Пример #1
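        /// <summary>
        /// Verifies that credentials built from <paramref name="sasToken"/> can perform exactly the operations
        /// that <paramref name="permissions"/> grants on a blob (and, optionally, its container), and that every
        /// other operation is rejected with the expected HTTP status code.
        /// </summary>
        /// <param name="sasToken">The SAS token under test. When null or empty, parameterless (anonymous) credentials are used.</param>
        /// <param name="permissions">The permissions the token is expected to grant.</param>
        /// <param name="headers">Optional header overrides; each non-null value is compared with the blob properties fetched through the SAS.</param>
        /// <param name="container">The container to address the blob through, or <c>null</c> to address the blob by its own URI.</param>
        /// <param name="blob">The blob under test, carrying the caller's own credentials; used for writes the SAS is expected to refuse.</param>
        private static void TestAccess(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, CloudBlob blob)
        {
            CloudBlob SASblob;
            StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
                new StorageCredentials() :
                new StorageCredentials(sasToken);

            // Build a second handle to the same blob that carries only the restricted credentials.
            // 'blob' keeps the caller's credentials and is used for set-up the SAS must not be able to do.
            if (container != null)
            {
                container = new CloudBlobContainer(credentials.TransformUri(container.Uri));
                if (blob.BlobType == BlobType.BlockBlob)
                {
                    SASblob = container.GetBlockBlobReference(blob.Name);
                }
                else if (blob.BlobType == BlobType.PageBlob)
                {
                    SASblob = container.GetPageBlobReference(blob.Name);
                }
                else
                {
                    SASblob = container.GetAppendBlobReference(blob.Name);
                }
            }
            else
            {
                if (blob.BlobType == BlobType.BlockBlob)
                {
                    SASblob = new CloudBlockBlob(credentials.TransformUri(blob.Uri));
                }
                else if (blob.BlobType == BlobType.PageBlob)
                {
                    SASblob = new CloudPageBlob(credentials.TransformUri(blob.Uri));
                }
                else
                {
                    SASblob = new CloudAppendBlob(credentials.TransformUri(blob.Uri));
                }
            }

            // A missing token is expected to surface as 404, a token lacking the permission as 403.
            // NOTE(review): an empty (non-null) token also yields anonymous credentials above but maps to 403 here - confirm intended.
            HttpStatusCode failureCode = sasToken == null ? HttpStatusCode.NotFound : HttpStatusCode.Forbidden;

            bool canCreate = (permissions & SharedAccessBlobPermissions.Create) == SharedAccessBlobPermissions.Create;
            bool canWrite = (permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write;
            bool canAdd = (permissions & SharedAccessBlobPermissions.Add) == SharedAccessBlobPermissions.Add;
            bool canList = (permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List;
            bool canRead = (permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read;
            bool canDelete = (permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete;

            // sasToken may be null (failureCode above handles that case), so guard before inspecting its version.
            bool isFebruary2012Token = (sasToken != null) && sasToken.Contains(Constants.VersionConstants.February2012);

            // We want to ensure that 'create', 'add', and 'write' permissions all allow for correct writing of blobs, as is reasonable.
            if (canCreate || canWrite)
            {
                if (blob.BlobType == BlobType.PageBlob)
                {
                    CloudPageBlob SASpageBlob = (CloudPageBlob)SASblob;
                    SASpageBlob.Create(512);
                    CloudPageBlob pageBlob = (CloudPageBlob)blob;
                    byte[] buffer = new byte[512];
                    buffer[0] = 2;  // arbitrary non-zero content

                    if (canWrite)
                    {
                        SASpageBlob.UploadFromByteArray(buffer, 0, 512);
                    }
                    else
                    {
                        // Create-only token: the page write must be refused, then the data is written with
                        // the caller's credentials so the later read checks have content to work with.
                        TestHelper.ExpectedException(
                            () => SASpageBlob.UploadFromByteArray(buffer, 0, 512),
                            "pageBlob SAS token without Write perms should not allow for writing/adding",
                            failureCode);
                        pageBlob.UploadFromByteArray(buffer, 0, 512);
                    }
                }
                else if (blob.BlobType == BlobType.BlockBlob)
                {
                    if (canWrite)
                    {
                        UploadText(SASblob, "blob", Encoding.UTF8);
                    }
                    else
                    {
                        TestHelper.ExpectedException(
                            () => UploadText(SASblob, "blob", Encoding.UTF8),
                            "Block blob SAS token without Write or perms should not allow for writing",
                            failureCode);
                        UploadText(blob, "blob", Encoding.UTF8);
                    }
                }
                else // append blob
                {
                    // If the sas token contains Feb 2012, append won't be accepted
                    if (isFebruary2012Token)
                    {
                        UploadText(blob, "blob", Encoding.UTF8);
                    }
                    else
                    {
                        // Direct cast (as in the page-blob branch) so a wrong type fails with a clear
                        // InvalidCastException instead of a null dereference on the next line.
                        CloudAppendBlob SASAppendBlob = (CloudAppendBlob)SASblob;
                        SASAppendBlob.CreateOrReplace();

                        byte[] textAsBytes = Encoding.UTF8.GetBytes("blob");
                        using (MemoryStream stream = new MemoryStream())
                        {
                            stream.Write(textAsBytes, 0, textAsBytes.Length);
                            stream.Seek(0, SeekOrigin.Begin);

                            if (canAdd || canWrite)
                            {
                                SASAppendBlob.AppendBlock(stream, null);
                            }
                            else
                            {
                                TestHelper.ExpectedException(
                                    () => SASAppendBlob.AppendBlock(stream, null),
                                    "Append blob SAS token without Write or Add perms should not allow for writing/adding",
                                    failureCode);

                                // Rewind before the fallback append made with the caller's credentials.
                                stream.Seek(0, SeekOrigin.Begin);
                                ((CloudAppendBlob)blob).AppendBlock(stream, null);
                            }
                        }
                    }
                }
            }
            else
            {
                // Neither Create nor Write: any upload through the SAS must be refused.
                TestHelper.ExpectedException(
                        () => UploadText(SASblob, "blob", Encoding.UTF8),
                        "UploadText SAS does not allow for writing/adding",
                        ((blob.BlobType == BlobType.AppendBlob) && isFebruary2012Token) ? HttpStatusCode.BadRequest : failureCode);
                UploadText(blob, "blob", Encoding.UTF8);
            }

            if (container != null)
            {
                if (canList)
                {
                    // ToArray forces the listing to be enumerated, so the request is actually issued.
                    container.ListBlobs().ToArray();
                }
                else
                {
                    TestHelper.ExpectedException(
                        () => container.ListBlobs().ToArray(),
                        "List blobs while SAS does not allow for listing",
                        failureCode);
                }
            }

            // need to have written to the blob to read from it.
            if (canRead)
            {
                SASblob.FetchAttributes();

                // Test headers
                if (headers != null)
                {
                    if (headers.CacheControl != null)
                    {
                        Assert.AreEqual(headers.CacheControl, SASblob.Properties.CacheControl);
                    }

                    if (headers.ContentDisposition != null)
                    {
                        Assert.AreEqual(headers.ContentDisposition, SASblob.Properties.ContentDisposition);
                    }

                    if (headers.ContentEncoding != null)
                    {
                        Assert.AreEqual(headers.ContentEncoding, SASblob.Properties.ContentEncoding);
                    }

                    if (headers.ContentLanguage != null)
                    {
                        Assert.AreEqual(headers.ContentLanguage, SASblob.Properties.ContentLanguage);
                    }

                    if (headers.ContentType != null)
                    {
                        Assert.AreEqual(headers.ContentType, SASblob.Properties.ContentType);
                    }
                }
            }
            else
            {
                TestHelper.ExpectedException(
                    () => SASblob.FetchAttributes(),
                    "Fetch blob attributes while SAS does not allow for reading",
                    failureCode);
            }

            if (canWrite)
            {
                SASblob.SetMetadata();
            }
            else
            {
                TestHelper.ExpectedException(
                    () => SASblob.SetMetadata(),
                    "Set blob metadata while SAS does not allow for writing",
                    failureCode);
            }

            // Delete is checked last because a successful delete removes the blob the other checks rely on.
            if (canDelete)
            {
                SASblob.Delete();
            }
            else
            {
                TestHelper.ExpectedException(
                    () => SASblob.Delete(),
                    "Delete blob while SAS does not allow for deleting",
                    failureCode);
            }
        }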
        /// <summary>
        /// Creates a <see cref="SharedAccessBlobHeaders"/> whose five header values are copied from another instance.
        /// </summary>
        /// <param name="sharedAccessBlobHeaders">The instance to copy from; it is checked with <c>CommonUtility.AssertNotNull</c> before use.</param>
        public SharedAccessBlobHeaders(SharedAccessBlobHeaders sharedAccessBlobHeaders)
        {
            CommonUtility.AssertNotNull("sharedAccessBlobHeaders", sharedAccessBlobHeaders);

            // Copy each header override one by one, in the original assignment order.
            SharedAccessBlobHeaders source = sharedAccessBlobHeaders;
            ContentType = source.ContentType;
            ContentDisposition = source.ContentDisposition;
            ContentEncoding = source.ContentEncoding;
            ContentLanguage = source.ContentLanguage;
            CacheControl = source.CacheControl;
        }
        /// <summary>
        /// Assembles the query parameters of a Shared Access Signature into a <see cref="UriQueryBuilder"/>.
        /// </summary>
        /// <remarks>
        /// The result includes the <paramref name="signature"/> value itself, so its string form should be
        /// handled as a credential (for example, kept out of logs).
        /// </remarks>
        /// <param name="policy">The shared access policy supplying start time, expiry time and permissions; may be <c>null</c>.</param>
        /// <param name="headers">The optional header values to set for a blob returned with this SAS; may be <c>null</c>.</param>
        /// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param>
        /// <param name="resourceType">Either "b" for blobs or "c" for containers. Must not be null or empty.</param>
        /// <param name="signature">The signature to use.</param>
        /// <param name="accountKeyName">The name of the key used to create the signature, or <c>null</c> if the key is implicit.</param>
        /// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format.</param>
        /// <param name="protocols">The HTTP/HTTPS protocols for Account SAS.</param>
        /// <param name="ipAddressOrRange">The IP range for IPSAS.</param>
        /// <returns>The finished query builder.</returns>
        internal static UriQueryBuilder GetSignature(
            SharedAccessBlobPolicy policy,
            SharedAccessBlobHeaders headers,
            string accessPolicyIdentifier,
            string resourceType,
            string signature,
            string accountKeyName,
            string sasVersion,
            SharedAccessProtocol? protocols,
            IPAddressOrRange ipAddressOrRange
            )
        {
            CommonUtility.AssertNotNullOrEmpty("resourceType", resourceType);

            UriQueryBuilder query = new UriQueryBuilder();

            // Parameters that identify the token, its signing key and the signature.
            AddEscapedIfNotNull(query, Constants.QueryConstants.SignedVersion, sasVersion);
            AddEscapedIfNotNull(query, Constants.QueryConstants.SignedResource, resourceType);
            AddEscapedIfNotNull(query, Constants.QueryConstants.SignedIdentifier, accessPolicyIdentifier);
            AddEscapedIfNotNull(query, Constants.QueryConstants.SignedKey, accountKeyName);
            AddEscapedIfNotNull(query, Constants.QueryConstants.Signature, signature);

            // Optional network restrictions: allowed protocols and client IP address or range.
            string protocolText = GetProtocolString(protocols);
            AddEscapedIfNotNull(query, Constants.QueryConstants.SignedProtocols, protocolText);

            string ipText = null;
            if (ipAddressOrRange != null)
            {
                ipText = ipAddressOrRange.ToString();
            }

            AddEscapedIfNotNull(query, Constants.QueryConstants.SignedIP, ipText);

            // Validity window and permissions come from the ad-hoc policy, when one is given.
            if (policy != null)
            {
                string startText = GetDateTimeOrNull(policy.SharedAccessStartTime);
                AddEscapedIfNotNull(query, Constants.QueryConstants.SignedStart, startText);

                string expiryText = GetDateTimeOrNull(policy.SharedAccessExpiryTime);
                AddEscapedIfNotNull(query, Constants.QueryConstants.SignedExpiry, expiryText);

                // An empty permission string is left out of the query entirely.
                string permissionText = SharedAccessBlobPolicy.PermissionsToString(policy.Permissions);
                if (!string.IsNullOrEmpty(permissionText))
                {
                    AddEscapedIfNotNull(query, Constants.QueryConstants.SignedPermissions, permissionText);
                }
            }

            // Header overrides for a blob returned with this SAS.
            if (headers != null)
            {
                AddEscapedIfNotNull(query, Constants.QueryConstants.CacheControl, headers.CacheControl);
                AddEscapedIfNotNull(query, Constants.QueryConstants.ContentType, headers.ContentType);
                AddEscapedIfNotNull(query, Constants.QueryConstants.ContentEncoding, headers.ContentEncoding);
                AddEscapedIfNotNull(query, Constants.QueryConstants.ContentLanguage, headers.ContentLanguage);
                AddEscapedIfNotNull(query, Constants.QueryConstants.ContentDisposition, headers.ContentDisposition);
            }

            return query;
        }
Пример #4
 /// <summary>
 /// Returns a shared access signature for the blob, supplying no protocol and no IP address restriction.
 /// </summary>
 /// <remarks>
 /// Callers that need a token limited to specific protocols or to an IP range should use the overload
 /// that accepts <c>protocols</c> and <c>ipAddressOrRange</c>.
 /// </remarks>
 /// <param name="policy">A <see cref="SharedAccessBlobPolicy"/> object specifying the access policy for the shared access signature.</param>
 /// <param name="headers">A <see cref="SharedAccessBlobHeaders"/> object specifying optional header values to set for a blob accessed with this SAS.</param>
 /// <param name="groupPolicyIdentifier">A string identifying a stored access policy.</param>
 /// <returns>A shared access signature, as a URI query string.</returns>
 public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string groupPolicyIdentifier)
 {
     // Both restriction arguments are forwarded as null.
     SharedAccessProtocol? unrestrictedProtocols = null;
     IPAddressOrRange unrestrictedAddress = null;

     string sasQuery = this.GetSharedAccessSignature(policy, headers, groupPolicyIdentifier, unrestrictedProtocols, unrestrictedAddress);
     return sasQuery;
 }
Пример #5
        /// <summary>
        /// Runs the blob SAS test against an append blob once for every permission value from 1 up to 0x3F,
        /// each time with a full set of header overrides.
        /// </summary>
        public void CloudAppendBlobSASHeaders()
        {
            // Exclusive upper bound of the permission values that are enumerated.
            const int permissionLimit = 0x40;

            int permissionBits = 1;
            while (permissionBits < permissionLimit)
            {
                // A separate blob per combination, named after the numeric permission value.
                CloudAppendBlob target = this.testContainer.GetAppendBlobReference("blob" + permissionBits);
                SharedAccessBlobPermissions granted = (SharedAccessBlobPermissions)permissionBits;

                SharedAccessBlobHeaders overrides = new SharedAccessBlobHeaders();
                overrides.CacheControl = "no-transform";
                overrides.ContentDisposition = "attachment";
                overrides.ContentEncoding = "gzip";
                overrides.ContentLanguage = "tr,en";
                overrides.ContentType = "text/html";

                TestBlobSAS(target, granted, overrides);
                permissionBits++;
            }
        }
Пример #6
        /// <summary>
        /// Asynchronously checks that credentials built from <paramref name="sasToken"/> allow exactly the list,
        /// read, metadata-write and delete operations named in <paramref name="permissions"/>; every operation
        /// that is not granted is expected to fail with HTTP 403 (Forbidden).
        /// </summary>
        /// <param name="sasToken">The SAS token under test. When null or empty, parameterless credentials are used.</param>
        /// <param name="permissions">The permissions the token is expected to grant.</param>
        /// <param name="headers">Optional header overrides; each non-null value is compared with the fetched blob properties.</param>
        /// <param name="container">The container to address the blob through, or <c>null</c> to address the blob by its own URI.</param>
        /// <param name="blob">The blob under test; it is replaced by a reference that uses the restricted credentials.</param>
        private static async Task TestAccessAsync(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, CloudBlob blob)
        {
            OperationContext operationContext = new OperationContext();

            StorageCredentials credentials;
            if (string.IsNullOrEmpty(sasToken))
            {
                credentials = new StorageCredentials();
            }
            else
            {
                credentials = new StorageCredentials(sasToken);
            }

            bool mayList = (permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List;
            bool mayRead = (permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read;
            bool mayWrite = (permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write;
            bool mayDelete = (permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete;

            // Swap both handles for ones that carry only the restricted credentials.
            // NOTE(review): anything that is not a block blob is re-addressed as a page blob here -
            // confirm append blobs are never passed to this overload.
            bool isBlockBlob = blob.BlobType == BlobType.BlockBlob;
            if (container == null)
            {
                blob = isBlockBlob
                    ? (CloudBlob)new CloudBlockBlob(blob.Uri, credentials)
                    : new CloudPageBlob(blob.Uri, credentials);
            }
            else
            {
                container = new CloudBlobContainer(container.Uri, credentials);
                blob = isBlockBlob
                    ? (CloudBlob)container.GetBlockBlobReference(blob.Name)
                    : container.GetPageBlobReference(blob.Name);
            }

            // Listing is only checked when the blob is addressed through a container.
            if (container != null)
            {
                if (!mayList)
                {
                    await TestHelper.ExpectedExceptionAsync(
                        async () => await container.ListBlobsSegmentedAsync(null, true, BlobListingDetails.None, null, null, null, operationContext),
                        operationContext,
                        "List blobs while SAS does not allow for listing",
                        HttpStatusCode.Forbidden);
                }
                else
                {
                    await container.ListBlobsSegmentedAsync(null);
                }
            }

            if (!mayRead)
            {
                await TestHelper.ExpectedExceptionAsync(
                    async () => await blob.FetchAttributesAsync(null, null, operationContext),
                    operationContext,
                    "Fetch blob attributes while SAS does not allow for reading",
                    HttpStatusCode.Forbidden);
            }
            else
            {
                await blob.FetchAttributesAsync();

                // Every header override that was requested must be reflected in the fetched properties.
                if (headers != null)
                {
                    if (headers.CacheControl != null)
                    {
                        Assert.AreEqual(headers.CacheControl, blob.Properties.CacheControl);
                    }

                    if (headers.ContentDisposition != null)
                    {
                        Assert.AreEqual(headers.ContentDisposition, blob.Properties.ContentDisposition);
                    }

                    if (headers.ContentEncoding != null)
                    {
                        Assert.AreEqual(headers.ContentEncoding, blob.Properties.ContentEncoding);
                    }

                    if (headers.ContentLanguage != null)
                    {
                        Assert.AreEqual(headers.ContentLanguage, blob.Properties.ContentLanguage);
                    }

                    if (headers.ContentType != null)
                    {
                        Assert.AreEqual(headers.ContentType, blob.Properties.ContentType);
                    }
                }
            }

            if (!mayWrite)
            {
                await TestHelper.ExpectedExceptionAsync(
                    async () => await blob.SetMetadataAsync(null, null, operationContext),
                    operationContext,
                    "Set blob metadata while SAS does not allow for writing",
                    HttpStatusCode.Forbidden);
            }
            else
            {
                await blob.SetMetadataAsync();
            }

            // Delete comes last: once it succeeds there is nothing left to test against.
            if (!mayDelete)
            {
                await TestHelper.ExpectedExceptionAsync(
                    async () => await blob.DeleteAsync(DeleteSnapshotsOption.None, null, null, operationContext),
                    operationContext,
                    "Delete blob while SAS does not allow for deleting",
                    HttpStatusCode.Forbidden);
            }
            else
            {
                await blob.DeleteAsync();
            }
        }
Пример #7
        /// <summary>
        /// Uploads a small text blob, issues a SAS token for it with the given permissions and headers, and
        /// passes that token to <c>TestAccessAsync</c> without a container.
        /// </summary>
        /// <param name="testBlob">The blob to create and to issue the token for.</param>
        /// <param name="permissions">The permissions to put into the token's policy.</param>
        /// <param name="headers">Header overrides to embed in the token.</param>
        private static async Task TestBlobSASAsync(CloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers)
        {
            // The blob has to exist before access through the token can be checked.
            await UploadTextAsync(testBlob, "blob", Encoding.UTF8);

            // Validity window: starts five minutes in the past and ends thirty minutes from now.
            SharedAccessBlobPolicy policy = new SharedAccessBlobPolicy();
            policy.SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5);
            policy.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30);
            policy.Permissions = permissions;

            string issuedToken = testBlob.GetSharedAccessSignature(policy, headers);
            CloudBlobContainer noContainer = null;
            await TestAccessAsync(issuedToken, permissions, headers, noContainer, testBlob);
        }
 /// <summary>
 /// Placeholder overload: always throws <see cref="NotImplementedException"/> and never produces a signature.
 /// </summary>
 /// <param name="policy">Not used by this stub.</param>
 /// <param name="headers">Not used by this stub.</param>
 /// <param name="groupPolicyIdentifier">Not used by this stub.</param>
 /// <param name="protocols">Not used by this stub.</param>
 /// <param name="ipAddressOrRange">Not used by this stub.</param>
 /// <returns>Never returns.</returns>
 /// <exception cref="NotImplementedException">Always thrown.</exception>
 public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string groupPolicyIdentifier, SharedAccessProtocol? protocols, IPAddressOrRange ipAddressOrRange)
 {
     throw new NotImplementedException();
 }
 /// <summary>
 /// Placeholder overload: always throws <see cref="NotImplementedException"/> and never produces a signature.
 /// </summary>
 /// <param name="policy">Not used by this stub.</param>
 /// <param name="headers">Not used by this stub.</param>
 /// <returns>Never returns.</returns>
 /// <exception cref="NotImplementedException">Always thrown.</exception>
 public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers)
 {
     throw new NotImplementedException();
 }
Пример #10
        /// <summary>
        /// Checks that requesting a page-blob SAS with header overrides under the February 2012 SAS version
        /// is rejected with an <see cref="ArgumentException"/> whose message equals <c>SR.InvalidHeaders</c>.
        /// </summary>
        public void CloudPageBlobHeaders20120212SASVersion()
        {
            SharedAccessBlobHeaders overrides = new SharedAccessBlobHeaders();
            overrides.CacheControl = "no-transform";
            overrides.ContentDisposition = "attachment";
            overrides.ContentEncoding = "gzip";
            overrides.ContentLanguage = "tr,en";
            overrides.ContentType = "text/html";

            try
            {
                CloudPageBlob target = this.testContainer.GetPageBlobReference("blob" + 1);
                SharedAccessBlobPermissions granted = (SharedAccessBlobPermissions)1;
                TestBlobSAS(target, granted, overrides, Constants.VersionConstants.February2012);

                // Reached only when no exception was thrown, which counts as a failure of this test.
                Assert.Fail();
            }
            catch (ArgumentException rejected)
            {
                Assert.AreEqual(SR.InvalidHeaders, rejected.Message);
            }
        }
Пример #11
        /// <summary>
        /// Creates the test blob, generates a SAS token for it from a policy built around
        /// <paramref name="permissions"/>, and verifies access through that token with <c>TestAccessAsync</c>.
        /// </summary>
        /// <param name="testBlob">The blob to upload and to generate the token for.</param>
        /// <param name="permissions">The permissions granted by the token's policy.</param>
        /// <param name="headers">Header overrides to embed in the token.</param>
        private static async Task TestBlobSASAsync(CloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers)
        {
            await UploadTextAsync(testBlob, "blob", Encoding.UTF8);

            // The token is valid from five minutes ago until thirty minutes from now.
            SharedAccessBlobPolicy accessPolicy = new SharedAccessBlobPolicy();
            accessPolicy.SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5);
            accessPolicy.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30);
            accessPolicy.Permissions = permissions;

            // No container is passed, so the blob is addressed directly by its own URI.
            await TestAccessAsync(
                testBlob.GetSharedAccessSignature(accessPolicy, headers),
                permissions,
                headers,
                null,
                testBlob);
        }
        /// <summary>
        /// Returns a shared access signature for the blob, signed with the service client's account key.
        /// </summary>
        /// <remarks>
        /// The returned query string contains the signature and therefore grants the described access to
        /// whoever holds it; handle it as a credential.
        /// </remarks>
        /// <param name="policy">A <see cref="SharedAccessBlobPolicy"/> object specifying the access policy for the shared access signature.</param>
        /// <param name="headers">A <see cref="SharedAccessBlobHeaders"/> object specifying optional header values to set for a blob accessed with this SAS.</param>
        /// <param name="groupPolicyIdentifier">A string identifying a stored access policy.</param>
        /// <returns>A shared access signature, as a URI query string.</returns>
        /// <exception cref="InvalidOperationException">The service client's credentials are not shared-key credentials.</exception>
        public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string groupPolicyIdentifier)
        {
            // The signature is computed from the account key, so any other kind of credential is refused up front.
            bool hasAccountKey = this.ServiceClient.Credentials.IsSharedKey;
            if (!hasAccountKey)
            {
                throw new InvalidOperationException(
                    string.Format(CultureInfo.InvariantCulture, SR.CannotCreateSASWithoutAccountKey));
            }

            string targetVersion = Constants.HeaderConstants.TargetStorageVersion;

            // The canonical name is built with the snapshot time ignored.
            string canonicalName = this.GetCanonicalName(true /* ignoreSnapshotTime */, targetVersion);
            StorageAccountKey signingKey = this.ServiceClient.Credentials.Key;

            string signedHash = SharedAccessSignatureHelper.GetHash(
                policy,
                headers,
                groupPolicyIdentifier,
                canonicalName,
                targetVersion,
                signingKey.KeyValue);

            // "b" is the resource type passed for a blob; only the key's name, not its value, goes into the query.
            UriQueryBuilder sasQuery = SharedAccessSignatureHelper.GetSignature(
                policy,
                headers,
                groupPolicyIdentifier,
                "b",
                signedHash,
                signingKey.KeyName,
                targetVersion);

            return sasQuery.ToString();
        }
 /// <summary>
 /// Returns a shared access signature for the blob without referring to a stored access policy.
 /// </summary>
 /// <param name="policy">A <see cref="SharedAccessBlobPolicy"/> object specifying the access policy for the shared access signature.</param>
 /// <param name="headers">A <see cref="SharedAccessBlobHeaders"/> object specifying optional header values to set for a blob accessed with this SAS.</param>
 /// <returns>A shared access signature, as a URI query string.</returns>
 public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers)
 {
     // With no stored policy identifier, the token's terms come from 'policy' alone.
     string noStoredPolicy = null;
     string sasQuery = this.GetSharedAccessSignature(policy, headers, noStoredPolicy);
     return sasQuery;
 }
Пример #14
        /// <summary>
        /// Checks that credentials built from <paramref name="sasToken"/> allow exactly the list, read,
        /// metadata-write and delete operations named in <paramref name="permissions"/>; every operation that
        /// is not granted is expected to fail with HTTP 404 (NotFound).
        /// </summary>
        /// <param name="sasToken">The SAS token under test. When null or empty, parameterless credentials are used.</param>
        /// <param name="permissions">The permissions the token is expected to grant.</param>
        /// <param name="headers">Optional header overrides; each non-null value is compared with the fetched blob properties.</param>
        /// <param name="container">The container to address the blob through, or <c>null</c> to address the blob by its own URI.</param>
        /// <param name="blob">The blob under test; it is replaced by a reference that uses the restricted credentials.</param>
        private static void TestAccess(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, CloudBlob blob)
        {
            bool mayList = (permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List;
            bool mayRead = (permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read;
            bool mayWrite = (permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write;
            bool mayDelete = (permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete;

            StorageCredentials credentials;
            if (string.IsNullOrEmpty(sasToken))
            {
                credentials = new StorageCredentials();
            }
            else
            {
                credentials = new StorageCredentials(sasToken);
            }

            // Swap both handles for ones whose URIs were transformed by the restricted credentials.
            BlobType kind = blob.BlobType;
            if (container == null)
            {
                var restrictedUri = credentials.TransformUri(blob.Uri);
                switch (kind)
                {
                    case BlobType.BlockBlob:
                        blob = new CloudBlockBlob(restrictedUri);
                        break;
                    case BlobType.PageBlob:
                        blob = new CloudPageBlob(restrictedUri);
                        break;
                    default:
                        blob = new CloudAppendBlob(restrictedUri);
                        break;
                }
            }
            else
            {
                container = new CloudBlobContainer(credentials.TransformUri(container.Uri));
                string blobName = blob.Name;
                switch (kind)
                {
                    case BlobType.BlockBlob:
                        blob = container.GetBlockBlobReference(blobName);
                        break;
                    case BlobType.PageBlob:
                        blob = container.GetPageBlobReference(blobName);
                        break;
                    default:
                        blob = container.GetAppendBlobReference(blobName);
                        break;
                }
            }

            // Listing is only checked when the blob is addressed through a container.
            if (container != null)
            {
                if (!mayList)
                {
                    TestHelper.ExpectedException(
                        () => container.ListBlobs().ToArray(),
                        "List blobs while SAS does not allow for listing",
                        HttpStatusCode.NotFound);
                }
                else
                {
                    // ToArray forces the listing to be enumerated.
                    container.ListBlobs().ToArray();
                }
            }

            if (!mayRead)
            {
                TestHelper.ExpectedException(
                    () => blob.FetchAttributes(),
                    "Fetch blob attributes while SAS does not allow for reading",
                    HttpStatusCode.NotFound);
            }
            else
            {
                blob.FetchAttributes();

                // Every header override that was requested must be reflected in the fetched properties.
                if (headers != null)
                {
                    if (headers.CacheControl != null)
                    {
                        Assert.AreEqual(headers.CacheControl, blob.Properties.CacheControl);
                    }

                    if (headers.ContentDisposition != null)
                    {
                        Assert.AreEqual(headers.ContentDisposition, blob.Properties.ContentDisposition);
                    }

                    if (headers.ContentEncoding != null)
                    {
                        Assert.AreEqual(headers.ContentEncoding, blob.Properties.ContentEncoding);
                    }

                    if (headers.ContentLanguage != null)
                    {
                        Assert.AreEqual(headers.ContentLanguage, blob.Properties.ContentLanguage);
                    }

                    if (headers.ContentType != null)
                    {
                        Assert.AreEqual(headers.ContentType, blob.Properties.ContentType);
                    }
                }
            }

            if (!mayWrite)
            {
                TestHelper.ExpectedException(
                    () => blob.SetMetadata(),
                    "Set blob metadata while SAS does not allow for writing",
                    HttpStatusCode.NotFound);
            }
            else
            {
                blob.SetMetadata();
            }

            // Delete comes last: once it succeeds there is nothing left to test against.
            if (!mayDelete)
            {
                TestHelper.ExpectedException(
                    () => blob.Delete(),
                    "Delete blob while SAS does not allow for deleting",
                    HttpStatusCode.NotFound);
            }
            else
            {
                blob.Delete();
            }
        }
Пример #15
        /// <summary>
        /// Uploads a small text blob, issues a SAS token for it under the requested SAS version, and passes
        /// that token to <c>TestAccess</c> without a container.
        /// </summary>
        /// <param name="testBlob">The blob to create and to issue the token for.</param>
        /// <param name="permissions">The permissions to put into the token's policy.</param>
        /// <param name="headers">Header overrides to embed in the token.</param>
        /// <param name="sasVersion">The SAS version to request; the three-argument overload passes <c>null</c>.</param>
        private static void TestBlobSAS(CloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, string sasVersion)
        {
            // The blob has to exist before access through the token can be checked.
            UploadText(testBlob, "blob", Encoding.UTF8);

            // Validity window: starts five minutes in the past and ends thirty minutes from now.
            SharedAccessBlobPolicy accessPolicy = new SharedAccessBlobPolicy();
            accessPolicy.SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5);
            accessPolicy.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30);
            accessPolicy.Permissions = permissions;

            // No stored access policy identifier is used (third argument is null).
            string issuedToken = testBlob.GetSharedAccessSignature(accessPolicy, headers, null, sasVersion);

            TestAccess(issuedToken, permissions, headers, null, testBlob);
        }
Пример #16
#pragma warning disable 0618
        /// <summary>
        /// Convenience overload: runs the blob SAS test without naming a SAS version
        /// (null is forwarded as the version argument).
        /// </summary>
        private static void TestBlobSAS(CloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers)
        {
            string sasVersion = null;
            TestBlobSAS(testBlob, permissions, headers, sasVersion);
        }
Пример #17
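        /// <summary>
        /// Verifies that a SAS token grants exactly the operations named in <paramref name="permissions"/>:
        /// every permitted operation must succeed through the SAS-scoped reference, and every
        /// operation that is not permitted must fail with the expected HTTP status.
        /// </summary>
        /// <param name="sasToken">SAS token under test; null or empty selects anonymous credentials.</param>
        /// <param name="permissions">Permissions the token is expected to carry.</param>
        /// <param name="headers">Optional header overrides; each non-null value is compared with the fetched blob properties.</param>
        /// <param name="container">When non-null, the token is applied to the container URI and listing is checked too.</param>
        /// <param name="blob">Reference holding the caller's own credentials; used to seed data when the SAS may not write.</param>
        private static void TestAccess(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, CloudBlob blob)
        {
            StorageCredentials credentials = string.IsNullOrEmpty(sasToken) ?
                                             new StorageCredentials() :
                                             new StorageCredentials(sasToken);

            bool canCreate = (permissions & SharedAccessBlobPermissions.Create) == SharedAccessBlobPermissions.Create;
            bool canWrite  = (permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write;
            bool canAdd    = (permissions & SharedAccessBlobPermissions.Add) == SharedAccessBlobPermissions.Add;
            bool canList   = (permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List;
            bool canRead   = (permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read;
            bool canDelete = (permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete;

            // A null token is a supported input (anonymous credentials above), so the version probe
            // is null-safe everywhere instead of only in the final "no write permission" branch.
            bool isFebruary2012Token = (sasToken != null) && sasToken.Contains(Constants.VersionConstants.February2012);

            // Build a second reference to the same blob whose only credential is the SAS token.
            CloudBlob SASblob;
            if (container != null)
            {
                container = new CloudBlobContainer(credentials.TransformUri(container.Uri));
                switch (blob.BlobType)
                {
                    case BlobType.BlockBlob:
                        SASblob = container.GetBlockBlobReference(blob.Name);
                        break;
                    case BlobType.PageBlob:
                        SASblob = container.GetPageBlobReference(blob.Name);
                        break;
                    default:
                        SASblob = container.GetAppendBlobReference(blob.Name);
                        break;
                }
            }
            else
            {
                switch (blob.BlobType)
                {
                    case BlobType.BlockBlob:
                        SASblob = new CloudBlockBlob(credentials.TransformUri(blob.Uri));
                        break;
                    case BlobType.PageBlob:
                        SASblob = new CloudPageBlob(credentials.TransformUri(blob.Uri));
                        break;
                    default:
                        SASblob = new CloudAppendBlob(credentials.TransformUri(blob.Uri));
                        break;
                }
            }

            // We want to ensure that 'create', 'add', and 'write' permissions all allow for correct writing of blobs, as is reasonable.
            if (canCreate || canWrite)
            {
                if (blob.BlobType == BlobType.PageBlob)
                {
                    CloudPageBlob SASpageBlob = (CloudPageBlob)SASblob;
                    SASpageBlob.Create(512);
                    CloudPageBlob pageBlob = (CloudPageBlob)blob;
                    byte[]        buffer   = new byte[512];
                    buffer[0] = 2;  // random data

                    if (canWrite)
                    {
                        SASpageBlob.UploadFromByteArray(buffer, 0, 512);
                    }
                    else
                    {
                        // Create alone must not be enough to write pages; seed the data with the original reference afterwards.
                        TestHelper.ExpectedException(
                            () => SASpageBlob.UploadFromByteArray(buffer, 0, 512),
                            "pageBlob SAS token without Write perms should not allow for writing/adding",
                            HttpStatusCode.Forbidden);
                        pageBlob.UploadFromByteArray(buffer, 0, 512);
                    }
                }
                else if (blob.BlobType == BlobType.BlockBlob)
                {
                    if (canWrite)
                    {
                        UploadText(SASblob, "blob", Encoding.UTF8);
                    }
                    else
                    {
                        TestHelper.ExpectedException(
                            () => UploadText(SASblob, "blob", Encoding.UTF8),
                            "Block blob SAS token without Write or perms should not allow for writing",
                            HttpStatusCode.Forbidden);
                        UploadText(blob, "blob", Encoding.UTF8);
                    }
                }
                else // append blob
                {
                    // If the sas token contains Feb 2012, append won't be accepted
                    if (isFebruary2012Token)
                    {
                        UploadText(blob, "blob", Encoding.UTF8);
                    }
                    else
                    {
                        // Direct cast: a wrong type fails here with a clear InvalidCastException
                        // rather than as a null dereference on the next line.
                        CloudAppendBlob SASAppendBlob = (CloudAppendBlob)SASblob;
                        SASAppendBlob.CreateOrReplace();

                        byte[] textAsBytes = Encoding.UTF8.GetBytes("blob");
                        using (MemoryStream stream = new MemoryStream())
                        {
                            stream.Write(textAsBytes, 0, textAsBytes.Length);
                            stream.Seek(0, SeekOrigin.Begin);

                            if (canAdd || canWrite)
                            {
                                SASAppendBlob.AppendBlock(stream, null);
                            }
                            else
                            {
                                TestHelper.ExpectedException(
                                    () => SASAppendBlob.AppendBlock(stream, null),
                                    "Append blob SAS token without Write or Add perms should not allow for writing/adding",
                                    HttpStatusCode.Forbidden);

                                // Rewind before reusing the stream with the original reference.
                                stream.Seek(0, SeekOrigin.Begin);
                                ((CloudAppendBlob)blob).AppendBlock(stream, null);
                            }
                        }
                    }
                }
            }
            else
            {
                // Neither Create nor Write: the upload through the SAS must be rejected.
                // An append blob addressed with a February 2012 token is expected to yield 400 instead of 403.
                TestHelper.ExpectedException(
                    () => UploadText(SASblob, "blob", Encoding.UTF8),
                    "UploadText SAS does not allow for writing/adding",
                    ((blob.BlobType == BlobType.AppendBlob) && isFebruary2012Token) ? HttpStatusCode.BadRequest : HttpStatusCode.Forbidden);
                UploadText(blob, "blob", Encoding.UTF8);
            }

            if (container != null)
            {
                if (canList)
                {
                    container.ListBlobs().ToArray();
                }
                else
                {
                    TestHelper.ExpectedException(
                        () => container.ListBlobs().ToArray(),
                        "List blobs while SAS does not allow for listing",
                        HttpStatusCode.Forbidden);
                }
            }

            // need to have written to the blob to read from it.
            if (canRead)
            {
                SASblob.FetchAttributes();

                // Test headers
                if (headers != null)
                {
                    if (headers.CacheControl != null)
                    {
                        Assert.AreEqual(headers.CacheControl, SASblob.Properties.CacheControl);
                    }

                    if (headers.ContentDisposition != null)
                    {
                        Assert.AreEqual(headers.ContentDisposition, SASblob.Properties.ContentDisposition);
                    }

                    if (headers.ContentEncoding != null)
                    {
                        Assert.AreEqual(headers.ContentEncoding, SASblob.Properties.ContentEncoding);
                    }

                    if (headers.ContentLanguage != null)
                    {
                        Assert.AreEqual(headers.ContentLanguage, SASblob.Properties.ContentLanguage);
                    }

                    if (headers.ContentType != null)
                    {
                        Assert.AreEqual(headers.ContentType, SASblob.Properties.ContentType);
                    }
                }
            }
            else
            {
                TestHelper.ExpectedException(
                    () => SASblob.FetchAttributes(),
                    "Fetch blob attributes while SAS does not allow for reading",
                    HttpStatusCode.Forbidden);
            }

            if (canWrite)
            {
                SASblob.SetMetadata();
            }
            else
            {
                TestHelper.ExpectedException(
                    () => SASblob.SetMetadata(),
                    "Set blob metadata while SAS does not allow for writing",
                    HttpStatusCode.Forbidden);
            }

            // Delete runs last because it removes the blob the earlier checks depend on.
            if (canDelete)
            {
                SASblob.Delete();
            }
            else
            {
                TestHelper.ExpectedException(
                    () => SASblob.Delete(),
                    "Delete blob while SAS does not allow for deleting",
                    HttpStatusCode.Forbidden);
            }
        }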
Пример #18
 /// <summary>
 /// Convenience overload: runs the blob SAS test without naming a SAS version
 /// (null is forwarded as the version argument).
 /// </summary>
 private static void TestBlobSAS(ICloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers)
 {
     string sasVersion = null;
     TestBlobSAS(testBlob, permissions, headers, sasVersion);
 }
Пример #19
        /// <summary>
        /// Uploads seed content to <paramref name="testBlob"/>, generates a SAS for it with the given
        /// permissions and version, and checks which operations that SAS allows.
        /// </summary>
        /// <param name="testBlob">Blob the SAS is generated for.</param>
        /// <param name="permissions">Permissions written into the policy and expected by the access checks.</param>
        /// <param name="headers">Optional header overrides handed to the SAS generator; may be null.</param>
        /// <param name="sasVersion">SAS version string handed to the SAS generator.</param>
        private static void TestBlobSAS(ICloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, string sasVersion)
        {
            UploadText(testBlob, "blob", Encoding.UTF8);

            // The token is valid from five minutes ago until thirty minutes from now.
            SharedAccessBlobPolicy accessPolicy = new SharedAccessBlobPolicy();
            accessPolicy.SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5);
            accessPolicy.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30);
            accessPolicy.Permissions = permissions;

            string token = testBlob.GetSharedAccessSignature(accessPolicy, headers, null, sasVersion);

            // Blob-level check only: no container is supplied.
            TestAccess(token, permissions, headers, null, testBlob);
        }
Пример #20
        /// <summary>
        /// Asynchronously checks that a SAS token permits exactly the operations in
        /// <paramref name="permissions"/>: listing (container SAS only), reading attributes,
        /// setting metadata and deleting. Operations outside the permission set must fail with
        /// the expected status code.
        /// </summary>
        /// <param name="sasToken">SAS token under test; null or empty selects anonymous credentials.</param>
        /// <param name="permissions">Permissions the token is expected to carry.</param>
        /// <param name="headers">Optional header overrides; each non-null value is compared with the fetched blob properties.</param>
        /// <param name="container">When non-null, the token is applied at container level and listing is checked.</param>
        /// <param name="blob">Blob to test; replaced inside the method by a reference that uses the SAS credentials.</param>
        /// <param name="setBlobMetadataWhileSasExpectedStatusCode">Status expected when SetMetadata is denied.</param>
        /// <param name="deleteBlobWhileSasExpectedStatusCode">Status expected when Delete is denied.</param>
        /// <param name="listBlobWhileSasExpectedStatusCode">Status expected when listing is denied.</param>
        private static async Task TestAccessAsync(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, CloudBlob blob, HttpStatusCode setBlobMetadataWhileSasExpectedStatusCode = HttpStatusCode.Forbidden, HttpStatusCode deleteBlobWhileSasExpectedStatusCode = HttpStatusCode.Forbidden, HttpStatusCode listBlobWhileSasExpectedStatusCode = HttpStatusCode.Forbidden)
        {
            OperationContext opContext = new OperationContext();

            StorageCredentials credentials;
            if (string.IsNullOrEmpty(sasToken))
            {
                credentials = new StorageCredentials();
            }
            else
            {
                credentials = new StorageCredentials(sasToken);
            }

            bool mayList   = (permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List;
            bool mayRead   = (permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read;
            bool mayWrite  = (permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write;
            bool mayDelete = (permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete;

            if (container != null)
            {
                // Re-create the container and blob references so they carry only the SAS credentials.
                container = new CloudBlobContainer(container.Uri, credentials);
                blob = blob.BlobType == BlobType.BlockBlob
                    ? (CloudBlob)container.GetBlockBlobReference(blob.Name)
                    : container.GetPageBlobReference(blob.Name);

                if (mayList)
                {
                    await container.ListBlobsSegmentedAsync(null);
                }
                else
                {
                    await TestHelper.ExpectedExceptionAsync(
                        async () => await container.ListBlobsSegmentedAsync(null, true, BlobListingDetails.None, null, null, null, opContext),
                        opContext,
                        "List blobs while SAS does not allow for listing",
                        listBlobWhileSasExpectedStatusCode);
                }
            }
            else if (blob.BlobType == BlobType.BlockBlob)
            {
                blob = new CloudBlockBlob(blob.Uri, credentials);
            }
            else
            {
                // Every non-block type is addressed as a page blob here.
#if !FACADE_NETCORE
                blob = new CloudPageBlob(blob.Uri, credentials);
#else
                blob = new CloudPageBlob(blob.Uri, null, credentials);
#endif
            }

            if (mayRead)
            {
                await blob.FetchAttributesAsync();

                // Test headers
                if (headers != null)
                {
                    if (headers.CacheControl != null)
                    {
                        Assert.AreEqual(headers.CacheControl, blob.Properties.CacheControl);
                    }

                    if (headers.ContentDisposition != null)
                    {
                        Assert.AreEqual(headers.ContentDisposition, blob.Properties.ContentDisposition);
                    }

                    if (headers.ContentEncoding != null)
                    {
                        Assert.AreEqual(headers.ContentEncoding, blob.Properties.ContentEncoding);
                    }

                    if (headers.ContentLanguage != null)
                    {
                        Assert.AreEqual(headers.ContentLanguage, blob.Properties.ContentLanguage);
                    }

                    if (headers.ContentType != null)
                    {
                        Assert.AreEqual(headers.ContentType, blob.Properties.ContentType);
                    }
                }
            }
            else
            {
                await TestHelper.ExpectedExceptionAsync(
                    async () => await blob.FetchAttributesAsync(null, null, opContext),
                    opContext,
                    "Fetch blob attributes while SAS does not allow for reading",
                    HttpStatusCode.Forbidden);
            }

            if (mayWrite)
            {
                await blob.SetMetadataAsync();
            }
            else
            {
                await TestHelper.ExpectedExceptionAsync(
                    async () => await blob.SetMetadataAsync(null, null, opContext),
                    opContext,
                    "Set blob metadata while SAS does not allow for writing",
                    setBlobMetadataWhileSasExpectedStatusCode);
            }

            // Delete is checked last because it removes the blob the earlier checks use.
            if (mayDelete)
            {
                await blob.DeleteAsync();
            }
            else
            {
                await TestHelper.ExpectedExceptionAsync(
                    async () => await blob.DeleteAsync(DeleteSnapshotsOption.None, null, null, opContext),
                    opContext,
                    "Delete blob while SAS does not allow for deleting",
                    deleteBlobWhileSasExpectedStatusCode);
            }
        }
Пример #21
        /// <summary>
        /// Checks that a SAS token permits exactly the operations in <paramref name="permissions"/>:
        /// listing (container SAS only), reading attributes, setting metadata and deleting.
        /// This variant expects HTTP 404 (NotFound) for every denied operation.
        /// </summary>
        /// <param name="sasToken">SAS token under test; null or empty selects anonymous credentials.</param>
        /// <param name="permissions">Permissions the token is expected to carry.</param>
        /// <param name="headers">Optional header overrides; each non-null value is compared with the fetched blob properties.</param>
        /// <param name="container">When non-null, the token is applied to the container URI and listing is checked.</param>
        /// <param name="blob">Blob to test; replaced inside the method by a reference built from the SAS-transformed URI.</param>
        private static void TestAccess(string sasToken, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers, CloudBlobContainer container, ICloudBlob blob)
        {
            StorageCredentials credentials;
            if (string.IsNullOrEmpty(sasToken))
            {
                credentials = new StorageCredentials();
            }
            else
            {
                credentials = new StorageCredentials(sasToken);
            }

            bool mayList   = (permissions & SharedAccessBlobPermissions.List) == SharedAccessBlobPermissions.List;
            bool mayRead   = (permissions & SharedAccessBlobPermissions.Read) == SharedAccessBlobPermissions.Read;
            bool mayWrite  = (permissions & SharedAccessBlobPermissions.Write) == SharedAccessBlobPermissions.Write;
            bool mayDelete = (permissions & SharedAccessBlobPermissions.Delete) == SharedAccessBlobPermissions.Delete;

            // NOTE(review): denied calls are expected to return NotFound rather than Forbidden here,
            // presumably the behaviour of the service version this test targets; confirm before reuse.
            const HttpStatusCode deniedStatus = HttpStatusCode.NotFound;

            if (container != null)
            {
                // Rebuild the references from SAS-transformed URIs so they carry only the token.
                container = new CloudBlobContainer(credentials.TransformUri(container.Uri));
                blob = blob.BlobType == BlobType.BlockBlob
                    ? (ICloudBlob)container.GetBlockBlobReference(blob.Name)
                    : container.GetPageBlobReference(blob.Name);

                if (mayList)
                {
                    container.ListBlobs().ToArray();
                }
                else
                {
                    TestHelper.ExpectedException(
                        () => container.ListBlobs().ToArray(),
                        "List blobs while SAS does not allow for listing",
                        deniedStatus);
                }
            }
            else if (blob.BlobType == BlobType.BlockBlob)
            {
                blob = new CloudBlockBlob(credentials.TransformUri(blob.Uri));
            }
            else
            {
                blob = new CloudPageBlob(credentials.TransformUri(blob.Uri));
            }

            if (mayRead)
            {
                blob.FetchAttributes();

                // Test headers
                if (headers != null)
                {
                    if (headers.CacheControl != null)
                    {
                        Assert.AreEqual(headers.CacheControl, blob.Properties.CacheControl);
                    }

                    if (headers.ContentDisposition != null)
                    {
                        Assert.AreEqual(headers.ContentDisposition, blob.Properties.ContentDisposition);
                    }

                    if (headers.ContentEncoding != null)
                    {
                        Assert.AreEqual(headers.ContentEncoding, blob.Properties.ContentEncoding);
                    }

                    if (headers.ContentLanguage != null)
                    {
                        Assert.AreEqual(headers.ContentLanguage, blob.Properties.ContentLanguage);
                    }

                    if (headers.ContentType != null)
                    {
                        Assert.AreEqual(headers.ContentType, blob.Properties.ContentType);
                    }
                }
            }
            else
            {
                TestHelper.ExpectedException(
                    () => blob.FetchAttributes(),
                    "Fetch blob attributes while SAS does not allow for reading",
                    deniedStatus);
            }

            if (mayWrite)
            {
                blob.SetMetadata();
            }
            else
            {
                TestHelper.ExpectedException(
                    () => blob.SetMetadata(),
                    "Set blob metadata while SAS does not allow for writing",
                    deniedStatus);
            }

            // Delete is checked last because it removes the blob the earlier checks use.
            if (mayDelete)
            {
                blob.Delete();
            }
            else
            {
                TestHelper.ExpectedException(
                    () => blob.Delete(),
                    "Delete blob while SAS does not allow for deleting",
                    deniedStatus);
            }
        }
Пример #22
 /// <summary>
 /// Creates a shared access signature for this blob from an ad hoc policy and optional header values.
 /// </summary>
 /// <param name="policy">A <see cref="SharedAccessBlobPolicy"/> object specifying the access policy for the shared access signature.</param>
 /// <param name="headers">A <see cref="SharedAccessBlobHeaders"/> object specifying optional header values to set for a blob accessed with this SAS.</param>
 /// <returns>A shared access signature.</returns>
 public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers)
 {
     // Neither a policy identifier nor a SAS version is supplied: both are forwarded as null.
     const string groupPolicyIdentifier = null;
     const string sasVersion = null;

     return this.GetSharedAccessSignature(policy, headers, groupPolicyIdentifier, sasVersion);
 }
 /// <summary>
 /// Placeholder overload: the body throws <see cref="NotImplementedException"/> unconditionally,
 /// so no signature is ever produced by this implementation.
 /// </summary>
 /// <exception cref="NotImplementedException">Always thrown.</exception>
 public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string groupPolicyIdentifier, string sasVersion)
 {
     throw new NotImplementedException();
 }
        /// <summary>
        /// Computes the signature embedded in a blob Shared Access Signature: the SAS fields are joined
        /// into a newline-delimited string-to-sign, which is then passed to
        /// <c>CryptoUtility.ComputeHmac256</c> together with <paramref name="keyValue"/>.
        /// </summary>
        /// <param name="policy">The shared access policy to hash; when null, permissions, start and expiry are signed as empty fields.</param>
        /// <param name="headers">The optional header values to set for a blob returned with this SAS; when null, all five header fields are signed as empty.</param>
        /// <param name="accessPolicyIdentifier">An optional identifier for the policy.</param>
        /// <param name="resourceName">The canonical resource string, unescaped. Must not be null or empty.</param>
        /// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format. Must not be null or empty.</param>
        /// <param name="protocols">The HTTP/HTTPS protocols for Account SAS.</param>
        /// <param name="ipAddressOrRange">The IP range for IPSAS; signed as an empty field when null.</param>
        /// <param name="keyValue">The key value retrieved as an atomic operation used for signing. Must not be null.</param>
        /// <returns>The signed hash.</returns>
        internal static string GetHash(
            SharedAccessBlobPolicy policy,
            SharedAccessBlobHeaders headers,
            string accessPolicyIdentifier,
            string resourceName,
            string sasVersion,
            SharedAccessProtocol? protocols,
            IPAddressOrRange ipAddressOrRange,
            byte[] keyValue)
        {
            // Only the resource, the key and the version are mandatory; every other input may be absent.
            CommonUtility.AssertNotNullOrEmpty("resourceName", resourceName);
            CommonUtility.AssertNotNull("keyValue", keyValue);
            CommonUtility.AssertNotNullOrEmpty("sasVersion", sasVersion);

            string permissions = null;
            DateTimeOffset? startTime = null;
            DateTimeOffset? expiryTime = null;
            if (policy != null)
            {
                permissions = SharedAccessBlobPolicy.PermissionsToString(policy.Permissions);
                startTime = policy.SharedAccessStartTime;
                expiryTime = policy.SharedAccessExpiryTime;
            }

            //// StringToSign =      signedpermissions + "\n" +
            ////                     signedstart + "\n" +
            ////                     signedexpiry + "\n" +
            ////                     canonicalizedresource + "\n" +
            ////                     signedidentifier + "\n" +
            ////                     signedIP + "\n" +
            ////                     signedProtocol + "\n" +
            ////                     signedversion + "\n" +
            ////                     cachecontrol + "\n" +
            ////                     contentdisposition + "\n" +
            ////                     contentencoding + "\n" +
            ////                     contentlanguage + "\n" +
            ////                     contenttype
            ////
            //// HMAC-SHA256(UTF8.Encode(StringToSign))
            ////

            string cacheControl = null;
            string contentDisposition = null;
            string contentEncoding = null;
            string contentLanguage = null;
            string contentType = null;
            if (headers != null)
            {
                cacheControl = headers.CacheControl;
                contentDisposition = headers.ContentDisposition;
                contentEncoding = headers.ContentEncoding;
                contentLanguage = headers.ContentLanguage;
                contentType = headers.ContentType;
            }

            // The thirteen arguments below follow the StringToSign layout above, field for field.
            // Order and "\n" separators are part of what gets signed, so reordering or dropping a
            // field changes the signature. string.Format renders a null argument as an empty string,
            // which means an absent field still contributes its separator.
            string stringToSign = string.Format(
                                    CultureInfo.InvariantCulture,
                                    "{0}\n{1}\n{2}\n{3}\n{4}\n{5}\n{6}\n{7}\n{8}\n{9}\n{10}\n{11}\n{12}",
                                    permissions,
                                    GetDateTimeOrEmpty(startTime),
                                    GetDateTimeOrEmpty(expiryTime),
                                    resourceName,
                                    accessPolicyIdentifier,
                                    ipAddressOrRange == null ? string.Empty : ipAddressOrRange.ToString(),
                                    GetProtocolString(protocols),
                                    sasVersion,
                                    cacheControl,
                                    contentDisposition,
                                    contentEncoding,
                                    contentLanguage,
                                    contentType);

            // NOTE(review): the string-to-sign goes to the verbose log. keyValue is not part of it,
            // but the resource name, policy identifier and header overrides are; confirm that verbose
            // logs are stored and shared with that in mind.
            Logger.LogVerbose(null /* operationContext */, SR.TraceStringToSign, stringToSign);

            return CryptoUtility.ComputeHmac256(keyValue, stringToSign);
        }
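        /// <summary>
        /// Builds a URL for a block blob whose query string is a shared access signature valid from
        /// five minutes before now until <paramref name="expiry"/>.
        /// </summary>
        /// <param name="containerName">Name of the container holding the blob.</param>
        /// <param name="blobName">Name of the block blob.</param>
        /// <param name="expiry">Time at which the signature stops being valid.</param>
        /// <param name="isDownload">When true, the SAS carries a Content-Disposition of "attachment".</param>
        /// <param name="filename">Optional file name placed in the Content-Disposition value; also implies "attachment".</param>
        /// <param name="contentType">Optional Content-Type override carried by the SAS.</param>
        /// <param name="access">Access level, converted to SAS permissions by <c>ToPermissions()</c>.</param>
        /// <returns>The absolute blob URL including the SAS query string.</returns>
        /// <remarks>
        /// <paramref name="filename"/> and <paramref name="contentType"/> are set as header values on the
        /// signature. NOTE(review): if either can come from an end user, restrict
        /// <paramref name="contentType"/> to an allow-list at the call site, and keep
        /// <paramref name="expiry"/> as short as the use case permits.
        /// </remarks>
        public string GetBlobSasUrl(string containerName, string blobName, DateTimeOffset expiry, bool isDownload = false, 
            string filename = null, string contentType = null, BlobUrlAccess access = BlobUrlAccess.Read)
        {
            var blob = _blobClient.GetContainerReference(containerName)
                .GetBlockBlobReference(blobName);

            var builder = new UriBuilder(blob.Uri);
            var headers = new SharedAccessBlobHeaders();
            var hasFilename = !string.IsNullOrEmpty(filename);

            if (hasFilename || isDownload)
            {
                // The file name is emitted as a quoted-string. It is escaped first so that a quote,
                // backslash or line break inside it cannot alter the structure of the header value.
                headers.ContentDisposition = hasFilename
                    ? "attachment; filename=" + QuoteContentDispositionFilename(filename)
                    : "attachment";
            }

            if (!string.IsNullOrEmpty(contentType))
            {
                headers.ContentType = contentType;
            }

            // The start time is set five minutes in the past, presumably to tolerate clock skew.
            var policy = new SharedAccessBlobPolicy
            {
                Permissions = access.ToPermissions(),
                SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
                SharedAccessExpiryTime = expiry,
            };

            // The leading '?' is stripped before assigning the signature to UriBuilder.Query.
            builder.Query = blob.GetSharedAccessSignature(policy, headers).TrimStart('?');

            return builder.Uri.ToString();
        }

        /// <summary>
        /// Renders a file name as an HTTP quoted-string: control characters (including CR and LF)
        /// are dropped, and '"' and '\' are preceded by a backslash.
        /// </summary>
        private static string QuoteContentDispositionFilename(string filename)
        {
            var quoted = new System.Text.StringBuilder(filename.Length + 2);
            quoted.Append('"');

            foreach (char c in filename)
            {
                if (char.IsControl(c))
                {
                    continue;
                }

                if (c == '"' || c == '\\')
                {
                    quoted.Append('\\');
                }

                quoted.Append(c);
            }

            quoted.Append('"');
            return quoted.ToString();
        }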
 /// <summary>
 /// Creates a shared access signature for this blob, optionally tied to a stored access policy.
 /// </summary>
 /// <param name="policy">A <see cref="SharedAccessBlobPolicy"/> object specifying the access policy for the shared access signature.</param>
 /// <param name="headers">A <see cref="SharedAccessBlobHeaders"/> object specifying optional header values to set for a blob accessed with this SAS.</param>
 /// <param name="groupPolicyIdentifier">A string identifying a stored access policy.</param>
 /// <returns>A shared access signature, as a URI query string.</returns>
 public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string groupPolicyIdentifier)
 {
     // No SAS version is named here; null is forwarded to the four-argument overload.
     const string sasVersion = null;

     return this.GetSharedAccessSignature(policy, headers, groupPolicyIdentifier, sasVersion);
 }
Пример #27
        /// <summary>
        /// Runs the async blob SAS test on page blobs for permission values 1 through 7, each time
        /// with a fixed set of header overrides.
        /// </summary>
        public async Task CloudPageBlobSASHeadersAsync()
        {
            // Casting 1..7 to the flags enum covers every non-empty combination of its three lowest bits.
            for (int permissionBits = 1; permissionBits <= 7; permissionBits++)
            {
                CloudPageBlob testBlob = this.testContainer.GetPageBlobReference("blob" + permissionBits);
                SharedAccessBlobPermissions permissions = (SharedAccessBlobPermissions)permissionBits;

                SharedAccessBlobHeaders headers = new SharedAccessBlobHeaders();
                headers.CacheControl = "no-transform";
                headers.ContentDisposition = "attachment";
#if !ASPNET_K
                headers.ContentEncoding = "gzip";
#endif
                headers.ContentLanguage = "tr,en";
                headers.ContentType = "text/html";

                await TestBlobSASAsync(testBlob, permissions, headers);
            }
        }
Пример #28
 /// <summary>
 /// Placeholder overload: no shared access signature is produced.
 /// </summary>
 /// <exception cref="System.NotImplementedException">Thrown on every call.</exception>
 public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string groupPolicyIdentifier)
 {
     // None of the arguments are inspected; the stub fails unconditionally.
     System.NotImplementedException notImplemented = new System.NotImplementedException();
     throw notImplemented;
 }
Пример #29
        /// <summary>
        /// Generates a SAS token for <paramref name="testBlob"/> from an inline policy and hands it to
        /// TestAccess together with the same permissions and headers.
        /// </summary>
        /// <param name="testBlob">The blob the token is generated for.</param>
        /// <param name="permissions">The permissions placed in the policy.</param>
        /// <param name="headers">The header values passed to the SAS generation call.</param>
        private static void TestBlobSAS(CloudBlob testBlob, SharedAccessBlobPermissions permissions, SharedAccessBlobHeaders headers)
        {
            // The window opens five minutes in the past (presumably to tolerate clock
            // skew - confirm) and closes thirty minutes from now.
            var sasPolicy = new SharedAccessBlobPolicy();
            sasPolicy.SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5);
            sasPolicy.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30);
            sasPolicy.Permissions = permissions;

            // null is passed as the stored access policy identifier, so everything the
            // token grants comes from sasPolicy above.
            string token = testBlob.GetSharedAccessSignature(sasPolicy, headers, null);

            // A null container makes TestAccess address the blob through its own URI.
            TestAccess(token, permissions, headers, null, testBlob);
        }
        /// <summary>
        /// Builds the newline-separated string-to-sign for a blob shared access signature and returns
        /// the result of <c>CryptoUtility.ComputeHmac256</c> over it with the supplied key.
        /// </summary>
        /// <param name="policy">The access policy whose permissions and start/expiry times are signed; may be null.</param>
        /// <param name="headers">Optional header values to include in the signed string; must be null for the February 2012 version.</param>
        /// <param name="accessPolicyIdentifier">The stored access policy identifier placed in the signed string.</param>
        /// <param name="resourceName">The canonical resource name; asserted non-empty.</param>
        /// <param name="sasVersion">The SAS version string; asserted non-empty.</param>
        /// <param name="keyValue">The key bytes used for the HMAC; asserted non-null.</param>
        /// <returns>The value returned by <c>CryptoUtility.ComputeHmac256</c>.</returns>
        /// <exception cref="ArgumentException">Headers were supplied together with the February 2012 version.</exception>
        internal static string GetHash(
            SharedAccessBlobPolicy policy,
            SharedAccessBlobHeaders headers,
            string accessPolicyIdentifier,
            string resourceName,
            string sasVersion,
            byte[] keyValue)
        {
            CommonUtility.AssertNotNullOrEmpty("resourceName", resourceName);
            CommonUtility.AssertNotNull("keyValue", keyValue);
            CommonUtility.AssertNotNullOrEmpty("sasVersion", sasVersion);

            // Without a policy object the permissions stay null (formatted as an empty
            // field) and null times are handed to GetDateTimeOrEmpty.
            string signedPermissions = null;
            DateTimeOffset? signedStart = null;
            DateTimeOffset? signedExpiry = null;
            if (policy != null)
            {
                signedPermissions = SharedAccessBlobPolicy.PermissionsToString(policy.Permissions);
                signedStart = policy.SharedAccessStartTime;
                signedExpiry = policy.SharedAccessExpiryTime;
            }

            // Layout of the signed string, one field per line, in this order:
            //   signedpermissions, signedstart, signedexpiry, canonicalizedresource,
            //   signedidentifier, signedversion,
            //   cachecontrol, contentdisposition, contentencoding, contentlanguage, contenttype
            // The result is HMAC-SHA256 over the UTF-8 encoding of that string (per the
            // original author's note). The last five fields are not valid for the
            // 2012-02-12 version.
            //
            // NOTE(review): the fields are joined with "\n" and nothing here escapes or
            // rejects a newline inside accessPolicyIdentifier, resourceName or a header
            // value, which would shift field boundaries in the signed string. Confirm
            // that such values are validated before they reach this method whenever
            // they can derive from untrusted input.
            string signedText = string.Format(
                CultureInfo.InvariantCulture,
                "{0}\n{1}\n{2}\n{3}\n{4}\n{5}",
                signedPermissions,
                GetDateTimeOrEmpty(signedStart),
                GetDateTimeOrEmpty(signedExpiry),
                resourceName,
                accessPolicyIdentifier,
                sasVersion);

            bool isFebruary2012 = string.Equals(sasVersion, Constants.VersionConstants.February2012);

            // The February 2012 version signs no header fields, so supplying any is an error.
            if (isFebruary2012 && headers != null)
            {
                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, SR.InvalidHeaders));
            }

            if (!isFebruary2012)
            {
                // Every other version always appends the five header fields; each one
                // is an empty line when no headers object was given.
                string cacheControl = headers != null ? headers.CacheControl : null;
                string contentDisposition = headers != null ? headers.ContentDisposition : null;
                string contentEncoding = headers != null ? headers.ContentEncoding : null;
                string contentLanguage = headers != null ? headers.ContentLanguage : null;
                string contentType = headers != null ? headers.ContentType : null;

                signedText += string.Format(
                    CultureInfo.InvariantCulture,
                    "\n{0}\n{1}\n{2}\n{3}\n{4}",
                    cacheControl,
                    contentDisposition,
                    contentEncoding,
                    contentLanguage,
                    contentType);
            }

            return CryptoUtility.ComputeHmac256(keyValue, signedText);
        }
        /// <summary>
        /// Returns a shared access signature for the blob.
        /// </summary>
        /// <param name="policy">A <see cref="SharedAccessBlobPolicy"/> object specifying the access policy for the shared access signature.</param>
        /// <param name="headers">A <see cref="SharedAccessBlobHeaders"/> object specifying optional header values to set for a blob accessed with this SAS.</param>
        /// <param name="groupPolicyIdentifier">A string identifying a stored access policy.</param>
        /// <param name="sasVersion">A string indicating the desired SAS version to use, in storage service version format. Value must be <c>2012-02-12</c> or later.</param>
        /// <returns>A shared access signature, as a URI query string.</returns>
        public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string groupPolicyIdentifier, string sasVersion)
        {
            // The signature is computed with the account key, so credentials that are not
            // a shared key are refused before anything else happens.
            bool hasSharedKey = this.ServiceClient.Credentials.IsSharedKey;
            if (!hasSharedKey)
            {
                throw new InvalidOperationException(string.Format(CultureInfo.CurrentCulture, SR.CannotCreateSASWithoutAccountKey));
            }

            // A blob reference that carries a snapshot time is rejected.
            if (this.SnapshotTime != null)
            {
                throw new NotSupportedException(string.Format(CultureInfo.CurrentCulture, SR.CannotCreateSASForSnapshot));
            }

            // NOTE(review): policy and groupPolicyIdentifier are passed through unchecked
            // in this method; confirm the helpers below reject a request that supplies
            // neither an expiry time nor a stored access policy.
            string canonicalName = this.GetCanonicalName(true);
            StorageAccountKey signingKey = this.ServiceClient.Credentials.Key;
            string effectiveVersion = SharedAccessSignatureHelper.ValidateSASVersionString(sasVersion);
            string hmac = SharedAccessSignatureHelper.GetHash(policy, headers, groupPolicyIdentifier, canonicalName, effectiveVersion, signingKey.KeyValue);

            // "b" is passed in the resource-type position. The comment that stood here
            // before spoke of a future change from "c" to "container", which does not
            // match the literal used in this call.
            UriQueryBuilder sasQuery = SharedAccessSignatureHelper.GetSignature(policy, headers, groupPolicyIdentifier, "b", hmac, signingKey.KeyName, effectiveVersion);

            return sasQuery.ToString();
        }
Пример #32
 /// <summary>
 /// Placeholder overload taking a protocol restriction and an IP address or range: no shared
 /// access signature is produced.
 /// </summary>
 /// <exception cref="System.NotImplementedException">Thrown on every call.</exception>
 public string GetSharedAccessSignature(SharedAccessBlobPolicy policy, SharedAccessBlobHeaders headers, string groupPolicyIdentifier, SharedAccessProtocol? protocols, IPAddressOrRange ipAddressOrRange)
 {
     // None of the arguments are inspected; the stub fails unconditionally.
     System.NotImplementedException notImplemented = new System.NotImplementedException();
     throw notImplemented;
 }