/// <summary>
/// Specifies that access to the storage account should be allowed only from selected networks.
/// </summary>
/// <returns>StorageNetworkRulesHelper</returns>
internal StorageNetworkRulesHelper WithAccessFromSelectedNetworks()
{
NetworkRuleSet networkRuleSet = this.GetNetworkRuleSetConfig(true);
networkRuleSet.DefaultAction = DefaultActionEnumExtension.ToSerializedValue(DefaultAction.Deny);
return(this);
}
/// <summary>
/// The NetworkRuleSet#defaultAction is a required property.
/// During create mode, this method sets the default action to DENY if it is already not set by the user
/// and user specifies at least one network rule or choose at least one exception.
///
/// When in update mode, this method set action to DENY only if there is no existing network rules and exception
/// hence this is the first time user is adding a network rule or exception and action is not explicitly set by user.
/// If there is any existing rules or exception, we honor currently configured action.
/// </summary>
internal void SetDefaultActionIfRequired()
{
if (isInCreateMode)
{
if (createParameters.NetworkRuleSet != null)
{
bool hasAtLeastOneRule = false;
if (createParameters.NetworkRuleSet.VirtualNetworkRules != null && createParameters.NetworkRuleSet.VirtualNetworkRules.Count() > 0)
{
hasAtLeastOneRule = true;
}
else if (createParameters.NetworkRuleSet.IpRules != null && createParameters.NetworkRuleSet.IpRules.Count() > 0)
{
hasAtLeastOneRule = true;
}
bool anyException = createParameters.NetworkRuleSet.Bypass != null;
if ((hasAtLeastOneRule || anyException) && createParameters.NetworkRuleSet.DefaultAction == null)
{
// If user specified at least one network rule or selected any exception
// and didn't choose the default access action then "DENY" access from
// unknown networks.
//
createParameters.NetworkRuleSet.DefaultAction = DefaultActionEnumExtension.ToSerializedValue(DefaultAction.Deny);
if (!anyException)
{
// If user didn't select any by-pass explicitly then disable "all bypass"
// if this is not specified then by default service allows access from
// "azure-services".
//
createParameters.NetworkRuleSet.Bypass = Bypass.None;
}
}
}
}
else
{
var currentRuleSet = this.inner.NetworkRuleSet;
bool hasNoExistingException = currentRuleSet != null && currentRuleSet.Bypass == null;
bool hasExistingRules = false;
if (currentRuleSet != null)
{
if (currentRuleSet.VirtualNetworkRules != null && currentRuleSet.VirtualNetworkRules.Count() > 0)
{
hasExistingRules = true;
}
else if (currentRuleSet.IpRules != null && currentRuleSet.IpRules.Count() > 0)
{
hasExistingRules = true;
}
}
if (!hasExistingRules)
{
if (updateParameters.NetworkRuleSet != null)
{
bool anyRulesAddedFirstTime = false;
if (updateParameters.NetworkRuleSet.VirtualNetworkRules != null && updateParameters.NetworkRuleSet.VirtualNetworkRules.Count() > 0)
{
anyRulesAddedFirstTime = true;
}
else if (updateParameters.NetworkRuleSet.IpRules != null && updateParameters.NetworkRuleSet.IpRules.Count() > 0)
{
anyRulesAddedFirstTime = true;
}
bool anyExceptionAddedFirstTime = !hasNoExistingException && updateParameters.NetworkRuleSet.Bypass != null;
if ((anyRulesAddedFirstTime || anyExceptionAddedFirstTime) && updateParameters.NetworkRuleSet.DefaultAction == null)
{
// If there was no existing rules & exceptions and if user specified at least one
// network rule or exception and didn't choose the default access action for
// unknown networks then DENY access from unknown networks.
//
updateParameters.NetworkRuleSet.DefaultAction = DefaultActionEnumExtension.ToSerializedValue(DefaultAction.Deny);
if (!anyExceptionAddedFirstTime)
{
// If user didn't select any by-pass explicitly then disable "all bypass"
// if this is not specified then by default service allows access from
// "azure-services".
//
createParameters.NetworkRuleSet.Bypass = Bypass.None;
}
}
}
}
}
}
