| | | 1 | | // Copyright (c) Microsoft Corporation. All rights reserved. |
| | | 2 | | // Licensed under the MIT License. |
| | | 3 | | |
| | | 4 | | using System; |
| | | 5 | | using System.ComponentModel; |
| | | 6 | | using Azure.Core; |
| | | 7 | | |
| | | 8 | | namespace Azure.Data.Tables.Sas |
| | | 9 | | { |
| | | 10 | | /// <summary> |
| | | 11 | | /// <see cref="TableSasBuilder"/> is used to generate a Shared Access |
| | | 12 | | /// Signature (SAS) for an Azure Storage table. |
| | | 13 | | /// For more information, see <see href="https://docs.microsoft.com/en-us/rest/api/storageservices/create-account-sa |
| | | 14 | | /// </summary> |
| | | 15 | | public class TableSasBuilder |
| | | 16 | | { |
| | | 17 | | /// <summary> |
| | | 18 | | /// Initializes an instance of a <see cref="TableSasBuilder"/>. |
| | | 19 | | /// </summary> |
| | | 20 | | /// <param name="tableName">The name of the table being made accessible with the shared access signature.</param |
| | | 21 | | /// <param name="permissions">The permissions associated with the shared access signature.</param> |
| | | 22 | | /// <param name="expiresOn">The time at which the shared access signature becomes invalid.</param> |
| | 12 | 23 | | public TableSasBuilder(string tableName, TableSasPermissions permissions, DateTimeOffset expiresOn) |
| | | 24 | | { |
| | 12 | 25 | | Argument.AssertNotNullOrEmpty(tableName, nameof(tableName)); |
| | | 26 | | |
| | 12 | 27 | | TableName = tableName; |
| | 12 | 28 | | ExpiresOn = expiresOn; |
| | 12 | 29 | | SetPermissions(permissions); |
| | 12 | 30 | | } |
| | | 31 | | |
| | | 32 | | /// <summary> |
| | | 33 | | /// Initializes an instance of a <see cref="TableSasBuilder"/>. |
| | | 34 | | /// </summary> |
| | | 35 | | /// <param name="tableName">The name of the table being made accessible with the shared access signature.</param |
| | | 36 | | /// <param name="rawPermissions">The permissions associated with the shared access signature. This string should |
| | | 37 | | /// <param name="expiresOn">The time at which the shared access signature becomes invalid.</param> |
| | 4 | 38 | | public TableSasBuilder(string tableName, string rawPermissions, DateTimeOffset expiresOn) |
| | | 39 | | { |
| | 4 | 40 | | Argument.AssertNotNullOrEmpty(tableName, nameof(tableName)); |
| | | 41 | | |
| | 4 | 42 | | TableName = tableName; |
| | 4 | 43 | | ExpiresOn = expiresOn; |
| | 4 | 44 | | Permissions = rawPermissions; |
| | 4 | 45 | | } |
| | | 46 | | |
| | | 47 | | /// <summary> |
| | | 48 | | /// The optional signed protocol field specifies the protocol |
| | | 49 | | /// permitted for a request made with the SAS. Possible values are |
| | | 50 | | /// <see cref="TableSasProtocol.HttpsAndHttp"/>, |
| | | 51 | | /// <see cref="TableSasProtocol.Https"/>, and |
| | | 52 | | /// <see cref="TableSasProtocol.None"/>. |
| | | 53 | | /// </summary> |
| | 0 | 54 | | public TableSasProtocol Protocol { get; set; } |
| | | 55 | | |
| | | 56 | | /// <summary> |
| | | 57 | | /// Optionally specify the time at which the shared access signature |
| | | 58 | | /// becomes valid. If omitted when DateTimeOffset.MinValue is used, |
| | | 59 | | /// start time for this call is assumed to be the time when the |
| | | 60 | | /// storage service receives the request. |
| | | 61 | | /// </summary> |
| | 0 | 62 | | public DateTimeOffset StartsOn { get; set; } |
| | | 63 | | |
| | | 64 | | /// <summary> |
| | | 65 | | /// The time at which the shared access signature becomes invalid. |
| | | 66 | | /// This field must be omitted if it has been specified in an |
| | | 67 | | /// associated stored access policy. |
| | | 68 | | /// </summary> |
| | 48 | 69 | | public DateTimeOffset ExpiresOn { get; set; } |
| | | 70 | | |
| | | 71 | | /// <summary> |
| | | 72 | | /// The permissions associated with the shared access signature. The |
| | | 73 | | /// user is restricted to operations allowed by the permissions. This |
| | | 74 | | /// field must be omitted if it has been specified in an associated |
| | | 75 | | /// stored access policy. <see cref="TableSasPermissions"/> can be used to create the |
| | | 76 | | /// permissions string. |
| | | 77 | | /// </summary> |
| | 48 | 78 | | public string Permissions { get; private set; } |
| | | 79 | | |
| | | 80 | | /// <summary> |
| | | 81 | | /// Specifies an IP address or a range of IP addresses from which to |
| | | 82 | | /// accept requests. If the IP address from which the request |
| | | 83 | | /// originates does not match the IP address or address range |
| | | 84 | | /// specified on the SAS token, the request is not authenticated. |
| | | 85 | | /// When specifying a range of IP addresses, note that the range is |
| | | 86 | | /// inclusive. |
| | | 87 | | /// </summary> |
| | 0 | 88 | | public TableSasIPRange IPRange { get; set; } |
| | | 89 | | |
| | | 90 | | /// <summary> |
| | | 91 | | /// An optional unique value up to 64 characters in length that |
| | | 92 | | /// correlates to an access policy specified for the container. |
| | | 93 | | /// </summary> |
| | 0 | 94 | | public string Identifier { get; set; } |
| | | 95 | | |
| | | 96 | | /// <summary> |
| | | 97 | | /// The name of the table being made accessible. |
| | | 98 | | /// </summary> |
| | 32 | 99 | | public string TableName { get; set; } |
| | | 100 | | |
| | | 101 | | /// <summary> |
| | | 102 | | /// The optional start of the partition key values range being made available. |
| | | 103 | | /// </summary> |
| | 0 | 104 | | public string PartitionKeyStart { get; set; } |
| | | 105 | | |
| | | 106 | | /// <summary> |
| | | 107 | | /// The optional start of the row key values range being made available. |
| | | 108 | | /// </summary> |
| | 0 | 109 | | public string RowKeyStart { get; set; } |
| | | 110 | | |
| | | 111 | | /// <summary> |
| | | 112 | | /// The optional end of the partition key values range being made available. |
| | | 113 | | /// <see cref="PartitionKeyStart"/> must be specified if this value is set. |
| | | 114 | | /// </summary> |
| | 0 | 115 | | public string PartitionKeyEnd { get; set; } |
| | | 116 | | |
| | | 117 | | /// <summary> |
| | | 118 | | /// The optional end of the partition key values range being made available. |
| | | 119 | | /// <see cref="RowKeyStart"/> must be specified if this value is set. |
| | | 120 | | /// </summary> |
| | 0 | 121 | | public string RowKeyEnd { get; set; } |
| | | 122 | | |
| | | 123 | | /// <summary> |
| | | 124 | | /// The storage service version to use to authenticate requests made |
| | | 125 | | /// with this shared access signature, and the service version to use |
| | | 126 | | /// when handling requests made with this shared access signature. |
| | | 127 | | /// </summary> |
| | 44 | 128 | | internal string Version { get; set; } |
| | | 129 | | |
| | | 130 | | /// <summary> |
| | | 131 | | /// Sets the permissions for a table SAS. |
| | | 132 | | /// </summary> |
| | | 133 | | /// <param name="permissions"> |
| | | 134 | | /// <see cref="TableSasPermissions"/> containing the allowed permissions. |
| | | 135 | | /// </param> |
| | | 136 | | public void SetPermissions(TableSasPermissions permissions) |
| | | 137 | | { |
| | 12 | 138 | | Permissions = permissions.ToPermissionsString(); |
| | 12 | 139 | | } |
| | | 140 | | |
| | | 141 | | /// <summary> |
| | | 142 | | /// Sets the permissions for the SAS using a raw permissions string. |
| | | 143 | | /// </summary> |
| | | 144 | | /// <param name="rawPermissions">Raw permissions string for the SAS.</param> |
| | | 145 | | public void SetPermissions(string rawPermissions) |
| | | 146 | | { |
| | 0 | 147 | | Permissions = rawPermissions; |
| | 0 | 148 | | } |
| | | 149 | | |
| | | 150 | | /// <summary> |
| | | 151 | | /// Use an account's <see cref="TableSharedKeyCredential"/> to sign this |
| | | 152 | | /// shared access signature values to produce the proper SAS query |
| | | 153 | | /// parameters for authenticating requests. |
| | | 154 | | /// </summary> |
| | | 155 | | /// <param name="sharedKeyCredential"> |
| | | 156 | | /// The storage account's <see cref="TableSharedKeyCredential"/>. |
| | | 157 | | /// </param> |
| | | 158 | | /// <returns> |
| | | 159 | | /// An instance of <see cref="TableSasQueryParameters"/>. |
| | | 160 | | /// </returns> |
| | | 161 | | public TableSasQueryParameters ToSasQueryParameters(TableSharedKeyCredential sharedKeyCredential) |
| | | 162 | | { |
| | 8 | 163 | | sharedKeyCredential = sharedKeyCredential ?? throw Errors.ArgumentNull(nameof(sharedKeyCredential)); |
| | | 164 | | |
| | 8 | 165 | | EnsureState(); |
| | | 166 | | |
| | 8 | 167 | | var startTime = TableSasExtensions.FormatTimesForSasSigning(StartsOn); |
| | 8 | 168 | | var expiryTime = TableSasExtensions.FormatTimesForSasSigning(ExpiresOn); |
| | | 169 | | |
| | | 170 | | // String to sign: http://msdn.microsoft.com/en-us/library/azure/dn140255.aspx |
| | 8 | 171 | | var stringToSign = string.Join("\n", |
| | 8 | 172 | | Permissions, |
| | 8 | 173 | | startTime, |
| | 8 | 174 | | expiryTime, |
| | 8 | 175 | | GetCanonicalName(sharedKeyCredential.AccountName, TableName), |
| | 8 | 176 | | Identifier, |
| | 8 | 177 | | IPRange.ToString(), |
| | 8 | 178 | | TableSasExtensions.ToProtocolString(Protocol), |
| | 8 | 179 | | Version, |
| | 8 | 180 | | PartitionKeyStart, |
| | 8 | 181 | | RowKeyStart, |
| | 8 | 182 | | PartitionKeyEnd, |
| | 8 | 183 | | RowKeyEnd); |
| | 8 | 184 | | var signature = TableSharedKeyCredential.ComputeSasSignature(sharedKeyCredential, stringToSign); |
| | 8 | 185 | | var p = new TableSasQueryParameters( |
| | 8 | 186 | | version: Version, |
| | 8 | 187 | | resourceTypes: default, |
| | 8 | 188 | | tableName: TableName, |
| | 8 | 189 | | partitionKeyStart: PartitionKeyStart, |
| | 8 | 190 | | partitionKeyEnd: PartitionKeyEnd, |
| | 8 | 191 | | rowKeyStart: RowKeyStart, |
| | 8 | 192 | | rowKeyEnd: RowKeyEnd, |
| | 8 | 193 | | protocol: Protocol, |
| | 8 | 194 | | startsOn: StartsOn, |
| | 8 | 195 | | expiresOn: ExpiresOn, |
| | 8 | 196 | | ipRange: IPRange, |
| | 8 | 197 | | identifier: Identifier, |
| | 8 | 198 | | resource: null, |
| | 8 | 199 | | permissions: Permissions, |
| | 8 | 200 | | signature: signature); |
| | 8 | 201 | | return p; |
| | | 202 | | } |
| | | 203 | | |
| | | 204 | | /// <summary> |
| | | 205 | | /// Use an account's <see cref="TableSharedKeyCredential"/> to sign this |
| | | 206 | | /// shared access signature values to produce the proper SAS query |
| | | 207 | | /// parameters for authenticating requests. |
| | | 208 | | /// </summary> |
| | | 209 | | /// <param name="sharedKeyCredential"> |
| | | 210 | | /// The storage account's <see cref="TableSharedKeyCredential"/>. |
| | | 211 | | /// </param> |
| | | 212 | | /// <returns> |
| | | 213 | | /// A URL encoded query string representing the SAS. |
| | | 214 | | /// </returns> |
| | | 215 | | public string Sign(TableSharedKeyCredential sharedKeyCredential) => |
| | 8 | 216 | | ToSasQueryParameters(sharedKeyCredential).ToString(); |
| | | 217 | | |
| | | 218 | | /// <summary> |
| | | 219 | | /// Computes the canonical name for a table resource for SAS signing. |
| | | 220 | | /// </summary> |
| | | 221 | | /// <param name="account"> |
| | | 222 | | /// Account. |
| | | 223 | | /// </param> |
| | | 224 | | /// <param name="tableName"> |
| | | 225 | | /// Name of table. |
| | | 226 | | /// </param> |
| | | 227 | | /// <returns> |
| | | 228 | | /// Canonical name as a string. |
| | | 229 | | /// </returns> |
| | | 230 | | private static string GetCanonicalName(string account, string tableName) => |
| | | 231 | | // Table: "/table/account/tablename" |
| | 8 | 232 | | string.Join("", new[] { "/table/", account, "/", tableName }); |
| | | 233 | | |
| | | 234 | | /// <summary> |
| | | 235 | | /// Returns a string that represents the current object. |
| | | 236 | | /// </summary> |
| | | 237 | | /// <returns>A string that represents the current object.</returns> |
| | | 238 | | [EditorBrowsable(EditorBrowsableState.Never)] |
| | 0 | 239 | | public override string ToString() => base.ToString(); |
| | | 240 | | |
| | | 241 | | /// <summary> |
| | | 242 | | /// Check if two TablesSasBuilder instances are equal. |
| | | 243 | | /// </summary> |
| | | 244 | | /// <param name="obj">The instance to compare to.</param> |
| | | 245 | | /// <returns>True if they're equal, false otherwise.</returns> |
| | | 246 | | [EditorBrowsable(EditorBrowsableState.Never)] |
| | 0 | 247 | | public override bool Equals(object obj) => base.Equals(obj); |
| | | 248 | | |
| | | 249 | | /// <summary> |
| | | 250 | | /// Get a hash code for the TablesSasBuilder. |
| | | 251 | | /// </summary> |
| | | 252 | | /// <returns>Hash code for the TablesSasBuilder.</returns> |
| | | 253 | | [EditorBrowsable(EditorBrowsableState.Never)] |
| | 0 | 254 | | public override int GetHashCode() => base.GetHashCode(); |
| | | 255 | | |
| | | 256 | | /// <summary> |
| | | 257 | | /// Ensure the <see cref="TableSasBuilder"/>'s properties are in a |
| | | 258 | | /// consistent state. |
| | | 259 | | /// </summary> |
| | | 260 | | private void EnsureState() |
| | | 261 | | { |
| | 8 | 262 | | if (Identifier == default) |
| | | 263 | | { |
| | 8 | 264 | | if (ExpiresOn == default) |
| | | 265 | | { |
| | 0 | 266 | | throw Errors.SasMissingData(nameof(ExpiresOn)); |
| | | 267 | | } |
| | 8 | 268 | | if (string.IsNullOrEmpty(Permissions)) |
| | | 269 | | { |
| | 0 | 270 | | throw Errors.SasMissingData(nameof(Permissions)); |
| | | 271 | | } |
| | | 272 | | } |
| | | 273 | | |
| | 8 | 274 | | if (string.IsNullOrEmpty(Version)) |
| | | 275 | | { |
| | 0 | 276 | | Version = TableSasQueryParameters.DefaultSasVersion; |
| | | 277 | | } |
| | 8 | 278 | | } |
| | | 279 | | } |
| | | 280 | | } |