internal string CreateAzureQueueStoredAccessPolicy(IStorageQueueManagement localChannel, string queueName, string policyName, DateTime? startTime, DateTime? expiryTime, string permission)
{
if (!NameUtil.IsValidStoredAccessPolicyName(policyName))
{
throw new ArgumentException(String.Format(CultureInfo.CurrentCulture, Resources.InvalidAccessPolicyName, policyName));
}
//Get existing permissions
CloudQueue queue = Channel.GetQueueReference(queueName);
QueuePermissions queuePermissions = localChannel.GetPermissions(queue);
//Add new policy
if (queuePermissions.SharedAccessPolicies.Keys.Contains(policyName))
{
throw new ResourceAlreadyExistException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyAlreadyExists, policyName));
}
SharedAccessQueuePolicy policy = new SharedAccessQueuePolicy();
AccessPolicyHelper.SetupAccessPolicy<SharedAccessQueuePolicy>(policy, startTime, expiryTime, permission);
queuePermissions.SharedAccessPolicies.Add(policyName, policy);
//Set permissions back to queue
localChannel.SetPermissions(queue, queuePermissions);
return policyName;
}
public void SetupAccessPolicyPermissionTest()
{
SharedAccessQueuePolicy accessPolicy = new SharedAccessQueuePolicy();
command.SetupAccessPolicyPermission(accessPolicy, "");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessQueuePermissions.None);
accessPolicy.Permissions = SharedAccessQueuePermissions.Read;
command.SetupAccessPolicyPermission(accessPolicy, "");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessQueuePermissions.Read);
command.SetupAccessPolicyPermission(accessPolicy, "a");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessQueuePermissions.Add);
command.SetupAccessPolicyPermission(accessPolicy, "aAaaa");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessQueuePermissions.Add);
command.SetupAccessPolicyPermission(accessPolicy, "ru");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessQueuePermissions.Update | SharedAccessQueuePermissions.Read);
command.SetupAccessPolicyPermission(accessPolicy, "ur");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessQueuePermissions.Update | SharedAccessQueuePermissions.Read);
command.SetupAccessPolicyPermission(accessPolicy, "raUP");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessQueuePermissions.Add
| SharedAccessQueuePermissions.Read | SharedAccessQueuePermissions.Update | SharedAccessQueuePermissions.ProcessMessages);
command.SetupAccessPolicyPermission(accessPolicy, "UPrrrra");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessQueuePermissions.Add
| SharedAccessQueuePermissions.Read | SharedAccessQueuePermissions.Update | SharedAccessQueuePermissions.ProcessMessages);
AssertThrows<ArgumentException>(() => command.SetupAccessPolicyPermission(accessPolicy, "rwDl"));
AssertThrows<ArgumentException>(() => command.SetupAccessPolicyPermission(accessPolicy, "x"));
AssertThrows<ArgumentException>(() => command.SetupAccessPolicyPermission(accessPolicy, "rwx"));
AssertThrows<ArgumentException>(() => command.SetupAccessPolicyPermission(accessPolicy, "ABC"));
}
public void ValidateSetupAccessPolicyPermissionTest()
{
SharedAccessBlobPolicy blobAccessPolicy = new SharedAccessBlobPolicy();
AccessPolicyHelper.SetupAccessPolicyPermission(blobAccessPolicy, null);
Assert.AreEqual(blobAccessPolicy.Permissions, SharedAccessBlobPermissions.None);
AccessPolicyHelper.SetupAccessPolicyPermission(blobAccessPolicy, "");
Assert.AreEqual(blobAccessPolicy.Permissions, SharedAccessBlobPermissions.None);
AccessPolicyHelper.SetupAccessPolicyPermission(blobAccessPolicy, "D");
Assert.AreEqual(blobAccessPolicy.Permissions, SharedAccessBlobPermissions.Delete);
SharedAccessTablePolicy tableAccessPolicy = new SharedAccessTablePolicy();
AccessPolicyHelper.SetupAccessPolicyPermission(tableAccessPolicy, null);
Assert.AreEqual(tableAccessPolicy.Permissions, SharedAccessTablePermissions.None);
AccessPolicyHelper.SetupAccessPolicyPermission(tableAccessPolicy, "");
Assert.AreEqual(tableAccessPolicy.Permissions, SharedAccessTablePermissions.None);
AccessPolicyHelper.SetupAccessPolicyPermission(tableAccessPolicy, "ar");
Assert.AreEqual(tableAccessPolicy.Permissions, SharedAccessTablePermissions.Add | SharedAccessTablePermissions.Query);
SharedAccessQueuePolicy queueAccessPolicy = new SharedAccessQueuePolicy();
AccessPolicyHelper.SetupAccessPolicyPermission(queueAccessPolicy, null);
Assert.AreEqual(queueAccessPolicy.Permissions, SharedAccessQueuePermissions.None);
AccessPolicyHelper.SetupAccessPolicyPermission(queueAccessPolicy, "");
Assert.AreEqual(queueAccessPolicy.Permissions, SharedAccessQueuePermissions.None);
AccessPolicyHelper.SetupAccessPolicyPermission(queueAccessPolicy, "p");
Assert.AreEqual(queueAccessPolicy.Permissions, SharedAccessQueuePermissions.ProcessMessages);
SharedAccessFilePolicy fileAccessPolicy = new SharedAccessFilePolicy();
AccessPolicyHelper.SetupAccessPolicyPermission(fileAccessPolicy, null);
Assert.AreEqual(fileAccessPolicy.Permissions, SharedAccessFilePermissions.None);
AccessPolicyHelper.SetupAccessPolicyPermission(fileAccessPolicy, "");
Assert.AreEqual(fileAccessPolicy.Permissions, SharedAccessFilePermissions.None);
AccessPolicyHelper.SetupAccessPolicyPermission(fileAccessPolicy, "lwc");
Assert.AreEqual(fileAccessPolicy.Permissions, SharedAccessFilePermissions.List | SharedAccessFilePermissions.Write | SharedAccessFilePermissions.Create);
}
public static string GetAddSasForQueues()
{
var cloudQueueClient = StorageAccount.CreateCloudQueueClient();
var policy = new SharedAccessQueuePolicy()
{
Permissions = SharedAccessQueuePermissions.Add | SharedAccessQueuePermissions.Read,
SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(15)
};
var sasToken = cloudQueueClient.GetQueueReference("messagequeue").GetSharedAccessSignature(policy, null);
return sasToken;
}
/// <summary>
/// Manage stored access policies specified on the queue
/// </summary>
/// <param name="cloudQueueClient"></param>
/// <returns></returns>
private static async Task QueueAclSample(CloudQueueClient cloudQueueClient)
{
// Create the queue name -- use a guid in the name so it's unique.
string queueName = "demotest-" + Guid.NewGuid();
// Create the queue with this name.
Console.WriteLine("Creating queue with name {0}", queueName);
CloudQueue queue = cloudQueueClient.GetQueueReference(queueName);
try
{
await queue.CreateIfNotExistsAsync();
Console.WriteLine(" Queue created successfully.");
}
catch (StorageException exStorage)
{
Common.WriteException(exStorage);
Console.WriteLine(
"Please make sure your storage account is specified correctly in the app.config - then restart the sample.");
Console.WriteLine("Press any key to exit");
Console.ReadLine();
throw;
}
catch (Exception ex)
{
Console.WriteLine(" Exception thrown creating queue.");
Common.WriteException(ex);
throw;
}
// Set queue permissions
SharedAccessQueuePolicy accessQueuePolicy = new SharedAccessQueuePolicy();
accessQueuePolicy.SharedAccessStartTime = new DateTimeOffset(DateTime.Now);
accessQueuePolicy.SharedAccessExpiryTime = new DateTimeOffset(DateTime.Now.AddMinutes(10));
accessQueuePolicy.Permissions = SharedAccessQueuePermissions.Update;
QueuePermissions permissions = new QueuePermissions();
permissions.SharedAccessPolicies.Add("key1", accessQueuePolicy);
Console.WriteLine("Set queue permissions");
await queue.SetPermissionsAsync(permissions);
// Get queue permissions
Console.WriteLine("Get queue permissions:");
permissions = await queue.GetPermissionsAsync();
foreach (var keyValue in permissions.SharedAccessPolicies)
{
Console.WriteLine(" {0}:", keyValue.Key);
Console.WriteLine(" permissions: {0}:", keyValue.Value.Permissions);
Console.WriteLine(" start time: {0}:", keyValue.Value.SharedAccessStartTime);
Console.WriteLine(" expiry time: {0}:", keyValue.Value.SharedAccessExpiryTime);
}
// Delete queue
Console.WriteLine("Deleting queue with name {0}", queueName);
queue.DeleteIfExists();
}
public void CloudQueueSASSharedProtocolsQueryParam()
{
CloudQueueClient client = GenerateCloudQueueClient();
CloudQueue queue = client.GetQueueReference(GenerateNewQueueName());
try
{
queue.Create();
SharedAccessQueuePolicy policy = new SharedAccessQueuePolicy()
{
Permissions = SharedAccessQueuePermissions.Read,
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30),
};
string sampleMessageContent = "sample content";
CloudQueueMessage message = new CloudQueueMessage(sampleMessageContent);
queue.AddMessage(message);
foreach (SharedAccessProtocol? protocol in new SharedAccessProtocol?[] { null, SharedAccessProtocol.HttpsOrHttp, SharedAccessProtocol.HttpsOnly })
{
string queueToken = queue.GetSharedAccessSignature(policy, null, protocol, null);
StorageCredentials queueSAS = new StorageCredentials(queueToken);
Uri queueSASUri = new Uri(queue.Uri + queueSAS.SASToken);
StorageUri queueSASStorageUri = new StorageUri(new Uri(queue.StorageUri.PrimaryUri + queueSAS.SASToken), new Uri(queue.StorageUri.SecondaryUri + queueSAS.SASToken));
int httpPort = queueSASUri.Port;
int securePort = 443;
if (!string.IsNullOrEmpty(TestBase.TargetTenantConfig.QueueSecurePortOverride))
{
securePort = Int32.Parse(TestBase.TargetTenantConfig.QueueSecurePortOverride);
}
var schemesAndPorts = new[] {
new { scheme = Uri.UriSchemeHttp, port = httpPort},
new { scheme = Uri.UriSchemeHttps, port = securePort}
};
CloudQueue queueWithSAS;
CloudQueueMessage resultMessage;
foreach (var item in schemesAndPorts)
{
queueSASUri = TransformSchemeAndPort(queueSASUri, item.scheme, item.port);
queueSASStorageUri = new StorageUri(TransformSchemeAndPort(queueSASStorageUri.PrimaryUri, item.scheme, item.port), TransformSchemeAndPort(queueSASStorageUri.SecondaryUri, item.scheme, item.port));
if (protocol.HasValue && protocol == SharedAccessProtocol.HttpsOnly && string.CompareOrdinal(item.scheme, Uri.UriSchemeHttp) == 0)
{
queueWithSAS = new CloudQueue(queueSASUri);
TestHelper.ExpectedException(() => queueWithSAS.PeekMessage(), "Access a queue using SAS with a shared protocols that does not match", HttpStatusCode.Unused);
queueWithSAS = new CloudQueue(queueSASStorageUri, null);
TestHelper.ExpectedException(() => queueWithSAS.PeekMessage(), "Access a queue using SAS with a shared protocols that does not match", HttpStatusCode.Unused);
}
else
{
queueWithSAS = new CloudQueue(queueSASUri);
resultMessage = queueWithSAS.PeekMessage();
Assert.AreEqual(sampleMessageContent, resultMessage.AsString);
queueWithSAS = new CloudQueue(queueSASStorageUri, null);
resultMessage = queueWithSAS.PeekMessage();
Assert.AreEqual(sampleMessageContent, resultMessage.AsString);
}
}
}
}
finally
{
queue.DeleteIfExists();
}
}
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy)
{
return _cloudQueue.GetSharedAccessSignature(policy);
}
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy, string accessPolicyIdentifier, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange)
{
throw new System.NotImplementedException();
}
/// <summary>
/// Generates the queue SAS URL.
/// </summary>
/// <param name="storageAccount">The storage account.</param>
/// <param name="dto">The data transfer object.</param>
private static void GenerateQueueSasUrl(CloudStorageAccount storageAccount, DataDto dto)
{
CloudQueueClient queueClient = storageAccount.CreateCloudQueueClient();
// Retrieve a reference to a queue
CloudQueue queue = queueClient.GetQueueReference("dataqueue");
// Create the queue if it doesn't already exist
// TODO: Avoid the next line of code in productive systems, since it makes call to azure queue storage.
// It's better to make sure the queue always exists from the beginning.
queue.CreateIfNotExists();
var accessQueuePolicy = new SharedAccessQueuePolicy();
accessQueuePolicy.SharedAccessExpiryTime = DateTime.UtcNow.AddHours(1);
accessQueuePolicy.Permissions = SharedAccessQueuePermissions.Add;
// Generate the SAS token. No access policy identifier is used which makes it non revocable.
// The token is generated without issuing any calls against the Windows Azure Storage.
string sasToken = queue.GetSharedAccessSignature(accessQueuePolicy, null);
dto.QueueUrl = queue.Uri;
dto.QueueSasToken = sasToken;
}
internal static string GetHash(
SharedAccessQueuePolicy policy,
string accessPolicyIdentifier,
string resourceName,
string sasVersion,
byte[] keyValue)
{
CommonUtility.AssertNotNullOrEmpty("resourceName", resourceName);
CommonUtility.AssertNotNull("keyValue", keyValue);
CommonUtility.AssertNotNullOrEmpty("sasVersion", sasVersion);
string permissions = null;
DateTimeOffset? startTime = null;
DateTimeOffset? expiryTime = null;
if (policy != null)
{
permissions = SharedAccessQueuePolicy.PermissionsToString(policy.Permissions);
startTime = policy.SharedAccessStartTime;
expiryTime = policy.SharedAccessExpiryTime;
}
//// StringToSign = signedpermissions + "\n" +
//// signedstart + "\n" +
//// signedexpiry + "\n" +
//// canonicalizedresource + "\n" +
//// signedidentifier + "\n" +
//// signedversion
////
//// HMAC-SHA256(UTF8.Encode(StringToSign))
string stringToSign = string.Format(
CultureInfo.InvariantCulture,
"{0}\n{1}\n{2}\n{3}\n{4}\n{5}",
permissions,
GetDateTimeOrEmpty(startTime),
GetDateTimeOrEmpty(expiryTime),
resourceName,
accessPolicyIdentifier,
sasVersion);
return CryptoUtility.ComputeHmac256(keyValue, stringToSign);
}
/// <summary>
/// Set up access policy permission
/// </summary>
/// <param name="policy">SharedAccessBlobPolicy object</param>
/// <param name="permission">Permisson</param>
internal void SetupAccessPolicyPermission(SharedAccessQueuePolicy policy, string permission)
{
if (string.IsNullOrEmpty(permission)) return;
policy.Permissions = SharedAccessQueuePermissions.None;
permission = permission.ToLower();
foreach (char op in permission)
{
switch(op)
{
case StorageNouns.Permission.Read:
policy.Permissions |= SharedAccessQueuePermissions.Read;
break;
case StorageNouns.Permission.Add:
policy.Permissions |= SharedAccessQueuePermissions.Add;
break;
case StorageNouns.Permission.Update:
policy.Permissions |= SharedAccessQueuePermissions.Update;
break;
case StorageNouns.Permission.Process:
policy.Permissions |= SharedAccessQueuePermissions.ProcessMessages;
break;
default:
throw new ArgumentException(string.Format(Resources.InvalidAccessPermission, op));
}
}
}
/// <summary>
/// Get the signature hash embedded inside the Shared Access Signature.
/// </summary>
/// <param name="policy">The shared access policy to hash.</param>
/// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param>
/// <param name="resourceName">The canonical resource string, unescaped.</param>
/// <param name="keyValue">The key value retrieved as an atomic operation used for signing.</param>
/// <returns>The signed hash.</returns>
internal static string GetSharedAccessSignatureHashImpl(
SharedAccessQueuePolicy policy,
string accessPolicyIdentifier,
string resourceName,
byte[] keyValue)
{
if (policy == null)
{
return GetSharedAccessSignatureHashImpl(
null /*SharedAccessQueuePolicy.Permissions */,
null /*policy.SharedAccessStartTime*/,
null /*policy.SharedAccessExpiryTime*/,
null /* startPartitionKey (table only) */,
null /* startRowKey (table only) */,
null /* endPartitionKey (table only) */,
null /* endRowKey (table only) */,
false /* not using table SAS */,
accessPolicyIdentifier,
resourceName,
keyValue);
}
else
{
return GetSharedAccessSignatureHashImpl(
SharedAccessQueuePolicy.PermissionsToString(policy.Permissions),
policy.SharedAccessStartTime,
policy.SharedAccessExpiryTime,
null /* startPartitionKey (table only) */,
null /* startRowKey (table only) */,
null /* endPartitionKey (table only) */,
null /* endRowKey (table only) */,
false /* not using table SAS */,
accessPolicyIdentifier,
resourceName,
keyValue);
}
}
/// <summary>
/// Get the complete query builder for creating the Shared Access Signature query.
/// </summary>
/// <param name="policy">The shared access policy to hash.</param>
/// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param>
/// <param name="signature">The signature to use.</param>
/// <param name="accountKeyName">The name of the key used to create the signature, or null if the key is implicit.</param>
/// <returns>The finished query builder.</returns>
internal static UriQueryBuilder GetSharedAccessSignatureImpl(
SharedAccessQueuePolicy policy,
string accessPolicyIdentifier,
string signature,
string accountKeyName)
{
CommonUtility.AssertNotNull("signature", signature);
if (policy == null)
{
return GetSharedAccessSignatureImpl(
null /* permissions*/,
null /* policy.SharedAccessStartTime*/,
null /* policy.SharedAccessExpiryTime*/,
null /* startPartitionKey (table only) */,
null /* startRowKey (table only) */,
null /* endPartitionKey (table only) */,
null /* endRowKey (table only) */,
accessPolicyIdentifier,
null /* resourceType (blob only) */,
null /* tableName (table only) */,
signature,
accountKeyName);
}
string permissions = SharedAccessQueuePolicy.PermissionsToString(policy.Permissions);
if (string.IsNullOrEmpty(permissions))
{
permissions = null;
}
return GetSharedAccessSignatureImpl(
permissions,
policy.SharedAccessStartTime,
policy.SharedAccessExpiryTime,
null /* startPartitionKey (table only) */,
null /* startRowKey (table only) */,
null /* endPartitionKey (table only) */,
null /* endRowKey (table only) */,
accessPolicyIdentifier,
null /* resourceType (blob only) */,
null /* tableName (table only) */,
signature,
accountKeyName);
}
public void CloudQueueSASWithAbsoluteUri()
{
CloudQueueClient queueClient = GenerateCloudQueueClient();
CloudQueue queue = queueClient.GetQueueReference(queueClient.BaseUri + GenerateNewQueueName());
try
{
queue.CreateIfNotExists();
SharedAccessQueuePolicy policy = new SharedAccessQueuePolicy()
{
Permissions = SharedAccessQueuePermissions.Read,
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(10)
};
string sasToken = queue.GetSharedAccessSignature(policy);
StorageCredentials creds = new StorageCredentials(sasToken);
CloudQueue sasQueue = new CloudQueue(queue.Uri, creds);
sasQueue.PeekMessage();
}
finally
{
queue.DeleteIfExists();
}
}
/// <summary>
/// Creates SAS constraints from the given parameters.
/// </summary>
/// <param name="permissions">The permission set.</param>
/// <param name="expiration">The expiration time.</param>
/// <returns>Returns the access policy.</returns>
private static SharedAccessQueuePolicy GetQueueSasConstraints(ResourcePermissions permissions, DateTime? expiration)
{
SharedAccessQueuePolicy sasConstraints = new SharedAccessQueuePolicy();
// Set the start time to five minutes in the past.
sasConstraints.SharedAccessStartTime = DateTimeOffset.Now - TimeSpan.FromMinutes(5);
// Expiration.
if (expiration != null)
{
sasConstraints.SharedAccessExpiryTime = expiration.Value;
}
// Permissions.
sasConstraints.Permissions = SharedAccessQueuePermissions.None;
if ((permissions & ResourcePermissions.Read) == ResourcePermissions.Read)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.Read;
}
if ((permissions & ResourcePermissions.Add) == ResourcePermissions.Add)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.Add;
}
if ((permissions & ResourcePermissions.Update) == ResourcePermissions.Update)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.Update;
}
if ((permissions & ResourcePermissions.Process) == ResourcePermissions.Process)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.ProcessMessages;
}
return sasConstraints;
}
static string RequestSasToken(CloudQueue queue)
{
// Omitting any authentication code since this is beyond the scope of
// this sample code
// creating a shared access policy that expires in 1 day.
// No start time is specified, which means that the token is valid immediately.
// The policy specifies full permissions.
SharedAccessQueuePolicy policy = new SharedAccessQueuePolicy()
{
SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-15),
SharedAccessExpiryTime = DateTime.UtcNow.AddDays(1.0),
Permissions = SharedAccessQueuePermissions.Add |
SharedAccessQueuePermissions.Read |
SharedAccessQueuePermissions.Update |
SharedAccessQueuePermissions.ProcessMessages
};
// Generate the SAS token. No access policy identifier is used which
// makes it a non-revocable token
// limiting the table SAS access to only the request customer's id
string sasToken = queue.GetSharedAccessSignature(policy);
return sasToken;
}
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy)
{
if (policy == null)
{
throw new ArgumentNullException("policy");
}
return string.Format(
CultureInfo.InvariantCulture,
"?sv={0:yyyy-MM-dd}&sr=c&sig=s&sp={1}",
DateTime.Today,
policy.Permissions.DeterminePermissionsString());
}
/// <summary>
/// Returns a shared access signature for the queue.
/// </summary>
/// <param name="policy">The access policy for the shared access signature.</param>
/// <param name="accessPolicyIdentifier">A queue-level access policy.</param>
/// <returns>A shared access signature.</returns>
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy, string accessPolicyIdentifier)
{
if (!this.ServiceClient.Credentials.IsSharedKey)
{
string errorMessage = string.Format(CultureInfo.CurrentCulture, SR.CannotCreateSASWithoutAccountKey);
throw new InvalidOperationException(errorMessage);
}
string resourceName = this.GetCanonicalName();
string signature = SharedAccessSignatureHelper.GetSharedAccessSignatureHashImpl(
policy,
accessPolicyIdentifier,
resourceName,
this.ServiceClient.Credentials);
string accountKeyName = this.ServiceClient.Credentials.IsSharedKey ? this.ServiceClient.Credentials.KeyName : null;
UriQueryBuilder builder = SharedAccessSignatureHelper.GetSharedAccessSignatureImpl(
policy,
accessPolicyIdentifier,
signature,
accountKeyName);
return builder.ToString();
}
/// <summary>
/// Update the access policy
/// </summary>
/// <param name="policy">Access policy object</param>
/// <param name="shouldSetExpiryTime">Should set the default expiry time</param>
private void SetupAccessPolicy(SharedAccessQueuePolicy policy, bool shouldSetExpiryTime)
{
DateTimeOffset? accessStartTime;
DateTimeOffset? accessEndTime;
SasTokenHelper.SetupAccessPolicyLifeTime(StartTime, ExpiryTime, out accessStartTime, out accessEndTime, shouldSetExpiryTime);
policy.SharedAccessStartTime = accessStartTime;
policy.SharedAccessExpiryTime = accessEndTime;
SetupAccessPolicyPermission(policy, Permission);
}
/// <summary>
/// Returns a shared access signature for the queue.
/// </summary>
/// <param name="policy">A <see cref="SharedAccessQueuePolicy"/> object specifying the access policy for the shared access signature.</param>
/// <returns>A shared access signature, as a URI query string.</returns>
/// <remarks>The query string returned includes the leading question mark.</remarks>
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy)
{
return(this.GetSharedAccessSignature(policy, null /* accessPolicyIdentifier */));
}
public override void ExecuteCmdlet()
{
if (String.IsNullOrEmpty(Name)) return;
CloudQueue queue = Channel.GetQueueReference(Name);
SharedAccessQueuePolicy policy = new SharedAccessQueuePolicy();
bool shouldSetExpiryTime = SasTokenHelper.ValidateQueueAccessPolicy(Channel, queue.Name, policy, accessPolicyIdentifier);
SetupAccessPolicy(policy, shouldSetExpiryTime);
string sasToken = queue.GetSharedAccessSignature(policy, accessPolicyIdentifier);
if (FullUri)
{
string fullUri = queue.Uri.ToString() + sasToken;
WriteObject(fullUri);
}
else
{
WriteObject(sasToken);
}
}
/// <summary>
/// Returns a shared access signature for the queue.
/// </summary>
/// <param name="policy">A <see cref="SharedAccessQueuePolicy"/> object specifying the access policy for the shared access signature.</param>
/// <param name="accessPolicyIdentifier">A string identifying a stored access policy.</param>
/// <returns>A shared access signature, as a URI query string.</returns>
/// <remarks>The query string returned includes the leading question mark.</remarks>
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy, string accessPolicyIdentifier)
{
return(this.GetSharedAccessSignature(policy, accessPolicyIdentifier, null, null));
}
/// <summary>
/// Get the complete query builder for creating the Shared Access Signature query.
/// </summary>
/// <param name="policy">The shared access policy to hash.</param>
/// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param>
/// <param name="signature">The signature to use.</param>
/// <param name="accountKeyName">The name of the key used to create the signature, or <c>null</c> if the key is implicit.</param>
/// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format. Value must be <c>2012-02-12</c> or later.</param>
/// <returns>The finished query builder.</returns>
internal static UriQueryBuilder GetSignature(
SharedAccessQueuePolicy policy,
string accessPolicyIdentifier,
string signature,
string accountKeyName,
string sasVersion)
{
CommonUtility.AssertNotNull("signature", signature);
UriQueryBuilder builder = new UriQueryBuilder();
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedVersion, sasVersion);
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedIdentifier, accessPolicyIdentifier);
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKey, accountKeyName);
AddEscapedIfNotNull(builder, Constants.QueryConstants.Signature, signature);
if (policy != null)
{
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedStart, GetDateTimeOrNull(policy.SharedAccessStartTime));
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedExpiry, GetDateTimeOrNull(policy.SharedAccessExpiryTime));
string permissions = SharedAccessQueuePolicy.PermissionsToString(policy.Permissions);
if (!string.IsNullOrEmpty(permissions))
{
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedPermissions, permissions);
}
}
return builder;
}
public void SetupAccessPolicyTest()
{
DateTime? start = DateTime.Now;
DateTime? end = start.Value.AddHours(1.0);
SharedAccessBlobPolicy blobAccessPolicy = new SharedAccessBlobPolicy();
AccessPolicyHelper.SetupAccessPolicy(blobAccessPolicy, start, end, "a");
Assert.AreEqual(blobAccessPolicy.SharedAccessStartTime.Value.UtcDateTime.ToString(), start.Value.ToUniversalTime().ToString());
Assert.AreEqual(blobAccessPolicy.SharedAccessExpiryTime.Value.UtcDateTime.ToString(), end.Value.ToUniversalTime().ToString());
Assert.AreEqual(blobAccessPolicy.Permissions, SharedAccessBlobPermissions.Add);
SharedAccessTablePolicy tableAccessPolicy = new SharedAccessTablePolicy();
AccessPolicyHelper.SetupAccessPolicy(tableAccessPolicy, null, end, "d", true);
Assert.AreEqual(tableAccessPolicy.SharedAccessStartTime, null);
Assert.AreEqual(tableAccessPolicy.SharedAccessExpiryTime.Value.UtcDateTime.ToString(), end.Value.ToUniversalTime().ToString());
Assert.AreEqual(tableAccessPolicy.Permissions, SharedAccessTablePermissions.Delete);
SharedAccessQueuePolicy queueAccessPolicy = new SharedAccessQueuePolicy();
AccessPolicyHelper.SetupAccessPolicy(queueAccessPolicy, start, null, "", noExpiryTime: true);
Assert.AreEqual(queueAccessPolicy.SharedAccessStartTime.Value.UtcDateTime.ToString(), start.Value.ToUniversalTime().ToString());
Assert.AreEqual(queueAccessPolicy.SharedAccessExpiryTime, null);
Assert.AreEqual(queueAccessPolicy.Permissions, SharedAccessQueuePermissions.None);
SharedAccessFilePolicy fileAccessPolicy = new SharedAccessFilePolicy();
AccessPolicyHelper.SetupAccessPolicy(fileAccessPolicy, null, null, "dl", true, true);
Assert.AreEqual(fileAccessPolicy.SharedAccessStartTime, null);
Assert.AreEqual(fileAccessPolicy.SharedAccessExpiryTime, null);
Assert.AreEqual(fileAccessPolicy.Permissions, SharedAccessFilePermissions.List| SharedAccessFilePermissions.Delete);
}
/// <summary>
/// Get the signature hash embedded inside the Shared Access Signature.
/// </summary>
/// <param name="policy">The shared access policy to hash.</param>
/// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param>
/// <param name="resourceName">The canonical resource string, unescaped.</param>
/// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format.</param>
/// <param name="protocols">The HTTP/HTTPS protocols for Account SAS.</param>
/// <param name="ipAddressOrRange">The IP range for IPSAS.</param>
/// <param name="keyValue">The key value retrieved as an atomic operation used for signing.</param>
/// <returns>The signed hash.</returns>
internal static string GetHash(
SharedAccessQueuePolicy policy,
string accessPolicyIdentifier,
string resourceName,
string sasVersion,
SharedAccessProtocol? protocols,
IPAddressOrRange ipAddressOrRange,
byte[] keyValue)
{
CommonUtility.AssertNotNullOrEmpty("resourceName", resourceName);
CommonUtility.AssertNotNull("keyValue", keyValue);
CommonUtility.AssertNotNullOrEmpty("sasVersion", sasVersion);
string permissions = null;
DateTimeOffset? startTime = null;
DateTimeOffset? expiryTime = null;
if (policy != null)
{
permissions = SharedAccessQueuePolicy.PermissionsToString(policy.Permissions);
startTime = policy.SharedAccessStartTime;
expiryTime = policy.SharedAccessExpiryTime;
}
//// StringToSign = signedpermissions + "\n" +
//// signedstart + "\n" +
//// signedexpiry + "\n" +
//// canonicalizedresource + "\n" +
//// signedidentifier + "\n" +
//// signedIP + "\n" +
//// signedProtocol + "\n" +
//// signedversion
////
//// HMAC-SHA256(UTF8.Encode(StringToSign))
////
string stringToSign = string.Format(
CultureInfo.InvariantCulture,
"{0}\n{1}\n{2}\n{3}\n{4}\n{5}\n{6}\n{7}",
permissions,
GetDateTimeOrEmpty(startTime),
GetDateTimeOrEmpty(expiryTime),
resourceName,
accessPolicyIdentifier,
ipAddressOrRange == null ? string.Empty : ipAddressOrRange.ToString(),
GetProtocolString(protocols),
sasVersion);
Logger.LogVerbose(null /* operationContext */, SR.TraceStringToSign, stringToSign);
return CryptoUtility.ComputeHmac256(keyValue, stringToSign);
}
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy, string accessPolicyIdentifier)
{
throw new System.NotImplementedException();
}
/// <summary>
/// Returns a shared access signature for the queue.
/// </summary>
/// <param name="policy">A <see cref="SharedAccessQueuePolicy"/> object specifying the access policy for the shared access signature.</param>
/// <param name="accessPolicyIdentifier">A string identifying a stored access policy.</param>
/// <param name="protocols">The allowed protocols (https only, or http and https). Null if you don't want to restrict protocol.</param>
/// <param name="ipAddressOrRange">The allowed IP address or IP address range. Null if you don't want to restrict based on IP address.</param>
/// <returns>A shared access signature, as a URI query string.</returns>
/// <remarks>The query string returned includes the leading question mark.</remarks>
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy, string accessPolicyIdentifier, SharedAccessProtocol? protocols, IPAddressOrRange ipAddressOrRange)
{
if (!this.ServiceClient.Credentials.IsSharedKey)
{
string errorMessage = string.Format(CultureInfo.CurrentCulture, SR.CannotCreateSASWithoutAccountKey);
throw new InvalidOperationException(errorMessage);
}
string resourceName = this.GetCanonicalName();
StorageAccountKey accountKey = this.ServiceClient.Credentials.Key;
string signature = SharedAccessSignatureHelper.GetHash(
policy,
accessPolicyIdentifier,
resourceName,
Constants.HeaderConstants.TargetStorageVersion,
protocols,
ipAddressOrRange,
accountKey.KeyValue);
string accountKeyName = accountKey.KeyName;
UriQueryBuilder builder = SharedAccessSignatureHelper.GetSignature(
policy,
accessPolicyIdentifier,
signature,
accountKeyName,
Constants.HeaderConstants.TargetStorageVersion,
protocols,
ipAddressOrRange);
return builder.ToString();
}
/// <summary>
/// Helper function for testing the IPAddressOrRange funcitonality for queues
/// </summary>
/// <param name="generateInitialIPAddressOrRange">Function that generates an initial IPAddressOrRange object to use. This is expected to fail on the service.</param>
/// <param name="generateFinalIPAddressOrRange">Function that takes in the correct IP address (according to the service) and returns the IPAddressOrRange object
/// that should be accepted by the service</param>
public void CloudQueueSASIPAddressHelper(Func<IPAddressOrRange> generateInitialIPAddressOrRange, Func<IPAddress, IPAddressOrRange> generateFinalIPAddressOrRange)
{
CloudQueueClient client = GenerateCloudQueueClient();
CloudQueue queue = client.GetQueueReference(GenerateNewQueueName());
try
{
queue.Create();
SharedAccessQueuePolicy policy = new SharedAccessQueuePolicy()
{
Permissions = SharedAccessQueuePermissions.Read,
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30),
};
string sampleMessageContent = "sample content";
CloudQueueMessage message = new CloudQueueMessage(sampleMessageContent);
queue.AddMessage(message);
// The plan then is to use an incorrect IP address to make a call to the service
// ensure that we get an error message
// parse the error message to get my actual IP (as far as the service sees)
// then finally test the success case to ensure we can actually make requests
IPAddressOrRange ipAddressOrRange = generateInitialIPAddressOrRange();
string queueToken = queue.GetSharedAccessSignature(policy, null, null, ipAddressOrRange);
StorageCredentials queueSAS = new StorageCredentials(queueToken);
Uri queueSASUri = queueSAS.TransformUri(queue.Uri);
StorageUri queueSASStorageUri = queueSAS.TransformUri(queue.StorageUri);
CloudQueue queueWithSAS = new CloudQueue(queueSASUri);
OperationContext opContext = new OperationContext();
IPAddress actualIP = null;
opContext.ResponseReceived += (sender, e) =>
{
Stream stream = e.Response.GetResponseStream();
stream.Seek(0, SeekOrigin.Begin);
using (StreamReader reader = new StreamReader(stream))
{
string text = reader.ReadToEnd();
XDocument xdocument = XDocument.Parse(text);
actualIP = IPAddress.Parse(xdocument.Descendants("SourceIP").First().Value);
}
};
bool exceptionThrown = false;
CloudQueueMessage resultMessage;
try
{
resultMessage = queueWithSAS.PeekMessage(null, opContext);
}
catch (StorageException)
{
exceptionThrown = true;
Assert.IsNotNull(actualIP);
}
Assert.IsTrue(exceptionThrown);
ipAddressOrRange = generateFinalIPAddressOrRange(actualIP);
queueToken = queue.GetSharedAccessSignature(policy, null, null, ipAddressOrRange);
queueSAS = new StorageCredentials(queueToken);
queueSASUri = queueSAS.TransformUri(queue.Uri);
queueSASStorageUri = queueSAS.TransformUri(queue.StorageUri);
queueWithSAS = new CloudQueue(queueSASUri);
resultMessage = queue.PeekMessage();
Assert.AreEqual(sampleMessageContent, resultMessage.AsString);
Assert.IsTrue(queueWithSAS.StorageUri.PrimaryUri.Equals(queue.Uri));
Assert.IsNull(queueWithSAS.StorageUri.SecondaryUri);
queueWithSAS = new CloudQueue(queueSASStorageUri, null);
resultMessage = queue.PeekMessage();
Assert.AreEqual(sampleMessageContent, resultMessage.AsString);
Assert.IsTrue(queueWithSAS.StorageUri.Equals(queue.StorageUri));
}
finally
{
queue.DeleteIfExists();
}
}
/// <summary>
/// Returns a shared access signature for the queue.
/// </summary>
/// <param name="policy">A <see cref="SharedAccessQueuePolicy"/> object specifying the access policy for the shared access signature.</param>
/// <param name="accessPolicyIdentifier">A string identifying a stored access policy.</param>
/// <returns>A shared access signature, as a URI query string.</returns>
/// <remarks>The query string returned includes the leading question mark.</remarks>
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy, string accessPolicyIdentifier)
{
return this.GetSharedAccessSignature(policy, accessPolicyIdentifier, null, null);
}
/// <summary>
/// Returns a shared access signature for the queue.
/// </summary>
/// <param name="policy">A <see cref="SharedAccessQueuePolicy"/> object specifying the access policy for the shared access signature.</param>
/// <param name="accessPolicyIdentifier">A string identifying a stored access policy.</param>
/// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format. Value must be <c>2012-02-12</c> or later.</param>
/// <returns>A shared access signature, as a URI query string.</returns>
/// <remarks>The query string returned includes the leading question mark.</remarks>
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy, string accessPolicyIdentifier, string sasVersion)
{
if (!this.ServiceClient.Credentials.IsSharedKey)
{
string errorMessage = string.Format(CultureInfo.CurrentCulture, SR.CannotCreateSASWithoutAccountKey);
throw new InvalidOperationException(errorMessage);
}
string resourceName = this.GetCanonicalName();
StorageAccountKey accountKey = this.ServiceClient.Credentials.Key;
string validatedSASVersion = SharedAccessSignatureHelper.ValidateSASVersionString(sasVersion);
string signature = SharedAccessSignatureHelper.GetHash(
policy,
accessPolicyIdentifier,
resourceName,
validatedSASVersion,
accountKey.KeyValue);
string accountKeyName = accountKey.KeyName;
UriQueryBuilder builder = SharedAccessSignatureHelper.GetSignature(
policy,
accessPolicyIdentifier,
signature,
accountKeyName,
validatedSASVersion);
return builder.ToString();
}
/// <summary>
/// Returns a shared access signature for the queue.
/// </summary>
/// <param name="policy">A <see cref="SharedAccessQueuePolicy"/> object specifying the access policy for the shared access signature.</param>
/// <returns>A shared access signature, as a URI query string.</returns>
/// <remarks>The query string returned includes the leading question mark.</remarks>
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy)
{
return this.GetSharedAccessSignature(policy, null /* accessPolicyIdentifier */);
}
public async Task UpdateQueueSASTestAsync()
{
CloudQueueClient client = GenerateCloudQueueClient();
CloudQueue queue = client.GetQueueReference(GenerateNewQueueName());
try
{
await queue.CreateAsync();
string messageContent = Guid.NewGuid().ToString();
CloudQueueMessage message = new CloudQueueMessage(messageContent);
await queue.AddMessageAsync(message);
SharedAccessQueuePolicy policy = new SharedAccessQueuePolicy()
{
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30),
Permissions = SharedAccessQueuePermissions.Add | SharedAccessQueuePermissions.ProcessMessages,
};
string id = Guid.NewGuid().ToString();
string sasToken = queue.GetSharedAccessSignature(policy, null);
StorageCredentials sasCreds = new StorageCredentials(sasToken);
CloudQueue sasQueue = new CloudQueue(queue.Uri, sasCreds);
OperationContext context = new OperationContext();
await TestHelper.ExpectedExceptionAsync(
async () => await sasQueue.PeekMessageAsync(null, context),
context,
"Peek when Sas does not allow Read access on the queue",
HttpStatusCode.Forbidden);
await sasQueue.AddMessageAsync(message);
SharedAccessQueuePolicy policy2 = new SharedAccessQueuePolicy()
{
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30),
Permissions = SharedAccessQueuePermissions.Add | SharedAccessQueuePermissions.ProcessMessages | SharedAccessQueuePermissions.Read,
};
string sasToken2 = queue.GetSharedAccessSignature(policy2, null);
sasCreds.UpdateSASToken(sasToken2);
sasQueue = new CloudQueue(queue.Uri, sasCreds);
await sasQueue.PeekMessageAsync();
}
finally
{
queue.DeleteIfExistsAsync().AsTask().Wait();
}
}
