[Storage] Support Encryption Scope dataplane (#11676)

Author: blueww

src/Storage/Storage.Management.Test/ScenarioTests/StorageDataPlaneTests.ps1

@@ -277,6 +277,17 @@ function Test-Blob
 		$immutabilityPolicy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ContainerName $containerName
 		Remove-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ContainerName $containerName -Etag $immutabilityPolicy.Etag
 
+		# Encryption Scope Test
+		$scopename = "testscope"
+		$containerName2 = "testscopecontainer"
+		New-AzStorageEncryptionScope -ResourceGroupName $ResourceGroupName -StorageAccountName $storageAccountName -EncryptionScopeName $scopename -StorageEncryption
+		$container = New-AzStorageContainer -Name $containerName2 -Context $storageContext -DefaultEncryptionScope $scopeName2 -PreventEncryptionScopeOverride $true
+		Assert-AreEqual $scopename $container.BlobContainerProperties.DefaultEncryptionScope
+		Assert-AreEqual $true $container.BlobContainerProperties.PreventEncryptionScopeOverride
+		$blob = Set-AzStorageBlobContent -Context $storageContext -File $localSrcFile -Container $containerName -Blob encryscopetest  -EncryptionScope $scopename
+		Assert-AreEqual $scopename $blob.BlobProperties.EncryptionScope
+		Remove-AzStorageContainer -Name $containerName2 -Force -Context $storageContext
+
         # Clean Storage Account
         Remove-AzStorageContainer -Name $containerName -Force -Context $storageContext
 

src/Storage/Storage.Management/Blob/NewAzureStorageContainer.cs

@@ -102,6 +102,7 @@ public class NewAzureStorageContainerCommand : StorageBlobBaseCmdlet
         [Parameter(HelpMessage = "Default the container to use specified encryption scope for all writes.",
             Mandatory = true,
             ParameterSetName = AccountObjectEncryptionScopeParameterSet)]
+        [ValidateNotNullOrEmpty]
         public string DefaultEncryptionScope { get; set; }
 
         [Parameter(HelpMessage = "Block override of encryption scope from the container default.",

src/Storage/Storage.Management/ChangeLog.md

@@ -18,12 +18,15 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Supported create container and upload blob with Encryption Scope setting
+    - `New-AzStorageContainer`
+    - `Set-AzStorageBlobContent`
 * Add RestorePolicy.LastEnabledTime to cmdlet output
     - `Get-AzStorageBlobServiceProperty`
     - `Enable-AzStorageBlobRestorePolicy`
 * Fixed #9880: Change NetWorkRule DefaultAction value defination to align with swagger.
-	- Update-AzStorageAccountNetworkRuleSet
-	- Get-AzStorageAccountNetworkRuleSet
+    - `Update-AzStorageAccountNetworkRuleSet`
+    - `Get-AzStorageAccountNetworkRuleSet`
 * Fixed #11624: Skip duplicated rules when add NetworkRules, to avoid server failure
     - `Add-AzStorageAccountNetworkRule`
 

src/Storage/Storage.Management/help/New-AzRmStorageContainer.md

@@ -250,7 +250,7 @@ Accept wildcard characters: False
 ```
 
 ### CommonParameters
-This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS
 

src/Storage/Storage.Management/help/New-AzStorageContainer.md

@@ -13,12 +13,21 @@ Creates an Azure storage container.
 
 ## SYNTAX
 
+### ContainerName (Default)
 ```
 New-AzStorageContainer [-Name] <String> [[-Permission] <BlobContainerPublicAccessType>]
  [-Context <IStorageContext>] [-ServerTimeoutPerRequest <Int32>] [-ClientTimeoutPerRequest <Int32>]
  [-DefaultProfile <IAzureContextContainer>] [-ConcurrentTaskCount <Int32>] [<CommonParameters>]
 ```
 
+### EncryptionScope
+```
+New-AzStorageContainer [-Name] <String> [[-Permission] <BlobContainerPublicAccessType>]
+ -DefaultEncryptionScope <String> -PreventEncryptionScopeOverride <Boolean> [-Context <IStorageContext>]
+ [-ServerTimeoutPerRequest <Int32>] [-ClientTimeoutPerRequest <Int32>]
+ [-DefaultProfile <IAzureContextContainer>] [-ConcurrentTaskCount <Int32>] [<CommonParameters>]
+```
+
 ## DESCRIPTION
 The **New-AzStorageContainer** cmdlet creates an Azure storage container.
 
@@ -39,6 +48,19 @@ PS C:\>"container1 container2 container3".split() | New-AzStorageContainer -Perm
 This example creates multiple storage containers.
 It uses the **Split** method of the .NET **String** class and then passes the names on the pipeline.
 
+### Example 3: Create an Azure storage container with Encryption Scope
+```
+PS C:\> $container = New-AzStorageContainer  -Name "mycontainer" -DefaultEncryptionScope "myencryptscope" -PreventEncryptionScopeOverride $true 
+
+PS C:\> $container.BlobContainerProperties.DefaultEncryptionScope
+myencryptscope
+
+PS C:\> $container.BlobContainerProperties.PreventEncryptionScopeOverride
+True
+```
+
+This command creates a storage container, with default Encryption Scope as myencryptscope, and prevert blob upload with different Encryption Scope to this container.
+
 ## PARAMETERS
 
 ### -ClientTimeoutPerRequest
@@ -92,6 +114,21 @@ Accept pipeline input: True (ByPropertyName, ByValue)
 Accept wildcard characters: False
 ```
 
+### -DefaultEncryptionScope
+Default the container to use specified encryption scope for all writes.
+
+```yaml
+Type: System.String
+Parameter Sets: EncryptionScope
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -DefaultProfile
 The credentials, account, tenant, and subscription used for communication with Azure.
 
@@ -150,6 +187,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -PreventEncryptionScopeOverride
+Block override of encryption scope from the container default.
+
+```yaml
+Type: System.Boolean
+Parameter Sets: EncryptionScope
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ServerTimeoutPerRequest
 Specifies the service side time-out interval, in seconds, for a request.
 If the specified interval elapses before the service processes the request, the storage service returns an error.
@@ -167,7 +219,7 @@ Accept wildcard characters: False
 ```
 
 ### CommonParameters
-This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS
 

src/Storage/Storage.Management/help/Set-AzStorageBlobContent.md

@@ -17,28 +17,29 @@ Uploads a local file to an Azure Storage blob.
 ```
 Set-AzStorageBlobContent [-File] <String> [-Container] <String> [-Blob <String>] [-BlobType <String>]
  [-Properties <Hashtable>] [-Metadata <Hashtable>] [-PremiumPageBlobTier <PremiumPageBlobTier>]
- [-StandardBlobTier <String>] [-Force] [-AsJob] [-Context <IStorageContext>] [-ServerTimeoutPerRequest <Int32>]
- [-ClientTimeoutPerRequest <Int32>] [-DefaultProfile <IAzureContextContainer>] [-ConcurrentTaskCount <Int32>]
- [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-StandardBlobTier <String>] [-EncryptionScope <String>] [-Force] [-AsJob] [-Context <IStorageContext>]
+ [-ServerTimeoutPerRequest <Int32>] [-ClientTimeoutPerRequest <Int32>]
+ [-DefaultProfile <IAzureContextContainer>] [-ConcurrentTaskCount <Int32>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
 ```
 
 ### ContainerPipeline
 ```
 Set-AzStorageBlobContent [-File] <String> [-Blob <String>] -CloudBlobContainer <CloudBlobContainer>
  [-BlobType <String>] [-Properties <Hashtable>] [-Metadata <Hashtable>]
- [-PremiumPageBlobTier <PremiumPageBlobTier>] [-StandardBlobTier <String>] [-Force] [-AsJob]
- [-Context <IStorageContext>] [-ServerTimeoutPerRequest <Int32>] [-ClientTimeoutPerRequest <Int32>]
+ [-PremiumPageBlobTier <PremiumPageBlobTier>] [-StandardBlobTier <String>] [-EncryptionScope <String>] [-Force]
+ [-AsJob] [-Context <IStorageContext>] [-ServerTimeoutPerRequest <Int32>] [-ClientTimeoutPerRequest <Int32>]
  [-DefaultProfile <IAzureContextContainer>] [-ConcurrentTaskCount <Int32>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
 ### BlobPipeline
 ```
 Set-AzStorageBlobContent [-File] <String> -CloudBlob <CloudBlob> [-BlobType <String>] [-Properties <Hashtable>]
- [-Metadata <Hashtable>] [-PremiumPageBlobTier <PremiumPageBlobTier>] [-StandardBlobTier <String>] [-Force]
- [-AsJob] [-Context <IStorageContext>] [-ServerTimeoutPerRequest <Int32>] [-ClientTimeoutPerRequest <Int32>]
- [-DefaultProfile <IAzureContextContainer>] [-ConcurrentTaskCount <Int32>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-Metadata <Hashtable>] [-PremiumPageBlobTier <PremiumPageBlobTier>] [-StandardBlobTier <String>]
+ [-EncryptionScope <String>] [-Force] [-AsJob] [-Context <IStorageContext>] [-ServerTimeoutPerRequest <Int32>]
+ [-ClientTimeoutPerRequest <Int32>] [-DefaultProfile <IAzureContextContainer>] [-ConcurrentTaskCount <Int32>]
+ [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -97,6 +98,16 @@ PS C:\> Set-AzStorageBlobContent -File "ContosoPlanning" -Container "ContosoUplo
 
 This command  uploads the file that is named ContosoPlanning to the container named ContosoUploads with specified blob properties, and set StandardBlobTier as Cool.
 
+### Example 7: Upload a file to a blob with Encryption Scope
+```
+PS C:\> $blob = Set-AzStorageBlobContent  -File "mylocalfile" -Container "mycontainer" -Blob "myblob"  -EncryptionScope "myencryptscope"
+
+PS C:\> $blob.BlobProperties.EncryptionScope
+myencryptscope
+```
+
+This command  uploads a file to a blob with Encryption Scope.
+
 ## PARAMETERS
 
 ### -AsJob
@@ -267,6 +278,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -EncryptionScope
+Encryption scope to be used when making requests to the blob.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -File
 Specifies a local file path for a file to upload as blob content.
 
@@ -331,7 +357,7 @@ Page Blob Tier
 Type: Microsoft.Azure.Storage.Blob.PremiumPageBlobTier
 Parameter Sets: (All)
 Aliases:
-Accepted values: Unknown, P4, P6, P10, P20, P30, P40, P50, P60
+Accepted values: Unknown, P4, P6, P10, P20, P30, P40, P50, P60, P70, P80
 
 Required: False
 Position: Named
@@ -380,6 +406,7 @@ See detail in https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-
 Type: System.String
 Parameter Sets: (All)
 Aliases:
+Accepted values: Hot, Cool, Archive
 
 Required: False
 Position: Named
@@ -420,7 +447,7 @@ Accept wildcard characters: False
 ```
 
 ### CommonParameters
-This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS
 

src/Storage/Storage/Blob/Cmdlet/NewAzureStorageContainer.cs

@@ -22,14 +22,27 @@ namespace Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet
     using System.Management.Automation;
     using System.Security.Permissions;
     using System.Threading.Tasks;
+    using global::Azure.Storage.Blobs;
+    using global::Azure.Storage.Blobs.Models;
+    using global::Azure;
 
     /// <summary>
     /// create a new azure container
     /// </summary>
-    [Cmdlet("New", Azure.Commands.ResourceManager.Common.AzureRMConstants.AzurePrefix + "StorageContainer"),OutputType(typeof(AzureStorageContainer))]
+    [Cmdlet("New", Azure.Commands.ResourceManager.Common.AzureRMConstants.AzurePrefix + "StorageContainer", DefaultParameterSetName = ContainerNameParameterSet),OutputType(typeof(AzureStorageContainer))]
     [Alias("New-" + Azure.Commands.ResourceManager.Common.AzureRMConstants.AzurePrefix + "DatalakeGen2FileSystem")]
     public class NewAzureStorageContainerCommand : StorageCloudBlobCmdletBase
     {
+        /// <summary>
+        /// Container Name parameter
+        /// </summary>
+        private const string ContainerNameParameterSet = "ContainerName";
+
+        /// <summary>
+        /// Container create with EncryptionScope parameter
+        /// </summary>
+        private const string EncryptionScopeParameterSet = "EncryptionScope";
+
         [Alias("N", "Container")]
         [Parameter(Position = 0, Mandatory = true, HelpMessage = "Container name",
             ValueFromPipeline = true, ValueFromPipelineByPropertyName = true)]
@@ -47,6 +60,29 @@ public BlobContainerPublicAccessType? Permission
         }
         private BlobContainerPublicAccessType accessLevel = BlobContainerPublicAccessType.Off;
 
+        [Parameter(HelpMessage = "Default the container to use specified encryption scope for all writes.",
+            Mandatory = true,
+            ParameterSetName = EncryptionScopeParameterSet)]
+        [ValidateNotNullOrEmpty]
+        public string DefaultEncryptionScope { get; set; }
+
+        [Parameter(HelpMessage = "Prevent override of encryption scope from the container default.",
+            Mandatory = true,
+            ParameterSetName = EncryptionScopeParameterSet)]
+        [ValidateNotNullOrEmpty]
+        public bool PreventEncryptionScopeOverride
+        {
+            get
+            {
+                return preventEncryptionScopeOverride is null ? false : preventEncryptionScopeOverride.Value;
+            }
+            set
+            {
+                preventEncryptionScopeOverride = value;
+            }
+        }
+        private bool? preventEncryptionScopeOverride;
+
         /// <summary>
         /// Initializes a new instance of the NewAzureStorageContainerCommand class.
         /// </summary>
@@ -77,18 +113,37 @@ internal async Task CreateAzureContainer(long taskId, IStorageBlobManagement loc
 
             BlobRequestOptions requestOptions = RequestOptions;
             CloudBlobContainer container = localChannel.GetContainerReference(name);
+            BlobContainerClient containerClient = AzureStorageContainer.GetTrack2BlobContainerClient(container, localChannel.StorageContext);
 
-            BlobContainerPermissions permissions = new BlobContainerPermissions();
-
-            permissions.PublicAccess = accesslevel;
+            PublicAccessType containerPublicAccess = PublicAccessType.None;
+            if (accesslevel == BlobContainerPublicAccessType.Blob)
+            {
+                containerPublicAccess = PublicAccessType.Blob;
+            }
+            else if (accesslevel == BlobContainerPublicAccessType.Container)
+            {
+                containerPublicAccess = PublicAccessType.BlobContainer;
+            }
 
-            bool created = await localChannel.CreateContainerIfNotExistsAsync(container, permissions.PublicAccess, requestOptions, OperationContext, CmdletCancellationToken).ConfigureAwait(false);
+            BlobContainerEncryptionScopeOptions encryptionScopeOption = null;
+            if (this.DefaultEncryptionScope != null)
+            {
+                encryptionScopeOption = new BlobContainerEncryptionScopeOptions()
+                {
+                    // parameterset can ensure the 2 parameters must be set together.
+                    DefaultEncryptionScope = this.DefaultEncryptionScope,
+                    PreventEncryptionScopeOverride = this.preventEncryptionScopeOverride.Value
+                };
+            }
 
-            if (!created)
+            Response<BlobContainerInfo> responds  = await containerClient.CreateIfNotExistsAsync(containerPublicAccess, null, encryptionScopeOption, CmdletCancellationToken).ConfigureAwait(false);
+            if (responds == null || responds.Value == null) // Container already exist so not created again
             {
                 throw new ResourceAlreadyExistException(String.Format(Resources.ContainerAlreadyExists, name));
             }
 
+            BlobContainerPermissions permissions = new BlobContainerPermissions() { PublicAccess = accesslevel };
+            container.FetchAttributes();
             WriteCloudContainerObject(taskId, localChannel, container, permissions);
         }