public void TableQueryProjectionEncryptionNoSelect()
{
// Insert Entity
EncryptedBaseEntity ent1 = new EncryptedBaseEntity() { PartitionKey = Guid.NewGuid().ToString(), RowKey = DateTime.Now.Ticks.ToString() };
ent1.Populate();
EncryptedBaseEntity ent2 = new EncryptedBaseEntity() { PartitionKey = Guid.NewGuid().ToString(), RowKey = DateTime.Now.Ticks.ToString() };
ent2.Populate();
// Create the Key to be used for wrapping.
SymmetricKey aesKey = new SymmetricKey("symencryptionkey");
TableRequestOptions options = new TableRequestOptions() { EncryptionPolicy = new TableEncryptionPolicy(aesKey, null) };
currentTable.Execute(TableOperation.Insert(ent1), options, null);
currentTable.Execute(TableOperation.Insert(ent2), options, null);
tableClient.DefaultRequestOptions.PayloadFormat = TablePayloadFormat.Json;
// Create the resolver to be used for unwrapping.
DictionaryKeyResolver resolver = new DictionaryKeyResolver();
resolver.Add(aesKey);
TableEncryptionPolicy encryptionPolicy = new TableEncryptionPolicy(null, resolver);
IEnumerable<EncryptedBaseEntity> entities = null;
CloudTableClient encryptingTableClient = new CloudTableClient(this.tableClient.StorageUri, this.tableClient.Credentials);
encryptingTableClient.DefaultRequestOptions.EncryptionPolicy = encryptionPolicy;
encryptingTableClient.DefaultRequestOptions.RequireEncryption = true;
entities = encryptingTableClient.GetTableReference(currentTable.Name).CreateQuery<EncryptedBaseEntity>().Select(ent => ent);
foreach (EncryptedBaseEntity ent in entities)
{
ent.Validate();
}
}
public void TableQueryPOCOProjectionEncryption()
{
// Insert Entity
EncryptedBaseEntity ent1 = new EncryptedBaseEntity() { PartitionKey = Guid.NewGuid().ToString(), RowKey = DateTime.Now.Ticks.ToString() };
ent1.Populate();
EncryptedBaseEntity ent2 = new EncryptedBaseEntity() { PartitionKey = Guid.NewGuid().ToString(), RowKey = DateTime.Now.Ticks.ToString() };
ent2.Populate();
// Create the Key to be used for wrapping.
SymmetricKey aesKey = new SymmetricKey("symencryptionkey");
TableRequestOptions options = new TableRequestOptions() { EncryptionPolicy = new TableEncryptionPolicy(aesKey, null) };
currentTable.Execute(TableOperation.Insert(ent1), options, null);
currentTable.Execute(TableOperation.Insert(ent2), options, null);
// Query with different payload formats.
DoTableQueryPOCOProjectionEncryption(TablePayloadFormat.Json, aesKey);
DoTableQueryPOCOProjectionEncryption(TablePayloadFormat.JsonNoMetadata, aesKey);
DoTableQueryPOCOProjectionEncryption(TablePayloadFormat.JsonFullMetadata, aesKey);
DoTableQueryPOCOProjectionEncryption(TablePayloadFormat.AtomPub, aesKey);
}
private void DoInsertPOCOEntityEncryptionWithAttributes(TablePayloadFormat format)
{
tableClient.DefaultRequestOptions.PayloadFormat = format;
// Insert Entity
EncryptedBaseEntity ent = new EncryptedBaseEntity() { PartitionKey = Guid.NewGuid().ToString(), RowKey = DateTime.Now.Ticks.ToString() + format};
ent.Populate();
// Create the Key to be used for wrapping.
SymmetricKey aesKey = new SymmetricKey("symencryptionkey");
// Create the resolver to be used for unwrapping.
DictionaryKeyResolver resolver = new DictionaryKeyResolver();
resolver.Add(aesKey);
TableRequestOptions insertOptions = new TableRequestOptions() { EncryptionPolicy = new TableEncryptionPolicy(aesKey, null) };
currentTable.Execute(TableOperation.Insert(ent), insertOptions, null);
// Retrieve Entity
// No need for an encryption resolver while retrieving the entity.
TableRequestOptions retrieveOptions = new TableRequestOptions() { EncryptionPolicy = new TableEncryptionPolicy(null, resolver) };
TableOperation operation = TableOperation.Retrieve<EncryptedBaseEntity>(ent.PartitionKey, ent.RowKey);
Assert.IsFalse(operation.IsTableEntity);
TableResult result = currentTable.Execute(operation, retrieveOptions, null);
EncryptedBaseEntity retrievedEntity = result.Result as EncryptedBaseEntity;
Assert.IsNotNull(retrievedEntity);
Assert.AreEqual(ent.PartitionKey, retrievedEntity.PartitionKey);
Assert.AreEqual(ent.RowKey, retrievedEntity.RowKey);
retrievedEntity.Validate();
}
private void DoInsertPOCOEntityEncryptionWithAttributesAndResolver(TablePayloadFormat format)
{
tableClient.DefaultRequestOptions.PayloadFormat = format;
// Insert Entity
EncryptedBaseEntity ent = new EncryptedBaseEntity() { PartitionKey = Guid.NewGuid().ToString(), RowKey = DateTime.Now.Ticks.ToString() + format };
ent.Populate();
// Create the Key to be used for wrapping.
SymmetricKey aesKey = new SymmetricKey("symencryptionkey");
// Create the resolver to be used for unwrapping.
DictionaryKeyResolver resolver = new DictionaryKeyResolver();
resolver.Add(aesKey);
TableRequestOptions insertOptions = new TableRequestOptions()
{
EncryptionPolicy = new TableEncryptionPolicy(aesKey, null),
EncryptionResolver = (pk, rk, propName) =>
{
if (propName == "B")
{
return true;
}
return false;
}
};
// Since we have specified attributes and resolver, properties A, B and foo will be encrypted.
currentTable.Execute(TableOperation.Insert(ent), insertOptions, null);
// Retrieve entity without decryption and confirm that all 3 properties were encrypted.
// No need for an encryption resolver while retrieving the entity.
TableOperation operation = TableOperation.Retrieve<EncryptedBaseEntity>(ent.PartitionKey, ent.RowKey);
Assert.IsFalse(operation.IsTableEntity);
TableResult result = currentTable.Execute(operation, null, null);
EncryptedBaseEntity retrievedEntity = result.Result as EncryptedBaseEntity;
Assert.IsNotNull(retrievedEntity);
Assert.AreEqual(ent.PartitionKey, retrievedEntity.PartitionKey);
Assert.AreEqual(ent.RowKey, retrievedEntity.RowKey);
// Since we store encrypted properties as byte arrays, if a POCO entity is being read as-is, odata will not assign the binary
// values to strings. In JSON no metadata, the service does not return the types and the client lib does the parsing and reads the
// base64 encoded string as-is.
if (format == TablePayloadFormat.JsonNoMetadata)
{
Assert.IsNotNull(retrievedEntity.foo);
Assert.IsNotNull(retrievedEntity.A);
Assert.IsNotNull(retrievedEntity.B);
Assert.AreEqual(ent.foo.GetType(), retrievedEntity.foo.GetType());
Assert.AreEqual(ent.A.GetType(), retrievedEntity.A.GetType());
Assert.AreEqual(ent.B.GetType(), retrievedEntity.B.GetType());
}
else
{
Assert.IsNull(retrievedEntity.foo);
Assert.IsNull(retrievedEntity.A);
Assert.IsNull(retrievedEntity.B);
}
// Retrieve entity without decryption and confirm that all 3 properties were encrypted.
// No need for an encryption resolver while retrieving the entity.
operation = TableOperation.Retrieve<DynamicTableEntity>(ent.PartitionKey, ent.RowKey);
Assert.IsFalse(operation.IsTableEntity);
result = currentTable.Execute(operation, null, null);
DynamicTableEntity retrievedDynamicEntity = result.Result as DynamicTableEntity;
Assert.IsNotNull(retrievedEntity);
Assert.AreEqual(ent.PartitionKey, retrievedDynamicEntity.PartitionKey);
Assert.AreEqual(ent.RowKey, retrievedDynamicEntity.RowKey);
if (format == TablePayloadFormat.JsonNoMetadata)
{
Assert.AreEqual(EdmType.String, retrievedDynamicEntity.Properties["foo"].PropertyType);
Assert.AreEqual(EdmType.String, retrievedDynamicEntity.Properties["A"].PropertyType);
Assert.AreEqual(EdmType.String, retrievedDynamicEntity.Properties["B"].PropertyType);
}
else
{
Assert.AreEqual(EdmType.Binary, retrievedDynamicEntity.Properties["foo"].PropertyType);
Assert.AreEqual(EdmType.Binary, retrievedDynamicEntity.Properties["A"].PropertyType);
Assert.AreEqual(EdmType.Binary, retrievedDynamicEntity.Properties["B"].PropertyType);
}
// Retrieve entity and decrypt.
TableRequestOptions retrieveOptions = new TableRequestOptions() { EncryptionPolicy = new TableEncryptionPolicy(null, resolver) };
operation = TableOperation.Retrieve<EncryptedBaseEntity>(ent.PartitionKey, ent.RowKey);
Assert.IsFalse(operation.IsTableEntity);
result = currentTable.Execute(operation, retrieveOptions, null);
retrievedEntity = result.Result as EncryptedBaseEntity;
Assert.IsNotNull(retrievedEntity);
Assert.AreEqual(ent.PartitionKey, retrievedEntity.PartitionKey);
Assert.AreEqual(ent.RowKey, retrievedEntity.RowKey);
retrievedEntity.Validate();
}
public void TableQueryEncryptionMixedMode()
{
// Insert Entity
EncryptedBaseEntity ent1 = new EncryptedBaseEntity() { PartitionKey = Guid.NewGuid().ToString(), RowKey = DateTime.Now.Ticks.ToString() };
ent1.Populate();
EncryptedBaseEntity ent2 = new EncryptedBaseEntity() { PartitionKey = Guid.NewGuid().ToString(), RowKey = DateTime.Now.Ticks.ToString() };
ent2.Populate();
// Create the Key to be used for wrapping.
SymmetricKey aesKey = new SymmetricKey("symencryptionkey");
TableRequestOptions options = new TableRequestOptions() { EncryptionPolicy = new TableEncryptionPolicy(aesKey, null) };
// Insert an encrypted entity.
currentTable.Execute(TableOperation.Insert(ent1), options, null);
// Insert a non-encrypted entity.
currentTable.Execute(TableOperation.Insert(ent2), null, null);
// Create the resolver to be used for unwrapping.
DictionaryKeyResolver resolver = new DictionaryKeyResolver();
resolver.Add(aesKey);
options = new TableRequestOptions() { EncryptionPolicy = new TableEncryptionPolicy(null, resolver) };
// Set RequireEncryption to false and query. This will succeed.
options.RequireEncryption = false;
TableQuery<EncryptedBaseEntity> query = new TableQuery<EncryptedBaseEntity>();
currentTable.ExecuteQuery(query, options).ToList();
// Set RequireEncryption to true and query. This will fail because it can't find the metadata for the second enctity on the server.
options.RequireEncryption = true;
TestHelper.ExpectedException<StorageException>(
() => currentTable.ExecuteQuery(query, options).ToList(),
"All entities retrieved should be encrypted when RequireEncryption is set to true.");
}
