/// <summary>
        /// The <see cref="GetUserDelegationKey"/> operation retrieves a
        /// key that can be used to delegate Active Directory authorization to
        /// shared access signatures created with <see cref="Sas.DataLakeSasBuilder"/>.
        /// </summary>
        /// <param name="startsOn">
        /// Start time for the key's validity, with null indicating an
        /// immediate start.  The time should be specified in UTC.
        /// </param>
        /// <param name="expiresOn">
        /// Expiration of the key's validity.  The time should be specified
        /// in UTC.
        /// </param>
        /// <param name="cancellationToken">
        /// Optional <see cref="CancellationToken"/> to propagate
        /// notifications that the operation should be cancelled.
        /// </param>
        /// <returns>
        /// A <see cref="Response{UserDelegationKey}"/> describing
        /// the use delegation key.
        /// </returns>
        /// <remarks>
        /// A <see cref="RequestFailedException"/> will be thrown if
        /// a failure occurs.
        /// </remarks>
        public virtual Response <UserDelegationKey> GetUserDelegationKey(
            DateTimeOffset?startsOn,
            DateTimeOffset expiresOn,
            CancellationToken cancellationToken = default)
        {
            DiagnosticScope scope = ClientDiagnostics.CreateScope($"{nameof(DataLakeServiceClient)}.{nameof(GetUserDelegationKey)}");

            try
            {
                scope.Start();

                Response <Blobs.Models.UserDelegationKey> response = _blobServiceClient.GetUserDelegationKey(
                    startsOn,
                    expiresOn,
                    cancellationToken);

                return(Response.FromValue(
                           new UserDelegationKey(response.Value),
                           response.GetRawResponse()));
            }
            catch (Exception ex)
            {
                scope.Failed(ex);
                throw;
            }
            finally
            {
                scope.Dispose();
            }
        }
Exemplo n.º 2
0
        /// <summary>
        /// Get SAS string
        /// </summary>
        public static string GetBlobSharedAccessSignature(AzureStorageContext context, BlobSasBuilder sasBuilder, bool generateUserDelegationSas, BlobClientOptions ClientOptions, CancellationToken cancelToken)
        {
            if (context != null && context.StorageAccount.Credentials.IsSharedKey)
            {
                return(sasBuilder.ToSasQueryParameters(new StorageSharedKeyCredential(context.StorageAccountName, context.StorageAccount.Credentials.ExportBase64EncodedKey())).ToString());
            }
            if (generateUserDelegationSas)
            {
                global::Azure.Storage.Blobs.Models.UserDelegationKey userDelegationKey = null;
                BlobServiceClient oauthService = new BlobServiceClient(context.StorageAccount.BlobEndpoint, context.Track2OauthToken, ClientOptions);

                Util.ValidateUserDelegationKeyStartEndTime(sasBuilder.StartsOn, sasBuilder.ExpiresOn);

                userDelegationKey = oauthService.GetUserDelegationKey(
                    startsOn: sasBuilder.StartsOn == DateTimeOffset.MinValue || sasBuilder.StartsOn == null ? DateTimeOffset.UtcNow : sasBuilder.StartsOn.ToUniversalTime(),
                    expiresOn: sasBuilder.ExpiresOn.ToUniversalTime(),
                    cancellationToken: cancelToken);

                return(sasBuilder.ToSasQueryParameters(userDelegationKey, context.StorageAccountName).ToString());
            }
            else
            {
                throw new InvalidOperationException("Create SAS only supported with SharedKey or Oauth credentail.");
            }
        }
        private string GetContainerSASWithServicePrincipal(BlobServiceClient service,
                                                           string storageAccount, string storageContainer, string blobName)
        {
            DateTimeOffset expiresOn      = DateTimeOffset.UtcNow.AddHours(2);
            BlobSasBuilder blobSasBuilder = new BlobSasBuilder
            {
                BlobContainerName = storageContainer,
                ExpiresOn         = DateTimeOffset.UtcNow.AddHours(2)
            };

            blobSasBuilder.SetPermissions(
                BlobContainerSasPermissions.Read |
                BlobContainerSasPermissions.Create |
                BlobContainerSasPermissions.List);

            // the principal must have storage account level "Storage Blob Delegator" role to
            // be able to get user delegation key
            UserDelegationKey delegationKey = service.GetUserDelegationKey(null, expiresOn).Value;
            var    sasQueryParameters       = blobSasBuilder.ToSasQueryParameters(delegationKey, storageAccount);
            String uri = String.IsNullOrEmpty(blobName) ?
                         String.Format("https://{0}.blob.core.windows.net/{1}?restype=container&comp=list&{2}",
                                       storageAccount,
                                       storageContainer,
                                       sasQueryParameters.ToString()) :
                         String.Format("https://{0}.blob.core.windows.net/{1}/{2}?{3}",
                                       storageAccount,
                                       storageContainer,
                                       blobName,
                                       sasQueryParameters.ToString());

            return(uri);
        }
Exemplo n.º 4
0
        private static string GetBlobSasToken(BlobBaseClient blob, AzureStorageContext context)
        {
            if (null == context.StorageAccount.Credentials ||
                (context.StorageAccount.Credentials.IsAnonymous && !context.StorageAccount.Credentials.IsToken))
            {
                return(string.Empty);
            }
            else if (context.StorageAccount.Credentials.IsSAS)
            {
                return(context.StorageAccount.Credentials.SASToken);
            }

            // SAS life time is at least 10 minutes.
            TimeSpan sasLifeTime = TimeSpan.FromMinutes(CopySASLifeTimeInMinutes);

            if (context.StorageAccount.Credentials.IsToken)
            {
                sasLifeTime = TimeSpan.FromMinutes(CopySASLifeTimeInMinutesOauth);
            }

            BlobSasBuilder sasBuilder = new BlobSasBuilder
            {
                BlobContainerName = blob.BlobContainerName,
                BlobName          = blob.Name,
                ExpiresOn         = DateTimeOffset.UtcNow.Add(sasLifeTime),
            };

            if (Util.GetVersionIdFromBlobUri(blob.Uri) != null)
            {
                sasBuilder.BlobVersionId = Util.GetVersionIdFromBlobUri(blob.Uri);
            }
            sasBuilder.SetPermissions("rt");

            string sasToken = null;

            if (context != null && context.StorageAccount.Credentials.IsToken) //oauth
            {
                global::Azure.Storage.Blobs.Models.UserDelegationKey userDelegationKey = null;
                BlobServiceClient oauthService = new BlobServiceClient(context.StorageAccount.BlobEndpoint, context.Track2OauthToken, null);

                Util.ValidateUserDelegationKeyStartEndTime(sasBuilder.StartsOn, sasBuilder.ExpiresOn);

                userDelegationKey = oauthService.GetUserDelegationKey(
                    startsOn: sasBuilder.StartsOn == DateTimeOffset.MinValue || sasBuilder.StartsOn == null? DateTimeOffset.UtcNow : sasBuilder.StartsOn.ToUniversalTime(),
                    expiresOn: sasBuilder.ExpiresOn.ToUniversalTime());

                sasToken = sasBuilder.ToSasQueryParameters(userDelegationKey, context.StorageAccountName).ToString();
            }
            else // sharedkey
            {
                sasToken = sasBuilder.ToSasQueryParameters(new StorageSharedKeyCredential(context.StorageAccountName, context.StorageAccount.Credentials.ExportBase64EncodedKey())).ToString();
            }

            if (sasToken[0] != '?')
            {
                sasToken = "?" + sasToken;
            }
            return(sasToken);
        }
        public virtual Response <UserDelegationKey> GetUserDelegationKey(
            DateTimeOffset?start,
            DateTimeOffset expiry,
            CancellationToken cancellationToken = default)
        {
            Response <Blobs.Models.UserDelegationKey> response = _blobServiceClient.GetUserDelegationKey(
                start,
                expiry,
                cancellationToken);

            return(Response.FromValue(
                       new UserDelegationKey(response.Value),
                       response.GetRawResponse()));
        }
        public static string CreateSASToken(string BlobStorageAccountName, string BlobStorageContainerName, string BlobStorageFolderPath, string DataFileName, int accessDuration)
        {
            // Get a credential and create a client object for the blob container. Note using new Azure Core credential flow
            BlobServiceClient blobClient = new BlobServiceClient(new Uri(BlobStorageAccountName),
                                                                 new DefaultAzureCredential());

            //blobClient.GetProperties();
            var startDate = DateTimeOffset.UtcNow.AddMinutes(-1);
            var endDate   = DateTimeOffset.UtcNow.AddDays(accessDuration);

            // Get a user delegation key for the Blob service that's valid for seven days.
            // You can use the key to generate any number of shared access signatures over the lifetime of the key.
            UserDelegationKey key = blobClient.GetUserDelegationKey(startDate, endDate);
            Uri BlobUri           = new Uri(BlobStorageAccountName);
            BlobContainerClient containerClient = new BlobContainerClient(BlobUri, new DefaultAzureCredential());
            // Create a SAS token
            BlobSasBuilder sasBuilder = new BlobSasBuilder()
            {
                BlobContainerName = BlobStorageContainerName,
                BlobName          = String.Format("{0}{1}", BlobStorageFolderPath, DataFileName),
                Resource          = "b",
                StartsOn          = startDate,
                ExpiresOn         = endDate,
                Protocol          = SasProtocol.Https
            };

            // Specify read permissions for the SAS.
            BlobSasPermissions perms = BlobSasPermissions.Create | BlobSasPermissions.Write;

            sasBuilder.SetPermissions(perms);

            // Use the key to get the SAS token.
            string sasToken = sasBuilder.ToSasQueryParameters(key, BlobUri.Host.Split('.')[0]).ToString();

            // Construct the full URI, including the SAS token.
            UriBuilder fullUri = new UriBuilder()
            {
                Scheme = "https",
                Host   = string.Format("{0}.blob.core.windows.net", BlobUri.Host.Split('.')[0]),
                Path   = string.Format("{0}/{1}{2}", BlobStorageContainerName, BlobStorageFolderPath, DataFileName),
                Query  = sasToken
            };

            string retvar = "&Path=" + Uri.EscapeDataString(fullUri.Path.ToString());

            retvar += "&" + sasToken;

            return(retvar);
        }
        private static string GenerateSASToken()
        {
            var storageUrl     = Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_URL");
            var blobUrl        = Environment.GetEnvironmentVariable("BLOB_URL");
            var identity       = CreateManagedIdentityCredential();
            var blobClient     = new BlobClient(new Uri(blobUrl), identity);
            var blobSasBuilder = new Azure.Storage.Sas.BlobSasBuilder();

            blobSasBuilder.BlobContainerName = blobClient.BlobContainerName;
            blobSasBuilder.BlobName          = blobClient.Name;
            blobSasBuilder.SetPermissions(Azure.Storage.Sas.BlobSasPermissions.All);
            blobSasBuilder.ExpiresOn = new DateTimeOffset(DateTime.Now.AddDays(1));
            var blobServiceClient = new BlobServiceClient(new Uri(storageUrl), identity);
            var userDelegationKey = blobServiceClient.GetUserDelegationKey(new DateTimeOffset(DateTime.Now), new DateTimeOffset(DateTime.Now.AddDays(2)));
            var parameters        = blobSasBuilder.ToSasQueryParameters(userDelegationKey, blobClient.AccountName);

            return(parameters.ToString());
        }
Exemplo n.º 8
0
        static void Main(string[] args)
        {
            string storageAccount = "az204testing";

            DateTimeOffset startTimeKey = DateTimeOffset.UtcNow;
            DateTimeOffset endTimeKey   = DateTimeOffset.UtcNow.AddDays(7);
            DateTimeOffset startTimeSAS = startTimeKey;
            DateTimeOffset endTimeSAS   = startTimeSAS.AddDays(1);

            Uri blobEndpointUri = new Uri($"https://{storageAccount}.blob.core.windows.net");

            var defaultCredentials = new DefaultAzureCredential(true);

            BlobServiceClient blobClient = new BlobServiceClient(blobEndpointUri,
                                                                 defaultCredentials);

            //Get the key. We are going to use this key for creating the SAS
            UserDelegationKey key = blobClient.GetUserDelegationKey(startTimeKey,
                                                                    endTimeKey);

            System.Console.WriteLine($"User Key Starts on: {key.SignedStartsOn}");
            System.Console.WriteLine($"User Key Expires on: {key.SignedExpiresOn}");
            System.Console.WriteLine($"User Key Service: {key.SignedService}");
            System.Console.WriteLine($"User Key Version: {key.SignedVersion}");

            //We need to use the BlobSasBuilder for creating the SAS
            BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
            {
                StartsOn  = startTimeSAS,
                ExpiresOn = endTimeSAS
            };

            //We set the permissions Create, List, Add, Read, and Write
            blobSasBuilder.SetPermissions("clarw");

            string sasToken = blobSasBuilder.ToSasQueryParameters
                                  (key, storageAccount).ToString();

            System.Console.WriteLine($"SAS Token: {sasToken}");
        }
Exemplo n.º 9
0
        private async Task <UserDelegationKey> GetUserDelegationKey(DateTimeOffset?expiration = null)
        {
            // refresh user-delegation key as necessary, valid for up to a maximum of 7 days
            if (__userDelegationKey == null || (expiration != null && __userDelegationKey.SignedExpiresOn <= expiration))
            {
                lock (UserDelegationLock)
                {
                    // additional check is neccessary to ensure that token hasnt been refreshed while thread was waiting for lock to be released
                    if (__userDelegationKey == null || (expiration != null && __userDelegationKey.SignedExpiresOn <= expiration))
                    {
                        var response = _client.GetUserDelegationKey(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(UserDelegationKeyLifetimeInDays));
                        if (response == null)
                        {
                            throw new ArgumentNullException($"User account delegation key generation failed for storage account: {_client.AccountName}");
                        }

                        __userDelegationKey = response.Value;
                    }
                }
            }

            return(__userDelegationKey);
        }
Exemplo n.º 10
0
        static void MainUse(string[] args)
        {
            string storageAccount = "az204testing";
            string containerName  = "az204-blob-testing";
            string blobName       = System.IO.Path.GetRandomFileName();

            DateTimeOffset startTimeKey = DateTimeOffset.UtcNow;
            DateTimeOffset endTimeKey   = DateTimeOffset.UtcNow.AddDays(7);
            DateTimeOffset startTimeSAS = startTimeKey;
            DateTimeOffset endTimeSAS   = startTimeSAS.AddYears(1);

            Uri blobEndpointUri = new Uri($"https://{storageAccount}.blob.core.windows.net");

            var defaultCredentials = new DefaultAzureCredential(true);

            BlobServiceClient blobClient = new BlobServiceClient(blobEndpointUri,
                                                                 defaultCredentials);

            //Get the key. We are going to use this key for creating the SAS
            UserDelegationKey key = blobClient.GetUserDelegationKey(startTimeKey,
                                                                    endTimeKey);

            Console.WriteLine($"User Key Starts on: {key.SignedStartsOn}");
            Console.WriteLine($"User Key Expires on: {key.SignedExpiresOn}");
            Console.WriteLine($"User Key Service: {key.SignedService}");
            Console.WriteLine($"User Key Version: {key.SignedVersion}");

            //We need to use the BlobSasBuilder for creating the SAS
            BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
            {
                BlobContainerName = containerName,
                BlobName          = blobName,
                Resource          = "b",
                StartsOn          = startTimeSAS,
                ExpiresOn         = endTimeSAS,
                Protocol          = Azure.Storage.Sas.SasProtocol.Https
            };

            //We set the permissions Create, List, Add, Read, and Write
            blobSasBuilder.SetPermissions(BlobSasPermissions.All);

            string sasToken = blobSasBuilder.ToSasQueryParameters
                                  (key, storageAccount).ToString();

            Console.WriteLine($"SAS Token: {sasToken}");

            //We construct the full URI for accessing the Azure Storage Account
            UriBuilder blobUri = new UriBuilder()
            {
                Scheme = "https",
                Host   = $"{storageAccount}.blob.core.windows.net",
                Path   = $"{containerName}/{blobName}",
                Query  = sasToken
            };

            //We create a random text file
            using (System.IO.StreamWriter sw = System.IO.File.CreateText(blobName))
            {
                sw.Write("This is a testing blob for uploading using user delegated SAS tokens");
            }

            BlobClient testingBlob = new BlobClient(blobUri.Uri);

            testingBlob.Upload(blobName);

            //Now we download the blob again and print the content.

            Console.WriteLine($"Reading content from testing blob {blobName}");
            Console.WriteLine();

            BlobDownloadInfo downloadInfo = testingBlob.Download();

            using (StreamReader sr = new StreamReader(downloadInfo.Content, true))
            {
                string line;
                while ((line = sr.ReadLine()) != null)
                {
                    Console.WriteLine(line);
                }
            }

            Console.WriteLine();
            Console.WriteLine("Finished reading content from testing blob");
        }