| | | 1 | | // Copyright (c) Microsoft Corporation. All rights reserved. |
| | | 2 | | // Licensed under the MIT License. |
| | | 3 | | |
| | | 4 | | using System; |
| | | 5 | | using System.ComponentModel; |
| | | 6 | | using Azure.Core; |
| | | 7 | | |
| | | 8 | | namespace Azure.Data.Tables.Sas |
| | | 9 | | { |
| | | 10 | | /// <summary> |
| | | 11 | | /// <see cref="TableAccountSasBuilder"/> is used to generate a Shared Access |
| | | 12 | | /// Signature (SAS) for an Azure Storage table. |
| | | 13 | | /// For more information, see <see href="https://docs.microsoft.com/en-us/rest/api/storageservices/create-account-sa |
| | | 14 | | /// </summary> |
| | | 15 | | public class TableAccountSasBuilder |
| | | 16 | | { |
| | | 17 | | /// <summary> |
| | | 18 | | /// Initializes an instance of a <see cref="TableAccountSasBuilder"/>. |
| | | 19 | | /// </summary> |
| | | 20 | | /// <param name="permissions">The permissions associated with the shared access signature.</param> |
| | | 21 | | /// <param name="resourceTypes"><see cref="TableAccountSasResourceTypes"/> containing the accessible resource ty |
| | | 22 | | /// <param name="expiresOn">The time at which the shared access signature becomes invalid.</param> |
| | 36 | 23 | | public TableAccountSasBuilder(TableAccountSasPermissions permissions, TableAccountSasResourceTypes resourceTypes |
| | | 24 | | { |
| | 36 | 25 | | ExpiresOn = expiresOn; |
| | 36 | 26 | | SetPermissions(permissions); |
| | 36 | 27 | | ResourceTypes = resourceTypes; |
| | 36 | 28 | | } |
| | | 29 | | |
| | | 30 | | /// <summary> |
| | | 31 | | /// Initializes an instance of a <see cref="TableAccountSasBuilder"/>. |
| | | 32 | | /// </summary> |
| | | 33 | | /// <param name="rawPermissions">The permissions associated with the shared access signature. This string should |
| | | 34 | | /// <param name="resourceTypes"><see cref="TableAccountSasResourceTypes"/> containing the accessible resource ty |
| | | 35 | | /// <param name="expiresOn">The time at which the shared access signature becomes invalid.</param> |
| | 4 | 36 | | public TableAccountSasBuilder(string rawPermissions, TableAccountSasResourceTypes resourceTypes, DateTimeOffset |
| | | 37 | | { |
| | 4 | 38 | | ExpiresOn = expiresOn; |
| | 4 | 39 | | Permissions = rawPermissions; |
| | 4 | 40 | | ResourceTypes = resourceTypes; |
| | 4 | 41 | | } |
| | | 42 | | |
| | | 43 | | /// <summary> |
| | | 44 | | /// The optional signed protocol field specifies the protocol |
| | | 45 | | /// permitted for a request made with the SAS. Possible values are |
| | | 46 | | /// <see cref="TableSasProtocol.HttpsAndHttp"/>, |
| | | 47 | | /// <see cref="TableSasProtocol.Https"/>, and |
| | | 48 | | /// <see cref="TableSasProtocol.None"/>. |
| | | 49 | | /// </summary> |
| | 0 | 50 | | public TableSasProtocol Protocol { get; set; } |
| | | 51 | | |
| | | 52 | | /// <summary> |
| | | 53 | | /// Optionally specify the time at which the shared access signature |
| | | 54 | | /// becomes valid. If omitted when DateTimeOffset.MinValue is used, |
| | | 55 | | /// start time for this call is assumed to be the time when the |
| | | 56 | | /// storage service receives the request. |
| | | 57 | | /// </summary> |
| | 0 | 58 | | public DateTimeOffset StartsOn { get; set; } |
| | | 59 | | |
| | | 60 | | /// <summary> |
| | | 61 | | /// The time at which the shared access signature becomes invalid. |
| | | 62 | | /// This field must be omitted if it has been specified in an |
| | | 63 | | /// associated stored access policy. |
| | | 64 | | /// </summary> |
| | 144 | 65 | | public DateTimeOffset ExpiresOn { get; set; } |
| | | 66 | | |
| | | 67 | | /// <summary> |
| | | 68 | | /// The permissions associated with the shared access signature. The |
| | | 69 | | /// user is restricted to operations allowed by the permissions. This |
| | | 70 | | /// field must be omitted if it has been specified in an associated |
| | | 71 | | /// stored access policy. <see cref="TableAccountSasPermissions"/> can be used to create the |
| | | 72 | | /// permissions string. |
| | | 73 | | /// </summary> |
| | 144 | 74 | | public string Permissions { get; private set; } |
| | | 75 | | |
| | | 76 | | /// <summary> |
| | | 77 | | /// Specifies an IP address or a range of IP addresses from which to |
| | | 78 | | /// accept requests. If the IP address from which the request |
| | | 79 | | /// originates does not match the IP address or address range |
| | | 80 | | /// specified on the SAS token, the request is not authenticated. |
| | | 81 | | /// When specifying a range of IP addresses, note that the range is |
| | | 82 | | /// inclusive. |
| | | 83 | | /// </summary> |
| | 0 | 84 | | public TableSasIPRange IPRange { get; set; } |
| | | 85 | | |
| | | 86 | | /// <summary> |
| | | 87 | | /// An optional unique value up to 64 characters in length that |
| | | 88 | | /// correlates to an access policy specified for the container. |
| | | 89 | | /// </summary> |
| | 0 | 90 | | public string Identifier { get; set; } |
| | | 91 | | |
| | | 92 | | /// <summary> |
| | | 93 | | /// The resource types associated with the shared access signature. The |
| | | 94 | | /// user is restricted to operations on the specified resources. |
| | | 95 | | /// </summary> |
| | 144 | 96 | | public TableAccountSasResourceTypes ResourceTypes { get; set; } |
| | | 97 | | |
| | | 98 | | /// <summary> |
| | | 99 | | /// The storage service version to use to authenticate requests made |
| | | 100 | | /// with this shared access signature, and the service version to use |
| | | 101 | | /// when handling requests made with this shared access signature. |
| | | 102 | | /// </summary> |
| | 136 | 103 | | internal string Version { get; set; } |
| | | 104 | | |
| | | 105 | | /// <summary> |
| | | 106 | | /// Sets the permissions for a table SAS. |
| | | 107 | | /// </summary> |
| | | 108 | | /// <param name="permissions"> |
| | | 109 | | /// <see cref="TableAccountSasPermissions"/> containing the allowed permissions. |
| | | 110 | | /// </param> |
| | | 111 | | public void SetPermissions(TableAccountSasPermissions permissions) |
| | | 112 | | { |
| | 36 | 113 | | Permissions = permissions.ToPermissionsString(); |
| | 36 | 114 | | } |
| | | 115 | | |
| | | 116 | | /// <summary> |
| | | 117 | | /// Sets the permissions for the SAS using a raw permissions string. |
| | | 118 | | /// </summary> |
| | | 119 | | /// <param name="rawPermissions">Raw permissions string for the SAS.</param> |
| | | 120 | | public void SetPermissions(string rawPermissions) |
| | | 121 | | { |
| | 0 | 122 | | Permissions = rawPermissions; |
| | 0 | 123 | | } |
| | | 124 | | |
| | | 125 | | /// <summary> |
| | | 126 | | /// Use an account's <see cref="TableSharedKeyCredential"/> to sign this |
| | | 127 | | /// shared access signature values to produce the proper SAS query |
| | | 128 | | /// parameters for authenticating requests. |
| | | 129 | | /// </summary> |
| | | 130 | | /// <param name="sharedKeyCredential"> |
| | | 131 | | /// The storage account's <see cref="TableSharedKeyCredential"/>. |
| | | 132 | | /// </param> |
| | | 133 | | /// <returns> |
| | | 134 | | /// An instance of <see cref="TableAccountSasQueryParameters"/>. |
| | | 135 | | /// </returns> |
| | | 136 | | public TableAccountSasQueryParameters ToSasQueryParameters(TableSharedKeyCredential sharedKeyCredential) |
| | | 137 | | { |
| | 32 | 138 | | sharedKeyCredential = sharedKeyCredential ?? throw Errors.ArgumentNull(nameof(sharedKeyCredential)); |
| | | 139 | | |
| | 32 | 140 | | EnsureState(); |
| | | 141 | | |
| | 32 | 142 | | var startTime = TableSasExtensions.FormatTimesForSasSigning(StartsOn); |
| | 32 | 143 | | var expiryTime = TableSasExtensions.FormatTimesForSasSigning(ExpiresOn); |
| | | 144 | | |
| | | 145 | | // String to sign: https://docs.microsoft.com/en-us/rest/api/storageservices/create-account-sas#constructing |
| | 32 | 146 | | var stringToSign = string.Join("\n", |
| | 32 | 147 | | sharedKeyCredential.AccountName, |
| | 32 | 148 | | Permissions, |
| | 32 | 149 | | TableConstants.Sas.TableAccountServices.Table, |
| | 32 | 150 | | ResourceTypes.ToPermissionsString(), |
| | 32 | 151 | | startTime, |
| | 32 | 152 | | expiryTime, |
| | 32 | 153 | | IPRange.ToString(), |
| | 32 | 154 | | Protocol.ToProtocolString(), |
| | 32 | 155 | | Version, |
| | 32 | 156 | | ""); |
| | 32 | 157 | | var signature = TableSharedKeyCredential.ComputeSasSignature(sharedKeyCredential, stringToSign); |
| | 32 | 158 | | var p = new TableAccountSasQueryParameters( |
| | 32 | 159 | | version: Version, |
| | 32 | 160 | | resourceTypes: ResourceTypes, |
| | 32 | 161 | | protocol: Protocol, |
| | 32 | 162 | | startsOn: StartsOn, |
| | 32 | 163 | | expiresOn: ExpiresOn, |
| | 32 | 164 | | ipRange: IPRange, |
| | 32 | 165 | | identifier: Identifier, |
| | 32 | 166 | | resource: null, |
| | 32 | 167 | | permissions: Permissions, |
| | 32 | 168 | | signature: signature); |
| | 32 | 169 | | return p; |
| | | 170 | | } |
| | | 171 | | |
| | | 172 | | /// <summary> |
| | | 173 | | /// Use an account's <see cref="TableSharedKeyCredential"/> to sign this |
| | | 174 | | /// shared access signature values to produce the proper SAS query |
| | | 175 | | /// parameters for authenticating requests. |
| | | 176 | | /// </summary> |
| | | 177 | | /// <param name="sharedKeyCredential"> |
| | | 178 | | /// The storage account's <see cref="TableSharedKeyCredential"/>. |
| | | 179 | | /// </param> |
| | | 180 | | /// <returns> |
| | | 181 | | /// A URL encoded query string representing the SAS. |
| | | 182 | | /// </returns> |
| | | 183 | | public string Sign(TableSharedKeyCredential sharedKeyCredential) => |
| | 32 | 184 | | ToSasQueryParameters(sharedKeyCredential).ToString(); |
| | | 185 | | |
| | | 186 | | /// <summary> |
| | | 187 | | /// Returns a string that represents the current object. |
| | | 188 | | /// </summary> |
| | | 189 | | /// <returns>A string that represents the current object.</returns> |
| | | 190 | | [EditorBrowsable(EditorBrowsableState.Never)] |
| | 0 | 191 | | public override string ToString() => base.ToString(); |
| | | 192 | | |
| | | 193 | | /// <summary> |
| | | 194 | | /// Check if two TablesSasBuilder instances are equal. |
| | | 195 | | /// </summary> |
| | | 196 | | /// <param name="obj">The instance to compare to.</param> |
| | | 197 | | /// <returns>True if they're equal, false otherwise.</returns> |
| | | 198 | | [EditorBrowsable(EditorBrowsableState.Never)] |
| | 0 | 199 | | public override bool Equals(object obj) => base.Equals(obj); |
| | | 200 | | |
| | | 201 | | /// <summary> |
| | | 202 | | /// Get a hash code for the TablesSasBuilder. |
| | | 203 | | /// </summary> |
| | | 204 | | /// <returns>Hash code for the TablesSasBuilder.</returns> |
| | | 205 | | [EditorBrowsable(EditorBrowsableState.Never)] |
| | 0 | 206 | | public override int GetHashCode() => base.GetHashCode(); |
| | | 207 | | |
| | | 208 | | /// <summary> |
| | | 209 | | /// Ensure the <see cref="TableAccountSasBuilder"/>'s properties are in a |
| | | 210 | | /// consistent state. |
| | | 211 | | /// </summary> |
| | | 212 | | private void EnsureState() |
| | | 213 | | { |
| | 32 | 214 | | if (ResourceTypes == default) |
| | | 215 | | { |
| | 0 | 216 | | throw Errors.SasMissingData(nameof(ResourceTypes)); |
| | | 217 | | } |
| | 32 | 218 | | if (ExpiresOn == default) |
| | | 219 | | { |
| | 0 | 220 | | throw Errors.SasMissingData(nameof(ExpiresOn)); |
| | | 221 | | } |
| | 32 | 222 | | if (string.IsNullOrEmpty(Permissions)) |
| | | 223 | | { |
| | 0 | 224 | | throw Errors.SasMissingData(nameof(Permissions)); |
| | | 225 | | } |
| | 32 | 226 | | if (string.IsNullOrEmpty(Version)) |
| | | 227 | | { |
| | 0 | 228 | | Version = TableAccountSasQueryParameters.DefaultSasVersion; |
| | | 229 | | } |
| | 32 | 230 | | } |
| | | 231 | | } |
| | | 232 | | } |