public IActionResult Create(FileUploadRequest request)
{
if (request == null)
{
return(this.BadRequest());
}
AccountSasBuilder sas = new AccountSasBuilder
{
// Allow access to blobs
Services = AccountSasServices.Blobs,
// Allow access to the service level APIs
ResourceTypes = AccountSasResourceTypes.Object,
// Access expires in 1 hour!
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
StartsOn = DateTimeOffset.UtcNow.AddSeconds(-30)
};
sas.SetPermissions(AccountSasPermissions.Write | AccountSasPermissions.Create | AccountSasPermissions.Delete);
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(_accountName, _key);
var container = new BlobContainerClient(_connectionString, "photos");
var blob = container.GetBlobClient(request.FileName);
var result = new UriBuilder(blob.Uri);
result.Query = sas.ToSasQueryParameters(credential).ToString();
return(this.Ok(result.Uri.ToString()));
}
public void GenerateAccountSas_RequiredParameters()
{
// Arrange
TestConstants constants = new TestConstants(this);
Uri serviceUri = new Uri($"https://{constants.Sas.Account}.queue.core.windows.net");
DateTimeOffset expiresOn = Recording.UtcNow.AddHours(+1);
AccountSasPermissions permissions = AccountSasPermissions.Read | AccountSasPermissions.Write;
AccountSasResourceTypes resourceTypes = AccountSasResourceTypes.All;
QueueServiceClient serviceClient = InstrumentClient(
new QueueServiceClient(
serviceUri,
constants.Sas.SharedKeyCredential,
GetOptions()));
// Act
Uri sasUri = serviceClient.GenerateAccountSasUri(
permissions: permissions,
expiresOn: expiresOn,
resourceTypes: resourceTypes);
// Assert
AccountSasBuilder sasBuilder = new AccountSasBuilder(permissions, expiresOn, AccountSasServices.Queues, resourceTypes);
UriBuilder expectedUri = new UriBuilder(serviceUri)
{
Query = sasBuilder.ToSasQueryParameters(constants.Sas.SharedKeyCredential).ToString()
};
Assert.AreEqual(expectedUri.Uri, sasUri);
}
private string GenerateSasToken()
{
if (Mode == RecordedTestMode.Playback)
{
return(RecordedTestSanitizer.SanitizeValue);
}
// Create a service level SAS that only allows reading from service
// level APIs
AccountSasBuilder sas = new AccountSasBuilder
{
// Allow access to blobs.
Services = AccountSasServices.Blobs,
// Allow access to the service level APIs.
ResourceTypes = AccountSasResourceTypes.All,
// Access expires in 1 hour.
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
};
// Allow All access
sas.SetPermissions(AccountSasPermissions.All);
// Create a SharedKeyCredential that we can use to sign the SAS token
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(TestEnvironment.AccountName, TestEnvironment.PrimaryStorageAccountKey);
// return a SAS token
return(sas.ToSasQueryParameters(credential).ToString());
}
public async Task AccountPermissionsRawPermissions(string permissionsString)
{
// Arrange
await using DisposingQueue test = await GetTestQueueAsync();
AccountSasBuilder accountSasBuilder = new AccountSasBuilder
{
StartsOn = Recording.UtcNow.AddHours(-1),
ExpiresOn = Recording.UtcNow.AddHours(1),
Services = AccountSasServices.Queues,
ResourceTypes = AccountSasResourceTypes.All
};
accountSasBuilder.SetPermissions(permissionsString);
Assert.AreEqual("rwdxylacuptfi", accountSasBuilder.Permissions);
StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(TestConfigDefault.AccountName, TestConfigDefault.AccountKey);
Uri uri = new Uri($"{test.Queue.Uri}?{accountSasBuilder.ToSasQueryParameters(sharedKeyCredential)}");
QueueClient queueClient = new QueueClient(uri, GetOptions());
// Act
await queueClient.GetPropertiesAsync();
}
/// <summary>
/// Lazy Load a SasQueryParameters and cache it internally
/// </summary>
/// <param name="key"></param>
/// <returns></returns>
private SasQueryParameters GetSasQueryParameters(string key)
{
if (!_sasQueryParameters.ContainsKey(key))
{
var csBuilder = new DbConnectionStringBuilder();
csBuilder.ConnectionString = _connectionStrings[key];
string accountName = csBuilder["AccountName"].ToString();
string accountKey = csBuilder["AccountKey"].ToString();
var keyCredential = new StorageSharedKeyCredential(accountName, accountKey);
var sasBuilder = new AccountSasBuilder()
{
StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),
ExpiresOn = DateTimeOffset.UtcNow.AddMonths(1),
Services = AccountSasServices.Blobs,
ResourceTypes = AccountSasResourceTypes.Object | AccountSasResourceTypes.Container
};
if (key.StartsWith(SourceStorageConnectionKey))
{
sasBuilder.SetPermissions(AccountSasPermissions.Read);
}
else if (key.StartsWith(DestinationStorageConnectionKey))
{
sasBuilder.SetPermissions(AccountSasPermissions.Add | AccountSasPermissions.Create | AccountSasPermissions.Write | AccountSasPermissions.Update);
}
_sasQueryParameters.Add(key, sasBuilder.ToSasQueryParameters(keyCredential));
}
return(_sasQueryParameters[key]);
}
public void GenerateAccountSas_WrongService_Service()
{
var constants = new TestConstants(this);
var blobEndpoint = new Uri("http://127.0.0.1/" + constants.Sas.Account);
var blobSecondaryEndpoint = new Uri("http://127.0.0.1/" + constants.Sas.Account + "-secondary");
var storageConnectionString = new StorageConnectionString(constants.Sas.SharedKeyCredential, blobStorageUri: (blobEndpoint, blobSecondaryEndpoint));
string connectionString = storageConnectionString.ToString(true);
AccountSasPermissions permissions = AccountSasPermissions.Read | AccountSasPermissions.Write;
DateTimeOffset expiresOn = Recording.UtcNow.AddHours(+1);
AccountSasServices services = AccountSasServices.Files;// Wrong Service
AccountSasResourceTypes resourceTypes = AccountSasResourceTypes.All;
BlobServiceClient serviceClient = InstrumentClient(new BlobServiceClient(connectionString, GetOptions()));
AccountSasBuilder sasBuilder = new AccountSasBuilder(permissions, expiresOn, services, resourceTypes)
{
IPRange = new SasIPRange(System.Net.IPAddress.None, System.Net.IPAddress.None),
StartsOn = Recording.UtcNow.AddHours(-1)
};
// Act
try
{
Uri sasUri = serviceClient.GenerateAccountSasUri(sasBuilder);
Assert.Fail("BlobContainerClient.GenerateSasUri should have failed with an ArgumentException.");
}
catch (InvalidOperationException)
{
// the correct exception came back
}
}
public async Task AccountSas_AllPermissions()
{
// Arrange
await using DisposingContainer test = await GetTestContainerAsync();
string blobName = GetNewBlobName();
AppendBlobClient blob = InstrumentClient(test.Container.GetAppendBlobClient(blobName));
await blob.CreateAsync();
AccountSasBuilder accountSasBuilder = new AccountSasBuilder(
permissions: AccountSasPermissions.All,
expiresOn: Recording.UtcNow.AddDays(1),
services: AccountSasServices.Blobs,
resourceTypes: AccountSasResourceTypes.Object);
Uri accountSasUri = test.Container.GetParentBlobServiceClient().GenerateAccountSasUri(accountSasBuilder);
BlobUriBuilder blobUriBuilder = new BlobUriBuilder(accountSasUri)
{
BlobContainerName = test.Container.Name,
BlobName = blobName
};
// Assert
AppendBlobClient sasBlobClient = InstrumentClient(new AppendBlobClient(blobUriBuilder.ToUri(), GetOptions()));
await sasBlobClient.GetPropertiesAsync();
}
public static IActionResult Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req,
ILogger log)
{
log.LogInformation("SAS Token Requests");
var accountName = Environment.GetEnvironmentVariable("AZURE_ACCOUNT_NAME");
var key = Environment.GetEnvironmentVariable("AZURE_ACCOUNT_KEY");
var sharedKeyCredentials = new StorageSharedKeyCredential(accountName, key);
var sasBuilder = new AccountSasBuilder()
{
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(5),
Services = AccountSasServices.Blobs,
ResourceTypes = AccountSasResourceTypes.All,
Protocol = SasProtocol.Https
};
sasBuilder.SetPermissions(AccountSasPermissions.All);
var sasToken = sasBuilder.ToSasQueryParameters(sharedKeyCredentials).ToString();
var storageUri = $"https://{accountName}.blob.core.windows.net/";
return(new OkObjectResult(new SasTokenDetails()
{
storageAccessToken = sasToken,
storageUri = storageUri
}));
}
public async Task AccountPermissionsRawPermissions(string permissionsString)
{
// Arrange
await using DisposingFileSystem test = await GetNewFileSystem();
AccountSasBuilder accountSasBuilder = new AccountSasBuilder
{
StartsOn = Recording.UtcNow.AddHours(-1),
ExpiresOn = Recording.UtcNow.AddHours(1),
Services = AccountSasServices.Blobs,
ResourceTypes = AccountSasResourceTypes.All
};
await test.FileSystem.GetPropertiesAsync();
accountSasBuilder.SetPermissions(permissionsString);
StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(TestConfigHierarchicalNamespace.AccountName, TestConfigHierarchicalNamespace.AccountKey);
Uri uri = new Uri($"{test.FileSystem.Uri}?{accountSasBuilder.ToSasQueryParameters(sharedKeyCredential)}");
DataLakeFileSystemClient sasFileSystemClient = InstrumentClient(new DataLakeFileSystemClient(uri, GetOptions()));
// Act
await sasFileSystemClient.GetPropertiesAsync();
}
/// <summary>
/// The GetSasUri.
/// </summary>
/// <param name="containerName">The containerName<see cref="string"/>.</param>
/// <returns>The <see cref="Task{BlobStorageRequest}"/>.</returns>
public async Task <BlobStorageRequest> GetSasUri(string containerName)
{
// connect to our storage account and create a blob client
var connectionString = SettingConfigurations.AzureWebJobsStorage;
var storageAccount = CloudStorageAccount.Parse(connectionString);
var blobClient = storageAccount.CreateCloudBlobClient();
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(storageAccount.Credentials.AccountName, SettingConfigurations.AccountKey);
// get a reference to the container
var blobContainer = blobClient.GetContainerReference(containerName);
await blobContainer.CreateIfNotExistsAsync();
var sasBuilder = new AccountSasBuilder()
{
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddDays(7),
Services = AccountSasServices.Blobs,
ResourceTypes = AccountSasResourceTypes.All,
Protocol = SasProtocol.Https
};
sasBuilder.SetPermissions(AccountSasPermissions.All);
var sasToken = sasBuilder.ToSasQueryParameters(credential).ToString();
return(new BlobStorageRequest {
StorageAccessToken = sasToken, StorageUri = blobContainer.ServiceClient.StorageUri.PrimaryUri.AbsoluteUri
});
}
public void GenerateAccountSas_Builder()
{
// Arrange
TestConstants constants = new TestConstants(this);
Uri serviceUri = new Uri($"https://{constants.Sas.Account}.dfs.core.windows.net");
AccountSasPermissions permissions = AccountSasPermissions.Read | AccountSasPermissions.Write;
DateTimeOffset expiresOn = Recording.UtcNow.AddHours(+1);
DateTimeOffset startsOn = Recording.UtcNow.AddHours(-1);
AccountSasServices services = AccountSasServices.Blobs;
AccountSasResourceTypes resourceTypes = AccountSasResourceTypes.All;
DataLakeServiceClient serviceClient = InstrumentClient(new DataLakeServiceClient(
serviceUri,
constants.Sas.SharedKeyCredential,
GetOptions()));
AccountSasBuilder sasBuilder = new AccountSasBuilder(permissions, expiresOn, services, resourceTypes)
{
StartsOn = startsOn
};
// Act
Uri sasUri = serviceClient.GenerateAccountSasUri(sasBuilder);
// Assert
AccountSasBuilder sasBuilder2 = new AccountSasBuilder(permissions, expiresOn, services, resourceTypes)
{
StartsOn = startsOn
};
UriBuilder expectedUri = new UriBuilder(serviceUri);
expectedUri.Query += sasBuilder.ToSasQueryParameters(constants.Sas.SharedKeyCredential).ToString();
Assert.AreEqual(expectedUri.Uri, sasUri);
}
protected override async Task <string> GenerateSecret(ISecret secret, ILogger log)
{
log.LogInformation($"Resource Name: {secret.ResourceName}");
log.LogInformation($"Resource Group Name: {secret.ResourceGroupName}");
log.LogInformation($"Subscription Id: {secret.SubscriptionId}");
log.LogInformation($"Expires In (days): {secret.ExpiresInDays}");
var creds = new DefaultAzureCredential(includeInteractiveCredentials: true);
StorageManagementClient managementClient = new StorageManagementClient(secret.SubscriptionId, creds);
var accountKey = (await managementClient.StorageAccounts.ListKeysAsync(secret.ResourceGroupName, secret.ResourceName)).Value.Keys[0];
AccountSasBuilder sasBuilder = new AccountSasBuilder()
{
Services = AccountSasServices.Blobs,
ResourceTypes = AccountSasResourceTypes.Service,
ExpiresOn = DateTimeOffset.UtcNow.AddDays(int.Parse(secret.ExpiresInDays)),
Protocol = SasProtocol.Https,
};
sasBuilder.SetPermissions(AccountSasPermissions.Read |
AccountSasPermissions.Write | AccountSasPermissions.List);
// Use the key to get the SAS token.
string sasToken = sasBuilder.ToSasQueryParameters(new StorageSharedKeyCredential(secret.ResourceName, accountKey.Value)).ToString();
return(sasToken);
}
private static string GetContainerSasUri(string blobname)
{
string StorageAccountName = System.Environment.GetEnvironmentVariable("StorageAccountName");
string StorageAccountKey = System.Environment.GetEnvironmentVariable("StorageAccountKey");
AccountSasBuilder sas = new AccountSasBuilder
{
// Allow access to blobs
Services = AccountSasServices.Blobs,
// Allow access to the service level APIs
ResourceTypes = AccountSasResourceTypes.All,
StartsOn = DateTimeOffset.UtcNow,
// Access expires in 1 hour!
ExpiresOn = DateTimeOffset.UtcNow.AddDays(99999)
};
sas.Protocol = SasProtocol.Https;
sas.SetPermissions(AccountSasPermissions.Read);
// Create a SharedKeyCredential that we can use to sign the SAS token
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(StorageAccountName, StorageAccountKey);
UriBuilder sasUri = new UriBuilder(System.Environment.GetEnvironmentVariable("BlobURI") + blobname);
sasUri.Query = sas.ToSasQueryParameters(credential).ToString();
return(sasUri.Uri.AbsoluteUri);
}
private static BlobServiceClient SharedAccessSignatureAuthAsync()
{
// Create a service level SAS that only allows reading from service
// level APIs
AccountSasBuilder sas = new AccountSasBuilder
{
// Allow access to blobs
Services = AccountSasServices.Blobs,
// Allow access to all service level APIs
ResourceTypes = AccountSasResourceTypes.All,
// Specify token expiration in hours
ExpiresOn = DateTimeOffset.UtcNow.AddHours(SasKeyExpiryTime)
};
// Allow all access => Create, Delete, List, Process, Read, Write & Update
sas.SetPermissions(AccountSasPermissions.All);
// Create a SharedKeyCredential that we can use to sign the SAS token
StorageSharedKeyCredential credential =
new StorageSharedKeyCredential(AccountName, AccountKey);
// Build a SAS URI
string storageAccountUri = String.Format("https://{0}.blob.core.windows.net", AccountName);
UriBuilder sasUri = new UriBuilder(storageAccountUri);
sasUri.Query = sas.ToSasQueryParameters(credential).ToString();
// Create and return a service client that can authenticate with the SAS URI
return(new BlobServiceClient(sasUri.Uri));
}
public void GenerateAccountSas_RequiredParameters()
{
// Arrange
var constants = new TestConstants(this);
var queueEndpoint = new Uri("http://127.0.0.1/" + constants.Sas.Account);
var queueSecondaryEndpoint = new Uri("http://127.0.0.1/" + constants.Sas.Account + "-secondary");
var storageConnectionString = new StorageConnectionString(constants.Sas.SharedKeyCredential, queueStorageUri: (queueEndpoint, queueSecondaryEndpoint));
string connectionString = storageConnectionString.ToString(true);
DateTimeOffset expiresOn = Recording.UtcNow.AddHours(+1);
AccountSasPermissions permissions = AccountSasPermissions.Read | AccountSasPermissions.Write;
AccountSasResourceTypes resourceTypes = AccountSasResourceTypes.All;
QueueServiceClient serviceClient = InstrumentClient(new QueueServiceClient(connectionString, GetOptions()));
// Act
Uri sasUri = serviceClient.GenerateAccountSasUri(
permissions: permissions,
expiresOn: expiresOn,
resourceTypes: resourceTypes);
// Assert
AccountSasBuilder sasBuilder = new AccountSasBuilder(permissions, expiresOn, AccountSasServices.Queues, resourceTypes);
UriBuilder expectedUri = new UriBuilder(queueEndpoint)
{
Query = sasBuilder.ToSasQueryParameters(constants.Sas.SharedKeyCredential).ToString()
};
Assert.AreEqual(expectedUri.Uri.ToString(), sasUri.ToString());
}
public void GenerateAccountSas_Builder()
{
TestConstants constants = TestConstants.Create(this);
Uri serviceUri = new Uri($"https://{constants.Sas.Account}.queue.core.windows.net");
AccountSasPermissions permissions = AccountSasPermissions.Read | AccountSasPermissions.Write;
DateTimeOffset expiresOn = Recording.UtcNow.AddHours(+1);
AccountSasServices services = AccountSasServices.Queues;
AccountSasResourceTypes resourceTypes = AccountSasResourceTypes.All;
QueueServiceClient serviceClient = InstrumentClient(
new QueueServiceClient(
serviceUri,
constants.Sas.SharedKeyCredential,
GetOptions()));
AccountSasBuilder sasBuilder = new AccountSasBuilder(permissions, expiresOn, services, resourceTypes);
// Add more properties on the builder
sasBuilder.SetPermissions(permissions);
// Act
Uri sasUri = serviceClient.GenerateAccountSasUri(sasBuilder);
// Assert
AccountSasBuilder sasBuilder2 = new AccountSasBuilder(permissions, expiresOn, services, resourceTypes);
UriBuilder expectedUri = new UriBuilder(serviceUri);
expectedUri.Query += sasBuilder.ToSasQueryParameters(constants.Sas.SharedKeyCredential).ToString();
Assert.AreEqual(expectedUri.Uri, sasUri);
}
public override void ExecuteCmdlet()
{
if (!UseTrack2Sdk()) // Track1
{
var sharedAccessPolicy = new SharedAccessAccountPolicy()
{
Permissions = SetupAccessPolicyPermission(this.Permission),
Services = Service,
ResourceTypes = ResourceType,
Protocols = Protocol,
IPAddressOrRange = Util.SetupIPAddressOrRangeForSAS(this.IPAddressOrRange)
};
DateTimeOffset?accessStartTime;
DateTimeOffset?accessEndTime;
SasTokenHelper.SetupAccessPolicyLifeTime(StartTime, ExpiryTime,
out accessStartTime, out accessEndTime, true);
sharedAccessPolicy.SharedAccessStartTime = accessStartTime;
sharedAccessPolicy.SharedAccessExpiryTime = accessEndTime;
this.WriteObject(Channel.GetStorageAccountSASToken(sharedAccessPolicy));
}
else
{
AccountSasBuilder sasBuilder = SasTokenHelper.SetAccountSasBuilder(this.Service, this.ResourceType, Permission, this.StartTime, this.ExpiryTime, this.IPAddressOrRange, this.Protocol);
string sasToken = sasBuilder.ToSasQueryParameters(new StorageSharedKeyCredential(Channel.StorageContext.StorageAccountName, Channel.StorageContext.StorageAccount.Credentials.ExportBase64EncodedKey())).ToString();
if (sasToken[0] != '?')
{
sasToken = "?" + sasToken;
}
this.WriteObject(sasToken);
}
}
public void GenerateAccountSas_Builder()
{
// Arrange
var constants = new TestConstants(this);
var blobEndpoint = new Uri("http://127.0.0.1/" + constants.Sas.Account);
var blobSecondaryEndpoint = new Uri("http://127.0.0.1/" + constants.Sas.Account + "-secondary");
var storageConnectionString = new StorageConnectionString(constants.Sas.SharedKeyCredential, blobStorageUri: (blobEndpoint, blobSecondaryEndpoint));
string connectionString = storageConnectionString.ToString(true);
AccountSasPermissions permissions = AccountSasPermissions.Read | AccountSasPermissions.Write;
DateTimeOffset expiresOn = Recording.UtcNow.AddHours(+1);
DateTimeOffset startsOn = Recording.UtcNow.AddHours(-1);
AccountSasServices services = AccountSasServices.Blobs;
AccountSasResourceTypes resourceTypes = AccountSasResourceTypes.All;
DataLakeServiceClient serviceClient = InstrumentClient(new DataLakeServiceClient(
blobEndpoint,
constants.Sas.SharedKeyCredential, GetOptions()));
AccountSasBuilder sasBuilder = new AccountSasBuilder(permissions, expiresOn, services, resourceTypes)
{
StartsOn = startsOn
};
// Act
Uri sasUri = serviceClient.GenerateAccountSasUri(sasBuilder);
// Assert
AccountSasBuilder sasBuilder2 = new AccountSasBuilder(permissions, expiresOn, services, resourceTypes)
{
StartsOn = startsOn
};
UriBuilder expectedUri = new UriBuilder(blobEndpoint);
expectedUri.Query += sasBuilder.ToSasQueryParameters(constants.Sas.SharedKeyCredential).ToString();
Assert.AreEqual(expectedUri.Uri.ToString(), sasUri.ToString());
}
/// <summary>
/// Create a blob SAS build from Blob Object
/// </summary>
public static AccountSasBuilder SetAccountSasBuilder(SharedAccessAccountServices Service,
SharedAccessAccountResourceTypes type,
string Permission = null,
DateTime?StartTime = null,
DateTime?ExpiryTime = null,
string iPAddressOrRange = null,
SharedAccessProtocol?Protocol = null,
string EncryptionScope = null)
{
AccountSasBuilder sasBuilder = new AccountSasBuilder();
sasBuilder.ResourceTypes = GetAccountSasResourceTypes(type);
sasBuilder.Services = GetAccountSasServices(Service);
sasBuilder = SetAccountPermission(sasBuilder, Permission);
if (StartTime != null)
{
sasBuilder.StartsOn = StartTime.Value.ToUniversalTime();
}
if (ExpiryTime != null)
{
sasBuilder.ExpiresOn = ExpiryTime.Value.ToUniversalTime();
}
else
{
if (sasBuilder.StartsOn != DateTimeOffset.MinValue && sasBuilder.StartsOn != null)
{
sasBuilder.ExpiresOn = sasBuilder.StartsOn.AddHours(1).ToUniversalTime();
}
else
{
sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
}
}
if (iPAddressOrRange != null)
{
sasBuilder.IPRange = Util.SetupIPAddressOrRangeForSASTrack2(iPAddressOrRange);
}
if (Protocol != null)
{
if (Protocol.Value == SharedAccessProtocol.HttpsOrHttp)
{
sasBuilder.Protocol = SasProtocol.HttpsAndHttp;
}
else //HttpsOnly
{
sasBuilder.Protocol = SasProtocol.Https;
}
}
if (EncryptionScope != null)
{
sasBuilder.EncryptionScope = EncryptionScope;
}
return(sasBuilder);
}
public List <ResourceFile> GetResourceFiles(
string containerName,
string folderName)
{
List <ResourceFile> fileList = new List <ResourceFile>();
// Create a service level SAS that only allows reading from service
// level APIs
AccountSasBuilder sas = new AccountSasBuilder
{
// Allow access to blobs
Services = AccountSasServices.Blobs,
// Allow access to all service level APIs
ResourceTypes = AccountSasResourceTypes.All,
// Specify token expiration in hours
ExpiresOn = DateTimeOffset.UtcNow.AddHours(SasKeyExpiryTime)
};
// Allow all access => Create, Delete, List, Process, Read, Write & Update
sas.SetPermissions(AccountSasPermissions.All);
// Create a SharedKeyCredential that we can use to sign the SAS token
StorageSharedKeyCredential credential =
new StorageSharedKeyCredential(AccountName, AccountKey);
string storageAccountUri = String.Format("https://{0}.blob.core.windows.net", AccountName);
BlobServiceClient blobSvcClient = new BlobServiceClient(new Uri(storageAccountUri), credential);
BlobContainerClient containerClient = blobSvcClient.GetBlobContainerClient(containerName);
ResourceFile file = null;
// folderName is a prefix, does not need to include trailing slash '/'
foreach (BlobItem blobItem in
containerClient.GetBlobs(Azure.Storage.Blobs.Models.BlobTraits.None,
Azure.Storage.Blobs.Models.BlobStates.None,
folderName))
{
BlobUriBuilder blobUri = new BlobUriBuilder(new Uri(storageAccountUri));
blobUri.BlobContainerName = containerName;
blobUri.BlobName = blobItem.Name;
blobUri.Query = sas.ToSasQueryParameters(credential).ToString();
file = ResourceFile.FromUrl(blobUri.ToUri().ToString(), blobItem.Name);
// file.FilePath = folderName;
fileList.Add(file);
}
;
return(fileList);
}
public async Task SharedAccessSignatureAuthAsync()
{
// Create a service level SAS that only allows reading from service
// level APIs
AccountSasBuilder sas = new AccountSasBuilder
{
// Allow access to queues
Services = new AccountSasServices()
{
Queues = true
}.ToString(),
// Allow access to the service level APIs
ResourceTypes = new AccountSasResourceTypes()
{
Service = true
}.ToString(),
// Allow read access
Permissions = new AccountSasPermissions()
{
Read = true
}.ToString(),
// Access expires in 1 hour!
ExpiryTime = DateTimeOffset.UtcNow.AddHours(1)
};
// Create a SharedKeyCredential that we can use to sign the SAS token
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(StorageAccountName, StorageAccountKey);
// Build a SAS URI
UriBuilder sasUri = new UriBuilder(StorageAccountQueueUri)
{
Query = sas.ToSasQueryParameters(credential).ToString()
};
// Create a client that can authenticate with the SAS URI
QueueServiceClient service = new QueueServiceClient(sasUri.Uri);
// Make a service request to verify we've succesfully authenticated
await service.GetPropertiesAsync();
// Try to create a new container (which is beyond our
// delegated permission)
StorageRequestFailedException ex =
Assert.ThrowsAsync <StorageRequestFailedException>(
async() => await service.CreateQueueAsync(Randomize("sample-queue")));
Assert.AreEqual(403, ex.Status);
}
/// <summary>
/// AccountSasBuilder Struct
/// https://docs.microsoft.com/cs-cz/dotnet/api/azure.storage.sas.accountsasbuilder?view=azure-dotnet-preview
///
/// </summary>
/// <returns></returns>
public static string AccountSasBuilder(string accountName, string accountKey)
{
// AccountSasBuilder is used to generate an account level Shared Access Signature(SAS) for Azure Storage services.
// mandatory fields
AccountSasBuilder accountSasBuilder;
try
{
accountSasBuilder = new AccountSasBuilder()
{
//IPRange =
Permissions = SAS_Utils.SAS.sp.v, // string - Add, Create, Delete, List, Process, Read, Update, Write (account)
//Protocol =
ResourceTypes = SAS_Utils.SAS.srt.v, // string - Container, Object, Service
Services = SAS_Utils.SAS.ss.v, // String - Blobs, Files, Queues
//StartTime = - DateTimeOffset.UtcNow // OK
ExpiryTime = SAS_Utils.SAS.seDateTime, // DateTimeOffset - DateTimeOffset.UtcNow.AddMinutes(60) // OK
Version = SAS_Utils.SAS.sv.v // String - sv
};
// Adding the optional fields commented out above
//-----------------------------------------------------------
if (!String.IsNullOrEmpty(SAS_Utils.SAS.st.v))
{
accountSasBuilder.StartTime = SAS_Utils.SAS.stDateTime;
}
if (!String.IsNullOrEmpty(SAS_Utils.SAS.spr.v))
{
accountSasBuilder.Protocol = Get_SasProtocol(SAS_Utils.SAS.spr.v); // SasProtocol - Https, HttpsAndHttp, None
}
if (!String.IsNullOrEmpty(SAS_Utils.SAS.sip.v))
{
accountSasBuilder.IPRange = new IPRange(new System.Net.IPAddress(SAS_Utils.fromIP), (SAS_Utils.toIP[0] == 0 ? null : new System.Net.IPAddress(SAS_Utils.toIP))); // IPRange - StartIP, optional EndIP
}
}
catch (Exception ex)
{
MessageBox.Show("Error on creating Account SAS\n\n" + ex.ToString(), "Invalid SAS parameters", MessageBoxButton.OK, MessageBoxImage.Exclamation);
return("");
}
//-----------------------------------------------------------
StorageSharedKeyCredential Credential = new StorageSharedKeyCredential(accountName, accountKey);
// Use the key to get the SAS token.
string sasToken = accountSasBuilder.ToSasQueryParameters(Credential).ToString();
return(sasToken);
}
public SasQueryParameters GetNewAccountSasCredentials(StorageSharedKeyCredential sharedKeyCredentials = default)
{
var builder = new AccountSasBuilder
{
Protocol = SasProtocol.None,
Services = AccountSasServices.Files,
ResourceTypes = AccountSasResourceTypes.Container,
StartsOn = Recording.UtcNow.AddHours(-1),
ExpiresOn = Recording.UtcNow.AddHours(+1),
IPRange = new SasIPRange(IPAddress.None, IPAddress.None)
};
builder.SetPermissions(AccountSasPermissions.Create | AccountSasPermissions.Delete);
return(builder.ToSasQueryParameters(sharedKeyCredentials));
}
/// <summary>
/// The <see cref="GenerateAccountSasUri(AccountSasBuilder)"/> returns a Uri that
/// generates a Service SAS based on the Client properties and builder passed.
///
/// For more information, see
/// <see href="https://docs.microsoft.com/en-us/rest/api/storageservices/create-account-sas">
/// Constructing a Service SAS</see>
/// </summary>
/// <param name="builder">
/// Used to generate a Shared Access Signature (SAS).
/// </param>
/// <returns>
/// A <see cref="Uri"/> containing the SAS Uri.
/// </returns>
/// <remarks>
/// A <see cref="Exception"/> will be thrown if
/// a failure occurs.
/// </remarks>
public Uri GenerateAccountSasUri(AccountSasBuilder builder)
{
builder = builder ?? throw Errors.ArgumentNull(nameof(builder));
if (!builder.Services.HasFlag(AccountSasServices.Queues))
{
throw Errors.SasServiceNotMatching(
nameof(builder.Services),
nameof(builder),
nameof(AccountSasServices.Queues));
}
QueueUriBuilder sasUri = new QueueUriBuilder(Uri);
sasUri.Query = builder.ToSasQueryParameters(ClientConfiguration.SharedKeyCredential).ToString();
return(sasUri.ToUri());
}
/// <summary>
/// Method that generates the SAS token for Azure Blob Storage authentication
/// </summary>
/// <param name="key">
/// Azure account key
/// </param>
/// <param name="accountName">
/// Azure account name
/// </param>
/// <returns>
/// SAS key
/// </returns>
public string GenerateSAS(string key, string accountName)
{
var sharedKeyCredentials = new StorageSharedKeyCredential(accountName, key);
var sasBuilder = new AccountSasBuilder()
{
StartsOn = DateTimeOffset.UtcNow - TimeSpan.FromSeconds(10),
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(5),
Services = AccountSasServices.All,
ResourceTypes = AccountSasResourceTypes.All,
Protocol = SasProtocol.Https
};
sasBuilder.SetPermissions(AccountSasPermissions.All);
return(sasBuilder.ToSasQueryParameters(sharedKeyCredentials).ToString());
}
/// <summary>
/// The <see cref="GenerateAccountSasUri(AccountSasBuilder)"/> returns a <see cref="Uri"/>
/// that generates a DataLake Account Shared Access Signature (SAS)
/// based on the Client properties and builder passed.
/// The SAS is signed by the shared key credential of the client.
///
/// To check if the client is able to sign a Service Sas see
/// <see cref="CanGenerateAccountSasUri"/>.
///
/// For more information, see
/// <see href="https://docs.microsoft.com/en-us/rest/api/storageservices/create-account-sas">
/// Constructing an Account SAS</see>.
/// </summary>
/// <param name="builder">
/// Used to generate a Shared Access Signature (SAS).
/// </param>
/// <returns>
/// A <see cref="Uri"/> containing the SAS Uri.
/// </returns>
/// <remarks>
/// A <see cref="Exception"/> will be thrown if a failure occurs.
/// </remarks>
public Uri GenerateAccountSasUri(
AccountSasBuilder builder)
{
builder = builder ?? throw Errors.ArgumentNull(nameof(builder));
if (!builder.Services.HasFlag(AccountSasServices.Blobs))
{
throw Errors.SasServiceNotMatching(
nameof(builder.Services),
nameof(builder),
nameof(AccountSasServices.Blobs));
}
DataLakeUriBuilder sasUri = new DataLakeUriBuilder(Uri);
sasUri.Query = builder.ToSasQueryParameters(_storageSharedKeyCredential).ToString();
return(sasUri.ToUri());
}
public object RequestUploadInfo()
{
var sasBuilder = new AccountSasBuilder
{
Services = AccountSasServices.Blobs,
StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(5),
Protocol = SasProtocol.Https,
ResourceTypes = AccountSasResourceTypes.Object | AccountSasResourceTypes.Container,
};
sasBuilder.SetPermissions(AccountSasPermissions.Read | AccountSasPermissions.Write | AccountSasPermissions.Update | AccountSasPermissions.Tag);
var client = new BlobServiceClient(azureOptions.CurrentValue.StorageAccount.ConnectionString);
return(new { Sas = client.GenerateAccountSasUri(sasBuilder).ToString(), ContainerName = azureOptions.CurrentValue.StorageAccount.ContainerName });
}
public async Task AccountPermissionsRawPermissions_InvalidPermission()
{
// Arrange
await using DisposingQueue test = await GetTestQueueAsync();
AccountSasBuilder accountSasBuilder = new AccountSasBuilder
{
StartsOn = Recording.UtcNow.AddHours(-1),
ExpiresOn = Recording.UtcNow.AddHours(1),
Services = AccountSasServices.Queues,
ResourceTypes = AccountSasResourceTypes.All
};
TestHelper.AssertExpectedException(
() => accountSasBuilder.SetPermissions("werteyfg"),
new ArgumentException("e is not a valid SAS permission"));
}
internal SharedAccessSignatureCredentials GetAccountSasCredentials(
AccountSasServices services = AccountSasServices.All,
AccountSasResourceTypes resourceTypes = AccountSasResourceTypes.All,
AccountSasPermissions permissions = AccountSasPermissions.All)
{
var sasBuilder = new AccountSasBuilder
{
ExpiresOn = Recording.UtcNow.AddHours(1),
Services = services,
ResourceTypes = resourceTypes,
Protocol = SasProtocol.Https,
};
sasBuilder.SetPermissions(permissions);
var cred = new StorageSharedKeyCredential(TestConfigDefault.AccountName, TestConfigDefault.AccountKey);
return(new SharedAccessSignatureCredentials(sasBuilder.ToSasQueryParameters(cred).ToString()));
}
public SasQueryParameters GetNewAccountSas(
AccountSasResourceTypes resourceTypes = AccountSasResourceTypes.All,
AccountSasPermissions permissions = AccountSasPermissions.All,
StorageSharedKeyCredential sharedKeyCredentials = default)
{
var builder = new AccountSasBuilder
{
Protocol = SasProtocol.None,
Services = AccountSasServices.Blobs,
ResourceTypes = resourceTypes,
StartsOn = Recording.UtcNow.AddHours(-1),
ExpiresOn = Recording.UtcNow.AddHours(+1),
IPRange = new SasIPRange(IPAddress.None, IPAddress.None),
};
builder.SetPermissions(permissions);
return(builder.ToSasQueryParameters(sharedKeyCredentials ?? GetNewSharedKeyCredentials()));
}
