[Storage] Support Idenity SAS (Azure#10542)

Author: blueww

src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.cs

@@ -93,6 +93,13 @@ public void TestSetCurrentStorageAccount()
             TestRunner.RunTestScript("Test-SetAzureRmCurrentStorageAccount");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestRevokeAzStorageAccountUserDelegationKeys()
+        {
+            TestRunner.RunTestScript("Test-RevokeAzStorageAccountUserDelegationKeys");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestSetAzureRmStorageAccountKeySource()

src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.ps1

@@ -507,6 +507,41 @@ function Test-SetAzureRmCurrentStorageAccount
     }
 }
 
+<#
+.SYNOPSIS
+Test Revoke-AzStorageAccountUserDelegationKeys
+.DESCRIPTION
+SmokeTest
+#>
+function Test-RevokeAzStorageAccountUserDelegationKeys
+{
+ # Setup
+    $rgname = Get-StorageManagementTestResourceName
+
+    try
+    {
+        # Test
+        $stoname = 'sto' + $rgname
+        $stotype = 'Standard_LRS'
+        $loc = Get-ProviderLocation ResourceManagement
+
+        New-AzResourceGroup -Name $rgname -Location $loc
+        New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -Type $stotype
+		
+		# revoke with storage account name and resoruce group name
+		Revoke-AzStorageAccountUserDelegationKeys -ResourceGroupName $rgname  -Name $stoname
+
+		# revoke with pipeline
+        Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname  -Name $stoname }
+        $global:sto | Revoke-AzStorageAccountUserDelegationKeys
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
+
 <#
 .SYNOPSIS
 Test NetworkRule

src/Storage/Storage.Management.Test/SessionRecords/Microsoft.Azure.Commands.Management.Storage.Test.ScenarioTests.StorageAccountTests/TestRevokeAzStorageAccountUserDelegationKeys.json

@@ -155,6 +155,7 @@ CmdletsToExport = 'Get-AzStorageAccount', 'Get-AzStorageAccountKey',
                'Get-AzStorageBlobServiceProperty', 
                'Enable-AzStorageBlobDeleteRetentionPolicy', 
                'Disable-AzStorageBlobDeleteRetentionPolicy', 
+               'Revoke-AzStorageAccountUserDelegationKeys',
                'Get-AzStorageFileHandle', 'Close-AzStorageFileHandle', 
                'New-AzRmStorageShare', 'Remove-AzRmStorageShare', 
                'Get-AzRmStorageShare', 'Update-AzRmStorageShare'
@@ -194,12 +195,11 @@ PrivateData = @{
         # IconUri = ''
 
         # ReleaseNotes of this module
-        ReleaseNotes = '* Support enable Large File share when create or update Storage account
-    -  New-AzStorageAccount
-    -  Set-AzStorageAccount
-* When close/get File handle, skip check the input path is File directory or File, to avoid failure with object in DeletePending status
-    -  Get-AzStorageFileHandle
-    -  Close-AzStorageFileHandle'
+        ReleaseNotes = '* Support generate Blob/Constainer Idenity based SAS token with Storage Context based on Oauth authentication
+    - New-AzStorageContainerSASToken
+    - New-AzStorageBlobSASToken
+* Support revoke Storage Account User Delegation Keys, so all Idenity SAS tokens are revoked
+    - Revoke-AzStorageAccountUserDelegationKeys'
 
         # Prerelease string of this module
         # Prerelease = ''

src/Storage/Storage.Management/Az.Storage.psd1

@@ -18,6 +18,11 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Support generate Blob/Constainer Idenity based SAS token with Storage Context based on Oauth authentication
+    - New-AzStorageContainerSASToken
+    - New-AzStorageBlobSASToken
+* Support revoke Storage Account User Delegation Keys, so all Idenity SAS tokens are revoked
+    - Revoke-AzStorageAccountUserDelegationKeys
 
 ## Version 1.9.0
 * Support enable Large File share when create or update Storage account

src/Storage/Storage.Management/ChangeLog.md

@@ -0,0 +1,114 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Management.Storage.Models;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using Microsoft.Azure.Management.Storage;
+using Microsoft.Azure.Management.Storage.Models;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Management.Storage
+{
+    [Cmdlet("Revoke", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "StorageAccountUserDelegationKeys", SupportsShouldProcess = true, DefaultParameterSetName = AccountNameParameterSet), OutputType(typeof(bool))]
+    public class RevokeAzureStorageAccountUserDelegationKeysCommand : StorageAccountBaseCmdlet
+    {
+        /// <summary>
+        /// AccountName Parameter Set
+        /// </summary>
+        private const string AccountNameParameterSet = "AccountName";
+
+        /// <summary>
+        /// Account object parameter set 
+        /// </summary>
+        private const string AccountObjectParameterSet = "AccountObject";
+
+        /// <summary>
+        /// Account ResourceId  parameter set 
+        /// </summary>
+        private const string AccountResourceIdParameterSet = "AccountResourceId";
+
+        [Parameter(
+          Position = 0,
+          Mandatory = true,
+          HelpMessage = "The resource group name containing the storage account resource.",
+         ParameterSetName = AccountNameParameterSet)]
+        [ResourceGroupCompleter]
+        [ValidateNotNullOrEmpty]
+        public string ResourceGroupName { get; set; }
+
+        [Parameter(
+            Position = 1,
+            Mandatory = true,
+            HelpMessage = "The name of the storage account resource.",
+           ParameterSetName = AccountNameParameterSet)]
+        [ResourceNameCompleter("Microsoft.Storage/storageAccounts", nameof(ResourceGroupName))]
+        [Alias(AccountNameAlias, NameAlias)]
+        [ValidateNotNullOrEmpty]
+        public string StorageAccountName { get; set; }
+
+        [Parameter(Mandatory = true,
+            HelpMessage = "A storage account object, returned by Get_AzStorageAccount, New-AzStorageAccount.",
+            ValueFromPipeline = true,
+            ParameterSetName = AccountObjectParameterSet)]
+        [Alias("StorageAccount")]        
+        [ValidateNotNullOrEmpty]
+        public PSStorageAccount InputObject { get; set; }
+
+        [Parameter(
+            Position = 0,
+            Mandatory = true,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Storage Account Resource Id.",
+           ParameterSetName = AccountResourceIdParameterSet)]
+        [Alias("StorageAccountResourceId")]
+        [ValidateNotNullOrEmpty]
+        public string ResourceId { get; set; }
+
+        [Parameter(Mandatory = false)]
+        public SwitchParameter PassThru { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+            if (ShouldProcess(this.StorageAccountName, "Remove Storage Account user delegation keys"))
+            {
+                switch (ParameterSetName)
+                {
+                    case AccountObjectParameterSet:
+                        this.ResourceGroupName = InputObject.ResourceGroupName;
+                        this.StorageAccountName = InputObject.StorageAccountName;
+                        break;
+                    case AccountResourceIdParameterSet:
+                        ResourceIdentifier accountResource = new ResourceIdentifier(ResourceId);
+                        this.ResourceGroupName = accountResource.ResourceGroupName;
+                        this.StorageAccountName = accountResource.ResourceName;
+                        break;
+                    default:
+                        // For AccountNameParameterSet, the ResourceGroupName and StorageAccountName can get from input directly
+                        break;
+                }
+
+                this.StorageClient.StorageAccounts.RevokeUserDelegationKeys(
+                    this.ResourceGroupName,
+                    this.StorageAccountName);
+
+                if (PassThru.IsPresent)
+                {
+                    WriteObject(true);
+                }
+            }
+        }
+    }
+}

src/Storage/Storage.Management/StorageAccount/RevokeAzStorageAccountUserDelegationKeys.cs

@@ -34,6 +34,7 @@ public abstract class StorageAccountBaseCmdlet : AzureRMCmdlet
 
         protected const string StorageAccountNameAlias = "StorageAccountName";
         protected const string AccountNameAlias = "AccountName";
+        protected const string NameAlias = "Name";
 
         protected const string StorageAccountTypeAlias = "StorageAccountType";
         protected const string AccountTypeAlias = "AccountType";

src/Storage/Storage.Management/StorageAccount/StorageAccountBaseCmdlet.cs

@@ -257,6 +257,9 @@ Removes a storage table.
 ### [Remove-AzStorageTableStoredAccessPolicy](Remove-AzStorageTableStoredAccessPolicy.md)
 Removes a stored access policy from an Azure storage table.
 
+### [Revoke-AzStorageAccountUserDelegationKeys](Revoke-AzStorageAccountUserDelegationKeys.md)
+Revoke all User Delegation keys of a Storage account.
+
 ### [Set-AzCurrentStorageAccount](Set-AzCurrentStorageAccount.md)
 Modifies the current Storage account of the specified subscription.
 

src/Storage/Storage.Management/help/Az.Storage.md

@@ -18,29 +18,31 @@ Generates a SAS token for an Azure storage blob.
 New-AzStorageBlobSASToken [-Container] <String> [-Blob] <String> [-Permission <String>]
  [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
  [-ExpiryTime <DateTime>] [-FullUri] [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### BlobPipelineWithPolicy
 ```
 New-AzStorageBlobSASToken -CloudBlob <CloudBlob> -Policy <String> [-Protocol <SharedAccessProtocol>]
  [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
- [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
 ```
 
 ### BlobPipelineWithPermission
 ```
 New-AzStorageBlobSASToken -CloudBlob <CloudBlob> [-Permission <String>] [-Protocol <SharedAccessProtocol>]
  [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
- [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
 ```
 
 ### BlobNameWithPolicy
 ```
 New-AzStorageBlobSASToken [-Container] <String> [-Blob] <String> -Policy <String>
  [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
  [-ExpiryTime <DateTime>] [-FullUri] [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -64,6 +66,16 @@ PS C:\> New-AzStorageBlobSASToken -Container "ContainerName" -Blob "BlobName" -P
 
 This example generates a blob SAS token with life time.
 
+### Example 3: Generate a User Identity SAS token with storage context based on OAuth authentication
+```
+PS C:\> $ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount
+PS C:\> $StartTime = Get-Date
+PS C:\> $EndTime = $startTime.AddDays(6)
+PS C:\> New-AzStorageBlobSASToken -Container "ContainerName" -Blob "BlobName" -Permission rwd -StartTime $StartTime -ExpiryTime $EndTime -context $ctx
+```
+
+This example generates a User Identity blob SAS token with storage context based on OAuth authentication
+
 ## PARAMETERS
 
 ### -Blob
@@ -114,6 +126,7 @@ Accept wildcard characters: False
 
 ### -Context
 Specifies the storage context.
+When the storage context is based on OAuth authentication, will generates a User Identity blob SAS token.
 
 ```yaml
 Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.IStorageContext
@@ -144,6 +157,7 @@ Accept wildcard characters: False
 
 ### -ExpiryTime
 Specifies when the shared access signature expires.
+When the storage context is based on OAuth authentication, the expire time must be in 7 days from current time, and must not be earlier than current time.
 
 ```yaml
 Type: System.Nullable`1[System.DateTime]
@@ -254,6 +268,36 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs. The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### CommonParameters
 This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).