public async Task AccountSASSignedIPs() { OperationContext opContext = new OperationContext(); HostName invalidIP = new HostName("255.255.255.255"); SharedAccessAccountPolicy policy = GetPolicyWithFullPermissions(); policy.IPAddressOrRange = new IPAddressOrRange(invalidIP.ToString()); await TestHelper.ExpectedExceptionAsync((async() => await RunBlobTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure"); await TestHelper.ExpectedExceptionAsync((async() => await RunQueueTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure"); await TestHelper.ExpectedExceptionAsync((async() => await RunFileTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure"); policy.IPAddressOrRange = null; await RunBlobTest(policy, null); await RunQueueTest(policy, null); await RunFileTest(policy, null); policy.IPAddressOrRange = new IPAddressOrRange(new HostName("255.255.255.0").ToString(), invalidIP.ToString()); await TestHelper.ExpectedExceptionAsync((async() => await RunBlobTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure"); await TestHelper.ExpectedExceptionAsync((async() => await RunQueueTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure"); await TestHelper.ExpectedExceptionAsync((async() => await RunFileTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure"); }
public async Task AccountSASSignedProtocols() { int blobHttpsPort = 443; int tableHttpsPort = 443; int queueHttpsPort = 443; int fileHttpsPort = 443; if (!string.IsNullOrEmpty(TestBase.TargetTenantConfig.BlobSecurePortOverride)) { blobHttpsPort = Int32.Parse(TestBase.TargetTenantConfig.BlobSecurePortOverride); } if (!string.IsNullOrEmpty(TestBase.TargetTenantConfig.TableSecurePortOverride)) { tableHttpsPort = Int32.Parse(TestBase.TargetTenantConfig.TableSecurePortOverride); } if (!string.IsNullOrEmpty(TestBase.TargetTenantConfig.QueueSecurePortOverride)) { queueHttpsPort = Int32.Parse(TestBase.TargetTenantConfig.QueueSecurePortOverride); } if (!string.IsNullOrEmpty(TestBase.TargetTenantConfig.FileSecurePortOverride)) { fileHttpsPort = Int32.Parse(TestBase.TargetTenantConfig.FileSecurePortOverride); } OperationContext opContext = new OperationContext(); for (int i = 0; i < 3; i++) { SharedAccessAccountPolicy policy = this.GetPolicyWithFullPermissions(); policy.Protocols = i == 0 ? (SharedAccessProtocol?)null : (SharedAccessProtocol)i; bool expectException = !(!policy.Protocols.HasValue || (policy.Protocols == SharedAccessProtocol.HttpsOrHttp)); if (expectException) { await TestHelper.ExpectedExceptionAsync((async() => await RunBlobTest(policy, null, opContext)), opContext, "Operation should have failed without using Https.", HttpStatusCode.Unused, null); await TestHelper.ExpectedExceptionAsync((async() => await RunQueueTest(policy, null, opContext)), opContext, "Operation should have failed without using Https.", HttpStatusCode.Unused, null); await TestHelper.ExpectedExceptionAsync((async() => await RunFileTest(policy, null, opContext)), opContext, "Operation should have failed without using Https.", HttpStatusCode.Unused, null); } else { await RunBlobTest(policy, null); await RunQueueTest(policy, null); await RunFileTest(policy, null); } await RunBlobTest(policy, blobHttpsPort); await RunQueueTest(policy, queueHttpsPort); await RunFileTest(policy, fileHttpsPort); } }
private SharedAccessAccountPolicy GetPolicyWithFullPermissions() { SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy(); policy.SharedAccessStartTime = DateTime.Now - TimeSpan.FromMinutes(5); policy.SharedAccessExpiryTime = DateTime.Now + TimeSpan.FromMinutes(30); policy.Permissions = (SharedAccessAccountPermissions)(0x100 - 0x1); policy.Services = (SharedAccessAccountServices)(0x10 - 0x1); policy.ResourceTypes = (SharedAccessAccountResourceTypes)(0x8 - 0x1); policy.Protocols = SharedAccessProtocol.HttpsOrHttp; policy.IPAddressOrRange = null; return(policy); }
public async Task RunFileTest(SharedAccessAccountPolicy policy, int?httpsPort, OperationContext opContext = null) { CloudFileClient fileClient = GenerateCloudFileClient(); string shareName = "s" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(fileClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); StorageUri storageUri = fileClient.StorageUri; if (httpsPort != null) { storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value)); } else { storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "http", 80), TransformSchemeAndPort(storageUri.SecondaryUri, "http", 80)); } CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, null, null, null, storageUri); CloudFileClient fileClientWithSAS = accountWithSAS.CreateCloudFileClient(); CloudFileShare shareWithSAS = fileClientWithSAS.GetShareReference(shareName); CloudFileShare share = fileClient.GetShareReference(shareName); await share.CreateAsync(); string fileName = "file"; CloudFile file = share.GetRootDirectoryReference().GetFileReference(fileName); CloudFile fileWithSAS = shareWithSAS.GetRootDirectoryReference().GetFileReference(fileName); byte[] content = new byte[] { 0x1, 0x2, 0x3, 0x4 }; await file.CreateAsync(content.Length); using (MemoryStream stream = new MemoryStream(content)) { await file.WriteRangeAsync(stream, 0, null); } byte[] result = new byte[content.Length]; await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length, null, null, opContext); for (int i = 0; i < content.Length; i++) { Assert.AreEqual(content[i], result[i]); } } finally { fileClient.GetShareReference(shareName).DeleteIfExistsAsync().Wait(); } }
public void AccountSASResourceTypes() { Task[] tasks = new Task[8 * 3]; for (int i = 0; i < 0x8; i++) { SharedAccessAccountResourceTypes resourceTypes = (SharedAccessAccountResourceTypes)i; SharedAccessAccountPolicy policy = GetPolicyWithFullPermissions(); policy.ResourceTypes = resourceTypes; tasks[i] = this.RunPermissionsTestBlobs(policy); tasks[16 + i] = this.RunPermissionsTestQueues(policy); tasks[24 + i] = this.RunPermissionsTestFiles(policy); } Task.WaitAll(tasks); }
public async Task AccountSASStartExpiryTimes() { int?[] startOffsets = new int?[] { null, -5, 5 }; int[] endOffsets = new int[] { -5, 5 }; foreach (int?startOffset in startOffsets) { foreach (int endOffset in endOffsets) { OperationContext opContext = new OperationContext(); SharedAccessAccountPolicy policy = this.GetPolicyWithFullPermissions(); if (startOffset.HasValue) { policy.SharedAccessStartTime = DateTime.Now + TimeSpan.FromMinutes(startOffset.Value); } else { policy.SharedAccessStartTime = null; } policy.SharedAccessExpiryTime = DateTime.Now + TimeSpan.FromMinutes(endOffset); bool expectException; if (!policy.SharedAccessStartTime.HasValue) { expectException = (policy.SharedAccessExpiryTime < DateTime.Now); } else { expectException = ((policy.SharedAccessStartTime.Value > DateTime.Now) || (policy.SharedAccessExpiryTime < DateTime.Now)); } if (expectException) { await TestHelper.ExpectedExceptionAsync((async() => await RunBlobTest(policy, null, opContext)), opContext, "Operation should have failed with invalid start/expiry times.", HttpStatusCode.Forbidden, "AuthenticationFailed"); await TestHelper.ExpectedExceptionAsync((async() => await RunQueueTest(policy, null, opContext)), opContext, "Operation should have failed with invalid start/expiry times.", HttpStatusCode.Forbidden, "AuthenticationFailed"); await TestHelper.ExpectedExceptionAsync((async() => await RunFileTest(policy, null, opContext)), opContext, "Operation should have failed with invalid start/expiry times.", HttpStatusCode.Forbidden, "AuthenticationFailed"); } else { await RunBlobTest(policy, null); await RunQueueTest(policy, null); await RunFileTest(policy, null); } } } }
public void AccountSASPermissions() { // Single-threaded, takes 10 minutes to run // Parallelized, 1 minute. for (int i = 0; i < 0x100; i++) { Task[] tasks = new Task[3]; //each permission (0x100) times four services. SharedAccessAccountPermissions permissions = (SharedAccessAccountPermissions)i; SharedAccessAccountPolicy policy = GetPolicyWithFullPermissions(); policy.Permissions = permissions; tasks[0] = this.RunPermissionsTestBlobs(policy); tasks[2] = this.RunPermissionsTestQueues(policy); tasks[3] = this.RunPermissionsTestFiles(policy); Task.WaitAll(tasks); } }
public async Task RunBlobTest(SharedAccessAccountPolicy policy, int?httpsPort, OperationContext opContext = null) { CloudBlobClient blobClient = GenerateCloudBlobClient(); string containerName = "c" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(blobClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); StorageUri storageUri = blobClient.StorageUri; if (httpsPort != null) { storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value)); } else { storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "http", 80), TransformSchemeAndPort(storageUri.SecondaryUri, "http", 80)); } CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, storageUri, null, null, null); CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient(); CloudBlobContainer containerWithSAS = blobClientWithSAS.GetContainerReference(containerName); CloudBlobContainer container = blobClient.GetContainerReference(containerName); await container.CreateAsync(); string blobName = "blob"; CloudBlockBlob blob = container.GetBlockBlobReference(blobName); string blobText = "blobText"; await blob.UploadTextAsync(blobText); CloudBlockBlob blobWithSAS = containerWithSAS.GetBlockBlobReference(blobName); Assert.AreEqual(blobText, await blobWithSAS.DownloadTextAsync(null, null, opContext)); } finally { blobClient.GetContainerReference(containerName).DeleteIfExistsAsync().Wait(); } }
public async Task AccountSASServices() { for (int i = 1; i < 0x10; i++) { OperationContext opContext = new OperationContext(); SharedAccessAccountPolicy policy = this.GetPolicyWithFullPermissions(); policy.Services = (SharedAccessAccountServices)i; bool expectBlobException = !((policy.Services & SharedAccessAccountServices.Blob) == SharedAccessAccountServices.Blob); bool expectQueueException = !((policy.Services & SharedAccessAccountServices.Queue) == SharedAccessAccountServices.Queue); bool expectTableException = !((policy.Services & SharedAccessAccountServices.Table) == SharedAccessAccountServices.Table); bool expectFileException = !((policy.Services & SharedAccessAccountServices.File) == SharedAccessAccountServices.File); if (expectBlobException) { await TestHelper.ExpectedExceptionAsync((async() => await RunBlobTest(policy, null, opContext)), opContext, "Operation should have failed without Blob access.", HttpStatusCode.Forbidden, "AuthorizationServiceMismatch"); } else { await RunBlobTest(policy, null); } if (expectQueueException) { await TestHelper.ExpectedExceptionAsync((async() => await RunQueueTest(policy, null, opContext)), opContext, "Operation should have failed without Queue access.", HttpStatusCode.Forbidden, "AuthorizationServiceMismatch"); } else { await RunQueueTest(policy, null); } if (expectFileException) { await TestHelper.ExpectedExceptionAsync((async() => await RunFileTest(policy, null, opContext)), opContext, "Operation should have failed without File access.", HttpStatusCode.Forbidden, "AuthorizationServiceMismatch"); } else { await RunFileTest(policy, null); } } }
public async Task RunQueueTest(SharedAccessAccountPolicy policy, int?httpsPort, OperationContext opContext = null) { CloudQueueClient queueClient = GenerateCloudQueueClient(); string queueName = "q" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(queueClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); StorageUri storageUri = queueClient.StorageUri; if (httpsPort != null) { storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value)); } else { storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "http", 80), TransformSchemeAndPort(storageUri.SecondaryUri, "http", 80)); } CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, null, storageUri, null, null); CloudQueueClient queueClientWithSAS = accountWithSAS.CreateCloudQueueClient(); CloudQueue queueWithSAS = queueClientWithSAS.GetQueueReference(queueName); CloudQueue queue = queueClient.GetQueueReference(queueName); await queue.CreateAsync(); string messageText = "message text"; CloudQueueMessage message = new CloudQueueMessage(messageText); await queue.AddMessageAsync(message); Assert.AreEqual(messageText, (await queueWithSAS.GetMessageAsync(null, null, opContext)).AsString); } finally { queueClient.GetQueueReference(queueName).DeleteIfExistsAsync().Wait(); } }
private SharedAccessAccountPolicy GetPolicyWithFullPermissions() { SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy(); policy.SharedAccessStartTime = DateTime.Now - TimeSpan.FromMinutes(5); policy.SharedAccessExpiryTime = DateTime.Now + TimeSpan.FromMinutes(30); policy.Permissions = (SharedAccessAccountPermissions)(0x100 - 0x1); policy.Services = (SharedAccessAccountServices)(0x10 - 0x1); policy.ResourceTypes = (SharedAccessAccountResourceTypes)(0x8 - 0x1); policy.Protocols = SharedAccessProtocol.HttpsOrHttp; policy.IPAddressOrRange = null; return policy; }
public async Task RunFileTest(SharedAccessAccountPolicy policy, int? httpsPort, OperationContext opContext = null) { CloudFileClient fileClient = GenerateCloudFileClient(); string shareName = "s" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(fileClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); StorageUri storageUri = fileClient.StorageUri; if (httpsPort != null) { storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value)); } CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, null, null, storageUri); CloudFileClient fileClientWithSAS = accountWithSAS.CreateCloudFileClient(); CloudFileShare shareWithSAS = fileClientWithSAS.GetShareReference(shareName); CloudFileShare share = fileClient.GetShareReference(shareName); await share.CreateAsync(); string fileName = "file"; CloudFile file = share.GetRootDirectoryReference().GetFileReference(fileName); CloudFile fileWithSAS = shareWithSAS.GetRootDirectoryReference().GetFileReference(fileName); byte[] content = new byte[] { 0x1, 0x2, 0x3, 0x4 }; await file.CreateAsync(content.Length); using (MemoryStream stream = new MemoryStream(content)) { await file.WriteRangeAsync(stream, 0, null); } byte[] result = new byte[content.Length]; await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length, null, null, opContext); for (int i = 0; i < content.Length; i++) { Assert.AreEqual(content[i], result[i]); } } finally { fileClient.GetShareReference(shareName).DeleteIfExistsAsync().Wait(); } }
public async Task RunQueueTest(SharedAccessAccountPolicy policy, int? httpsPort, OperationContext opContext = null) { CloudQueueClient queueClient = GenerateCloudQueueClient(); string queueName = "q" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(queueClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); StorageUri storageUri = queueClient.StorageUri; if (httpsPort != null) { storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value)); } CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, storageUri, null, null); CloudQueueClient queueClientWithSAS = accountWithSAS.CreateCloudQueueClient(); CloudQueue queueWithSAS = queueClientWithSAS.GetQueueReference(queueName); CloudQueue queue = queueClient.GetQueueReference(queueName); await queue.CreateAsync(); string messageText = "message text"; CloudQueueMessage message = new CloudQueueMessage(messageText); await queue.AddMessageAsync(message); Assert.AreEqual(messageText, (await queueWithSAS.GetMessageAsync(null, null, opContext)).AsString); } finally { queueClient.GetQueueReference(queueName).DeleteIfExistsAsync().Wait(); } }
public override void ExecuteCmdlet() { var sharedAccessPolicy = new SharedAccessAccountPolicy() { Permissions = SetupAccessPolicyPermission(this.Permission), Services = Service, ResourceTypes = ResourceType, Protocols = Protocol, IPAddressOrRange = Util.SetupIPAddressOrRangeForSAS(this.IPAddressOrRange) }; DateTimeOffset? accessStartTime; DateTimeOffset? accessEndTime; SasTokenHelper.SetupAccessPolicyLifeTime(StartTime, ExpiryTime, out accessStartTime, out accessEndTime, true); sharedAccessPolicy.SharedAccessStartTime = accessStartTime; sharedAccessPolicy.SharedAccessExpiryTime = accessEndTime; this.WriteObject(Channel.GetStorageAccountSASToken(sharedAccessPolicy)); }
static public string CreateAzureSASToken(string connection, int hours = 5) { // Create Azure Account with Connection String CloudStorageAccount account = CloudStorageAccount.Parse(connection); // Create a new access policy for the account. SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy() { Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.List, Services = SharedAccessAccountServices.Blob, ResourceTypes = SharedAccessAccountResourceTypes.Object, SharedAccessExpiryTime = DateTime.UtcNow.AddHours(5), Protocols = SharedAccessProtocol.HttpsOrHttp }; // Return the SAS token. return account.GetSharedAccessSignature(policy); }
/// <summary> /// Get the SAS token for an account. /// </summary> /// <param name="sharedAccessAccountPolicy">Shared access policy to generate the SAS token.</param> /// <returns>Account SAS token.</returns> public string GetStorageAccountSASToken(XSCL.SharedAccessAccountPolicy sharedAccessAccountPolicy) { return(StorageContext.StorageAccount.GetSharedAccessSignature(sharedAccessAccountPolicy)); }
/// <summary> /// Creates an Account SAS Token /// </summary> /// <returns>A SAS token.</returns> private static string GetAccountSASToken() { // Retrieve storage account information from connection string CloudStorageAccount storageAccount = Common.CreateStorageAccountFromConnectionString(); // Create a new access policy for the account with the following properties: // Permissions: Read, Write, List, Create, Delete // ResourceType: Container // Expires in 24 hours // Protocols: HTTPS or HTTP (note that the storage emulator does not support HTTPS) SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy() { // When the start time for the SAS is omitted, the start time is assumed to be the time when the storage service receives the request. // Omitting the start time for a SAS that is effective immediately helps to avoid clock skew. Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write | SharedAccessAccountPermissions.List | SharedAccessAccountPermissions.Create | SharedAccessAccountPermissions.Delete, Services = SharedAccessAccountServices.Blob, ResourceTypes = SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object, SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24), Protocols = SharedAccessProtocol.HttpsOrHttp }; // Create new storage credentials using the SAS token. string sasToken = storageAccount.GetSharedAccessSignature(policy); // Return the SASToken return sasToken; }
internal static string GetHash( SharedAccessAccountPolicy policy, string accountName, string sasVersion, byte[] keyValue) { string stringToSign = string.Format( CultureInfo.InvariantCulture, "{0}\n{1}\n{2}\n{3}\n{4}\n{5}\n{6}\n{7}\n{8}\n{9}", accountName, SharedAccessAccountPolicy.PermissionsToString(policy.Permissions), SharedAccessAccountPolicy.ServicesToString(policy.Services), SharedAccessAccountPolicy.ResourceTypesToString(policy.ResourceTypes), GetDateTimeOrEmpty(policy.SharedAccessStartTime), GetDateTimeOrEmpty(policy.SharedAccessExpiryTime), policy.IPAddressOrRange == null ? string.Empty : policy.IPAddressOrRange.ToString(), GetProtocolString(policy.Protocols), sasVersion, string.Empty); Logger.LogVerbose(null /* operationContext */, SR.TraceStringToSign, stringToSign); return CryptoUtility.ComputeHmac256(keyValue, stringToSign); }
public async Task RunPermissionsTestBlobs(SharedAccessAccountPolicy policy) { CloudBlobClient blobClient = GenerateCloudBlobClient(); string containerName = "c" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(blobClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, blobClient.StorageUri, null, null, null); CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient(); CloudBlobContainer containerWithSAS = blobClientWithSAS.GetContainerReference(containerName); CloudBlobContainer container = blobClient.GetContainerReference(containerName); // General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared // Otherwise, make sure SAS fails and then do the thing with shared key. // Things to do: // Create the container (Create / Write perms, Container RT) // List containers with prefix (List perms, Service RT) // Create an append blob (Create / Write perms, Object RT) // Append a block to append blob (Add / Write perms, Object RT) // Read the data from the append blob (Read perms, Object RT) // Delete the blob (Delete perms, Object RT) if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container)) { await containerWithSAS.CreateAsync(); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await containerWithSAS.CreateAsync(), "Create a container should fail with SAS without Create or Write and Container-level permissions."); await container.CreateAsync(); } Assert.IsTrue(await container.ExistsAsync()); if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service)) { ContainerResultSegment segment = null; BlobContinuationToken ct = null; IEnumerable <CloudBlobContainer> results = null; do { segment = await blobClientWithSAS.ListContainersSegmentedAsync(container.Name, ct); ct = segment.ContinuationToken; results = segment.Results; }while(ct != null && !results.Any()); Assert.AreEqual(container.Name, segment.Results.First().Name); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => { ContainerResultSegment segment = await blobClientWithSAS.ListContainersSegmentedAsync(container.Name, null); segment.Results.First(); }, "List containers should fail with SAS without List and Service-level permissions."); } string blobName = "blob"; CloudAppendBlob appendBlob = container.GetAppendBlobReference(blobName); CloudAppendBlob appendBlobWithSAS = containerWithSAS.GetAppendBlobReference(blobName); //Try creating credentials using SAS Uri directly CloudAppendBlob appendBlobWithSASUri = new CloudAppendBlob(new Uri(container.Uri + accountSASToken)); if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await appendBlobWithSAS.CreateOrReplaceAsync(); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await appendBlobWithSAS.CreateOrReplaceAsync(), "Creating an append blob should fail with SAS without Create or Write and Object-level perms."); await appendBlob.CreateOrReplaceAsync(); } Assert.IsTrue(await appendBlob.ExistsAsync()); string blobText = "blobText"; if ((((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { using (MemoryStream stream = new MemoryStream(Encoding.UTF8.GetBytes(blobText))) { await appendBlobWithSAS.AppendBlockAsync(stream); } } else { using (MemoryStream memStream = new MemoryStream(Encoding.UTF8.GetBytes(blobText))) { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await appendBlobWithSAS.AppendBlockAsync(memStream), "Append a block to an append blob should fail with SAS without Add or Write and Object-level perms."); memStream.Seek(0, SeekOrigin.Begin); await appendBlob.AppendBlockAsync(memStream); } } Assert.AreEqual(blobText, await appendBlob.DownloadTextAsync()); if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { Assert.AreEqual(blobText, await appendBlobWithSAS.DownloadTextAsync()); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await appendBlobWithSAS.DownloadTextAsync(), "Reading a blob's contents with SAS without Read and Object-level permissions should fail."); } if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await appendBlobWithSAS.DeleteAsync(); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await appendBlobWithSAS.DeleteAsync(), "Deleting a blob with SAS without Delete and Object-level perms should fail."); await appendBlob.DeleteAsync(); } Assert.IsFalse(await appendBlob.ExistsAsync()); } finally { blobClient.GetContainerReference(containerName).DeleteIfExistsAsync().Wait(); } }
/// <summary> /// Creates an Account SAS Token /// </summary> /// <param name="storageAccount">The storage account object</param> /// <returns>sasToken</returns> private static string GetAccountSASToken() { // Retrieve storage account information from connection string // How to create a storage connection string - http://msdn.microsoft.com/en-us/library/azure/ee758697.aspx CloudStorageAccount storageAccount = CreateStorageAccountFromConnectionString(CloudConfigurationManager.GetSetting("StorageConnectionString")); // Create a new access policy for the account with the following properties: // Permissions: Read, Write, List, Create, Delete // ResourceType: Container // Expires in 24 hours // Protocols: Https or Http (As Emulator does not yet support Https) SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy() { Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write | SharedAccessAccountPermissions.List | SharedAccessAccountPermissions.Create | SharedAccessAccountPermissions.Delete, Services = SharedAccessAccountServices.Blob, ResourceTypes = SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object, SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24), Protocols = SharedAccessProtocol.HttpsOrHttp }; // Create new storage credentials using the SAS token. string sasToken = storageAccount.GetSharedAccessSignature(policy); // Return the SASToken return sasToken; }
public async Task RunBlobTest(SharedAccessAccountPolicy policy, int? httpsPort, OperationContext opContext = null) { CloudBlobClient blobClient = GenerateCloudBlobClient(); string containerName = "c" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(blobClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); StorageUri storageUri = blobClient.StorageUri; if (httpsPort != null) { storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value)); } CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, storageUri, null, null, null); CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient(); CloudBlobContainer containerWithSAS = blobClientWithSAS.GetContainerReference(containerName); CloudBlobContainer container = blobClient.GetContainerReference(containerName); await container.CreateAsync(); string blobName = "blob"; CloudBlockBlob blob = container.GetBlockBlobReference(blobName); string blobText = "blobText"; await blob.UploadTextAsync(blobText); CloudBlockBlob blobWithSAS = containerWithSAS.GetBlockBlobReference(blobName); Assert.AreEqual(blobText, await blobWithSAS.DownloadTextAsync(null, null, opContext)); } finally { blobClient.GetContainerReference(containerName).DeleteIfExistsAsync().Wait(); } }
public async Task RunPermissionsTestQueues(SharedAccessAccountPolicy policy) { CloudQueueClient queueClient = GenerateCloudQueueClient(); string queueName = "q" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(queueClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, queueClient.StorageUri, null, null); CloudQueueClient queueClientWithSAS = accountWithSAS.CreateCloudQueueClient(); CloudQueue queueWithSAS = queueClientWithSAS.GetQueueReference(queueName); CloudQueue queue = queueClient.GetQueueReference(queueName); // General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared // Otherwise, make sure SAS fails and then do the thing with shared key. // Things to do: // Create the queue (Create or Write perms, Container RT) // List queues (List perms, Service RT) // Set queue metadata (Write perms, Container RT) // Insert a message (Add perms, Object RT) // Peek a message (Read perms, Object RT) // Get a message (Process perms, Object RT) // Update a message (Update perms, Object RT) // Clear all messages (Delete perms, Object RT) if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container)) { await queueWithSAS.CreateAsync(); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.CreateAsync(), "Creating a queue with SAS should fail without Add and Container-level permissions."); await queue.CreateAsync(); } Assert.IsTrue(await queue.ExistsAsync()); if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service)) { Assert.AreEqual(queueName, (await queueClientWithSAS.ListQueuesSegmentedAsync(queueName, null)).Results.First().Name); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => (await queueClientWithSAS.ListQueuesSegmentedAsync(queueName, null)).Results.First(), "Listing queues with SAS should fail without Read and Service-level permissions."); } queueWithSAS.Metadata["metadatakey"] = "metadatavalue"; if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container)) { await queueWithSAS.SetMetadataAsync(); await queue.FetchAttributesAsync(); Assert.AreEqual("metadatavalue", queue.Metadata["metadatakey"]); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.SetMetadataAsync(), "Setting a queue's metadata with SAS should fail without Write and Container-level permissions."); } string messageText = "messageText"; CloudQueueMessage message = new CloudQueueMessage(messageText); if (((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await queueWithSAS.AddMessageAsync(message); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.AddMessageAsync(message), "Adding a queue message should fail with SAS without Add and Object-level permissions."); await queue.AddMessageAsync(message); } Assert.AreEqual(messageText, ((await queue.PeekMessageAsync()).AsString)); if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { Assert.AreEqual(messageText, (await queueWithSAS.PeekMessageAsync()).AsString); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.PeekMessageAsync(), "Peeking a queue message should fail with SAS without Read and Object-level permissions."); } CloudQueueMessage messageResult = null; if (((policy.Permissions & SharedAccessAccountPermissions.ProcessMessages) == SharedAccessAccountPermissions.ProcessMessages) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { messageResult = await queueWithSAS.GetMessageAsync(); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.GetMessageAsync(), "Getting a message should fail with SAS without Process and Object-level permissions."); messageResult = await queue.GetMessageAsync(); } Assert.AreEqual(messageText, messageResult.AsString); string newMessageContent = "new content"; messageResult.SetMessageContent(newMessageContent); if (((policy.Permissions & SharedAccessAccountPermissions.Update) == SharedAccessAccountPermissions.Update) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await queueWithSAS.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility), "Updating a message should fail with SAS without Update and Object-level permissions."); await queue.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility); } messageResult = await queue.PeekMessageAsync(); Assert.AreEqual(newMessageContent, messageResult.AsString); if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await queueWithSAS.ClearAsync(); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.ClearAsync(), "Clearing messages should fail with SAS without delete and Object-level permissions."); } } finally { queueClient.GetQueueReference(queueName).DeleteIfExistsAsync().Wait(); } }
public async Task RunPermissionsTestBlobs(SharedAccessAccountPolicy policy) { CloudBlobClient blobClient = GenerateCloudBlobClient(); string containerName = "c" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(blobClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, blobClient.StorageUri, null, null, null); CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient(); CloudBlobContainer containerWithSAS = blobClientWithSAS.GetContainerReference(containerName); CloudBlobContainer container = blobClient.GetContainerReference(containerName); // General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared // Otherwise, make sure SAS fails and then do the thing with shared key. // Things to do: // Create the container (Create / Write perms, Container RT) // List containers with prefix (List perms, Service RT) // Create an append blob (Create / Write perms, Object RT) // Append a block to append blob (Add / Write perms, Object RT) // Read the data from the append blob (Read perms, Object RT) // Delete the blob (Delete perms, Object RT) if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container)) { await containerWithSAS.CreateAsync(); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await containerWithSAS.CreateAsync(), "Create a container should fail with SAS without Create or Write and Container-level permissions."); await container.CreateAsync(); } Assert.IsTrue(await container.ExistsAsync()); if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service)) { ContainerResultSegment segment = await blobClientWithSAS.ListContainersSegmentedAsync(container.Name, null); Assert.AreEqual(container.Name, segment.Results.First().Name); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => { ContainerResultSegment segment = await blobClientWithSAS.ListContainersSegmentedAsync(container.Name, null); segment.Results.First(); }, "List containers should fail with SAS without List and Service-level permissions."); } string blobName = "blob"; CloudAppendBlob appendBlob = container.GetAppendBlobReference(blobName); CloudAppendBlob appendBlobWithSAS = containerWithSAS.GetAppendBlobReference(blobName); if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await appendBlobWithSAS.CreateOrReplaceAsync(); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await appendBlobWithSAS.CreateOrReplaceAsync(), "Creating an append blob should fail with SAS without Create or Write and Object-level perms."); await appendBlob.CreateOrReplaceAsync(); } Assert.IsTrue(await appendBlob.ExistsAsync()); string blobText = "blobText"; if ((((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { using (MemoryStream stream = new MemoryStream(Encoding.UTF8.GetBytes(blobText))) { await appendBlobWithSAS.AppendBlockAsync(stream); } } else { using (MemoryStream memStream = new MemoryStream(Encoding.UTF8.GetBytes(blobText))) { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await appendBlobWithSAS.AppendBlockAsync(memStream), "Append a block to an append blob should fail with SAS without Add or Write and Object-level perms."); memStream.Seek(0, SeekOrigin.Begin); await appendBlob.AppendBlockAsync(memStream); } } Assert.AreEqual(blobText, await appendBlob.DownloadTextAsync()); if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { Assert.AreEqual(blobText, await appendBlobWithSAS.DownloadTextAsync()); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await appendBlobWithSAS.DownloadTextAsync(), "Reading a blob's contents with SAS without Read and Object-level permissions should fail."); } if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await appendBlobWithSAS.DeleteAsync(); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await appendBlobWithSAS.DeleteAsync(), "Deleting a blob with SAS without Delete and Object-level perms should fail."); await appendBlob.DeleteAsync(); } Assert.IsFalse(await appendBlob.ExistsAsync()); } finally { blobClient.GetContainerReference(containerName).DeleteIfExistsAsync().Wait(); } }
public async Task RunPermissionsTestQueues(SharedAccessAccountPolicy policy) { CloudQueueClient queueClient = GenerateCloudQueueClient(); string queueName = "q" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(queueClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, null, queueClient.StorageUri, null, null); CloudQueueClient queueClientWithSAS = accountWithSAS.CreateCloudQueueClient(); CloudQueue queueWithSAS = queueClientWithSAS.GetQueueReference(queueName); CloudQueue queue = queueClient.GetQueueReference(queueName); // General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared // Otherwise, make sure SAS fails and then do the thing with shared key. // Things to do: // Create the queue (Create or Write perms, Container RT) // List queues (List perms, Service RT) // Set queue metadata (Write perms, Container RT) // Insert a message (Add perms, Object RT) // Peek a message (Read perms, Object RT) // Get a message (Process perms, Object RT) // Update a message (Update perms, Object RT) // Clear all messages (Delete perms, Object RT) if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container)) { await queueWithSAS.CreateAsync(); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.CreateAsync(), "Creating a queue with SAS should fail without Add and Container-level permissions."); await queue.CreateAsync(); } Assert.IsTrue(await queue.ExistsAsync()); if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service)) { Assert.AreEqual(queueName, (await queueClientWithSAS.ListQueuesSegmentedAsync(queueName, null)).Results.First().Name); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => (await queueClientWithSAS.ListQueuesSegmentedAsync(queueName, null)).Results.First(), "Listing queues with SAS should fail without Read and Service-level permissions."); } queueWithSAS.Metadata["metadatakey"] = "metadatavalue"; if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container)) { await queueWithSAS.SetMetadataAsync(); await queue.FetchAttributesAsync(); Assert.AreEqual("metadatavalue", queue.Metadata["metadatakey"]); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.SetMetadataAsync(), "Setting a queue's metadata with SAS should fail without Write and Container-level permissions."); } string messageText = "messageText"; CloudQueueMessage message = new CloudQueueMessage(messageText); if (((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await queueWithSAS.AddMessageAsync(message); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.AddMessageAsync(message), "Adding a queue message should fail with SAS without Add and Object-level permissions."); await queue.AddMessageAsync(message); } Assert.AreEqual(messageText, ((await queue.PeekMessageAsync()).AsString)); if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { Assert.AreEqual(messageText, (await queueWithSAS.PeekMessageAsync()).AsString); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.PeekMessageAsync(), "Peeking a queue message should fail with SAS without Read and Object-level permissions."); } CloudQueueMessage messageResult = null; if (((policy.Permissions & SharedAccessAccountPermissions.ProcessMessages) == SharedAccessAccountPermissions.ProcessMessages) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { messageResult = await queueWithSAS.GetMessageAsync(); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.GetMessageAsync(), "Getting a message should fail with SAS without Process and Object-level permissions."); messageResult = await queue.GetMessageAsync(); } Assert.AreEqual(messageText, messageResult.AsString); string newMessageContent = "new content"; messageResult.SetMessageContent(newMessageContent); if (((policy.Permissions & SharedAccessAccountPermissions.Update) == SharedAccessAccountPermissions.Update) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await queueWithSAS.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility), "Updating a message should fail with SAS without Update and Object-level permissions."); await queue.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility); } messageResult = await queue.PeekMessageAsync(); Assert.AreEqual(newMessageContent, messageResult.AsString); if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await queueWithSAS.ClearAsync(); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.ClearAsync(), "Clearing messages should fail with SAS without delete and Object-level permissions."); } } finally { queueClient.GetQueueReference(queueName).DeleteIfExistsAsync().Wait(); } }
public async Task RunPermissionsTestFiles(SharedAccessAccountPolicy policy) { CloudFileClient fileClient = GenerateCloudFileClient(); string shareName = "s" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(fileClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, null, null, null, fileClient.StorageUri); CloudFileClient fileClientWithSAS = accountWithSAS.CreateCloudFileClient(); CloudFileShare shareWithSAS = fileClientWithSAS.GetShareReference(shareName); CloudFileShare share = fileClient.GetShareReference(shareName); // General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared // Otherwise, make sure SAS fails and then do the thing with shared key. // Things to do: // Create the share (Create / Write perms, Container RT) // List shares with prefix (List perms, Service RT) // Create a new file (Create / Write, Object RT) // Add a range to the file (Write, Object RT) // Read the data from the file (Read, Object RT) // Overwrite a file (Write, Object RT) // Delete the file (Delete perms, Object RT) if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container)) { await shareWithSAS.CreateAsync(); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await shareWithSAS.CreateAsync(), "Creating a share with SAS should fail without Create or Write and Container-level perms."); await share.CreateAsync(); } Assert.IsTrue(await share.ExistsAsync()); if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service)) { Assert.AreEqual(shareName, (await fileClientWithSAS.ListSharesSegmentedAsync(shareName, null)).Results.First().Name); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => (await fileClientWithSAS.ListSharesSegmentedAsync(shareName, null)).Results.First(), "Listing shared with SAS should fail without List and Service-level perms."); } string filename = "fileName"; CloudFile fileWithSAS = shareWithSAS.GetRootDirectoryReference().GetFileReference(filename); CloudFile file = share.GetRootDirectoryReference().GetFileReference(filename); //Try creating credentials using SAS Uri directly CloudFile fileWithSASUri = new CloudFile(new Uri(share.Uri + accountSASToken)); byte[] content = new byte[] { 0x1, 0x2, 0x3, 0x4 }; if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await fileWithSAS.CreateAsync(content.Length); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await fileWithSAS.CreateAsync(content.Length), "Creating a file with SAS should fail without Create or Write and Object-level perms."); await file.CreateAsync(content.Length); } Assert.IsTrue(await file.ExistsAsync()); using (MemoryStream stream = new MemoryStream(content)) { if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await fileWithSAS.WriteRangeAsync(stream, 0, null); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await fileWithSAS.WriteRangeAsync(stream, 0, null), "Writing a range to a file with SAS should fail without Write and Object-level perms."); stream.Seek(0, SeekOrigin.Begin); await file.WriteRangeAsync(stream, 0, null); } } byte[] result = new byte[content.Length]; await file.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length); for (int i = 0; i < content.Length; i++) { Assert.AreEqual(content[i], result[i]); } if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { result = new byte[content.Length]; await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length); for (int i = 0; i < content.Length; i++) { Assert.AreEqual(content[i], result[i]); } } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length), "Reading a file with SAS should fail without Read and Object-level perms."); } if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await fileWithSAS.CreateAsync(2); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await fileWithSAS.CreateAsync(2), "Overwriting a file with SAS should fail without Write and Object-level perms."); await file.CreateAsync(2); } result = new byte[content.Length]; await file.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length); for (int i = 0; i < content.Length; i++) { Assert.AreEqual(0, result[i]); } if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await fileWithSAS.DeleteAsync(); } else { await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await fileWithSAS.DeleteAsync(), "Deleting a file with SAS should fail without Delete and Object-level perms."); await file.DeleteAsync(); } Assert.IsFalse(await file.ExistsAsync()); } finally { fileClient.GetShareReference(shareName).DeleteIfExistsAsync().Wait(); } }
public async Task RunPermissionsTestTables(SharedAccessAccountPolicy policy) { CloudTableClient tableClient = GenerateCloudTableClient(); string tableName = "t" + Guid.NewGuid().ToString("N"); ServiceProperties initialProperties = await tableClient.GetServicePropertiesAsync(); try { CloudStorageAccount account = new CloudStorageAccount(tableClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, null, tableClient.StorageUri, null); CloudTableClient tableClientWithSAS = accountWithSAS.CreateCloudTableClient(); CloudTable tableWithSAS = tableClientWithSAS.GetTableReference(tableName); CloudTable table = tableClient.GetTableReference(tableName); // General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared // Otherwise, make sure SAS fails and then do the thing with shared key. // Things to do: // Create the table (Create or Write perms, Container RT) // List tables (List perms, Container RT) // Set table service properties (Write perms, Service RT) // Insert an entity (Add perms, Object RT) // Merge an entity (Update perms, Object RT) // Insert or merge an entity (Add and update perms, Object RT) (test this twice, once for insert, once for merge.) // Query the table for the entity (Read perms, Object RT) // Delete the entity (Delete perms, Object RT) if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container)) { await tableWithSAS.CreateAsync(); } else { await TestHelper.ExpectedExceptionAsync<StorageException>( async () => await tableWithSAS.CreateAsync(), "Creating a table with SAS should fail without Add and Container-level permissions."); await table.CreateAsync(); } Assert.IsTrue(await table.ExistsAsync()); if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container)) { Assert.AreEqual(tableName, (await tableClientWithSAS.ListTablesSegmentedAsync(tableName, null)).First().Name); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => (await tableClientWithSAS.ListTablesSegmentedAsync(tableName, null)).Results.First(), "Listing tables with SAS should fail without Read and Container-level permissions."); } ServiceProperties properties = new ServiceProperties(new LoggingProperties(), new MetricsProperties(), new MetricsProperties(), new CorsProperties()); properties.Logging = initialProperties.Logging; properties.HourMetrics = initialProperties.HourMetrics; properties.MinuteMetrics = initialProperties.MinuteMetrics; properties.DefaultServiceVersion = initialProperties.DefaultServiceVersion; CorsRule rule = new CorsRule(); string sampleOriginText = "sampleOrigin"; rule.AllowedOrigins.Add(sampleOriginText); rule.AllowedMethods = CorsHttpMethods.Get; rule.MaxAgeInSeconds = 100; properties.Cors.CorsRules.Add(rule); if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service)) { await tableClientWithSAS.SetServicePropertiesAsync(properties); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableClientWithSAS.SetServicePropertiesAsync(properties), "Setting table service properites should fail with SAS without Write and Service-level permissions."); await tableClient.SetServicePropertiesAsync(properties); } Assert.AreEqual(sampleOriginText, rule.AllowedOrigins.First()); string propName = "prop"; string propName2 = "prop2"; DynamicTableEntity entity1 = new DynamicTableEntity(); string partitionKey = "PK"; string rowKeyPrefix = "RK"; entity1.PartitionKey = partitionKey; entity1.RowKey = rowKeyPrefix + "1"; entity1.Properties = new Dictionary<string, EntityProperty>() { { propName, EntityProperty.GeneratePropertyForInt(4) } }; entity1.ETag = "*"; if (((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await tableWithSAS.ExecuteAsync(TableOperation.Insert(entity1)); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableWithSAS.ExecuteAsync(TableOperation.Insert(entity1)), "Inserting an entity should fail without Add and Object-level permissions."); await table.ExecuteAsync(TableOperation.Insert(entity1)); } TableQuery query = new TableQuery().Where(string.Format("(PartitionKey eq '{0}') and (RowKey eq '{1}')", entity1.PartitionKey, entity1.RowKey)); Assert.AreEqual(entity1.Properties[propName].Int32Value, table.ExecuteQuery(query).First().Properties[propName].Int32Value); entity1.ETag = "*"; DynamicTableEntity entity1changed = new DynamicTableEntity(); entity1changed.PartitionKey = "PK"; entity1changed.RowKey = "RK1"; entity1changed.Properties = new Dictionary<string, EntityProperty>() { { propName2, EntityProperty.GeneratePropertyForInt(5) } }; entity1changed.ETag = "*"; if (((policy.Permissions & SharedAccessAccountPermissions.Update) == SharedAccessAccountPermissions.Update) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await tableWithSAS.ExecuteAsync(TableOperation.Merge(entity1changed)); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableWithSAS.ExecuteAsync(TableOperation.Merge(entity1changed)), "Merging an entity should fail without Update and Object-level permissions."); await table.ExecuteAsync(TableOperation.Merge(entity1changed)); } DynamicTableEntity result = table.ExecuteQuery(query).First(); Assert.AreEqual(entity1.Properties[propName].Int32Value, result.Properties[propName].Int32Value); Assert.AreEqual(entity1changed.Properties[propName2].Int32Value, result.Properties[propName2].Int32Value); entity1changed.ETag = "*"; DynamicTableEntity entity2 = new DynamicTableEntity(); entity2.PartitionKey = partitionKey; entity2.RowKey = rowKeyPrefix + "2"; entity2.Properties = new Dictionary<string, EntityProperty>() { { propName, EntityProperty.GeneratePropertyForInt(4) } }; entity2.ETag = "*"; if ((((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) && ((policy.Permissions & SharedAccessAccountPermissions.Update) == SharedAccessAccountPermissions.Update)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await tableWithSAS.ExecuteAsync(TableOperation.InsertOrMerge(entity2)); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableWithSAS.ExecuteAsync(TableOperation.InsertOrMerge(entity2)), "Inserting or merging an entity should fail without Add and Update and Object-level permissions."); await table.ExecuteAsync(TableOperation.InsertOrMerge(entity2)); } query = new TableQuery().Where(string.Format("(PartitionKey eq '{0}') and (RowKey eq '{1}')", entity2.PartitionKey, entity2.RowKey)); Assert.AreEqual(entity2.Properties[propName].Int32Value, table.ExecuteQuery(query).First().Properties[propName].Int32Value); entity2.ETag = "*"; DynamicTableEntity entity2changed = new DynamicTableEntity(); entity2changed.PartitionKey = partitionKey; entity2changed.RowKey = rowKeyPrefix + "2"; entity2changed.Properties = new Dictionary<string, EntityProperty>() { { propName2, EntityProperty.GeneratePropertyForInt(5) } }; entity2changed.ETag = "*"; if ((((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) && ((policy.Permissions & SharedAccessAccountPermissions.Update) == SharedAccessAccountPermissions.Update)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await tableWithSAS.ExecuteAsync(TableOperation.InsertOrMerge(entity2changed)); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableWithSAS.ExecuteAsync(TableOperation.InsertOrMerge(entity2changed)), "Inserting or merging an entity should fail without Add and Update and Object-level permissions."); await table.ExecuteAsync(TableOperation.InsertOrMerge(entity2changed)); } entity2changed.ETag = "*"; result = table.ExecuteQuery(query).First(); Assert.AreEqual(entity2.Properties[propName].Int32Value, result.Properties[propName].Int32Value); Assert.AreEqual(entity2changed.Properties[propName2].Int32Value, result.Properties[propName2].Int32Value); query = new TableQuery().Where(string.Format("(PartitionKey eq '{0}') and (RowKey ge '{1}') and (RowKey le '{2}')", entity1.PartitionKey, entity1.RowKey, entity2.RowKey)); if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { List<DynamicTableEntity> entities = tableWithSAS.ExecuteQuery(query).ToList(); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => (await tableWithSAS.ExecuteQuerySegmentedAsync(query, null)).ToList(), "Querying tables should fail with SAS without Read and Object-level permissions."); } if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await tableWithSAS.ExecuteAsync(TableOperation.Delete(entity1)); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableWithSAS.ExecuteAsync(TableOperation.Delete(entity1)), "Deleting an entity should fail with SAS without Delete and Object-level permissions."); await table.ExecuteAsync(TableOperation.Delete(entity1)); } query = new TableQuery().Where(string.Format("(PartitionKey eq '{0}') and (RowKey eq '{1}')", entity1.PartitionKey, entity1.RowKey)); Assert.IsFalse(table.ExecuteQuery(query).Any()); } finally { tableClient.GetTableReference(tableName).DeleteIfExistsAsync().Wait(); if (initialProperties != null) { tableClient.SetServicePropertiesAsync(initialProperties).Wait(); } } }
/// <summary> /// Get the SAS token for an account. /// </summary> /// <param name="sharedAccessAccountPolicy">Shared access policy to generate the SAS token.</param> /// <returns>Account SAS token.</returns> public string GetStorageAccountSASToken(SharedAccessAccountPolicy sharedAccessAccountPolicy) { return StorageContext.StorageAccount.GetSharedAccessSignature(sharedAccessAccountPolicy); }
public async Task RunPermissionsTestFiles(SharedAccessAccountPolicy policy) { CloudFileClient fileClient = GenerateCloudFileClient(); string shareName = "s" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(fileClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, null, null, fileClient.StorageUri); CloudFileClient fileClientWithSAS = accountWithSAS.CreateCloudFileClient(); CloudFileShare shareWithSAS = fileClientWithSAS.GetShareReference(shareName); CloudFileShare share = fileClient.GetShareReference(shareName); // General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared // Otherwise, make sure SAS fails and then do the thing with shared key. // Things to do: // Create the share (Create / Write perms, Container RT) // List shares with prefix (List perms, Service RT) // Create a new file (Create / Write, Object RT) // Add a range to the file (Write, Object RT) // Read the data from the file (Read, Object RT) // Overwrite a file (Write, Object RT) // Delete the file (Delete perms, Object RT) if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container)) { await shareWithSAS.CreateAsync(); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await shareWithSAS.CreateAsync(), "Creating a share with SAS should fail without Create or Write and Container-level perms."); await share.CreateAsync(); } Assert.IsTrue(await share.ExistsAsync()); if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service)) { Assert.AreEqual(shareName, (await fileClientWithSAS.ListSharesSegmentedAsync(shareName, null)).Results.First().Name); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => (await fileClientWithSAS.ListSharesSegmentedAsync(shareName, null)).Results.First(), "Listing shared with SAS should fail without List and Service-level perms."); } string filename = "fileName"; CloudFile fileWithSAS = shareWithSAS.GetRootDirectoryReference().GetFileReference(filename); CloudFile file = share.GetRootDirectoryReference().GetFileReference(filename); byte[] content = new byte[] { 0x1, 0x2, 0x3, 0x4 }; if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await fileWithSAS.CreateAsync(content.Length); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await fileWithSAS.CreateAsync(content.Length), "Creating a file with SAS should fail without Create or Write and Object-level perms."); await file.CreateAsync(content.Length); } Assert.IsTrue(await file.ExistsAsync()); using (MemoryStream stream = new MemoryStream(content)) { if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await fileWithSAS.WriteRangeAsync(stream, 0, null); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await fileWithSAS.WriteRangeAsync(stream, 0, null), "Writing a range to a file with SAS should fail without Write and Object-level perms."); stream.Seek(0, SeekOrigin.Begin); await file.WriteRangeAsync(stream, 0, null); } } byte[] result = new byte[content.Length]; await file.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length); for (int i = 0; i < content.Length; i++) { Assert.AreEqual(content[i], result[i]); } if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { result = new byte[content.Length]; await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length); for (int i = 0; i < content.Length; i++) { Assert.AreEqual(content[i], result[i]); } } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length), "Reading a file with SAS should fail without Read and Object-level perms."); } if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await fileWithSAS.CreateAsync(2); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await fileWithSAS.CreateAsync(2), "Overwriting a file with SAS should fail without Write and Object-level perms."); await file.CreateAsync(2); } result = new byte[content.Length]; await file.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length); for (int i = 0; i < content.Length; i++) { Assert.AreEqual(0, result[i]); } if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) && ((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object)) { await fileWithSAS.DeleteAsync(); } else { await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await fileWithSAS.DeleteAsync(), "Deleting a file with SAS should fail without Delete and Object-level perms."); await file.DeleteAsync(); } Assert.IsFalse(await file.ExistsAsync()); } finally { fileClient.GetShareReference(shareName).DeleteIfExistsAsync().Wait(); } }
/// <summary> /// Get the SAS token for an account. /// </summary> /// <param name="sharedAccessAccountPolicy">Shared access policy to generate the SAS token.</param> /// <returns>Account SAS token.</returns> public string GetStorageAccountSASToken(SharedAccessAccountPolicy sharedAccessAccountPolicy) { throw new NotImplementedException(); }
public async Task RunTableTest(SharedAccessAccountPolicy policy, int? httpsPort, OperationContext opContext = null) { CloudTableClient tableClient = GenerateCloudTableClient(); string tableName = "t" + Guid.NewGuid().ToString("N"); try { CloudStorageAccount account = new CloudStorageAccount(tableClient.Credentials, false); string accountSASToken = account.GetSharedAccessSignature(policy); StorageCredentials accountSAS = new StorageCredentials(accountSASToken); StorageUri storageUri = tableClient.StorageUri; if (httpsPort != null) { storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value)); } CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, null, storageUri, null); CloudTableClient tableClientWithSAS = accountWithSAS.CreateCloudTableClient(); CloudTable tableWithSAS = tableClientWithSAS.GetTableReference(tableName); CloudTable table = tableClient.GetTableReference(tableName); await table.CreateAsync(); string propName = "prop"; int propValue = 4; DynamicTableEntity entity1 = new DynamicTableEntity(); string partitionKey = "PK"; string rowKeyPrefix = "RK"; entity1.PartitionKey = partitionKey; entity1.RowKey = rowKeyPrefix + "1"; entity1.Properties = new Dictionary<string, EntityProperty>() { { propName, EntityProperty.GeneratePropertyForInt(propValue) } }; await table.ExecuteAsync(TableOperation.Insert(entity1)); TableQuery query = new TableQuery().Where(string.Format("(PartitionKey eq '{0}') and (RowKey eq '{1}')", entity1.PartitionKey, entity1.RowKey)); Assert.AreEqual(propValue, (await tableWithSAS.ExecuteQuerySegmentedAsync(query, null, null, opContext)).Results.First().Properties[propName].Int32Value); } finally { tableClient.GetTableReference(tableName).DeleteIfExistsAsync().Wait(); } }
/// <summary> /// Returns a shared access signature for the account. /// </summary> /// <param name="policy">A <see cref="SharedAccessAccountPolicy"/> object specifying the access policy for the shared access signature.</param> /// <returns>A shared access signature, as a URI query string.</returns> /// <remarks>The query string returned includes the leading question mark.</remarks> public string GetSharedAccessSignature(SharedAccessAccountPolicy policy) { if (!this.Credentials.IsSharedKey) { string errorMessage = string.Format(CultureInfo.CurrentCulture, SR.CannotCreateSASWithoutAccountKey); throw new InvalidOperationException(errorMessage); } string signature = SharedAccessSignatureHelper.GetHash(policy, this.Credentials.AccountName, Constants.HeaderConstants.TargetStorageVersion, this.Credentials.Key.KeyValue); UriQueryBuilder builder = SharedAccessSignatureHelper.GetSignature(policy, signature, this.Credentials.Key.KeyName, Constants.HeaderConstants.TargetStorageVersion); return builder.ToString(); }
public string GetSharedAccessSignature(SharedAccessAccountPolicy policy) { throw new System.NotImplementedException(); }
internal static UriQueryBuilder GetSignature( SharedAccessAccountPolicy policy, string signature, string accountKeyName, string sasVersion) { CommonUtility.AssertNotNull("signature", signature); CommonUtility.AssertNotNull("policy", policy); UriQueryBuilder builder = new UriQueryBuilder(); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedVersion, sasVersion); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKey, accountKeyName); AddEscapedIfNotNull(builder, Constants.QueryConstants.Signature, signature); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedProtocols, policy.Protocols == null ? null : GetProtocolString(policy.Protocols.Value)); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedIP, policy.IPAddressOrRange == null ? null : policy.IPAddressOrRange.ToString()); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedStart, GetDateTimeOrNull(policy.SharedAccessStartTime)); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedExpiry, GetDateTimeOrNull(policy.SharedAccessExpiryTime)); string resourceTypes = SharedAccessAccountPolicy.ResourceTypesToString(policy.ResourceTypes); if (!string.IsNullOrEmpty(resourceTypes)) { AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedResourceTypes, resourceTypes); } string services = SharedAccessAccountPolicy.ServicesToString(policy.Services); if (!string.IsNullOrEmpty(services)) { AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedServices, services); } string permissions = SharedAccessAccountPolicy.PermissionsToString(policy.Permissions); if (!string.IsNullOrEmpty(permissions)) { AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedPermissions, permissions); } return builder; }