[Storage] Support secure SMB and NFSV3 (#15209)

* [Storage] Support NFSV3 in create account * [Storage] Support secure SMB
Azure · Jun 15, 2021 · 9d8d547 · 9d8d547
1 parent fed4db4
commit 9d8d547
Show file tree

Hide file tree

Showing 12 changed files with 1,119 additions and 22 deletions.
diff --git a/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.cs b/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.cs
@@ -253,5 +253,14 @@ public void TestStorageBlobInventory()
         {
             TestRunner.RunTestScript("Test-StorageBlobInventory");
         }
+
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestNewAzureStorageAccountEnableNfsV3()
+        {
+            TestRunner.RunTestScript("Test-NewAzureStorageAccountEnableNfsV3");
+        }
+
     }
 }
diff --git a/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.ps1 b/src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.ps1
@@ -1408,7 +1408,7 @@ function Test-NewSetAzureStorageAccountAllowSharedKeyAccess
         Assert-AreEqual $stotype $sto.Sku.Name;
         Assert-AreEqual $loc.ToLower().Replace(" ", "") $sto.Location;
         Assert-AreEqual $kind $sto.Kind;
-		#Assert-AreEqual $false $sto.AllowSharedKeyAccess
+        Assert-AreEqual $false $sto.AllowSharedKeyAccess
 
         Set-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -AllowSharedKeyAccess $true -EnableHttpsTrafficOnly $true 
 
@@ -1417,7 +1417,7 @@ function Test-NewSetAzureStorageAccountAllowSharedKeyAccess
         Assert-AreEqual $stotype $sto.Sku.Name;
         Assert-AreEqual $loc.ToLower().Replace(" ", "") $sto.Location;
         Assert-AreEqual $kind $sto.Kind;
-		#Assert-AreEqual $true $sto.AllowSharedKeyAccess
+        Assert-AreEqual $true $sto.AllowSharedKeyAccess
 
         Remove-AzStorageAccount -Force -ResourceGroupName $rgname -Name $stoname;
     }
@@ -1946,4 +1946,57 @@ function Test-StorageBlobInventory
         # Cleanup
         Clean-ResourceGroup $rgname
     }
+}
+
+
+<#
+.SYNOPSIS
+Test Test-NewAzureStorageAccountEnableNfsV3
+.DESCRIPTION
+SmokeTest
+#>
+function Test-NewAzureStorageAccountEnableNfsV3
+{
+    # Setup
+    $rgname = Get-StorageManagementTestResourceName;
+
+    try
+    {
+        # Test
+        $stoname = 'sto' + $rgname;
+        $stotype = 'Standard_LRS';
+        $loc = Get-ProviderLocation_Canary ResourceManagement;
+        $kind = 'StorageV2'
+
+        $rg = New-AzResourceGroup -Name $rgname -Location $loc;
+        Write-Output ("Resource Group created")
+
+        ## Create a vnet and subnet in same location, then get the subnet resource id
+        # New-AzVirtualNetwork -ResourceGroupName $rgname -Location $loc -AddressPrefix 10.0.0.0/24 -Name "vnet1" 
+        # $subnet = Get-AzVirtualNetwork -ResourceGroupName $rgname -Name "vnet1" | Add-AzVirtualNetworkSubnetConfig -Name "subnet1" -AddressPrefix "10.0.0.0/28" -ServiceEndpoint "Microsoft.Storage"  | Set-AzVirtualNetwork 
+        # $vnet1 = $subnet.Id
+        $vnet1 = "$($rg.ResourceId)/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/subnet1"
+
+        New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -SkuName $stotype `
+				-EnableNfsV3 $true `
+				-EnableHierarchicalNamespace $true `
+				-EnableHttpsTrafficOnly $false `
+				-NetworkRuleSet (@{bypass="Logging,Metrics";defaultAction="allow";virtualNetworkRules=(@{VirtualNetworkResourceId="$vnet1";Action="allow"})}) 
+
+        Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
+        Assert-AreEqual $stoname $sto.StorageAccountName;
+        Assert-AreEqual $stotype $sto.Sku.Name;
+        Assert-AreEqual $loc.ToLower().Replace(" ", "") $sto.Location;
+        Assert-AreEqual $kind $sto.Kind;
+        Assert-AreEqual $true $sto.EnableHierarchicalNamespace
+        Assert-AreEqual $false $sto.EnableHttpsTrafficOnly
+        Assert-AreEqual $true $sto.EnableNfsV3
+
+        Remove-AzStorageAccount -Force -ResourceGroupName $rgname -Name $stoname;
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
 }
diff --git a/src/Storage/Storage.Management.Test/ScenarioTests/StorageFileTests.ps1 b/src/Storage/Storage.Management.Test/ScenarioTests/StorageFileTests.ps1
@@ -385,15 +385,43 @@ function Test-FileServiceProperties
         $stos = Get-AzStorageAccount -ResourceGroupName $rgname;
 
 		# Enable MC, and set smb setting
-		Update-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname -EnableSmbMultichannel $true 
+		Update-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname -EnableSmbMultichannel $true `
+					-SMBProtocolVersion SMB2.1,SMB3.0,SMB3.1.1 `
+					-SMBAuthenticationMethod Kerberos,NTLMv2 `
+					-SMBKerberosTicketEncryption RC4-HMAC,AES-256 `
+					-SMBChannelEncryption AES-128-CCM,AES-128-GCM,AES-256-GCM
 		$servicePropertie = Get-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname 
+		Assert-AreEqual 3 $servicePropertie.ProtocolSettings.Smb.Versions.Count
+		Assert-AreEqual 2 $servicePropertie.ProtocolSettings.Smb.AuthenticationMethods.Count
+		Assert-AreEqual 2 $servicePropertie.ProtocolSettings.Smb.KerberosTicketEncryption.Count
+		Assert-AreEqual 3 $servicePropertie.ProtocolSettings.Smb.ChannelEncryption.Count
 		Assert-AreEqual $true $servicePropertie.ProtocolSettings.Smb.Multichannel.Enabled
 
 		# Disable MC, update smb setting
-		Update-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname -EnableSmbMultichannel $false 
+		Update-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname -EnableSmbMultichannel $false `
+					-SMBProtocolVersion SMB3.1.1 `
+					-SMBAuthenticationMethod Kerberos `
+					-SMBKerberosTicketEncryption AES-256 `
+					-SMBChannelEncryption AES-128-CCM
 		$servicePropertie = Get-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname 
+		Assert-AreEqual "SMB3.1.1" $servicePropertie.ProtocolSettings.Smb.Versions[0]
+		Assert-AreEqual "Kerberos" $servicePropertie.ProtocolSettings.Smb.AuthenticationMethods[0]
+		Assert-AreEqual "AES-256" $servicePropertie.ProtocolSettings.Smb.KerberosTicketEncryption[0]
+		Assert-AreEqual "AES-128-CCM" $servicePropertie.ProtocolSettings.Smb.ChannelEncryption[0]
 		Assert-AreEqual $false $servicePropertie.ProtocolSettings.Smb.Multichannel.Enabled
 
+		# remove smb setting
+		Update-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname `
+					-SMBProtocolVersion @() `
+					-SMBAuthenticationMethod @()`
+					-SMBKerberosTicketEncryption @() `
+					-SMBChannelEncryption @()
+		$servicePropertie = Get-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname 
+		Assert-AreEqual $null $servicePropertie.ProtocolSettings.Smb.Versions
+		Assert-AreEqual $null $servicePropertie.ProtocolSettings.Smb.AuthenticationMethods
+		Assert-AreEqual $null $servicePropertie.ProtocolSettings.Smb.KerberosTicketEncryption
+		Assert-AreEqual $null $servicePropertie.ProtocolSettings.Smb.ChannelEncryption
+
         Remove-AzStorageAccount -Force -ResourceGroupName $rgname -Name $stoname;
     }
     finally