[Storage] Support new permission in container access policy (#13119)

* [Storage] Support new permission in container access policy

* [Storage] Upgrade to Track2 SDK for STG74

Author: blueww

src/Accounts/Authentication/Utilities/CustomAssemblyResolver.cs

@@ -10,7 +10,7 @@ public static class CustomAssemblyResolver
         private static IDictionary<string, Version> NetFxPreloadAssemblies =
             new Dictionary<string, Version>(StringComparer.InvariantCultureIgnoreCase)
             {
-                {"Azure.Core", new Version("1.4.1.0")},
+                {"Azure.Core", new Version("1.5.0.0")},
                 {"Microsoft.Bcl.AsyncInterfaces", new Version("1.0.0.0")},
                 {"Microsoft.IdentityModel.Clients.ActiveDirectory", new Version("3.19.2.6005")},
                 {"Microsoft.IdentityModel.Clients.ActiveDirectory.Platform", new Version("3.19.2.6005")},

src/Storage/Storage.Management.Test/Storage.Management.Test.csproj

@@ -11,10 +11,10 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Storage.Blobs" Version="12.5.0-preview.6" />
-    <PackageReference Include="Azure.Storage.Files.DataLake" Version="12.3.0-preview.2" />
-    <PackageReference Include="Azure.Storage.Files.Shares" Version="12.3.0-preview.2" />
-    <PackageReference Include="Azure.Storage.Queues" Version="12.4.0-preview.6" />
+    <PackageReference Include="Azure.Storage.Blobs" Version="12.7.0-preview.1" />
+    <PackageReference Include="Azure.Storage.Files.DataLake" Version="12.5.0-preview.1" />
+    <PackageReference Include="Azure.Storage.Files.Shares" Version="12.5.0-preview.1" />
+    <PackageReference Include="Azure.Storage.Queues" Version="12.5.0-preview.1" />
     <PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.2.0" />
   </ItemGroup>
 

src/Storage/Storage.Management/ChangeLog.md

@@ -18,9 +18,15 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
-* Support create/update file share with access tier
+* Supported create/update file share with access tier
     - `New-AzRmStorageShare`
     - `Update-AzRmStorageShare`
+* Supported Container access policy with new permission x,t
+    -  `New-AzStorageContainerStoredAccessPolicy`
+    -  `Set-AzStorageContainerStoredAccessPolicy`
+* Changed the output of get/set Container/Share/Queue/Table access policy cmdlet, by change the child property Permission type from enum to String
+    -  `Get-AzStorageContainerStoredAccessPolicy`
+    -  `Set-AzStorageContainerStoredAccessPolicy`
 
 ## Version 2.7.0
 * Supported enable/disable/get share soft delete properties on file Service of a Storage account

src/Storage/Storage/Blob/Cmdlet/GetAzureStorageBlob.cs

@@ -378,14 +378,14 @@ internal async Task ListBlobsByTag(long taskId, IStorageBlobManagement localChan
             {
                 requestCount = Math.Min(listCount, MaxListCount);
                 realListCount = 0;
-                IAsyncEnumerator<Page<BlobTagItem>> enumerator = blobServiceClient.FindBlobsByTagsAsync(tagFilterSqlExpression, CmdletCancellationToken)
+                IAsyncEnumerator<Page<TaggedBlobItem>> enumerator = blobServiceClient.FindBlobsByTagsAsync(tagFilterSqlExpression, CmdletCancellationToken)
                     .AsPages(track2ContinuationToken, requestCount)
                     .GetAsyncEnumerator();
 
-                Page<BlobTagItem> page;
+                Page<TaggedBlobItem> page;
                 await enumerator.MoveNextAsync().ConfigureAwait(false);
                 page = enumerator.Current;
-                foreach (BlobTagItem item in page.Values)
+                foreach (TaggedBlobItem item in page.Values)
                 {
                     BlobContainerClient track2container = blobServiceClient.GetBlobContainerClient(item.BlobContainerName);
                     OutputStream.WriteObject(taskId, GetAzureStorageBlob(item, track2container, localChannel.StorageContext, page.ContinuationToken, ClientOptions));
@@ -413,7 +413,7 @@ public static AzureStorageBlob GetAzureStorageBlob(BlobItem blobItem, BlobContai
             return outputblob;
         }
 
-        public static AzureStorageBlob GetAzureStorageBlob(BlobTagItem blobTagItem, BlobContainerClient track2container, AzureStorageContext context, string continuationToken = null, BlobClientOptions options = null)
+        public static AzureStorageBlob GetAzureStorageBlob(TaggedBlobItem blobTagItem, BlobContainerClient track2container, AzureStorageContext context, string continuationToken = null, BlobClientOptions options = null)
         {
             BlobBaseClient blobClient = Util.GetTrack2BlobClient(track2container, blobTagItem.BlobName, context, options: options);
             AzureStorageBlob outputblob = new AzureStorageBlob(blobClient, context, options);

src/Storage/Storage/Blob/Cmdlet/GetAzureStorageContainer.cs

@@ -237,6 +237,8 @@ internal async Task GetContainerPermission(long taskId, IStorageBlobManagement l
             BlobRequestOptions requestOptions = RequestOptions;
             AccessCondition accessCondition = null;
             BlobContainerPermissions permissions = null;
+            bool needUseTrack2 = false;
+
             try
             {
                 permissions = await localChannel.GetContainerPermissionsAsync(container, accessCondition,
@@ -247,7 +249,24 @@ internal async Task GetContainerPermission(long taskId, IStorageBlobManagement l
                 // 404 Not found, or 403 Forbidden means we don't have permission to query the Permission of the specified container.
                 // Just skip return container permission in this case.
             }
-            WriteCloudContainerObject(taskId, localChannel, container, permissions, continuationToken);
+            catch (StorageException e) when (e.IsConflictException())
+            {
+                // 409 Conflict, might caused by the container has an Stored access policy contains a permission that is not supported by Track1 SDK API veresion, so switch to Track2 SDK
+                needUseTrack2 = true;
+            }
+
+            if (!needUseTrack2) // Track1
+            {
+                WriteCloudContainerObject(taskId, localChannel, container, permissions, continuationToken);
+            }
+            else //Track2
+            {
+                AzureStorageContainer azureContainer = new AzureStorageContainer(container, null);
+                azureContainer.Context = localChannel.StorageContext;
+                azureContainer.ContinuationToken = continuationToken;
+                azureContainer.SetTrack2Permission();
+                OutputStream.WriteObject(taskId, azureContainer);
+            }
         }
 
         /// <summary>

src/Storage/Storage/Blob/Cmdlet/GetAzureStorageContainerStoredAccessPolicy.cs

@@ -15,10 +15,13 @@
 namespace Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet
 {
     using Common;
+    using global::Azure.Storage.Blobs;
+    using global::Azure.Storage.Blobs.Models;
     using Microsoft.Azure.Storage.Blob;
-    using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
+    using Microsoft.WindowsAzure.Commands.Common.Storage.ResourceModel;
     using Model.Contract;
     using System;
+    using System.Collections.Generic;
     using System.Globalization;
     using System.Management.Automation;
     using System.Security.Permissions;
@@ -27,8 +30,7 @@ namespace Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet
     /// <summary>
     /// create a new azure container
     /// </summary>
-    [CmdletOutputBreakingChange(typeof(SharedAccessBlobPolicy), ChangeDescription = "The output type will change from 'SharedAccessBlobPolicy' to 'PSObject', with the child property 'Permissions' type change from enum to string in a future release.")]
-    [Cmdlet("Get", Azure.Commands.ResourceManager.Common.AzureRMConstants.AzurePrefix + "StorageContainerStoredAccessPolicy"), OutputType(typeof(SharedAccessBlobPolicy))]
+    [Cmdlet("Get", Azure.Commands.ResourceManager.Common.AzureRMConstants.AzurePrefix + "StorageContainerStoredAccessPolicy"), OutputType(typeof(PSObject))]
     public class GetAzureStorageContainerStoredAccessPolicyCommand : StorageCloudBlobCmdletBase
     {
         [Alias("N", "Name")]
@@ -63,36 +65,40 @@ public GetAzureStorageContainerStoredAccessPolicyCommand(IStorageBlobManagement
 
         internal async Task GetAzureContainerStoredAccessPolicyAsync(long taskId, IStorageBlobManagement localChannel, string containerName, string policyName)
         {
-            SharedAccessBlobPolicies shareAccessPolicies = await GetPoliciesAsync(localChannel, containerName, policyName).ConfigureAwait(false);
+            //Get container instance, Get existing permissions
+            CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
+            BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
+            BlobContainerAccessPolicy accessPolicy = (await container.GetAccessPolicyAsync(BlobRequestConditions, cancellationToken: CmdletCancellationToken).ConfigureAwait(false)).Value;
+            IEnumerable<BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;
 
             if (!String.IsNullOrEmpty(policyName))
             {
-                if (shareAccessPolicies.Keys.Contains(policyName))
+                BlobSignedIdentifier signedIdentifier = null;
+                foreach (BlobSignedIdentifier identifier in signedIdentifiers)
                 {
-                    OutputStream.WriteObject(taskId, AccessPolicyHelper.ConstructPolicyOutputPSObject<SharedAccessBlobPolicy>(shareAccessPolicies, policyName));
+                    if (identifier.Id == policyName)
+                    {
+                        signedIdentifier = identifier;
+                    }
                 }
-                else
+                if (signedIdentifier == null)
                 {
                     throw new ResourceNotFoundException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
                 }
+                else
+                {
+                    OutputStream.WriteObject(taskId, AccessPolicyHelper.ConstructPolicyOutputPSObject<BlobSignedIdentifier>(signedIdentifier));
+                }
             }
             else
             {
-                foreach (string key in shareAccessPolicies.Keys)
+                foreach (BlobSignedIdentifier identifier in signedIdentifiers)
                 {
-                    OutputStream.WriteObject(taskId, AccessPolicyHelper.ConstructPolicyOutputPSObject<SharedAccessBlobPolicy>(shareAccessPolicies, key));
+                    OutputStream.WriteObject(taskId, AccessPolicyHelper.ConstructPolicyOutputPSObject<BlobSignedIdentifier>(identifier));
                 }
             }
         }
 
-        internal async Task<SharedAccessBlobPolicies> GetPoliciesAsync(IStorageBlobManagement localChannel, string containerName, string policyName)
-        {
-            CloudBlobContainer container = localChannel.GetContainerReference(containerName);
-            BlobContainerPermissions blobContainerPermissions = await localChannel.GetContainerPermissionsAsync(container, null, null, OperationContext, CmdletCancellationToken).ConfigureAwait(false);
-            return blobContainerPermissions.SharedAccessPolicies;
-        }
-
-
         /// <summary>
         /// execute command
         /// </summary>

src/Storage/Storage/Blob/Cmdlet/NewAzureStorageContainerStoredAccessPolicy.cs

@@ -15,9 +15,13 @@
 namespace Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet
 {
     using Common;
+    using global::Azure.Storage.Blobs;
+    using global::Azure.Storage.Blobs.Models;
     using Microsoft.Azure.Storage.Blob;
+    using Microsoft.WindowsAzure.Commands.Common.Storage.ResourceModel;
     using Model.Contract;
     using System;
+    using System.Collections.Generic;
     using System.Globalization;
     using System.Management.Automation;
     using System.Security.Permissions;
@@ -41,7 +45,7 @@ public class NewAzureStorageContainerStoredAccessPolicyCommand : StorageCloudBlo
         [ValidateNotNullOrEmpty]
         public string Policy { get; set; }
 
-        [Parameter(HelpMessage = "Permissions for a container. Permissions can be any subset of \"rwdl\".")]
+        [Parameter(HelpMessage = "Permissions for a container. Permissions can be any subset of \"racwdxlt\", make the permission order also same as it")]
         public string Permission { get; set; }
 
         [Parameter(HelpMessage = "Start Time")]
@@ -50,6 +54,11 @@ public class NewAzureStorageContainerStoredAccessPolicyCommand : StorageCloudBlo
         [Parameter(HelpMessage = "Expiry Time")]
         public DateTime? ExpiryTime { get; set; }
 
+        protected override bool UseTrack2Sdk()
+        {
+            return true;
+        }
+
         /// <summary>
         /// Initializes a new instance of the NewAzureStorageContainerStoredAccessPolicyCommand class.
         /// </summary>
@@ -75,22 +84,37 @@ internal string CreateAzureContainerStoredAccessPolicy(IStorageBlobManagement lo
                 throw new ArgumentException(String.Format(CultureInfo.CurrentCulture, Resources.InvalidAccessPolicyName, policyName));
             }
 
-            //Get existing permissions
-            CloudBlobContainer container = localChannel.GetContainerReference(containerName);
-            BlobContainerPermissions blobContainerPermissions = localChannel.GetContainerPermissions(container, null, null, OperationContext);
+            //Get container instance, Get existing permissions
+            CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
+            BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
+            BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
+            IEnumerable<BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;
 
             //Add new policy
-            if (blobContainerPermissions.SharedAccessPolicies.Keys.Contains(policyName))
+            foreach (BlobSignedIdentifier identifier in signedIdentifiers)
             {
-                throw new ResourceAlreadyExistException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyAlreadyExists, policyName));
+                if (identifier.Id == policyName)
+                {
+                    throw new ResourceAlreadyExistException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyAlreadyExists, policyName));
+                }
             }
-
-            SharedAccessBlobPolicy policy = new SharedAccessBlobPolicy();
-            AccessPolicyHelper.SetupAccessPolicy<SharedAccessBlobPolicy>(policy, startTime, expiryTime, permission);
-            blobContainerPermissions.SharedAccessPolicies.Add(policyName, policy);
+            BlobSignedIdentifier signedIdentifier = new BlobSignedIdentifier();
+            signedIdentifier.Id = policyName;
+            signedIdentifier.AccessPolicy = new BlobAccessPolicy();
+            if (StartTime != null)
+            {
+                signedIdentifier.AccessPolicy.PolicyStartsOn = StartTime.Value.ToUniversalTime();
+            }
+            if (ExpiryTime != null)
+            {
+                signedIdentifier.AccessPolicy.PolicyExpiresOn = ExpiryTime.Value.ToUniversalTime();
+            }
+            signedIdentifier.AccessPolicy.Permissions = AccessPolicyHelper.OrderBlobPermission(this.Permission);
+            var newsignedIdentifiers = new List<BlobSignedIdentifier>(signedIdentifiers);
+            newsignedIdentifiers.Add(signedIdentifier);
 
             //Set permissions back to container
-            localChannel.SetContainerPermissions(container, blobContainerPermissions, null, null, OperationContext);
+            container.SetAccessPolicy(accessPolicy.BlobPublicAccess, newsignedIdentifiers, BlobRequestConditions, CmdletCancellationToken);
             return policyName;
         }
 

src/Storage/Storage/Blob/Cmdlet/RemoveAzureStorageContainerStoredAccessPolicy.cs

@@ -15,9 +15,13 @@
 namespace Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet
 {
     using Common;
+    using global::Azure.Storage.Blobs;
+    using global::Azure.Storage.Blobs.Models;
     using Microsoft.Azure.Storage.Blob;
+    using Microsoft.WindowsAzure.Commands.Common.Storage.ResourceModel;
     using Model.Contract;
     using System;
+    using System.Collections.Generic;
     using System.Globalization;
     using System.Management.Automation;
     using System.Security.Permissions;
@@ -67,20 +71,34 @@ internal bool RemoveAzureContainerStoredAccessPolicy(IStorageBlobManagement loca
             bool success = false;
             string result = string.Empty;
 
-            //Get existing permissions
-            CloudBlobContainer container = localChannel.GetContainerReference(containerName);
-            BlobContainerPermissions blobContainerPermissions = localChannel.GetContainerPermissions(container, null, null, OperationContext);
+            //Get container instance, Get existing permissions
+            CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
+            BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
+            BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
+            IEnumerable<BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;
 
-            //remove the specified policy
-            if (!blobContainerPermissions.SharedAccessPolicies.Keys.Contains(policyName))
+            //remove policy
+            BlobSignedIdentifier signedIdentifier = null;
+            foreach (BlobSignedIdentifier identifier in signedIdentifiers)
             {
-                throw new ResourceNotFoundException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
+                if (identifier.Id == policyName)
+                {
+                    signedIdentifier = identifier;
+                }
+            }
+
+            if (signedIdentifier == null)
+            {
+                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
             }
 
             if (ShouldProcess(policyName, "Remove policy"))
             {
-                blobContainerPermissions.SharedAccessPolicies.Remove(policyName);
-                localChannel.SetContainerPermissions(container, blobContainerPermissions, null, null, OperationContext);
+                List<BlobSignedIdentifier> policyList = new List<BlobSignedIdentifier>(signedIdentifiers);
+                policyList.Remove(signedIdentifier);           
+                
+                //Set permissions back to container
+                container.SetAccessPolicy(accessPolicy.BlobPublicAccess, policyList, BlobRequestConditions, CmdletCancellationToken);
                 success = true;
             }