public async Task AccountSASSignedIPs()
{
OperationContext opContext = new OperationContext();
HostName invalidIP = new HostName("255.255.255.255");
SharedAccessAccountPolicy policy = GetPolicyWithFullPermissions();
policy.IPAddressOrRange = new IPAddressOrRange(invalidIP.ToString());
await TestHelper.ExpectedExceptionAsync((async() => await RunBlobTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure");
await TestHelper.ExpectedExceptionAsync((async() => await RunQueueTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure");
await TestHelper.ExpectedExceptionAsync((async() => await RunFileTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure");
policy.IPAddressOrRange = null;
await RunBlobTest(policy, null);
await RunQueueTest(policy, null);
await RunFileTest(policy, null);
policy.IPAddressOrRange = new IPAddressOrRange(new HostName("255.255.255.0").ToString(), invalidIP.ToString());
await TestHelper.ExpectedExceptionAsync((async() => await RunBlobTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure");
await TestHelper.ExpectedExceptionAsync((async() => await RunQueueTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure");
await TestHelper.ExpectedExceptionAsync((async() => await RunFileTest(policy, null, opContext)), opContext, "Operation should have failed with invalid IP access.", HttpStatusCode.Forbidden, "AuthorizationFailure");
}
public async Task AccountSASSignedProtocols()
{
int blobHttpsPort = 443;
int tableHttpsPort = 443;
int queueHttpsPort = 443;
int fileHttpsPort = 443;
if (!string.IsNullOrEmpty(TestBase.TargetTenantConfig.BlobSecurePortOverride))
{
blobHttpsPort = Int32.Parse(TestBase.TargetTenantConfig.BlobSecurePortOverride);
}
if (!string.IsNullOrEmpty(TestBase.TargetTenantConfig.TableSecurePortOverride))
{
tableHttpsPort = Int32.Parse(TestBase.TargetTenantConfig.TableSecurePortOverride);
}
if (!string.IsNullOrEmpty(TestBase.TargetTenantConfig.QueueSecurePortOverride))
{
queueHttpsPort = Int32.Parse(TestBase.TargetTenantConfig.QueueSecurePortOverride);
}
if (!string.IsNullOrEmpty(TestBase.TargetTenantConfig.FileSecurePortOverride))
{
fileHttpsPort = Int32.Parse(TestBase.TargetTenantConfig.FileSecurePortOverride);
}
OperationContext opContext = new OperationContext();
for (int i = 0; i < 3; i++)
{
SharedAccessAccountPolicy policy = this.GetPolicyWithFullPermissions();
policy.Protocols = i == 0 ? (SharedAccessProtocol?)null : (SharedAccessProtocol)i;
bool expectException = !(!policy.Protocols.HasValue || (policy.Protocols == SharedAccessProtocol.HttpsOrHttp));
if (expectException)
{
await TestHelper.ExpectedExceptionAsync((async() => await RunBlobTest(policy, null, opContext)), opContext, "Operation should have failed without using Https.", HttpStatusCode.Unused, null);
await TestHelper.ExpectedExceptionAsync((async() => await RunQueueTest(policy, null, opContext)), opContext, "Operation should have failed without using Https.", HttpStatusCode.Unused, null);
await TestHelper.ExpectedExceptionAsync((async() => await RunFileTest(policy, null, opContext)), opContext, "Operation should have failed without using Https.", HttpStatusCode.Unused, null);
}
else
{
await RunBlobTest(policy, null);
await RunQueueTest(policy, null);
await RunFileTest(policy, null);
}
await RunBlobTest(policy, blobHttpsPort);
await RunQueueTest(policy, queueHttpsPort);
await RunFileTest(policy, fileHttpsPort);
}
}
private SharedAccessAccountPolicy GetPolicyWithFullPermissions()
{
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy();
policy.SharedAccessStartTime = DateTime.Now - TimeSpan.FromMinutes(5);
policy.SharedAccessExpiryTime = DateTime.Now + TimeSpan.FromMinutes(30);
policy.Permissions = (SharedAccessAccountPermissions)(0x100 - 0x1);
policy.Services = (SharedAccessAccountServices)(0x10 - 0x1);
policy.ResourceTypes = (SharedAccessAccountResourceTypes)(0x8 - 0x1);
policy.Protocols = SharedAccessProtocol.HttpsOrHttp;
policy.IPAddressOrRange = null;
return(policy);
}
public async Task RunFileTest(SharedAccessAccountPolicy policy, int?httpsPort, OperationContext opContext = null)
{
CloudFileClient fileClient = GenerateCloudFileClient();
string shareName = "s" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(fileClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
StorageUri storageUri = fileClient.StorageUri;
if (httpsPort != null)
{
storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value));
}
else
{
storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "http", 80), TransformSchemeAndPort(storageUri.SecondaryUri, "http", 80));
}
CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, null, null, null, storageUri);
CloudFileClient fileClientWithSAS = accountWithSAS.CreateCloudFileClient();
CloudFileShare shareWithSAS = fileClientWithSAS.GetShareReference(shareName);
CloudFileShare share = fileClient.GetShareReference(shareName);
await share.CreateAsync();
string fileName = "file";
CloudFile file = share.GetRootDirectoryReference().GetFileReference(fileName);
CloudFile fileWithSAS = shareWithSAS.GetRootDirectoryReference().GetFileReference(fileName);
byte[] content = new byte[] { 0x1, 0x2, 0x3, 0x4 };
await file.CreateAsync(content.Length);
using (MemoryStream stream = new MemoryStream(content))
{
await file.WriteRangeAsync(stream, 0, null);
}
byte[] result = new byte[content.Length];
await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length, null, null, opContext);
for (int i = 0; i < content.Length; i++)
{
Assert.AreEqual(content[i], result[i]);
}
}
finally
{
fileClient.GetShareReference(shareName).DeleteIfExistsAsync().Wait();
}
}
public void AccountSASResourceTypes()
{
Task[] tasks = new Task[8 * 3];
for (int i = 0; i < 0x8; i++)
{
SharedAccessAccountResourceTypes resourceTypes = (SharedAccessAccountResourceTypes)i;
SharedAccessAccountPolicy policy = GetPolicyWithFullPermissions();
policy.ResourceTypes = resourceTypes;
tasks[i] = this.RunPermissionsTestBlobs(policy);
tasks[16 + i] = this.RunPermissionsTestQueues(policy);
tasks[24 + i] = this.RunPermissionsTestFiles(policy);
}
Task.WaitAll(tasks);
}
public async Task AccountSASStartExpiryTimes()
{
int?[] startOffsets = new int?[] { null, -5, 5 };
int[] endOffsets = new int[] { -5, 5 };
foreach (int?startOffset in startOffsets)
{
foreach (int endOffset in endOffsets)
{
OperationContext opContext = new OperationContext();
SharedAccessAccountPolicy policy = this.GetPolicyWithFullPermissions();
if (startOffset.HasValue)
{
policy.SharedAccessStartTime = DateTime.Now + TimeSpan.FromMinutes(startOffset.Value);
}
else
{
policy.SharedAccessStartTime = null;
}
policy.SharedAccessExpiryTime = DateTime.Now + TimeSpan.FromMinutes(endOffset);
bool expectException;
if (!policy.SharedAccessStartTime.HasValue)
{
expectException = (policy.SharedAccessExpiryTime < DateTime.Now);
}
else
{
expectException = ((policy.SharedAccessStartTime.Value > DateTime.Now) || (policy.SharedAccessExpiryTime < DateTime.Now));
}
if (expectException)
{
await TestHelper.ExpectedExceptionAsync((async() => await RunBlobTest(policy, null, opContext)), opContext, "Operation should have failed with invalid start/expiry times.", HttpStatusCode.Forbidden, "AuthenticationFailed");
await TestHelper.ExpectedExceptionAsync((async() => await RunQueueTest(policy, null, opContext)), opContext, "Operation should have failed with invalid start/expiry times.", HttpStatusCode.Forbidden, "AuthenticationFailed");
await TestHelper.ExpectedExceptionAsync((async() => await RunFileTest(policy, null, opContext)), opContext, "Operation should have failed with invalid start/expiry times.", HttpStatusCode.Forbidden, "AuthenticationFailed");
}
else
{
await RunBlobTest(policy, null);
await RunQueueTest(policy, null);
await RunFileTest(policy, null);
}
}
}
}
public void AccountSASPermissions()
{
// Single-threaded, takes 10 minutes to run
// Parallelized, 1 minute.
for (int i = 0; i < 0x100; i++)
{
Task[] tasks = new Task[3]; //each permission (0x100) times four services.
SharedAccessAccountPermissions permissions = (SharedAccessAccountPermissions)i;
SharedAccessAccountPolicy policy = GetPolicyWithFullPermissions();
policy.Permissions = permissions;
tasks[0] = this.RunPermissionsTestBlobs(policy);
tasks[2] = this.RunPermissionsTestQueues(policy);
tasks[3] = this.RunPermissionsTestFiles(policy);
Task.WaitAll(tasks);
}
}
public async Task RunBlobTest(SharedAccessAccountPolicy policy, int?httpsPort, OperationContext opContext = null)
{
CloudBlobClient blobClient = GenerateCloudBlobClient();
string containerName = "c" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(blobClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
StorageUri storageUri = blobClient.StorageUri;
if (httpsPort != null)
{
storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value));
}
else
{
storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "http", 80), TransformSchemeAndPort(storageUri.SecondaryUri, "http", 80));
}
CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, storageUri, null, null, null);
CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient();
CloudBlobContainer containerWithSAS = blobClientWithSAS.GetContainerReference(containerName);
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
await container.CreateAsync();
string blobName = "blob";
CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
string blobText = "blobText";
await blob.UploadTextAsync(blobText);
CloudBlockBlob blobWithSAS = containerWithSAS.GetBlockBlobReference(blobName);
Assert.AreEqual(blobText, await blobWithSAS.DownloadTextAsync(null, null, opContext));
}
finally
{
blobClient.GetContainerReference(containerName).DeleteIfExistsAsync().Wait();
}
}
public async Task AccountSASServices()
{
for (int i = 1; i < 0x10; i++)
{
OperationContext opContext = new OperationContext();
SharedAccessAccountPolicy policy = this.GetPolicyWithFullPermissions();
policy.Services = (SharedAccessAccountServices)i;
bool expectBlobException = !((policy.Services & SharedAccessAccountServices.Blob) == SharedAccessAccountServices.Blob);
bool expectQueueException = !((policy.Services & SharedAccessAccountServices.Queue) == SharedAccessAccountServices.Queue);
bool expectTableException = !((policy.Services & SharedAccessAccountServices.Table) == SharedAccessAccountServices.Table);
bool expectFileException = !((policy.Services & SharedAccessAccountServices.File) == SharedAccessAccountServices.File);
if (expectBlobException)
{
await TestHelper.ExpectedExceptionAsync((async() => await RunBlobTest(policy, null, opContext)), opContext, "Operation should have failed without Blob access.", HttpStatusCode.Forbidden, "AuthorizationServiceMismatch");
}
else
{
await RunBlobTest(policy, null);
}
if (expectQueueException)
{
await TestHelper.ExpectedExceptionAsync((async() => await RunQueueTest(policy, null, opContext)), opContext, "Operation should have failed without Queue access.", HttpStatusCode.Forbidden, "AuthorizationServiceMismatch");
}
else
{
await RunQueueTest(policy, null);
}
if (expectFileException)
{
await TestHelper.ExpectedExceptionAsync((async() => await RunFileTest(policy, null, opContext)), opContext, "Operation should have failed without File access.", HttpStatusCode.Forbidden, "AuthorizationServiceMismatch");
}
else
{
await RunFileTest(policy, null);
}
}
}
public async Task RunQueueTest(SharedAccessAccountPolicy policy, int?httpsPort, OperationContext opContext = null)
{
CloudQueueClient queueClient = GenerateCloudQueueClient();
string queueName = "q" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(queueClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
StorageUri storageUri = queueClient.StorageUri;
if (httpsPort != null)
{
storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value));
}
else
{
storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "http", 80), TransformSchemeAndPort(storageUri.SecondaryUri, "http", 80));
}
CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, null, storageUri, null, null);
CloudQueueClient queueClientWithSAS = accountWithSAS.CreateCloudQueueClient();
CloudQueue queueWithSAS = queueClientWithSAS.GetQueueReference(queueName);
CloudQueue queue = queueClient.GetQueueReference(queueName);
await queue.CreateAsync();
string messageText = "message text";
CloudQueueMessage message = new CloudQueueMessage(messageText);
await queue.AddMessageAsync(message);
Assert.AreEqual(messageText, (await queueWithSAS.GetMessageAsync(null, null, opContext)).AsString);
}
finally
{
queueClient.GetQueueReference(queueName).DeleteIfExistsAsync().Wait();
}
}
private SharedAccessAccountPolicy GetPolicyWithFullPermissions()
{
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy();
policy.SharedAccessStartTime = DateTime.Now - TimeSpan.FromMinutes(5);
policy.SharedAccessExpiryTime = DateTime.Now + TimeSpan.FromMinutes(30);
policy.Permissions = (SharedAccessAccountPermissions)(0x100 - 0x1);
policy.Services = (SharedAccessAccountServices)(0x10 - 0x1);
policy.ResourceTypes = (SharedAccessAccountResourceTypes)(0x8 - 0x1);
policy.Protocols = SharedAccessProtocol.HttpsOrHttp;
policy.IPAddressOrRange = null;
return policy;
}
public async Task RunFileTest(SharedAccessAccountPolicy policy, int? httpsPort, OperationContext opContext = null)
{
CloudFileClient fileClient = GenerateCloudFileClient();
string shareName = "s" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(fileClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
StorageUri storageUri = fileClient.StorageUri;
if (httpsPort != null)
{
storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value));
}
CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, null, null, storageUri);
CloudFileClient fileClientWithSAS = accountWithSAS.CreateCloudFileClient();
CloudFileShare shareWithSAS = fileClientWithSAS.GetShareReference(shareName);
CloudFileShare share = fileClient.GetShareReference(shareName);
await share.CreateAsync();
string fileName = "file";
CloudFile file = share.GetRootDirectoryReference().GetFileReference(fileName);
CloudFile fileWithSAS = shareWithSAS.GetRootDirectoryReference().GetFileReference(fileName);
byte[] content = new byte[] { 0x1, 0x2, 0x3, 0x4 };
await file.CreateAsync(content.Length);
using (MemoryStream stream = new MemoryStream(content))
{
await file.WriteRangeAsync(stream, 0, null);
}
byte[] result = new byte[content.Length];
await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length, null, null, opContext);
for (int i = 0; i < content.Length; i++)
{
Assert.AreEqual(content[i], result[i]);
}
}
finally
{
fileClient.GetShareReference(shareName).DeleteIfExistsAsync().Wait();
}
}
public async Task RunQueueTest(SharedAccessAccountPolicy policy, int? httpsPort, OperationContext opContext = null)
{
CloudQueueClient queueClient = GenerateCloudQueueClient();
string queueName = "q" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(queueClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
StorageUri storageUri = queueClient.StorageUri;
if (httpsPort != null)
{
storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value));
}
CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, storageUri, null, null);
CloudQueueClient queueClientWithSAS = accountWithSAS.CreateCloudQueueClient();
CloudQueue queueWithSAS = queueClientWithSAS.GetQueueReference(queueName);
CloudQueue queue = queueClient.GetQueueReference(queueName);
await queue.CreateAsync();
string messageText = "message text";
CloudQueueMessage message = new CloudQueueMessage(messageText);
await queue.AddMessageAsync(message);
Assert.AreEqual(messageText, (await queueWithSAS.GetMessageAsync(null, null, opContext)).AsString);
}
finally
{
queueClient.GetQueueReference(queueName).DeleteIfExistsAsync().Wait();
}
}
public override void ExecuteCmdlet()
{
var sharedAccessPolicy = new SharedAccessAccountPolicy()
{
Permissions = SetupAccessPolicyPermission(this.Permission),
Services = Service,
ResourceTypes = ResourceType,
Protocols = Protocol,
IPAddressOrRange = Util.SetupIPAddressOrRangeForSAS(this.IPAddressOrRange)
};
DateTimeOffset? accessStartTime;
DateTimeOffset? accessEndTime;
SasTokenHelper.SetupAccessPolicyLifeTime(StartTime, ExpiryTime,
out accessStartTime, out accessEndTime, true);
sharedAccessPolicy.SharedAccessStartTime = accessStartTime;
sharedAccessPolicy.SharedAccessExpiryTime = accessEndTime;
this.WriteObject(Channel.GetStorageAccountSASToken(sharedAccessPolicy));
}
static public string CreateAzureSASToken(string connection, int hours = 5)
{
// Create Azure Account with Connection String
CloudStorageAccount account = CloudStorageAccount.Parse(connection);
// Create a new access policy for the account.
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.List,
Services = SharedAccessAccountServices.Blob,
ResourceTypes = SharedAccessAccountResourceTypes.Object,
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(5),
Protocols = SharedAccessProtocol.HttpsOrHttp
};
// Return the SAS token.
return account.GetSharedAccessSignature(policy);
}
/// <summary>
/// Get the SAS token for an account.
/// </summary>
/// <param name="sharedAccessAccountPolicy">Shared access policy to generate the SAS token.</param>
/// <returns>Account SAS token.</returns>
public string GetStorageAccountSASToken(XSCL.SharedAccessAccountPolicy sharedAccessAccountPolicy)
{
return(StorageContext.StorageAccount.GetSharedAccessSignature(sharedAccessAccountPolicy));
}
/// <summary>
/// Creates an Account SAS Token
/// </summary>
/// <returns>A SAS token.</returns>
private static string GetAccountSASToken()
{
// Retrieve storage account information from connection string
CloudStorageAccount storageAccount = Common.CreateStorageAccountFromConnectionString();
// Create a new access policy for the account with the following properties:
// Permissions: Read, Write, List, Create, Delete
// ResourceType: Container
// Expires in 24 hours
// Protocols: HTTPS or HTTP (note that the storage emulator does not support HTTPS)
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
// When the start time for the SAS is omitted, the start time is assumed to be the time when the storage service receives the request.
// Omitting the start time for a SAS that is effective immediately helps to avoid clock skew.
Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write | SharedAccessAccountPermissions.List | SharedAccessAccountPermissions.Create | SharedAccessAccountPermissions.Delete,
Services = SharedAccessAccountServices.Blob,
ResourceTypes = SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object,
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
Protocols = SharedAccessProtocol.HttpsOrHttp
};
// Create new storage credentials using the SAS token.
string sasToken = storageAccount.GetSharedAccessSignature(policy);
// Return the SASToken
return sasToken;
}
internal static string GetHash(
SharedAccessAccountPolicy policy,
string accountName,
string sasVersion,
byte[] keyValue)
{
string stringToSign = string.Format(
CultureInfo.InvariantCulture,
"{0}\n{1}\n{2}\n{3}\n{4}\n{5}\n{6}\n{7}\n{8}\n{9}",
accountName,
SharedAccessAccountPolicy.PermissionsToString(policy.Permissions),
SharedAccessAccountPolicy.ServicesToString(policy.Services),
SharedAccessAccountPolicy.ResourceTypesToString(policy.ResourceTypes),
GetDateTimeOrEmpty(policy.SharedAccessStartTime),
GetDateTimeOrEmpty(policy.SharedAccessExpiryTime),
policy.IPAddressOrRange == null ? string.Empty : policy.IPAddressOrRange.ToString(),
GetProtocolString(policy.Protocols),
sasVersion,
string.Empty);
Logger.LogVerbose(null /* operationContext */, SR.TraceStringToSign, stringToSign);
return CryptoUtility.ComputeHmac256(keyValue, stringToSign);
}
public async Task RunPermissionsTestBlobs(SharedAccessAccountPolicy policy)
{
CloudBlobClient blobClient = GenerateCloudBlobClient();
string containerName = "c" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(blobClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, blobClient.StorageUri, null, null, null);
CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient();
CloudBlobContainer containerWithSAS = blobClientWithSAS.GetContainerReference(containerName);
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
// General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared
// Otherwise, make sure SAS fails and then do the thing with shared key.
// Things to do:
// Create the container (Create / Write perms, Container RT)
// List containers with prefix (List perms, Service RT)
// Create an append blob (Create / Write perms, Object RT)
// Append a block to append blob (Add / Write perms, Object RT)
// Read the data from the append blob (Read perms, Object RT)
// Delete the blob (Delete perms, Object RT)
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container))
{
await containerWithSAS.CreateAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await containerWithSAS.CreateAsync(), "Create a container should fail with SAS without Create or Write and Container-level permissions.");
await container.CreateAsync();
}
Assert.IsTrue(await container.ExistsAsync());
if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service))
{
ContainerResultSegment segment = null;
BlobContinuationToken ct = null;
IEnumerable <CloudBlobContainer> results = null;
do
{
segment = await blobClientWithSAS.ListContainersSegmentedAsync(container.Name, ct);
ct = segment.ContinuationToken;
results = segment.Results;
}while(ct != null && !results.Any());
Assert.AreEqual(container.Name, segment.Results.First().Name);
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => { ContainerResultSegment segment = await blobClientWithSAS.ListContainersSegmentedAsync(container.Name, null); segment.Results.First(); }, "List containers should fail with SAS without List and Service-level permissions.");
}
string blobName = "blob";
CloudAppendBlob appendBlob = container.GetAppendBlobReference(blobName);
CloudAppendBlob appendBlobWithSAS = containerWithSAS.GetAppendBlobReference(blobName);
//Try creating credentials using SAS Uri directly
CloudAppendBlob appendBlobWithSASUri = new CloudAppendBlob(new Uri(container.Uri + accountSASToken));
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await appendBlobWithSAS.CreateOrReplaceAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await appendBlobWithSAS.CreateOrReplaceAsync(), "Creating an append blob should fail with SAS without Create or Write and Object-level perms.");
await appendBlob.CreateOrReplaceAsync();
}
Assert.IsTrue(await appendBlob.ExistsAsync());
string blobText = "blobText";
if ((((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
using (MemoryStream stream = new MemoryStream(Encoding.UTF8.GetBytes(blobText)))
{
await appendBlobWithSAS.AppendBlockAsync(stream);
}
}
else
{
using (MemoryStream memStream = new MemoryStream(Encoding.UTF8.GetBytes(blobText)))
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await appendBlobWithSAS.AppendBlockAsync(memStream), "Append a block to an append blob should fail with SAS without Add or Write and Object-level perms.");
memStream.Seek(0, SeekOrigin.Begin);
await appendBlob.AppendBlockAsync(memStream);
}
}
Assert.AreEqual(blobText, await appendBlob.DownloadTextAsync());
if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
Assert.AreEqual(blobText, await appendBlobWithSAS.DownloadTextAsync());
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await appendBlobWithSAS.DownloadTextAsync(), "Reading a blob's contents with SAS without Read and Object-level permissions should fail.");
}
if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await appendBlobWithSAS.DeleteAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await appendBlobWithSAS.DeleteAsync(), "Deleting a blob with SAS without Delete and Object-level perms should fail.");
await appendBlob.DeleteAsync();
}
Assert.IsFalse(await appendBlob.ExistsAsync());
}
finally
{
blobClient.GetContainerReference(containerName).DeleteIfExistsAsync().Wait();
}
}
/// <summary>
/// Creates an Account SAS Token
/// </summary>
/// <param name="storageAccount">The storage account object</param>
/// <returns>sasToken</returns>
private static string GetAccountSASToken()
{
// Retrieve storage account information from connection string
// How to create a storage connection string - http://msdn.microsoft.com/en-us/library/azure/ee758697.aspx
CloudStorageAccount storageAccount = CreateStorageAccountFromConnectionString(CloudConfigurationManager.GetSetting("StorageConnectionString"));
// Create a new access policy for the account with the following properties:
// Permissions: Read, Write, List, Create, Delete
// ResourceType: Container
// Expires in 24 hours
// Protocols: Https or Http (As Emulator does not yet support Https)
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write | SharedAccessAccountPermissions.List | SharedAccessAccountPermissions.Create | SharedAccessAccountPermissions.Delete,
Services = SharedAccessAccountServices.Blob,
ResourceTypes = SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object,
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
Protocols = SharedAccessProtocol.HttpsOrHttp
};
// Create new storage credentials using the SAS token.
string sasToken = storageAccount.GetSharedAccessSignature(policy);
// Return the SASToken
return sasToken;
}
public async Task RunBlobTest(SharedAccessAccountPolicy policy, int? httpsPort, OperationContext opContext = null)
{
CloudBlobClient blobClient = GenerateCloudBlobClient();
string containerName = "c" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(blobClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
StorageUri storageUri = blobClient.StorageUri;
if (httpsPort != null)
{
storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value));
}
CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, storageUri, null, null, null);
CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient();
CloudBlobContainer containerWithSAS = blobClientWithSAS.GetContainerReference(containerName);
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
await container.CreateAsync();
string blobName = "blob";
CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
string blobText = "blobText";
await blob.UploadTextAsync(blobText);
CloudBlockBlob blobWithSAS = containerWithSAS.GetBlockBlobReference(blobName);
Assert.AreEqual(blobText, await blobWithSAS.DownloadTextAsync(null, null, opContext));
}
finally
{
blobClient.GetContainerReference(containerName).DeleteIfExistsAsync().Wait();
}
}
public async Task RunPermissionsTestQueues(SharedAccessAccountPolicy policy)
{
CloudQueueClient queueClient = GenerateCloudQueueClient();
string queueName = "q" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(queueClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, queueClient.StorageUri, null, null);
CloudQueueClient queueClientWithSAS = accountWithSAS.CreateCloudQueueClient();
CloudQueue queueWithSAS = queueClientWithSAS.GetQueueReference(queueName);
CloudQueue queue = queueClient.GetQueueReference(queueName);
// General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared
// Otherwise, make sure SAS fails and then do the thing with shared key.
// Things to do:
// Create the queue (Create or Write perms, Container RT)
// List queues (List perms, Service RT)
// Set queue metadata (Write perms, Container RT)
// Insert a message (Add perms, Object RT)
// Peek a message (Read perms, Object RT)
// Get a message (Process perms, Object RT)
// Update a message (Update perms, Object RT)
// Clear all messages (Delete perms, Object RT)
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container))
{
await queueWithSAS.CreateAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.CreateAsync(), "Creating a queue with SAS should fail without Add and Container-level permissions.");
await queue.CreateAsync();
}
Assert.IsTrue(await queue.ExistsAsync());
if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service))
{
Assert.AreEqual(queueName, (await queueClientWithSAS.ListQueuesSegmentedAsync(queueName, null)).Results.First().Name);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => (await queueClientWithSAS.ListQueuesSegmentedAsync(queueName, null)).Results.First(), "Listing queues with SAS should fail without Read and Service-level permissions.");
}
queueWithSAS.Metadata["metadatakey"] = "metadatavalue";
if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container))
{
await queueWithSAS.SetMetadataAsync();
await queue.FetchAttributesAsync();
Assert.AreEqual("metadatavalue", queue.Metadata["metadatakey"]);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.SetMetadataAsync(), "Setting a queue's metadata with SAS should fail without Write and Container-level permissions.");
}
string messageText = "messageText";
CloudQueueMessage message = new CloudQueueMessage(messageText);
if (((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await queueWithSAS.AddMessageAsync(message);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.AddMessageAsync(message), "Adding a queue message should fail with SAS without Add and Object-level permissions.");
await queue.AddMessageAsync(message);
}
Assert.AreEqual(messageText, ((await queue.PeekMessageAsync()).AsString));
if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
Assert.AreEqual(messageText, (await queueWithSAS.PeekMessageAsync()).AsString);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.PeekMessageAsync(), "Peeking a queue message should fail with SAS without Read and Object-level permissions.");
}
CloudQueueMessage messageResult = null;
if (((policy.Permissions & SharedAccessAccountPermissions.ProcessMessages) == SharedAccessAccountPermissions.ProcessMessages) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
messageResult = await queueWithSAS.GetMessageAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.GetMessageAsync(), "Getting a message should fail with SAS without Process and Object-level permissions.");
messageResult = await queue.GetMessageAsync();
}
Assert.AreEqual(messageText, messageResult.AsString);
string newMessageContent = "new content";
messageResult.SetMessageContent(newMessageContent);
if (((policy.Permissions & SharedAccessAccountPermissions.Update) == SharedAccessAccountPermissions.Update) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await queueWithSAS.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility), "Updating a message should fail with SAS without Update and Object-level permissions.");
await queue.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility);
}
messageResult = await queue.PeekMessageAsync();
Assert.AreEqual(newMessageContent, messageResult.AsString);
if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await queueWithSAS.ClearAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await queueWithSAS.ClearAsync(), "Clearing messages should fail with SAS without delete and Object-level permissions.");
}
}
finally
{
queueClient.GetQueueReference(queueName).DeleteIfExistsAsync().Wait();
}
}
public async Task RunPermissionsTestBlobs(SharedAccessAccountPolicy policy)
{
CloudBlobClient blobClient = GenerateCloudBlobClient();
string containerName = "c" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(blobClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, blobClient.StorageUri, null, null, null);
CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient();
CloudBlobContainer containerWithSAS = blobClientWithSAS.GetContainerReference(containerName);
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
// General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared
// Otherwise, make sure SAS fails and then do the thing with shared key.
// Things to do:
// Create the container (Create / Write perms, Container RT)
// List containers with prefix (List perms, Service RT)
// Create an append blob (Create / Write perms, Object RT)
// Append a block to append blob (Add / Write perms, Object RT)
// Read the data from the append blob (Read perms, Object RT)
// Delete the blob (Delete perms, Object RT)
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container))
{
await containerWithSAS.CreateAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await containerWithSAS.CreateAsync(), "Create a container should fail with SAS without Create or Write and Container-level permissions.");
await container.CreateAsync();
}
Assert.IsTrue(await container.ExistsAsync());
if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service))
{
ContainerResultSegment segment = await blobClientWithSAS.ListContainersSegmentedAsync(container.Name, null);
Assert.AreEqual(container.Name, segment.Results.First().Name);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => { ContainerResultSegment segment = await blobClientWithSAS.ListContainersSegmentedAsync(container.Name, null); segment.Results.First(); }, "List containers should fail with SAS without List and Service-level permissions.");
}
string blobName = "blob";
CloudAppendBlob appendBlob = container.GetAppendBlobReference(blobName);
CloudAppendBlob appendBlobWithSAS = containerWithSAS.GetAppendBlobReference(blobName);
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await appendBlobWithSAS.CreateOrReplaceAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await appendBlobWithSAS.CreateOrReplaceAsync(), "Creating an append blob should fail with SAS without Create or Write and Object-level perms.");
await appendBlob.CreateOrReplaceAsync();
}
Assert.IsTrue(await appendBlob.ExistsAsync());
string blobText = "blobText";
if ((((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
using (MemoryStream stream = new MemoryStream(Encoding.UTF8.GetBytes(blobText)))
{
await appendBlobWithSAS.AppendBlockAsync(stream);
}
}
else
{
using (MemoryStream memStream = new MemoryStream(Encoding.UTF8.GetBytes(blobText)))
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await appendBlobWithSAS.AppendBlockAsync(memStream), "Append a block to an append blob should fail with SAS without Add or Write and Object-level perms.");
memStream.Seek(0, SeekOrigin.Begin);
await appendBlob.AppendBlockAsync(memStream);
}
}
Assert.AreEqual(blobText, await appendBlob.DownloadTextAsync());
if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
Assert.AreEqual(blobText, await appendBlobWithSAS.DownloadTextAsync());
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await appendBlobWithSAS.DownloadTextAsync(), "Reading a blob's contents with SAS without Read and Object-level permissions should fail.");
}
if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await appendBlobWithSAS.DeleteAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await appendBlobWithSAS.DeleteAsync(), "Deleting a blob with SAS without Delete and Object-level perms should fail.");
await appendBlob.DeleteAsync();
}
Assert.IsFalse(await appendBlob.ExistsAsync());
}
finally
{
blobClient.GetContainerReference(containerName).DeleteIfExistsAsync().Wait();
}
}
public async Task RunPermissionsTestQueues(SharedAccessAccountPolicy policy)
{
CloudQueueClient queueClient = GenerateCloudQueueClient();
string queueName = "q" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(queueClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, null, queueClient.StorageUri, null, null);
CloudQueueClient queueClientWithSAS = accountWithSAS.CreateCloudQueueClient();
CloudQueue queueWithSAS = queueClientWithSAS.GetQueueReference(queueName);
CloudQueue queue = queueClient.GetQueueReference(queueName);
// General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared
// Otherwise, make sure SAS fails and then do the thing with shared key.
// Things to do:
// Create the queue (Create or Write perms, Container RT)
// List queues (List perms, Service RT)
// Set queue metadata (Write perms, Container RT)
// Insert a message (Add perms, Object RT)
// Peek a message (Read perms, Object RT)
// Get a message (Process perms, Object RT)
// Update a message (Update perms, Object RT)
// Clear all messages (Delete perms, Object RT)
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container))
{
await queueWithSAS.CreateAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.CreateAsync(), "Creating a queue with SAS should fail without Add and Container-level permissions.");
await queue.CreateAsync();
}
Assert.IsTrue(await queue.ExistsAsync());
if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service))
{
Assert.AreEqual(queueName, (await queueClientWithSAS.ListQueuesSegmentedAsync(queueName, null)).Results.First().Name);
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => (await queueClientWithSAS.ListQueuesSegmentedAsync(queueName, null)).Results.First(), "Listing queues with SAS should fail without Read and Service-level permissions.");
}
queueWithSAS.Metadata["metadatakey"] = "metadatavalue";
if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container))
{
await queueWithSAS.SetMetadataAsync();
await queue.FetchAttributesAsync();
Assert.AreEqual("metadatavalue", queue.Metadata["metadatakey"]);
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.SetMetadataAsync(), "Setting a queue's metadata with SAS should fail without Write and Container-level permissions.");
}
string messageText = "messageText";
CloudQueueMessage message = new CloudQueueMessage(messageText);
if (((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await queueWithSAS.AddMessageAsync(message);
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.AddMessageAsync(message), "Adding a queue message should fail with SAS without Add and Object-level permissions.");
await queue.AddMessageAsync(message);
}
Assert.AreEqual(messageText, ((await queue.PeekMessageAsync()).AsString));
if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
Assert.AreEqual(messageText, (await queueWithSAS.PeekMessageAsync()).AsString);
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.PeekMessageAsync(), "Peeking a queue message should fail with SAS without Read and Object-level permissions.");
}
CloudQueueMessage messageResult = null;
if (((policy.Permissions & SharedAccessAccountPermissions.ProcessMessages) == SharedAccessAccountPermissions.ProcessMessages) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
messageResult = await queueWithSAS.GetMessageAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.GetMessageAsync(), "Getting a message should fail with SAS without Process and Object-level permissions.");
messageResult = await queue.GetMessageAsync();
}
Assert.AreEqual(messageText, messageResult.AsString);
string newMessageContent = "new content";
messageResult.SetMessageContent(newMessageContent);
if (((policy.Permissions & SharedAccessAccountPermissions.Update) == SharedAccessAccountPermissions.Update) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await queueWithSAS.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility);
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility), "Updating a message should fail with SAS without Update and Object-level permissions.");
await queue.UpdateMessageAsync(messageResult, TimeSpan.Zero, MessageUpdateFields.Content | MessageUpdateFields.Visibility);
}
messageResult = await queue.PeekMessageAsync();
Assert.AreEqual(newMessageContent, messageResult.AsString);
if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await queueWithSAS.ClearAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await queueWithSAS.ClearAsync(), "Clearing messages should fail with SAS without delete and Object-level permissions.");
}
}
finally
{
queueClient.GetQueueReference(queueName).DeleteIfExistsAsync().Wait();
}
}
public async Task RunPermissionsTestFiles(SharedAccessAccountPolicy policy)
{
CloudFileClient fileClient = GenerateCloudFileClient();
string shareName = "s" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(fileClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, null, null, null, fileClient.StorageUri);
CloudFileClient fileClientWithSAS = accountWithSAS.CreateCloudFileClient();
CloudFileShare shareWithSAS = fileClientWithSAS.GetShareReference(shareName);
CloudFileShare share = fileClient.GetShareReference(shareName);
// General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared
// Otherwise, make sure SAS fails and then do the thing with shared key.
// Things to do:
// Create the share (Create / Write perms, Container RT)
// List shares with prefix (List perms, Service RT)
// Create a new file (Create / Write, Object RT)
// Add a range to the file (Write, Object RT)
// Read the data from the file (Read, Object RT)
// Overwrite a file (Write, Object RT)
// Delete the file (Delete perms, Object RT)
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container))
{
await shareWithSAS.CreateAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await shareWithSAS.CreateAsync(), "Creating a share with SAS should fail without Create or Write and Container-level perms.");
await share.CreateAsync();
}
Assert.IsTrue(await share.ExistsAsync());
if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service))
{
Assert.AreEqual(shareName, (await fileClientWithSAS.ListSharesSegmentedAsync(shareName, null)).Results.First().Name);
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => (await fileClientWithSAS.ListSharesSegmentedAsync(shareName, null)).Results.First(), "Listing shared with SAS should fail without List and Service-level perms.");
}
string filename = "fileName";
CloudFile fileWithSAS = shareWithSAS.GetRootDirectoryReference().GetFileReference(filename);
CloudFile file = share.GetRootDirectoryReference().GetFileReference(filename);
//Try creating credentials using SAS Uri directly
CloudFile fileWithSASUri = new CloudFile(new Uri(share.Uri + accountSASToken));
byte[] content = new byte[] { 0x1, 0x2, 0x3, 0x4 };
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await fileWithSAS.CreateAsync(content.Length);
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await fileWithSAS.CreateAsync(content.Length), "Creating a file with SAS should fail without Create or Write and Object-level perms.");
await file.CreateAsync(content.Length);
}
Assert.IsTrue(await file.ExistsAsync());
using (MemoryStream stream = new MemoryStream(content))
{
if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await fileWithSAS.WriteRangeAsync(stream, 0, null);
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await fileWithSAS.WriteRangeAsync(stream, 0, null), "Writing a range to a file with SAS should fail without Write and Object-level perms.");
stream.Seek(0, SeekOrigin.Begin);
await file.WriteRangeAsync(stream, 0, null);
}
}
byte[] result = new byte[content.Length];
await file.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length);
for (int i = 0; i < content.Length; i++)
{
Assert.AreEqual(content[i], result[i]);
}
if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
result = new byte[content.Length];
await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length);
for (int i = 0; i < content.Length; i++)
{
Assert.AreEqual(content[i], result[i]);
}
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length), "Reading a file with SAS should fail without Read and Object-level perms.");
}
if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await fileWithSAS.CreateAsync(2);
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await fileWithSAS.CreateAsync(2), "Overwriting a file with SAS should fail without Write and Object-level perms.");
await file.CreateAsync(2);
}
result = new byte[content.Length];
await file.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length);
for (int i = 0; i < content.Length; i++)
{
Assert.AreEqual(0, result[i]);
}
if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await fileWithSAS.DeleteAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync <StorageException>(async() => await fileWithSAS.DeleteAsync(), "Deleting a file with SAS should fail without Delete and Object-level perms.");
await file.DeleteAsync();
}
Assert.IsFalse(await file.ExistsAsync());
}
finally
{
fileClient.GetShareReference(shareName).DeleteIfExistsAsync().Wait();
}
}
public async Task RunPermissionsTestTables(SharedAccessAccountPolicy policy)
{
CloudTableClient tableClient = GenerateCloudTableClient();
string tableName = "t" + Guid.NewGuid().ToString("N");
ServiceProperties initialProperties = await tableClient.GetServicePropertiesAsync();
try
{
CloudStorageAccount account = new CloudStorageAccount(tableClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, null, tableClient.StorageUri, null);
CloudTableClient tableClientWithSAS = accountWithSAS.CreateCloudTableClient();
CloudTable tableWithSAS = tableClientWithSAS.GetTableReference(tableName);
CloudTable table = tableClient.GetTableReference(tableName);
// General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared
// Otherwise, make sure SAS fails and then do the thing with shared key.
// Things to do:
// Create the table (Create or Write perms, Container RT)
// List tables (List perms, Container RT)
// Set table service properties (Write perms, Service RT)
// Insert an entity (Add perms, Object RT)
// Merge an entity (Update perms, Object RT)
// Insert or merge an entity (Add and update perms, Object RT) (test this twice, once for insert, once for merge.)
// Query the table for the entity (Read perms, Object RT)
// Delete the entity (Delete perms, Object RT)
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container))
{
await tableWithSAS.CreateAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(
async () => await tableWithSAS.CreateAsync(),
"Creating a table with SAS should fail without Add and Container-level permissions.");
await table.CreateAsync();
}
Assert.IsTrue(await table.ExistsAsync());
if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container))
{
Assert.AreEqual(tableName, (await tableClientWithSAS.ListTablesSegmentedAsync(tableName, null)).First().Name);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => (await tableClientWithSAS.ListTablesSegmentedAsync(tableName, null)).Results.First(), "Listing tables with SAS should fail without Read and Container-level permissions.");
}
ServiceProperties properties = new ServiceProperties(new LoggingProperties(), new MetricsProperties(), new MetricsProperties(), new CorsProperties());
properties.Logging = initialProperties.Logging;
properties.HourMetrics = initialProperties.HourMetrics;
properties.MinuteMetrics = initialProperties.MinuteMetrics;
properties.DefaultServiceVersion = initialProperties.DefaultServiceVersion;
CorsRule rule = new CorsRule();
string sampleOriginText = "sampleOrigin";
rule.AllowedOrigins.Add(sampleOriginText);
rule.AllowedMethods = CorsHttpMethods.Get;
rule.MaxAgeInSeconds = 100;
properties.Cors.CorsRules.Add(rule);
if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service))
{
await tableClientWithSAS.SetServicePropertiesAsync(properties);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableClientWithSAS.SetServicePropertiesAsync(properties), "Setting table service properites should fail with SAS without Write and Service-level permissions.");
await tableClient.SetServicePropertiesAsync(properties);
}
Assert.AreEqual(sampleOriginText, rule.AllowedOrigins.First());
string propName = "prop";
string propName2 = "prop2";
DynamicTableEntity entity1 = new DynamicTableEntity();
string partitionKey = "PK";
string rowKeyPrefix = "RK";
entity1.PartitionKey = partitionKey;
entity1.RowKey = rowKeyPrefix + "1";
entity1.Properties = new Dictionary<string, EntityProperty>() { { propName, EntityProperty.GeneratePropertyForInt(4) } };
entity1.ETag = "*";
if (((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await tableWithSAS.ExecuteAsync(TableOperation.Insert(entity1));
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableWithSAS.ExecuteAsync(TableOperation.Insert(entity1)), "Inserting an entity should fail without Add and Object-level permissions.");
await table.ExecuteAsync(TableOperation.Insert(entity1));
}
TableQuery query = new TableQuery().Where(string.Format("(PartitionKey eq '{0}') and (RowKey eq '{1}')", entity1.PartitionKey, entity1.RowKey));
Assert.AreEqual(entity1.Properties[propName].Int32Value, table.ExecuteQuery(query).First().Properties[propName].Int32Value);
entity1.ETag = "*";
DynamicTableEntity entity1changed = new DynamicTableEntity();
entity1changed.PartitionKey = "PK";
entity1changed.RowKey = "RK1";
entity1changed.Properties = new Dictionary<string, EntityProperty>() { { propName2, EntityProperty.GeneratePropertyForInt(5) } };
entity1changed.ETag = "*";
if (((policy.Permissions & SharedAccessAccountPermissions.Update) == SharedAccessAccountPermissions.Update) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await tableWithSAS.ExecuteAsync(TableOperation.Merge(entity1changed));
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableWithSAS.ExecuteAsync(TableOperation.Merge(entity1changed)), "Merging an entity should fail without Update and Object-level permissions.");
await table.ExecuteAsync(TableOperation.Merge(entity1changed));
}
DynamicTableEntity result = table.ExecuteQuery(query).First();
Assert.AreEqual(entity1.Properties[propName].Int32Value, result.Properties[propName].Int32Value);
Assert.AreEqual(entity1changed.Properties[propName2].Int32Value, result.Properties[propName2].Int32Value);
entity1changed.ETag = "*";
DynamicTableEntity entity2 = new DynamicTableEntity();
entity2.PartitionKey = partitionKey;
entity2.RowKey = rowKeyPrefix + "2";
entity2.Properties = new Dictionary<string, EntityProperty>() { { propName, EntityProperty.GeneratePropertyForInt(4) } };
entity2.ETag = "*";
if ((((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) && ((policy.Permissions & SharedAccessAccountPermissions.Update) == SharedAccessAccountPermissions.Update)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await tableWithSAS.ExecuteAsync(TableOperation.InsertOrMerge(entity2));
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableWithSAS.ExecuteAsync(TableOperation.InsertOrMerge(entity2)), "Inserting or merging an entity should fail without Add and Update and Object-level permissions.");
await table.ExecuteAsync(TableOperation.InsertOrMerge(entity2));
}
query = new TableQuery().Where(string.Format("(PartitionKey eq '{0}') and (RowKey eq '{1}')", entity2.PartitionKey, entity2.RowKey));
Assert.AreEqual(entity2.Properties[propName].Int32Value, table.ExecuteQuery(query).First().Properties[propName].Int32Value);
entity2.ETag = "*";
DynamicTableEntity entity2changed = new DynamicTableEntity();
entity2changed.PartitionKey = partitionKey;
entity2changed.RowKey = rowKeyPrefix + "2";
entity2changed.Properties = new Dictionary<string, EntityProperty>() { { propName2, EntityProperty.GeneratePropertyForInt(5) } };
entity2changed.ETag = "*";
if ((((policy.Permissions & SharedAccessAccountPermissions.Add) == SharedAccessAccountPermissions.Add) && ((policy.Permissions & SharedAccessAccountPermissions.Update) == SharedAccessAccountPermissions.Update)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await tableWithSAS.ExecuteAsync(TableOperation.InsertOrMerge(entity2changed));
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableWithSAS.ExecuteAsync(TableOperation.InsertOrMerge(entity2changed)), "Inserting or merging an entity should fail without Add and Update and Object-level permissions.");
await table.ExecuteAsync(TableOperation.InsertOrMerge(entity2changed));
}
entity2changed.ETag = "*";
result = table.ExecuteQuery(query).First();
Assert.AreEqual(entity2.Properties[propName].Int32Value, result.Properties[propName].Int32Value);
Assert.AreEqual(entity2changed.Properties[propName2].Int32Value, result.Properties[propName2].Int32Value);
query = new TableQuery().Where(string.Format("(PartitionKey eq '{0}') and (RowKey ge '{1}') and (RowKey le '{2}')", entity1.PartitionKey, entity1.RowKey, entity2.RowKey));
if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
List<DynamicTableEntity> entities = tableWithSAS.ExecuteQuery(query).ToList();
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => (await tableWithSAS.ExecuteQuerySegmentedAsync(query, null)).ToList(), "Querying tables should fail with SAS without Read and Object-level permissions.");
}
if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await tableWithSAS.ExecuteAsync(TableOperation.Delete(entity1));
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await tableWithSAS.ExecuteAsync(TableOperation.Delete(entity1)), "Deleting an entity should fail with SAS without Delete and Object-level permissions.");
await table.ExecuteAsync(TableOperation.Delete(entity1));
}
query = new TableQuery().Where(string.Format("(PartitionKey eq '{0}') and (RowKey eq '{1}')", entity1.PartitionKey, entity1.RowKey));
Assert.IsFalse(table.ExecuteQuery(query).Any());
}
finally
{
tableClient.GetTableReference(tableName).DeleteIfExistsAsync().Wait();
if (initialProperties != null)
{
tableClient.SetServicePropertiesAsync(initialProperties).Wait();
}
}
}
/// <summary>
/// Get the SAS token for an account.
/// </summary>
/// <param name="sharedAccessAccountPolicy">Shared access policy to generate the SAS token.</param>
/// <returns>Account SAS token.</returns>
public string GetStorageAccountSASToken(SharedAccessAccountPolicy sharedAccessAccountPolicy)
{
return StorageContext.StorageAccount.GetSharedAccessSignature(sharedAccessAccountPolicy);
}
public async Task RunPermissionsTestFiles(SharedAccessAccountPolicy policy)
{
CloudFileClient fileClient = GenerateCloudFileClient();
string shareName = "s" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(fileClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, null, null, fileClient.StorageUri);
CloudFileClient fileClientWithSAS = accountWithSAS.CreateCloudFileClient();
CloudFileShare shareWithSAS = fileClientWithSAS.GetShareReference(shareName);
CloudFileShare share = fileClient.GetShareReference(shareName);
// General pattern - If current perms support doing a thing with SAS, do the thing with SAS and validate with shared
// Otherwise, make sure SAS fails and then do the thing with shared key.
// Things to do:
// Create the share (Create / Write perms, Container RT)
// List shares with prefix (List perms, Service RT)
// Create a new file (Create / Write, Object RT)
// Add a range to the file (Write, Object RT)
// Read the data from the file (Read, Object RT)
// Overwrite a file (Write, Object RT)
// Delete the file (Delete perms, Object RT)
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Container) == SharedAccessAccountResourceTypes.Container))
{
await shareWithSAS.CreateAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await shareWithSAS.CreateAsync(), "Creating a share with SAS should fail without Create or Write and Container-level perms.");
await share.CreateAsync();
}
Assert.IsTrue(await share.ExistsAsync());
if (((policy.Permissions & SharedAccessAccountPermissions.List) == SharedAccessAccountPermissions.List) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Service) == SharedAccessAccountResourceTypes.Service))
{
Assert.AreEqual(shareName, (await fileClientWithSAS.ListSharesSegmentedAsync(shareName, null)).Results.First().Name);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => (await fileClientWithSAS.ListSharesSegmentedAsync(shareName, null)).Results.First(), "Listing shared with SAS should fail without List and Service-level perms.");
}
string filename = "fileName";
CloudFile fileWithSAS = shareWithSAS.GetRootDirectoryReference().GetFileReference(filename);
CloudFile file = share.GetRootDirectoryReference().GetFileReference(filename);
byte[] content = new byte[] { 0x1, 0x2, 0x3, 0x4 };
if ((((policy.Permissions & SharedAccessAccountPermissions.Create) == SharedAccessAccountPermissions.Create) || ((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write)) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await fileWithSAS.CreateAsync(content.Length);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await fileWithSAS.CreateAsync(content.Length), "Creating a file with SAS should fail without Create or Write and Object-level perms.");
await file.CreateAsync(content.Length);
}
Assert.IsTrue(await file.ExistsAsync());
using (MemoryStream stream = new MemoryStream(content))
{
if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await fileWithSAS.WriteRangeAsync(stream, 0, null);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await fileWithSAS.WriteRangeAsync(stream, 0, null), "Writing a range to a file with SAS should fail without Write and Object-level perms.");
stream.Seek(0, SeekOrigin.Begin);
await file.WriteRangeAsync(stream, 0, null);
}
}
byte[] result = new byte[content.Length];
await file.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length);
for (int i = 0; i < content.Length; i++)
{
Assert.AreEqual(content[i], result[i]);
}
if (((policy.Permissions & SharedAccessAccountPermissions.Read) == SharedAccessAccountPermissions.Read) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
result = new byte[content.Length];
await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length);
for (int i = 0; i < content.Length; i++)
{
Assert.AreEqual(content[i], result[i]);
}
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await fileWithSAS.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length), "Reading a file with SAS should fail without Read and Object-level perms.");
}
if (((policy.Permissions & SharedAccessAccountPermissions.Write) == SharedAccessAccountPermissions.Write) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await fileWithSAS.CreateAsync(2);
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await fileWithSAS.CreateAsync(2), "Overwriting a file with SAS should fail without Write and Object-level perms.");
await file.CreateAsync(2);
}
result = new byte[content.Length];
await file.DownloadRangeToByteArrayAsync(result, 0, 0, content.Length);
for (int i = 0; i < content.Length; i++)
{
Assert.AreEqual(0, result[i]);
}
if (((policy.Permissions & SharedAccessAccountPermissions.Delete) == SharedAccessAccountPermissions.Delete) &&
((policy.ResourceTypes & SharedAccessAccountResourceTypes.Object) == SharedAccessAccountResourceTypes.Object))
{
await fileWithSAS.DeleteAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync<StorageException>(async () => await fileWithSAS.DeleteAsync(), "Deleting a file with SAS should fail without Delete and Object-level perms.");
await file.DeleteAsync();
}
Assert.IsFalse(await file.ExistsAsync());
}
finally
{
fileClient.GetShareReference(shareName).DeleteIfExistsAsync().Wait();
}
}
/// <summary>
/// Get the SAS token for an account.
/// </summary>
/// <param name="sharedAccessAccountPolicy">Shared access policy to generate the SAS token.</param>
/// <returns>Account SAS token.</returns>
public string GetStorageAccountSASToken(SharedAccessAccountPolicy sharedAccessAccountPolicy)
{
throw new NotImplementedException();
}
public async Task RunTableTest(SharedAccessAccountPolicy policy, int? httpsPort, OperationContext opContext = null)
{
CloudTableClient tableClient = GenerateCloudTableClient();
string tableName = "t" + Guid.NewGuid().ToString("N");
try
{
CloudStorageAccount account = new CloudStorageAccount(tableClient.Credentials, false);
string accountSASToken = account.GetSharedAccessSignature(policy);
StorageCredentials accountSAS = new StorageCredentials(accountSASToken);
StorageUri storageUri = tableClient.StorageUri;
if (httpsPort != null)
{
storageUri = new StorageUri(TransformSchemeAndPort(storageUri.PrimaryUri, "https", httpsPort.Value), TransformSchemeAndPort(storageUri.SecondaryUri, "https", httpsPort.Value));
}
CloudStorageAccount accountWithSAS = CloudStorageAccount.Create(accountSAS, null, null, storageUri, null);
CloudTableClient tableClientWithSAS = accountWithSAS.CreateCloudTableClient();
CloudTable tableWithSAS = tableClientWithSAS.GetTableReference(tableName);
CloudTable table = tableClient.GetTableReference(tableName);
await table.CreateAsync();
string propName = "prop";
int propValue = 4;
DynamicTableEntity entity1 = new DynamicTableEntity();
string partitionKey = "PK";
string rowKeyPrefix = "RK";
entity1.PartitionKey = partitionKey;
entity1.RowKey = rowKeyPrefix + "1";
entity1.Properties = new Dictionary<string, EntityProperty>() { { propName, EntityProperty.GeneratePropertyForInt(propValue) } };
await table.ExecuteAsync(TableOperation.Insert(entity1));
TableQuery query = new TableQuery().Where(string.Format("(PartitionKey eq '{0}') and (RowKey eq '{1}')", entity1.PartitionKey, entity1.RowKey));
Assert.AreEqual(propValue, (await tableWithSAS.ExecuteQuerySegmentedAsync(query, null, null, opContext)).Results.First().Properties[propName].Int32Value);
}
finally
{
tableClient.GetTableReference(tableName).DeleteIfExistsAsync().Wait();
}
}
/// <summary>
/// Returns a shared access signature for the account.
/// </summary>
/// <param name="policy">A <see cref="SharedAccessAccountPolicy"/> object specifying the access policy for the shared access signature.</param>
/// <returns>A shared access signature, as a URI query string.</returns>
/// <remarks>The query string returned includes the leading question mark.</remarks>
public string GetSharedAccessSignature(SharedAccessAccountPolicy policy)
{
if (!this.Credentials.IsSharedKey)
{
string errorMessage = string.Format(CultureInfo.CurrentCulture, SR.CannotCreateSASWithoutAccountKey);
throw new InvalidOperationException(errorMessage);
}
string signature = SharedAccessSignatureHelper.GetHash(policy, this.Credentials.AccountName, Constants.HeaderConstants.TargetStorageVersion, this.Credentials.Key.KeyValue);
UriQueryBuilder builder = SharedAccessSignatureHelper.GetSignature(policy, signature, this.Credentials.Key.KeyName, Constants.HeaderConstants.TargetStorageVersion);
return builder.ToString();
}
public string GetSharedAccessSignature(SharedAccessAccountPolicy policy)
{
throw new System.NotImplementedException();
}
internal static UriQueryBuilder GetSignature(
SharedAccessAccountPolicy policy,
string signature,
string accountKeyName,
string sasVersion)
{
CommonUtility.AssertNotNull("signature", signature);
CommonUtility.AssertNotNull("policy", policy);
UriQueryBuilder builder = new UriQueryBuilder();
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedVersion, sasVersion);
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKey, accountKeyName);
AddEscapedIfNotNull(builder, Constants.QueryConstants.Signature, signature);
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedProtocols, policy.Protocols == null ? null : GetProtocolString(policy.Protocols.Value));
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedIP, policy.IPAddressOrRange == null ? null : policy.IPAddressOrRange.ToString());
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedStart, GetDateTimeOrNull(policy.SharedAccessStartTime));
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedExpiry, GetDateTimeOrNull(policy.SharedAccessExpiryTime));
string resourceTypes = SharedAccessAccountPolicy.ResourceTypesToString(policy.ResourceTypes);
if (!string.IsNullOrEmpty(resourceTypes))
{
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedResourceTypes, resourceTypes);
}
string services = SharedAccessAccountPolicy.ServicesToString(policy.Services);
if (!string.IsNullOrEmpty(services))
{
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedServices, services);
}
string permissions = SharedAccessAccountPolicy.PermissionsToString(policy.Permissions);
if (!string.IsNullOrEmpty(permissions))
{
AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedPermissions, permissions);
}
return builder;
}
