
Commit b927cd6

Support setting secondary storage key in blob auditing and use the current AuditType for setPolicy if not configured
update tests and add comments
1 parent 1b5d6e5 commit b927cd6

16 files changed

+242
-3576
lines changed

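--- a/src/ResourceManager/Sql/Commands.Sql.Test/Commands.Sql.Test.csproj
+++ b/src/ResourceManager/Sql/Commands.Sql.Test/Commands.Sql.Test.csproj
@@ -474,18 +474,15 @@
 <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.AuditingTests\TestAuditingUseServerDefault.json">
 <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 </None>
-<None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.AuditingTests\TestAuditingWithAuditActionsAndAuditActionGroups.json">
-<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-</None>
-<None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.AuditingTests\TestBlobAuditingDatabaseUpdatePolicyWithAuditActionGroups.json">
-<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-</None>
 <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.AuditingTests\TestBlobAuditingOnDatabase.json">
 <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 </None>
 <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.AuditingTests\TestBlobAuditingOnServer.json">
 <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 </None>
+<None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.AuditingTests\TestBlobAuditingWithAuditActionGroups.json">
+<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+</None>
 <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.AuditingTests\TestDatatabaseAuditingTypeMigration.json">
 <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 </None>
@@ -495,6 +492,9 @@
 <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.AuditingTests\TestServerAuditingTypeMigration.json">
 <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 </None>
+<None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.AuditingTests\TestTableAuditingWithAuditActionsAndAuditActionGroups.json">
+<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+</None>
 <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.DatabaseActivationTests\TestDatabasePauseResume.json">
 <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 </None>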

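--- a/src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/AuditingTests.cs
+++ b/src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/AuditingTests.cs
@@ -258,9 +258,9 @@ public void TestBlobAuditingWithAuditActionGroups()
 
 [Fact]
 [Trait(Category.AcceptanceType, Category.CheckIn)]
-public void TestAuditingWithAuditActionsAndAuditActionGroups()
+public void TestTableAuditingWithAuditActionsAndAuditActionGroups()
 {
-RunPowerShellTest("Test-AuditingWithAuditActionsAndAuditActionGroups");
+RunPowerShellTest("Test-TableAuditingWithAuditActionsAndAuditActionGroups");
 }
 }
 }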

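--- a/src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/AuditingTests.ps1
+++ b/src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/AuditingTests.ps1
@@ -207,6 +207,16 @@ function Test-AuditingDatabaseUpdatePolicyWithEventTypes
 Assert-True {$policy.EventType.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditEventType]::ParameterizedSQL_Success)}
 Assert-True {$policy.EventType.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditEventType]::ParameterizedSQL_Failure)}
 
+# Test - when updating table auditing policy for existing one without event type, the audit event types won't change.
+Set-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -StorageAccountName $params.storageAccount
+$policy = Get-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
+
+# Assert
+Assert-AreEqual $policy.EventType.Length 3
+Assert-True {$policy.EventType.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditEventType]::PlainSQL_Success)}
+Assert-True {$policy.EventType.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditEventType]::ParameterizedSQL_Success)}
+Assert-True {$policy.EventType.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditEventType]::ParameterizedSQL_Failure)}
+
 # Test
 Set-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -StorageAccountName $params.storageAccount -EventType "None"
 $policy = Get-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
@@ -251,6 +261,15 @@ function Test-AuditingServerUpdatePolicyWithEventTypes
 Assert-True {$policy.EventType.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditEventType]::ParameterizedSQL_Success)}
 Assert-True {$policy.EventType.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditEventType]::ParameterizedSQL_Failure)}
 
+# Test - when updating table auditing policy for existing one without event type, the audit event types won't change.
+Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -StorageAccountName $params.storageAccount
+$policy = Get-AzureRmSqlServerAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName
+
+# Assert
+Assert-AreEqual $policy.EventType.Length 3
+Assert-True {$policy.EventType.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditEventType]::PlainSQL_Success)}
+Assert-True {$policy.EventType.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditEventType]::ParameterizedSQL_Success)}
+Assert-True {$policy.EventType.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditEventType]::ParameterizedSQL_Failure)}
 
 # Test
 Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -StorageAccountName $params.storageAccount -EventType "None"
@@ -887,8 +906,8 @@ function Test-BlobAuditingOnDatabase
 
 try
 {
-# Test
-Set-AzureRmSqlDatabaseAuditingPolicy -AuditType Blob -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -StorageAccountName $params.storageAccount -StorageKeyType "Primary" -AuditActionGroup "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP" -RetentionInDays 8
+# Test - Tests that when setting blob auditing policy on database without StorageKeyType parameter, it gets the default value - "Primary".
+Set-AzureRmSqlDatabaseAuditingPolicy -AuditType Blob -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -StorageAccountName $params.storageAccount -AuditActionGroup "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP" -RetentionInDays 8
 $policy = Get-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
 
 # Assert
@@ -899,6 +918,19 @@ function Test-BlobAuditingOnDatabase
 Assert-AreEqual $policy.AuditAction.Length 0
 Assert-AreEqual $policy.RetentionInDays 8
 Assert-True { $policy.StorageKeyType -eq "Primary"}
+
+# Test
+Set-AzureRmSqlDatabaseAuditingPolicy -AuditType Blob -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -StorageAccountName $params.storageAccount -StorageKeyType "Secondary" -AuditActionGroup "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP" -RetentionInDays 8
+$policy = Get-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
+
+# Assert
+Assert-AreEqual $policy.AuditState "Enabled"
+Assert-AreEqual $policy.AuditActionGroup.Length 2
+Assert-True {$policy.AuditActionGroup.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditActionGroups]::SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP)}
+Assert-True {$policy.AuditActionGroup.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditActionGroups]::FAILED_DATABASE_AUTHENTICATION_GROUP)}
+Assert-AreEqual $policy.AuditAction.Length 0
+Assert-AreEqual $policy.RetentionInDays 8
+Assert-True { $policy.StorageKeyType -eq "Secondary"}
 
 
 # Test
@@ -929,6 +961,19 @@ function Test-BlobAuditingOnServer
 
 try
 {
+# Test - Tests that when setting blob auditing policy on server without StorageKeyType parameter, it gets the default value - "Primary".
+Set-AzureRmSqlServerAuditingPolicy -AuditType Blob -ResourceGroupName $params.rgname -ServerName $params.serverName -StorageAccountName $params.storageAccount -AuditActionGroup "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP" -RetentionInDays 8
+$policy = Get-AzureRmSqlServerAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName
+
+# Assert
+Assert-AreEqual $policy.AuditState "Enabled"
+Assert-AreEqual $policy.AuditActionGroup.Length 2
+Assert-True {$policy.AuditActionGroup.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditActionGroups]::SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP)}
+Assert-True {$policy.AuditActionGroup.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditActionGroups]::FAILED_DATABASE_AUTHENTICATION_GROUP)}
+Assert-AreEqual $policy.AuditAction.Length 0
+Assert-AreEqual $policy.RetentionInDays 8
+Assert-AreEqual $policy.StorageKeyType "Primary"
+
 # Test
 Set-AzureRmSqlServerAuditingPolicy -AuditType Blob -ResourceGroupName $params.rgname -ServerName $params.serverName -StorageAccountName $params.storageAccount -StorageKeyType "Secondary" -AuditActionGroup "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP" -RetentionInDays 8
 $policy = Get-AzureRmSqlServerAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName
@@ -1035,7 +1080,7 @@ function Test-DatatabaseAuditingTypeMigration
 # Assert
 Assert-AreEqual $policy.AuditType ([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditType]::Table)
 
-# Test
+# Test
 Remove-AzureRmSqlDatabaseAuditing -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
 $policy = Get-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
 
@@ -1183,7 +1228,7 @@ function Test-BlobAuditingWithAuditActionGroups
 Assert-True {$policy.AuditActionGroup.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditActionGroups]::FAILED_DATABASE_AUTHENTICATION_GROUP)}
 Assert-True {$policy.AuditActionGroup.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditActionGroups]::BATCH_COMPLETED_GROUP)}
 
-# Test
+# Test - when setting blob auditing policy for database with audit action groups, the default audit action groups is being replaced by the new audit action groups.
 Set-AzureRmSqlDatabaseAuditingPolicy -AuditType Blob -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -StorageAccountName $params.storageAccount -AuditActionGroup "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP","DATABASE_OBJECT_PERMISSION_CHANGE_GROUP"
 $policy = Get-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
 
@@ -1210,7 +1255,7 @@ function Test-BlobAuditingWithAuditActionGroups
 Assert-True {$policy.AuditActionGroup.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditActionGroups]::DATABASE_OPERATION_GROUP)}
 Assert-True {$policy.AuditActionGroup.Contains([Microsoft.Azure.Commands.Sql.Auditing.Model.AuditActionGroups]::DATABASE_LOGOUT_GROUP)}
 
-# Test - when setting new blob auditing policy for server without audit action groups, the default audit action groups is set.
+# Test - when setting new blob auditing policy for server without audit action groups, the default audit action groups is set.
 Set-AzureRmSqlServerAuditingPolicy -AuditType Blob -ResourceGroupName $params.rgname -ServerName $params.serverName -StorageAccountName $params.storageAccount
 $policy = Get-AzureRmSqlServerAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName
 
@@ -1258,7 +1303,7 @@ function Test-BlobAuditingWithAuditActionGroups
 .SYNOPSIS
 Tests that trying to configure table auditing with audit actions or action groups fails.
 #>
-function Test-AuditingWithAuditActionsAndAuditActionGroups
+function Test-TableAuditingWithAuditActionsAndAuditActionGroups
 {
 $testSuffix = 50199
 Create-AuditingTestEnvironment $testSuffix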
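Review bot: The new StorageKeyType steps in Test-BlobAuditingOnDatabase and Test-BlobAuditingOnServer check the omitted-parameter default only before `"Secondary"` has been configured, so nothing in the visible hunks pins what a later update without `-StorageKeyType` does to a policy already using the secondary key. That case matters for audit continuity: if such an update silently falls back to `"Primary"` after the primary key has been rotated, audit records may stop reaching the storage account (the cmdlet code is not shown here, so this is inferred from the test comment about the default). After the `"Secondary"` assertions I would repeat the Set call without `-StorageKeyType` and assert the intended outcome explicitly, for example `Assert-AreEqual $policy.StorageKeyType "Secondary"` if preservation is the contract, mirroring the EventType-preservation step this commit adds. The database steps also use `Assert-True { $policy.StorageKeyType -eq "Secondary"}` where the server step uses `Assert-AreEqual $policy.StorageKeyType "Primary"`; using `Assert-AreEqual` in both would keep the two tests consistent. Both function bodies continue outside the visible hunks.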
