public async Task SasAuth()
{
string storageUri = StorageUri;
string accountName = StorageAccountName;
string accountKey = PrimaryStorageAccountKey;
string tableName = "OfficeSupplies";
#region Snippet:TablesAuthSas
// Construct a new <see cref="TableServiceClient" /> using a <see cref="TableSharedKeyCredential" />.
var credential = new TableSharedKeyCredential(accountName, accountKey);
var serviceClient = new TableServiceClient(
new Uri(storageUri),
credential);
// Build a shared access signature with the Write and Delete permissions and access to all service resource types.
TableAccountSasBuilder sasWriteDelete = serviceClient.GetSasBuilder(TableAccountSasPermissions.Write | TableAccountSasPermissions.Delete, TableAccountSasResourceTypes.All, new DateTime(2040, 1, 1, 1, 1, 0, DateTimeKind.Utc));
string tokenWriteDelete = sasWriteDelete.Sign(credential);
// Create the TableServiceClients using the SAS URIs.
var serviceClientWithSas = new TableServiceClient(new Uri(storageUri), new AzureSasCredential(tokenWriteDelete));
// Validate that we are able to create a table using the SAS URI with Write and Delete permissions.
await serviceClientWithSas.CreateTableIfNotExistsAsync(tableName);
// Validate that we are able to delete a table using the SAS URI with Write and Delete permissions.
await serviceClientWithSas.DeleteTableAsync(tableName);
#endregion
}
public void ValidateAccountSasCredentialsWithResourceTypes()
{
// Create a SharedKeyCredential that we can use to sign the SAS token
var credential = new TableSharedKeyCredential(TestEnvironment.StorageAccountName, TestEnvironment.PrimaryStorageAccountKey);
// Build a shared access signature with all permissions and access to only Service resource types.
TableAccountSasBuilder sasService = service.GetSasBuilder(TableAccountSasPermissions.All, TableAccountSasResourceTypes.Service, new DateTime(2040, 1, 1, 1, 1, 0, DateTimeKind.Utc));
string tokenService = sasService.Sign(credential);
// Build a shared access signature with all permissions and access to Service and Container resource types.
TableAccountSasBuilder sasServiceContainer = service.GetSasBuilder(TableAccountSasPermissions.All, TableAccountSasResourceTypes.Service | TableAccountSasResourceTypes.Container, new DateTime(2040, 1, 1, 1, 1, 0, DateTimeKind.Utc));
string tokenServiceContainer = sasServiceContainer.Sign(credential);
// Build SAS URIs.
UriBuilder sasUriService = new UriBuilder(ServiceUri)
{
Query = tokenService
};
UriBuilder sasUriServiceContainer = new UriBuilder(ServiceUri)
{
Query = tokenServiceContainer
};
// Create the TableServiceClients using the SAS URIs.
var sasAuthedServiceClientService = InstrumentClient(new TableServiceClient(new Uri(ServiceUri), new AzureSasCredential(tokenService), InstrumentClientOptions(new TableClientOptions())));
var sasAuthedServiceClientServiceContainer = InstrumentClient(new TableServiceClient(new Uri(ServiceUri), new AzureSasCredential(tokenServiceContainer), InstrumentClientOptions(new TableClientOptions())));
// Validate that we are unable to create a table using the SAS URI with access to Service resource types.
var sasTableName = Recording.GenerateAlphaNumericId("testtable", useOnlyLowercase: true);
var ex = Assert.ThrowsAsync <RequestFailedException>(async() => await sasAuthedServiceClientService.CreateTableAsync(sasTableName).ConfigureAwait(false));
Assert.That(ex.Status, Is.EqualTo((int)HttpStatusCode.Forbidden));
Assert.That(ex.ErrorCode, Is.EqualTo(TableErrorCode.AuthorizationResourceTypeMismatch.ToString()));
// Validate that we are able to create a table using the SAS URI with access to Service and Container resource types.
Assert.That(async() => await sasAuthedServiceClientServiceContainer.CreateTableAsync(sasTableName).ConfigureAwait(false), Throws.Nothing);
// Validate that we are able to get table service properties using the SAS URI with access to Service resource types.
Assert.That(async() => await sasAuthedServiceClientService.GetPropertiesAsync().ConfigureAwait(false), Throws.Nothing);
// Validate that we are able to get table service properties using the SAS URI with access to Service and Container resource types.
Assert.That(async() => await sasAuthedServiceClientService.GetPropertiesAsync().ConfigureAwait(false), Throws.Nothing);
// Validate that we are able to delete a table using the SAS URI with access to Service and Container resource types.
Assert.That(async() => await sasAuthedServiceClientServiceContainer.DeleteTableAsync(sasTableName).ConfigureAwait(false), Throws.Nothing);
}
public void SetPermissions(string permissionsString, TableAccountSasPermissions permissions, TableAccountSasResourceTypes resourceTypes)
{
var TableAccountSasBuilder = new TableAccountSasBuilder(permissionsString, resourceTypes, DateTimeOffset.Now);
Assert.That(TableAccountSasBuilder.Permissions, Is.EqualTo(permissionsString));
TableAccountSasBuilder.SetPermissions(permissions);
Assert.That(TableAccountSasBuilder.Permissions, Is.EqualTo(permissionsString));
}
public void GenerateSasUri(TableServiceClient client, TableSharedKeyCredential cred)
{
TableAccountSasPermissions permissions = TableAccountSasPermissions.Add;
TableAccountSasResourceTypes resourceTypes = TableAccountSasResourceTypes.Container;
var expires = DateTime.Now.AddDays(1);
var expectedSas = new TableAccountSasBuilder(permissions, resourceTypes, expires).Sign(cred);
var actualSas = client.GenerateSasUri(permissions, resourceTypes, expires);
Assert.AreEqual("?" + expectedSas, actualSas.Query);
}
public void ValidateAccountSasCredentialsWithPermissionsWithSasDuplicatedInUri()
{
// Create a SharedKeyCredential that we can use to sign the SAS token
var credential = new TableSharedKeyCredential(TestEnvironment.StorageAccountName, TestEnvironment.PrimaryStorageAccountKey);
// Build a shared access signature with only Delete permissions and access to all service resource types.
TableAccountSasBuilder sasDelete = service.GetSasBuilder(TableAccountSasPermissions.Delete, TableAccountSasResourceTypes.All, new DateTime(2040, 1, 1, 1, 1, 0, DateTimeKind.Utc));
string tokenDelete = sasDelete.Sign(credential);
// Build a shared access signature with the Write and Delete permissions and access to all service resource types.
TableAccountSasBuilder sasWriteDelete = service.GetSasBuilder(TableAccountSasPermissions.Write, TableAccountSasResourceTypes.All, new DateTime(2040, 1, 1, 1, 1, 0, DateTimeKind.Utc));
string tokenWriteDelete = sasWriteDelete.Sign(credential);
// Build SAS URIs.
UriBuilder sasUriDelete = new UriBuilder(ServiceUri)
{
Query = tokenDelete
};
UriBuilder sasUriWriteDelete = new UriBuilder(ServiceUri)
{
Query = tokenWriteDelete
};
// Create the TableServiceClients using the SAS URIs.
// Intentionally double add the Sas to the endpoint and the cred to validate de-duping
var sasAuthedServiceDelete = InstrumentClient(new TableServiceClient(sasUriDelete.Uri, new AzureSasCredential(tokenDelete), InstrumentClientOptions(new TableClientOptions())));
var sasAuthedServiceWriteDelete = InstrumentClient(new TableServiceClient(sasUriWriteDelete.Uri, new AzureSasCredential(tokenWriteDelete), InstrumentClientOptions(new TableClientOptions())));
// Validate that we are unable to create a table using the SAS URI with only Delete permissions.
var sasTableName = Recording.GenerateAlphaNumericId("testtable", useOnlyLowercase: true);
var ex = Assert.ThrowsAsync <RequestFailedException>(async() => await sasAuthedServiceDelete.CreateTableAsync(sasTableName).ConfigureAwait(false));
Assert.That(ex.Status, Is.EqualTo((int)HttpStatusCode.Forbidden));
Assert.That(ex.ErrorCode, Is.EqualTo(TableErrorCode.AuthorizationPermissionMismatch.ToString()));
// Validate that we are able to create a table using the SAS URI with Write and Delete permissions.
Assert.That(async() => await sasAuthedServiceWriteDelete.CreateTableAsync(sasTableName).ConfigureAwait(false), Throws.Nothing);
// Validate that we are able to delete a table using the SAS URI with only Delete permissions.
Assert.That(async() => await sasAuthedServiceDelete.DeleteTableAsync(sasTableName).ConfigureAwait(false), Throws.Nothing);
}
public void ParseUri(Uri uri)
{
// Act
var TableAccountSasBuilder = new TableAccountSasBuilder(uri);
// Assert
Assert.AreEqual(TableSasProtocol.Https, TableAccountSasBuilder.Protocol);
Assert.AreEqual(new DateTimeOffset(2015, 4, 30, 2, 23, 26, TimeSpan.Zero), TableAccountSasBuilder.ExpiresOn);
Assert.AreEqual("", TableAccountSasBuilder.Identifier);
Assert.AreEqual(TableSasIPRange.Parse("168.1.5.60-168.1.5.70"), TableAccountSasBuilder.IPRange);
Assert.AreEqual("rw", TableAccountSasBuilder.Permissions);
Assert.AreEqual(TableAccountSasResourceTypes.Service, TableAccountSasBuilder.ResourceTypes);
Assert.AreEqual(TableSasProtocol.Https, TableAccountSasBuilder.Protocol);
Assert.AreEqual(new DateTimeOffset(2015, 4, 29, 22, 18, 26, TimeSpan.Zero), TableAccountSasBuilder.StartsOn);
Assert.AreEqual("2015-04-05", TableAccountSasBuilder.Version);
}
public void ValidateAccountSasCredentialsWithPermissions()
{
// Create a SharedKeyCredential that we can use to sign the SAS token
var credential = new TableSharedKeyCredential(TestEnvironment.StorageAccountName, TestEnvironment.PrimaryStorageAccountKey);
// Build a shared access signature with only Delete permissions and access to all service resource types.
TableAccountSasBuilder sasDelete = service.GetSasBuilder(TableAccountSasPermissions.Delete, TableAccountSasResourceTypes.All, new DateTime(2040, 1, 1, 1, 1, 0, DateTimeKind.Utc));
string tokenDelete = sasDelete.Sign(credential);
// Build a shared access signature with the Write and Delete permissions and access to all service resource types.
TableAccountSasBuilder sasWriteDelete = service.GetSasBuilder(TableAccountSasPermissions.Write, TableAccountSasResourceTypes.All, new DateTime(2040, 1, 1, 1, 1, 0, DateTimeKind.Utc));
string tokenWriteDelete = sasWriteDelete.Sign(credential);
// Build SAS URIs.
UriBuilder sasUriDelete = new UriBuilder(TestEnvironment.StorageUri)
{
Query = tokenDelete
};
UriBuilder sasUriWriteDelete = new UriBuilder(TestEnvironment.StorageUri)
{
Query = tokenWriteDelete
};
// Create the TableServiceClients using the SAS URIs.
var sasAuthedServiceDelete = InstrumentClient(new TableServiceClient(sasUriDelete.Uri, Recording.InstrumentClientOptions(new TableClientOptions())));
var sasAuthedServiceWriteDelete = InstrumentClient(new TableServiceClient(sasUriWriteDelete.Uri, Recording.InstrumentClientOptions(new TableClientOptions())));
// Validate that we are unable to create a table using the SAS URI with only Delete permissions.
var sasTableName = Recording.GenerateAlphaNumericId("testtable", useOnlyLowercase: true);
Assert.That(async() => await sasAuthedServiceDelete.CreateTableAsync(sasTableName).ConfigureAwait(false), Throws.InstanceOf <RequestFailedException>().And.Property("Status").EqualTo((int)HttpStatusCode.Forbidden));
// Validate that we are able to create a table using the SAS URI with Write and Delete permissions.
Assert.That(async() => await sasAuthedServiceWriteDelete.CreateTableAsync(sasTableName).ConfigureAwait(false), Throws.Nothing);
// Validate that we are able to delete a table using the SAS URI with only Delete permissions.
Assert.That(async() => await sasAuthedServiceDelete.DeleteTableAsync(sasTableName).ConfigureAwait(false), Throws.Nothing);
}
