private string GetContainerSASWithLighthouse(BlobServiceClient service, string storageAccount,
string storageContainer, string blobName, StorageSharedKeyCredential credential)
{
BlobSasBuilder blobSasBuilder;
BlobContainerClient container = service.GetBlobContainerClient(storageContainer);
BlobContainerAccessPolicy policy = container.GetAccessPolicy();
BlobSignedIdentifier blobSignedIdentifier = policy.SignedIdentifiers.FirstOrDefault(x => x.Id == "expiresapr");
// if stored access policy exists, use it, otherwise, specify permissions
if (blobSignedIdentifier != null)
{
blobSasBuilder = new BlobSasBuilder
{
BlobContainerName = storageContainer,
Identifier = blobSignedIdentifier.Id
};
/* load test how fast we can generate SAS token
* for (int ii = 0; ii < 100000; ++ii )
* {
* var blobSas = new BlobSasBuilder
* {
* BlobContainerName = storageContainer,
* BlobName = "abc" + ii,
* Identifier = blobSignedIdentifier.Id
* };
* var param = blobSas.ToSasQueryParameters(credential).ToString();
* }*/
}
else
{
DateTimeOffset expiresOn = DateTimeOffset.UtcNow.AddHours(2);
blobSasBuilder = new BlobSasBuilder
{
BlobContainerName = storageContainer,
ExpiresOn = expiresOn,
};
blobSasBuilder.SetPermissions(
BlobContainerSasPermissions.Read |
BlobContainerSasPermissions.Create |
BlobContainerSasPermissions.List);
}
var sasQueryParameters = blobSasBuilder.ToSasQueryParameters(credential).ToString();
String uri = String.IsNullOrEmpty(blobName) ?
String.Format("https://{0}.blob.core.windows.net/{1}?restype=container&comp=list&{2}",
storageAccount,
storageContainer,
sasQueryParameters.ToString()) :
String.Format("https://{0}.blob.core.windows.net/{1}/{2}?{3}",
storageAccount,
storageContainer,
blobName,
sasQueryParameters.ToString());
return(uri);
}
internal string SetAzureContainerStoredAccessPolicy(IStorageBlobManagement localChannel, string containerName, string policyName, DateTime?startTime, DateTime?expiryTime, string permission, bool noStartTime, bool noExpiryTime)
{
//Get container instance, Get existing permissions
CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
IEnumerable <BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;
//Set the policy with new value
BlobSignedIdentifier signedIdentifier = null;
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
if (identifier.Id == policyName)
{
signedIdentifier = identifier;
}
}
if (signedIdentifier == null)
{
throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
}
if (noStartTime)
{
signedIdentifier.AccessPolicy.PolicyStartsOn = DateTimeOffset.MinValue;
}
else if (startTime != null)
{
signedIdentifier.AccessPolicy.PolicyStartsOn = StartTime.Value.ToUniversalTime();
}
if (noExpiryTime)
{
signedIdentifier.AccessPolicy.PolicyExpiresOn = DateTimeOffset.MinValue;
}
else if (ExpiryTime != null)
{
signedIdentifier.AccessPolicy.PolicyExpiresOn = ExpiryTime.Value.ToUniversalTime();
}
if (this.Permission != null)
{
signedIdentifier.AccessPolicy.Permissions = this.Permission;
signedIdentifier.AccessPolicy.Permissions = AccessPolicyHelper.OrderBlobPermission(this.Permission);
}
//Set permissions back to container
container.SetAccessPolicy(accessPolicy.BlobPublicAccess, signedIdentifiers, BlobRequestConditions, CmdletCancellationToken);
WriteObject(AccessPolicyHelper.ConstructPolicyOutputPSObject <BlobSignedIdentifier>(signedIdentifier));
return(policyName);
}
/// <summary>
/// set the access level of specified container
/// </summary>
/// <param name="name">container name</param>
/// <param name="accessLevel">access level in ("off", "blob", "container")</param>
internal async Task SetContainerAcl(long taskId, IStorageBlobManagement localChannel, string name, BlobContainerPublicAccessType accessLevel)
{
if (!NameUtil.IsValidContainerName(name))
{
throw new ArgumentException(String.Format(Resources.InvalidContainerName, name));
}
BlobRequestOptions requestOptions = RequestOptions;
CloudBlobContainer container = localChannel.GetContainerReference(name);
BlobContainerClient containerClient = AzureStorageContainer.GetTrack2BlobContainerClient(container, this.Channel.StorageContext, ClientOptions);
// Get container permission and set the public access as input
BlobContainerAccessPolicy accessPolicy;
try
{
accessPolicy = containerClient.GetAccessPolicy(null, this.CmdletCancellationToken);
}
catch (global::Azure.RequestFailedException e) when(e.Status == 404)
{
throw new ResourceNotFoundException(String.Format(Resources.ContainerNotFound, name));
}
PublicAccessType publicAccessType = PublicAccessType.None;
switch (accessLevel)
{
case BlobContainerPublicAccessType.Blob:
publicAccessType = PublicAccessType.Blob;
break;
case BlobContainerPublicAccessType.Container:
publicAccessType = PublicAccessType.BlobContainer;
break;
case BlobContainerPublicAccessType.Off:
publicAccessType = PublicAccessType.None;
break;
default:
case BlobContainerPublicAccessType.Unknown:
throw new ArgumentOutOfRangeException("Permission");
}
await containerClient.SetAccessPolicyAsync(publicAccessType, accessPolicy.SignedIdentifiers, null, this.CmdletCancellationToken).ConfigureAwait(false);
if (PassThru)
{
AzureStorageContainer storageContainer = new AzureStorageContainer(containerClient, Channel.StorageContext);
storageContainer.SetTrack2Permission();
OutputStream.WriteObject(taskId, storageContainer);
}
}
/// <summary>
/// Get a BlobSignedIdentifier from contaienr with a specific Id
/// </summary>
public static BlobSignedIdentifier GetBlobSignedIdentifier(BlobContainerClient container, string identifierId, CancellationToken cancellationToken)
{
IEnumerable <BlobSignedIdentifier> signedIdentifiers = container.GetAccessPolicy(cancellationToken: cancellationToken).Value.SignedIdentifiers;
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
if (identifier.Id == identifierId)
{
return(identifier);
}
}
throw new ArgumentException(string.Format(Resources.InvalidAccessPolicy, identifierId));
}
public void RemoveAccessPolicyIfExists(string containerName, string policyName)
{
var container = new BlobContainerClient(connectionString, containerName);
var exisitingPolicies = container.GetAccessPolicy().Value.SignedIdentifiers.ToList();
var policyToBeRemoved = exisitingPolicies.SingleOrDefault(x => x.Id == policyName);
if (policyToBeRemoved == null)
{
return;
}
exisitingPolicies.Remove(policyToBeRemoved);
container.SetAccessPolicy(permissions: exisitingPolicies);
}
internal string CreateAzureContainerStoredAccessPolicy(IStorageBlobManagement localChannel, string containerName, string policyName, DateTime?startTime, DateTime?expiryTime, string permission)
{
if (!NameUtil.IsValidStoredAccessPolicyName(policyName))
{
throw new ArgumentException(String.Format(CultureInfo.CurrentCulture, Resources.InvalidAccessPolicyName, policyName));
}
//Get container instance, Get existing permissions
CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
IEnumerable <BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;
//Add new policy
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
if (identifier.Id == policyName)
{
throw new ResourceAlreadyExistException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyAlreadyExists, policyName));
}
}
BlobSignedIdentifier signedIdentifier = new BlobSignedIdentifier();
signedIdentifier.Id = policyName;
signedIdentifier.AccessPolicy = new BlobAccessPolicy();
if (StartTime != null)
{
signedIdentifier.AccessPolicy.PolicyStartsOn = StartTime.Value.ToUniversalTime();
}
if (ExpiryTime != null)
{
signedIdentifier.AccessPolicy.PolicyExpiresOn = ExpiryTime.Value.ToUniversalTime();
}
signedIdentifier.AccessPolicy.Permissions = AccessPolicyHelper.OrderBlobPermission(this.Permission);
var newsignedIdentifiers = new List <BlobSignedIdentifier>(signedIdentifiers);
newsignedIdentifiers.Add(signedIdentifier);
//Set permissions back to container
container.SetAccessPolicy(accessPolicy.BlobPublicAccess, newsignedIdentifiers, BlobRequestConditions, CmdletCancellationToken);
return(policyName);
}
internal bool RemoveAzureContainerStoredAccessPolicy(IStorageBlobManagement localChannel, string containerName, string policyName)
{
bool success = false;
string result = string.Empty;
//Get container instance, Get existing permissions
CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
IEnumerable <BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;
//remove policy
BlobSignedIdentifier signedIdentifier = null;
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
if (identifier.Id == policyName)
{
signedIdentifier = identifier;
}
}
if (signedIdentifier == null)
{
throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
}
if (ShouldProcess(policyName, "Remove policy"))
{
List <BlobSignedIdentifier> policyList = new List <BlobSignedIdentifier>(signedIdentifiers);
policyList.Remove(signedIdentifier);
//Set permissions back to container
container.SetAccessPolicy(accessPolicy.BlobPublicAccess, policyList, BlobRequestConditions, CmdletCancellationToken);
success = true;
}
return(success);
}
public async Task CreateSharedAccessPolicy()
{
string connectionString = this.ConnectionString;
string containerName = Randomize("sample-container");
BlobContainerClient containerClient = new BlobContainerClient(connectionString, containerName);
try
{
await containerClient.CreateIfNotExistsAsync();
#region Snippet:SampleSnippetsBlobMigration_SharedAccessPolicy
// Create one or more stored access policies.
List <BlobSignedIdentifier> signedIdentifiers = new List <BlobSignedIdentifier>
{
new BlobSignedIdentifier
{
Id = "mysignedidentifier",
AccessPolicy = new BlobAccessPolicy
{
StartsOn = DateTimeOffset.UtcNow.AddHours(-1),
ExpiresOn = DateTimeOffset.UtcNow.AddDays(1),
Permissions = "rw"
}
}
};
// Set the container's access policy.
await containerClient.SetAccessPolicyAsync(permissions : signedIdentifiers);
#endregion
BlobContainerAccessPolicy containerAccessPolicy = containerClient.GetAccessPolicy();
Assert.AreEqual(signedIdentifiers.First().Id, containerAccessPolicy.SignedIdentifiers.First().Id);
}
finally
{
await containerClient.DeleteIfExistsAsync();
}
}
public void SetTrack2Permission(BlobContainerAccessPolicy accesspolicy = null)
{
// Try to get container permission if not input it, and container not deleted
if (accesspolicy == null && (this.IsDeleted == null || !this.IsDeleted.Value))
{
try
{
accesspolicy = privateBlobContainerClient.GetAccessPolicy().Value;
}
catch (global::Azure.RequestFailedException e) when(e.Status == 403 || e.Status == 404)
{
// 404 Not found, or 403 Forbidden means we don't have permission to query the Permission of the specified container.
// Just skip return container permission in this case.
}
}
if (accesspolicy != null)
{
AccessPolicy = accesspolicy;
switch (accesspolicy.BlobPublicAccess)
{
case PublicAccessType.Blob:
PublicAccess = BlobContainerPublicAccessType.Blob;
break;
case PublicAccessType.BlobContainer:
PublicAccess = BlobContainerPublicAccessType.Container;
break;
case PublicAccessType.None:
default:
PublicAccess = BlobContainerPublicAccessType.Off;
break;
}
}
}
//-------------------------------------------------
// Set container public access level
//-------------------------------------------------
// <Snippet_SetPublicContainerPermissions>
public static void SetPublicContainerPermissions(BlobContainerClient container)
{
container.SetAccessPolicy(PublicAccessType.BlobContainer);
Console.WriteLine("Container {0} - permissions set to {1}",
container.Name, container.GetAccessPolicy().Value);
}
/// <summary>
/// set the access level of specified container
/// </summary>
/// <param name="name">container name</param>
/// <param name="accessLevel">access level in ("off", "blob", "container")</param>
internal async Task SetContainerAcl(long taskId, IStorageBlobManagement localChannel, string name, BlobContainerPublicAccessType accessLevel)
{
if (!NameUtil.IsValidContainerName(name))
{
throw new ArgumentException(String.Format(Resources.InvalidContainerName, name));
}
BlobRequestOptions requestOptions = RequestOptions;
AccessCondition accessCondition = null;
bool needUseTrack2 = false;
CloudBlobContainer container = localChannel.GetContainerReference(name);
// Get container permission and set the public access as input
BlobContainerPermissions permissions = null;
try
{
permissions = localChannel.GetContainerPermissions(container, null, requestOptions, OperationContext);
}
catch (StorageException e) when(e.IsNotFoundException())
{
throw new ResourceNotFoundException(String.Format(Resources.ContainerNotFound, name));
}
catch (StorageException e) when(e.IsConflictException())
{
// 409 Conflict, might caused by the container has an Stored access policy contains a permission that is not supported by Track1 SDK API veresion, so switch to Track2 SDK
needUseTrack2 = true;
}
if (!needUseTrack2) // Track1
{
permissions.PublicAccess = accessLevel;
await localChannel.SetContainerPermissionsAsync(container, permissions, accessCondition, requestOptions, OperationContext, CmdletCancellationToken).ConfigureAwait(false);
if (PassThru)
{
WriteCloudContainerObject(taskId, localChannel, container, permissions);
}
}
else // Track2
{
BlobContainerClient containerClient = AzureStorageContainer.GetTrack2BlobContainerClient(container, this.Channel.StorageContext, ClientOptions);
// Get container permission and set the public access as input
BlobContainerAccessPolicy accessPolicy;
accessPolicy = containerClient.GetAccessPolicy(null, this.CmdletCancellationToken);
PublicAccessType publicAccessType = PublicAccessType.None;
switch (accessLevel)
{
case BlobContainerPublicAccessType.Blob:
publicAccessType = PublicAccessType.Blob;
break;
case BlobContainerPublicAccessType.Container:
publicAccessType = PublicAccessType.BlobContainer;
break;
case BlobContainerPublicAccessType.Off:
publicAccessType = PublicAccessType.None;
break;
default:
case BlobContainerPublicAccessType.Unknown:
throw new ArgumentOutOfRangeException("Permission");
}
await containerClient.SetAccessPolicyAsync(publicAccessType, accessPolicy.SignedIdentifiers, null, this.CmdletCancellationToken).ConfigureAwait(false);
if (PassThru)
{
AzureStorageContainer storageContainer = new AzureStorageContainer(container, null);
storageContainer.Context = localChannel.StorageContext;
storageContainer.SetTrack2Permission();
OutputStream.WriteObject(taskId, storageContainer);
}
}
}
public override void ExecuteCmdlet()
{
CloudBlob blob = null;
if (ParameterSetName == BlobNamePipelineParmeterSetWithPermission ||
ParameterSetName == BlobNamePipelineParmeterSetWithPolicy)
{
blob = GetCloudBlobByName(Container, Blob);
}
else
{
blob = this.CloudBlob;
}
// When the input context is Oauth bases, can't generate normal SAS, but UserDelegationSas
bool generateUserDelegationSas = false;
if (Channel != null && Channel.StorageContext != null && Channel.StorageContext.StorageAccount.Credentials.IsToken)
{
if (ShouldProcess(blob.Name, "Generate User Delegation SAS, since input Storage Context is OAuth based."))
{
generateUserDelegationSas = true;
if (!string.IsNullOrEmpty(accessPolicyIdentifier))
{
throw new ArgumentException("When input Storage Context is OAuth based, Saved Policy is not supported.", "Policy");
}
}
else
{
return;
}
}
if (!(blob is InvalidCloudBlob) && !UseTrack2SDK())
{
SharedAccessBlobPolicy accessPolicy = new SharedAccessBlobPolicy();
bool shouldSetExpiryTime = SasTokenHelper.ValidateContainerAccessPolicy(Channel, blob.Container.Name, accessPolicy, accessPolicyIdentifier);
SetupAccessPolicy(accessPolicy, shouldSetExpiryTime);
string sasToken = GetBlobSharedAccessSignature(blob, accessPolicy, accessPolicyIdentifier, Protocol, Util.SetupIPAddressOrRangeForSAS(IPAddressOrRange), generateUserDelegationSas);
if (FullUri)
{
string fullUri = blob.SnapshotQualifiedUri.ToString();
if (blob.IsSnapshot)
{
// Since snapshot URL already has '?', need remove '?' in the first char of sas
fullUri = fullUri + "&" + sasToken.Substring(1);
}
else
{
fullUri = fullUri + sasToken;
}
WriteObject(fullUri);
}
else
{
WriteObject(sasToken);
}
}
else // Use Track2 SDk
{
BlobBaseClient blobClient;
if (this.BlobBaseClient != null)
{
blobClient = this.BlobBaseClient;
}
else
{
blobClient = AzureStorageBlob.GetTrack2BlobClient(blob, Channel.StorageContext, this.ClientOptions);
}
BlobSasBuilder sasBuilder;
if (ParameterSetName == BlobNamePipelineParmeterSetWithPolicy || ParameterSetName == BlobPipelineParameterSetWithPolicy)
{
BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(Channel.GetContainerReference(blobClient.BlobContainerName), Channel.StorageContext, ClientOptions);
IEnumerable <BlobSignedIdentifier> signedIdentifiers = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value.SignedIdentifiers;
BlobSignedIdentifier signedIdentifier = null;
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
if (identifier.Id == this.Policy)
{
signedIdentifier = identifier;
break;
}
}
if (signedIdentifier is null)
{
throw new ArgumentException(string.Format(Resources.InvalidAccessPolicy, this.Policy));
}
sasBuilder = new BlobSasBuilder
{
BlobContainerName = blobClient.BlobContainerName,
BlobName = blobClient.Name,
Identifier = this.Policy
};
if (this.StartTime != null)
{
if (signedIdentifier.AccessPolicy.StartsOn != DateTimeOffset.MinValue)
{
throw new InvalidOperationException(Resources.SignedStartTimeMustBeOmitted);
}
else
{
sasBuilder.StartsOn = this.StartTime.Value.ToUniversalTime();
}
}
if (this.ExpiryTime != null)
{
if (signedIdentifier.AccessPolicy.ExpiresOn != DateTimeOffset.MinValue)
{
throw new ArgumentException(Resources.SignedExpiryTimeMustBeOmitted);
}
else
{
sasBuilder.ExpiresOn = this.ExpiryTime.Value.ToUniversalTime();
}
}
else if (signedIdentifier.AccessPolicy.ExpiresOn == DateTimeOffset.MinValue)
{
if (sasBuilder.StartsOn != DateTimeOffset.MinValue)
{
sasBuilder.ExpiresOn = sasBuilder.StartsOn.ToUniversalTime().AddHours(1);
}
else
{
sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
}
}
if (this.Permission != null)
{
if (signedIdentifier.AccessPolicy.Permissions != null)
{
throw new ArgumentException(Resources.SignedPermissionsMustBeOmitted);
}
else
{
sasBuilder.SetPermissions(this.Permission);
}
}
}
else
{
sasBuilder = new BlobSasBuilder
{
BlobContainerName = blobClient.BlobContainerName,
BlobName = blobClient.Name,
};
sasBuilder.SetPermissions(this.Permission);
if (this.StartTime != null)
{
sasBuilder.StartsOn = this.StartTime.Value.ToUniversalTime();
}
if (this.ExpiryTime != null)
{
sasBuilder.ExpiresOn = this.ExpiryTime.Value.ToUniversalTime();
}
else
{
if (sasBuilder.StartsOn != DateTimeOffset.MinValue)
{
sasBuilder.ExpiresOn = sasBuilder.StartsOn.AddHours(1).ToUniversalTime();
}
else
{
sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
}
}
}
if (this.IPAddressOrRange != null)
{
sasBuilder.IPRange = Util.SetupIPAddressOrRangeForSASTrack2(this.IPAddressOrRange);
}
if (this.Protocol != null)
{
if (this.Protocol.Value == SharedAccessProtocol.HttpsOrHttp)
{
sasBuilder.Protocol = SasProtocol.HttpsAndHttp;
}
else //HttpsOnly
{
sasBuilder.Protocol = SasProtocol.Https;
}
}
if (Util.GetVersionIdFromBlobUri(blobClient.Uri) != null)
{
sasBuilder.BlobVersionId = Util.GetVersionIdFromBlobUri(blobClient.Uri);
}
if (Util.GetSnapshotTimeFromBlobUri(blobClient.Uri) != null)
{
sasBuilder.Snapshot = Util.GetSnapshotTimeFromBlobUri(blobClient.Uri).Value.ToString("o");
}
string sasToken = GetBlobSharedAccessSignature(blobClient, sasBuilder, generateUserDelegationSas);
if (sasToken[0] != '?')
{
sasToken = "?" + sasToken;
}
if (FullUri)
{
string fullUri = blobClient.Uri.ToString();
if (blob.IsSnapshot)
{
// Since snapshot URL already has '?', need remove '?' in the first char of sas
fullUri = fullUri + "&" + sasToken.Substring(1);
}
else
{
fullUri = fullUri + sasToken;
}
WriteObject(fullUri);
}
else
{
WriteObject(sasToken);
}
}
}
