[Synapse] Add new cmdlets related to SQL rule baseline and sensitivity on Synapse SQL pool (#13759)

* Add 9 DW related cmdlets

* Save current status

* Revert ValueFromPipelineByPropertyName

* Add workspaceName and resourceGroupName to PSSqlPool

* Fix naming

* Update help doc

* update psd1

* Add SqlPoolName alias to basic SQL pool related commands

* Add test cases for new cmdlets

* Remove default parameter for Set-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline

* Remove default parameter set

* Update CredScan Suppressions and test case names

* Update TestVulnerabilityAssessmentBaseline.json

Co-authored-by: Dongwei Wang <[email protected]>

Author: idear1203

src/Synapse/Synapse.Test/ScenarioTests/Common.ps1

@@ -110,4 +110,30 @@ function Invoke-HandledCmdlet
             throw;
         }
     }
+}
+
+<#
+.SYNOPSIS
+Creates the test environment needed to perform the Sql auditing tests
+#>
+function Create-TestEnvironmentWithParams ($params, $location, $denyAsNetworkRuleDefaultAction = $False)
+{
+	Create-BasicTestEnvironmentWithParams $params $location
+	Wait-Seconds 10
+}
+
+<#
+.SYNOPSIS
+Creates the basic test environment needed to perform the Sql data security tests - resource group, server and database
+#>
+function Create-BasicTestEnvironmentWithParams ($params, $location)
+{
+	New-AzResourceGroup -Name $params.rgname -Location $location
+    New-AzStorageAccount -ResourceGroupName $params.rgname -Name $params.storageAccountName -Location $location -SkuName Standard_GRS -Kind StorageV2 -EnableHierarchicalNamespace $true
+	$workspaceName = $params.workspaceName
+	$workspaceLogin = $params.loginName
+	$workspacePassword = $params.pwd
+	$credentials = new-object System.Management.Automation.PSCredential($workspaceLogin, ($workspacePassword | ConvertTo-SecureString -asPlainText -Force))
+    New-AzSynapseWorkspace -ResourceGroupName  $params.rgname -WorkspaceName $params.workspaceName -Location $location -SqlAdministratorLoginCredential $credentials -DefaultDataLakeStorageAccountName $params.storageAccountName -DefaultDataLakeStorageFilesystem $params.fileSystemName
+	New-AzSynapseSqlPool -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName -PerformanceLevel $params.perfLevel
 }

src/Synapse/Synapse.Test/ScenarioTests/DataClassificationTests.cs

@@ -0,0 +1,49 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.Synapse.Test.ScenarioTests
+{
+    public class DataClassificationTests : SynapseTestBase
+    {
+        public XunitTracingInterceptor _logger;
+
+        public DataClassificationTests(Xunit.Abstractions.ITestOutputHelper output)
+        {
+            _logger = new XunitTracingInterceptor(output);
+            XunitTracingInterceptor.AddToContext(_logger);
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestDataClassificationOnSqlPool()
+        {
+            NewInstance.RunPsTest(
+                _logger,
+                "Test-DataClassificationOnSqlPool");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestEnableDisableRecommendationsOnSqlPool()
+        {
+            NewInstance.RunPsTest(
+                _logger,
+                "Test-EnableDisableRecommendationsOnSqlPool");
+        }
+    }
+}

src/Synapse/Synapse.Test/ScenarioTests/DataClassificationTests.ps1

@@ -0,0 +1,42 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.Synapse.Test.ScenarioTests
+{
+    public class VulnerabilityAssessmentTests : SynapseTestBase
+    {
+        public XunitTracingInterceptor _logger;
+
+        public VulnerabilityAssessmentTests(Xunit.Abstractions.ITestOutputHelper output)
+        {
+            _logger = new XunitTracingInterceptor(output);
+            XunitTracingInterceptor.AddToContext(_logger);
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestVulnerabilityAssessmentBaseline(){
+            NewInstance.RunPsTest(
+                _logger,
+                "Test-VulnerabilityAssessmentBaseline");
+        }
+    }
+}

src/Synapse/Synapse.Test/ScenarioTests/VulnerabilityAssessmentTests.cs

@@ -0,0 +1,199 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.SYNOPSIS
+Tests for vulnerability assessment baseline scenarios 
+#>
+function Test-VulnerabilityAssessmentBaseline
+{
+	# Setup
+	$testSuffix = getAssetName
+	Create-VulnerabilityAssessmentTestEnvironment $testSuffix
+	$params = Get-SqlVulnerabilityAssessmentTestEnvironmentParameters $testSuffix
+
+	try
+	{
+		# Turn on ATP
+		Enable-AzSynapseSqlAdvancedThreatProtection -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -DoNotConfigureVulnerabilityAssessment
+
+		Update-AzSynapseSqlPoolVulnerabilityAssessmentSetting -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+			 -StorageAccountName $params.storageAccountName
+
+		$ruleId = "VA2108"
+
+		# Get and remove baseline for non existing baseline
+		$baselineDoesntExistsErrorMessage = "Baseline does not exist for rule 'VA2108'."
+		Assert-ThrowsContains -script { Get-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName `
+		-SqlPoolName $params.sqlPoolName -RuleId $ruleId } -message $baselineDoesntExistsErrorMessage
+
+		Assert-ThrowsContains -script { Clear-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName `
+		-SqlPoolName $params.sqlPoolName -RuleId $ruleId } -message $baselineDoesntExistsErrorMessage
+
+		# Set baseline
+		$baselineToSet = @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None'), @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')
+		Set-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId -BaselineResult $baselineToSet
+		
+		# Get baseline and compare with what we sent
+		$baseline = Get-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId
+
+		Assert-AreEqual $params.rgname $baseline.ResourceGroupName
+		Assert-AreEqual $params.workspaceName $baseline.WorkspaceName
+		Assert-AreEqual $params.sqlPoolName $baseline.SqlPoolName
+		Assert-AreEqual $ruleId $baseline.RuleId
+		Assert-AreEqual $false $baseline.RuleAppliesToMaster
+		Assert-AreEqualArray $baselineToSet[0] $baseline.BaselineResult[0].Result
+		Assert-AreEqualArray $baselineToSet[1] $baseline.BaselineResult[1].Result
+
+		# Set baseline
+		$baselineToSet = @( 'Principal3', 'db_ddladmin', 'SQL_USER', 'None'), @( 'Principal4', 'db_ddladmin', 'SQL_USER', 'None')
+		Set-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId -BaselineResult $baselineToSet
+		
+		# Get baseline and compare with what we sent
+		$baseline = Get-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId
+
+		Assert-AreEqual $params.rgname $baseline.ResourceGroupName
+		Assert-AreEqual $params.workspaceName $baseline.WorkspaceName
+		Assert-AreEqual $params.sqlPoolName $baseline.SqlPoolName
+		Assert-AreEqual $ruleId $baseline.RuleId
+		Assert-AreEqual $false $baseline.RuleAppliesToMaster
+		Assert-AreEqualArray $baselineToSet[0] $baseline.BaselineResult[0].Result
+		Assert-AreEqualArray $baselineToSet[1] $baseline.BaselineResult[1].Result
+
+		# Clear baseline
+		Clear-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName `
+		-SqlPoolName $params.sqlPoolName -RuleId $ruleId
+
+		# Get and remove baseline for non existing baseline
+		Assert-ThrowsContains -script { Get-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName `
+		-SqlPoolName $params.sqlPoolName -RuleId $ruleId } -message $baselineDoesntExistsErrorMessage
+
+		Assert-ThrowsContains -script { Clear-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName `
+		-SqlPoolName $params.sqlPoolName -RuleId $ruleId } -message $baselineDoesntExistsErrorMessage
+
+		# Test RuleAppliesToMaster parameter
+		Set-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId -BaselineResult $baselineToSet
+
+		# We expect no baseline to be found on the master
+		Assert-ThrowsContains -script { Get-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName `
+		-SqlPoolName $params.sqlPoolName -RuleId $ruleId -RuleAppliesToMaster } -message $baselineDoesntExistsErrorMessage
+
+		Assert-ThrowsContains -script { Clear-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName `
+		-SqlPoolName $params.sqlPoolName -RuleId $ruleId -RuleAppliesToMaster} -message $baselineDoesntExistsErrorMessage
+
+		Set-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId -RuleAppliesToMaster -BaselineResult $baselineToSet
+
+		$baseline = Get-AzSynapseSqlPool -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName`
+		| Get-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -RuleId $ruleId -RuleAppliesToMaster
+		Assert-AreEqual $params.rgname $baseline.ResourceGroupName
+		Assert-AreEqual $params.workspaceName $baseline.WorkspaceName
+		Assert-AreEqual $params.sqlPoolName $baseline.SqlPoolName
+		Assert-AreEqual $ruleId $baseline.RuleId
+		Assert-AreEqual $true $baseline.RuleAppliesToMaster
+		Assert-AreEqualArray $baselineToSet[0] $baseline.BaselineResult[0].Result
+		Assert-AreEqualArray $baselineToSet[1] $baseline.BaselineResult[1].Result
+
+		Clear-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId -RuleAppliesToMaster
+
+		# piping scenario
+		Set-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId -BaselineResult $baselineToSet
+		
+		Get-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId | Set-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline
+
+		$baseline = Get-AzSynapseSqlPool -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName | Get-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline `
+		-RuleId $ruleId
+		Assert-AreEqual $params.rgname $baseline.ResourceGroupName
+		Assert-AreEqual $params.workspaceName $baseline.WorkspaceName
+		Assert-AreEqual $params.sqlPoolName $baseline.SqlPoolName
+		Assert-AreEqual $ruleId $baseline.RuleId
+		Assert-AreEqual $false $baseline.RuleAppliesToMaster
+		Assert-AreEqualArray $baselineToSet[0] $baseline.BaselineResult[0].Result
+		Assert-AreEqualArray $baselineToSet[1] $baseline.BaselineResult[1].Result
+
+		Get-AzSynapseSqlPool -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName | Clear-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline `
+		-RuleId $ruleId
+		Assert-ThrowsContains -script { Get-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName `
+		-SqlPoolName $params.sqlPoolName -RuleId $ruleId } -message $baselineDoesntExistsErrorMessage
+
+		# Test WhatIf parameter of Set-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline
+		Set-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId -BaselineResult $baselineToSet -WhatIf
+		
+		# See that exception is thrown because set settings was run with WhatIf
+		Assert-ThrowsContains -script { Clear-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId } -message $baselineDoesntExistsErrorMessage
+
+		# Test WhatIf parameter of Clear-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline
+		Set-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId -BaselineResult $baselineToSet
+
+		Clear-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName `
+		-SqlPoolName $params.sqlPoolName -RuleId $ruleId -WhatIf
+		
+		# See no exception is thrown because clear was run with WhatIf
+		Clear-AzSynapseSqlPoolVulnerabilityAssessmentRuleBaseline -ResourceGroupName $params.rgname -WorkspaceName $params.workspaceName -SqlPoolName $params.sqlPoolName `
+		-RuleId $ruleId
+	}
+	finally
+	{
+		# Cleanup
+		Remove-VulnerabilityAssessmentTestEnvironment $testSuffix
+	}
+}
+
+<#
+.SYNOPSIS
+Creates the test environment needed to perform the tests
+#>
+function Create-VulnerabilityAssessmentTestEnvironment ($testSuffix, $location = "West Central US")
+{
+	$params = Get-SqlVulnerabilityAssessmentTestEnvironmentParameters $testSuffix
+	Create-TestEnvironmentWithParams $params $location
+}
+
+<#
+.SYNOPSIS
+Gets the values of the parameters used at the tests
+#>
+function Get-SqlVulnerabilityAssessmentTestEnvironmentParameters ($testSuffix)
+{
+	return @{ rgname = "sql-va-cmdlet-test-rg" +$testSuffix;
+			  workspaceName = "sqlvaws" +$testSuffix;
+			  sqlPoolName = "sqlvapool" + $testSuffix;
+			  storageAccountName = "sqlvastorage" + $testSuffix;
+			  fileSystemName = "sqlvacmdletfs" + $testSuffix;
+			  loginName = "testlogin";
+			  pwd = "testp@ssMakingIt1007Longer";
+			  perfLevel = 'DW200c'
+		}
+}
+
+<#
+.SYNOPSIS
+Removes the test environment that was needed to perform the tests
+#>
+function Remove-VulnerabilityAssessmentTestEnvironment ($testSuffix)
+{
+	$params = Get-SqlVulnerabilityAssessmentTestEnvironmentParameters $testSuffix
+	Remove-AzResourceGroup -Name $params.rgname -Force
+}