[Storage] Support Encryption Scope (Azure#13610)

Author: blueww

src/Storage/Storage.Management.Test/ScenarioTests/StorageBlobTests.cs

@@ -45,6 +45,13 @@ public void TestStorageBlobContainer()
             TestController.NewInstance.RunPsTest(_logger, "Test-StorageBlobContainer");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestStorageBlobContainerEncryptionScope()
+        {
+            TestController.NewInstance.RunPsTest(_logger, "Test-StorageBlobContainerEncryptionScope");
+        }        
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestStorageBlobContainerLegalHold()

src/Storage/Storage.Management.Test/ScenarioTests/StorageBlobTests.ps1

@@ -143,6 +143,78 @@ function Test-StorageBlobContainer
     }
 }
 
+<#
+.SYNOPSIS
+Test StorageAccount container with Encryption Scope
+.DESCRIPTION
+SmokeTest
+#>
+function Test-StorageBlobContainerEncryptionScope
+{
+    # Setup
+    $rgname = Get-StorageManagementTestResourceName;
+
+    try
+    {
+        # Test
+        $stoname = 'sto' + $rgname;
+        $stotype = 'Standard_LRS';
+        $loc = Get-ProviderLocation ResourceManagement;
+        $kind = 'StorageV2'
+		$containerName = "container"+ $rgname
+		$containerName2 = "container2"+ $rgname
+		$scopeName = "testscope"
+		$scopeName2 = "testscope2"
+
+        Write-Verbose "RGName: $rgname | Loc: $loc"
+        New-AzResourceGroup -Name $rgname -Location $loc;
+
+        New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -Type $stotype -Kind $kind 
+        $stos = Get-AzStorageAccount -ResourceGroupName $rgname;
+		
+		# create Scope
+		New-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname -EncryptionScopeName $scopeName -StorageEncryption
+		$scope = Get-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname -EncryptionScopeName $scopeName
+		Assert-AreEqual $rgname $scope.ResourceGroupName
+		Assert-AreEqual $stoname $scope.StorageAccountName
+		Assert-AreEqual $scopeName $scope.Name
+		Assert-AreEqual "Microsoft.Storage" $scope.Source
+		Assert-AreEqual "Enabled" $scope.State
+		
+		# update Scope
+		$scope = Update-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname -EncryptionScopeName $scopeName -State Disabled 
+		Assert-AreEqual "Disabled" $scope.State
+		$scope = Update-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname -EncryptionScopeName $scopeName -State Enabled
+		Assert-AreEqual "Enabled" $scope.State
+		
+		#List Scope
+		New-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname -EncryptionScopeName $scopeName2 -StorageEncryption
+		$scopes = Get-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname 
+		Assert-AreEqual 2 $scopes.Count
+
+		#create container
+		New-AzRmStorageContainer -ResourceGroupName $rgname -StorageAccountName $stoname -Name $containerName -DefaultEncryptionScope $scopename -PreventEncryptionScopeOverride $true 
+		$container = Get-AzRmStorageContainer -ResourceGroupName $rgname -StorageAccountName $stoname -Name $containerName
+		Assert-AreEqual $rgname $container.ResourceGroupName
+		Assert-AreEqual $stoname $container.StorageAccountName
+		Assert-AreEqual $containerName $container.Name
+		Assert-AreEqual $scopename $container.DefaultEncryptionScope
+		Assert-AreEqual $true $container.DenyEncryptionScopeOverride
+		New-AzRmStorageContainer -ResourceGroupName $rgname -StorageAccountName $stoname -Name $containerName2 -DefaultEncryptionScope $scopename2 -PreventEncryptionScopeOverride $false 
+		$container2 = Get-AzRmStorageContainer -ResourceGroupName $rgname -StorageAccountName $stoname -Name $containerName2
+		Assert-AreEqual $rgname $container2.ResourceGroupName
+		Assert-AreEqual $stoname $container2.StorageAccountName
+		Assert-AreEqual $containerName2 $container2.Name
+		Assert-AreEqual $scopename2 $container2.DefaultEncryptionScope
+		Assert-AreEqual false $container2.DenyEncryptionScopeOverride
+		
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
 
 function Test-StorageBlobContainerLegalHold
 {

src/Storage/Storage.Management.Test/ScenarioTests/StorageDataPlaneTests.ps1

@@ -286,6 +286,17 @@ function Test-Blob
 		$immutabilityPolicy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ContainerName $containerName
 		Remove-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ContainerName $containerName -Etag $immutabilityPolicy.Etag
 
+		# Encryption Scope Test
+		$scopename = "testscope"
+		$containerName2 = "testscopecontainer"
+		New-AzStorageEncryptionScope -ResourceGroupName $ResourceGroupName -StorageAccountName $storageAccountName -EncryptionScopeName $scopename -StorageEncryption
+		$container = New-AzStorageContainer -Name $containerName2 -Context $storageContext -DefaultEncryptionScope $scopeName2 -PreventEncryptionScopeOverride $true
+		Assert-AreEqual $scopename $container.BlobContainerProperties.DefaultEncryptionScope
+		Assert-AreEqual $true $container.BlobContainerProperties.PreventEncryptionScopeOverride
+		$blob = Set-AzStorageBlobContent -Context $storageContext -File $localSrcFile -Container $containerName -Blob encryscopetest  -EncryptionScope $scopename
+		Assert-AreEqual $scopename $blob.BlobProperties.EncryptionScope
+		Remove-AzStorageContainer -Name $containerName2 -Force -Context $storageContext
+
         # Clean Storage Account
         Remove-AzStorageContainer -Name $containerName -Force -Context $storageContext
 

src/Storage/Storage.Management.Test/SessionRecords/Microsoft.Azure.Commands.Management.Storage.Test.ScenarioTests.StorageBlobTests/TestStorageBlobContainerEncryptionScope.json

@@ -178,7 +178,9 @@ CmdletsToExport = 'Get-AzStorageAccount', 'Get-AzStorageAccountKey',
                'New-AzStorageBlobRangeToRestore', 'Restore-AzStorageBlobRange', 
                'Set-AzDataLakeGen2AclRecursive', 
                'Update-AzDataLakeGen2AclRecursive', 
-               'Remove-AzDataLakeGen2AclRecursive'
+               'Remove-AzDataLakeGen2AclRecursive',
+               'New-AzStorageEncryptionScope','Update-AzStorageEncryptionScope',
+               'Get-AzStorageEncryptionScope'
 
 # Variables to export from this module
 # VariablesToExport = @()

src/Storage/Storage.Management/Az.Storage.psd1

@@ -35,12 +35,28 @@ public class NewAzureStorageContainerCommand : StorageBlobBaseCmdlet
         /// </summary>
         private const string AccountObjectParameterSet = "AccountObject";
 
+        /// <summary>
+        /// AccountName EncryptionScope Parameter Set
+        /// </summary>
+        private const string AccountNameEncryptionScopeParameterSet = "AccountNameEncryptionScope";
+
+        /// <summary>
+        /// Account object EncryptionScope parameter set 
+        /// </summary>
+        private const string AccountObjectEncryptionScopeParameterSet = "AccountObjectEncryptionScope";
+
         [Parameter(
             Position = 0,
             Mandatory = true,
             ValueFromPipelineByPropertyName = true,
             HelpMessage = "Resource Group Name.",
             ParameterSetName = AccountNameParameterSet)]
+        [Parameter(
+            Position = 0,
+            Mandatory = true,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Resource Group Name.",
+            ParameterSetName = AccountNameEncryptionScopeParameterSet)]
         [ValidateNotNullOrEmpty]
         public string ResourceGroupName { get; set; }
 
@@ -50,6 +66,12 @@ public class NewAzureStorageContainerCommand : StorageBlobBaseCmdlet
             ValueFromPipelineByPropertyName = true,
             HelpMessage = "Storage Account Name.",
             ParameterSetName = AccountNameParameterSet)]
+        [Parameter(
+            Position = 1,
+            Mandatory = true,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Storage Account Name.",
+            ParameterSetName = AccountNameEncryptionScopeParameterSet)]
         [Alias(AccountNameAlias)]
         [ValidateNotNullOrEmpty]
         public string StorageAccountName { get; set; }
@@ -59,6 +81,11 @@ public class NewAzureStorageContainerCommand : StorageBlobBaseCmdlet
             ValueFromPipeline = true,
             ValueFromPipelineByPropertyName = true,
             ParameterSetName = AccountObjectParameterSet)]
+        [Parameter(Mandatory = true,
+            HelpMessage = "Storage account object",
+            ValueFromPipeline = true,
+            ValueFromPipelineByPropertyName = true,
+            ParameterSetName = AccountObjectEncryptionScopeParameterSet)]
         [ValidateNotNullOrEmpty]
         public PSStorageAccount StorageAccount { get; set; }
 
@@ -70,6 +97,35 @@ public class NewAzureStorageContainerCommand : StorageBlobBaseCmdlet
         [ValidateNotNullOrEmpty]
         public string Name { get; set; }
 
+        [Parameter(HelpMessage = "Default the container to use specified encryption scope for all writes.",
+            Mandatory = true,
+            ParameterSetName = AccountNameEncryptionScopeParameterSet)]
+        [Parameter(HelpMessage = "Default the container to use specified encryption scope for all writes.",
+            Mandatory = true,
+            ParameterSetName = AccountObjectEncryptionScopeParameterSet)]
+        [ValidateNotNullOrEmpty]
+        public string DefaultEncryptionScope { get; set; }
+
+        [Parameter(HelpMessage = "Block override of encryption scope from the container default.",
+            Mandatory = true,
+            ParameterSetName = AccountNameEncryptionScopeParameterSet)]
+        [Parameter(HelpMessage = "Block override of encryption scope from the container default.",
+            Mandatory = true,
+            ParameterSetName = AccountObjectEncryptionScopeParameterSet)]
+        [ValidateNotNullOrEmpty]
+        public bool PreventEncryptionScopeOverride
+        {
+            get
+            {
+                return preventEncryptionScopeOverride is null ? false : preventEncryptionScopeOverride.Value;
+            }
+            set
+            {
+                preventEncryptionScopeOverride = value;
+            }
+        }
+        private bool? preventEncryptionScopeOverride;
+
         [Parameter(HelpMessage = "Container PublicAccess", Mandatory = false)]
         [ValidateNotNullOrEmpty]
         public PSPublicAccess PublicAccess
@@ -112,6 +168,8 @@ public override void ExecuteCmdlet()
                             this.StorageAccountName,
                             this.Name,
                             new BlobContainer(
+                                defaultEncryptionScope: this.DefaultEncryptionScope,
+                                denyEncryptionScopeOverride: this.preventEncryptionScopeOverride,
                                 publicAccess: (PublicAccess?)this.publicAccess,
                                 metadata: MetadataDictionary));
 

src/Storage/Storage.Management/Blob/NewAzureStorageContainer.cs

@@ -18,6 +18,14 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Support create/update/get/list EncryptionScope of a Storage account
+    - `New-AzStorageEncryptionScope`
+    - `Update-AzStorageEncryptionScope`
+    - `Get-AzStorageEncryptionScope`
+* Supported create container and upload blob with Encryption Scope setting
+    - `New-AzRmStorageContainer`
+    - `New-AzStorageContainer`
+    - `Set-AzStorageBlobContent`
 
 ## Version 3.1.0
 * Supported upload Azure File size up to 4 TiB

src/Storage/Storage.Management/ChangeLog.md

@@ -45,6 +45,8 @@ public PSContainer(StorageModels.ListContainerItem container)
             this.LeaseDuration = container.LeaseDuration;
             this.HasLegalHold = container.HasLegalHold;
             this.HasImmutabilityPolicy = container.HasImmutabilityPolicy;
+            this.DefaultEncryptionScope = container.DefaultEncryptionScope;
+            this.DenyEncryptionScopeOverride = container.DenyEncryptionScopeOverride;
         }
 
         public PSContainer(BlobContainer container)
@@ -65,6 +67,8 @@ public PSContainer(BlobContainer container)
             this.LeaseDuration = container.LeaseDuration;
             this.HasLegalHold = container.HasLegalHold;
             this.HasImmutabilityPolicy = container.HasImmutabilityPolicy;
+            this.DefaultEncryptionScope = container.DefaultEncryptionScope;
+            this.DenyEncryptionScopeOverride = container.DenyEncryptionScopeOverride;
         }
 
         [Ps1Xml(Label = "ResourceGroupName", Target = ViewControl.List, Position = 0)]
@@ -106,6 +110,10 @@ public PSContainer(BlobContainer container)
         [Ps1Xml(Label = "HasImmutabilityPolicy", Target = ViewControl.List, Position = 6)]
         public bool? HasImmutabilityPolicy { get; set; }
 
+        public string DefaultEncryptionScope { get; set; }
+        
+        public bool? DenyEncryptionScopeOverride { get; set; }
+
 
         public static string ParseResourceGroupFromId(string idFromServer)
         {

src/Storage/Storage.Management/Models/PSContainer.cs

@@ -0,0 +1,110 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
+using Microsoft.Azure.Management.Storage;
+using Microsoft.Azure.Management.Storage.Models;
+using Microsoft.WindowsAzure.Commands.Common.Attributes;
+using Microsoft.WindowsAzure.Commands.Common.Storage;
+using Microsoft.WindowsAzure.Commands.Storage.Adapters;
+using Microsoft.Azure.Storage;
+using System;
+using System.Collections.Generic;
+using StorageModels = Microsoft.Azure.Management.Storage.Models;
+
+namespace Microsoft.Azure.Commands.Management.Storage.Models
+{
+    // wrapper of EncryptionScope
+    public class PSEncryptionScope
+    {
+        public PSEncryptionScope(StorageModels.EncryptionScope scope)
+        {
+            this.ResourceGroupName = ParseResourceGroupFromId(scope.Id);
+            this.StorageAccountName = ParseStorageAccountNameFromId(scope.Id);
+            this.Id = scope.Id;
+            this.Name = scope.Name;
+            this.Type = scope.Type;
+            this.LastModifiedTime = scope.LastModifiedTime;
+            this.CreationTime = scope.CreationTime;
+            this.Source = scope.Source;
+            this.State = scope.State;
+            this.KeyVaultProperties = scope.KeyVaultProperties is null ? null : new PSEncryptionScopeKeyVaultProperties(scope.KeyVaultProperties);
+        }
+
+        [Ps1Xml(Label = "ResourceGroupName", Target = ViewControl.List, Position = 0)]
+        public string ResourceGroupName { get; set; }
+
+        [Ps1Xml(Label = "StorageAccountName", Target = ViewControl.List, Position = 1)]
+        public string StorageAccountName { get; set; }
+
+        public string Id { get; set; }
+
+        [Ps1Xml(Label = "Name", Target = ViewControl.List, Position = 2)]
+        public string Name { get; set; }
+
+        public string Type { get; set; }
+
+        public string Source { get; set; }
+
+        public string State { get; set; }
+
+        public PSEncryptionScopeKeyVaultProperties KeyVaultProperties { get; set; }
+
+        [Ps1Xml(Label = "LastModifiedTime", Target = ViewControl.List, Position = 4)]
+        public DateTime? LastModifiedTime { get; set; }
+
+        public DateTime? CreationTime { get; set; }
+
+        public static string ParseResourceGroupFromId(string idFromServer)
+        {
+            if (!string.IsNullOrEmpty(idFromServer))
+            {
+                string[] tokens = idFromServer.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
+
+                return tokens[3];
+            }
+
+            return null;
+        }
+
+        public static string ParseStorageAccountNameFromId(string idFromServer)
+        {
+            if (!string.IsNullOrEmpty(idFromServer))
+            {
+                string[] tokens = idFromServer.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
+
+                return tokens[7];
+            }
+
+            return null;
+        }
+
+    }
+
+    //wrapper of EncryptionScopeKeyVaultProperties
+    public class PSEncryptionScopeKeyVaultProperties
+    {
+        public PSEncryptionScopeKeyVaultProperties(StorageModels.EncryptionScopeKeyVaultProperties keyVaultProperties)
+        {
+            if (keyVaultProperties != null)
+            {
+                this.keyUri = keyVaultProperties.KeyUri;
+            }
+        }
+
+        public string keyUri { get; set; }
+    }
+
+  
+}