internal async Task GetAzureContainerStoredAccessPolicyAsync(long taskId, IStorageBlobManagement localChannel, string containerName, string policyName)
{
//Get container instance, Get existing permissions
CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
BlobContainerAccessPolicy accessPolicy = (await container.GetAccessPolicyAsync(BlobRequestConditions, cancellationToken: CmdletCancellationToken).ConfigureAwait(false)).Value;
IEnumerable <BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;
if (!String.IsNullOrEmpty(policyName))
{
BlobSignedIdentifier signedIdentifier = null;
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
if (identifier.Id == policyName)
{
signedIdentifier = identifier;
}
}
if (signedIdentifier == null)
{
throw new ResourceNotFoundException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
}
else
{
OutputStream.WriteObject(taskId, AccessPolicyHelper.ConstructPolicyOutputPSObject <BlobSignedIdentifier>(signedIdentifier));
}
}
else
{
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
OutputStream.WriteObject(taskId, AccessPolicyHelper.ConstructPolicyOutputPSObject <BlobSignedIdentifier>(identifier));
}
}
}
/// <summary>
/// Create a blob SAS build from Blob Object
/// </summary>
public static BlobSasBuilder SetBlobSasBuilder_FromBlob(BlobBaseClient blobClient,
BlobSignedIdentifier signedIdentifier = null,
string Permission = null,
DateTime?StartTime = null,
DateTime?ExpiryTime = null,
string iPAddressOrRange = null,
SharedAccessProtocol?Protocol = null,
string EncryptionScope = null)
{
BlobSasBuilder sasBuilder = SetBlobSasBuilder(blobClient.BlobContainerName,
blobClient.Name,
signedIdentifier,
Permission,
StartTime,
ExpiryTime,
iPAddressOrRange,
Protocol,
EncryptionScope);
if (Util.GetVersionIdFromBlobUri(blobClient.Uri) != null)
{
sasBuilder.BlobVersionId = Util.GetVersionIdFromBlobUri(blobClient.Uri);
}
if (Util.GetSnapshotTimeFromBlobUri(blobClient.Uri) != null)
{
sasBuilder.Snapshot = Util.GetSnapshotTimeFromBlobUri(blobClient.Uri).Value.UtcDateTime.ToString("o");
}
return(sasBuilder);
}
private string GetContainerSASWithLighthouse(BlobServiceClient service, string storageAccount,
string storageContainer, string blobName, StorageSharedKeyCredential credential)
{
BlobSasBuilder blobSasBuilder;
BlobContainerClient container = service.GetBlobContainerClient(storageContainer);
BlobContainerAccessPolicy policy = container.GetAccessPolicy();
BlobSignedIdentifier blobSignedIdentifier = policy.SignedIdentifiers.FirstOrDefault(x => x.Id == "expiresapr");
// if stored access policy exists, use it, otherwise, specify permissions
if (blobSignedIdentifier != null)
{
blobSasBuilder = new BlobSasBuilder
{
BlobContainerName = storageContainer,
Identifier = blobSignedIdentifier.Id
};
/* load test how fast we can generate SAS token
* for (int ii = 0; ii < 100000; ++ii )
* {
* var blobSas = new BlobSasBuilder
* {
* BlobContainerName = storageContainer,
* BlobName = "abc" + ii,
* Identifier = blobSignedIdentifier.Id
* };
* var param = blobSas.ToSasQueryParameters(credential).ToString();
* }*/
}
else
{
DateTimeOffset expiresOn = DateTimeOffset.UtcNow.AddHours(2);
blobSasBuilder = new BlobSasBuilder
{
BlobContainerName = storageContainer,
ExpiresOn = expiresOn,
};
blobSasBuilder.SetPermissions(
BlobContainerSasPermissions.Read |
BlobContainerSasPermissions.Create |
BlobContainerSasPermissions.List);
}
var sasQueryParameters = blobSasBuilder.ToSasQueryParameters(credential).ToString();
String uri = String.IsNullOrEmpty(blobName) ?
String.Format("https://{0}.blob.core.windows.net/{1}?restype=container&comp=list&{2}",
storageAccount,
storageContainer,
sasQueryParameters.ToString()) :
String.Format("https://{0}.blob.core.windows.net/{1}/{2}?{3}",
storageAccount,
storageContainer,
blobName,
sasQueryParameters.ToString());
return(uri);
}
public async Task ParseResponseBodyAsync(System.IO.Stream responseStream)
{
using (StreamReader sr = new StreamReader(responseStream))
{
var content = await sr.ReadToEndAsync();
if (content.Length > 0)
{
var xDoc = XDocument.Parse(content);
var signedIdentifiers = new List <BlobSignedIdentifier>();
foreach (var identifierResponse in xDoc.Root.Elements().Where(e => e.Name.LocalName.Equals("SignedIdentifier")))
{
var identifier = new BlobSignedIdentifier();
identifier.AccessPolicy = new BlobAccessPolicy();
foreach (var element in identifierResponse.Elements())
{
switch (element.Name.LocalName)
{
case "Id":
identifier.Id = element.Value;
break;
case "AccessPolicy":
foreach (var apElement in element.Elements())
{
switch (apElement.Name.LocalName)
{
case "Permission":
identifier.AccessPolicy.Permission = SharedAccessPermissionParse.ParseBlob(apElement.Value);
break;
case "Start":
identifier.AccessPolicy.StartTime = Parsers.ParseUTCDate(apElement.Value);
break;
case "Expiry":
identifier.AccessPolicy.Expiry = Parsers.ParseUTCDate(apElement.Value);
break;
}
}
break;
}
}
signedIdentifiers.Add(identifier);
}
SignedIdentifiers = new ReadOnlyCollection <BlobSignedIdentifier>(signedIdentifiers);
}
}
}
internal string SetAzureContainerStoredAccessPolicy(IStorageBlobManagement localChannel, string containerName, string policyName, DateTime?startTime, DateTime?expiryTime, string permission, bool noStartTime, bool noExpiryTime)
{
//Get container instance, Get existing permissions
CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
IEnumerable <BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;
//Set the policy with new value
BlobSignedIdentifier signedIdentifier = null;
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
if (identifier.Id == policyName)
{
signedIdentifier = identifier;
}
}
if (signedIdentifier == null)
{
throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
}
if (noStartTime)
{
signedIdentifier.AccessPolicy.PolicyStartsOn = DateTimeOffset.MinValue;
}
else if (startTime != null)
{
signedIdentifier.AccessPolicy.PolicyStartsOn = StartTime.Value.ToUniversalTime();
}
if (noExpiryTime)
{
signedIdentifier.AccessPolicy.PolicyExpiresOn = DateTimeOffset.MinValue;
}
else if (ExpiryTime != null)
{
signedIdentifier.AccessPolicy.PolicyExpiresOn = ExpiryTime.Value.ToUniversalTime();
}
if (this.Permission != null)
{
signedIdentifier.AccessPolicy.Permissions = this.Permission;
signedIdentifier.AccessPolicy.Permissions = AccessPolicyHelper.OrderBlobPermission(this.Permission);
}
//Set permissions back to container
container.SetAccessPolicy(accessPolicy.BlobPublicAccess, signedIdentifiers, BlobRequestConditions, CmdletCancellationToken);
WriteObject(AccessPolicyHelper.ConstructPolicyOutputPSObject <BlobSignedIdentifier>(signedIdentifier));
return(policyName);
}
/// <summary>
/// Create a container if doesn't exist, setting permission with policy, and return assosciated SAS signature
/// </summary>
/// <param name="account">Storage account</param>
/// <param name="Key">Storage account key</param>
/// <param name="blobUri">Blob endpoint URI</param>
/// <param name="containerName">Name of the container to be created</param>
/// <param name="policy">Name for the policy</param>
/// <param name="start">Start time of the policy</param>
/// <param name="end">Expire time of the policy</param>
/// <param name="permissions">Blob access permissions</param>
/// <returns>the SAS for the container, in full URI format.</returns>.
private static async Task <string> CreateContainerWithPolicySASIfNotExistAsync(string account, string key, Uri blobUri, string containerName, string policy, DateTime start, DateTime end, string permissions)
{
// 1. form the credentail and initial client
StagingStorageAccount stagingCredentials = new StagingStorageAccount(account, key, blobUri.ToString());
StorageSharedKeyCredential shardKeyCredentials = new StorageSharedKeyCredential(account, key);
BlobContainerClient containerClient = BlobUtilities.GetBlobContainerClient(containerName, stagingCredentials);
// 2. create container if it doesn't exist
containerClient.CreateIfNotExists();
// 3. validate policy, create/overwrite if doesn't match
BlobSignedIdentifier identifier = new BlobSignedIdentifier
{
Id = policy,
AccessPolicy = new BlobAccessPolicy
{
Permissions = permissions,
StartsOn = start,
ExpiresOn = end,
},
};
var accessPolicy = (await containerClient.GetAccessPolicyAsync()).Value;
bool policyFound = accessPolicy.SignedIdentifiers.Any(i => i == identifier);
if (policyFound == false)
{
await containerClient.SetAccessPolicyAsync(PublicAccessType.BlobContainer, permissions : new List <BlobSignedIdentifier> {
identifier
});
}
BlobSasBuilder sasBuilder = new BlobSasBuilder
{
BlobContainerName = containerName,
StartsOn = start,
ExpiresOn = end,
};
sasBuilder.SetPermissions(permissions);
BlobUriBuilder builder = new BlobUriBuilder(containerClient.Uri)
{
Sas = sasBuilder.ToSasQueryParameters(shardKeyCredentials)
};
string fullSas = builder.ToString();
return(fullSas);
}
/// <summary>
/// Create a blob SAS build from container Object
/// </summary>
public static BlobSasBuilder SetBlobSasBuilder_FromContainer(BlobContainerClient container,
BlobSignedIdentifier signedIdentifier = null,
string Permission = null,
DateTime?StartTime = null,
DateTime?ExpiryTime = null,
string iPAddressOrRange = null,
SharedAccessProtocol?Protocol = null)
{
BlobSasBuilder sasBuilder = SetBlobSasBuilder(container.Name,
null,
signedIdentifier,
Permission,
StartTime,
ExpiryTime,
iPAddressOrRange,
Protocol);
return(sasBuilder);
}
internal string CreateAzureContainerStoredAccessPolicy(IStorageBlobManagement localChannel, string containerName, string policyName, DateTime?startTime, DateTime?expiryTime, string permission)
{
if (!NameUtil.IsValidStoredAccessPolicyName(policyName))
{
throw new ArgumentException(String.Format(CultureInfo.CurrentCulture, Resources.InvalidAccessPolicyName, policyName));
}
//Get container instance, Get existing permissions
CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
IEnumerable <BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;
//Add new policy
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
if (identifier.Id == policyName)
{
throw new ResourceAlreadyExistException(String.Format(CultureInfo.CurrentCulture, Resources.PolicyAlreadyExists, policyName));
}
}
BlobSignedIdentifier signedIdentifier = new BlobSignedIdentifier();
signedIdentifier.Id = policyName;
signedIdentifier.AccessPolicy = new BlobAccessPolicy();
if (StartTime != null)
{
signedIdentifier.AccessPolicy.PolicyStartsOn = StartTime.Value.ToUniversalTime();
}
if (ExpiryTime != null)
{
signedIdentifier.AccessPolicy.PolicyExpiresOn = ExpiryTime.Value.ToUniversalTime();
}
signedIdentifier.AccessPolicy.Permissions = AccessPolicyHelper.OrderBlobPermission(this.Permission);
var newsignedIdentifiers = new List <BlobSignedIdentifier>(signedIdentifiers);
newsignedIdentifiers.Add(signedIdentifier);
//Set permissions back to container
container.SetAccessPolicy(accessPolicy.BlobPublicAccess, newsignedIdentifiers, BlobRequestConditions, CmdletCancellationToken);
return(policyName);
}
internal bool RemoveAzureContainerStoredAccessPolicy(IStorageBlobManagement localChannel, string containerName, string policyName)
{
bool success = false;
string result = string.Empty;
//Get container instance, Get existing permissions
CloudBlobContainer container_Track1 = Channel.GetContainerReference(containerName);
BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(container_Track1, Channel.StorageContext, ClientOptions);
BlobContainerAccessPolicy accessPolicy = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value;
IEnumerable <BlobSignedIdentifier> signedIdentifiers = accessPolicy.SignedIdentifiers;
//remove policy
BlobSignedIdentifier signedIdentifier = null;
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
if (identifier.Id == policyName)
{
signedIdentifier = identifier;
}
}
if (signedIdentifier == null)
{
throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.PolicyNotFound, policyName));
}
if (ShouldProcess(policyName, "Remove policy"))
{
List <BlobSignedIdentifier> policyList = new List <BlobSignedIdentifier>(signedIdentifiers);
policyList.Remove(signedIdentifier);
//Set permissions back to container
container.SetAccessPolicy(accessPolicy.BlobPublicAccess, policyList, BlobRequestConditions, CmdletCancellationToken);
success = true;
}
return(success);
}
/// <summary>
/// Create a blob SAS build from Blob Object
/// </summary>
public static BlobSasBuilder SetBlobSasBuilder(string containerName,
string blobName = null,
BlobSignedIdentifier signedIdentifier = null,
string Permission = null,
DateTime?StartTime = null,
DateTime?ExpiryTime = null,
string iPAddressOrRange = null,
SharedAccessProtocol?Protocol = null,
string EncryptionScope = null)
{
BlobSasBuilder sasBuilder;
if (signedIdentifier != null) // Use save access policy
{
sasBuilder = new BlobSasBuilder
{
BlobContainerName = containerName,
BlobName = blobName,
Identifier = signedIdentifier.Id
};
if (StartTime != null)
{
if (signedIdentifier.AccessPolicy.StartsOn != DateTimeOffset.MinValue && signedIdentifier.AccessPolicy.StartsOn != null)
{
throw new InvalidOperationException(Resources.SignedStartTimeMustBeOmitted);
}
else
{
sasBuilder.StartsOn = StartTime.Value.ToUniversalTime();
}
}
if (ExpiryTime != null)
{
if (signedIdentifier.AccessPolicy.PolicyExpiresOn != DateTimeOffset.MinValue && signedIdentifier.AccessPolicy.PolicyExpiresOn != null)
{
throw new ArgumentException(Resources.SignedExpiryTimeMustBeOmitted);
}
else
{
sasBuilder.ExpiresOn = ExpiryTime.Value.ToUniversalTime();
}
}
else if (signedIdentifier.AccessPolicy.PolicyExpiresOn == DateTimeOffset.MinValue && signedIdentifier.AccessPolicy.PolicyExpiresOn != null)
{
if (sasBuilder.StartsOn != DateTimeOffset.MinValue && sasBuilder.StartsOn != null)
{
sasBuilder.ExpiresOn = sasBuilder.StartsOn.ToUniversalTime().AddHours(1);
}
else
{
sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
}
}
if (Permission != null)
{
if (signedIdentifier.AccessPolicy.Permissions != null)
{
throw new ArgumentException(Resources.SignedPermissionsMustBeOmitted);
}
else
{
sasBuilder = SetBlobPermission(sasBuilder, Permission);
}
}
}
else // use user input permission, starton, expireon
{
sasBuilder = new BlobSasBuilder
{
BlobContainerName = containerName,
BlobName = blobName,
};
sasBuilder = SetBlobPermission(sasBuilder, Permission);
if (StartTime != null)
{
sasBuilder.StartsOn = StartTime.Value.ToUniversalTime();
}
if (ExpiryTime != null)
{
sasBuilder.ExpiresOn = ExpiryTime.Value.ToUniversalTime();
}
else
{
if (sasBuilder.StartsOn != DateTimeOffset.MinValue)
{
sasBuilder.ExpiresOn = sasBuilder.StartsOn.AddHours(1).ToUniversalTime();
}
else
{
sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
}
}
}
if (iPAddressOrRange != null)
{
sasBuilder.IPRange = Util.SetupIPAddressOrRangeForSASTrack2(iPAddressOrRange);
}
if (Protocol != null)
{
if (Protocol.Value == SharedAccessProtocol.HttpsOrHttp)
{
sasBuilder.Protocol = SasProtocol.HttpsAndHttp;
}
else //HttpsOnly
{
sasBuilder.Protocol = SasProtocol.Https;
}
}
if (EncryptionScope != null)
{
sasBuilder.EncryptionScope = EncryptionScope;
}
return(sasBuilder);
}
public override void ExecuteCmdlet()
{
CloudBlob blob = null;
if (ParameterSetName == BlobNamePipelineParmeterSetWithPermission ||
ParameterSetName == BlobNamePipelineParmeterSetWithPolicy)
{
blob = GetCloudBlobByName(Container, Blob);
}
else
{
blob = this.CloudBlob;
}
// When the input context is Oauth bases, can't generate normal SAS, but UserDelegationSas
bool generateUserDelegationSas = false;
if (Channel != null && Channel.StorageContext != null && Channel.StorageContext.StorageAccount.Credentials.IsToken)
{
if (ShouldProcess(blob.Name, "Generate User Delegation SAS, since input Storage Context is OAuth based."))
{
generateUserDelegationSas = true;
if (!string.IsNullOrEmpty(accessPolicyIdentifier))
{
throw new ArgumentException("When input Storage Context is OAuth based, Saved Policy is not supported.", "Policy");
}
}
else
{
return;
}
}
if (!(blob is InvalidCloudBlob) && !UseTrack2Sdk())
{
SharedAccessBlobPolicy accessPolicy = new SharedAccessBlobPolicy();
bool shouldSetExpiryTime = SasTokenHelper.ValidateContainerAccessPolicy(Channel, blob.Container.Name, accessPolicy, accessPolicyIdentifier);
SetupAccessPolicy(accessPolicy, shouldSetExpiryTime);
string sasToken = GetBlobSharedAccessSignature(blob, accessPolicy, accessPolicyIdentifier, Protocol, Util.SetupIPAddressOrRangeForSAS(IPAddressOrRange), generateUserDelegationSas);
if (FullUri)
{
string fullUri = blob.SnapshotQualifiedUri.ToString();
if (blob.IsSnapshot)
{
// Since snapshot URL already has '?', need remove '?' in the first char of sas
fullUri = fullUri + "&" + sasToken.Substring(1);
}
else
{
fullUri = fullUri + sasToken;
}
WriteObject(fullUri);
}
else
{
WriteObject(sasToken);
}
}
else // Use Track2 SDk
{
//Get blob instance
BlobBaseClient blobClient;
if (this.BlobBaseClient != null)
{
blobClient = this.BlobBaseClient;
}
else
{
blobClient = AzureStorageBlob.GetTrack2BlobClient(blob, Channel.StorageContext, this.ClientOptions);
}
// Get contaienr saved policy if any
BlobSignedIdentifier identifier = null;
if (ParameterSetName == BlobNamePipelineParmeterSetWithPolicy || ParameterSetName == BlobPipelineParameterSetWithPolicy)
{
BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(Channel.GetContainerReference(blobClient.BlobContainerName), Channel.StorageContext, ClientOptions);
identifier = SasTokenHelper.GetBlobSignedIdentifier(container, this.Policy, CmdletCancellationToken);
}
//Create SAS builder
BlobSasBuilder sasBuilder = SasTokenHelper.SetBlobSasBuilder_FromBlob(blobClient, identifier, this.Permission, this.StartTime, this.ExpiryTime, this.IPAddressOrRange, this.Protocol);
//Create SAS and ourput
string sasToken = SasTokenHelper.GetBlobSharedAccessSignature(Channel.StorageContext, sasBuilder, generateUserDelegationSas, ClientOptions, CmdletCancellationToken);
if (sasToken[0] != '?')
{
sasToken = "?" + sasToken;
}
if (FullUri)
{
string fullUri = blobClient.Uri.ToString();
if (blob.IsSnapshot)
{
// Since snapshot URL already has '?', need remove '?' in the first char of sas
fullUri = fullUri + "&" + sasToken.Substring(1);
}
else
{
fullUri = fullUri + sasToken;
}
WriteObject(fullUri);
}
else
{
WriteObject(sasToken);
}
}
}
protected void AssertIdentifierInSharedAccessPolicies(Microsoft.WindowsAzure.Storage.Blob.SharedAccessBlobPolicies sharedAccessPolicies, BlobSignedIdentifier expectedIdentifier, Microsoft.WindowsAzure.Storage.Blob.SharedAccessBlobPermissions permissions)
{
var policy = sharedAccessPolicies.Where(i => i.Key.Equals(expectedIdentifier.Id, StringComparison.InvariantCultureIgnoreCase)).FirstOrDefault();
Assert.IsNotNull(policy);
Assert.AreEqual(expectedIdentifier.AccessPolicy.StartTime, policy.Value.SharedAccessStartTime.Value.UtcDateTime);
Assert.AreEqual(expectedIdentifier.AccessPolicy.Expiry, policy.Value.SharedAccessExpiryTime.Value.UtcDateTime);
Assert.IsTrue(policy.Value.Permissions.HasFlag(permissions));
}
private async Task <BlobContainerClient> GetClient(CancellationToken ct)
{
if (_client == null)
{
BlobServiceClient serviceClient = new BlobServiceClient(AccountBlobUri, AccountCredential, BlobOptions);
_logger.LogInformation($"Attempting to connect to {serviceClient.Uri} to store blobs.");
BlobContainerClient newClient;
int attemptCt = 0;
do
{
try
{
newClient = serviceClient.GetBlobContainerClient(_containerName);
if (!(await newClient.ExistsAsync(ct)).Value)
{
newClient = (await serviceClient.CreateBlobContainerAsync(_containerName, PublicAccessType.None, metadata: null, ct));
}
}
catch (Exception ex)
{
_logger.LogWarning(ex, $"Failed to create or access {_containerName}, retrying with new name.");
continue;
}
try
{
DateTime baseTime = DateTime.UtcNow;
// Add the new (or update existing) "download" policy to the container
// This is used to mint the SAS tokens without an expiration policy
// Expiration can be added later by modifying this policy
BlobSignedIdentifier downloadPolicyIdentifier = new BlobSignedIdentifier()
{
Id = AccessPolicyDownloadId,
AccessPolicy = new BlobAccessPolicy()
{
Permissions = "r",
PolicyStartsOn = new DateTimeOffset(baseTime.AddSeconds(-ClockSkewSec)),
PolicyExpiresOn = new DateTimeOffset(DateTime.UtcNow.AddDays(_sasValidDays).AddSeconds(ClockSkewSec)),
}
};
_logger.LogInformation($"Writing download access policy: {AccessPolicyDownloadId} to {_containerName}.");
await newClient.SetAccessPolicyAsync(PublicAccessType.None, new BlobSignedIdentifier[] { downloadPolicyIdentifier }, cancellationToken : ct);
}
catch (Exception ex)
{
_logger.LogWarning(ex, $"Failed to write access policy for {_containerName}, retrying.");
continue;
}
_logger.LogInformation($"Container {_containerName} is ready.");
_client = newClient;
break;
} while (++attemptCt < MaxFullLoopRetries);
}
if (_client == null)
{
_logger.LogError("Failed to create or access container for publishing drop.");
}
return(_client);
}
public override void ExecuteCmdlet()
{
CloudBlob blob = null;
if (ParameterSetName == BlobNamePipelineParmeterSetWithPermission ||
ParameterSetName == BlobNamePipelineParmeterSetWithPolicy)
{
blob = GetCloudBlobByName(Container, Blob);
}
else
{
blob = this.CloudBlob;
}
// When the input context is Oauth bases, can't generate normal SAS, but UserDelegationSas
bool generateUserDelegationSas = false;
if (Channel != null && Channel.StorageContext != null && Channel.StorageContext.StorageAccount.Credentials.IsToken)
{
if (ShouldProcess(blob.Name, "Generate User Delegation SAS, since input Storage Context is OAuth based."))
{
generateUserDelegationSas = true;
if (!string.IsNullOrEmpty(accessPolicyIdentifier))
{
throw new ArgumentException("When input Storage Context is OAuth based, Saved Policy is not supported.", "Policy");
}
}
else
{
return;
}
}
if (!(blob is InvalidCloudBlob) && !UseTrack2SDK())
{
SharedAccessBlobPolicy accessPolicy = new SharedAccessBlobPolicy();
bool shouldSetExpiryTime = SasTokenHelper.ValidateContainerAccessPolicy(Channel, blob.Container.Name, accessPolicy, accessPolicyIdentifier);
SetupAccessPolicy(accessPolicy, shouldSetExpiryTime);
string sasToken = GetBlobSharedAccessSignature(blob, accessPolicy, accessPolicyIdentifier, Protocol, Util.SetupIPAddressOrRangeForSAS(IPAddressOrRange), generateUserDelegationSas);
if (FullUri)
{
string fullUri = blob.SnapshotQualifiedUri.ToString();
if (blob.IsSnapshot)
{
// Since snapshot URL already has '?', need remove '?' in the first char of sas
fullUri = fullUri + "&" + sasToken.Substring(1);
}
else
{
fullUri = fullUri + sasToken;
}
WriteObject(fullUri);
}
else
{
WriteObject(sasToken);
}
}
else // Use Track2 SDk
{
BlobBaseClient blobClient;
if (this.BlobBaseClient != null)
{
blobClient = this.BlobBaseClient;
}
else
{
blobClient = AzureStorageBlob.GetTrack2BlobClient(blob, Channel.StorageContext, this.ClientOptions);
}
BlobSasBuilder sasBuilder;
if (ParameterSetName == BlobNamePipelineParmeterSetWithPolicy || ParameterSetName == BlobPipelineParameterSetWithPolicy)
{
BlobContainerClient container = AzureStorageContainer.GetTrack2BlobContainerClient(Channel.GetContainerReference(blobClient.BlobContainerName), Channel.StorageContext, ClientOptions);
IEnumerable <BlobSignedIdentifier> signedIdentifiers = container.GetAccessPolicy(cancellationToken: CmdletCancellationToken).Value.SignedIdentifiers;
BlobSignedIdentifier signedIdentifier = null;
foreach (BlobSignedIdentifier identifier in signedIdentifiers)
{
if (identifier.Id == this.Policy)
{
signedIdentifier = identifier;
break;
}
}
if (signedIdentifier is null)
{
throw new ArgumentException(string.Format(Resources.InvalidAccessPolicy, this.Policy));
}
sasBuilder = new BlobSasBuilder
{
BlobContainerName = blobClient.BlobContainerName,
BlobName = blobClient.Name,
Identifier = this.Policy
};
if (this.StartTime != null)
{
if (signedIdentifier.AccessPolicy.StartsOn != DateTimeOffset.MinValue)
{
throw new InvalidOperationException(Resources.SignedStartTimeMustBeOmitted);
}
else
{
sasBuilder.StartsOn = this.StartTime.Value.ToUniversalTime();
}
}
if (this.ExpiryTime != null)
{
if (signedIdentifier.AccessPolicy.ExpiresOn != DateTimeOffset.MinValue)
{
throw new ArgumentException(Resources.SignedExpiryTimeMustBeOmitted);
}
else
{
sasBuilder.ExpiresOn = this.ExpiryTime.Value.ToUniversalTime();
}
}
else if (signedIdentifier.AccessPolicy.ExpiresOn == DateTimeOffset.MinValue)
{
if (sasBuilder.StartsOn != DateTimeOffset.MinValue)
{
sasBuilder.ExpiresOn = sasBuilder.StartsOn.ToUniversalTime().AddHours(1);
}
else
{
sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
}
}
if (this.Permission != null)
{
if (signedIdentifier.AccessPolicy.Permissions != null)
{
throw new ArgumentException(Resources.SignedPermissionsMustBeOmitted);
}
else
{
sasBuilder.SetPermissions(this.Permission);
}
}
}
else
{
sasBuilder = new BlobSasBuilder
{
BlobContainerName = blobClient.BlobContainerName,
BlobName = blobClient.Name,
};
sasBuilder.SetPermissions(this.Permission);
if (this.StartTime != null)
{
sasBuilder.StartsOn = this.StartTime.Value.ToUniversalTime();
}
if (this.ExpiryTime != null)
{
sasBuilder.ExpiresOn = this.ExpiryTime.Value.ToUniversalTime();
}
else
{
if (sasBuilder.StartsOn != DateTimeOffset.MinValue)
{
sasBuilder.ExpiresOn = sasBuilder.StartsOn.AddHours(1).ToUniversalTime();
}
else
{
sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
}
}
}
if (this.IPAddressOrRange != null)
{
sasBuilder.IPRange = Util.SetupIPAddressOrRangeForSASTrack2(this.IPAddressOrRange);
}
if (this.Protocol != null)
{
if (this.Protocol.Value == SharedAccessProtocol.HttpsOrHttp)
{
sasBuilder.Protocol = SasProtocol.HttpsAndHttp;
}
else //HttpsOnly
{
sasBuilder.Protocol = SasProtocol.Https;
}
}
if (Util.GetVersionIdFromBlobUri(blobClient.Uri) != null)
{
sasBuilder.BlobVersionId = Util.GetVersionIdFromBlobUri(blobClient.Uri);
}
if (Util.GetSnapshotTimeFromBlobUri(blobClient.Uri) != null)
{
sasBuilder.Snapshot = Util.GetSnapshotTimeFromBlobUri(blobClient.Uri).Value.ToString("o");
}
string sasToken = GetBlobSharedAccessSignature(blobClient, sasBuilder, generateUserDelegationSas);
if (sasToken[0] != '?')
{
sasToken = "?" + sasToken;
}
if (FullUri)
{
string fullUri = blobClient.Uri.ToString();
if (blob.IsSnapshot)
{
// Since snapshot URL already has '?', need remove '?' in the first char of sas
fullUri = fullUri + "&" + sasToken.Substring(1);
}
else
{
fullUri = fullUri + sasToken;
}
WriteObject(fullUri);
}
else
{
WriteObject(sasToken);
}
}
}
