/// <summary> /// Create a blob SAS build from Blob Object /// </summary> public static BlobSasBuilder SetBlobSasBuilder_FromBlob(BlobBaseClient blobClient, BlobSignedIdentifier signedIdentifier = null, string Permission = null, DateTime?StartTime = null, DateTime?ExpiryTime = null, string iPAddressOrRange = null, SharedAccessProtocol?Protocol = null, string EncryptionScope = null) { BlobSasBuilder sasBuilder = SetBlobSasBuilder(blobClient.BlobContainerName, blobClient.Name, signedIdentifier, Permission, StartTime, ExpiryTime, iPAddressOrRange, Protocol, EncryptionScope); if (Util.GetVersionIdFromBlobUri(blobClient.Uri) != null) { sasBuilder.BlobVersionId = Util.GetVersionIdFromBlobUri(blobClient.Uri); } if (Util.GetSnapshotTimeFromBlobUri(blobClient.Uri) != null) { sasBuilder.Snapshot = Util.GetSnapshotTimeFromBlobUri(blobClient.Uri).Value.UtcDateTime.ToString("o"); } return(sasBuilder); }
public static string GetSharedAccessSignature( CloudBlob blob, SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string groupPolicyIdentifier, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange, string targetStorageVersion) { if (!blob.ServiceClient.Credentials.IsSharedKey) { string errorMessage = string.Format(CultureInfo.CurrentCulture, "CannotCreateSASWithoutAccountKey"); throw new InvalidOperationException(errorMessage); } string resourceName = GetCanonicalName(blob, targetStorageVersion); string signature = GetHash(policy, headers, groupPolicyIdentifier, resourceName, targetStorageVersion, protocols, ipAddressOrRange, blob.ServiceClient.Credentials.ExportKey()); // Future resource type changes from "c" => "container" UriQueryBuilder builder = GetSignature(policy, headers, groupPolicyIdentifier, "b", signature, null, targetStorageVersion, protocols, ipAddressOrRange); return(builder.ToString()); }
private string GenerateAndValidateAccountSAS( SharedAccessAccountServices service, SharedAccessAccountResourceTypes resourceType, string permission, SharedAccessProtocol?protocol = null, string iPAddressOrRange = null, DateTime?startTime = null, DateTime?expiryTime = null) { Test.Assert(CommandAgent.NewAzureStorageAccountSAS( service, resourceType, permission, protocol, iPAddressOrRange, startTime, expiryTime), "Should succeeded in generating an account sas with full permissions, services and resource types"); string sasToken; if (lang == Language.PowerShell) { sasToken = CommandAgent.Output[0][Constants.SASTokenKey].ToString(); } else { sasToken = "?" + CommandAgent.Output[0][Constants.SASTokenKeyNode]; } AccountSASUtils.ValidateAccountSAS( service, resourceType, permission, protocol, iPAddressOrRange, startTime, expiryTime, sasToken); return(sasToken); }
/// <summary> /// Get the complete query builder for creating the Shared Access Signature query. /// </summary> /// <param name="policy">The shared access policy to hash.</param> /// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param> /// <param name="signature">The signature to use.</param> /// <param name="accountKeyName">The name of the key used to create the signature, or <c>null</c> if the key is implicit.</param> /// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format.</param> /// <param name="protocols">The HTTP/HTTPS protocols for Account SAS.</param> /// <param name="ipAddressOrRange">The IP range for IPSAS.</param> /// <returns>The finished query builder.</returns> internal static UriQueryBuilder GetSignature( SharedAccessQueuePolicy policy, string accessPolicyIdentifier, string signature, string accountKeyName, string sasVersion, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange) { CommonUtility.AssertNotNull("signature", signature); UriQueryBuilder builder = new UriQueryBuilder(); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedVersion, sasVersion); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedIdentifier, accessPolicyIdentifier); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKey, accountKeyName); AddEscapedIfNotNull(builder, Constants.QueryConstants.Signature, signature); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedProtocols, GetProtocolString(protocols)); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedIP, ipAddressOrRange == null ? null : ipAddressOrRange.ToString()); if (policy != null) { AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedStart, GetDateTimeOrNull(policy.SharedAccessStartTime)); AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedExpiry, GetDateTimeOrNull(policy.SharedAccessExpiryTime)); string permissions = SharedAccessQueuePolicy.PermissionsToString(policy.Permissions); if (!string.IsNullOrEmpty(permissions)) { AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedPermissions, permissions); } } return(builder); }
/// <summary> /// Get the complete query builder for creating the Shared Access Signature query. /// </summary> /// <param name="policy">The shared access policy to hash.</param> /// <param name="headers">The optional header values to set for a blob returned with this SAS.</param> /// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param> /// <param name="resourceType">"b" for blobs, "bs" for blob snapshots, or "c" for containers.</param> /// <param name="signature">The signature to use.</param> /// <param name="accountKeyName">The name of the key used to create the signature, or <c>null</c> if the key is implicit.</param> /// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format.</param> /// <param name="protocols">The HTTP/HTTPS protocols for Account SAS.</param> /// <param name="ipAddressOrRange">The IP range for IPSAS.</param> /// <param name="delegationKey">Key information for signatures using user-delegation-based SAS.</param> /// <returns>The finished query builder.</returns> internal static UriQueryBuilder GetSignature( SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string accessPolicyIdentifier, string resourceType, string signature, string accountKeyName, string sasVersion, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange, UserDelegationKey delegationKey = default(UserDelegationKey) ) { CommonUtility.AssertNotNullOrEmpty("resourceType", resourceType); UriQueryBuilder builder = new UriQueryBuilder(); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedVersion, sasVersion); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedResource, resourceType); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedIdentifier, accessPolicyIdentifier); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKey, accountKeyName); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.Signature, signature); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedProtocols, SharedAccessSignatureHelper.GetProtocolString(protocols)); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedIP, ipAddressOrRange == null ? null : ipAddressOrRange.ToString()); if (delegationKey != default(UserDelegationKey)) { SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKeyOid, delegationKey.SignedOid.ToString()); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKeyTid, delegationKey.SignedTid.ToString()); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKeyStart, SharedAccessSignatureHelper.GetDateTimeOrNull(delegationKey.SignedStart)); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKeyExpiry, SharedAccessSignatureHelper.GetDateTimeOrNull(delegationKey.SignedExpiry)); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKeyService, delegationKey.SignedService); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedKeyVersion, delegationKey.SignedVersion); } if (policy != null) { SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedStart, SharedAccessSignatureHelper.GetDateTimeOrNull(policy.SharedAccessStartTime)); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedExpiry, SharedAccessSignatureHelper.GetDateTimeOrNull(policy.SharedAccessExpiryTime)); string permissions = SharedAccessBlobPolicy.PermissionsToString(policy.Permissions); if (!string.IsNullOrEmpty(permissions)) { SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.SignedPermissions, permissions); } } if (headers != null) { SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.CacheControl, headers.CacheControl); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.ContentType, headers.ContentType); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.ContentEncoding, headers.ContentEncoding); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.ContentLanguage, headers.ContentLanguage); SharedAccessSignatureHelper.AddEscapedIfNotNull(builder, Constants.QueryConstants.ContentDisposition, headers.ContentDisposition); } return(builder); }
/// <summary> /// Converts the specified value to either a string representation or <c>null</c>. /// </summary> /// <param name="protocols">The protocols to convert</param> /// <returns>A string representing the specified value.</returns> internal static string GetProtocolString(SharedAccessProtocol?protocols) { if (!protocols.HasValue) { return(null); } return(protocols.Value == SharedAccessProtocol.HttpsOnly ? "https" : "https,http"); }
/// <summary> /// Create a blob SAS build from Blob Object /// </summary> public static AccountSasBuilder SetAccountSasBuilder(SharedAccessAccountServices Service, SharedAccessAccountResourceTypes type, string Permission = null, DateTime?StartTime = null, DateTime?ExpiryTime = null, string iPAddressOrRange = null, SharedAccessProtocol?Protocol = null, string EncryptionScope = null) { AccountSasBuilder sasBuilder = new AccountSasBuilder(); sasBuilder.ResourceTypes = GetAccountSasResourceTypes(type); sasBuilder.Services = GetAccountSasServices(Service); sasBuilder = SetAccountPermission(sasBuilder, Permission); if (StartTime != null) { sasBuilder.StartsOn = StartTime.Value.ToUniversalTime(); } if (ExpiryTime != null) { sasBuilder.ExpiresOn = ExpiryTime.Value.ToUniversalTime(); } else { if (sasBuilder.StartsOn != DateTimeOffset.MinValue && sasBuilder.StartsOn != null) { sasBuilder.ExpiresOn = sasBuilder.StartsOn.AddHours(1).ToUniversalTime(); } else { sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1); } } if (iPAddressOrRange != null) { sasBuilder.IPRange = Util.SetupIPAddressOrRangeForSASTrack2(iPAddressOrRange); } if (Protocol != null) { if (Protocol.Value == SharedAccessProtocol.HttpsOrHttp) { sasBuilder.Protocol = SasProtocol.HttpsAndHttp; } else //HttpsOnly { sasBuilder.Protocol = SasProtocol.Https; } } if (EncryptionScope != null) { sasBuilder.EncryptionScope = EncryptionScope; } return(sasBuilder); }
/// <summary> /// Returns a shared access signature for the table. /// </summary> /// <param name="policy">A <see cref="SharedAccessTablePolicy"/> object specifying the access policy for the shared access signature.</param> /// <param name="accessPolicyIdentifier">A string identifying a stored access policy.</param> /// <param name="startPartitionKey">A string specifying the start partition key, or <c>null</c>.</param> /// <param name="startRowKey">A string specifying the start row key, or <c>null</c>.</param> /// <param name="endPartitionKey">A string specifying the end partition key, or <c>null</c>.</param> /// <param name="endRowKey">A string specifying the end row key, or <c>null</c>.</param> /// <param name="protocols">The allowed protocols (https only, or http and https). Null if you don't want to restrict protocol.</param> /// <param name="ipAddressOrRange">The allowed IP address or IP address range. Null if you don't want to restrict based on IP address.</param> /// <returns>A shared access signature, as a URI query string.</returns> /// <remarks>The query string returned includes the leading question mark.</remarks> /// <exception cref="InvalidOperationException">Thrown if the current credentials don't support creating a shared access signature.</exception> public string GetSharedAccessSignature( SharedAccessTablePolicy policy, string accessPolicyIdentifier, string startPartitionKey, string startRowKey, string endPartitionKey, string endRowKey, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange) { if (!this.ServiceClient.Credentials.IsSharedKey) { string errorMessage = string.Format(CultureInfo.CurrentCulture, SR.CannotCreateSASWithoutAccountKey); throw new InvalidOperationException(errorMessage); } string resourceName = this.GetCanonicalName(); StorageAccountKey accountKey = this.ServiceClient.Credentials.Key; #if ALL_SERVICES string signature = SharedAccessSignatureHelper.GetHash( #else string signature = TableSharedAccessSignatureHelper.GetHash( #endif policy, accessPolicyIdentifier, startPartitionKey, startRowKey, endPartitionKey, endRowKey, resourceName, OperationContext.StorageVersion ?? Constants.HeaderConstants.TargetStorageVersion, protocols, ipAddressOrRange, accountKey.KeyValue); #if ALL_SERVICES UriQueryBuilder builder = SharedAccessSignatureHelper.GetSignature( #else UriQueryBuilder builder = TableSharedAccessSignatureHelper.GetSignature( #endif policy, this.Name, accessPolicyIdentifier, startPartitionKey, startRowKey, endPartitionKey, endRowKey, signature, accountKey.KeyName, OperationContext.StorageVersion ?? Constants.HeaderConstants.TargetStorageVersion, protocols, ipAddressOrRange); return(builder.ToString()); }
/// <summary> /// Get the signature hash embedded inside the Shared Access Signature. /// </summary> /// <param name="policy">The shared access policy to hash.</param> /// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param> /// <param name="resourceName">The canonical resource string, unescaped.</param> /// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format.</param> /// <param name="protocols">The HTTP/HTTPS protocols for Account SAS.</param> /// <param name="ipAddressOrRange">The IP range for IPSAS.</param> /// <param name="keyValue">The key value retrieved as an atomic operation used for signing.</param> /// <returns>The signed hash.</returns> internal static string GetHash( SharedAccessQueuePolicy policy, string accessPolicyIdentifier, string resourceName, string sasVersion, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange, byte[] keyValue) { CommonUtility.AssertNotNullOrEmpty("resourceName", resourceName); CommonUtility.AssertNotNull("keyValue", keyValue); CommonUtility.AssertNotNullOrEmpty("sasVersion", sasVersion); string permissions = null; DateTimeOffset?startTime = null; DateTimeOffset?expiryTime = null; if (policy != null) { permissions = SharedAccessQueuePolicy.PermissionsToString(policy.Permissions); startTime = policy.SharedAccessStartTime; expiryTime = policy.SharedAccessExpiryTime; } //// StringToSign = signedpermissions + "\n" + //// signedstart + "\n" + //// signedexpiry + "\n" + //// canonicalizedresource + "\n" + //// signedidentifier + "\n" + //// signedIP + "\n" + //// signedProtocol + "\n" + //// signedversion //// //// HMAC-SHA256(UTF8.Encode(StringToSign)) //// string stringToSign = string.Format( CultureInfo.InvariantCulture, "{0}\n{1}\n{2}\n{3}\n{4}\n{5}\n{6}\n{7}", permissions, GetDateTimeOrEmpty(startTime), GetDateTimeOrEmpty(expiryTime), resourceName, accessPolicyIdentifier, ipAddressOrRange == null ? string.Empty : ipAddressOrRange.ToString(), GetProtocolString(protocols), sasVersion); Logger.LogVerbose(null /* operationContext */, SR.TraceStringToSign, stringToSign); return(CryptoUtility.ComputeHmac256(keyValue, stringToSign)); }
private static void ValidateProtocol( SharedAccessProtocol?expectedProtocol, string protocol) { string protocolString = "https,http"; if (null != expectedProtocol && SharedAccessProtocol.HttpsOrHttp != expectedProtocol) { protocolString = "https"; } Test.Assert(string.Equals(protocol.Replace("%2C", ","), protocolString), "Protocol: {0} == {1}", protocolString, protocol); }
/// <summary> /// Returns an user-delegation-based shared access signature for the container, with credentials solely based on the <see cref="UserDelegationKey"/> provided. /// </summary> /// <param name="delegationKey"><see cref="UserDelegationKey"/> for signing this SAS token.</param> /// <param name="policy">A <see cref="SharedAccessBlobPolicy"/> object specifying the access policy for the shared access signature.</param> /// <param name="headers">A <see cref="SharedAccessBlobHeaders"/> object specifying optional header values to set for a blob container accessed with this SAS.</param> /// <param name="protocols">The allowed protocols (https only, or http and https). Null if you don't want to restrict protocol.</param> /// <param name="ipAddressOrRange">The allowed IP address or IP address range. Null if you don't want to restrict based on IP address.</param> /// <returns></returns> public string GetUserDelegationSharedAccessSignature( UserDelegationKey delegationKey, SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers = default(SharedAccessBlobHeaders), SharedAccessProtocol?protocols = default(SharedAccessProtocol?), IPAddressOrRange ipAddressOrRange = default(IPAddressOrRange)) { string resourceName = this.GetSharedAccessCanonicalName(); string signature = BlobSharedAccessSignatureHelper.GetHash(policy, headers, resourceName, Constants.HeaderConstants.TargetStorageVersion, Constants.QueryConstants.ContainerResourceType, null /* snapshotTime */, protocols, ipAddressOrRange, delegationKey); UriQueryBuilder builder = BlobSharedAccessSignatureHelper.GetSignature(policy, headers, null, Constants.QueryConstants.ContainerResourceType, signature, null, Constants.HeaderConstants.TargetStorageVersion, protocols, ipAddressOrRange, delegationKey); return(builder.ToString()); }
/// <summary> /// Converts the specified value to either a string representation or <c>null</c>. /// </summary> /// <param name="protocols">The protocols to convert</param> /// <returns>A string representing the specified value.</returns> internal static string GetProtocolString(SharedAccessProtocol?protocols) { if (!protocols.HasValue) { return(null); } if ((protocols.Value != SharedAccessProtocol.HttpsOnly) && (protocols.Value != SharedAccessProtocol.HttpsOrHttp)) { throw new ArgumentException(String.Format(CultureInfo.InvariantCulture, SR.InvalidProtocolsInSAS, protocols.Value)); } return(protocols.Value == SharedAccessProtocol.HttpsOnly ? "https" : "https,http"); }
public void CloudBlobSASSharedProtocolsQueryParamInvalid() { SharedAccessProtocol? protocol = default(SharedAccessProtocol); SharedAccessBlobPolicy policy = new SharedAccessBlobPolicy() { Permissions = SharedAccessBlobPermissions.Read, SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5), SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30), }; CloudBlobContainer container = GetRandomContainerReference(); CloudBlockBlob blockBlob = container.GetBlockBlobReference("bb"); TestHelper.ExpectedException <ArgumentException>( () => blockBlob.GetSharedAccessSignature(policy, null /* headers */, null /* stored access policy ID */, protocol, null /* IP address or range */), "Creating a SAS should throw when using an invalid value for the Protocol enum.", String.Format(SR.InvalidProtocolsInSAS, protocol)); }
private static UriQueryBuilder GetSignature( SharedAccessFilePolicy policy, SharedAccessFileHeaders headers, string accessPolicyIdentifier, string resourceType, string signature, string accountKeyName, string sasVersion, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange) { UriQueryBuilder builder = new UriQueryBuilder(); AddEscapedIfNotNull(builder, SignedVersion, sasVersion); AddEscapedIfNotNull(builder, SignedResource, resourceType); AddEscapedIfNotNull(builder, SignedIdentifier, accessPolicyIdentifier); AddEscapedIfNotNull(builder, SignedKey, accountKeyName); AddEscapedIfNotNull(builder, Signature, signature); AddEscapedIfNotNull(builder, SignedProtocols, GetProtocolString(protocols)); AddEscapedIfNotNull(builder, SignedIP, ipAddressOrRange == null ? null : ipAddressOrRange.ToString()); if (policy != null) { AddEscapedIfNotNull(builder, SignedStart, GetDateTimeOrNull(policy.SharedAccessStartTime)); AddEscapedIfNotNull(builder, SignedExpiry, GetDateTimeOrNull(policy.SharedAccessExpiryTime)); string permissions = SharedAccessFilePolicy.PermissionsToString(policy.Permissions); if (!string.IsNullOrEmpty(permissions)) { AddEscapedIfNotNull(builder, SignedPermissions, permissions); } } if (headers != null) { AddEscapedIfNotNull(builder, CacheControl, headers.CacheControl); AddEscapedIfNotNull(builder, ContentType, headers.ContentType); AddEscapedIfNotNull(builder, ContentEncoding, headers.ContentEncoding); AddEscapedIfNotNull(builder, ContentLanguage, headers.ContentLanguage); AddEscapedIfNotNull(builder, ContentDisposition, headers.ContentDisposition); } return(builder); }
internal static string GetProtocolString(SharedAccessProtocol?protocols) { if (!protocols.HasValue) { return(null); } if (protocols.Value != SharedAccessProtocol.HttpsOnly && protocols.Value != SharedAccessProtocol.HttpsOrHttp) { throw new ArgumentException(string.Format(CultureInfo.InvariantCulture, "Invalid value {0} for the SharedAccessProtocol parameter when creating a SharedAccessSignature. Use 'null' if you do not wish to include a SharedAccessProtocol.", new object[1] { protocols.Value })); } if (protocols.Value == SharedAccessProtocol.HttpsOnly) { return("https"); } return("https,http"); }
/// <summary> /// Create a blob SAS build from container Object /// </summary> public static BlobSasBuilder SetBlobSasBuilder_FromContainer(BlobContainerClient container, BlobSignedIdentifier signedIdentifier = null, string Permission = null, DateTime?StartTime = null, DateTime?ExpiryTime = null, string iPAddressOrRange = null, SharedAccessProtocol?Protocol = null) { BlobSasBuilder sasBuilder = SetBlobSasBuilder(container.Name, null, signedIdentifier, Permission, StartTime, ExpiryTime, iPAddressOrRange, Protocol); return(sasBuilder); }
public static string GetSharedAccessSignature( CloudFile file, SharedAccessFilePolicy policy, SharedAccessFileHeaders headers, string groupPolicyIdentifier, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange, string targetStorageVersion) { if (!file.ServiceClient.Credentials.IsSharedKey) { string errorMessage = string.Format(CultureInfo.InvariantCulture, "CannotCreateSASWithoutAccountKey"); throw new InvalidOperationException(errorMessage); } string resourceName = GetCanonicalName(file); string signature = GetHash( policy, headers, groupPolicyIdentifier, resourceName, targetStorageVersion, protocols, ipAddressOrRange, file.ServiceClient.Credentials.ExportKey()); UriQueryBuilder builder = GetSignature( policy, headers, groupPolicyIdentifier, "f", signature, null, targetStorageVersion, protocols, ipAddressOrRange); return(builder.ToString()); }
/// <summary> /// Get the signature hash embedded inside the Shared Access Signature. /// </summary> /// <param name="policy">The shared access policy to hash.</param> /// <param name="headers">The optional header values to set for a file returned with this SAS.</param> /// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param> /// <param name="resourceName">The canonical resource string, unescaped.</param> /// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format.</param> /// <param name="protocols">The HTTP/HTTPS protocols for Account SAS.</param> /// <param name="ipAddressOrRange">The IP range for IPSAS.</param> /// <param name="keyValue">The key value retrieved as an atomic operation used for signing.</param> /// <returns>The signed hash.</returns> internal static string GetHash( SharedAccessFilePolicy policy, SharedAccessFileHeaders headers, string accessPolicyIdentifier, string resourceName, string sasVersion, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange, byte[] keyValue) { CommonUtility.AssertNotNullOrEmpty("resourceName", resourceName); CommonUtility.AssertNotNull("keyValue", keyValue); CommonUtility.AssertNotNullOrEmpty("sasVersion", sasVersion); string permissions = null; DateTimeOffset?startTime = null; DateTimeOffset?expiryTime = null; if (policy != null) { permissions = SharedAccessFilePolicy.PermissionsToString(policy.Permissions); startTime = policy.SharedAccessStartTime; expiryTime = policy.SharedAccessExpiryTime; } //// StringToSign = signedpermissions + "\n" + //// signedstart + "\n" + //// signedexpiry + "\n" + //// canonicalizedresource + "\n" + //// signedidentifier + "\n" + //// signedIP + "\n" + //// signedProtocol + "\n" + //// signedversion + "\n" + //// cachecontrol + "\n" + //// contentdisposition + "\n" + //// contentencoding + "\n" + //// contentlanguage + "\n" + //// contenttype //// //// HMAC-SHA256(UTF8.Encode(StringToSign)) //// string cacheControl = null; string contentDisposition = null; string contentEncoding = null; string contentLanguage = null; string contentType = null; if (headers != null) { cacheControl = headers.CacheControl; contentDisposition = headers.ContentDisposition; contentEncoding = headers.ContentEncoding; contentLanguage = headers.ContentLanguage; contentType = headers.ContentType; } string stringToSign = string.Format( CultureInfo.InvariantCulture, "{0}\n{1}\n{2}\n{3}\n{4}\n{5}\n{6}\n{7}\n{8}\n{9}\n{10}\n{11}\n{12}", permissions, SharedAccessSignatureHelper.GetDateTimeOrEmpty(startTime), SharedAccessSignatureHelper.GetDateTimeOrEmpty(expiryTime), resourceName, accessPolicyIdentifier, ipAddressOrRange == null ? string.Empty : ipAddressOrRange.ToString(), SharedAccessSignatureHelper.GetProtocolString(protocols), sasVersion, cacheControl, contentDisposition, contentEncoding, contentLanguage, contentType); Logger.LogVerbose(null /* operationContext */, SR.TraceStringToSign, stringToSign); return(CryptoUtility.ComputeHmac256(keyValue, stringToSign)); }
/// <summary> /// Returns a shared access signature for the file. /// </summary> /// <param name="policy">A <see cref="SharedAccessFilePolicy"/> object specifying the access policy for the shared access signature.</param> /// <param name="headers">A <see cref="SharedAccessFileHeaders"/> object specifying optional header values to set for a file accessed with this SAS.</param> /// <param name="groupPolicyIdentifier">A string identifying a stored access policy.</param> /// <param name="protocols">The allowed protocols (https only, or http and https). Null if you don't want to restrict protocol.</param> /// <param name="ipAddressOrRange">The allowed IP address or IP address range. Null if you don't want to restrict based on IP address.</param> /// <returns>A shared access signature, as a URI query string.</returns> public string GetSharedAccessSignature(SharedAccessFilePolicy policy, SharedAccessFileHeaders headers, string groupPolicyIdentifier, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange) { if (!this.ServiceClient.Credentials.IsSharedKey) { string errorMessage = string.Format(CultureInfo.InvariantCulture, SR.CannotCreateSASWithoutAccountKey); throw new InvalidOperationException(errorMessage); } string resourceName = this.GetCanonicalName(); StorageAccountKey accountKey = this.ServiceClient.Credentials.Key; string signature = FileSharedAccessSignatureHelper.GetHash(policy, headers, groupPolicyIdentifier, resourceName, Constants.HeaderConstants.TargetStorageVersion, protocols, ipAddressOrRange, accountKey.KeyValue); UriQueryBuilder builder = FileSharedAccessSignatureHelper.GetSignature(policy, headers, groupPolicyIdentifier, "f", signature, accountKey.KeyName, Constants.HeaderConstants.TargetStorageVersion, protocols, ipAddressOrRange); return(builder.ToString()); }
public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string groupPolicyIdentifier, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange) { throw new System.NotImplementedException(); }
public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, string groupPolicyIdentifier, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange) { return(this.failoverExecutor.Execute(x => x.GetSharedAccessSignature(policy, groupPolicyIdentifier, protocols, ipAddressOrRange))); }
/// <summary> /// Get blob shared access signature /// </summary> /// <param name="blob">CloudBlob object</param> /// <param name="accessPolicy">SharedAccessBlobPolicy object</param> /// <param name="policyIdentifier">The existing policy identifier.</param> /// <returns></returns> private string GetBlobSharedAccessSignature(CloudBlob blob, SharedAccessBlobPolicy accessPolicy, string policyIdentifier, SharedAccessProtocol?protocol, IPAddressOrRange iPAddressOrRange, bool generateUserDelegationSas) { CloudBlobContainer container = blob.Container; if (generateUserDelegationSas) { Azure.Storage.UserDelegationKey userDelegationKey = Channel.GetUserDelegationKey(accessPolicy.SharedAccessStartTime, accessPolicy.SharedAccessExpiryTime, null, null, OperationContext); return(blob.GetUserDelegationSharedAccessSignature(userDelegationKey, accessPolicy, null, protocol, iPAddressOrRange)); } else { return(blob.GetSharedAccessSignature(accessPolicy, null, policyIdentifier, protocol, iPAddressOrRange)); } }
public abstract string GetAzureStorageFileSasFromCmd(string shareName, string filePath, string policy, string permission = null, DateTime?startTime = null, DateTime?expiryTime = null, bool fulluri = false, SharedAccessProtocol?protocol = null, string iPAddressOrRange = null);
/// <summary> /// Returns a shared access signature for the container. /// </summary> /// <param name="policy">A <see cref="SharedAccessBlobPolicy"/> object specifying the access policy for the shared access signature.</param> /// <param name="groupPolicyIdentifier">A container-level access policy.</param> /// <param name="protocols">The allowed protocols (https only, or http and https). Null if you don't want to restrict protocol.</param> /// <param name="ipAddressOrRange">The allowed IP address or IP address range. Null if you don't want to restrict based on IP address.</param> /// <returns>A shared access signature, as a URI query string.</returns> /// <remarks>The query string returned includes the leading question mark.</remarks> public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, string groupPolicyIdentifier, SharedAccessProtocol?protocols, IPAddressOrRange ipAddressOrRange) { if (!this.ServiceClient.Credentials.IsSharedKey) { string errorMessage = string.Format(CultureInfo.CurrentCulture, SR.CannotCreateSASWithoutAccountKey); throw new InvalidOperationException(errorMessage); } string resourceName = this.GetSharedAccessCanonicalName(); StorageAccountKey accountKey = this.ServiceClient.Credentials.Key; string signature = SharedAccessSignatureHelper.GetHash(policy, null /* headers */, groupPolicyIdentifier, resourceName, Constants.HeaderConstants.TargetStorageVersion, protocols, ipAddressOrRange, accountKey.KeyValue); string accountKeyName = accountKey.KeyName; // Future resource type changes from "c" => "container" UriQueryBuilder builder = SharedAccessSignatureHelper.GetSignature(policy, null /* headers */, groupPolicyIdentifier, "c", signature, accountKeyName, Constants.HeaderConstants.TargetStorageVersion, protocols, ipAddressOrRange); return(builder.ToString()); }
/// <summary> /// Create a blob SAS build from Blob Object /// </summary> public static BlobSasBuilder SetBlobSasBuilder(string containerName, string blobName = null, BlobSignedIdentifier signedIdentifier = null, string Permission = null, DateTime?StartTime = null, DateTime?ExpiryTime = null, string iPAddressOrRange = null, SharedAccessProtocol?Protocol = null, string EncryptionScope = null) { BlobSasBuilder sasBuilder; if (signedIdentifier != null) // Use save access policy { sasBuilder = new BlobSasBuilder { BlobContainerName = containerName, BlobName = blobName, Identifier = signedIdentifier.Id }; if (StartTime != null) { if (signedIdentifier.AccessPolicy.StartsOn != DateTimeOffset.MinValue && signedIdentifier.AccessPolicy.StartsOn != null) { throw new InvalidOperationException(Resources.SignedStartTimeMustBeOmitted); } else { sasBuilder.StartsOn = StartTime.Value.ToUniversalTime(); } } if (ExpiryTime != null) { if (signedIdentifier.AccessPolicy.PolicyExpiresOn != DateTimeOffset.MinValue && signedIdentifier.AccessPolicy.PolicyExpiresOn != null) { throw new ArgumentException(Resources.SignedExpiryTimeMustBeOmitted); } else { sasBuilder.ExpiresOn = ExpiryTime.Value.ToUniversalTime(); } } else if (signedIdentifier.AccessPolicy.PolicyExpiresOn == DateTimeOffset.MinValue && signedIdentifier.AccessPolicy.PolicyExpiresOn != null) { if (sasBuilder.StartsOn != DateTimeOffset.MinValue && sasBuilder.StartsOn != null) { sasBuilder.ExpiresOn = sasBuilder.StartsOn.ToUniversalTime().AddHours(1); } else { sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1); } } if (Permission != null) { if (signedIdentifier.AccessPolicy.Permissions != null) { throw new ArgumentException(Resources.SignedPermissionsMustBeOmitted); } else { sasBuilder = SetBlobPermission(sasBuilder, Permission); } } } else // use user input permission, starton, expireon { sasBuilder = new BlobSasBuilder { BlobContainerName = containerName, BlobName = blobName, }; sasBuilder = SetBlobPermission(sasBuilder, Permission); if (StartTime != null) { sasBuilder.StartsOn = StartTime.Value.ToUniversalTime(); } if (ExpiryTime != null) { sasBuilder.ExpiresOn = ExpiryTime.Value.ToUniversalTime(); } else { if (sasBuilder.StartsOn != DateTimeOffset.MinValue) { sasBuilder.ExpiresOn = sasBuilder.StartsOn.AddHours(1).ToUniversalTime(); } else { sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1); } } } if (iPAddressOrRange != null) { sasBuilder.IPRange = Util.SetupIPAddressOrRangeForSASTrack2(iPAddressOrRange); } if (Protocol != null) { if (Protocol.Value == SharedAccessProtocol.HttpsOrHttp) { sasBuilder.Protocol = SasProtocol.HttpsAndHttp; } else //HttpsOnly { sasBuilder.Protocol = SasProtocol.Https; } } if (EncryptionScope != null) { sasBuilder.EncryptionScope = EncryptionScope; } return(sasBuilder); }
public virtual string GetTableSasFromCmd(string tableName, string policy, string permission, DateTime?startTime = null, DateTime?expiryTime = null, bool fulluri = false, string startpk = "", string startrk = "", string endpk = "", string endrk = "", SharedAccessProtocol?protocol = null, string iPAddressOrRange = null) { return(string.Empty); }
public virtual string GetAccountSasFromCmd(SharedAccessAccountServices service, SharedAccessAccountResourceTypes resourceType, string permission, SharedAccessProtocol?protocol, string iPAddressOrRange, DateTime?startTime = null, DateTime?expiryTime = null) { return(string.Empty); }
/// <summary> /// Get blob shared access signature /// </summary> /// <param name="blob">CloudBlob object</param> /// <param name="accessPolicy">SharedAccessBlobPolicy object</param> /// <param name="policyIdentifier">The existing policy identifier.</param> /// <returns></returns> private string GetBlobSharedAccessSignature(CloudBlob blob, SharedAccessBlobPolicy accessPolicy, string policyIdentifier, SharedAccessProtocol?protocol, IPAddressOrRange iPAddressOrRange) { CloudBlobContainer container = blob.Container; return(blob.GetSharedAccessSignature(accessPolicy, null, policyIdentifier, protocol, iPAddressOrRange)); }
public string GetSharedAccessSignature(SharedAccessQueuePolicy policy, string accessPolicyIdentifier, SharedAccessProtocol?protocols = null, IPAddressOrRange ipAddressOrRange = null) { return(_queue.GetSharedAccessSignature(policy, accessPolicyIdentifier, protocols, ipAddressOrRange)); }
public abstract bool NewAzureStorageFileSAS(CloudFile file, string policyName = null, string permissions = null, DateTime?startTime = null, DateTime?expiryTime = null, bool fulluri = false, SharedAccessProtocol?protocol = null, string iPAddressOrRange = null);