.Context, userName string) error {
+ if strings.ContainsAny(userName, "[]\"';") {
+ return fmt.Errorf("invalid characters in userName")
+ }
+
 query := fmt.Sprintf(`
 ALTER LOGIN [%s] DISABLE;`, userName)
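Review bot: `DisableUserFromServer` in pkg/mssqldb/server.go returns the driver error unwrapped and carries no doc comment, so a failed deprovision reaches the caller without the login name or the operation that failed. I would return `fmt.Errorf("disabling login %q: %w", userName, err)` on the error path and add `// DisableUserFromServer disables the named server login with ALTER LOGIN ... DISABLE.` above the function. The name says user while the statement acts on a server login; SQL Server treats those as different principals, so aligning the name or the comment would avoid confusion. The interpolation of `userName` into the statement is changed by the second patch in this series.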
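Review bot: The added `strings.ContainsAny(userName, "[]\"';")` check in `DisableUserFromServer` is a denylist placed in front of a `fmt.Sprintf` that still interpolates the name unescaped, and it refuses any login whose name contains one of those characters, so such an account could never be deprovisioned through this path. Inside a bracket-delimited identifier only `]` needs handling and it is escaped by doubling, so passing `strings.ReplaceAll(userName, "]", "]]")` to the format call quotes the name without rejecting valid ones. An empty name, or one longer than SQL Server's 128-character identifier limit, still reaches the statement and would be better rejected before it is built. The function body continues past the end of the hunk.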