azure: Filter out storage accounts that deny public requests (#1698)

* Filter out storage accounts that dney public requests * Bump
microsoft · Feb 29, 2024 · efd6201 · efd6201
1 parent c840d9d
commit efd6201
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 17 deletions.
diff --git a/azure/package-lock.json b/azure/package-lock.json
diff --git a/azure/package.json b/azure/package.json
@@ -1,7 +1,7 @@
 {
     "name": "@microsoft/vscode-azext-azureutils",
     "author": "Microsoft Corporation",
-    "version": "3.0.0",
+    "version": "3.0.1",
     "description": "Common Azure utils for developing Azure extensions for VS Code",
     "tags": [
         "azure",
@@ -34,7 +34,7 @@
         "@azure/arm-resources": "^5.0.0",
         "@azure/arm-resources-profile-2020-09-01-hybrid": "^2.0.0",
         "@azure/arm-resources-subscriptions": "^2.0.0",
-        "@azure/arm-storage": "^18.0.0",
+        "@azure/arm-storage": "^18.2.0",
         "@azure/arm-storage-profile-2020-09-01-hybrid": "^2.0.0",
         "@azure/core-client": "^1.6.0",
         "@azure/core-rest-pipeline": "^1.9.0",

diff --git a/azure/src/wizard/StorageAccountListStep.ts b/azure/src/wizard/StorageAccountListStep.ts
@@ -3,7 +3,7 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-import type { StorageAccount, StorageManagementClient } from '@azure/arm-storage';
+import type { NetworkRuleSet, StorageAccount, StorageManagementClient } from '@azure/arm-storage';
 import { AzureWizardPromptStep, IAzureNamingRules, IAzureQuickPickItem, IAzureQuickPickOptions, IWizardOptions, nonNullProp, openUrl } from '@microsoft/vscode-azext-utils';
 import * as vscode from 'vscode';
 import * as types from '../../index';
@@ -121,7 +121,8 @@ export class StorageAccountListStep<T extends types.IStorageAccountWizardContext
 
         let hasFilteredAccountsBySku: boolean = false;
         let hasFilteredAccountsByLocation: boolean = false;
-        const storageAccounts: StorageAccount[] = (await storageAccountsTask)
+        let hasFilteredAccountsByNetwork = false;
+        const storageAccounts: (StorageAccount & { networkAcls?: NetworkRuleSet })[] = (await storageAccountsTask)
             .sort((a: StorageAccount, b: StorageAccount) => nonNullProp(a, 'name').localeCompare(nonNullProp(b, 'name')));
         for (const sa of storageAccounts) {
             if (!sa.kind || sa.kind.match(kindRegExp) || !sa.sku || sa.sku.name.match(performanceRegExp) || sa.sku.name.match(replicationRegExp)) {
@@ -134,6 +135,14 @@ export class StorageAccountListStep<T extends types.IStorageAccountWizardContext
                 continue;
             }
 
+            // old storage accounts (and the typings) use `networkRuleSet` but newer storage accounts have `networkAcls`
+            const networkDefaultAction = sa.networkRuleSet?.defaultAction ?? sa.networkAcls?.defaultAction;
+            if (sa.publicNetworkAccess?.toLocaleLowerCase() === 'disabled' ||
+                sa.publicNetworkAccess?.toLocaleLowerCase() === 'enabled' && networkDefaultAction === 'Deny') {
+                hasFilteredAccountsByNetwork = true;
+                continue;
+            }
+
             picks.push({
                 id: sa.id,
                 // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
@@ -162,6 +171,15 @@ export class StorageAccountListStep<T extends types.IStorageAccountWizardContext
             });
         }
 
+        if (hasFilteredAccountsByNetwork) {
+            picks.push({
+                label: vscode.l10n.t('$(warning) Some storage accounts were filtered because of their network configurations.'),
+                onPicked: () => { /* do nothing */ },
+                data: undefined
+            });
+        }
+
+
         return picks;
     }
 }