[Storage] Support Storage Account saspolicy new properties SasExpirationAction (#27908)

Author: blueww

src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.ps1

@@ -1692,6 +1692,7 @@ function Test-AzureStorageAccountKeySASPolicy
     {
         # Test
         $stoname = 'sto' + $rgname;
+        $stoname2 = 'sto2' + $rgname;
         $stotype = 'Standard_LRS';
         $loc = Get-ProviderLocation ResourceManagement;
         $kind = 'StorageV2'
@@ -1701,7 +1702,7 @@ function Test-AzureStorageAccountKeySASPolicy
         New-AzResourceGroup -Name $rgname -Location $loc;
         Write-Output ("Resource Group created")
 
-        # new account
+        # new account, default SasExpirationAction is Log
         New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -SkuName $stotype -KeyExpirationPeriodInDay $keyExpirationPeriodInDay -SasExpirationPeriod $sasExpirationPeriod
 
         Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
@@ -1711,21 +1712,88 @@ function Test-AzureStorageAccountKeySASPolicy
         Assert-AreEqual $kind $sto.Kind;
         Assert-AreEqual $keyExpirationPeriodInDay $sto.KeyPolicy.KeyExpirationPeriodInDays;
         Assert-AreEqual $sasExpirationPeriod $sto.SasPolicy.SasExpirationPeriod;
+        Assert-AreEqual "Log" $sto.SasPolicy.ExpirationAction;
         Assert-NotNull $sto.KeyCreationTime.Key1
         Assert-NotNull $sto.KeyCreationTime.Key2
 
-        # update account		
+        # update account, not set SasExpirationAction, should keep orignal value Log
         $keyExpirationPeriodInDay = 3
-        $sasExpirationPeriod = "50.00:00:00"
+        $sasExpirationPeriod = "50.00:00:12"
         Set-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -KeyExpirationPeriodInDay $keyExpirationPeriodInDay -SasExpirationPeriod $sasExpirationPeriod -EnableHttpsTrafficOnly $true
 
         Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
         Assert-AreEqual $keyExpirationPeriodInDay $sto.KeyPolicy.KeyExpirationPeriodInDays;
         Assert-AreEqual $sasExpirationPeriod $sto.SasPolicy.SasExpirationPeriod;
+        Assert-AreEqual "Log" $sto.SasPolicy.ExpirationAction;
         Assert-NotNull $sto.KeyCreationTime.Key1
         Assert-NotNull $sto.KeyCreationTime.Key2
 
-        Remove-AzStorageAccount -Force -ResourceGroupName $rgname -Name $stoname;
+        # update account, set SasExpirationAction to Block
+        $sasExpirationPeriod = "5.00:00:00"
+        Set-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -SasExpirationPeriod $sasExpirationPeriod -SasExpirationAction Block 
+
+        Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
+        Assert-AreEqual $sasExpirationPeriod $sto.SasPolicy.SasExpirationPeriod;
+        Assert-AreEqual "Block" $sto.SasPolicy.ExpirationAction;
+
+        # update account, not set SasExpirationAction, should keep orignal value Block
+        $sasExpirationPeriod = "3.12:00:00"
+        Set-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -SasExpirationPeriod $sasExpirationPeriod 
+
+        Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
+        Assert-AreEqual $sasExpirationPeriod $sto.SasPolicy.SasExpirationPeriod;
+        Assert-AreEqual "Block" $sto.SasPolicy.ExpirationAction;
+
+        # update account, set SasExpirationAction to Log
+        $sasExpirationPeriod = "4.00:12:00"
+        Set-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -SasExpirationPeriod $sasExpirationPeriod -SasExpirationAction Log 
+
+        Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
+        Assert-AreEqual $sasExpirationPeriod $sto.SasPolicy.SasExpirationPeriod;
+        Assert-AreEqual "Log" $sto.SasPolicy.ExpirationAction;
+
+        # update account, disable sas policy
+        $sasExpirationPeriod = "0.00:00:00"
+        Set-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -SasExpirationPeriod $sasExpirationPeriod 
+
+        Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
+        Assert-Null $sto.SasPolicy
+
+        # update account, enable sas policy with Block
+        $sasExpirationPeriod = "5.00:00:13"
+        Set-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -SasExpirationPeriod $sasExpirationPeriod -SasExpirationAction Block 
+
+        Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
+        Assert-AreEqual $sasExpirationPeriod $sto.SasPolicy.SasExpirationPeriod;
+        Assert-AreEqual "Block" $sto.SasPolicy.ExpirationAction;
+
+        # update account, disable sas policy, then enable sas policy with only SasExpirationPeriod, should have default action as log
+        $sasExpirationPeriod = "0.00:00:00"
+        Set-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -SasExpirationPeriod $sasExpirationPeriod 
+
+        $sasExpirationPeriod = "5.11:12:13"
+        Set-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -SasExpirationPeriod $sasExpirationPeriod
+
+        Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
+        Assert-AreEqual $sasExpirationPeriod $sto.SasPolicy.SasExpirationPeriod;
+        Assert-AreEqual "Log" $sto.SasPolicy.ExpirationAction;
+        
+        # remove account 
+        Remove-AzStorageAccount -Force -ResourceGroupName $rgname -Name $stoname;        
+        
+        # new account2, with  SasExpirationAction Block
+        New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname2 -Location $loc -SkuName $stotype -SasExpirationAction Block -SasExpirationPeriod $sasExpirationPeriod
+
+        Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname2; }
+        Assert-AreEqual $stoname2 $sto.StorageAccountName;
+        Assert-AreEqual $stotype $sto.Sku.Name;
+        Assert-AreEqual $loc.ToLower().Replace(" ", "") $sto.Location;
+        Assert-AreEqual $kind $sto.Kind;
+        Assert-AreEqual $sasExpirationPeriod $sto.SasPolicy.SasExpirationPeriod;
+        Assert-AreEqual "Block" $sto.SasPolicy.ExpirationAction;
+        
+        # remove account 2
+        Remove-AzStorageAccount -Force -ResourceGroupName $rgname -Name $stoname2;
     }
     finally
     {

src/Storage/Storage.Management.Test/SessionRecords/Microsoft.Azure.Commands.Management.Storage.Test.ScenarioTests.StorageAccountTests/TestAzureStorageAccountKeySASPolicy.json

@@ -18,6 +18,9 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Supported set SasExpirationAction as Log or Block, together with SasExpirationPeriod
+    - `New-AzStorageAccount`
+    - `Set-AzStorageAccount`
 
 ## Version 9.0.0
 * Removed MD5 from blob and file upload in some scenarios

src/Storage/Storage.Management/ChangeLog.md

@@ -466,6 +466,12 @@ public TimeSpan SasExpirationPeriod
         }
         private TimeSpan? sasExpirationPeriod = null;
 
+        [Parameter(Mandatory = false, HelpMessage = "The action to be performed when SasExpirationPeriod is violated. The 'Log' action can be used for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period. The default value is 'Log'.")]
+        [PSArgumentCompleter("Log", "Block")]
+        [PSDefaultValue(Help = "Log", Value = StorageModels.ExpirationAction.Log)]
+        [ValidateNotNullOrEmpty]
+        public string SasExpirationAction { get; set; }
+
         [Parameter(Mandatory = false, HelpMessage = "The Key expiration period of this account, it is accurate to days.")]
         public int KeyExpirationPeriodInDay
         {
@@ -863,10 +869,31 @@ public override void ExecuteCmdlet()
                     Name = this.EdgeZone
                 };
             }
-            if (sasExpirationPeriod != null)
+            if (sasExpirationPeriod != null || SasExpirationAction != null)
             {
-                createParameters.SasPolicy = new SasPolicy(sasExpirationPeriod.Value.ToString(@"d\.hh\:mm\:ss"), "Log");
+                if (sasExpirationPeriod == null && SasExpirationAction != null)
+                {
+                    throw new ArgumentException("-SasExpirationAction can only be specified together with -SasExpirationPeriod.", "SasExpirationAction");
+                }
+                // Set the default action to Log to be aligned as before PSH release.
+                if (SasExpirationAction == null)
+                {
+                    SasExpirationAction = "Log";
+                }
+                else
+                {
+                    if (String.Equals(SasExpirationAction, ExpirationAction.Log, StringComparison.OrdinalIgnoreCase))
+                    {
+                        SasExpirationAction = ExpirationAction.Log;
+                    }
+                    else if (String.Equals(SasExpirationAction, ExpirationAction.Block, StringComparison.OrdinalIgnoreCase)) 
+                    {
+                        SasExpirationAction = ExpirationAction.Block;
+                    }
+                }
+                createParameters.SasPolicy = new SasPolicy(sasExpirationPeriod.Value.ToString(@"d\.hh\:mm\:ss"), SasExpirationAction);
             }
+
             if (keyExpirationPeriodInDay != null)
             {
                 createParameters.KeyPolicy = new KeyPolicy(keyExpirationPeriodInDay.Value);

src/Storage/Storage.Management/StorageAccount/NewAzureStorageAccount.cs

@@ -470,6 +470,12 @@ public TimeSpan SasExpirationPeriod
         }
         private TimeSpan? sasExpirationPeriod = null;
 
+        [Parameter(Mandatory = false, HelpMessage = "The action to be performed when SasExpirationPeriod is violated. The 'Log' action can be used for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period.")]
+        [PSArgumentCompleter("Log", "Block")]
+        [ValidateNotNullOrEmpty]
+        public string SasExpirationAction { get; set; }
+
+
         [Parameter(Mandatory = false, HelpMessage = "The Key expiration period of this account, it is accurate to days.")]
         public int KeyExpirationPeriodInDay
         {
@@ -883,10 +889,33 @@ public override void ExecuteCmdlet()
                     {
                         updateParameters.AllowSharedKeyAccess = allowSharedKeyAccess;
                     }
-                    if (sasExpirationPeriod != null)
+                    if (sasExpirationPeriod != null || SasExpirationAction != null)
                     {
-                        updateParameters.SasPolicy = new SasPolicy(sasExpirationPeriod.Value.ToString(@"d\.hh\:mm\:ss"), "Log");
+                        if (sasExpirationPeriod == null && SasExpirationAction != null)
+                        {
+                            throw new ArgumentException("-SasExpirationAction can only be specified together with -SasExpirationPeriod.", "SasExpirationAction");
+                        }
+                        // If user not set action, and the account not already has the action value, Set the default action to Log to be aligned as before PSH release.
+                        if (SasExpirationAction == null)
+                        {
+                            SasExpirationAction = (this.OriginStorageAccountProperties.SasPolicy != null && this.OriginStorageAccountProperties.SasPolicy.ExpirationAction != null) 
+                                ? this.OriginStorageAccountProperties.SasPolicy.ExpirationAction 
+                                : ExpirationAction.Log;
+                        }
+                        else
+                        {
+                            if (String.Equals(SasExpirationAction, ExpirationAction.Log, StringComparison.OrdinalIgnoreCase))
+                            {
+                                SasExpirationAction = ExpirationAction.Log;
+                            }
+                            else if (String.Equals(SasExpirationAction, ExpirationAction.Block, StringComparison.OrdinalIgnoreCase))
+                            {
+                                SasExpirationAction = ExpirationAction.Block;
+                            }
+                        }
+                        updateParameters.SasPolicy = new SasPolicy(sasExpirationPeriod.Value.ToString(@"d\.hh\:mm\:ss"), SasExpirationAction);
                     }
+
                     if (keyExpirationPeriodInDay != null)
                     {
                         updateParameters.KeyPolicy = new KeyPolicy(keyExpirationPeriodInDay.Value);

src/Storage/Storage.Management/StorageAccount/SetAzureStorageAccount.cs

@@ -24,12 +24,12 @@ New-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-SkuName] <
  [-EnableAzureActiveDirectoryDomainServicesForFile <Boolean>] [-EnableLargeFileShare]
  [-PublishMicrosoftEndpoint <Boolean>] [-PublishInternetEndpoint <Boolean>] [-AsJob]
  [-EncryptionKeyTypeForTable <String>] [-EncryptionKeyTypeForQueue <String>] [-RequireInfrastructureEncryption]
- [-SasExpirationPeriod <TimeSpan>] [-KeyExpirationPeriodInDay <Int32>] [-AllowBlobPublicAccess <Boolean>]
- [-MinimumTlsVersion <String>] [-AllowSharedKeyAccess <Boolean>] [-EnableNfsV3 <Boolean>]
- [-AllowCrossTenantReplication <Boolean>] [-DefaultSharePermission <String>] [-EdgeZone <String>]
- [-PublicNetworkAccess <String>] [-EnableAccountLevelImmutability] [-ImmutabilityPeriod <Int32>]
- [-ImmutabilityPolicyState <String>] [-AllowedCopyScope <String>] [-DnsEndpointType <String>]
- [-DefaultProfile <IAzureContextContainer>] [-RoutingChoice <String>]
+ [-SasExpirationPeriod <TimeSpan>] [-SasExpirationAction <String>] [-KeyExpirationPeriodInDay <Int32>]
+ [-AllowBlobPublicAccess <Boolean>] [-MinimumTlsVersion <String>] [-AllowSharedKeyAccess <Boolean>]
+ [-EnableNfsV3 <Boolean>] [-AllowCrossTenantReplication <Boolean>] [-DefaultSharePermission <String>]
+ [-EdgeZone <String>] [-PublicNetworkAccess <String>] [-EnableAccountLevelImmutability]
+ [-ImmutabilityPeriod <Int32>] [-ImmutabilityPolicyState <String>] [-AllowedCopyScope <String>]
+ [-DnsEndpointType <String>] [-DefaultProfile <IAzureContextContainer>] [-RoutingChoice <String>]
  [<CommonParameters>]
 ```
 
@@ -45,12 +45,12 @@ New-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-SkuName] <
  -EnableAzureActiveDirectoryKerberosForFile <Boolean> [-ActiveDirectoryDomainName <String>]
  [-ActiveDirectoryDomainGuid <String>] [-AsJob] [-EncryptionKeyTypeForTable <String>]
  [-EncryptionKeyTypeForQueue <String>] [-RequireInfrastructureEncryption] [-SasExpirationPeriod <TimeSpan>]
- [-KeyExpirationPeriodInDay <Int32>] [-AllowBlobPublicAccess <Boolean>] [-MinimumTlsVersion <String>]
- [-AllowSharedKeyAccess <Boolean>] [-EnableNfsV3 <Boolean>] [-AllowCrossTenantReplication <Boolean>]
- [-DefaultSharePermission <String>] [-EdgeZone <String>] [-PublicNetworkAccess <String>]
- [-EnableAccountLevelImmutability] [-ImmutabilityPeriod <Int32>] [-ImmutabilityPolicyState <String>]
- [-AllowedCopyScope <String>] [-DnsEndpointType <String>] [-DefaultProfile <IAzureContextContainer>]
- [-RoutingChoice <String>] [<CommonParameters>]
+ [-SasExpirationAction <String>] [-KeyExpirationPeriodInDay <Int32>] [-AllowBlobPublicAccess <Boolean>]
+ [-MinimumTlsVersion <String>] [-AllowSharedKeyAccess <Boolean>] [-EnableNfsV3 <Boolean>]
+ [-AllowCrossTenantReplication <Boolean>] [-DefaultSharePermission <String>] [-EdgeZone <String>]
+ [-PublicNetworkAccess <String>] [-EnableAccountLevelImmutability] [-ImmutabilityPeriod <Int32>]
+ [-ImmutabilityPolicyState <String>] [-AllowedCopyScope <String>] [-DnsEndpointType <String>]
+ [-DefaultProfile <IAzureContextContainer>] [-RoutingChoice <String>] [<CommonParameters>]
 ```
 
 ### ActiveDirectoryDomainServicesForFile
@@ -68,12 +68,12 @@ New-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-SkuName] <
  [-ActiveDirectoryAzureStorageSid <String>] [-ActiveDirectorySamAccountName <String>]
  [-ActiveDirectoryAccountType <String>] [-AsJob] [-EncryptionKeyTypeForTable <String>]
  [-EncryptionKeyTypeForQueue <String>] [-RequireInfrastructureEncryption] [-SasExpirationPeriod <TimeSpan>]
- [-KeyExpirationPeriodInDay <Int32>] [-AllowBlobPublicAccess <Boolean>] [-MinimumTlsVersion <String>]
- [-AllowSharedKeyAccess <Boolean>] [-EnableNfsV3 <Boolean>] [-AllowCrossTenantReplication <Boolean>]
- [-DefaultSharePermission <String>] [-EdgeZone <String>] [-PublicNetworkAccess <String>]
- [-EnableAccountLevelImmutability] [-ImmutabilityPeriod <Int32>] [-ImmutabilityPolicyState <String>]
- [-AllowedCopyScope <String>] [-DnsEndpointType <String>] [-DefaultProfile <IAzureContextContainer>]
- [-RoutingChoice <String>] [<CommonParameters>]
+ [-SasExpirationAction <String>] [-KeyExpirationPeriodInDay <Int32>] [-AllowBlobPublicAccess <Boolean>]
+ [-MinimumTlsVersion <String>] [-AllowSharedKeyAccess <Boolean>] [-EnableNfsV3 <Boolean>]
+ [-AllowCrossTenantReplication <Boolean>] [-DefaultSharePermission <String>] [-EdgeZone <String>]
+ [-PublicNetworkAccess <String>] [-EnableAccountLevelImmutability] [-ImmutabilityPeriod <Int32>]
+ [-ImmutabilityPolicyState <String>] [-AllowedCopyScope <String>] [-DnsEndpointType <String>]
+ [-DefaultProfile <IAzureContextContainer>] [-RoutingChoice <String>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -239,21 +239,24 @@ False
 
 This command creates a Storage account with EdgeZone as "microsoftlosangeles1" and AllowCrossTenantReplication as false, then show the created account related properties.
 
-### Example 12: Create a Storage account with KeyExpirationPeriod and SasExpirationPeriod
+### Example 12: Create a Storage account with KeyExpirationPeriod and SasExpirationPeriod with SasExpirationAction
 <!-- Skip: Output cannot be splitted from code -->
 
 
 ```powershell
-$account = New-AzStorageAccount -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -SkuName Premium_LRS -Location eastus -KeyExpirationPeriodInDay 5 -SasExpirationPeriod "1.12:05:06"
+$account = New-AzStorageAccount -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -SkuName Premium_LRS -Location eastus -KeyExpirationPeriodInDay 5 -SasExpirationPeriod "1.12:05:06" -SasExpirationAction Block
 
 $account.KeyPolicy.KeyExpirationPeriodInDays
 5
 
 $account.SasPolicy.SasExpirationPeriod
-1.12:05:06
+
+SasExpirationPeriod ExpirationAction
+------------------- ----------------
+1.12:05:06          Block          
 ```
 
-This command creates a Storage account with KeyExpirationPeriod and SasExpirationPeriod, then show the created account related properties.
+This command creates a Storage account with KeyExpirationPeriod and SasExpirationPeriod with SasExpirationAction, then show the created account related properties.
 
 ### Example 12: Create a Storage account with Keyvault encryption (access Keyvault with user assigned identity)
 <!-- Skip: Output cannot be splitted from code -->
@@ -1196,6 +1199,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -SasExpirationAction
+The action to be performed when SasExpirationPeriod is violated. The 'Log' action can be used for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period. The default value is 'Log'.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -SasExpirationPeriod
 The SAS expiration period of this account, it is a timespan and accurate to seconds.