/// <summary>
/// Writes the stored access policies of a container to the output stream: all of them, or only the one
/// named by <paramref name="policyName"/>.
/// </summary>
/// <param name="taskId">Id of the concurrent task that owns the output records.</param>
/// <param name="localChannel">Blob management channel (not read here; the cmdlet-level <c>Channel</c> is used).</param>
/// <param name="containerName">Name of the container whose policies are read.</param>
/// <param name="policyName">Policy id to return; null or empty returns every policy.</param>
/// <exception cref="ResourceNotFoundException">A policy id was given and the container has no policy with that id.</exception>
internal async Task GetAzureContainerStoredAccessPolicyAsync(long taskId, IStorageBlobManagement localChannel, string containerName, string policyName)
{
    // Resolve the Track2 container client through the Track1 reference, then read the current policy set.
    CloudBlobContainer track1Container = Channel.GetContainerReference(containerName);
    BlobContainerClient containerClient = AzureStorageContainer.GetTrack2BlobContainerClient(track1Container, Channel.StorageContext, ClientOptions);
    BlobContainerAccessPolicy containerPolicy = (await containerClient.GetAccessPolicyAsync(BlobRequestConditions, cancellationToken: CmdletCancellationToken).ConfigureAwait(false)).Value;
    IEnumerable<BlobSignedIdentifier> identifiers = containerPolicy.SignedIdentifiers;

    if (String.IsNullOrEmpty(policyName))
    {
        // No filter: emit every stored policy as its own output record.
        foreach (BlobSignedIdentifier identifier in identifiers)
        {
            OutputStream.WriteObject(taskId, AccessPolicyHelper.ConstructPolicyOutputPSObject<BlobSignedIdentifier>(identifier));
        }
        return;
    }

    // Ids are compared ordinally; when several match, the last one wins.
    BlobSignedIdentifier match = null;
    foreach (BlobSignedIdentifier identifier in identifiers)
    {
        if (identifier.Id == policyName)
        {
            match = identifier;
        }
    }

    if (match == null)
    {
        throw new ResourceNotFoundException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
    }

    OutputStream.WriteObject(taskId, AccessPolicyHelper.ConstructPolicyOutputPSObject<BlobSignedIdentifier>(match));
}
/// <summary>
/// Creates a blob SAS builder for <paramref name="blobClient"/>. When the client's URI addresses a specific
/// version or snapshot, that version id or snapshot time is copied onto the builder so the SAS is scoped to it.
/// </summary>
/// <param name="blobClient">Blob the SAS is for; supplies container name, blob name and URI.</param>
/// <param name="signedIdentifier">Stored access policy to bind to; null for an ad-hoc SAS.</param>
/// <param name="Permission">Permission string, or null.</param>
/// <param name="StartTime">Start time, or null.</param>
/// <param name="ExpiryTime">Expiry time, or null.</param>
/// <param name="iPAddressOrRange">Optional IP address or range restriction.</param>
/// <param name="Protocol">Optional protocol restriction.</param>
/// <param name="EncryptionScope">Optional encryption scope.</param>
/// <returns>The configured builder; the caller signs it.</returns>
public static BlobSasBuilder SetBlobSasBuilder_FromBlob(BlobBaseClient blobClient, BlobSignedIdentifier signedIdentifier = null, string Permission = null, DateTime? StartTime = null, DateTime? ExpiryTime = null, string iPAddressOrRange = null, SharedAccessProtocol? Protocol = null, string EncryptionScope = null)
{
    BlobSasBuilder builder = SetBlobSasBuilder(blobClient.BlobContainerName, blobClient.Name, signedIdentifier, Permission, StartTime, ExpiryTime, iPAddressOrRange, Protocol, EncryptionScope);

    Uri blobUri = blobClient.Uri;

    var versionId = Util.GetVersionIdFromBlobUri(blobUri);
    if (versionId != null)
    {
        builder.BlobVersionId = versionId;
    }

    var snapshotTime = Util.GetSnapshotTimeFromBlobUri(blobUri);
    if (snapshotTime != null)
    {
        // Formatting the UtcDateTime (Kind=Utc) with "o" yields a 'Z'-suffixed timestamp rather than "+00:00".
        builder.Snapshot = snapshotTime.Value.UtcDateTime.ToString("o");
    }

    return builder;
}
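/// <summary>
/// Builds a container-listing or blob URI that carries a SAS. If the container has the stored access policy
/// "expiresapr", the SAS is bound to it (permissions and lifetime come from the policy, and the SAS can be
/// revoked by deleting the policy); otherwise an ad-hoc read/create/list SAS valid for two hours is issued.
/// </summary>
/// <param name="service">Service client used to read the container's access policy.</param>
/// <param name="storageAccount">Account name used to form the endpoint host.</param>
/// <param name="storageContainer">Container name.</param>
/// <param name="blobName">Blob name; null or empty yields a container listing URI instead.</param>
/// <param name="credential">Shared key credential that signs the SAS.</param>
/// <returns>The full URI including the SAS query string.</returns>
private string GetContainerSASWithLighthouse(BlobServiceClient service, string storageAccount, string storageContainer, string blobName, StorageSharedKeyCredential credential)
{
    // Id of the stored access policy this helper prefers over an ad-hoc SAS.
    const string StoredPolicyId = "expiresapr";

    BlobContainerClient container = service.GetBlobContainerClient(storageContainer);
    BlobContainerAccessPolicy policy = container.GetAccessPolicy();
    BlobSignedIdentifier storedPolicy = policy.SignedIdentifiers.FirstOrDefault(x => x.Id == StoredPolicyId);

    BlobSasBuilder blobSasBuilder;
    if (storedPolicy != null)
    {
        // Bound to the stored policy: permissions and expiry are deliberately not set here, the policy supplies them.
        blobSasBuilder = new BlobSasBuilder
        {
            BlobContainerName = storageContainer,
            Identifier = storedPolicy.Id
        };
    }
    else
    {
        blobSasBuilder = new BlobSasBuilder
        {
            BlobContainerName = storageContainer,
            ExpiresOn = DateTimeOffset.UtcNow.AddHours(2),
        };
        blobSasBuilder.SetPermissions(
            BlobContainerSasPermissions.Read |
            BlobContainerSasPermissions.Create |
            BlobContainerSasPermissions.List);
    }

    string sasQueryParameters = blobSasBuilder.ToSasQueryParameters(credential).ToString();

    // NOTE(review): the host suffix is hard-coded to the public Azure cloud; sovereign clouds or custom
    // domains would need service.Uri (or a parameter) instead.
    return String.IsNullOrEmpty(blobName)
        ? $"https://{storageAccount}.blob.core.windows.net/{storageContainer}?restype=container&comp=list&{sasQueryParameters}"
        : $"https://{storageAccount}.blob.core.windows.net/{storageContainer}/{blobName}?{sasQueryParameters}";
}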
/// <summary>
/// Parses a container ACL response body into <c>SignedIdentifiers</c>. An empty body leaves the property
/// untouched. <paramref name="responseStream"/> is disposed together with the reader.
/// </summary>
/// <param name="responseStream">Response body: XML whose root holds <c>SignedIdentifier</c> elements.</param>
public async Task ParseResponseBodyAsync(System.IO.Stream responseStream)
{
    string content;
    using (StreamReader reader = new StreamReader(responseStream))
    {
        content = await reader.ReadToEndAsync();
    }

    if (content.Length == 0)
    {
        return;
    }

    // XDocument.Parse prohibits DTDs by default, so external-entity expansion is not a concern here.
    XDocument document = XDocument.Parse(content);

    // Elements are matched by local name so the response namespace does not matter; unknown children are ignored.
    List<BlobSignedIdentifier> parsed = document.Root.Elements()
        .Where(element => element.Name.LocalName == "SignedIdentifier")
        .Select(identifierElement =>
        {
            var identifier = new BlobSignedIdentifier { AccessPolicy = new BlobAccessPolicy() };
            foreach (XElement child in identifierElement.Elements())
            {
                if (child.Name.LocalName == "Id")
                {
                    identifier.Id = child.Value;
                }
                else if (child.Name.LocalName == "AccessPolicy")
                {
                    foreach (XElement policyChild in child.Elements())
                    {
                        string name = policyChild.Name.LocalName;
                        if (name == "Permission")
                        {
                            identifier.AccessPolicy.Permission = SharedAccessPermissionParse.ParseBlob(policyChild.Value);
                        }
                        else if (name == "Start")
                        {
                            identifier.AccessPolicy.StartTime = Parsers.ParseUTCDate(policyChild.Value);
                        }
                        else if (name == "Expiry")
                        {
                            identifier.AccessPolicy.Expiry = Parsers.ParseUTCDate(policyChild.Value);
                        }
                    }
                }
            }
            return identifier;
        })
        .ToList();

    SignedIdentifiers = new ReadOnlyCollection<BlobSignedIdentifier>(parsed);
}
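/// <summary>
/// Updates an existing stored access policy on a container and writes the updated policy to the pipeline.
/// </summary>
/// <param name="localChannel">Blob management channel (not read here; the cmdlet-level <c>Channel</c> is used).</param>
/// <param name="containerName">Container that owns the policy.</param>
/// <param name="policyName">Id of the policy to update.</param>
/// <param name="startTime">New start time; null keeps the current one unless <paramref name="noStartTime"/> is set.</param>
/// <param name="expiryTime">New expiry time; null keeps the current one unless <paramref name="noExpiryTime"/> is set.</param>
/// <param name="permission">New permission string; null keeps the current permissions.</param>
/// <param name="noStartTime">Clears the start time; takes precedence over <paramref name="startTime"/>.</param>
/// <param name="noExpiryTime">Clears the expiry time; takes precedence over <paramref name="expiryTime"/>.</param>
/// <returns>The policy name.</returns>
/// <exception cref="ArgumentException">No policy with <paramref name="policyName"/> exists on the container.</exception>
internal string SetAzureContainerStoredAccessPolicy(IStorageBlobManagement localChannel, string containerName, string policyName, DateTime? startTime, DateTime? expiryTime, string permission, bool noStartTime, bool noExpiryTime)
{
    // Get container instance and its current policy set.
    CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
    BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
    BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
    IEnumerable<BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;

    // Locate the policy to update (ids are compared ordinally).
    BlobSignedIdentifier signedIdentifier = null;
    foreach (BlobSignedIdentifier identifier in signedIdentifiers)
    {
        if (identifier.Id == policyName)
        {
            signedIdentifier = identifier;
            break;
        }
    }

    if (signedIdentifier == null)
    {
        throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
    }

    // Fix: this method used to read the cmdlet properties StartTime/ExpiryTime/Permission instead of its own
    // parameters, which were ignored. DateTimeOffset.MinValue is the module's marker for "no start/expiry".
    if (noStartTime)
    {
        signedIdentifier.AccessPolicy.PolicyStartsOn = DateTimeOffset.MinValue;
    }
    else if (startTime != null)
    {
        signedIdentifier.AccessPolicy.PolicyStartsOn = startTime.Value.ToUniversalTime();
    }

    if (noExpiryTime)
    {
        signedIdentifier.AccessPolicy.PolicyExpiresOn = DateTimeOffset.MinValue;
    }
    else if (expiryTime != null)
    {
        signedIdentifier.AccessPolicy.PolicyExpiresOn = expiryTime.Value.ToUniversalTime();
    }

    if (permission != null)
    {
        // Normalize to canonical permission order (the same normalization CreateAzureContainerStoredAccessPolicy applies);
        // the earlier unordered assignment was immediately overwritten and is dropped.
        signedIdentifier.AccessPolicy.Permissions = AccessPolicyHelper.OrderBlobPermission(permission);
    }

    // SetAccessPolicy replaces every policy on the container, so the whole (mutated) set is written back.
    container.SetAccessPolicy(accessPolicy.BlobPublicAccess, signedIdentifiers, BlobRequestConditions, CmdletCancellationToken);
    WriteObject(AccessPolicyHelper.ConstructPolicyOutputPSObject<BlobSignedIdentifier>(signedIdentifier));
    return policyName;
}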
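/// <summary>
/// Creates a container if it doesn't exist, ensures the named stored access policy is present with the given
/// settings, and returns a container SAS in full URI format.
/// </summary>
/// <param name="account">Storage account name.</param>
/// <param name="key">Storage account key.</param>
/// <param name="blobUri">Blob endpoint URI.</param>
/// <param name="containerName">Name of the container to be created.</param>
/// <param name="policy">Id of the stored access policy.</param>
/// <param name="start">Start time of the policy and of the SAS.</param>
/// <param name="end">Expiry time of the policy and of the SAS.</param>
/// <param name="permissions">Blob access permissions string.</param>
/// <returns>The SAS for the container, in full URI format.</returns>
private static async Task<string> CreateContainerWithPolicySASIfNotExistAsync(string account, string key, Uri blobUri, string containerName, string policy, DateTime start, DateTime end, string permissions)
{
    // 1. form the credential and initial client
    StagingStorageAccount stagingCredentials = new StagingStorageAccount(account, key, blobUri.ToString());
    StorageSharedKeyCredential sharedKeyCredentials = new StorageSharedKeyCredential(account, key);
    BlobContainerClient containerClient = BlobUtilities.GetBlobContainerClient(containerName, stagingCredentials);

    // 2. create container if it doesn't exist (async variant: no blocking call inside an async method)
    await containerClient.CreateIfNotExistsAsync();

    // 3. validate policy, create/overwrite if it doesn't match
    BlobSignedIdentifier identifier = new BlobSignedIdentifier
    {
        Id = policy,
        AccessPolicy = new BlobAccessPolicy
        {
            Permissions = permissions,
            StartsOn = start,
            ExpiresOn = end,
        },
    };

    var accessPolicy = (await containerClient.GetAccessPolicyAsync()).Value;

    // Fix: BlobSignedIdentifier has reference equality, so `i == identifier` against a freshly built object
    // was always false and the policy was rewritten on every call. Compare the fields instead.
    bool policyFound = accessPolicy.SignedIdentifiers.Any(i =>
        i.Id == identifier.Id
        && i.AccessPolicy != null
        && i.AccessPolicy.Permissions == identifier.AccessPolicy.Permissions
        && i.AccessPolicy.StartsOn == identifier.AccessPolicy.StartsOn
        && i.AccessPolicy.ExpiresOn == identifier.AccessPolicy.ExpiresOn);

    if (!policyFound)
    {
        // SetAccessPolicy replaces the whole identifier set, so carry the other policies over and replace
        // only the one with this id (previously every other policy on the container was dropped).
        List<BlobSignedIdentifier> identifiers = accessPolicy.SignedIdentifiers
            .Where(i => i.Id != identifier.Id)
            .ToList();
        identifiers.Add(identifier);

        // NOTE(review): PublicAccessType.BlobContainer enables anonymous read of the container and all of its
        // blobs in addition to the stored policy. Confirm that is intended; PublicAccessType.None (or the
        // current accessPolicy.BlobPublicAccess) keeps access SAS-only.
        await containerClient.SetAccessPolicyAsync(PublicAccessType.BlobContainer, permissions: identifiers);
    }

    // 4. build the SAS. It carries its own start/expiry/permissions rather than the policy's Identifier,
    //    so deleting the policy does not revoke it.
    BlobSasBuilder sasBuilder = new BlobSasBuilder
    {
        BlobContainerName = containerName,
        StartsOn = start,
        ExpiresOn = end,
    };
    sasBuilder.SetPermissions(permissions);

    BlobUriBuilder builder = new BlobUriBuilder(containerClient.Uri)
    {
        Sas = sasBuilder.ToSasQueryParameters(sharedKeyCredentials)
    };
    return builder.ToString();
}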
/// <summary>
/// Creates a container-level SAS builder for <paramref name="container"/> by delegating to
/// <see cref="SetBlobSasBuilder"/> with no blob name. No encryption scope is passed, so the builder's default applies.
/// </summary>
/// <param name="container">Container the SAS is scoped to; only its name is used.</param>
/// <param name="signedIdentifier">Stored access policy to bind to; null for an ad-hoc SAS.</param>
/// <param name="Permission">Permission string, or null.</param>
/// <param name="StartTime">Start time, or null.</param>
/// <param name="ExpiryTime">Expiry time, or null.</param>
/// <param name="iPAddressOrRange">Optional IP address or range restriction.</param>
/// <param name="Protocol">Optional protocol restriction.</param>
/// <returns>The configured builder; the caller signs it.</returns>
public static BlobSasBuilder SetBlobSasBuilder_FromContainer(BlobContainerClient container, BlobSignedIdentifier signedIdentifier = null, string Permission = null, DateTime? StartTime = null, DateTime? ExpiryTime = null, string iPAddressOrRange = null, SharedAccessProtocol? Protocol = null)
{
    // A container SAS is a blob SAS with a null blob name; all option handling lives in SetBlobSasBuilder.
    return SetBlobSasBuilder(
        containerName: container.Name,
        blobName: null,
        signedIdentifier: signedIdentifier,
        Permission: Permission,
        StartTime: StartTime,
        ExpiryTime: ExpiryTime,
        iPAddressOrRange: iPAddressOrRange,
        Protocol: Protocol);
}
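/// <summary>
/// Adds a new stored access policy to a container.
/// </summary>
/// <param name="localChannel">Blob management channel (not read here; the cmdlet-level <c>Channel</c> is used).</param>
/// <param name="containerName">Container that receives the policy.</param>
/// <param name="policyName">Id of the new policy; must pass <c>NameUtil.IsValidStoredAccessPolicyName</c>.</param>
/// <param name="startTime">Policy start time, or null for none.</param>
/// <param name="expiryTime">Policy expiry time, or null for none.</param>
/// <param name="permission">Permission string; normalized to canonical order before it is stored.</param>
/// <returns>The policy name.</returns>
/// <exception cref="ArgumentException">The policy name is not a valid stored access policy name.</exception>
/// <exception cref="ResourceAlreadyExistException">The container already has a policy with this id.</exception>
internal string CreateAzureContainerStoredAccessPolicy(IStorageBlobManagement localChannel, string containerName, string policyName, DateTime? startTime, DateTime? expiryTime, string permission)
{
    if (!NameUtil.IsValidStoredAccessPolicyName(policyName))
    {
        throw new ArgumentException(String.Format(CultureInfo.CurrentCulture, Resources.InvalidAccessPolicyName, policyName));
    }

    // Get container instance and its current policy set.
    CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
    BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
    BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
    IEnumerable<BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;

    // Reject a duplicate id (ordinal comparison) before touching anything.
    foreach (BlobSignedIdentifier identifier in signedIdentifiers)
    {
        if (identifier.Id == policyName)
        {
            throw new ResourceAlreadyExistException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyAlreadyExists, policyName));
        }
    }

    // Fix: this method used to read the cmdlet properties StartTime/ExpiryTime/Permission instead of its own
    // parameters, which were ignored.
    BlobSignedIdentifier signedIdentifier = new BlobSignedIdentifier
    {
        Id = policyName,
        AccessPolicy = new BlobAccessPolicy()
    };

    if (startTime != null)
    {
        signedIdentifier.AccessPolicy.PolicyStartsOn = startTime.Value.ToUniversalTime();
    }

    if (expiryTime != null)
    {
        signedIdentifier.AccessPolicy.PolicyExpiresOn = expiryTime.Value.ToUniversalTime();
    }

    signedIdentifier.AccessPolicy.Permissions = AccessPolicyHelper.OrderBlobPermission(permission);

    // SetAccessPolicy replaces the whole set, so append to a copy of the existing identifiers.
    var newSignedIdentifiers = new List<BlobSignedIdentifier>(signedIdentifiers) { signedIdentifier };
    container.SetAccessPolicy(accessPolicy.BlobPublicAccess, newSignedIdentifiers, BlobRequestConditions, CmdletCancellationToken);
    return policyName;
}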
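/// <summary>
/// Removes a stored access policy from a container after <c>ShouldProcess</c> confirmation.
/// </summary>
/// <param name="localChannel">Blob management channel (not read here; the cmdlet-level <c>Channel</c> is used).</param>
/// <param name="containerName">Container that owns the policy.</param>
/// <param name="policyName">Id of the policy to remove.</param>
/// <returns>True when the policy was removed; false when the user declined the confirmation.</returns>
/// <exception cref="ArgumentException">No policy with <paramref name="policyName"/> exists on the container.</exception>
internal bool RemoveAzureContainerStoredAccessPolicy(IStorageBlobManagement localChannel, string containerName, string policyName)
{
    // Get container instance and its current policy set.
    CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
    BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
    BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
    IEnumerable<BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;

    // Locate the policy to remove (ids are compared ordinally).
    BlobSignedIdentifier signedIdentifier = null;
    foreach (BlobSignedIdentifier identifier in signedIdentifiers)
    {
        if (identifier.Id == policyName)
        {
            signedIdentifier = identifier;
            break;
        }
    }

    if (signedIdentifier == null)
    {
        throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
    }

    // Honour -WhatIf / -Confirm before the destructive write.
    if (!ShouldProcess(policyName, "Remove policy"))
    {
        return false;
    }

    // SetAccessPolicy replaces the whole set, so write back a copy without the removed identifier.
    // (The unused `result` local of the original is dropped.)
    List<BlobSignedIdentifier> policyList = new List<BlobSignedIdentifier>(signedIdentifiers);
    policyList.Remove(signedIdentifier);
    container.SetAccessPolicy(accessPolicy.BlobPublicAccess, policyList, BlobRequestConditions, CmdletCancellationToken);
    return true;
}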
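/// <summary>
/// Creates a blob SAS builder (a container SAS builder when <paramref name="blobName"/> is null), either bound
/// to a stored access policy or carrying ad-hoc permission / start / expiry values.
/// </summary>
/// <param name="containerName">Container the SAS is scoped to.</param>
/// <param name="blobName">Blob the SAS is scoped to; null for a container SAS.</param>
/// <param name="signedIdentifier">Stored access policy to bind to; null for an ad-hoc SAS.</param>
/// <param name="Permission">Permission string. With a stored policy it may only be given when the policy has none.</param>
/// <param name="StartTime">Start time. With a stored policy it may only be given when the policy has none.</param>
/// <param name="ExpiryTime">Expiry time. With a stored policy it may only be given when the policy has none.
/// When neither supplies one, the SAS expires one hour after its start (or one hour from now).</param>
/// <param name="iPAddressOrRange">Optional IP address or range restriction.</param>
/// <param name="Protocol">Optional protocol restriction; anything other than HttpsOrHttp means HTTPS only.</param>
/// <param name="EncryptionScope">Optional encryption scope.</param>
/// <returns>The configured builder; the caller signs it.</returns>
/// <exception cref="InvalidOperationException">A start time was given but the stored policy already has one.</exception>
/// <exception cref="ArgumentException">An expiry time or permission was given but the stored policy already has one.</exception>
public static BlobSasBuilder SetBlobSasBuilder(string containerName, string blobName = null, BlobSignedIdentifier signedIdentifier = null, string Permission = null, DateTime? StartTime = null, DateTime? ExpiryTime = null, string iPAddressOrRange = null, SharedAccessProtocol? Protocol = null, string EncryptionScope = null)
{
    BlobSasBuilder sasBuilder = signedIdentifier != null
        ? BuildSasBuilderFromStoredPolicy(containerName, blobName, signedIdentifier, Permission, StartTime, ExpiryTime)
        : BuildAdHocSasBuilder(containerName, blobName, Permission, StartTime, ExpiryTime);

    ApplySasBuilderRestrictions(sasBuilder, iPAddressOrRange, Protocol, EncryptionScope);
    return sasBuilder;
}

/// <summary>
/// Builds a SAS that references a stored access policy. Values the policy already fixes must not be repeated
/// by the caller; an expiry is defaulted when neither the policy nor the caller supplies one.
/// </summary>
private static BlobSasBuilder BuildSasBuilderFromStoredPolicy(string containerName, string blobName, BlobSignedIdentifier signedIdentifier, string Permission, DateTime? StartTime, DateTime? ExpiryTime)
{
    BlobSasBuilder sasBuilder = new BlobSasBuilder
    {
        BlobContainerName = containerName,
        BlobName = blobName,
        Identifier = signedIdentifier.Id
    };

    BlobAccessPolicy policy = signedIdentifier.AccessPolicy;

    // DateTimeOffset.MinValue and null both mean "not set" for policy times in this module.
    // Consistency fix: the start check previously read the obsolete non-nullable StartsOn while the expiry
    // check read PolicyExpiresOn; both now use the nullable Policy* members.
    bool policyHasStart = policy.PolicyStartsOn != null && policy.PolicyStartsOn != DateTimeOffset.MinValue;
    bool policyHasExpiry = policy.PolicyExpiresOn != null && policy.PolicyExpiresOn != DateTimeOffset.MinValue;

    if (StartTime != null)
    {
        if (policyHasStart)
        {
            throw new InvalidOperationException(Resources.SignedStartTimeMustBeOmitted);
        }
        sasBuilder.StartsOn = StartTime.Value.ToUniversalTime();
    }

    if (ExpiryTime != null)
    {
        if (policyHasExpiry)
        {
            throw new ArgumentException(Resources.SignedExpiryTimeMustBeOmitted);
        }
        sasBuilder.ExpiresOn = ExpiryTime.Value.ToUniversalTime();
    }
    else if (!policyHasExpiry)
    {
        // Neither the policy nor the caller provides an expiry: default to one hour, as the ad-hoc path does.
        // (Previously only a MinValue policy expiry defaulted; a null one fell through and the SAS had no expiry.)
        sasBuilder.ExpiresOn = sasBuilder.StartsOn != DateTimeOffset.MinValue
            ? sasBuilder.StartsOn.ToUniversalTime().AddHours(1)
            : DateTimeOffset.UtcNow.AddHours(1);
    }

    if (Permission != null)
    {
        if (policy.Permissions != null)
        {
            throw new ArgumentException(Resources.SignedPermissionsMustBeOmitted);
        }
        sasBuilder = SetBlobPermission(sasBuilder, Permission);
    }

    return sasBuilder;
}

/// <summary>
/// Builds a SAS from caller-supplied permission, start and expiry; the expiry defaults to one hour after the
/// start (or one hour from now) when not given.
/// </summary>
private static BlobSasBuilder BuildAdHocSasBuilder(string containerName, string blobName, string Permission, DateTime? StartTime, DateTime? ExpiryTime)
{
    BlobSasBuilder sasBuilder = new BlobSasBuilder
    {
        BlobContainerName = containerName,
        BlobName = blobName,
    };
    sasBuilder = SetBlobPermission(sasBuilder, Permission);

    if (StartTime != null)
    {
        sasBuilder.StartsOn = StartTime.Value.ToUniversalTime();
    }

    if (ExpiryTime != null)
    {
        sasBuilder.ExpiresOn = ExpiryTime.Value.ToUniversalTime();
    }
    else
    {
        sasBuilder.ExpiresOn = sasBuilder.StartsOn != DateTimeOffset.MinValue
            ? sasBuilder.StartsOn.AddHours(1).ToUniversalTime()
            : DateTimeOffset.UtcNow.AddHours(1);
    }

    return sasBuilder;
}

/// <summary>Applies the restrictions shared by both SAS kinds: IP range, protocol and encryption scope.</summary>
private static void ApplySasBuilderRestrictions(BlobSasBuilder sasBuilder, string iPAddressOrRange, SharedAccessProtocol? Protocol, string EncryptionScope)
{
    if (iPAddressOrRange != null)
    {
        sasBuilder.IPRange = Util.SetupIPAddressOrRangeForSASTrack2(iPAddressOrRange);
    }

    if (Protocol != null)
    {
        // The non-HttpsOrHttp branch is HttpsOnly.
        sasBuilder.Protocol = Protocol.Value == SharedAccessProtocol.HttpsOrHttp
            ? SasProtocol.HttpsAndHttp
            : SasProtocol.Https;
    }

    if (EncryptionScope != null)
    {
        sasBuilder.EncryptionScope = EncryptionScope;
    }
}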
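/// <summary>
/// Generates a blob SAS token (or the blob URI with the token appended when <c>FullUri</c> is set). An OAuth
/// storage context yields a user delegation SAS after <c>ShouldProcess</c> confirmation and cannot be combined
/// with a stored access policy. The Track1 SDK is used unless the blob is an <c>InvalidCloudBlob</c> or
/// <c>UseTrack2Sdk()</c> is true.
/// </summary>
/// <exception cref="ArgumentException">A stored policy was requested together with an OAuth context.</exception>
public override void ExecuteCmdlet()
{
    CloudBlob blob = (ParameterSetName == BlobNamePipelineParmeterSetWithPermission || ParameterSetName == BlobNamePipelineParmeterSetWithPolicy)
        ? GetCloudBlobByName(Container, Blob)
        : this.CloudBlob;

    // An OAuth (token) context cannot sign a shared-key SAS, only a user delegation SAS; the user confirms
    // that switch. Stored access policies do not apply to user delegation SAS.
    bool generateUserDelegationSas = false;
    if (Channel != null && Channel.StorageContext != null && Channel.StorageContext.StorageAccount.Credentials.IsToken)
    {
        if (!ShouldProcess(blob.Name, "Generate User Delegation SAS, since input Storage Context is OAuth based."))
        {
            return;
        }

        generateUserDelegationSas = true;
        if (!string.IsNullOrEmpty(accessPolicyIdentifier))
        {
            throw new ArgumentException("When input Storage Context is OAuth based, Saved Policy is not supported.", "Policy");
        }
    }

    if (!(blob is InvalidCloudBlob) && !UseTrack2Sdk())
    {
        // Track1 path: validate the policy against the container, then sign.
        SharedAccessBlobPolicy accessPolicy = new SharedAccessBlobPolicy();
        bool shouldSetExpiryTime = SasTokenHelper.ValidateContainerAccessPolicy(Channel, blob.Container.Name, accessPolicy, accessPolicyIdentifier);
        SetupAccessPolicy(accessPolicy, shouldSetExpiryTime);
        string sasToken = GetBlobSharedAccessSignature(blob, accessPolicy, accessPolicyIdentifier, Protocol, Util.SetupIPAddressOrRangeForSAS(IPAddressOrRange), generateUserDelegationSas);
        WriteSasResult(blob.SnapshotQualifiedUri.ToString(), blob.IsSnapshot, sasToken);
        return;
    }

    // Track2 path
    BlobBaseClient blobClient = this.BlobBaseClient ?? AzureStorageBlob.GetTrack2BlobClient(blob, Channel.StorageContext, this.ClientOptions);

    // Resolve the container's saved policy when a policy parameter set is in use.
    BlobSignedIdentifier identifier = null;
    if (ParameterSetName == BlobNamePipelineParmeterSetWithPolicy || ParameterSetName == BlobPipelineParameterSetWithPolicy)
    {
        BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(Channel.GetContainerReference(blobClient.BlobContainerName), Channel.StorageContext, ClientOptions);
        identifier = SasTokenHelper.GetBlobSignedIdentifier(container, this.Policy, CmdletCancellationToken);
    }

    BlobSasBuilder sasBuilder = SasTokenHelper.SetBlobSasBuilder_FromBlob(blobClient, identifier, this.Permission, this.StartTime, this.ExpiryTime, this.IPAddressOrRange, this.Protocol);

    string track2SasToken = SasTokenHelper.GetBlobSharedAccessSignature(Channel.StorageContext, sasBuilder, generateUserDelegationSas, ClientOptions, CmdletCancellationToken);
    // Normalize to a leading '?' (the original indexed sasToken[0], which throws on an empty token).
    if (!track2SasToken.StartsWith("?", StringComparison.Ordinal))
    {
        track2SasToken = "?" + track2SasToken;
    }
    WriteSasResult(blobClient.Uri.ToString(), blob.IsSnapshot, track2SasToken);
}

/// <summary>
/// Writes either the bare SAS token or <paramref name="blobUri"/> with the token appended, per <c>FullUri</c>.
/// </summary>
/// <param name="blobUri">Blob URI to append the token to.</param>
/// <param name="isSnapshot">True when the URI already has a query string (snapshot), so the token joins with '&amp;'.</param>
/// <param name="sasToken">SAS token starting with '?'.</param>
private void WriteSasResult(string blobUri, bool isSnapshot, string sasToken)
{
    if (!FullUri)
    {
        WriteObject(sasToken);
        return;
    }

    // A snapshot URL already has '?', so drop the token's leading '?' and join with '&'.
    string fullUri = isSnapshot
        ? blobUri + "&" + sasToken.Substring(1)
        : blobUri + sasToken;
    WriteObject(fullUri);
}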
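/// <summary>
/// Asserts that <paramref name="sharedAccessPolicies"/> holds a policy whose key matches
/// <paramref name="expectedIdentifier"/>'s id (case-insensitively) with the same start and expiry and at
/// least the given <paramref name="permissions"/>.
/// </summary>
/// <param name="sharedAccessPolicies">Policies read back from the container (Track1 type).</param>
/// <param name="expectedIdentifier">Identifier the policy was created from.</param>
/// <param name="permissions">Permission flags the stored policy must include.</param>
protected void AssertIdentifierInSharedAccessPolicies(Microsoft.WindowsAzure.Storage.Blob.SharedAccessBlobPolicies sharedAccessPolicies, BlobSignedIdentifier expectedIdentifier, Microsoft.WindowsAzure.Storage.Blob.SharedAccessBlobPermissions permissions)
{
    // Policy ids are identifiers, not linguistic text, so compare them ordinally.
    var policy = sharedAccessPolicies.FirstOrDefault(i => i.Key.Equals(expectedIdentifier.Id, StringComparison.OrdinalIgnoreCase));

    // Fix: FirstOrDefault over a dictionary yields a KeyValuePair struct, which is never null, so the previous
    // Assert.IsNotNull(policy) always passed and a missing policy surfaced as a NullReferenceException below.
    // Value is a reference type and is null for the default pair, so assert on it instead.
    Assert.IsNotNull(policy.Value, $"Stored access policy '{expectedIdentifier.Id}' was not found on the container.");

    Assert.AreEqual(expectedIdentifier.AccessPolicy.StartTime, policy.Value.SharedAccessStartTime.Value.UtcDateTime);
    Assert.AreEqual(expectedIdentifier.AccessPolicy.Expiry, policy.Value.SharedAccessExpiryTime.Value.UtcDateTime);
    Assert.IsTrue(policy.Value.Permissions.HasFlag(permissions));
}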
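/// <summary>
/// Returns the container client, creating the container (no public access) and its read-only "download"
/// access policy on first use. The whole sequence is retried up to <c>MaxFullLoopRetries</c> times; when every
/// attempt fails an error is logged and null is returned.
/// </summary>
/// <param name="ct">Cancellation token for the service calls. Cancellation propagates instead of being retried.</param>
/// <returns>The ready container client, or null when all attempts failed.</returns>
private async Task<BlobContainerClient> GetClient(CancellationToken ct)
{
    if (_client == null)
    {
        BlobServiceClient serviceClient = new BlobServiceClient(AccountBlobUri, AccountCredential, BlobOptions);
        _logger.LogInformation($"Attempting to connect to {serviceClient.Uri} to store blobs.");

        BlobContainerClient newClient;
        int attemptCt = 0;
        do
        {
            try
            {
                newClient = serviceClient.GetBlobContainerClient(_containerName);
                if (!(await newClient.ExistsAsync(ct)).Value)
                {
                    // No anonymous access: blobs are reachable only through SAS tokens minted from the policy below.
                    newClient = await serviceClient.CreateBlobContainerAsync(_containerName, PublicAccessType.None, metadata: null, ct);
                }
            }
            catch (Exception ex) when (!(ex is OperationCanceledException))
            {
                // Fix: a cancelled token was previously swallowed here and retried; it now propagates.
                // NOTE(review): the message says "retrying with new name" but the same _containerName is used on every attempt.
                _logger.LogWarning(ex, $"Failed to create or access {_containerName}, retrying with new name.");
                continue;
            }

            try
            {
                // Single reference instant so the policy's start and expiry are derived from the same clock reading.
                DateTime baseTime = DateTime.UtcNow;

                // Write the read-only "download" policy. SAS tokens are minted against this policy, so their
                // permissions and lifetime can later be changed (or revoked) by editing the policy instead of
                // reissuing tokens. SetAccessPolicy replaces any identifiers already on the container.
                BlobSignedIdentifier downloadPolicyIdentifier = new BlobSignedIdentifier()
                {
                    Id = AccessPolicyDownloadId,
                    AccessPolicy = new BlobAccessPolicy()
                    {
                        Permissions = "r",
                        // Pad both ends by the allowed clock skew so slightly drifted clients still validate.
                        PolicyStartsOn = new DateTimeOffset(baseTime.AddSeconds(-ClockSkewSec)),
                        PolicyExpiresOn = new DateTimeOffset(baseTime.AddDays(_sasValidDays).AddSeconds(ClockSkewSec)),
                    }
                };

                _logger.LogInformation($"Writing download access policy: {AccessPolicyDownloadId} to {_containerName}.");
                await newClient.SetAccessPolicyAsync(PublicAccessType.None, new BlobSignedIdentifier[] { downloadPolicyIdentifier }, cancellationToken: ct);
            }
            catch (Exception ex) when (!(ex is OperationCanceledException))
            {
                _logger.LogWarning(ex, $"Failed to write access policy for {_containerName}, retrying.");
                continue;
            }

            _logger.LogInformation($"Container {_containerName} is ready.");
            _client = newClient;
            break;
        } while (++attemptCt < MaxFullLoopRetries);
    }

    if (_client == null)
    {
        _logger.LogError("Failed to create or access container for publishing drop.");
    }

    return _client;
}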
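/// <summary>
/// Generates a blob SAS token (or the blob URI with the token appended when <c>FullUri</c> is set). An OAuth
/// storage context yields a user delegation SAS after <c>ShouldProcess</c> confirmation and cannot be combined
/// with a stored access policy. The Track1 SDK is used unless the blob is an <c>InvalidCloudBlob</c> or
/// <c>UseTrack2SDK()</c> is true.
/// </summary>
/// <exception cref="ArgumentException">A stored policy was requested with an OAuth context, the named policy does
/// not exist on the container, or an expiry/permission was supplied that the stored policy already fixes.</exception>
/// <exception cref="InvalidOperationException">A start time was supplied but the stored policy already has one.</exception>
public override void ExecuteCmdlet()
{
    CloudBlob blob = (ParameterSetName == BlobNamePipelineParmeterSetWithPermission || ParameterSetName == BlobNamePipelineParmeterSetWithPolicy)
        ? GetCloudBlobByName(Container, Blob)
        : this.CloudBlob;

    // An OAuth (token) context cannot sign a shared-key SAS, only a user delegation SAS; the user confirms
    // that switch. Stored access policies do not apply to user delegation SAS.
    bool generateUserDelegationSas = false;
    if (Channel != null && Channel.StorageContext != null && Channel.StorageContext.StorageAccount.Credentials.IsToken)
    {
        if (!ShouldProcess(blob.Name, "Generate User Delegation SAS, since input Storage Context is OAuth based."))
        {
            return;
        }

        generateUserDelegationSas = true;
        if (!string.IsNullOrEmpty(accessPolicyIdentifier))
        {
            throw new ArgumentException("When input Storage Context is OAuth based, Saved Policy is not supported.", "Policy");
        }
    }

    if (!(blob is InvalidCloudBlob) && !UseTrack2SDK())
    {
        // Track1 path: validate the policy against the container, then sign.
        SharedAccessBlobPolicy accessPolicy = new SharedAccessBlobPolicy();
        bool shouldSetExpiryTime = SasTokenHelper.ValidateContainerAccessPolicy(Channel, blob.Container.Name, accessPolicy, accessPolicyIdentifier);
        SetupAccessPolicy(accessPolicy, shouldSetExpiryTime);
        string sasToken = GetBlobSharedAccessSignature(blob, accessPolicy, accessPolicyIdentifier, Protocol, Util.SetupIPAddressOrRangeForSAS(IPAddressOrRange), generateUserDelegationSas);
        WriteSasResult(blob.SnapshotQualifiedUri.ToString(), blob.IsSnapshot, sasToken);
        return;
    }

    // Track2 path
    BlobBaseClient blobClient = this.BlobBaseClient ?? AzureStorageBlob.GetTrack2BlobClient(blob, Channel.StorageContext, this.ClientOptions);

    bool usesStoredPolicy = ParameterSetName == BlobNamePipelineParmeterSetWithPolicy || ParameterSetName == BlobPipelineParameterSetWithPolicy;
    BlobSasBuilder sasBuilder = usesStoredPolicy
        ? BuildSasBuilderFromStoredPolicy(blobClient)
        : BuildAdHocSasBuilder(blobClient);
    ApplySasBuilderOptions(sasBuilder, blobClient);

    string track2SasToken = GetBlobSharedAccessSignature(blobClient, sasBuilder, generateUserDelegationSas);
    // Normalize to a leading '?' (the original indexed sasToken[0], which throws on an empty token).
    if (!track2SasToken.StartsWith("?", StringComparison.Ordinal))
    {
        track2SasToken = "?" + track2SasToken;
    }
    WriteSasResult(blobClient.Uri.ToString(), blob.IsSnapshot, track2SasToken);
}

/// <summary>
/// Builds a SAS bound to the container's stored access policy named by <c>Policy</c>. Values the policy already
/// fixes must not be repeated, and an expiry is defaulted when neither the policy nor the caller has one.
/// </summary>
/// <param name="blobClient">Blob the SAS is for; its container is where the policy is looked up.</param>
private BlobSasBuilder BuildSasBuilderFromStoredPolicy(BlobBaseClient blobClient)
{
    BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(Channel.GetContainerReference(blobClient.BlobContainerName), Channel.StorageContext, ClientOptions);
    IEnumerable<BlobSignedIdentifier> signedIdentifiers = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value.SignedIdentifiers;

    // Ids are compared ordinally; the first match wins.
    BlobSignedIdentifier signedIdentifier = null;
    foreach (BlobSignedIdentifier identifier in signedIdentifiers)
    {
        if (identifier.Id == this.Policy)
        {
            signedIdentifier = identifier;
            break;
        }
    }

    if (signedIdentifier is null)
    {
        throw new ArgumentException(string.Format(Resources.InvalidAccessPolicy, this.Policy));
    }

    BlobSasBuilder sasBuilder = new BlobSasBuilder
    {
        BlobContainerName = blobClient.BlobContainerName,
        BlobName = blobClient.Name,
        Identifier = this.Policy
    };

    // DateTimeOffset.MinValue is the module's "not set" marker for policy times.
    if (this.StartTime != null)
    {
        if (signedIdentifier.AccessPolicy.StartsOn != DateTimeOffset.MinValue)
        {
            throw new InvalidOperationException(Resources.SignedStartTimeMustBeOmitted);
        }
        sasBuilder.StartsOn = this.StartTime.Value.ToUniversalTime();
    }

    if (this.ExpiryTime != null)
    {
        if (signedIdentifier.AccessPolicy.ExpiresOn != DateTimeOffset.MinValue)
        {
            throw new ArgumentException(Resources.SignedExpiryTimeMustBeOmitted);
        }
        sasBuilder.ExpiresOn = this.ExpiryTime.Value.ToUniversalTime();
    }
    else if (signedIdentifier.AccessPolicy.ExpiresOn == DateTimeOffset.MinValue)
    {
        // Neither side supplies an expiry: default to one hour after the start (or one hour from now).
        sasBuilder.ExpiresOn = sasBuilder.StartsOn != DateTimeOffset.MinValue
            ? sasBuilder.StartsOn.ToUniversalTime().AddHours(1)
            : DateTimeOffset.UtcNow.AddHours(1);
    }

    if (this.Permission != null)
    {
        if (signedIdentifier.AccessPolicy.Permissions != null)
        {
            throw new ArgumentException(Resources.SignedPermissionsMustBeOmitted);
        }
        sasBuilder.SetPermissions(this.Permission);
    }

    return sasBuilder;
}

/// <summary>
/// Builds a SAS from the cmdlet's Permission / StartTime / ExpiryTime; the expiry defaults to one hour after
/// the start (or one hour from now) when not given.
/// </summary>
/// <param name="blobClient">Blob the SAS is for; supplies container and blob name.</param>
private BlobSasBuilder BuildAdHocSasBuilder(BlobBaseClient blobClient)
{
    BlobSasBuilder sasBuilder = new BlobSasBuilder
    {
        BlobContainerName = blobClient.BlobContainerName,
        BlobName = blobClient.Name,
    };
    sasBuilder.SetPermissions(this.Permission);

    if (this.StartTime != null)
    {
        sasBuilder.StartsOn = this.StartTime.Value.ToUniversalTime();
    }

    if (this.ExpiryTime != null)
    {
        sasBuilder.ExpiresOn = this.ExpiryTime.Value.ToUniversalTime();
    }
    else
    {
        sasBuilder.ExpiresOn = sasBuilder.StartsOn != DateTimeOffset.MinValue
            ? sasBuilder.StartsOn.AddHours(1).ToUniversalTime()
            : DateTimeOffset.UtcNow.AddHours(1);
    }

    return sasBuilder;
}

/// <summary>
/// Applies the options shared by both SAS kinds: IP range, protocol, and the version id or snapshot time
/// carried by the blob URI.
/// </summary>
/// <param name="sasBuilder">Builder to modify.</param>
/// <param name="blobClient">Blob whose URI may address a version or snapshot.</param>
private void ApplySasBuilderOptions(BlobSasBuilder sasBuilder, BlobBaseClient blobClient)
{
    if (this.IPAddressOrRange != null)
    {
        sasBuilder.IPRange = Util.SetupIPAddressOrRangeForSASTrack2(this.IPAddressOrRange);
    }

    if (this.Protocol != null)
    {
        // The non-HttpsOrHttp branch is HttpsOnly.
        sasBuilder.Protocol = this.Protocol.Value == SharedAccessProtocol.HttpsOrHttp
            ? SasProtocol.HttpsAndHttp
            : SasProtocol.Https;
    }

    var versionId = Util.GetVersionIdFromBlobUri(blobClient.Uri);
    if (versionId != null)
    {
        sasBuilder.BlobVersionId = versionId;
    }

    var snapshotTime = Util.GetSnapshotTimeFromBlobUri(blobClient.Uri);
    if (snapshotTime != null)
    {
        // Fix: the snapshot value takes part in the signature and must match the blob's snapshot identifier,
        // which is a UTC timestamp with a trailing 'Z'. DateTimeOffset.ToString("o") emits "+00:00" instead,
        // so format the UtcDateTime (Kind=Utc), as SasTokenHelper.SetBlobSasBuilder_FromBlob does.
        sasBuilder.Snapshot = snapshotTime.Value.UtcDateTime.ToString("o");
    }
}

/// <summary>
/// Writes either the bare SAS token or <paramref name="blobUri"/> with the token appended, per <c>FullUri</c>.
/// </summary>
/// <param name="blobUri">Blob URI to append the token to.</param>
/// <param name="isSnapshot">True when the URI already has a query string (snapshot), so the token joins with '&amp;'.</param>
/// <param name="sasToken">SAS token starting with '?'.</param>
private void WriteSasResult(string blobUri, bool isSnapshot, string sasToken)
{
    if (!FullUri)
    {
        WriteObject(sasToken);
        return;
    }

    // A snapshot URL already has '?', so drop the token's leading '?' and join with '&'.
    string fullUri = isSnapshot
        ? blobUri + "&" + sasToken.Substring(1)
        : blobUri + sasToken;
    WriteObject(fullUri);
}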