Threat Detection new API + data masking changes

1. Adding Threat Detection new Set() and Get() API
2. Data masking - add PrivilegedUsers parameter and deprecate
PrivilegedLogins parameter

Author: yaakoviyun

ChangeLog.md

@@ -1,4 +1,8 @@
-* Azure Redis Cache
+* Azure SQL Database: new cmdlets for managing database threat detection policies:
+  * Get-AzureRmSqlDatabaseThreatDetectionPolicy
+  * Set-AzureRmSqlDatabaseThreatDetectionPolicy
+
+* Azure Redis Cache
   * Set-AzureRedisCache - Premium and vNet support for redis cache
   * New-AzureRedisCache - Premium and vNet support for redis cache
 

restore.config

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <packageSources>
+    <add key="https://www.nuget.org/api/v2/" value="https://www.nuget.org/api/v2/" />
+    <add key="LocalFeed" value="C:\code\azure-powershell\tools\LocalFeed" />
+  </packageSources>
+  <disabledPackageSources />
+</configuration>

src/ResourceManager/Sql/AzureRM.Sql.psd1

@@ -82,7 +82,9 @@ AliasesToExport = @(
 	'Get-AzureRmSqlDatabaseServerAuditingPolicy',  
     'Remove-AzureRmSqlDatabaseServerAuditing',  
     'Set-AzureRmSqlDatabaseServerAuditingPolicy',  
-    'Use-AzureRmSqlDatabaseServerAuditingPolicy'
+    'Use-AzureRmSqlDatabaseServerAuditingPolicy',
+    'Set-AzureRmSqlDatabaseThreatDetectionPolicy',
+    'Get-AzureRmSqlDatabaseThreatDetectionPolicy' 
 )
 
 # List of all modules packaged with this module  

src/ResourceManager/Sql/Commands.Sql.Test/Commands.Sql.Test.csproj

@@ -73,8 +73,8 @@
       <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Sql">
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Sql.0.39.0-prerelease\lib\net40\Microsoft.Azure.Management.Sql.dll</HintPath>
-    </Reference>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Sql.0.41.0-prerelease\lib\net40\Microsoft.Azure.Management.Sql.dll</HintPath>
+	</Reference>
     <Reference Include="Microsoft.Azure.Management.Storage">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Storage.2.4.0-preview\lib\net40\Microsoft.Azure.Management.Storage.dll</HintPath>
     </Reference>
@@ -189,11 +189,15 @@
       <DesignTime>True</DesignTime>
       <DependentUpon>Resources.resx</DependentUpon>
     </Compile>
+    <Compile Include="ScenarioTests\ThreatDetectionTests.cs" />
     <Compile Include="ScenarioTests\DatabaseActivationTests.cs" />
     <Compile Include="ScenarioTests\DatabaseBackupTests.cs" />
     <Compile Include="ScenarioTests\DatabaseReplicationTests.cs" />
     <Compile Include="ScenarioTests\DatabaseCrudTests.cs" />
     <Compile Include="ScenarioTests\DataMaskingTests.cs" />
+    <None Include="ScenarioTests\ThreatDetectionTests.ps1">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
     <None Include="ScenarioTests\DatabaseReplicationTests.ps1">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
@@ -445,7 +449,7 @@
     <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.DataMaskingTests\TestDatabaseDataMaskingNumberRuleLifecycle.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
-    <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.DataMaskingTests\TestDatabaseDataMaskingPrivilegedLoginsChanges.json">
+    <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.DataMaskingTests\TestDatabaseDataMaskingPrivilegedUsersChanges.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.DataMaskingTests\TestDatabaseDataMaskingRuleCreationFailures.json">

src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/Common.ps1

@@ -25,6 +25,19 @@ function Get-SqlAuditingTestEnvironmentParameters ($testSuffix)
 			  }
 }
 
+<#
+.SYNOPSIS
+Gets the values of the parameters used at the threat detection tests
+#>
+function Get-SqlThreatDetectionTestEnvironmentParameters ($testSuffix)
+{
+	return @{ rgname = "sql-td-cmdlet-test-rg" +$testSuffix;
+			  serverName = "sql-td-cmdlet-server" +$testSuffix;
+			  databaseName = "sql-td-cmdlet-db" + $testSuffix;
+			  storageAccount = "tdcmdlets" +$testSuffix
+			  }
+}
+
 <#
 .SYNOPSIS
 Gets the values of the parameters used by the data masking tests
@@ -78,6 +91,30 @@ function Create-TestEnvironmentWithStorageV2 ($testSuffix)
 	New-AzureRmStorageAccount -Name $params.storageAccount -Location "West US" -ResourceGroupName $params.rgname -Type "Standard_GRS"
 }
 
+<#
+.SYNOPSIS
+Creates the test environment needed to perform the Sql threat detection tests, while using storage  V2 as the used storage account
+#>
+function Create-ThreatDetectionTestEnvironmentWithStorageV2 ($testSuffix, $serverVersion = "12.0")
+{
+	$params = Get-SqlThreatDetectionTestEnvironmentParameters $testSuffix
+	New-AzureRmResourceGroup -Name $params.rgname -Location "Australia East" -Force
+
+    if ($serverVersion -eq "12.0")
+    {
+        # Sawa server
+        New-AzureRmResourceGroupDeployment -ResourceGroupName $params.rgname -TemplateFile ".\Templates\sql-ddm-test-env-setup.json" -serverName $params.serverName -databaseName $params.databaseName -EnvLocation "Australia East" -Force
+    }
+
+    if ($serverVersion -eq "2.0")
+    {
+        # Sterling server
+        New-AzureRmResourceGroupDeployment -ResourceGroupName $params.rgname -TemplateFile ".\Templates\sql-audit-test-env-setup.json" -serverName $params.serverName -databaseName $params.databaseName -EnvLocation "Australia East" -Force
+    }
+
+	New-AzureRmStorageAccount -Name $params.storageAccount -Location "Australia East" -ResourceGroupName $params.rgname -Type "Standard_GRS"
+}
+
 <#
 .SYNOPSIS
 Creates the test environment needed to perform the Sql data masking tests
@@ -214,8 +251,24 @@ function Remove-TestEnvironment ($testSuffix)
 {
 	try
 	{
-	$params = Get-SqlAuditingTestEnvironmentParameters $testSuffix
-	Azure\Remove-AzureRmStorageAccount -StorageAccountName $params.storageAccount
+	    $params = Get-SqlAuditingTestEnvironmentParameters $testSuffix
+	    Azure\Remove-AzureRmStorageAccount -StorageAccountName $params.storageAccount
+	}
+	catch
+	{
+	}
+}
+
+<#
+.SYNOPSIS
+Removes the test environment that was needed to perform the Sql threat detection tests
+#>
+function Remove-ThreatDetectionTestEnvironment ($testSuffix)
+{
+	try
+	{
+	    $params = Get-SqlThreatDetectionTestEnvironmentParameters $testSuffix
+	    Azure\Remove-AzureRmStorageAccount -StorageAccountName $params.storageAccount
 	}
 	catch
 	{

src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/DataMaskingTests.cs

@@ -22,9 +22,9 @@ public class DataMaskingTests : SqlTestsBase
     {
         [Fact]
         [Trait(Category.AcceptanceType, Category.BVT)]
-        public void TestDatabaseDataMaskingPrivilegedLoginsChanges()
+        public void TestDatabaseDataMaskingPrivilegedUsersChanges()
         {
-            RunPowerShellTest("Test-DatabaseDataMaskingPrivilegedLoginsChanges");
+            RunPowerShellTest("Test-DatabaseDataMaskingPrivilegedUsersChanges");
         }
 
         [Fact]

src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/DataMaskingTests.ps1

@@ -16,7 +16,7 @@
 .SYNOPSIS
 Tests changes of the privileged logins property of a data masking policy 
 #>
-function Test-DatabaseDataMaskingPrivilegedLoginsChanges
+function Test-DatabaseDataMaskingPrivilegedUsersChanges
 {
 
 	# Setup
@@ -33,40 +33,40 @@ function Test-DatabaseDataMaskingPrivilegedLoginsChanges
 
 
 		# Test adding a privileged login
-		Set-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName -PrivilegedLogins "public" -DataMaskingState "Enabled"
+		Set-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName -PrivilegedUsers "public" -DataMaskingState "Enabled"
 		$policy = Get-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName
 
 		# Assert
-		Assert-AreEqual "public;" $policy.PrivilegedLogins
+		Assert-AreEqual "public;" $policy.PrivilegedUsers
 		Assert-AreEqual "Enabled" $policy.DataMaskingState
 
 		# Test removing a privileged login while having enabled policy
-		Set-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName -PrivilegedLogins "" 
+		Set-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName -PrivilegedUsers "" 
 		$policy = Get-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName
 
 		# Assert
-	    Assert-AreEqual "" $policy.PrivilegedLogins
+	    Assert-AreEqual "" $policy.PrivilegedUsers
 
 		# Test disabling a policy
 		Set-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName -DataMaskingState "Disabled" 
 		$policy = Get-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName
 
 		# Assert
-	    Assert-AreEqual "" $policy.PrivilegedLogins
+	    Assert-AreEqual "" $policy.PrivilegedUsers
 
 		# Test adding a privileged login while being disabled
-		Set-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName -PrivilegedLogins "public" 
+		Set-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName -PrivilegedUsers "public" 
 		$policy = Get-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName
 
 		# Assert
-		Assert-AreEqual "" $policy.PrivilegedLogins
+		Assert-AreEqual "" $policy.PrivilegedUsers
 
 		# Test removing a privileged login while being disabled
-		Set-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName -PrivilegedLogins ""  
+		Set-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName -PrivilegedUsers ""  
 		$policy = Get-AzureRmSqlDatabaseDataMaskingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName  -DatabaseName $params.databaseName
 
 		# Assert
-		Assert-AreEqual "" $policy.PrivilegedLogins
+		Assert-AreEqual "" $policy.PrivilegedUsers
 	}
 	finally
 	{

src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/ThreatDetectionTests.cs

@@ -0,0 +1,81 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.ScenarioTest.SqlTests;
+using Microsoft.Azure.Test;
+using Microsoft.Azure.Test.HttpRecorder;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.Sql.Test.ScenarioTests
+{
+    public class ThreatDetectionTests : SqlTestsBase
+    {
+        protected Management.Storage.StorageManagementClient GetStorageV2Client()
+        {
+            var client = TestBase.GetServiceClient<Management.Storage.StorageManagementClient>(new CSMTestEnvironmentFactory());
+            if (HttpMockServer.Mode == HttpRecorderMode.Playback)
+            {
+                client.LongRunningOperationInitialTimeout = 0;
+                client.LongRunningOperationRetryTimeout = 0;
+            }
+            return client;
+        }
+
+        protected override void SetupManagementClients()
+        {
+            var sqlCSMClient = GetSqlClient();
+            var storageClient = GetStorageClient();
+            var storageV2Client = GetStorageV2Client();
+            var resourcesClient = GetResourcesClient();
+            var authorizationClient = GetAuthorizationManagementClient();
+            helper.SetupSomeOfManagementClients(sqlCSMClient, storageClient, storageV2Client, resourcesClient, authorizationClient);
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.Sql)]
+        public void ThreatDetectionDatabaseGetDefualtPolicy()
+        {
+            RunPowerShellTest("Test-ThreatDetectionDatabaseGetDefualtPolicy");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.Sql)]
+        public void ThreatDetectionDatabaseUpdatePolicy()
+        {
+            RunPowerShellTest("Test-ThreatDetectionDatabaseUpdatePolicy");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.Sql)]
+        public void DisablingThreatDetection()
+        {
+            RunPowerShellTest("Test-DisablingThreatDetection");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.Sql)]
+        public void InvalidArgumentsThreatDetection()
+        {
+            RunPowerShellTest("Test-InvalidArgumentsThreatDetection");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.Sql)]
+        public void ThreatDetectionOnSawaServer()
+        {
+            RunPowerShellTest("Test-ThreatDetectionOnSawaServer");
+        }
+    }
+}