private static ContentKeyPolicy EnsureContentKeyPolicyExists(IAzureMediaServicesClient client,
string resourceGroup, string accountName, string contentKeyPolicyName)
{
ContentKeyPolicySymmetricTokenKey primaryKey = new ContentKeyPolicySymmetricTokenKey(TokenSigningKey);
List <ContentKeyPolicyRestrictionTokenKey> alternateKeys = null;
List <ContentKeyPolicyTokenClaim> requiredClaims = new List <ContentKeyPolicyTokenClaim>()
{
ContentKeyPolicyTokenClaim.ContentKeyIdentifierClaim
};
List <ContentKeyPolicyOption> options = new List <ContentKeyPolicyOption>()
{
new ContentKeyPolicyOption(
new ContentKeyPolicyClearKeyConfiguration(),
new ContentKeyPolicyTokenRestriction(Issuer, Audience, primaryKey,
ContentKeyPolicyRestrictionTokenType.Jwt, alternateKeys, requiredClaims))
};
// since we are randomly generating the signing key each time, make sure to create or update the policy each time.
// Normally you would use a long lived key so you would just check for the policies existence with Get instead of
// ensuring to create or update it each time.
ContentKeyPolicy policy = client.ContentKeyPolicies.CreateOrUpdate(resourceGroup, accountName, contentKeyPolicyName, options);
return(policy);
}
// </CreateMediaServicesClient>
/// <summary>
/// Create the content key policy that configures how the content key is delivered to end clients
/// via the Key Delivery component of Azure Media Services.
/// </summary>
/// <param name="client">The Media Services client.</param>
/// <param name="resourceGroupName">The name of the resource group within the Azure subscription.</param>
/// <param name="accountName"> The Media Services account name.</param>
/// <param name="contentKeyPolicyName">The name of the content key policy resource.</param>
/// <returns></returns>
// <GetOrCreateContentKeyPolicy>
private static async Task <ContentKeyPolicy> GetOrCreateContentKeyPolicyAsync(
IAzureMediaServicesClient client,
string resourceGroupName,
string accountName,
string contentKeyPolicyName,
byte[] tokenSigningKey)
{
ContentKeyPolicy policy = await client.ContentKeyPolicies.GetAsync(resourceGroupName, accountName, contentKeyPolicyName);
if (policy == null)
{
ContentKeyPolicySymmetricTokenKey primaryKey = new ContentKeyPolicySymmetricTokenKey(tokenSigningKey);
List <ContentKeyPolicyTokenClaim> requiredClaims = new List <ContentKeyPolicyTokenClaim>()
{
ContentKeyPolicyTokenClaim.ContentKeyIdentifierClaim
};
List <ContentKeyPolicyRestrictionTokenKey> alternateKeys = null;
ContentKeyPolicyTokenRestriction restriction
= new ContentKeyPolicyTokenRestriction(Issuer, Audience, primaryKey, ContentKeyPolicyRestrictionTokenType.Jwt, alternateKeys, requiredClaims);
ContentKeyPolicyPlayReadyConfiguration playReadyConfig = ConfigurePlayReadyLicenseTemplate();
ContentKeyPolicyWidevineConfiguration widevineConfig = ConfigureWidevineLicenseTempate();
List <ContentKeyPolicyOption> options = new List <ContentKeyPolicyOption>();
options.Add(
new ContentKeyPolicyOption()
{
Configuration = playReadyConfig,
// If you want to set an open restriction, use
// Restriction = new ContentKeyPolicyOpenRestriction()
Restriction = restriction
});
options.Add(
new ContentKeyPolicyOption()
{
Configuration = widevineConfig,
Restriction = restriction
});
policy = await client.ContentKeyPolicies.CreateOrUpdateAsync(resourceGroupName, accountName, contentKeyPolicyName, options);
}
else
{
// Get the signing key from the existing policy.
var policyProperties = await client.ContentKeyPolicies.GetPolicyPropertiesWithSecretsAsync(resourceGroupName, accountName, contentKeyPolicyName);
var restriction = policyProperties.Options[0].Restriction as ContentKeyPolicyTokenRestriction;
if (restriction != null)
{
var signingKey = restriction.PrimaryVerificationKey as ContentKeyPolicySymmetricTokenKey;
if (signingKey != null)
{
TokenSigningKey = signingKey.KeyValue;
}
}
}
return(policy);
}
// Create the content key policy that configures how the content key is delivered to end clients
private static async Task <ContentKeyPolicy> GetOrCreateContentKeyPolicyAsync(
IAzureMediaServicesClient client,
string resourceGroupName,
string accountName,
string contentKeyPolicyName,
byte[] tokenSigningKey)
{
ContentKeyPolicy policy = await client.ContentKeyPolicies.GetAsync(resourceGroupName, accountName, contentKeyPolicyName);
if (policy == null)
{
ContentKeyPolicySymmetricTokenKey primaryKey = new ContentKeyPolicySymmetricTokenKey(TokenSigningKey);
List <ContentKeyPolicyRestrictionTokenKey> alternateKeys = null;
List <ContentKeyPolicyTokenClaim> requiredClaims = new List <ContentKeyPolicyTokenClaim>()
{
ContentKeyPolicyTokenClaim.ContentKeyIdentifierClaim
};
List <ContentKeyPolicyOption> options = new List <ContentKeyPolicyOption>()
{
new ContentKeyPolicyOption(
new ContentKeyPolicyClearKeyConfiguration(),
new ContentKeyPolicyTokenRestriction(Issuer, Audience, primaryKey,
ContentKeyPolicyRestrictionTokenType.Jwt, alternateKeys, requiredClaims))
};
policy = await client.ContentKeyPolicies.CreateOrUpdateAsync(resourceGroupName, accountName, contentKeyPolicyName, options);
}
return(policy);
}
private async Task <byte[]> GetOrCreateContentPolicy(string policyName)
{
var policy = await
_client.ContentKeyPolicies.GetAsync(_option.ResourceGroupName, _option.AccountName, policyName);
if (policy == null)
{
var primaryKey = new ContentKeyPolicySymmetricTokenKey(_option.TokenKey);
var requiredClaims = new List <ContentKeyPolicyTokenClaim>()
{
ContentKeyPolicyTokenClaim.ContentKeyIdentifierClaim
};
var restriction = new ContentKeyPolicyTokenRestriction(_option.Issuer, _option.Audience, primaryKey, ContentKeyPolicyRestrictionTokenType.Jwt, null, requiredClaims);
var options = new List <ContentKeyPolicyOption>()
{
new ContentKeyPolicyOption()
{
Name = "playReady",
Configuration = ConfigurePlayReadyLicenseTemplate(),
Restriction = restriction
},
new ContentKeyPolicyOption()
{
Name = "winevine",
Configuration = ConfigureWidevineLicenseTemplate(),
Restriction = restriction
}
};
await _client.ContentKeyPolicies.CreateOrUpdateAsync(_option.ResourceGroupName, _option.AccountName,
policyName, options);
}
var policyProperties =
await _client.ContentKeyPolicies.GetPolicyPropertiesWithSecretsAsync(_option.ResourceGroupName,
_option.AccountName, policyName);
if (policyProperties.Options[0].Restriction is ContentKeyPolicyTokenRestriction restriction2)
{
if (restriction2.PrimaryVerificationKey is ContentKeyPolicySymmetricTokenKey signingKey)
{
return(signingKey.KeyValue);
}
}
return(_option.TokenKey);
}
public async Task CreateContentPolicyIfNotExists()
{
var policyName = _option.ContentPolicyOption.ContentPolicyName;
var tokenKey = Encoding.ASCII.GetBytes(_option.ContentPolicyOption.TokenValidateKey);
var policy = await
_client.ContentKeyPolicies.GetAsync(_option.ResourceGroupName, _option.AccountName, policyName);
if (policy == null)
{
var primaryKey = new ContentKeyPolicySymmetricTokenKey(tokenKey);
var requiredClaims = new List <ContentKeyPolicyTokenClaim>()
{
ContentKeyPolicyTokenClaim.ContentKeyIdentifierClaim
};
var restriction = new ContentKeyPolicyTokenRestriction(_option.ContentPolicyOption.TokenIssuer,
_option.ContentPolicyOption.TokenAudience, primaryKey, ContentKeyPolicyRestrictionTokenType.Jwt, null,
requiredClaims);
var options = new List <ContentKeyPolicyOption>()
{
new ContentKeyPolicyOption()
{
Name = "playReady",
Configuration = ConfigurePlayReadyLicenseTemplate(),
Restriction = restriction
},
new ContentKeyPolicyOption()
{
Name = "winevine",
Configuration = ConfigureWidevineLicenseTemplate(),
Restriction = restriction
},
new ContentKeyPolicyOption(new ContentKeyPolicyClearKeyConfiguration(), restriction)
{
Name = "AES"
}
};
await _client.ContentKeyPolicies.CreateOrUpdateAsync(_option.ResourceGroupName, _option.AccountName,
policyName, options);
}
}
// </RunAsync>
/// <summary>
/// Create the content key policy that configures how the content key is delivered to end clients
/// via the Key Delivery component of Azure Media Services.
/// </summary>
/// <param name="client">The Media Services client.</param>
/// <param name="resourceGroupName">The name of the resource group within the Azure subscription.</param>
/// <param name="accountName"> The Media Services account name.</param>
/// <param name="contentKeyPolicyName">The name of the content key policy resource.</param>
/// <returns></returns>
// <GetOrCreateContentKeyPolicy>
private static async Task <ContentKeyPolicy> GetOrCreateContentKeyPolicyAsync(
IAzureMediaServicesClient client,
string resourceGroupName,
string accountName,
string contentKeyPolicyName)
{
bool createPolicy = false;
ContentKeyPolicy policy = null;
try
{
policy = await client.ContentKeyPolicies.GetAsync(resourceGroupName, accountName, contentKeyPolicyName);
}
catch (ErrorResponseException ex) when(ex.Response.StatusCode == System.Net.HttpStatusCode.NotFound)
{
createPolicy = true;
}
if (createPolicy)
{
ContentKeyPolicySymmetricTokenKey primaryKey = new ContentKeyPolicySymmetricTokenKey(TokenSigningKey);
List <ContentKeyPolicyRestrictionTokenKey> alternateKeys = null;
List <ContentKeyPolicyTokenClaim> requiredClaims = new List <ContentKeyPolicyTokenClaim>()
{
ContentKeyPolicyTokenClaim.ContentKeyIdentifierClaim
};
List <ContentKeyPolicyOption> options = new List <ContentKeyPolicyOption>()
{
new ContentKeyPolicyOption(
new ContentKeyPolicyClearKeyConfiguration(),
new ContentKeyPolicyTokenRestriction(Issuer, Audience, primaryKey,
ContentKeyPolicyRestrictionTokenType.Jwt, alternateKeys, requiredClaims))
};
// Since we are randomly generating the signing key each time, make sure to create or update the policy each time.
// Normally you would use a long lived key so you would just check for the policies existence with Get instead of
// ensuring to create or update it each time.
policy = await client.ContentKeyPolicies.CreateOrUpdateAsync(resourceGroupName, accountName, contentKeyPolicyName, options);
}
return(policy);
}
/// <summary>
/// Checks if content key policy exists, if not, creates new one
/// This code is based on https://github.com/Azure-Samples/media-services-v3-dotnet-core-tutorials/tree/master/NETCore/EncodeHTTPAndPublishAESEncrypted
/// </summary>
/// <param name="client">Azure Media Services instance client</param>
/// <param name="resourceGroup">Azure resource group</param>
/// <param name="accountName">Azure Media Services instance account name</param>
/// <param name="contentKeyPolicyName">Content key policy name</param>
/// <param name="tokenSigningKey">Token signing key</param>
/// <param name="issuer">Token issuer</param>
/// <param name="audience">Token audience</param>
/// <returns></returns>
public static async Task <ContentKeyPolicy> EnsureContentKeyPolicyExists(IAzureMediaServicesClient client, string resourceGroup, string accountName, string contentKeyPolicyName, byte[] tokenSigningKey, string issuer, string audience)
{
var primaryKey = new ContentKeyPolicySymmetricTokenKey(tokenSigningKey);
List <ContentKeyPolicyRestrictionTokenKey> alternateKeys = null;
var requiredClaims = new List <ContentKeyPolicyTokenClaim>()
{
ContentKeyPolicyTokenClaim.ContentKeyIdentifierClaim
};
var options = new List <ContentKeyPolicyOption>()
{
new ContentKeyPolicyOption(
new ContentKeyPolicyClearKeyConfiguration(),
new ContentKeyPolicyTokenRestriction(issuer, audience, primaryKey,
ContentKeyPolicyRestrictionTokenType.Jwt, alternateKeys, requiredClaims))
};
var policy = await client.ContentKeyPolicies.CreateOrUpdateAsync(resourceGroup, accountName, contentKeyPolicyName, options).ConfigureAwait(false);
return(policy);
}
public void ContentKeyPolicyComboTest()
{
using (MockContext context = this.StartMockContextAndInitializeClients(this.GetType()))
{
try
{
CreateMediaServicesAccount();
// List ContentKeyPolicies, which should be empty
var contentKeyPolicies = MediaClient.ContentKeyPolicies.List(ResourceGroup, AccountName);
Assert.Empty(contentKeyPolicies);
string policyName = TestUtilities.GenerateName("ContentKeyPolicy");
string policyDescription = "Test policy";
// Try to get the policy, which should not exist
Assert.Equal(System.Net.HttpStatusCode.NotFound, Assert.Throws <ErrorResponseException>(() => MediaClient.ContentKeyPolicies.Get(ResourceGroup, AccountName, policyName)).Response.StatusCode);
// Create the policy
ContentKeyPolicyOption[] options = new ContentKeyPolicyOption[]
{
new ContentKeyPolicyOption(new ContentKeyPolicyClearKeyConfiguration(), new ContentKeyPolicyOpenRestriction())
};
ContentKeyPolicy createdPolicy = MediaClient.ContentKeyPolicies.CreateOrUpdate(ResourceGroup, AccountName, policyName, options, policyDescription);
ValidateContentKeyPolicy(createdPolicy, policyName, policyDescription, options);
// List ContentKeyPolicies and validate the created policy shows up
contentKeyPolicies = MediaClient.ContentKeyPolicies.List(ResourceGroup, AccountName);
Assert.Single(contentKeyPolicies);
ValidateContentKeyPolicy(createdPolicy, policyName, policyDescription, options);
// Get the newly created policy
ContentKeyPolicy contentKeyPolicy = MediaClient.ContentKeyPolicies.Get(ResourceGroup, AccountName, policyName);
Assert.NotNull(contentKeyPolicy);
ValidateContentKeyPolicy(createdPolicy, policyName, policyDescription, options);
// Update the policy
var primaryVerificationKey = new ContentKeyPolicySymmetricTokenKey(new byte[32]);
ContentKeyPolicyOption[] options2 = new ContentKeyPolicyOption[]
{
new ContentKeyPolicyOption(new ContentKeyPolicyClearKeyConfiguration(),
new ContentKeyPolicyTokenRestriction(
"issuer",
"audience",
primaryVerificationKey,
ContentKeyPolicyRestrictionTokenType.Jwt,
requiredClaims: new ContentKeyPolicyTokenClaim[] { ContentKeyPolicyTokenClaim.ContentKeyIdentifierClaim }))
};
ContentKeyPolicy updatedByPutPolicy = MediaClient.ContentKeyPolicies.CreateOrUpdate(ResourceGroup, AccountName, policyName, options2, policyDescription);
ValidateContentKeyPolicy(updatedByPutPolicy, policyName, policyDescription, options2);
// List ContentKeyPolicies and validate the updated policy shows up as expected
contentKeyPolicies = MediaClient.ContentKeyPolicies.List(ResourceGroup, AccountName);
Assert.Single(contentKeyPolicies);
ValidateContentKeyPolicy(contentKeyPolicies.First(), policyName, policyDescription, options2);
// Get the newly updated policy
contentKeyPolicy = MediaClient.ContentKeyPolicies.Get(ResourceGroup, AccountName, policyName);
Assert.NotNull(contentKeyPolicy);
ValidateContentKeyPolicy(contentKeyPolicy, policyName, policyDescription, options2);
// Delete the policy
MediaClient.ContentKeyPolicies.Delete(ResourceGroup, AccountName, policyName);
// List ContentKeyPolicies, which should be empty again
contentKeyPolicies = MediaClient.ContentKeyPolicies.List(ResourceGroup, AccountName);
Assert.Empty(contentKeyPolicies);
// Try to get the policy, which should not exist
Assert.Equal(System.Net.HttpStatusCode.NotFound, Assert.Throws <ErrorResponseException>(() => MediaClient.ContentKeyPolicies.Get(ResourceGroup, AccountName, policyName)).Response.StatusCode);
}
finally
{
DeleteMediaServicesAccount();
}
}
}
// </RunAsync>
/// <summary>
/// Create the content key policy that configures how the content key is delivered to end clients
/// via the Key Delivery component of Azure Media Services.
/// </summary>
/// <param name="client">The Media Services client.</param>
/// <param name="resourceGroupName">The name of the resource group within the Azure subscription.</param>
/// <param name="accountName"> The Media Services account name.</param>
/// <param name="contentKeyPolicyName">The name of the content key policy resource.</param>
/// <returns></returns>
// <GetOrCreateContentKeyPolicy>
private static async Task <ContentKeyPolicy> GetOrCreateContentKeyPolicyAsync(
IAzureMediaServicesClient client,
string resourceGroupName,
string accountName,
string contentKeyPolicyName,
byte[] tokenSigningKey)
{
bool createPolicy = false;
ContentKeyPolicy policy = null;
try
{
policy = await client.ContentKeyPolicies.GetAsync(resourceGroupName, accountName, contentKeyPolicyName);
}
catch (ErrorResponseException ex) when(ex.Response.StatusCode == System.Net.HttpStatusCode.NotFound)
{
createPolicy = true;
}
if (createPolicy)
{
ContentKeyPolicySymmetricTokenKey primaryKey = new ContentKeyPolicySymmetricTokenKey(tokenSigningKey);
List <ContentKeyPolicyTokenClaim> requiredClaims = new List <ContentKeyPolicyTokenClaim>()
{
ContentKeyPolicyTokenClaim.ContentKeyIdentifierClaim
};
List <ContentKeyPolicyRestrictionTokenKey> alternateKeys = null;
ContentKeyPolicyTokenRestriction restriction
= new ContentKeyPolicyTokenRestriction(Issuer, Audience, primaryKey, ContentKeyPolicyRestrictionTokenType.Jwt, alternateKeys, requiredClaims);
ContentKeyPolicyPlayReadyConfiguration playReadyConfig = ConfigurePlayReadyLicenseTemplate();
ContentKeyPolicyWidevineConfiguration widevineConfig = ConfigureWidevineLicenseTemplate();
// ContentKeyPolicyFairPlayConfiguration fairplayConfig = ConfigureFairPlayPolicyOptions();
List <ContentKeyPolicyOption> options = new List <ContentKeyPolicyOption>();
options.Add(
new ContentKeyPolicyOption()
{
Configuration = playReadyConfig,
// If you want to set an open restriction, use
// Restriction = new ContentKeyPolicyOpenRestriction()
Restriction = restriction
});
options.Add(
new ContentKeyPolicyOption()
{
Configuration = widevineConfig,
Restriction = restriction
});
// add CBCS ContentKeyPolicyOption into the list
// options.Add(
// new ContentKeyPolicyOption()
// {
// Configuration = fairplayConfig,
// Restriction = restriction,
// Name = "ContentKeyPolicyOption_CBCS"
// });
policy = await client.ContentKeyPolicies.CreateOrUpdateAsync(resourceGroupName, accountName, contentKeyPolicyName, options);
}
else
{
// Get the signing key from the existing policy.
var policyProperties = await client.ContentKeyPolicies.GetPolicyPropertiesWithSecretsAsync(resourceGroupName, accountName, contentKeyPolicyName);
if (policyProperties.Options[0].Restriction is ContentKeyPolicyTokenRestriction restriction)
{
if (restriction.PrimaryVerificationKey is ContentKeyPolicySymmetricTokenKey signingKey)
{
TokenSigningKey = signingKey.KeyValue;
}
}
}
return(policy);
}
