microsoft
diff --git a/‎cmd/modern/root/config/add-user.go
+65-34 b/‎cmd/modern/root/config/add-user.go
+65-34
diff --git a/‎cmd/modern/root/config/add-user_darwin.go
-8 b/‎cmd/modern/root/config/add-user_darwin.go
-8
diff --git a/‎cmd/modern/root/config/add-user_linux.go
-8 b/‎cmd/modern/root/config/add-user_linux.go
-8
diff --git a/‎cmd/modern/root/config/add-user_test.go
+64-5 b/‎cmd/modern/root/config/add-user_test.go
+64-5
diff --git a/‎cmd/modern/root/config/add-user_windows.go
-14 b/‎cmd/modern/root/config/add-user_windows.go
-14
diff --git a/‎cmd/modern/root/config/connection-strings.go
+3-3 b/‎cmd/modern/root/config/connection-strings.go
+3-3
diff --git a/‎cmd/modern/root/config/connection-strings_test.go
+4-3 b/‎cmd/modern/root/config/connection-strings_test.go
+4-3
diff --git a/‎cmd/modern/root/config/delete-context_test.go
+2-2 b/‎cmd/modern/root/config/delete-context_test.go
+2-2
diff --git a/‎cmd/modern/root/config/delete-user.go
+15-2 b/‎cmd/modern/root/config/delete-user.go
+15-2
@@ -8,6 +8,7 @@ import (
 	"github.com/microsoft/go-sqlcmd/cmd/modern/sqlconfig"
 	"github.com/microsoft/go-sqlcmd/internal/pal"
 	"os"
+	"runtime"
 
 	"github.com/microsoft/go-sqlcmd/internal/cmdparser"
 	"github.com/microsoft/go-sqlcmd/internal/config"
@@ -18,35 +19,48 @@ import (
 type AddUser struct {
 	cmdparser.Cmd
 
-	name            string
-	authType        string
-	username        string
-	encryptPassword bool
+	name               string
+	authType           string
+	username           string
+	passwordEncryption string
 }
 
 func (c *AddUser) DefineCommand(...cmdparser.CommandOptions) {
-	options := cmdparser.CommandOptions{
-		Use:   "add-user",
-		Short: "Add a user",
-		Examples: []cmdparser.ExampleOptions{
-			{
-				Description: "Add a user (using the SQLCMD_PASSWORD environment variable)",
-				Steps: []string{
-					fmt.Sprintf(`%s SQLCMD_PASSWORD=<placeholderpassword>`, pal.CreateEnvVarKeyword()),
-					"sqlcmd config add-user --name my-user --username user1",
-					fmt.Sprintf(`%s SQLCMD_PASSWORD=`, pal.CreateEnvVarKeyword()),
-				},
+	examples := []cmdparser.ExampleOptions{
+		{
+			Description: "Add a user (using the SQLCMD_PASSWORD environment variable)",
+			Steps: []string{
+				fmt.Sprintf(`%s SQLCMD_PASSWORD=<placeholderpassword>`, pal.CreateEnvVarKeyword()),
+				"sqlcmd config add-user --name my-user --username user1 --password-encryption none",
+				fmt.Sprintf(`%s SQLCMD_PASSWORD=`, pal.CreateEnvVarKeyword()),
 			},
-			{
-				Description: "Add a user (using the SQLCMDPASSWORD environment variable)",
-				Steps: []string{
-					fmt.Sprintf(`%s SQLCMDPASSWORD=<placeholderpassword>`, pal.CreateEnvVarKeyword()),
-					"sqlcmd config add-user --name my-user --username user1",
-					fmt.Sprintf(`%s SQLCMDPASSWORD=`, pal.CreateEnvVarKeyword()),
-				},
+		},
+		{
+			Description: "Add a user (using the SQLCMDPASSWORD environment variable)",
+			Steps: []string{
+				fmt.Sprintf(`%s SQLCMDPASSWORD=<placeholderpassword>`, pal.CreateEnvVarKeyword()),
+				"sqlcmd config add-user --name my-user --username user1 --password-encryption none",
+				fmt.Sprintf(`%s SQLCMDPASSWORD=`, pal.CreateEnvVarKeyword()),
 			},
 		},
-		Run: c.run}
+	}
+
+	if runtime.GOOS == "windows" {
+		examples = append(examples, cmdparser.ExampleOptions{
+			Description: "Add a user using Windows Data Protection API to encrypt password in sqlconfig",
+			Steps: []string{
+				fmt.Sprintf(`%s SQLCMD_PASSWORD=<placeholderpassword>`, pal.CreateEnvVarKeyword()),
+				"sqlcmd config add-user --name my-user --username user1 --password-encryption dpapi",
+				fmt.Sprintf(`%s SQLCMD_PASSWORD=`, pal.CreateEnvVarKeyword()),
+			},
+		})
+	}
+
+	options := cmdparser.CommandOptions{
+		Use:      "add-user",
+		Short:    "Add a user",
+		Examples: examples,
+		Run:      c.run}
 
 	c.Cmd.DefineCommand(options)
 
@@ -70,14 +84,19 @@ func (c *AddUser) DefineCommand(...cmdparser.CommandOptions) {
 		Usage:  "The username (provide password in SQLCMD_PASSWORD or SQLCMDPASSWORD environment variable)",
 	})
 
-	c.encryptPasswordFlag()
+	c.AddFlag(cmdparser.FlagOptions{
+		String: &c.passwordEncryption,
+		Name:   "password-encryption",
+		Usage: fmt.Sprintf("Password encryption method (%s) in sqlconfig file",
+			secret.EncryptionMethodsForUsage()),
+	})
 }
 
 // run a user to the configuration. It sets the user's name and
 // authentication type, and, if the authentication type is 'basic', it sets the
 // user's username and password (either in plain text or encrypted, depending
-// on the --encrypt-password flag). If the user's authentication type is not 'basic'
-// or 'other', an error is thrown. If the --encrypt-password flag is set but the
+// on the --password-encryption flag). If the user's authentication type is not 'basic'
+// or 'other', an error is thrown. If the --password-encryption flag is set but the
 // authentication type is not 'basic', an error is thrown. If the authentication
 // type is 'basic' but the username or password is not provided, an error is thrown.
 // If the username is provided but the password is not, an error is thrown.
@@ -90,11 +109,17 @@ func (c *AddUser) run() {
 			"Authentication type '' is not valid %v'", c.authType)
 	}
 
-	if c.authType != "basic" && c.encryptPassword {
+	if c.authType != "basic" && c.passwordEncryption != "" {
 		output.FatalWithHints([]string{
-			"Remove the --encrypt-password flag",
+			"Remove the --password-encryption flag",
 			"Pass in the --auth-type basic"},
-			"The --encrypt-password flag can only be used when authentication type is 'basic'")
+			"The --password-encryption flag can only be used when authentication type is 'basic'")
+	}
+
+	if c.authType == "basic" && c.passwordEncryption == "" {
+		output.FatalWithHints([]string{
+			"Add the --password-encryption flag"},
+			"The --password-encryption flag must be set when authentication type is 'basic'")
 	}
 
 	user := sqlconfig.User{
@@ -117,6 +142,12 @@ func (c *AddUser) run() {
 				"Username not provided")
 		}
 
+		if !secret.IsValidEncryptionMethod(c.passwordEncryption) {
+			output.FatalfWithHints([]string{
+				fmt.Sprintf("Provide a valid encryption method (%s) with the --password-encryption flag", secret.EncryptionMethodsForUsage())},
+				"Encryption method '%v' is not valid", c.passwordEncryption)
+		}
+
 		if os.Getenv("SQLCMD_PASSWORD") != "" &&
 			os.Getenv("SQLCMDPASSWORD") != "" {
 			output.FatalWithHints([]string{
@@ -129,12 +160,12 @@ func (c *AddUser) run() {
 			password = os.Getenv("SQLCMDPASSWORD")
 		}
 		user.BasicAuth = &sqlconfig.BasicAuthDetails{
-			Username:          c.username,
-			PasswordEncrypted: c.encryptPassword,
-			Password:          secret.Encode(password, c.encryptPassword),
+			Username:           c.username,
+			PasswordEncryption: c.passwordEncryption,
+			Password:           secret.Encode(password, c.passwordEncryption),
 		}
 	}
 
-	config.AddUser(user)
-	output.Infof("User '%v' added", user.Name)
+	uniqueUserName := config.AddUser(user)
+	output.Infof("User '%v' added", uniqueUserName)
 }
@@ -18,9 +18,10 @@ func TestAddUser(t *testing.T) {
 	// overwrite it here.
 	if os.Getenv("SQLCMDPASSWORD") == "" {
 		os.Setenv("SQLCMDPASSWORD", "it's-a-secret")
+		defer os.Setenv("SQLCMDPASSWORD", "")
 	}
 	cmdparser.TestSetup(t)
-	cmdparser.TestCmd[*AddUser]("--username user1")
+	cmdparser.TestCmd[*AddUser]("--username user1 --password-encryption none")
 }
 
 // TestNegAddUser tests that the `sqlcmd config add-user` command
@@ -33,11 +34,11 @@ func TestNegAddUser(t *testing.T) {
 }
 
 // TestNegAddUser2 tests that the `sqlcmd config add-user` command
-// fails when the auth-type is not basic and --encrypt-password is set
+// fails when the auth-type is not basic and --password-encryption is set
 func TestNegAddUser2(t *testing.T) {
 	cmdparser.TestSetup(t)
 	assert.Panics(t, func() {
-		cmdparser.TestCmd[*AddUser]("--username user1 --auth-type other --encrypt-password")
+		cmdparser.TestCmd[*AddUser]("--username user1 --auth-type other --password-encryption dpapi")
 	})
 }
 
@@ -57,10 +58,68 @@ func TestNegAddUser3(t *testing.T) {
 // TestNegAddUser4 tests that the `sqlcmd config add-user` command
 // when username is not set
 func TestNegAddUser4(t *testing.T) {
-	os.Setenv("SQLCMD_PASSWORD", "whatever")
-
+	if os.Getenv("SQLCMD_PASSWORD") == "" {
+		os.Setenv("SQLCMD_PASSWORD", "it's-a-secret")
+		defer os.Setenv("SQLCMD_PASSWORD", "")
+	}
 	cmdparser.TestSetup(t)
 	assert.Panics(t, func() {
 		cmdparser.TestCmd[*AddUser]()
 	})
 }
+
+// TestNegAddUserNoUserName tests that the `sqlcmd config add-user` command
+// when username is not set
+func TestNegAddUserNoUserName(t *testing.T) {
+	if os.Getenv("SQLCMD_PASSWORD") == "" {
+		os.Setenv("SQLCMD_PASSWORD", "it's-a-secret")
+		defer os.Setenv("SQLCMD_PASSWORD", "")
+	}
+	cmdparser.TestSetup(t)
+	assert.Panics(t, func() {
+		cmdparser.TestCmd[*AddUser]("--password-encryption none")
+	})
+}
+
+// TestNegAddUserBadEncryptionMethod tests that the `sqlcmd config add-user` command
+// when encryption method is not valid
+func TestNegAddUserBadEncryptionMethod(t *testing.T) {
+	if os.Getenv("SQLCMD_PASSWORD") == "" {
+		os.Setenv("SQLCMD_PASSWORD", "it's-a-secret")
+		defer os.Setenv("SQLCMD_PASSWORD", "")
+	}
+	cmdparser.TestSetup(t)
+	assert.Panics(t, func() {
+		cmdparser.TestCmd[*AddUser]("--username sa --password-encryption bad-bad")
+	})
+}
+
+func TestNegBothPasswordEnvVarsSet(t *testing.T) {
+	if os.Getenv("SQLCMD_PASSWORD") == "" {
+		os.Setenv("SQLCMD_PASSWORD", "whatever")
+		defer os.Setenv("SQLCMD_PASSWORD", "")
+	}
+
+	if os.Getenv("SQLCMDPASSWORD") == "" {
+		os.Setenv("SQLCMDPASSWORD", "whatever")
+		defer os.Setenv("SQLCMDPASSWORD", "")
+	}
+
+	cmdparser.TestSetup(t)
+	assert.Panics(t, func() {
+		cmdparser.TestCmd[*AddUser]("--username sa --password-encryption none")
+	})
+}
+
+func TestNegNoPasswordEnvVarsSet(t *testing.T) {
+	if os.Getenv("SQLCMD_PASSWORD") != "" ||
+		os.Getenv("SQLCMDPASSWORD") != "" {
+		os.Setenv("SQLCMD_PASSWORD", "whatever")
+		defer os.Setenv("SQLCMD_PASSWORD", "")
+	}
+
+	cmdparser.TestSetup(t)
+	assert.Panics(t, func() {
+		cmdparser.TestCmd[*AddUser]("--username sa --password-encryption none")
+	})
+}
@@ -86,7 +86,7 @@ func (c *ConnectionStrings) run() {
 				connectionStringFormats[k] = fmt.Sprintf(
 					v,
 					user.BasicAuth.Username,
-					secret.Decode(user.BasicAuth.Password, user.BasicAuth.PasswordEncrypted),
+					secret.Decode(user.BasicAuth.Password, user.BasicAuth.PasswordEncryption),
 					endpoint.EndpointDetails.Address,
 					endpoint.EndpointDetails.Port,
 					c.database,
@@ -98,7 +98,7 @@ func (c *ConnectionStrings) run() {
 				)
 
 				connectionStringFormats[k] = fmt.Sprintf(format,
-					secret.Decode(user.BasicAuth.Password, user.BasicAuth.PasswordEncrypted),
+					secret.Decode(user.BasicAuth.Password, user.BasicAuth.PasswordEncryption),
 					endpoint.EndpointDetails.Address,
 					endpoint.EndpointDetails.Port,
 					user.BasicAuth.Username,
@@ -109,7 +109,7 @@ func (c *ConnectionStrings) run() {
 					endpoint.EndpointDetails.Port,
 					c.database,
 					user.BasicAuth.Username,
-					secret.Decode(user.BasicAuth.Password, user.BasicAuth.PasswordEncrypted),
+					secret.Decode(user.BasicAuth.Password, user.BasicAuth.PasswordEncryption),
 					c.stringForBoolean(c.trustServerCertificate(endpoint), k))
 			}
 		}
 
@@ -32,11 +32,12 @@ func TestConnectionStrings(t *testing.T) {
 
 	if os.Getenv("SQLCMDPASSWORD") == "" &&
 		os.Getenv("SQLCMD_PASSWORD") == "" {
-		os.Setenv("SQLCMD_PASSWORD", "it's-a-secret")
+		os.Setenv("SQLCMDPASSWORD", "it's-a-secret")
+		defer os.Setenv("SQLCMDPASSWORD", "")
 	}
 
 	cmdparser.TestCmd[*AddEndpoint]()
-	cmdparser.TestCmd[*AddUser]("--username user")
+	cmdparser.TestCmd[*AddUser]("--username user --password-encryption none")
 	cmdparser.TestCmd[*AddContext]("--endpoint endpoint --user user")
 	cmdparser.TestCmd[*ConnectionStrings]()
 
@@ -46,7 +47,7 @@ func TestConnectionStrings(t *testing.T) {
 
 	// Add endpoint to Azure SQL (connection strings won't Trust server cert)
 	cmdparser.TestCmd[*AddEndpoint]("--address server.database.windows.net")
-	cmdparser.TestCmd[*AddUser]("--username user")
+	cmdparser.TestCmd[*AddUser]("--username user  --password-encryption none")
 	cmdparser.TestCmd[*AddContext]("--endpoint endpoint2 --user user")
 
 	result := cmdparser.TestCmd[*ConnectionStrings]()
 
@@ -11,9 +11,9 @@ import (
 
 func TestDeleteContext(t *testing.T) {
 	cmdparser.TestSetup(t)
-	cmdparser.TestCmd[*AddUser]("--username user --auth-type other")
+	cmdparser.TestCmd[*AddUser]("--name delete-test --username user --auth-type other")
 	cmdparser.TestCmd[*AddEndpoint]()
-	cmdparser.TestCmd[*AddContext]("--endpoint endpoint --user user")
+	cmdparser.TestCmd[*AddContext]("--endpoint endpoint --user delete-test")
 	cmdparser.TestCmd[*DeleteContext]("--name context")
 }
 
 
@@ -4,6 +4,7 @@
 package config
 
 import (
+	"fmt"
 	"github.com/microsoft/go-sqlcmd/internal/cmdparser"
 	"github.com/microsoft/go-sqlcmd/internal/config"
 )
@@ -43,6 +44,18 @@ func (c *DeleteUser) DefineCommand(...cmdparser.CommandOptions) {
 func (c *DeleteUser) run() {
 	output := c.Output()
 
-	config.DeleteUser(c.name)
-	output.Infof("User '%v' deleted", c.name)
+	if c.name == "" {
+		output.Fatal("User name must be provided.  Provide user name with --name flag")
+	}
+
+	if config.UserNameExists(c.name) {
+		config.DeleteUser(c.name)
+	} else {
+		output.FatalfWithHintExamples([][]string{
+			{"View users", "sqlcmd config get-users"},
+		},
+			fmt.Sprintf("User %q does not exist", c.name))
+	}
+
+	output.Infof("User %q deleted", c.name)
 }