private static void TestAccess(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, CloudBlob blob)
{
CloudBlob SASblob;
StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
new StorageCredentials() :
new StorageCredentials(sasToken);
if (container != null)
{
container = new CloudBlobContainer(credentials.TransformUri(container.Uri));
if (blob.BlobType == BlobType.BlockBlob)
{
SASblob = container.GetBlockBlobReference(blob.Name);
}
else if (blob.BlobType == BlobType.PageBlob)
{
SASblob = container.GetPageBlobReference(blob.Name);
}
else
{
SASblob = container.GetAppendBlobReference(blob.Name);
}
}
else
{
if (blob.BlobType == BlobType.BlockBlob)
{
SASblob = new CloudBlockBlob(credentials.TransformUri(blob.Uri));
}
else if (blob.BlobType == BlobType.PageBlob)
{
SASblob = new CloudPageBlob(credentials.TransformUri(blob.Uri));
}
else
{
SASblob = new CloudAppendBlob(credentials.TransformUri(blob.Uri));
}
}
HttpStatusCode failureCode = sasToken == null ? HttpStatusCode.NotFound : HttpStatusCode.Forbidden;
// We want to ensure that 'create', 'add', and 'write' permissions all allow for correct writing of blobs, as is reasonable.
if (((permissions & SharedAccessBlobPermissions.Create) == SharedAccessBlobPermissions.Create) || ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write))
{
if (blob.BlobType == BlobType.PageBlob)
{
CloudPageBlob SASpageBlob = (CloudPageBlob)SASblob;
SASpageBlob.Create(512);
CloudPageBlob pageBlob = (CloudPageBlob)blob;
byte[] buffer = new byte[512];
buffer[0] = 2; // random data
if (((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write))
{
SASpageBlob.UploadFromByteArray(buffer, 0, 512);
}
else
{
TestHelper.ExpectedException(
() => SASpageBlob.UploadFromByteArray(buffer, 0, 512),
"pageBlob SAS token without Write perms should not allow for writing/adding",
failureCode);
pageBlob.UploadFromByteArray(buffer, 0, 512);
}
}
else if (blob.BlobType == BlobType.BlockBlob)
{
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
UploadText(SASblob, "blob", Encoding.UTF8);
}
else
{
TestHelper.ExpectedException(
() => UploadText(SASblob, "blob", Encoding.UTF8),
"Block blob SAS token without Write or perms should not allow for writing",
failureCode);
UploadText(blob, "blob", Encoding.UTF8);
}
}
else // append blob
{
// If the sas token contains Feb 2012, append won't be accepted
if (sasToken.Contains(Constants.VersionConstants.February2012))
{
UploadText(blob, "blob", Encoding.UTF8);
}
else
{
CloudAppendBlob SASAppendBlob = SASblob as CloudAppendBlob;
SASAppendBlob.CreateOrReplace();
byte[] textAsBytes = Encoding.UTF8.GetBytes("blob");
using (MemoryStream stream = new MemoryStream())
{
stream.Write(textAsBytes, 0, textAsBytes.Length);
stream.Seek(0, SeekOrigin.Begin);
if (((permissions & SharedAccessBlobPermissions.Add) == SharedAccessBlobPermissions.Add) || ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write))
{
SASAppendBlob.AppendBlock(stream, null);
}
else
{
TestHelper.ExpectedException(
() => SASAppendBlob.AppendBlock(stream, null),
"Append blob SAS token without Write or Add perms should not allow for writing/adding",
failureCode);
stream.Seek(0, SeekOrigin.Begin);
((CloudAppendBlob)blob).AppendBlock(stream, null);
}
}
}
}
}
else
{
TestHelper.ExpectedException(
() => UploadText(SASblob, "blob", Encoding.UTF8),
"UploadText SAS does not allow for writing/adding",
((blob.BlobType == BlobType.AppendBlob) && (sasToken != null) && (sasToken.Contains(Constants.VersionConstants.February2012))) ? HttpStatusCode.BadRequest : failureCode);
UploadText(blob, "blob", Encoding.UTF8);
}
if (container != null)
{
if ((permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List)
{
container.ListBlobs().ToArray();
}
else
{
TestHelper.ExpectedException(
() => container.ListBlobs().ToArray(),
"List blobs while SAS does not allow for listing",
failureCode);
}
}
// need to have written to the blob to read from it.
if (((permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read))
{
SASblob.FetchAttributes();
// Test headers
if (headers != null)
{
if (headers.CacheControl != null)
{
Assert.AreEqual(headers.CacheControl, SASblob.Properties.CacheControl);
}
if (headers.ContentDisposition != null)
{
Assert.AreEqual(headers.ContentDisposition, SASblob.Properties.ContentDisposition);
}
if (headers.ContentEncoding != null)
{
Assert.AreEqual(headers.ContentEncoding, SASblob.Properties.ContentEncoding);
}
if (headers.ContentLanguage != null)
{
Assert.AreEqual(headers.ContentLanguage, SASblob.Properties.ContentLanguage);
}
if (headers.ContentType != null)
{
Assert.AreEqual(headers.ContentType, SASblob.Properties.ContentType);
}
}
}
else
{
TestHelper.ExpectedException(
() => SASblob.FetchAttributes(),
"Fetch blob attributes while SAS does not allow for reading",
failureCode);
}
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
SASblob.SetMetadata();
}
else
{
TestHelper.ExpectedException(
() => SASblob.SetMetadata(),
"Set blob metadata while SAS does not allow for writing",
failureCode);
}
if ((permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete)
{
SASblob.Delete();
}
else
{
TestHelper.ExpectedException(
() => SASblob.Delete(),
"Delete blob while SAS does not allow for deleting",
failureCode);
}
}
/// <summary>
/// Checks for the existence of a specific storage container, if it doesn't exist it will create it.
/// </summary>
/// <param name="client">The <see cref="StorageManagementClient"/> that is performing the operation.</param>
/// <param name="accountName">The name of the storage account that we want to create the container in.</param>
/// <param name="containerName">The name of the container that we are about to create.</param>
/// <param name="publicAccess">The public access level for the container.</param>
/// <param name="permissions">The set of permissions that the ACL for this container must have.</param>
/// <returns>The async <see cref="Task"/> wrapper.</returns>
public static async Task CreateContainerIfNotExistsAsync(
this StorageManagementClient client,
string accountName,
string containerName,
BlobContainerPublicAccessType publicAccess,
SharedAccessBlobPermissions permissions)
{
Contract.Requires(client != null);
Contract.Requires(!string.IsNullOrWhiteSpace(accountName));
Contract.Requires(!string.IsNullOrWhiteSpace(containerName));
Contract.Requires(containerName.Length >= 3);
Contract.Requires(containerName.Length <= 63);
var key = (await client.StorageAccounts.GetKeysAsync(accountName)).PrimaryKey;
var storageAccount = CloudStorageAccount.Parse($"DefaultEndpointsProtocol=https;AccountName={accountName};AccountKey={key}");
var container = storageAccount.CreateCloudBlobClient().GetContainerReference(containerName);
await container.CreateIfNotExistsAsync();
await container.SetPermissionsAsync(new BlobContainerPermissions { PublicAccess = publicAccess });
FlexStreams.BuildEventsObserver.OnNext(new ProvisionEvent(AzureResource.StorageContainer, containerName));
var acl = container.GetSharedAccessSignature(new SharedAccessBlobPolicy { Permissions = permissions });
FlexStreams.BuildEventsObserver.OnNext(new StorageKeyEvent(accountName, containerName, acl));
}
/// <summary>
/// Converts the permissions specified for the shared access policy to a string.
/// </summary>
/// <param name="permissions">The shared access permissions.</param>
/// <returns>The shared access permissions in string format.</returns>
public static string PermissionsToString(SharedAccessBlobPermissions permissions)
{
// The service supports a fixed order => rwdl
StringBuilder builder = new StringBuilder();
if ((permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read)
{
builder.Append("r");
}
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
builder.Append("w");
}
if ((permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete)
{
builder.Append("d");
}
if ((permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List)
{
builder.Append("l");
}
return builder.ToString();
}
public Uri GetUri(SharedAccessBlobPermissions permissions)
{
var policy = new SharedAccessBlobPolicy
{
SharedAccessExpiryTime = DateTime.UtcNow.AddDays(31.0),
Permissions = permissions
};
return new Uri(_containerReference.Uri, _containerReference.GetSharedAccessSignature(policy) + "&comp=list&restype=container");
}
public string GetSasForBlob(CloudBlockBlob blob, SharedAccessBlobPermissions permission)
{
var sas = blob.GetSharedAccessSignature(new SharedAccessBlobPolicy()
{
Permissions = permission,
SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(2),
});
return string.Format(CultureInfo.InvariantCulture, "{0}{1}", blob.Uri, sas);
}
public static string GetSasUrl(ICloudBlob blob, SharedAccessBlobPermissions permissions)
{
var policy = new SharedAccessBlobPolicy
{
SharedAccessExpiryTime = DateTime.Now.AddMinutes(30),
Permissions = permissions
};
string sasBlobToken = blob.GetSharedAccessSignature(policy);
//Return the URI string for the container, including the SAS token.
return blob.Uri + sasBlobToken;
}
public static string GenerateBlobStorageSasUrl(string connectionString, string blobContainerName, DateTime expiryTime, SharedAccessBlobPermissions permissions)
{
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(connectionString);
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer blobContainer = blobClient.GetContainerReference(blobContainerName);
blobContainer.CreateIfNotExists();
var sasToken = blobContainer.GetSharedAccessSignature(
new SharedAccessBlobPolicy()
{
SharedAccessExpiryTime = expiryTime,
Permissions = permissions
});
return blobContainer.Uri + sasToken;
}
public static string CreateContainerWithPolicySASIfNotExist(string account, string key, string container, string policy, DateTime start, DateTime end, SharedAccessBlobPermissions permissions)
{
// 1. form the credentail and initial client
CloudStorageAccount storageaccount = new CloudStorageAccount(new WindowsAzure.Storage.Auth.StorageCredentials(account, key), false);
CloudBlobClient client = storageaccount.CreateCloudBlobClient();
// 2. create container if it doesn't exist
CloudBlobContainer storagecontainer = client.GetContainerReference(container);
storagecontainer.CreateIfNotExists();
// 3. validate policy, create/overwrite if doesn't match
bool policyFound = false;
SharedAccessBlobPolicy accesspolicy = new SharedAccessBlobPolicy()
{
SharedAccessExpiryTime = end,
SharedAccessStartTime = start,
Permissions = permissions
};
BlobContainerPermissions blobPermissions = storagecontainer.GetPermissions();
if (blobPermissions.SharedAccessPolicies.ContainsKey(policy))
{
SharedAccessBlobPolicy containerpolicy = blobPermissions.SharedAccessPolicies[policy];
if (!(permissions == (containerpolicy.Permissions & permissions) && start <= containerpolicy.SharedAccessStartTime && end >= containerpolicy.SharedAccessExpiryTime))
{
blobPermissions.SharedAccessPolicies[policy] = accesspolicy;
}
else
{
policyFound = true;
}
}
else
{
blobPermissions.SharedAccessPolicies.Add(policy, accesspolicy);
}
if (!policyFound)
{
storagecontainer.SetPermissions(blobPermissions);
}
// 4. genereate SAS and return
string containerSAS = storagecontainer.GetSharedAccessSignature(new SharedAccessBlobPolicy(), policy);
string containerUrl = storagecontainer.Uri.AbsoluteUri + containerSAS;
return containerUrl;
}
/// <summary>
/// Gets a blob container's SAS token
/// </summary>
/// <param name="containerName">The container name</param>
/// <param name="permissions">The permissions</param>
/// <param name="minutes">Number of minutes the permissions are effective</param>
/// <returns>System.String - The SAS token</returns>
public string GetBlobContainerSASToken(
string containerName,
SharedAccessBlobPermissions permissions,
int minutes)
{
var client = _account.CreateCloudBlobClient();
var policy = new SharedAccessBlobPolicy();
policy.Permissions = permissions;
policy.SharedAccessStartTime = System.DateTime.UtcNow.AddMinutes(-10);
policy.SharedAccessExpiryTime = System.DateTime.UtcNow.AddMinutes(10);
var container = client.GetContainerReference(containerName);
//Get the SAS token for the container.
var sasToken = container.GetSharedAccessSignature(policy);
return sasToken;
}
/// <summary>
/// Creates the shared access BLOB policy.
/// </summary>
/// <param name="permissions">The permissions.</param>
/// <param name="expireOffsetInMinute">The expire offset in minute.</param>
/// <returns>SharedAccessBlobPolicy.</returns>
protected static SharedAccessBlobPolicy CreateSharedAccessBlobPolicy(SharedAccessBlobPermissions permissions, int expireOffsetInMinute = 10)
{
return new SharedAccessBlobPolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(expireOffsetInMinute),
Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.List
};
}
/// <summary>
/// Creates the container URI.
/// </summary>
/// <param name="containerName">Name of the container.</param>
/// <param name="expireOffsetInMinute">The expire offset in minute.</param>
/// <param name="permission">The permission.</param>
/// <returns>System.String.</returns>
/// <exception cref="InvalidObjectException">Container;null</exception>
public string CreateContainerUri(string containerName, int expireOffsetInMinute = 10, SharedAccessBlobPermissions permission = SharedAccessBlobPermissions.List | SharedAccessBlobPermissions.Read)
{
try
{
containerName.CheckEmptyString("containerName");
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
if (!container.Exists())
{
throw new InvalidObjectException("Container", null, containerName);
}
return GenerateContainerUri(container, expireOffsetInMinute, permission);
}
catch (Exception ex)
{
throw ex.Handle("CreateContainerUri", new { containerName, expireOffsetInMinute, permission });
}
}
/// <summary>
/// Gets the container sas URI.
/// </summary>
/// <param name="container">The container.</param>
/// <param name="expireOffsetInMinute">The expire offset in minute.</param>
/// <param name="permission">The permission.</param>
/// <returns>System.String.</returns>
protected static string GenerateContainerUri(CloudBlobContainer container, int expireOffsetInMinute = 10, SharedAccessBlobPermissions permission = SharedAccessBlobPermissions.List | SharedAccessBlobPermissions.Read)
{
//Set the expiry time and permissions for the container.
//In this case no start time is specified, so the shared access signature becomes valid immediately.
var sasConstraints = new SharedAccessBlobPolicy();
sasConstraints.SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(expireOffsetInMinute);
sasConstraints.Permissions = permission;
//Generate the shared access signature on the container, setting the constraints directly on the signature.
string sasContainerToken = container.GetSharedAccessSignature(sasConstraints);
//Return the URI string for the container, including the SAS token.
return container.Uri + sasContainerToken;
}
public async Task <Result <TokenDtoOutput> > GenerateToken(string permissionsStorage, int size, int limit,
SharedAccessBlobPermissions permissions, string blobName)
{
var storageAccount = CloudStorageAccount.Parse(_settings.StorageAccountConnection);
var blobClient = storageAccount.CreateCloudBlobClient();
var containerName = _userInfo.UserId;
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
await container.CreateIfNotExistsAsync();
if (permissionsStorage == "Write")
{
long fileSize = size;
BlobContinuationToken continuationToken = null;
CloudBlob blob;
var segmentSize = 100;
do
{
BlobResultSegment resultSegment = await container.ListBlobsSegmentedAsync(string.Empty,
true, BlobListingDetails.Metadata, segmentSize, continuationToken, null, null);
foreach (var blobItem in resultSegment.Results)
{
blob = (CloudBlob)blobItem;
fileSize += blob.Properties.Length;
if (limit <= fileSize)
{
return(_result.Create <TokenDtoOutput>(false, "Upgrade", null));
}
}
continuationToken = resultSegment.ContinuationToken;
} while (continuationToken != null);
}
var sasToken = GetBlobSasToken(container, blobName, permissions);
/*
* var sasToken =
* data.blobName != null ?
* GetBlobSasToken(container, data.blobName.ToString(), permissions) :
* GetContainerSasToken(container, permissions);
*/
var uri = "";
if (permissionsStorage == "Read")
{
uri = container.Uri + "/" + blobName + sasToken;
}
if (permissionsStorage == "Delete")
{
uri = storageAccount.BlobEndpoint.AbsoluteUri + sasToken;
}
if (permissionsStorage == "Write")
{
uri = storageAccount.BlobEndpoint.AbsoluteUri + sasToken;
}
var tokenModel = new TokenDtoOutput
{
Container = containerName,
BlobName = blobName,
Token = sasToken,
Permission = permissionsStorage,
Uri = uri
};
return(_result.Create <TokenDtoOutput>(true, "", tokenModel));
}
private static void TestAccess(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, ICloudBlob blob)
{
StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
new StorageCredentials() :
new StorageCredentials(sasToken);
if (container != null)
{
container = new CloudBlobContainer(credentials.TransformUri(container.Uri));
if (blob.BlobType == BlobType.BlockBlob)
{
blob = container.GetBlockBlobReference(blob.Name);
}
else
{
blob = container.GetPageBlobReference(blob.Name);
}
}
else
{
if (blob.BlobType == BlobType.BlockBlob)
{
blob = new CloudBlockBlob(credentials.TransformUri(blob.Uri));
}
else
{
blob = new CloudPageBlob(credentials.TransformUri(blob.Uri));
}
}
if (container != null)
{
if ((permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List)
{
container.ListBlobs().ToArray();
}
else
{
TestHelper.ExpectedException(
() => container.ListBlobs().ToArray(),
"List blobs while SAS does not allow for listing",
HttpStatusCode.NotFound);
}
}
if ((permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read)
{
blob.FetchAttributes();
// Test headers
if (headers != null)
{
if (headers.CacheControl != null)
{
Assert.AreEqual(headers.CacheControl, blob.Properties.CacheControl);
}
if (headers.ContentDisposition != null)
{
Assert.AreEqual(headers.ContentDisposition, blob.Properties.ContentDisposition);
}
if (headers.ContentEncoding != null)
{
Assert.AreEqual(headers.ContentEncoding, blob.Properties.ContentEncoding);
}
if (headers.ContentLanguage != null)
{
Assert.AreEqual(headers.ContentLanguage, blob.Properties.ContentLanguage);
}
if (headers.ContentType != null)
{
Assert.AreEqual(headers.ContentType, blob.Properties.ContentType);
}
}
}
else
{
TestHelper.ExpectedException(
() => blob.FetchAttributes(),
"Fetch blob attributes while SAS does not allow for reading",
HttpStatusCode.NotFound);
}
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
blob.SetMetadata();
}
else
{
TestHelper.ExpectedException(
() => blob.SetMetadata(),
"Set blob metadata while SAS does not allow for writing",
HttpStatusCode.NotFound);
}
if ((permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete)
{
blob.Delete();
}
else
{
TestHelper.ExpectedException(
() => blob.Delete(),
"Delete blob while SAS does not allow for deleting",
HttpStatusCode.NotFound);
}
}
public static string GetBlobSasToken(CloudBlobContainer container, string blobName, SharedAccessBlobPermissions permissions, string policyName = null)
{
string sasBlobToken;
// Get a reference to a blob within the container.
// Note that the blob may not exist yet, but a SAS can still be created for it.
CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
if (policyName == null)
{
var adHocSas = CreateAdHocSasPolicy(permissions);
// Generate the shared access signature on the blob, setting the constraints directly on the signature.
sasBlobToken = blob.GetSharedAccessSignature(adHocSas);
}
else
{
// Generate the shared access signature on the blob. In this case, all of the constraints for the
// shared access signature are specified on the container's stored access policy.
sasBlobToken = blob.GetSharedAccessSignature(null, policyName);
}
return(sasBlobToken);
}
public void WillReturnParseableSharedAccessSignature(
SharedAccessBlobPermissions permissions,
string expectedPermissions)
{
var container = new StandaloneAzureBlobContainer(new Uri(_containerPath));
Assert.Contains(expectedPermissions, container.GetSharedAccessSignature(new SharedAccessBlobPolicy
{
Permissions = permissions
}));
}
public static string GetSASUri(string blobUrlRoot, string storageAccoutnName, string primaryKey, string container, string filename, TimeSpan persmissionDuration, SharedAccessBlobPermissions permissionType)
{
// Set the destination
string httpsBlobUrlRoot = string.Format("https:{0}", blobUrlRoot.Substring(blobUrlRoot.IndexOf('/')));
string vhdDestUri = httpsBlobUrlRoot + string.Format("{0}/{1}", container, filename);
var destinationBlob = new CloudPageBlob(new Uri(vhdDestUri), new StorageCredentials(storageAccoutnName, primaryKey));
var policy2 = new SharedAccessBlobPolicy()
{
Permissions = permissionType,
SharedAccessExpiryTime = DateTime.UtcNow.Add(persmissionDuration)
};
var destinationBlobToken2 = destinationBlob.GetSharedAccessSignature(policy2);
vhdDestUri += destinationBlobToken2;
return(vhdDestUri);
}
/// <summary>
/// create a container if doesn't exist, setting permission with policy, and return assosciated SAS signature
/// </summary>
/// <param name="account">storage account</param>
/// <param name="key">storage key</param>
/// <param name="container">container to be created</param>
/// <param name="policy">name for the policy</param>
/// <param name="start">start time of the policy</param>
/// <param name="end">expire time of the policy</param>
/// <param name="permissions">permission on the name</param>
/// <param name="blobUri">blob URI</param>
/// <returns>the SAS for the container, in full URI format.</returns>
private static string CreateContainerWithPolicySASIfNotExist(string account, string key, Uri blobUri, string container, string policy, DateTime start, DateTime end, SharedAccessBlobPermissions permissions)
{
// 1. form the credentail and initial client
CloudStorageAccount storageaccount = new CloudStorageAccount(new Microsoft.WindowsAzure.Storage.Auth.StorageCredentials(account, key),
blobEndpoint: blobUri,
queueEndpoint: null,
tableEndpoint: null,
fileEndpoint: null);
CloudBlobClient client = storageaccount.CreateCloudBlobClient();
// 2. create container if it doesn't exist
CloudBlobContainer storagecontainer = client.GetContainerReference(container);
storagecontainer.CreateIfNotExists();
// 3. validate policy, create/overwrite if doesn't match
bool policyFound = false;
SharedAccessBlobPolicy accesspolicy = new SharedAccessBlobPolicy()
{
SharedAccessExpiryTime = end,
SharedAccessStartTime = start,
Permissions = permissions
};
BlobContainerPermissions blobPermissions = storagecontainer.GetPermissions();
if (blobPermissions.SharedAccessPolicies.ContainsKey(policy))
{
SharedAccessBlobPolicy containerpolicy = blobPermissions.SharedAccessPolicies[policy];
if (!(permissions == (containerpolicy.Permissions & permissions) && start <= containerpolicy.SharedAccessStartTime && end >= containerpolicy.SharedAccessExpiryTime))
{
blobPermissions.SharedAccessPolicies[policy] = accesspolicy;
}
else
{
policyFound = true;
}
}
else
{
blobPermissions.SharedAccessPolicies.Add(policy, accesspolicy);
}
if (!policyFound)
{
storagecontainer.SetPermissions(blobPermissions);
}
// 4. genereate SAS and return
string container_sas = storagecontainer.GetSharedAccessSignature(new SharedAccessBlobPolicy(), policy);
string container_url = storagecontainer.Uri.AbsoluteUri + container_sas;
return(container_url);
}
private async Task TestAccessAsync(string sasToken, SharedAccessBlobPermissions permissions, CloudBlobContainer container, ICloudBlob blob)
{
OperationContext operationContext = new OperationContext();
StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
new StorageCredentials() :
new StorageCredentials(sasToken);
if (container != null)
{
container = new CloudBlobContainer(container.Uri, credentials);
if (blob.BlobType == BlobType.BlockBlob)
{
blob = container.GetBlockBlobReference(blob.Name);
}
else
{
blob = container.GetPageBlobReference(blob.Name);
}
}
else
{
if (blob.BlobType == BlobType.BlockBlob)
{
blob = new CloudBlockBlob(blob.Uri, credentials);
}
else
{
blob = new CloudPageBlob(blob.Uri, credentials);
}
}
if (container != null)
{
if ((permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List)
{
await container.ListBlobsSegmentedAsync(null);
}
else
{
await TestHelper.ExpectedExceptionAsync(
async() => await container.ListBlobsSegmentedAsync(null, true, BlobListingDetails.None, null, null, null, operationContext),
operationContext,
"List blobs while SAS does not allow for listing",
HttpStatusCode.NotFound);
}
}
if ((permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read)
{
await blob.FetchAttributesAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync(
async() => await blob.FetchAttributesAsync(null, null, operationContext),
operationContext,
"Fetch blob attributes while SAS does not allow for reading",
HttpStatusCode.NotFound);
}
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
await blob.SetMetadataAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync(
async() => await blob.SetMetadataAsync(null, null, operationContext),
operationContext,
"Set blob metadata while SAS does not allow for writing",
HttpStatusCode.NotFound);
}
if ((permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete)
{
await blob.DeleteAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync(
async() => await blob.DeleteAsync(DeleteSnapshotsOption.None, null, null, operationContext),
operationContext,
"Delete blob while SAS does not allow for deleting",
HttpStatusCode.NotFound);
}
}
public async Task <string> GetBlobSASUrlFromBlobPathAsync(CloudStorageAccount storageAccount, string containerName, string blobPath, DateTimeOffset expiryDateTime, SharedAccessBlobPermissions policyPermissions = SharedAccessBlobPermissions.Read)
{
string result = string.Empty;
if (storageAccount == null || string.IsNullOrWhiteSpace(containerName) || string.IsNullOrWhiteSpace(blobPath))
{
return(result);
}
CloudBlob blob = await this.GetBlobFromPathAsync(storageAccount, containerName, blobPath);
SharedAccessBlobPolicy sasBlobPolicy = new SharedAccessBlobPolicy
{
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5), // For clock skew
SharedAccessExpiryTime = expiryDateTime,
Permissions = policyPermissions
};
//Generate the shared access signature on the blob, setting the constraints directly on the signature.
string sasBlobToken = blob.GetSharedAccessSignature(sasBlobPolicy);
result = blob.Uri.AbsoluteUri + sasBlobToken;
return(result);
}
public async Task CreateSharedAccessPolicy(CloudBlobClient blobClient, CloudBlobContainer container, string policyName, DateTimeOffset?expiryDateTime, SharedAccessBlobPermissions policyPermissions = SharedAccessBlobPermissions.List | SharedAccessBlobPermissions.Read)
{
ValidationResult validationResult = new ValidationResult();
validationResult.Validations.AddItems(Validator.ValidateBlobClient(blobClient).Validations);
validationResult.Validations.AddItems(Validator.ValidateContainer(container).Validations);
if (!validationResult.IsValid)
{
return;
}
//Get the container's existing permissions.
BlobContainerPermissions permissions = await container.GetPermissionsAsync();
//Create a new shared access policy and define its constraints.
SharedAccessBlobPolicy sharedPolicy = new SharedAccessBlobPolicy()
{
SharedAccessExpiryTime = expiryDateTime,
Permissions = policyPermissions
};
//Add the new policy to the container's permissions, and set the container's permissions.
permissions.SharedAccessPolicies.Add(policyName, sharedPolicy);
await container.SetPermissionsAsync(permissions);
}
public void AssertIdentifierInSharedAccessPolicies(SharedAccessBlobPolicies sharedAccessPolicies, Basic.Azure.Storage.Communications.Common.BlobSignedIdentifier expectedIdentifier, SharedAccessBlobPermissions permissions)
{
var policy = sharedAccessPolicies.Where(i => i.Key.Equals(expectedIdentifier.Id, StringComparison.InvariantCultureIgnoreCase)).FirstOrDefault();
Assert.IsNotNull(policy);
Assert.AreEqual(expectedIdentifier.AccessPolicy.StartTime, policy.Value.SharedAccessStartTime.Value.UtcDateTime);
Assert.AreEqual(expectedIdentifier.AccessPolicy.Expiry, policy.Value.SharedAccessExpiryTime.Value.UtcDateTime);
Assert.IsTrue(policy.Value.Permissions.HasFlag(permissions));
}
private static void TestAccess(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, CloudBlob blob)
{
CloudBlob SASblob;
StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
new StorageCredentials() :
new StorageCredentials(sasToken);
if (container != null)
{
container = new CloudBlobContainer(credentials.TransformUri(container.Uri));
if (blob.BlobType == BlobType.BlockBlob)
{
SASblob = container.GetBlockBlobReference(blob.Name);
}
else if (blob.BlobType == BlobType.PageBlob)
{
SASblob = container.GetPageBlobReference(blob.Name);
}
else
{
SASblob = container.GetAppendBlobReference(blob.Name);
}
}
else
{
if (blob.BlobType == BlobType.BlockBlob)
{
SASblob = new CloudBlockBlob(credentials.TransformUri(blob.Uri));
}
else if (blob.BlobType == BlobType.PageBlob)
{
SASblob = new CloudPageBlob(credentials.TransformUri(blob.Uri));
}
else
{
SASblob = new CloudAppendBlob(credentials.TransformUri(blob.Uri));
}
}
HttpStatusCode failureCode = sasToken == null ? HttpStatusCode.NotFound : HttpStatusCode.Forbidden;
// We want to ensure that 'create', 'add', and 'write' permissions all allow for correct writing of blobs, as is reasonable.
if (((permissions & SharedAccessBlobPermissions.Create) == SharedAccessBlobPermissions.Create) || ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write))
{
if (blob.BlobType == BlobType.PageBlob)
{
CloudPageBlob SASpageBlob = (CloudPageBlob)SASblob;
SASpageBlob.Create(512);
CloudPageBlob pageBlob = (CloudPageBlob)blob;
byte[] buffer = new byte[512];
buffer[0] = 2; // random data
if (((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write))
{
SASpageBlob.UploadFromByteArray(buffer, 0, 512);
}
else
{
TestHelper.ExpectedException(
() => SASpageBlob.UploadFromByteArray(buffer, 0, 512),
"pageBlob SAS token without Write perms should not allow for writing/adding",
failureCode);
pageBlob.UploadFromByteArray(buffer, 0, 512);
}
}
else if (blob.BlobType == BlobType.BlockBlob)
{
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
UploadText(SASblob, "blob", Encoding.UTF8);
}
else
{
TestHelper.ExpectedException(
() => UploadText(SASblob, "blob", Encoding.UTF8),
"Block blob SAS token without Write or perms should not allow for writing",
failureCode);
UploadText(blob, "blob", Encoding.UTF8);
}
}
else // append blob
{
// If the sas token contains Feb 2012, append won't be accepted
if (sasToken.Contains(Constants.VersionConstants.February2012))
{
UploadText(blob, "blob", Encoding.UTF8);
}
else
{
CloudAppendBlob SASAppendBlob = SASblob as CloudAppendBlob;
SASAppendBlob.CreateOrReplace();
byte[] textAsBytes = Encoding.UTF8.GetBytes("blob");
using (MemoryStream stream = new MemoryStream())
{
stream.Write(textAsBytes, 0, textAsBytes.Length);
stream.Seek(0, SeekOrigin.Begin);
if (((permissions & SharedAccessBlobPermissions.Add) == SharedAccessBlobPermissions.Add) || ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write))
{
SASAppendBlob.AppendBlock(stream, null);
}
else
{
TestHelper.ExpectedException(
() => SASAppendBlob.AppendBlock(stream, null),
"Append blob SAS token without Write or Add perms should not allow for writing/adding",
failureCode);
stream.Seek(0, SeekOrigin.Begin);
((CloudAppendBlob)blob).AppendBlock(stream, null);
}
}
}
}
}
else
{
TestHelper.ExpectedException(
() => UploadText(SASblob, "blob", Encoding.UTF8),
"UploadText SAS does not allow for writing/adding",
((blob.BlobType == BlobType.AppendBlob) && (sasToken != null) && (sasToken.Contains(Constants.VersionConstants.February2012))) ? HttpStatusCode.BadRequest : failureCode);
UploadText(blob, "blob", Encoding.UTF8);
}
if (container != null)
{
if ((permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List)
{
container.ListBlobs().ToArray();
}
else
{
TestHelper.ExpectedException(
() => container.ListBlobs().ToArray(),
"List blobs while SAS does not allow for listing",
failureCode);
}
}
// need to have written to the blob to read from it.
if (((permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read))
{
SASblob.FetchAttributes();
// Test headers
if (headers != null)
{
if (headers.CacheControl != null)
{
Assert.AreEqual(headers.CacheControl, SASblob.Properties.CacheControl);
}
if (headers.ContentDisposition != null)
{
Assert.AreEqual(headers.ContentDisposition, SASblob.Properties.ContentDisposition);
}
if (headers.ContentEncoding != null)
{
Assert.AreEqual(headers.ContentEncoding, SASblob.Properties.ContentEncoding);
}
if (headers.ContentLanguage != null)
{
Assert.AreEqual(headers.ContentLanguage, SASblob.Properties.ContentLanguage);
}
if (headers.ContentType != null)
{
Assert.AreEqual(headers.ContentType, SASblob.Properties.ContentType);
}
}
}
else
{
TestHelper.ExpectedException(
() => SASblob.FetchAttributes(),
"Fetch blob attributes while SAS does not allow for reading",
failureCode);
}
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
SASblob.SetMetadata();
}
else
{
TestHelper.ExpectedException(
() => SASblob.SetMetadata(),
"Set blob metadata while SAS does not allow for writing",
failureCode);
}
if ((permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete)
{
SASblob.Delete();
}
else
{
TestHelper.ExpectedException(
() => SASblob.Delete(),
"Delete blob while SAS does not allow for deleting",
failureCode);
}
}
private static void TestBlobSAS(ICloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers)
{
TestBlobSAS(testBlob, permissions, headers, null);
}
public async Task <Result <TokenDtoOutput> > GenerateToken(string permissionsStorage, int size, int limit,
SharedAccessBlobPermissions permissions, string blobName)
{
return(await _token.GenerateToken(permissionsStorage, size, limit, permissions, blobName));
}
private static async Task TestBlobSASAsync(CloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers)
{
await UploadTextAsync(testBlob, "blob", Encoding.UTF8);
SharedAccessBlobPolicy policy = new SharedAccessBlobPolicy()
{
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30),
Permissions = permissions,
};
string sasToken = testBlob.GetSharedAccessSignature(policy, headers);
await TestAccessAsync(sasToken, permissions, headers, null, testBlob);
}
public string GetSharedAccessSignature(SharedAccessBlobPermissions permissions, DateTimeOffset?endOfAccess)
{
throw new NotImplementedException();
}
public string GetBlobSASUrlFromBlob(ICloudBlob blob, DateTimeOffset expiryDateTime, SharedAccessBlobPermissions policyPermissions = SharedAccessBlobPermissions.Read)
{
string result = string.Empty;
if (blob == null)
{
return(result);
}
SharedAccessBlobPolicy sasBlobPolicy = new SharedAccessBlobPolicy
{
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5), // For clock skew
SharedAccessExpiryTime = expiryDateTime,
Permissions = policyPermissions
};
//Generate the shared access signature on the blob, setting the constraints directly on the signature.
string sasBlobToken = blob.GetSharedAccessSignature(sasBlobPolicy);
result = blob.Uri.AbsoluteUri + sasBlobToken;
return(result);
}
private string GetBlobSasUri(CloudBlobClient stClient, string containerName, string BlobName, SharedAccessBlobPermissions Permissions, int hours)
{
//Get a reference to a blob within the container.
CloudBlobContainer container = stClient.GetContainerReference(containerName);
container.CreateIfNotExists();
CloudBlockBlob blob = container.GetBlockBlobReference(BlobName);
SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy
{
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddHours(hours),
Permissions = Permissions
};
string sasBlobToken = blob.GetSharedAccessSignature(sasConstraints);
return(blob.Uri + sasBlobToken);
}
/// <summary>
/// Creates the BLOB URI.
/// </summary>
/// <param name="containerName">Name of the container.</param>
/// <param name="blobIdentifier">The BLOB identifier.</param>
/// <param name="expireOffsetInMinute">The expire offset in minute.</param>
/// <param name="permission">The permission.</param>
/// <returns>BinaryStorageActionCredential.</returns>
/// <exception cref="InvalidObjectException">Container;null</exception>
protected BinaryStorageActionCredential CreateBlobUri(string containerName, string blobIdentifier, int expireOffsetInMinute = 10, SharedAccessBlobPermissions permission = SharedAccessBlobPermissions.List | SharedAccessBlobPermissions.Read)
{
try
{
containerName.CheckEmptyString("containerName");
var container = blobClient.GetContainerReference(containerName);
if (!container.Exists())
{
throw new InvalidObjectException("Container", null, containerName);
}
return GenerateBlobUri(container, blobIdentifier, expireOffsetInMinute, permission);
}
catch (Exception ex)
{
throw ex.Handle("CreateBlobUri", new { containerName, expireOffsetInMinute, permission });
}
}
//SAS
public static string GetBlobSasToken(string connectionString, string blobContainer, string blobName, SharedAccessBlobPermissions permissions, string policyName = null)
{
CloudBlobContainer cloudBlobContainer = null;
string sasBlobToken = "";
if (CloudStorageAccount.TryParse(connectionString, out CloudStorageAccount storageAccount))
{
CloudBlobClient cloudBlobClient = storageAccount.CreateCloudBlobClient();
// Create a container called 'uploaddownloadblob' and append a GUID value to it to make the name unique.
cloudBlobContainer = cloudBlobClient.GetContainerReference(blobContainer);
CloudBlockBlob cloudBlockBlob = cloudBlobContainer.GetBlockBlobReference(blobName);
SharedAccessBlobPolicy adHocSas = new SharedAccessBlobPolicy
{
//Access is Valid for a week
SharedAccessExpiryTime = DateTime.UtcNow.AddYears(1),
Permissions = permissions
};
// Generate the shared access signature on the blob, setting the constraints directly on the signature.
sasBlobToken = cloudBlockBlob.GetSharedAccessSignature(adHocSas, null, null, SharedAccessProtocol.HttpsOrHttp, null);
}
return(sasBlobToken);
}
/// <summary>
/// Applies the BLOB policy.
/// </summary>
/// <param name="container">The container.</param>
/// <param name="policyName">Name of the policy.</param>
/// <param name="expireOffsetInMinute">The expire offset in minute.</param>
/// <param name="permissions">The permissions.</param>
protected static void ApplyBlobPolicy(CloudBlobContainer container, string policyName, int expireOffsetInMinute = 10, SharedAccessBlobPermissions permissions = SharedAccessBlobPermissions.List)
{
container.CheckNullObject("container");
policyName.CheckEmptyString("policyName");
//Get the container's existing permissions.
var containerPermissions = new BlobContainerPermissions();
var sharedPolicy = new SharedAccessBlobPolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(expireOffsetInMinute),
Permissions = permissions
};
//Add the new policy to the container's permissions.
containerPermissions.SharedAccessPolicies.Clear();
containerPermissions.SharedAccessPolicies.Add(policyName, sharedPolicy);
container.SetPermissions(containerPermissions);
}
/// <summary>
/// BlobのSAS Token署名を生成します。Blobが空の場合、Container SAS Token署名を生成します。
/// </summary>
/// <param name="container"></param>
/// <param name="blob"></param>
/// <param name="permission"></param>
/// <returns></returns>
public async Task <string> GenerateExpireTokenAsync(string container, string blob, SharedAccessBlobPermissions permission = SharedAccessBlobPermissions.Read)
{
Expiry = TimeSpan.FromMinutes(-5);
return(await GenerateSasTokenAsync(client.GetContainerReference(container), blob, permission));
}
/// <summary>
/// Generates the BLOB URI.
/// </summary>
/// <param name="container">The container.</param>
/// <param name="blobIdentifier">The BLOB identifier.</param>
/// <param name="expireOffsetInMinute">The expire offset in minute.</param>
/// <param name="permission">The permission.</param>
/// <returns>BinaryStorageActionCredential.</returns>
protected static BinaryStorageActionCredential GenerateBlobUri(CloudBlobContainer container, string blobIdentifier, int expireOffsetInMinute = 10, SharedAccessBlobPermissions permission = SharedAccessBlobPermissions.List | SharedAccessBlobPermissions.Read)
{
var blob = container.GetBlockBlobReference(blobIdentifier);
//Set the expiry time and permissions for the container.
//In this case no start time is specified, so the shared access signature becomes valid immediately.
var sasConstraints = new SharedAccessBlobPolicy();
var expiredStamp = DateTime.UtcNow.AddMinutes(expireOffsetInMinute);
sasConstraints.SharedAccessExpiryTime = expiredStamp;
sasConstraints.Permissions = permission;
string sasContainerToken = blob.GetSharedAccessSignature(sasConstraints);
//Return the URI string for the container, including the SAS token.
return new BinaryStorageActionCredential()
{
CredentialUri = blob.Uri + sasContainerToken,
StorageUri = blob.Uri.ToString(),
Container = container.Name,
Identifier = blobIdentifier,
CredentialExpiredStamp = expiredStamp
};
}
private async Task <string> GenerateSasTokenAsync(CloudBlobContainer container, string blob, SharedAccessBlobPermissions permission, string policyName = "")
{
return(string.IsNullOrWhiteSpace(blob)
? await GenerateContainerSasTokenAsync(container, permission)
: await GenerateBlobSasTokenAsync(container, blob, permission));
}
private async Task <string> GenerateBlobSasTokenAsync(CloudBlobContainer container, string blobName, SharedAccessBlobPermissions permission, string policyName = "")
{
string sasBlobToken;
await container.CreateIfNotExistsAsync();
var blob = container.GetBlockBlobReference(blobName);
if (string.IsNullOrWhiteSpace(policyName))
{
var policy = CreateAdhocPolicy(permission);
sasBlobToken = blob.GetSharedAccessSignature(policy);
}
else
{
sasBlobToken = blob.GetSharedAccessSignature(null, policyName);
}
return(sasBlobToken);
}
private static void TestBlobSAS(ICloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers)
{
TestBlobSAS(testBlob, permissions, headers, null);
}
public static string GenerateBlobStorageSasUrl(string connectionString, string blobContainerName, DateTime expiryTime, SharedAccessBlobPermissions permissions)
{
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(connectionString);
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer blobContainer = blobClient.GetContainerReference(blobContainerName);
blobContainer.CreateIfNotExists();
var sasToken = blobContainer.GetSharedAccessSignature(
new SharedAccessBlobPolicy()
{
SharedAccessExpiryTime = expiryTime,
Permissions = permissions
});
return(blobContainer.Uri + sasToken);
}
private static void TestAccess(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, ICloudBlob blob)
{
StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
new StorageCredentials() :
new StorageCredentials(sasToken);
if (container != null)
{
container = new CloudBlobContainer(credentials.TransformUri(container.Uri));
if (blob.BlobType == BlobType.BlockBlob)
{
blob = container.GetBlockBlobReference(blob.Name);
}
else
{
blob = container.GetPageBlobReference(blob.Name);
}
}
else
{
if (blob.BlobType == BlobType.BlockBlob)
{
blob = new CloudBlockBlob(credentials.TransformUri(blob.Uri));
}
else
{
blob = new CloudPageBlob(credentials.TransformUri(blob.Uri));
}
}
if (container != null)
{
if ((permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List)
{
container.ListBlobs().ToArray();
}
else
{
TestHelper.ExpectedException(
() => container.ListBlobs().ToArray(),
"List blobs while SAS does not allow for listing",
HttpStatusCode.NotFound);
}
}
if ((permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read)
{
blob.FetchAttributes();
// Test headers
if (headers != null)
{
if (headers.CacheControl != null)
{
Assert.AreEqual(headers.CacheControl, blob.Properties.CacheControl);
}
if (headers.ContentDisposition != null)
{
Assert.AreEqual(headers.ContentDisposition, blob.Properties.ContentDisposition);
}
if (headers.ContentEncoding != null)
{
Assert.AreEqual(headers.ContentEncoding, blob.Properties.ContentEncoding);
}
if (headers.ContentLanguage != null)
{
Assert.AreEqual(headers.ContentLanguage, blob.Properties.ContentLanguage);
}
if (headers.ContentType != null)
{
Assert.AreEqual(headers.ContentType, blob.Properties.ContentType);
}
}
}
else
{
TestHelper.ExpectedException(
() => blob.FetchAttributes(),
"Fetch blob attributes while SAS does not allow for reading",
HttpStatusCode.NotFound);
}
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
blob.SetMetadata();
}
else
{
TestHelper.ExpectedException(
() => blob.SetMetadata(),
"Set blob metadata while SAS does not allow for writing",
HttpStatusCode.NotFound);
}
if ((permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete)
{
blob.Delete();
}
else
{
TestHelper.ExpectedException(
() => blob.Delete(),
"Delete blob while SAS does not allow for deleting",
HttpStatusCode.NotFound);
}
}
public string GenerateSharedAccessSignature(string containerName, string blobName,
bool read, bool write, bool delete, bool list, DateTime startTime, DateTime endTime)
{
CloudBlobClient client = CloudStorageAccount.CreateCloudBlobClient();
client.RetryPolicy = new LinearRetry(TimeSpan.Zero, 20);
//client.RetryPolicy = RetryPolicies.Retry(20, TimeSpan.Zero);
CloudBlobContainer container = client.GetContainerReference(containerName);
string path;
if (string.IsNullOrEmpty(blobName))
{
path = container.Uri.AbsoluteUri;
}
else
{
CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
path = blob.Uri.AbsoluteUri;
}
SharedAccessBlobPermissions permissions = new SharedAccessBlobPermissions();
if (read) permissions |= SharedAccessBlobPermissions.Read;
if (write) permissions |= SharedAccessBlobPermissions.Write;
if (delete) permissions |= SharedAccessBlobPermissions.Delete;
if (list) permissions |= SharedAccessBlobPermissions.List;
SharedAccessBlobPolicy policy = new SharedAccessBlobPolicy()
{
Permissions = permissions,
SharedAccessStartTime = startTime,
SharedAccessExpiryTime = endTime
};
string queryString = container.GetSharedAccessSignature(policy);
return path + queryString;
}
/// <summary>
/// Returns a shared access signature (SAS) URL providing the specified permissions to the specified container.
/// </summary>
/// <param name="blobClient">A <see cref="Microsoft.WindowsAzure.Storage.Blob.CloudBlobClient"/>.</param>
/// <param name="containerName">The name of the container for which a SAS URL should be obtained.</param>
/// <param name="permissions">The permissions granted by the SAS URL.</param>
/// <returns>A SAS URL providing the specified access to the container.</returns>
/// <remarks>The SAS URL provided is valid for 2 hours from the time this method is called. The container must
/// already exist within Azure Storage.</remarks>
private static string GetContainerSasUrl(CloudBlobClient blobClient, string containerName, SharedAccessBlobPermissions permissions)
{
// Set the expiry time and permissions for the container access signature. In this case, no start time is specified,
// so the shared access signature becomes valid immediately
SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(2),
Permissions = permissions
};
// Generate the shared access signature on the container, setting the constraints directly on the signature
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
string sasContainerToken = container.GetSharedAccessSignature(sasConstraints);
// Return the URL string for the container, including the SAS token
return(String.Format("{0}{1}", container.Uri, sasContainerToken));
}
private void TestAccess(string sasToken, SharedAccessBlobPermissions permissions, CloudBlobContainer container, ICloudBlob blob)
{
StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
new StorageCredentials() :
new StorageCredentials(sasToken);
if (container != null)
{
container = new CloudBlobContainer(container.Uri, credentials);
if (blob.BlobType == BlobType.BlockBlob)
{
blob = container.GetBlockBlobReference(blob.Name);
}
else
{
blob = container.GetPageBlobReference(blob.Name);
}
}
else
{
if (blob.BlobType == BlobType.BlockBlob)
{
blob = new CloudBlockBlob(blob.Uri, credentials);
}
else
{
blob = new CloudPageBlob(blob.Uri, credentials);
}
}
if (container != null)
{
if ((permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List)
{
container.ListBlobs().ToArray();
}
else
{
TestHelper.ExpectedException(
() => container.ListBlobs().ToArray(),
"List blobs while SAS does not allow for listing",
HttpStatusCode.NotFound);
}
}
if ((permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read)
{
blob.FetchAttributes();
}
else
{
TestHelper.ExpectedException(
() => blob.FetchAttributes(),
"Fetch blob attributes while SAS does not allow for reading",
HttpStatusCode.NotFound);
}
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
blob.SetMetadata();
}
else
{
TestHelper.ExpectedException(
() => blob.SetMetadata(),
"Set blob metadata while SAS does not allow for writing",
HttpStatusCode.NotFound);
}
if ((permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete)
{
blob.Delete();
}
else
{
TestHelper.ExpectedException(
() => blob.Delete(),
"Delete blob while SAS does not allow for deleting",
HttpStatusCode.NotFound);
}
}
private static void TestBlobSAS(CloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers)
{
SharedAccessBlobPolicy policy = new SharedAccessBlobPolicy()
{
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30),
Permissions = permissions,
};
string sasToken = testBlob.GetSharedAccessSignature(policy, headers, null);
TestAccess(sasToken, permissions, headers, null, testBlob);
}
private static void TestBlobSAS(ICloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, string sasVersion)
{
UploadText(testBlob, "blob", Encoding.UTF8);
SharedAccessBlobPolicy policy = new SharedAccessBlobPolicy()
{
SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30),
Permissions = permissions,
};
string sasToken = testBlob.GetSharedAccessSignature(policy, headers, null, sasVersion);
TestAccess(sasToken, permissions, headers, null, testBlob);
}
private string GetBlobSasToken(CloudBlobContainer container, string blobName, SharedAccessBlobPermissions permissions, string policyName = null)
{
string sasBlobToken;
CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
if (policyName == null)
{
var adHocSas = CreateAdHocSasPolicy(permissions);
sasBlobToken = blob.GetSharedAccessSignature(adHocSas);
}
else
{
sasBlobToken = blob.GetSharedAccessSignature(null, policyName);
}
return(sasBlobToken);
}
/// <summary>
/// Returns a shared access signature (SAS) URL providing the specified permissions to the specified container.
/// </summary>
/// <param name="blobClient">A <see cref="Microsoft.WindowsAzure.Storage.Blob.CloudBlobClient"/>.</param>
/// <param name="containerName">The name of the container for which a SAS URL should be obtained.</param>
/// <param name="permissions">The permissions granted by the SAS URL.</param>
/// <returns>A SAS URL providing the specified access to the container.</returns>
/// <remarks>The SAS URL provided is valid for 2 hours from the time this method is called. The container must
/// already exist within Azure Storage.</remarks>
private static string GetContainerSasUrl(CloudBlobClient blobClient, string containerName, SharedAccessBlobPermissions permissions)
{
// Set the expiry time and permissions for the container access signature. In this case, no start time is specified,
// so the shared access signature becomes valid immediately
SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(2),
Permissions = permissions
};
// Generate the shared access signature on the container, setting the constraints directly on the signature
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
string sasContainerToken = container.GetSharedAccessSignature(sasConstraints);
// Return the URL string for the container, including the SAS token
return String.Format("{0}{1}", container.Uri, sasContainerToken);
}
public void WillReturnEmptyStringForSharedAccessKeySignature(SharedAccessBlobPermissions permissions)
{
var container = new StandaloneAzureBlobContainer(new Uri(_containerPath));
Assert.Equal("", container.GetSharedAccessSignature(new SharedAccessBlobPolicy
{
Permissions = permissions
}));
}
private static async Task TestAccessAsync(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, CloudBlob blob)
{
OperationContext operationContext = new OperationContext();
StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
new StorageCredentials() :
new StorageCredentials(sasToken);
if (container != null)
{
container = new CloudBlobContainer(container.Uri, credentials);
if (blob.BlobType == BlobType.BlockBlob)
{
blob = container.GetBlockBlobReference(blob.Name);
}
else
{
blob = container.GetPageBlobReference(blob.Name);
}
}
else
{
if (blob.BlobType == BlobType.BlockBlob)
{
blob = new CloudBlockBlob(blob.Uri, credentials);
}
else
{
blob = new CloudPageBlob(blob.Uri, credentials);
}
}
if (container != null)
{
if ((permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List)
{
await container.ListBlobsSegmentedAsync(null);
}
else
{
await TestHelper.ExpectedExceptionAsync(
async () => await container.ListBlobsSegmentedAsync(null, true, BlobListingDetails.None, null, null, null, operationContext),
operationContext,
"List blobs while SAS does not allow for listing",
HttpStatusCode.Forbidden);
}
}
if ((permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read)
{
await blob.FetchAttributesAsync();
// Test headers
if (headers != null)
{
if (headers.CacheControl != null)
{
Assert.AreEqual(headers.CacheControl, blob.Properties.CacheControl);
}
if (headers.ContentDisposition != null)
{
Assert.AreEqual(headers.ContentDisposition, blob.Properties.ContentDisposition);
}
if (headers.ContentEncoding != null)
{
Assert.AreEqual(headers.ContentEncoding, blob.Properties.ContentEncoding);
}
if (headers.ContentLanguage != null)
{
Assert.AreEqual(headers.ContentLanguage, blob.Properties.ContentLanguage);
}
if (headers.ContentType != null)
{
Assert.AreEqual(headers.ContentType, blob.Properties.ContentType);
}
}
}
else
{
await TestHelper.ExpectedExceptionAsync(
async () => await blob.FetchAttributesAsync(null, null, operationContext),
operationContext,
"Fetch blob attributes while SAS does not allow for reading",
HttpStatusCode.Forbidden);
}
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
await blob.SetMetadataAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync(
async () => await blob.SetMetadataAsync(null, null, operationContext),
operationContext,
"Set blob metadata while SAS does not allow for writing",
HttpStatusCode.Forbidden);
}
if ((permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete)
{
await blob.DeleteAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync(
async () => await blob.DeleteAsync(DeleteSnapshotsOption.None, null, null, operationContext),
operationContext,
"Delete blob while SAS does not allow for deleting",
HttpStatusCode.Forbidden);
}
}
private async Task TestAccessAsync(string sasToken, SharedAccessBlobPermissions permissions, CloudBlobContainer container, ICloudBlob blob)
{
OperationContext operationContext = new OperationContext();
StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
new StorageCredentials() :
new StorageCredentials(sasToken);
if (container != null)
{
container = new CloudBlobContainer(container.Uri, credentials);
if (blob.BlobType == BlobType.BlockBlob)
{
blob = container.GetBlockBlobReference(blob.Name);
}
else
{
blob = container.GetPageBlobReference(blob.Name);
}
}
else
{
if (blob.BlobType == BlobType.BlockBlob)
{
blob = new CloudBlockBlob(blob.Uri, credentials);
}
else
{
blob = new CloudPageBlob(blob.Uri, credentials);
}
}
if (container != null)
{
if ((permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List)
{
await container.ListBlobsSegmentedAsync(null);
}
else
{
await TestHelper.ExpectedExceptionAsync(
async () => await container.ListBlobsSegmentedAsync(null, true, BlobListingDetails.None, null, null, null, operationContext),
operationContext,
"List blobs while SAS does not allow for listing",
HttpStatusCode.NotFound);
}
}
if ((permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read)
{
await blob.FetchAttributesAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync(
async () => await blob.FetchAttributesAsync(null, null, operationContext),
operationContext,
"Fetch blob attributes while SAS does not allow for reading",
HttpStatusCode.NotFound);
}
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
await blob.SetMetadataAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync(
async () => await blob.SetMetadataAsync(null, null, operationContext),
operationContext,
"Set blob metadata while SAS does not allow for writing",
HttpStatusCode.NotFound);
}
if ((permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete)
{
await blob.DeleteAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync(
async () => await blob.DeleteAsync(DeleteSnapshotsOption.None, null, null, operationContext),
operationContext,
"Delete blob while SAS does not allow for deleting",
HttpStatusCode.NotFound);
}
}
/// <summary>
/// Returns Uri composed of Container + SharedAccessSignature token.
/// If PolicyName is provided, will return SAS generated off of the policy,
/// otherwise will develop SAS from provided SharedAccessBlobPolicy parameters.
/// </summary>
/// <param name="container"></param>
/// <param name="policyName"></param>
/// <param name="duration"></param>
/// <param name="sharedAccessBlobPermissions"></param>
/// <returns></returns>
public static string GetContainerSharedAccessSignatureUri(this CloudBlobContainer container, string policyName = null, TimeSpan?duration = null, SharedAccessBlobPermissions sharedAccessBlobPermissions = SharedAccessBlobPermissions.Read)
{
var sharedAccessBlobPolicy = BuildSharedAccessBlobPolicy(duration, sharedAccessBlobPermissions);
//Generate the shared access signature on the container, setting the constraints directly on the signature.
// Note token starts with ? for easy appending to blob Uri:
string containerSharedAccessSignatureToken =
(!string.IsNullOrWhiteSpace(policyName))
? container.GetSharedAccessSignature(null, policyName)
: container.GetSharedAccessSignature(sharedAccessBlobPolicy);
//Return the URI string for the container, including the SAS token.
string result = container.Uri + containerSharedAccessSignatureToken;
return(result);
}
private static async Task TestAccessAsync(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, CloudBlob blob, HttpStatusCode setBlobMetadataWhileSasExpectedStatusCode = HttpStatusCode.Forbidden, HttpStatusCode deleteBlobWhileSasExpectedStatusCode = HttpStatusCode.Forbidden, HttpStatusCode listBlobWhileSasExpectedStatusCode = HttpStatusCode.Forbidden)
{
OperationContext operationContext = new OperationContext();
StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
new StorageCredentials() :
new StorageCredentials(sasToken);
if (container != null)
{
container = new CloudBlobContainer(container.Uri, credentials);
if (blob.BlobType == BlobType.BlockBlob)
{
blob = container.GetBlockBlobReference(blob.Name);
}
else
{
blob = container.GetPageBlobReference(blob.Name);
}
}
else
{
if (blob.BlobType == BlobType.BlockBlob)
{
blob = new CloudBlockBlob(blob.Uri, credentials);
}
else
{
#if !FACADE_NETCORE
blob = new CloudPageBlob(blob.Uri, credentials);
#else
blob = new CloudPageBlob(blob.Uri, null, credentials);
#endif
}
}
if (container != null)
{
if ((permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List)
{
await container.ListBlobsSegmentedAsync(null);
}
else
{
await TestHelper.ExpectedExceptionAsync(
async() => await container.ListBlobsSegmentedAsync(null, true, BlobListingDetails.None, null, null, null, operationContext),
operationContext,
"List blobs while SAS does not allow for listing",
listBlobWhileSasExpectedStatusCode);
}
}
if ((permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read)
{
await blob.FetchAttributesAsync();
// Test headers
if (headers != null)
{
if (headers.CacheControl != null)
{
Assert.AreEqual(headers.CacheControl, blob.Properties.CacheControl);
}
if (headers.ContentDisposition != null)
{
Assert.AreEqual(headers.ContentDisposition, blob.Properties.ContentDisposition);
}
if (headers.ContentEncoding != null)
{
Assert.AreEqual(headers.ContentEncoding, blob.Properties.ContentEncoding);
}
if (headers.ContentLanguage != null)
{
Assert.AreEqual(headers.ContentLanguage, blob.Properties.ContentLanguage);
}
if (headers.ContentType != null)
{
Assert.AreEqual(headers.ContentType, blob.Properties.ContentType);
}
}
}
else
{
await TestHelper.ExpectedExceptionAsync(
async() => await blob.FetchAttributesAsync(null, null, operationContext),
operationContext,
"Fetch blob attributes while SAS does not allow for reading",
HttpStatusCode.Forbidden);
}
if ((permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write)
{
await blob.SetMetadataAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync(
async() => await blob.SetMetadataAsync(null, null, operationContext),
operationContext,
"Set blob metadata while SAS does not allow for writing",
setBlobMetadataWhileSasExpectedStatusCode);
}
if ((permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete)
{
await blob.DeleteAsync();
}
else
{
await TestHelper.ExpectedExceptionAsync(
async() => await blob.DeleteAsync(DeleteSnapshotsOption.None, null, null, operationContext),
operationContext,
"Delete blob while SAS does not allow for deleting",
deleteBlobWhileSasExpectedStatusCode);
}
}
public static void SetContainerSharedAccessPolicy(this CloudBlobContainer container, string policyName, TimeSpan?duration = null, SharedAccessBlobPermissions sharedAccessBlobPermissions = SharedAccessBlobPermissions.Read)
{
var sharedAccessBlobPolicy = BuildSharedAccessBlobPolicy(duration, sharedAccessBlobPermissions);
container.SetContainerSharedAccessPolicy(policyName, sharedAccessBlobPolicy);
}
/// <summary>
/// Returns a shared access signature (SAS) URL providing the specified
/// permissions to the specified container. The SAS URL provided is valid for 2 hours from
/// the time this method is called. The container must already exist in Azure Storage.
/// </summary>
/// <param name="blobClient">A <see cref="CloudBlobClient"/>.</param>
/// <param name="containerName">The name of the container for which a SAS URL will be obtained.</param>
/// <param name="permissions">The permissions granted by the SAS URL.</param>
/// <returns>A SAS URL providing the specified access to the container.</returns>
private static string GetContainerSasUrl(CloudBlobClient blobClient, string containerName, SharedAccessBlobPermissions permissions)
{
// Set the expiry time and permissions for the container access signature. In this case, no start time is specified,
// so the shared access signature becomes valid immediately. Expiration is in 2 hours.
SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy
{
SharedAccessStartTime = DateTime.Now.AddHours(-24),
SharedAccessExpiryTime = DateTime.Now.AddHours(24),
Permissions = permissions
};
// Generate the shared access signature on the container, setting the constraints directly on the signature
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
// Construct the Storage account connection string
string storageConnectionString = String.Format("DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1}",
storageAccountName, storageAccountKey);
// Retrieve the storage account
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(storageConnectionString);
//string sasStorageToken = storageAccount.GetSharedAccessSignature(sasConstraints2);
string sasContainerToken = container.GetSharedAccessSignature(sasConstraints);
Console.WriteLine("SAS Url: {0}", String.Format("{0}{1}", container.Uri, sasContainerToken));
// Return the URL string for the container, including the SAS token
return(String.Format("{0}{1}", container.Uri, sasContainerToken));
}
