public async Task SetPermissions_BlobContainerSasPermissions(BlobContainerSasPermissions permissions)
{
// Arrange
await using DisposingContainer test = await GetTestContainerAsync();
BlobSasBuilder blobSasBuilder = new BlobSasBuilder
{
StartsOn = Recording.UtcNow.AddHours(-1),
ExpiresOn = Recording.UtcNow.AddHours(1),
BlobContainerName = test.Container.Name
};
blobSasBuilder.SetPermissions(permissions);
StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(TestConfigDefault.AccountName, TestConfigDefault.AccountKey);
BlobUriBuilder blobUriBuilder = new BlobUriBuilder(test.Container.Uri)
{
Sas = blobSasBuilder.ToSasQueryParameters(sharedKeyCredential)
};
BlobContainerClient sasContainerClient = new BlobContainerClient(blobUriBuilder.ToUri(), GetOptions());
// Act
await foreach (BlobItem blobItem in sasContainerClient.GetBlobsAsync())
{
// Just make sure the call succeeds.
}
}
private static BlobContainerSasPermissions ConvertPermissions(ContainerPermission permission)
{
BlobContainerSasPermissions blobPermissions = 0;
if (permission.HasFlag(ContainerPermission.Read))
{
blobPermissions |= BlobContainerSasPermissions.Read;
}
if (permission.HasFlag(ContainerPermission.Write))
{
blobPermissions |= BlobContainerSasPermissions.Write;
}
if (permission.HasFlag(ContainerPermission.Delete))
{
blobPermissions |= BlobContainerSasPermissions.Delete;
}
if (permission.HasFlag(ContainerPermission.List))
{
blobPermissions |= BlobContainerSasPermissions.List;
}
return(blobPermissions);
}
/// <summary>
/// Create a permissions string to provide
/// <see cref="BlobSasBuilder.Permissions"/>.
/// </summary>
/// <returns>A permissions string.</returns>
internal static string ToPermissionsString(this BlobContainerSasPermissions permissions)
{
var sb = new StringBuilder();
if ((permissions & BlobContainerSasPermissions.Read) == BlobContainerSasPermissions.Read)
{
sb.Append(Constants.Sas.Permissions.Read);
}
if ((permissions & BlobContainerSasPermissions.Add) == BlobContainerSasPermissions.Add)
{
sb.Append(Constants.Sas.Permissions.Add);
}
if ((permissions & BlobContainerSasPermissions.Create) == BlobContainerSasPermissions.Create)
{
sb.Append(Constants.Sas.Permissions.Create);
}
if ((permissions & BlobContainerSasPermissions.Write) == BlobContainerSasPermissions.Write)
{
sb.Append(Constants.Sas.Permissions.Write);
}
if ((permissions & BlobContainerSasPermissions.Delete) == BlobContainerSasPermissions.Delete)
{
sb.Append(Constants.Sas.Permissions.Delete);
}
if ((permissions & BlobContainerSasPermissions.List) == BlobContainerSasPermissions.List)
{
sb.Append(Constants.Sas.Permissions.List);
}
return(sb.ToString());
}
public async Task SetImmutibilityPolicyAsync_SetLegalHold_ContainerSas(BlobContainerSasPermissions sasPermissions)
{
// Arrange
await using DisposingImmutableStorageWithVersioningContainer vlwContainer = await GetTestVersionLevelWormContainer(TestConfigOAuth);
BlobBaseClient blob = await GetNewBlobClient(vlwContainer.Container, GetNewBlobName());
BlobContainerClient sharedKeyContainer = InstrumentClient(
GetServiceClient_OAuthAccount_SharedKey().GetBlobContainerClient(vlwContainer.Container.Name));
Uri containerSasUri = sharedKeyContainer.GenerateSasUri(sasPermissions, Recording.UtcNow.AddDays(1));
BlobBaseClient sasBlobClient = InstrumentClient(new BlobContainerClient(containerSasUri, GetOptions()).GetBlobBaseClient(blob.Name));
BlobImmutabilityPolicy immutabilityPolicy = new BlobImmutabilityPolicy
{
ExpiresOn = Recording.UtcNow.AddMinutes(5),
PolicyMode = BlobImmutabilityPolicyMode.Unlocked
};
// The service rounds Immutability Policy Expiry to the nearest second.
DateTimeOffset expectedImmutabilityPolicyExpiry = RoundToNearestSecond(immutabilityPolicy.ExpiresOn.Value);
// Act
Response <BlobImmutabilityPolicy> response = await sasBlobClient.SetImmutabilityPolicyAsync(
immutabilityPolicy : immutabilityPolicy);
// Assert
Assert.AreEqual(expectedImmutabilityPolicyExpiry, response.Value.ExpiresOn);
Assert.AreEqual(immutabilityPolicy.PolicyMode, response.Value.PolicyMode);
// Act
Response <BlobLegalHoldResult> legalHoldResponse = await sasBlobClient.SetLegalHoldAsync(hasLegalHold : false);
// Assert
Assert.IsFalse(legalHoldResponse.Value.HasLegalHold);
}
public string GenerateContainerSasUri(string containerName, BlobContainerSasPermissions permissions, DateTimeOffset expiresOn, string storedPolicyName = "")
{
var message = "";
var containerClient = GetBlobContainerClient(containerName);
if (!containerClient.CanGenerateSasUri)
{
message = "Could not generate the SAS uri.";
throw new ApiHttpStatusException <ErrorModel <int> >(HttpStatusCode.BadRequest, message, new ErrorModel <int>
{
Code = (int)HttpStatusCode.NotAcceptable,
Message = message,
});
}
var builder = new BlobSasBuilder(permissions, expiresOn)
{
BlobContainerName = containerClient.Name,
Resource = "c",
};
if (!string.IsNullOrWhiteSpace(storedPolicyName))
{
builder = new BlobSasBuilder();
builder.Identifier = storedPolicyName;
}
var sasUri = containerClient.GenerateSasUri(builder);
return(sasUri.ToString());
}
public BlobSasQueryParameters GetContainerSas(
string containerName,
BlobContainerSasPermissions permissions,
StorageSharedKeyCredential sharedKeyCredential = default,
string sasVersion = default)
{
BlobSasBuilder sasBuilder = GetBlobSasBuilder(containerName, sasVersion: sasVersion);
sasBuilder.SetPermissions(permissions);
return sasBuilder.ToSasQueryParameters(sharedKeyCredential ?? GetNewSharedKeyCredentials());
}
public string CreateSASToken(int tokenExpirationInDays, BlobContainerSasPermissions containerPermissions)
{
BlobSasBuilder builder = new BlobSasBuilder
{
BlobContainerName = Container.Name,
ExpiresOn = DateTimeOffset.UtcNow.AddDays(tokenExpirationInDays)
};
builder.SetPermissions(containerPermissions);
return(builder.ToSasQueryParameters(_credential).ToString());
}
public BlobSasQueryParameters GetContainerIdentitySas(
string containerName,
BlobContainerSasPermissions permissions,
UserDelegationKey userDelegationKey,
string accountName,
string sasVersion = default)
{
BlobSasBuilder sasBuilder = GetBlobSasBuilder(containerName, sasVersion: sasVersion);
sasBuilder.SetPermissions(permissions);
return sasBuilder.ToSasQueryParameters(userDelegationKey, accountName);
}
/// <summary>
/// Set blob permission to SAS builder
/// </summary>
public static BlobSasBuilder SetBlobPermission(BlobSasBuilder sasBuilder, string rawPermission)
{
BlobContainerSasPermissions permission = 0;
foreach (char c in rawPermission)
{
switch (c)
{
case 'r':
permission = permission | BlobContainerSasPermissions.Read;
break;
case 'a':
permission = permission | BlobContainerSasPermissions.Add;
break;
case 'c':
permission = permission | BlobContainerSasPermissions.Create;
break;
case 'w':
permission = permission | BlobContainerSasPermissions.Write;
break;
case 'd':
permission = permission | BlobContainerSasPermissions.Delete;
break;
case 'l':
permission = permission | BlobContainerSasPermissions.List;
break;
case 't':
permission = permission | BlobContainerSasPermissions.Tag;
break;
case 'x':
permission = permission | BlobContainerSasPermissions.DeleteBlobVersion;
break;
case 'i':
permission = permission | BlobContainerSasPermissions.SetImmutabilityPolicy;
break;
default:
// Can't convert to permission supported by XSCL, so use raw permission string
sasBuilder.SetPermissions(rawPermission);
return(sasBuilder);
}
}
sasBuilder.SetPermissions(permission);
return(sasBuilder);
}
public async Task <UriBuilder> CreateUriBuilder(
string containerName,
string resourceType = "c",
BlobContainerSasPermissions permission = BlobContainerSasPermissions.Read,
int expiresOnMinutes = 10,
CancellationToken cancellationToken = default
)
{
var accountName = AzureStorageUtils.GetAccountName(_connectionParameters);
if (!String.IsNullOrWhiteSpace(accountName))
{
var uriBuilder = new UriBuilder()
{
Scheme = "https",
Host = string.Format("{0}.blob.core.windows.net", accountName)
};
if (_connectionParameters.IsDevelopmentStorage)
{
return(uriBuilder);
}
else
{
var sasBuilder = CreateBlobSasBuilder(containerName, resourceType, permission, expiresOnMinutes);
StorageSharedKeyCredential credential;
if (!String.IsNullOrWhiteSpace(_connectionParameters.ConnectionString))
{
credential = AzureStorageUtils.CreateCredentialFromConnectionString(_connectionParameters.ConnectionString);
}
else
{
string accessKey = await GetStorageAccountKey(cancellationToken);
credential = new StorageSharedKeyCredential(_connectionParameters.StorageAccountName, accessKey);
}
var sasToken = sasBuilder.ToSasQueryParameters(credential);
uriBuilder.Query = sasToken.ToString();
return(uriBuilder);
}
}
else
{
return(null);
}
}
public static Uri?GetContainerSasUrlService(
BlobContainerClient client,
BlobContainerSasPermissions permissions,
bool tag = false,
TimeSpan?timeSpan = null)
{
var(start, expiry) = SasTimeWindow(timeSpan ?? TimeSpan.FromDays(30.0));
var sasBuilder = new BlobSasBuilder(permissions, expiry)
{
StartsOn = start
};
return(client.GenerateSasUri(sasBuilder));
}
private Uri GetStorageAccountSasUriForCleanupJob(BlobContainerClient blobContainerClient)
{
// We want to provide "Read", "Write" and "Delete" permissions to the storage container, so that it can
// create a blob, read it and subsequently delete it.
BlobContainerSasPermissions sasPermissions = BlobContainerSasPermissions.Write
| BlobContainerSasPermissions.Read
| BlobContainerSasPermissions.Delete;
BlobSasBuilder sasBuilder = new BlobSasBuilder(sasPermissions, DateTimeOffset.UtcNow.AddHours(1))
{
BlobContainerName = blobContainerClient.Name,
};
return(blobContainerClient.GenerateSasUri(sasBuilder));
}
/// <summary>
/// Create a permissions string to provide
/// <see cref="BlobSasBuilder.Permissions"/>.
/// </summary>
/// <returns>A permissions string.</returns>
internal static string ToPermissionsString(this BlobContainerSasPermissions permissions)
{
var sb = new StringBuilder();
if ((permissions & BlobContainerSasPermissions.Read) == BlobContainerSasPermissions.Read)
{
sb.Append(Constants.Sas.Permissions.Read);
}
if ((permissions & BlobContainerSasPermissions.Add) == BlobContainerSasPermissions.Add)
{
sb.Append(Constants.Sas.Permissions.Add);
}
if ((permissions & BlobContainerSasPermissions.Create) == BlobContainerSasPermissions.Create)
{
sb.Append(Constants.Sas.Permissions.Create);
}
if ((permissions & BlobContainerSasPermissions.Write) == BlobContainerSasPermissions.Write)
{
sb.Append(Constants.Sas.Permissions.Write);
}
if ((permissions & BlobContainerSasPermissions.Delete) == BlobContainerSasPermissions.Delete)
{
sb.Append(Constants.Sas.Permissions.Delete);
}
if ((permissions & BlobContainerSasPermissions.DeleteBlobVersion) == BlobContainerSasPermissions.DeleteBlobVersion)
{
sb.Append(Constants.Sas.Permissions.DeleteBlobVersion);
}
if ((permissions & BlobContainerSasPermissions.List) == BlobContainerSasPermissions.List)
{
sb.Append(Constants.Sas.Permissions.List);
}
if ((permissions & BlobContainerSasPermissions.Tag) == BlobContainerSasPermissions.Tag)
{
sb.Append(Constants.Sas.Permissions.Tag);
}
if ((permissions & BlobContainerSasPermissions.Filter) == BlobContainerSasPermissions.Filter)
{
sb.Append(Constants.Sas.Permissions.FilterByTags);
}
if ((permissions & BlobContainerSasPermissions.SetImmutabilityPolicy) == BlobContainerSasPermissions.SetImmutabilityPolicy)
{
sb.Append(Constants.Sas.Permissions.SetImmutabilityPolicy);
}
return(sb.ToString());
}
public async Async.Task <Uri> GetContainerSasUrl(Container container, StorageType storageType, BlobContainerSasPermissions permissions, TimeSpan?duration = null)
{
var client = await FindContainer(container, storageType) ?? throw new Exception($"unable to find container: {container.ContainerName} - {storageType}");
var(accountName, accountKey) = await _storage.GetStorageAccountNameAndKey(client.AccountName);
var(startTime, endTime) = SasTimeWindow(duration ?? TimeSpan.FromDays(30));
var sasBuilder = new BlobSasBuilder(permissions, endTime)
{
StartsOn = startTime,
BlobContainerName = container.ContainerName,
};
var sasUrl = client.GenerateSasUri(sasBuilder);
return(sasUrl);
}
public static Uri GetContainerSas(string containerName, StorageSharedKeyCredential key, BlobContainerSasPermissions permissions = BlobContainerSasPermissions.Read, uint durationMinutes = 10)
{
var sasBuilder = new BlobSasBuilder()
{
BlobContainerName = containerName,
Resource = "c",
StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(durationMinutes)
};
sasBuilder.SetPermissions(permissions);
var sasToken = sasBuilder.ToSasQueryParameters(key).ToString();
var fullUri = new UriBuilder()
{
Scheme = "https",
Host = $"{key.AccountName}.blob.core.windows.net",
Path = $"{containerName}",
Query = sasToken
};
return(fullUri.Uri);
}
private string GetSasTokenForPermissions(BlobContainerSasPermissions permissions, DateTime expiration)
{
string sas = _container.GenerateSasUri(permissions, expiration).ToString();
return(sas.Substring(sas.IndexOf('?')));
}
public async Async.Task <Uri> GetContainerSasUrl(Container container, StorageType storageType, BlobContainerSasPermissions permissions, TimeSpan?duration = null)
{
var client = await FindContainer(container, storageType) ?? throw new Exception($"unable to find container: {container.ContainerName} - {storageType}");
var(startTime, endTime) = SasTimeWindow(duration ?? CONTAINER_SAS_DEFAULT_DURATION);
var sasBuilder = new BlobSasBuilder(permissions, endTime)
{
StartsOn = startTime,
BlobContainerName = _config.OneFuzzStoragePrefix + container.ContainerName,
};
var sasUrl = client.GenerateSasUri(sasBuilder);
return(sasUrl);
}
BlobSasBuilder CreateBlobSasBuilder(string containerName, string resourceType = "c", BlobContainerSasPermissions permission = BlobContainerSasPermissions.Read, int expiresOnMinutes = 10)
{
var sasBuilder = new BlobSasBuilder()
{
BlobContainerName = containerName,
Resource = resourceType,
StartsOn = DateTimeOffset.UtcNow.AddMinutes(-1),
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(expiresOnMinutes)
};
sasBuilder.SetPermissions(permission);
return(sasBuilder);
}
