internal string SetAzureTableStoredAccessPolicy(IStorageTableManagement localChannel, string tableName, string policyName, DateTime?startTime, DateTime?expiryTime, string permission, bool noStartTime, bool noExpiryTime)
{
DateTime?startTimeToSet = startTime;
DateTime?expiryTimetoSet = expiryTime;
//Get existing permissions
CloudTable table = localChannel.GetTableReference(Table);
TablePermissions tablePermissions = localChannel.GetTablePermissions(table);
//Set the policy with new value
if (!tablePermissions.SharedAccessPolicies.Keys.Contains(policyName))
{
throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
}
SharedAccessTablePolicy policy = tablePermissions.SharedAccessPolicies[policyName];
AccessPolicyHelper.SetupAccessPolicy <SharedAccessTablePolicy>(policy, startTime, expiryTime, permission, noStartTime, noExpiryTime);
tablePermissions.SharedAccessPolicies[policyName] = policy;
//Set permission back to table
localChannel.SetTablePermissions(table, tablePermissions);
WriteObject(AccessPolicyHelper.ConstructPolicyOutputPSObject <SharedAccessTablePolicy>(tablePermissions.SharedAccessPolicies, policyName));
return(policyName);
}
internal string CreateAzureTableStoredAccessPolicy(IStorageTableManagement localChannel, string tableName, string policyName, DateTime?startTime, DateTime?expiryTime, string permission)
{
if (!NameUtil.IsValidStoredAccessPolicyName(policyName))
{
throw new ArgumentException(String.Format(CultureInfo.CurrentCulture, Resources.InvalidAccessPolicyName, policyName));
}
//Get existing permissions
CloudTable table = localChannel.GetTableReference(tableName);
TablePermissions tablePermissions = localChannel.GetTablePermissions(table, null, TableOperationContext);
//Add new policy
if (tablePermissions.SharedAccessPolicies.Keys.Contains(policyName))
{
throw new ResourceAlreadyExistException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyAlreadyExists, policyName));
}
SharedAccessTablePolicy policy = new SharedAccessTablePolicy();
AccessPolicyHelper.SetupAccessPolicy <SharedAccessTablePolicy>(policy, startTime, expiryTime, permission);
tablePermissions.SharedAccessPolicies.Add(policyName, policy);
//Set permissions back to table
localChannel.SetTablePermissions(table, tablePermissions, null, TableOperationContext);
return(policyName);
}
/// <summary>
/// Creates a shared access policy on the table.
/// </summary>
/// <param name="table">A CloudTable object.</param>
/// <param name="policyName">The name of the stored access policy.</param>
/// <returns>A Task object</returns>
private static async Task CreateSharedAccessPolicy(CloudTable table, string policyName)
{
// Create a new shared access policy and define its constraints.
// The access policy provides add, update, and query permissions.
SharedAccessTablePolicy sharedPolicy = new SharedAccessTablePolicy()
{
// Permissions enable users to add, update, query, and delete entities in the table.
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
Permissions = SharedAccessTablePermissions.Add | SharedAccessTablePermissions.Update |
SharedAccessTablePermissions.Query | SharedAccessTablePermissions.Delete
};
try
{
// Get the table's existing permissions.
TablePermissions permissions = await table.GetPermissionsAsync();
// Add the new policy to the table's permissions, and update the table's permissions.
permissions.SharedAccessPolicies.Add(policyName, sharedPolicy);
await table.SetPermissionsAsync(permissions);
Console.WriteLine("Wait 30 seconds for pemissions to propagate");
Thread.Sleep(30);
}
catch (StorageException e)
{
Console.WriteLine(e.Message);
Console.ReadLine();
throw;
}
}
public override void ExecuteCmdlet()
{
if (String.IsNullOrEmpty(Name))
{
return;
}
CloudTable table = Channel.GetTableReference(Name);
SharedAccessTablePolicy policy = new SharedAccessTablePolicy();
bool shouldSetExpiryTime = SasTokenHelper.ValidateTableAccessPolicy(Channel, table.Name, policy, accessPolicyIdentifier);
SetupAccessPolicy(policy, shouldSetExpiryTime);
ValidatePkAndRk(StartPartitionKey, StartRowKey, EndPartitionKey, EndRowKey);
string sasToken = table.GetSharedAccessSignature(policy, accessPolicyIdentifier, StartPartitionKey,
StartRowKey, EndPartitionKey, EndRowKey);
if (FullUri)
{
string fullUri = table.Uri.ToString() + sasToken;
WriteObject(fullUri);
}
else
{
WriteObject(sasToken);
}
}
public static async Task <IActionResult> Run([HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
ILogger log, ExecutionContext context)
{
//Get SASURI for table access
string requestBody = new System.IO.StreamReader(req.Body).ReadToEndAsync().Result;
dynamic data = JsonConvert.DeserializeObject(requestBody);
string _storageAccountName = data["StorageAccountName"].ToString();
string _storageAccountKey = data["StorageAccountKey"].ToString();
StorageCredentials _storageCredentials = new StorageCredentials(_storageAccountName, _storageAccountKey);
CloudStorageAccount SourceStorageAccount = new CloudStorageAccount(storageCredentials: _storageCredentials, accountName: _storageAccountName, endpointSuffix: "core.windows.net", useHttps: true);
CloudTableClient client = SourceStorageAccount.CreateCloudTableClient();
var FileListTable = client.GetTableReference("Filelist");
SharedAccessTablePolicy policy = new SharedAccessTablePolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddYears(1),
Permissions = SharedAccessTablePermissions.Add | SharedAccessTablePermissions.Update
};
var sasToken = FileListTable.GetSharedAccessSignature(policy);
var sasCredentials = new StorageCredentials(sasToken);
//Run in Debug and break on this point so that you can grab the SASURI
return(new OkObjectResult(new { }));
}
public void SetupAccessPolicyPermissionTest()
{
SharedAccessTablePolicy accessPolicy = new SharedAccessTablePolicy();
command.SetupAccessPolicyPermission(accessPolicy, "");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.None);
accessPolicy.Permissions = SharedAccessTablePermissions.Add;
command.SetupAccessPolicyPermission(accessPolicy, "");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.Add);
command.SetupAccessPolicyPermission(accessPolicy, "u");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.Update);
command.SetupAccessPolicyPermission(accessPolicy, "uUUU");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.Update);
command.SetupAccessPolicyPermission(accessPolicy, "drrq");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.Delete | SharedAccessTablePermissions.Query);
command.SetupAccessPolicyPermission(accessPolicy, "rq");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.Query);
command.SetupAccessPolicyPermission(accessPolicy, "q");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.Query);
command.SetupAccessPolicyPermission(accessPolicy, "r");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.Query);
command.SetupAccessPolicyPermission(accessPolicy, "qd");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.Delete | SharedAccessTablePermissions.Query);
command.SetupAccessPolicyPermission(accessPolicy, "audq");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.Add
| SharedAccessTablePermissions.Query | SharedAccessTablePermissions.Update | SharedAccessTablePermissions.Delete);
command.SetupAccessPolicyPermission(accessPolicy, "dqaaaau");
Assert.AreEqual(accessPolicy.Permissions, SharedAccessTablePermissions.Add
| SharedAccessTablePermissions.Query | SharedAccessTablePermissions.Update | SharedAccessTablePermissions.Delete);
AssertThrows <ArgumentException>(() => command.SetupAccessPolicyPermission(accessPolicy, "rwDl"));
AssertThrows <ArgumentException>(() => command.SetupAccessPolicyPermission(accessPolicy, "x"));
AssertThrows <ArgumentException>(() => command.SetupAccessPolicyPermission(accessPolicy, "rwx"));
AssertThrows <ArgumentException>(() => command.SetupAccessPolicyPermission(accessPolicy, "ABC"));
}
public override void ExecuteCmdlet()
{
if (String.IsNullOrEmpty(Name))
{
return;
}
// when user is using oauth credential, the current code uses track 2 sdk, which is why this needs to be blocked here.
// reimplement when we deprecate legacy table sdk, probably by adding a new AccountKey cmdlet parameter.
if (this.Channel.IsTokenCredential)
{
throw new ArgumentException("Create Shared Access Signature is not supported while using OAuth.");
}
CloudTable table = Channel.GetTableReference(Name);
SharedAccessTablePolicy policy = new SharedAccessTablePolicy();
bool shouldSetExpiryTime = SasTokenHelper.ValidateTableAccessPolicy(Channel, table.Name, policy, accessPolicyIdentifier);
SetupAccessPolicy(policy, shouldSetExpiryTime);
ValidatePkAndRk(StartPartitionKey, StartRowKey, EndPartitionKey, EndRowKey);
string sasToken = table.GetSharedAccessSignature(policy, accessPolicyIdentifier, StartPartitionKey,
StartRowKey, EndPartitionKey, EndRowKey, Protocol, Util.SetupTableIPAddressOrRangeForSAS(IPAddressOrRange));
if (FullUri)
{
string fullUri = table.Uri.ToString() + sasToken;
WriteObject(fullUri);
}
else
{
WriteObject(sasToken);
}
}
/// <summary>
/// Set up access policy permission
/// </summary>
/// <param name="policy">SharedAccessBlobPolicy object</param>
/// <param name="permission">Permission</param>
internal void SetupAccessPolicyPermission(SharedAccessTablePolicy policy, string permission)
{
if (string.IsNullOrEmpty(permission))
{
return;
}
policy.Permissions = SharedAccessTablePermissions.None;
permission = permission.ToLower();
foreach (char op in permission)
{
switch (op)
{
case StorageNouns.Permission.Add:
policy.Permissions |= SharedAccessTablePermissions.Add;
break;
case StorageNouns.Permission.Update:
policy.Permissions |= SharedAccessTablePermissions.Update;
break;
case StorageNouns.Permission.Delete:
policy.Permissions |= SharedAccessTablePermissions.Delete;
break;
case StorageNouns.Permission.Read:
case StorageNouns.Permission.Query:
policy.Permissions |= SharedAccessTablePermissions.Query;
break;
default:
throw new ArgumentException(string.Format(Resources.InvalidAccessPermission, op));
}
}
}
private async Task SetupTableStoredAccessPolicyAsync(CloudTable table)
{
var permissions = await table.GetPermissionsAsync();
var policy = new SharedAccessTablePolicy();
if (permissions.SharedAccessPolicies.Count > 0 && permissions.SharedAccessPolicies.ContainsKey(PolicyName))
{
// extend the existing one by 1h
policy = permissions.SharedAccessPolicies[PolicyName];
policy.SharedAccessExpiryTime = DateTime.UtcNow.AddHours(48);
}
else
{
// create a new one
policy = new SharedAccessTablePolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(48),
Permissions = SharedAccessTablePermissions.Add | SharedAccessTablePermissions.Update
};
permissions.SharedAccessPolicies.Add(PolicyName, policy);
}
await table.SetPermissionsAsync(permissions);
}
static string RequestSasToken(CloudTable table, string customerId)
{
// Omitting any authentication code since this is beyond the scope of
// this sample code
// creating a shared access policy that expires in 1 day.
// No start time is specified, which means that the token is valid immediately.
// The policy specifies full permissions.
SharedAccessTablePolicy policy = new SharedAccessTablePolicy()
{
SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-15),
SharedAccessExpiryTime = DateTime.UtcNow.AddDays(1.0),
Permissions = SharedAccessTablePermissions.Add
| SharedAccessTablePermissions.Query
| SharedAccessTablePermissions.Update
| SharedAccessTablePermissions.Delete
};
// Generate the SAS token. No access policy identifier is used which
// makes it a non-revocable token
// limiting the table SAS access to only the request customer's id
string sasToken = table.GetSharedAccessSignature(
policy /* access policy */,
null /* access policy identifier */,
customerId /* start partition key */,
null /* start row key */,
customerId /* end partition key */,
null /* end row key */);
return(sasToken);
}
/// <summary>
/// Manage stored access policies specified on the table
/// </summary>
/// <param name="table"></param>
/// <returns></returns>
private static async Task TableAclSample(CloudTable table)
{
// Set table permissions
SharedAccessTablePolicy accessTablePolicy = new SharedAccessTablePolicy();
accessTablePolicy.SharedAccessStartTime = new DateTimeOffset(DateTime.Now);
accessTablePolicy.SharedAccessExpiryTime = new DateTimeOffset(DateTime.Now.AddMinutes(10));
accessTablePolicy.Permissions = SharedAccessTablePermissions.Update;
TablePermissions permissions = new TablePermissions();
permissions.SharedAccessPolicies.Add("key1", accessTablePolicy);
Console.WriteLine("Set table permissions");
await table.SetPermissionsAsync(permissions);
// Get table permissions
Console.WriteLine("Get table permissions:");
permissions = await table.GetPermissionsAsync();
foreach (var keyValue in permissions.SharedAccessPolicies)
{
Console.WriteLine(" {0}:", keyValue.Key);
Console.WriteLine(" permissions: {0}:", keyValue.Value.Permissions);
Console.WriteLine(" start time: {0}:", keyValue.Value.SharedAccessStartTime);
Console.WriteLine(" expiry time: {0}:", keyValue.Value.SharedAccessExpiryTime);
}
}
public void ClearAndAddTestStoredAccessPolicies()
{
DateTime startTime = DateTime.UtcNow;
DateTime expiryTime = startTime.AddDays(1);
tableMock.tablePermissions.SharedAccessPolicies.Clear();
SharedAccessTablePolicy testPolicy1 = new SharedAccessTablePolicy();
testPolicy1.Permissions = SharedAccessTablePermissions.None;
testPolicy1.Permissions |= SharedAccessTablePermissions.Query;
testPolicy1.SharedAccessStartTime = startTime;
testPolicy1.SharedAccessExpiryTime = expiryTime;
tableMock.tablePermissions.SharedAccessPolicies.Add(PolicyName1, testPolicy1);
SharedAccessTablePolicy testPolicy2 = new SharedAccessTablePolicy();
testPolicy1.Permissions = SharedAccessTablePermissions.None;
testPolicy1.Permissions |= SharedAccessTablePermissions.Query;
testPolicy1.SharedAccessStartTime = startTime;
testPolicy1.SharedAccessExpiryTime = expiryTime;
tableMock.tablePermissions.SharedAccessPolicies.Add(PolicyName2, testPolicy2);
tableMock.ClearAndAddTestSignedIdentifiers(
new Tuple <string, TableAccessPolicy>(PolicyName1, new TableAccessPolicy(startTime, expiryTime, "raud")),
new Tuple <string, TableAccessPolicy>(PolicyName2, new TableAccessPolicy(startTime, null, "r")),
new Tuple <string, TableAccessPolicy>(PolicyName3, new TableAccessPolicy(null, expiryTime, "au")),
new Tuple <string, TableAccessPolicy>(PolicyName4, new TableAccessPolicy(null, null, "aud")));
}
/// <summary>
/// Private method to generate a SAS URL with given access and permissions.
/// </summary>
/// <param name="table">The name of the table to give access to.</param>
/// <param name="policy">An optional name to create a named policy.</param>
/// <param name="query"><c>true</c> to allow query/read permission; otherwise, <c>false</c>.</param>
/// <param name="add"><c>true</c> to allow add/insert permission; otherwise, <c>false</c>.</param>
/// <param name="update"><c>true</c> to allow update/replace permission; otherwise, <c>false</c>.</param>
/// <param name="delete"><c>true</c> to allow delete permission; otherwise, <c>false</c>.</param>
/// <param name="startPartitionKey">An optional starting partition key that will limit the range of accessible rows.</param>
/// <param name="endPartitionKey">An optional ending partition key that will limit the range of accessible rows.</param>
/// <param name="startRowKey">An optional starting row key that will limit the range of accessible rows.</param>
/// <param name="endRowKey">An optional ending row key that will limit the range of accessible rows.</param>
/// <param name="expiry">An optional <see cref="DateTimeOffset"/> that sets when the access will expire.</param>
/// <returns>A SAS URL that can be shared to give the specified access to the table.</returns>
private static string GetTableSAS(string table, string policy, bool query, bool add, bool update, bool delete, string startPartitionKey = null, string endPartitionKey = null, string startRowKey = null, string endRowKey = null, DateTimeOffset?expiry = null)
{
var storage = CloudStorageAccount.Parse(StorageConnectionString);
var client = storage.CreateCloudTableClient();
var reference = client.GetTableReference(table);
var sas = new SharedAccessTablePolicy();
sas.SharedAccessExpiryTime = expiry ?? DateTimeOffset.MaxValue;
sas.Permissions =
(query ? SharedAccessTablePermissions.Query : 0) |
(add ? SharedAccessTablePermissions.Add : 0) |
(update ? SharedAccessTablePermissions.Update : 0) |
(delete ? SharedAccessTablePermissions.Delete : 0);
if (!String.IsNullOrEmpty(policy))
{
// This will fail if the table doesn't exist.
var permissions = reference.GetPermissions();
var policies = permissions.SharedAccessPolicies;
SharedAccessTablePolicy existing;
if (!policies.TryGetValue(policy, out existing))
{
policies.Add(policy, existing = sas);
}
existing.SharedAccessExpiryTime = sas.SharedAccessExpiryTime;
existing.Permissions = sas.Permissions;
reference.SetPermissions(permissions);
sas = new SharedAccessTablePolicy();
}
return(reference.Uri + reference.GetSharedAccessSignature(sas, policy, startPartitionKey, startRowKey, endPartitionKey, endRowKey));
}
/// <summary>
/// Validate the table access policy
/// </summary>
/// <param name="policy">SharedAccessBlobPolicy object</param>
/// <param name="policyIdentifier">The policy identifier which need to be checked.</param>
internal static bool ValidateTableAccessPolicy(IStorageTableManagement channel,
string tableName, SharedAccessTablePolicy policy, string policyIdentifier)
{
if (string.IsNullOrEmpty(policyIdentifier))
{
return(true);
}
CloudTable table = channel.GetTableReference(tableName);
TableRequestOptions options = null;
OperationContext context = null;
TablePermissions permission = channel.GetTablePermissions(table, options, context);
SharedAccessTablePolicy sharedAccessPolicy =
GetExistingPolicy <SharedAccessTablePolicy>(permission.SharedAccessPolicies, policyIdentifier);
if (policy.Permissions != SharedAccessTablePermissions.None)
{
throw new ArgumentException(Resources.SignedPermissionsMustBeOmitted);
}
if (policy.SharedAccessExpiryTime.HasValue && sharedAccessPolicy.SharedAccessExpiryTime.HasValue)
{
throw new ArgumentException(Resources.SignedExpiryTimeMustBeOmitted);
}
return(!sharedAccessPolicy.SharedAccessExpiryTime.HasValue);
}
public async Task <string> RequestStorageTokenAsync(string account, string domain)
{
await EnsureInitConnectionAsync();
// Omitting any authentication code since this is beyond the scope of
// this sample code
// creating a shared access policy that expires in 30 minutes.
// No start time is specified, which means that the token is valid immediately.
// The policy specifies full permissions.
SharedAccessTablePolicy policy = new SharedAccessTablePolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(AccessPolicyDurationInMinutes),
Permissions = SharedAccessTablePermissions.Query
};
// Generate the SAS token. No access policy identifier is used which
// makes it a non-revocable token
// limiting the table SAS access to only the request customer's id
string sasToken = this._table.GetSharedAccessSignature(
policy /* access policy */,
null /* access policy identifier */,
domain /* start partition key */,
account /* start row key */,
domain /* end partition key */,
account /* end row key */);
return(sasToken);
}
public void SetupAccessPolicyTest()
{
DateTime?start = DateTime.Now;
DateTime?end = start.Value.AddHours(1.0);
SharedAccessBlobPolicy blobAccessPolicy = new SharedAccessBlobPolicy();
AccessPolicyHelper.SetupAccessPolicy(blobAccessPolicy, start, end, "a");
Assert.AreEqual(blobAccessPolicy.SharedAccessStartTime.Value.UtcDateTime.ToString(), start.Value.ToUniversalTime().ToString());
Assert.AreEqual(blobAccessPolicy.SharedAccessExpiryTime.Value.UtcDateTime.ToString(), end.Value.ToUniversalTime().ToString());
Assert.AreEqual(blobAccessPolicy.Permissions, SharedAccessBlobPermissions.Add);
SharedAccessTablePolicy tableAccessPolicy = new SharedAccessTablePolicy();
AccessPolicyHelper.SetupAccessPolicy(tableAccessPolicy, null, end, "d", true);
Assert.AreEqual(tableAccessPolicy.SharedAccessStartTime, null);
Assert.AreEqual(tableAccessPolicy.SharedAccessExpiryTime.Value.UtcDateTime.ToString(), end.Value.ToUniversalTime().ToString());
Assert.AreEqual(tableAccessPolicy.Permissions, SharedAccessTablePermissions.Delete);
SharedAccessQueuePolicy queueAccessPolicy = new SharedAccessQueuePolicy();
AccessPolicyHelper.SetupAccessPolicy(queueAccessPolicy, start, null, "", noExpiryTime: true);
Assert.AreEqual(queueAccessPolicy.SharedAccessStartTime.Value.UtcDateTime.ToString(), start.Value.ToUniversalTime().ToString());
Assert.AreEqual(queueAccessPolicy.SharedAccessExpiryTime, null);
Assert.AreEqual(queueAccessPolicy.Permissions, SharedAccessQueuePermissions.None);
SharedAccessFilePolicy fileAccessPolicy = new SharedAccessFilePolicy();
AccessPolicyHelper.SetupAccessPolicy(fileAccessPolicy, null, null, "dl", true, true);
Assert.AreEqual(fileAccessPolicy.SharedAccessStartTime, null);
Assert.AreEqual(fileAccessPolicy.SharedAccessExpiryTime, null);
Assert.AreEqual(fileAccessPolicy.Permissions, SharedAccessFilePermissions.List | SharedAccessFilePermissions.Delete);
}
/// <summary>
/// Get the signature hash embedded inside the Shared Access Signature.
/// </summary>
/// <param name="policy">The shared access policy to hash.</param>
/// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param>
/// <param name="startPartitionKey">The start partition key, or <c>null</c>.</param>
/// <param name="startRowKey">The start row key, or <c>null</c>.</param>
/// <param name="endPartitionKey">The end partition key, or <c>null</c>.</param>
/// <param name="endRowKey">The end row key, or <c>null</c>.</param>
/// <param name="resourceName">The canonical resource string, unescaped.</param>
/// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format.</param>
/// <param name="keyValue">The key value retrieved as an atomic operation used for signing.</param>
/// <returns>The signed hash.</returns>
internal static string GetHash(
SharedAccessTablePolicy policy,
string accessPolicyIdentifier,
string startPartitionKey,
string startRowKey,
string endPartitionKey,
string endRowKey,
string resourceName,
string sasVersion,
byte[] keyValue)
{
CommonUtility.AssertNotNullOrEmpty("resourceName", resourceName);
CommonUtility.AssertNotNull("keyValue", keyValue);
CommonUtility.AssertNotNullOrEmpty("sasVersion", sasVersion);
string permissions = null;
DateTimeOffset?startTime = null;
DateTimeOffset?expiryTime = null;
if (policy != null)
{
permissions = SharedAccessTablePolicy.PermissionsToString(policy.Permissions);
startTime = policy.SharedAccessStartTime;
expiryTime = policy.SharedAccessExpiryTime;
}
//// StringToSign = signedpermissions + "\n" +
//// signedstart + "\n" +
//// signedexpiry + "\n" +
//// canonicalizedresource + "\n" +
//// signedidentifier + "\n" +
//// signedversion + "\n" +
//// startpk + "\n" +
//// startrk + "\n" +
//// endpk + "\n" +
//// endrk
////
//// HMAC-SHA256(UTF8.Encode(StringToSign))
string stringToSign = string.Format(
CultureInfo.InvariantCulture,
"{0}\n{1}\n{2}\n{3}\n{4}\n{5}\n{6}\n{7}\n{8}\n{9}",
permissions,
GetDateTimeOrEmpty(startTime),
GetDateTimeOrEmpty(expiryTime),
resourceName,
accessPolicyIdentifier,
sasVersion,
startPartitionKey,
startRowKey,
endPartitionKey,
endRowKey);
Logger.LogVerbose(null /* operationContext */, SR.TraceStringToSign, stringToSign);
return(CryptoUtility.ComputeHmac256(keyValue, stringToSign));
}
private static void WriteSharedAccessIdentifiers(SharedAccessTablePolicies sharedAccessPolicies, Stream outputStream)
{
WriteSharedAccessIdentifiers(sharedAccessPolicies, outputStream, delegate(SharedAccessTablePolicy policy, XmlWriter writer)
{
writer.WriteElementString("Start", SharedAccessSignatureHelper.GetDateTimeOrEmpty(policy.SharedAccessStartTime));
writer.WriteElementString("Expiry", SharedAccessSignatureHelper.GetDateTimeOrEmpty(policy.SharedAccessExpiryTime));
writer.WriteElementString("Permission", SharedAccessTablePolicy.PermissionsToString(policy.Permissions));
});
}
public void SetPolicyNoStartTimeNoExpiryTime()
{
CloudTable table = tableUtil.CreateTable();
Utility.ClearStoredAccessPolicy <CloudTable>(table);
Utility.RawStoredAccessPolicy samplePolicy = Utility.SetUpStoredAccessPolicyData <SharedAccessTablePolicy>(lang == Language.NodeJS)[0];
double effectiveTime = 30;
try
{
CreateStoredAccessPolicy(samplePolicy.PolicyName, samplePolicy.Permission, samplePolicy.StartTime, samplePolicy.ExpiryTime, table);
//NoStartTime
Test.Assert(CommandAgent.SetAzureStorageTableStoredAccessPolicy(table.Name, samplePolicy.PolicyName, null, null, null, true, false),
"Set stored access policy with -NoStartTime should succeed");
Thread.Sleep(TimeSpan.FromSeconds(effectiveTime));
SharedAccessTablePolicies expectedPolicies = new SharedAccessTablePolicies();
expectedPolicies.Add(samplePolicy.PolicyName, Utility.SetupSharedAccessPolicy <SharedAccessTablePolicy>(null, samplePolicy.ExpiryTime, samplePolicy.Permission));
Utility.ValidateStoredAccessPolicies <SharedAccessTablePolicy>(table.GetPermissions().SharedAccessPolicies, expectedPolicies);
SharedAccessTablePolicy policy = Utility.SetupSharedAccessPolicy <SharedAccessTablePolicy>(null, samplePolicy.ExpiryTime, samplePolicy.Permission);
Collection <Dictionary <string, object> > comp = new Collection <Dictionary <string, object> >();
comp.Add(Utility.ConstructGetPolicyOutput <SharedAccessTablePolicy>(policy, samplePolicy.PolicyName));
CommandAgent.OutputValidation(comp);
//NoExpiryTime
Test.Assert(CommandAgent.SetAzureStorageTableStoredAccessPolicy(table.Name, samplePolicy.PolicyName, null, null, null, false, true),
"Set stored access policy with -NoExpiryTime should succeed");
Thread.Sleep(TimeSpan.FromSeconds(effectiveTime));
expectedPolicies = new SharedAccessTablePolicies();
expectedPolicies.Add(samplePolicy.PolicyName, Utility.SetupSharedAccessPolicy <SharedAccessTablePolicy>(null, null, samplePolicy.Permission));
Utility.ValidateStoredAccessPolicies <SharedAccessTablePolicy>(table.GetPermissions().SharedAccessPolicies, expectedPolicies);
policy = Utility.SetupSharedAccessPolicy <SharedAccessTablePolicy>(null, null, samplePolicy.Permission);
comp = new Collection <Dictionary <string, object> >();
comp.Add(Utility.ConstructGetPolicyOutput <SharedAccessTablePolicy>(policy, samplePolicy.PolicyName));
CommandAgent.OutputValidation(comp);
//both
Utility.ClearStoredAccessPolicy <CloudTable>(table);
CreateStoredAccessPolicy(samplePolicy.PolicyName, samplePolicy.Permission, samplePolicy.StartTime, samplePolicy.ExpiryTime, table);
Test.Assert(CommandAgent.SetAzureStorageTableStoredAccessPolicy(table.Name, samplePolicy.PolicyName, null, null, null, true, true),
"Set stored access policy with both -NoStartTime and -NoExpiryTime should succeed");
Thread.Sleep(TimeSpan.FromSeconds(effectiveTime));
expectedPolicies = new SharedAccessTablePolicies();
expectedPolicies.Add(samplePolicy.PolicyName, Utility.SetupSharedAccessPolicy <SharedAccessTablePolicy>(null, null, samplePolicy.Permission));
Utility.ValidateStoredAccessPolicies <SharedAccessTablePolicy>(table.GetPermissions().SharedAccessPolicies, expectedPolicies);
policy = Utility.SetupSharedAccessPolicy <SharedAccessTablePolicy>(null, null, samplePolicy.Permission);
comp = new Collection <Dictionary <string, object> >();
comp.Add(Utility.ConstructGetPolicyOutput <SharedAccessTablePolicy>(policy, samplePolicy.PolicyName));
CommandAgent.OutputValidation(comp);
}
finally
{
tableUtil.RemoveTable(table);
}
}
private SharedAccessTablePolicy CreateTablePermission(string permissions, ref string policyName)
{
///permissions: start=0;expiry=30;policy=hello;p=adqu
///
var set = permissions.Split(';');
var policy = new SharedAccessTablePolicy();
foreach (var s in set)
{
var p = s.Split('=');
switch (p[0].ToLowerInvariant())
{
case "expiry":
policy.SharedAccessExpiryTime = DateTime.Now.AddDays(Convert.ToInt32(p[1]));
break;
case "start":
policy.SharedAccessStartTime = DateTime.Now.AddDays(Convert.ToInt32(p[1]));
break;
case "policy":
policyName = p[1];
break;
case "p":
for (var i = 0; i < p[1].Length; ++i)
{
switch (Char.ToLowerInvariant(p[1][i]))
{
case 'a':
policy.Permissions |= SharedAccessTablePermissions.Add;
break;
case 'd':
policy.Permissions |= SharedAccessTablePermissions.Delete;
break;
case 'q':
policy.Permissions |= SharedAccessTablePermissions.Query;
break;
case 'u':
policy.Permissions |= SharedAccessTablePermissions.Update;
break;
}
}
break;
default:
throw new Exception("Unknown parameter: " + p[0] + ". Expected: start=<days>;expiry=<days>;policy=<policyName>;p=adqu");
}
}
return(policy);
}
public string GetKeySas(string curso)
{
SharedAccessTablePolicy policy = new SharedAccessTablePolicy
{
SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(30),
Permissions = SharedAccessTablePermissions.Query | SharedAccessTablePermissions.Delete
};
string token = this.tablaalumnos.GetSharedAccessSignature(policy, null, curso, null, curso, null);
return(token);
}
/// <summary>
/// Update the access policy
/// </summary>
/// <param name="policy">Access policy object</param>
/// <param name="shouldSetExpiryTime">Should set the default expiry time</param>
private void SetupAccessPolicy(SharedAccessTablePolicy policy, bool shouldSetExpiryTime)
{
DateTimeOffset?accessStartTime;
DateTimeOffset?accessEndTime;
SasTokenHelper.SetupAccessPolicyLifeTime(StartTime, ExpiryTime,
out accessStartTime, out accessEndTime, shouldSetExpiryTime);
policy.SharedAccessStartTime = accessStartTime;
policy.SharedAccessExpiryTime = accessEndTime;
SetupAccessPolicyPermission(policy, Permission);
}
public String GetSeguridadSaS(String division)
{
CloudTable tabla = GetTablaEquipos();
SharedAccessTablePolicy permisos = new SharedAccessTablePolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(30),
Permissions = SharedAccessTablePermissions.Query | SharedAccessTablePermissions.Update
};
String token = tabla.GetSharedAccessSignature(permisos, null, division, null, division, null);
return(token);
}
/// <summary>
/// Create a service SAS for a Table - SharedAccessTablePolicy - Microsoft.Azure.Cosmos.Table
/// SharedAccessTablePolicy: https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.cosmos.table.sharedaccesstablepolicy?view=azure-dotnet
/// </summary>
/// <param name="accountName"></param>
/// <param name="accountKey"></param>
/// <param name="tableName"></param>
/// <param name="policyName"></param>
/// <returns> queue.Uri + SAS Token</returns>
public static string Get_ServiceSAS_Table(string accountName, string accountKey, string tableName, string policyName = null)
{
//--------------------------------------------------
// Creating StorageCredentials and table references using the 'Microsoft.Azure.Cosmos.Table' library
string tableUri = string.Format("https://{0}.table.core.windows.net", accountName);
StorageCredentials storageCredentials = new StorageCredentials(accountName, accountKey);
StorageUri uri = new StorageUri(new Uri(tableUri));
CloudTableClient tableClient = new CloudTableClient(uri, storageCredentials);
CloudTable table = tableClient.GetTableReference(tableName);
//--------------------------------------------------
// Create a new access policy and define its constraints, using the 'Microsoft.Azure.Cosmos.Table' library.
// Note that the SharedAccessTablePolicy class is used both to define the parameters of an ad hoc SAS, and
// to construct a shared access policy that is saved to the container's shared access policies.
Microsoft.Azure.Cosmos.Table.SharedAccessTablePolicy tablePolicy;
try
{
tablePolicy = new SharedAccessTablePolicy()
{
Permissions = Set_PermissionsFromStr_ServiceSAS_Tables(),
// SharedAccessStartTime =
SharedAccessExpiryTime = SAS_Utils.SAS.seDateTime
};
// Adding the optional fields commented out above
//-----------------------------------------------------------
if (!String.IsNullOrEmpty(SAS_Utils.SAS.st.v))
{
tablePolicy.SharedAccessStartTime = SAS_Utils.SAS.stDateTime;
}
//-----------------------------------------------------------
}
catch (Exception ex)
{
MessageBox.Show("Error on generating the Table Service SAS\n" + ex, "Invalid SAS parameters", MessageBoxButton.OK, MessageBoxImage.Exclamation);
return("");
}
if (String.IsNullOrEmpty(policyName))
{
// Generate the shared access signature on the table, setting the constraints directly on the signature.
//return tableUri + table.GetSharedAccessSignature(blobPolicy);
return(table.GetSharedAccessSignature(tablePolicy));
}
else
{
// Generate the shared access signature on the table. In this case, all of the constraints for the
// shared access signature are specified on the container's stored access policy.
return(table.GetSharedAccessSignature(tablePolicy, policyName));
}
}
private static SharedAccessTablePolicy sharedKey()
{
SharedAccessTablePolicy policy = new SharedAccessTablePolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddYears(1),
Permissions = SharedAccessTablePermissions.Query
| SharedAccessTablePermissions.Add
| SharedAccessTablePermissions.Update
| SharedAccessTablePermissions.Delete
};
return(policy);
}
/// <summary>
/// Creates a Windows Azure SAS key for adding entries to a table.
/// Adds a shared policy on the table so that access can later be revoked. If an existing policy with the specified name already
/// exists, it is used or altered to match the required level of access (SharedAccessTablePermissions.Add).
/// </summary>
/// <param name="storageConnectionString">Connection string to storage account where the table resides</param>
/// <param name="tableName">The name of the table for which access is granted. If the table does not exist, it is created.</param>
/// <param name="sharedPolicyName">The name that is given to the shared policy through which the SAS key is generated</param>
/// <param name="expireAfter">How long before the key should expire</param>
/// <returns></returns>
public Uri CreateAddOnlySasKey(string storageConnectionString, string tableName, string sharedPolicyName, TimeSpan expireAfter)
{
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(storageConnectionString);
CloudTableClient tableClient = storageAccount.CreateCloudTableClient();
CloudTable table = tableClient.GetTableReference(tableName);
// Create the table if doesn't exist
table.CreateIfNotExists();
// Create a target Shared Policy with desired expiration time and permissions - can later be used to revoke the sas key
SharedAccessTablePolicy targetSharedPolicy = new SharedAccessTablePolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.Add(expireAfter),
Permissions = SharedAccessTablePermissions.Add
};
// Get current table permissions
TablePermissions tablePermissions = table.GetPermissions();
// If the table already has a policy with this name
if (tablePermissions.SharedAccessPolicies.ContainsKey(sharedPolicyName))
{
// update it's values to match the target values
Console.WriteLine("Updating existing shared policy");
SharedAccessTablePolicy existingSharedPolicy = tablePermissions.SharedAccessPolicies[sharedPolicyName];
existingSharedPolicy.SharedAccessExpiryTime = targetSharedPolicy.SharedAccessExpiryTime;
existingSharedPolicy.Permissions = targetSharedPolicy.Permissions;
table.SetPermissions(tablePermissions);
}
else
{
// No such policy found - create a new one
Console.WriteLine("Adding new shared access policy to table");
tablePermissions.SharedAccessPolicies.Add(sharedPolicyName, targetSharedPolicy);
table.SetPermissions(tablePermissions);
}
// Generate the SAS key
string sasTableToken = table.GetSharedAccessSignature(
null,
sharedPolicyName,
null,
null,
null,
null);
Uri sasUri = new Uri(table.Uri + sasTableToken);
Console.WriteLine("Sas Uri: {0}", sasUri);
return(sasUri);
}
/// <summary>
/// Get the complete query builder for creating the Shared Access Signature query.
/// </summary>
/// <param name="policy">The shared access policy to hash.</param>
/// <param name="tableName">The name of the table associated with this shared access signature.</param>
/// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param>
/// <param name="startPartitionKey">The start partition key, or null.</param>
/// <param name="startRowKey">The start row key, or null.</param>
/// <param name="endPartitionKey">The end partition key, or null.</param>
/// <param name="endRowKey">The end row key, or null.</param>
/// <param name="signature">The signature to use.</param>
/// <param name="accountKeyName">The name of the key used to create the signature, or null if the key is implicit.</param>
/// <returns>The finished query builder.</returns>
internal static UriQueryBuilder GetSharedAccessSignatureImpl(
SharedAccessTablePolicy policy,
string tableName,
string accessPolicyIdentifier,
string startPartitionKey,
string startRowKey,
string endPartitionKey,
string endRowKey,
string signature,
string accountKeyName)
{
CommonUtils.AssertNotNull("signature", signature);
if (policy == null)
{
return(GetSharedAccessSignatureImpl(
null /* policy.Permissions */,
null /* policy.SharedAccessStartTime */,
null /* policy.SharedAccessExpiryTime */,
startPartitionKey,
startRowKey,
endPartitionKey,
endRowKey,
accessPolicyIdentifier,
null /* resourceType (blob only) */,
tableName,
signature,
accountKeyName));
}
string permissions = SharedAccessTablePolicy.PermissionsToString(policy.Permissions);
if (string.IsNullOrEmpty(permissions))
{
permissions = null;
}
return(GetSharedAccessSignatureImpl(
permissions,
policy.SharedAccessStartTime,
policy.SharedAccessExpiryTime,
startPartitionKey,
startRowKey,
endPartitionKey,
endRowKey,
accessPolicyIdentifier,
null /* resourceType (blob only) */,
tableName,
signature,
accountKeyName));
}
internal void SetStoredAccessPolicyAndValidate(Utility.RawStoredAccessPolicy policy1, Utility.RawStoredAccessPolicy policy2, string tableName = null, bool ifCleanupPolicy = true, bool ifCleanupTable = true)
{
CloudTable table = tableUtil.CreateTable(tableName);
if (ifCleanupPolicy)
{
Utility.ClearStoredAccessPolicy <CloudTable>(table);
}
policy2.PolicyName = policy1.PolicyName;
try
{
CommandAgent.NewAzureStorageTableStoredAccessPolicy(table.Name, policy1.PolicyName, policy1.Permission, policy1.StartTime, policy1.ExpiryTime);
Test.Assert(CommandAgent.SetAzureStorageTableStoredAccessPolicy(table.Name, policy2.PolicyName, policy2.Permission, policy2.StartTime, policy2.ExpiryTime),
"Set stored access policy in table should succeed");
Test.Info("Set stored access policy:{0}", policy2.PolicyName);
//get the policy and validate
SharedAccessTablePolicies expectedPolicies = new SharedAccessTablePolicies();
if (policy2.StartTime == null)
{
policy2.StartTime = policy1.StartTime;
}
if (policy2.ExpiryTime == null)
{
policy2.ExpiryTime = policy1.ExpiryTime;
}
if (policy2.Permission == null)
{
policy2.Permission = policy1.Permission;
}
expectedPolicies.Add(policy2.PolicyName, Utility.SetupSharedAccessPolicy <SharedAccessTablePolicy>(policy2.StartTime, policy2.ExpiryTime, policy2.Permission));
Utility.WaitForPolicyBecomeValid <CloudTable>(table, policy2);
Utility.ValidateStoredAccessPolicies <SharedAccessTablePolicy>(table.GetPermissions().SharedAccessPolicies, expectedPolicies);
//validate the output
SharedAccessTablePolicy policy = Utility.SetupSharedAccessPolicy <SharedAccessTablePolicy>(policy2.StartTime, policy2.ExpiryTime, policy2.Permission);
Collection <Dictionary <string, object> > comp = new Collection <Dictionary <string, object> >();
comp.Add(Utility.ConstructGetPolicyOutput <SharedAccessTablePolicy>(policy, policy2.PolicyName));
CommandAgent.OutputValidation(comp);
}
finally
{
if (ifCleanupTable)
{
tableUtil.RemoveTable(table);
}
}
}
public async Task CloudTableExtensionsTest()
{
// Arrange
var permissions = new TablePermissions();
permissions.SharedAccessPolicies.Add("default", new SharedAccessTablePolicy
{
Permissions = SharedAccessTablePermissions.Query,
SharedAccessExpiryTime = DateTimeOffset.UtcNow,
SharedAccessStartTime = DateTimeOffset.UtcNow
});
// Act
// Create table
await _cloudTable.CreateAsync();
// Create table
bool createIfNotExistsResult = await _cloudTable.CreateIfNotExistsAsync();
// Check whether table exists
bool existsResult = await _cloudTable.ExistsAsync();
// Set & get permissions
await _cloudTable.SetPermissionsAsync(permissions);
TablePermissions permissionsResult = await _cloudTable.GetPermissionsAsync();
// Delete table
await _cloudTable.DeleteAsync();
bool deleteIfExistsResult = await _cloudTable.DeleteIfExistsAsync();
// Assert
Assert.False(createIfNotExistsResult);
Assert.True(existsResult);
Assert.NotNull(permissionsResult);
Assert.NotNull(permissionsResult.SharedAccessPolicies);
Assert.Equal(permissionsResult.SharedAccessPolicies.Count, permissions.SharedAccessPolicies.Count);
foreach (var policy in permissionsResult.SharedAccessPolicies)
{
Assert.Contains(policy.Key, permissions.SharedAccessPolicies.Keys);
SharedAccessTablePolicy value = permissions.SharedAccessPolicies[policy.Key];
Assert.Equal(policy.Value.Permissions, value.Permissions);
}
Assert.False(deleteIfExistsResult);
}
private static string TableInsertAlunos(CloudStorageAccount conta)
{
CloudTableClient tableClient = conta.CreateCloudTableClient();
CloudTable jogos = tableClient.GetTableReference("jogos");
jogos.CreateIfNotExists();
Jogo santosFluminense = new Jogo("A", "1")
{
TimeA = "Flu",
TimeB = "SAN",
DataJogo = new DateTime(2017, 5, 13)
};
Jogo palvasco = new Jogo("A", "2")
{
TimeA = "PAL",
TimeB = "VASCO",
DataJogo = new DateTime(2017, 5, 14)
};
Jogo corponte = new Jogo("A", "3")
{
TimeA = "COR",
TimeB = "PONTE",
DataJogo = new DateTime(2017, 5, 14)
};
TableBatchOperation lote = new TableBatchOperation();
lote.Add(TableOperation.Insert(santosFluminense));
lote.Add(TableOperation.Insert(palvasco));
// jogos.ExecuteBatch(lote);
jogos.Execute(TableOperation.Insert(corponte));
SharedAccessTablePolicy regra = new SharedAccessTablePolicy();
regra.SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-5);
regra.SharedAccessExpiryTime = DateTime.UtcNow.AddDays(2);
regra.Permissions =
SharedAccessTablePermissions.Delete
| SharedAccessTablePermissions.Query
| SharedAccessTablePermissions.Update;
var sasToken =
jogos.GetSharedAccessSignature(regra, null, null, null, null, null);
return($"{jogos.Uri}{sasToken}");
}
