| | 1 | | // Copyright (c) Microsoft Corporation. All rights reserved. |
| | 2 | | // Licensed under the MIT License. |
| | 3 | |
|
| | 4 | | using System; |
| | 5 | | using System.Globalization; |
| | 6 | | using System.Net; |
| | 7 | | using System.Security.Cryptography; |
| | 8 | | using System.Text; |
| | 9 | | using Azure.Core; |
| | 10 | |
|
| | 11 | | namespace Azure.Messaging.EventHubs.Authorization |
| | 12 | | { |
| | 13 | | /// <summary> |
| | 14 | | /// A shared access signature, which can be used for authorization to an Event Hubs namespace |
| | 15 | | /// or a specific Event Hub. |
| | 16 | | /// </summary> |
| | 17 | | /// |
| | 18 | | internal class SharedAccessSignature |
| | 19 | | { |
| | 20 | | /// <summary>The maximum allowed length of the SAS key name.</summary> |
| | 21 | | private const int MaximumKeyNameLength = 256; |
| | 22 | |
|
| | 23 | | /// <summary>The maximum allowed length of the SAS key.</summary> |
| | 24 | | private const int MaximumKeyLength = 256; |
| | 25 | |
|
| | 26 | | /// <summary>The token that represents the type of authentication used.</summary> |
| | 27 | | private const string AuthenticationTypeToken = "SharedAccessSignature"; |
| | 28 | |
|
| | 29 | | /// <summary>The token that identifies the signed component of the shared access signature.</summary> |
| | 30 | | private const string SignedResourceToken = "sr"; |
| | 31 | |
|
| | 32 | | /// <summary>The token that identifies the signature component of the shared access signature.</summary> |
| | 33 | | private const string SignatureToken = "sig"; |
| | 34 | |
|
| | 35 | | /// <summary>The token that identifies the signed SAS key component of the shared access signature.</summary> |
| | 36 | | private const string SignedKeyNameToken = "skn"; |
| | 37 | |
|
| | 38 | | /// <summary>The token that identifies the signed expiration time of the shared access signature.</summary> |
| | 39 | | private const string SignedExpiryToken = "se"; |
| | 40 | |
|
| | 41 | | /// <summary>The token that fully identifies the signed resource within the signature.</summary> |
| | 42 | | private const string SignedResourceFullIdentifierToken = AuthenticationTypeToken + " " + SignedResourceToken; |
| | 43 | |
|
| | 44 | | /// <summary>The character used to separate a token and its value in the connection string.</summary> |
| | 45 | | private const char TokenValueSeparator = '='; |
| | 46 | |
|
| | 47 | | /// <summary>The character used to mark the beginning of a new token/value pair in the signature.</summary> |
| | 48 | | private const char TokenValuePairDelimiter = '&'; |
| | 49 | |
|
| | 50 | | /// <summary>The default length of time to consider a signature valid, if not otherwise specified.</summary> |
| 2 | 51 | | private static readonly TimeSpan DefaultSignatureValidityDuration = TimeSpan.FromMinutes(30); |
| | 52 | |
|
| | 53 | | /// <summary>Represents the Unix epoch time value, January 1, 1970 12:00:00, UTC.</summary> |
| 2 | 54 | | private static readonly DateTimeOffset Epoch = new DateTimeOffset(1970, 1, 1, 0, 0, 0, TimeSpan.Zero); |
| | 55 | |
|
| | 56 | | /// <summary> |
| | 57 | | /// The name of the shared access key, either for the Event Hubs namespace |
| | 58 | | /// or the Event Hub. |
| | 59 | | /// </summary> |
| | 60 | | /// |
| 160 | 61 | | public string SharedAccessKeyName { get; private set; } |
| | 62 | |
|
| | 63 | | /// <summary> |
| | 64 | | /// The value of the shared access key, either for the Event Hubs namespace |
| | 65 | | /// or the Event Hub. |
| | 66 | | /// </summary> |
| | 67 | | /// |
| 162 | 68 | | public string SharedAccessKey { get; private set; } |
| | 69 | |
|
| | 70 | | /// <summary> |
| | 71 | | /// The date and time that the shared access signature expires, in UTC. |
| | 72 | | /// </summary> |
| | 73 | | /// |
| 320 | 74 | | public DateTimeOffset SignatureExpiration { get; private set; } |
| | 75 | |
|
| | 76 | | /// <summary> |
| | 77 | | /// The resource to which the shared access signature is intended to serve as |
| | 78 | | /// authorization. |
| | 79 | | /// </summary> |
| | 80 | | /// |
| 316 | 81 | | public string Resource { get; private set; } |
| | 82 | |
|
| | 83 | | /// <summary> |
| | 84 | | /// The shared access signature to be used for authorization, either for the Event Hubs namespace |
| | 85 | | /// or the Event Hub. |
| | 86 | | /// </summary> |
| | 87 | | /// |
| 160 | 88 | | public string Value { get; private set; } |
| | 89 | |
|
| | 90 | | /// <summary> |
| | 91 | | /// Initializes a new instance of the <see cref="SharedAccessSignature"/> class. |
| | 92 | | /// </summary> |
| | 93 | | /// |
| | 94 | | /// <param name="eventHubResource">The Event Hubs resource to which the token is intended to serve as authorizat |
| | 95 | | /// <param name="sharedAccessKeyName">The name of the shared access key that the signature should be based on.</ |
| | 96 | | /// <param name="sharedAccessKey">The value of the shared access key for the signature.</param> |
| | 97 | | /// <param name="signatureValidityDuration">The duration that the signature should be considered valid; if not s |
| | 98 | | /// |
| 156 | 99 | | public SharedAccessSignature(string eventHubResource, |
| 156 | 100 | | string sharedAccessKeyName, |
| 156 | 101 | | string sharedAccessKey, |
| 156 | 102 | | TimeSpan? signatureValidityDuration = default) |
| | 103 | | { |
| 156 | 104 | | signatureValidityDuration ??= DefaultSignatureValidityDuration; |
| | 105 | |
|
| 156 | 106 | | Argument.AssertNotNullOrEmpty(eventHubResource, nameof(eventHubResource)); |
| 156 | 107 | | Argument.AssertNotNullOrEmpty(sharedAccessKeyName, nameof(sharedAccessKeyName)); |
| 156 | 108 | | Argument.AssertNotNullOrEmpty(sharedAccessKey, nameof(sharedAccessKey)); |
| | 109 | |
|
| 156 | 110 | | Argument.AssertNotTooLong(sharedAccessKeyName, MaximumKeyNameLength, nameof(sharedAccessKeyName)); |
| 156 | 111 | | Argument.AssertNotTooLong(sharedAccessKey, MaximumKeyLength, nameof(sharedAccessKey)); |
| 156 | 112 | | Argument.AssertNotNegative(signatureValidityDuration.Value, nameof(signatureValidityDuration)); |
| | 113 | |
|
| 156 | 114 | | SharedAccessKeyName = sharedAccessKeyName; |
| 156 | 115 | | SharedAccessKey = sharedAccessKey; |
| 156 | 116 | | SignatureExpiration = DateTimeOffset.UtcNow.Add(signatureValidityDuration.Value); |
| 156 | 117 | | Resource = eventHubResource; |
| 156 | 118 | | Value = BuildSignature(Resource, sharedAccessKeyName, sharedAccessKey, SignatureExpiration); |
| 156 | 119 | | } |
| | 120 | |
|
| | 121 | | /// <summary> |
| | 122 | | /// Initializes a new instance of the <see cref="SharedAccessSignature"/> class. |
| | 123 | | /// </summary> |
| | 124 | | /// |
| | 125 | | /// <param name="sharedAccessSignature">The shared access signature that will be parsed as the basis of this ins |
| | 126 | | /// <param name="sharedAccessKey">The value of the shared access key for the signature.</param> |
| | 127 | | /// |
| 0 | 128 | | public SharedAccessSignature(string sharedAccessSignature, |
| 0 | 129 | | string sharedAccessKey) |
| | 130 | | { |
| 0 | 131 | | Argument.AssertNotNullOrEmpty(sharedAccessSignature, nameof(sharedAccessSignature)); |
| 0 | 132 | | Argument.AssertNotTooLong(sharedAccessKey, MaximumKeyLength, nameof(sharedAccessKey)); |
| | 133 | |
|
| 0 | 134 | | (SharedAccessKeyName, Resource, SignatureExpiration) = ParseSignature(sharedAccessSignature); |
| | 135 | |
|
| 0 | 136 | | SharedAccessKey = sharedAccessKey; |
| 0 | 137 | | Value = sharedAccessSignature; |
| 0 | 138 | | } |
| | 139 | |
|
| | 140 | | /// <summary> |
| | 141 | | /// Initializes a new instance of the <see cref="SharedAccessSignature"/> class. |
| | 142 | | /// </summary> |
| | 143 | | /// |
| | 144 | | /// <param name="sharedAccessSignature">The shared access signature that will be parsed as the basis of this ins |
| | 145 | | /// |
| 0 | 146 | | public SharedAccessSignature(string sharedAccessSignature) : this(sharedAccessSignature, null) |
| | 147 | | { |
| 0 | 148 | | } |
| | 149 | |
|
| | 150 | | /// <summary> |
| | 151 | | /// Initializes a new instance of the <see cref="SharedAccessSignature" /> class. |
| | 152 | | /// </summary> |
| | 153 | | /// |
| | 154 | | /// <param name="eventHubResource">The Event Hubs resource to which the token is intended to serve as authorizat |
| | 155 | | /// <param name="sharedAccessKeyName">The name of the shared access key that the signature should be based on.</ |
| | 156 | | /// <param name="sharedAccessKey">The value of the shared access key for the signature.</param> |
| | 157 | | /// <param name="value">The shared access signature to be used for authorization.</param> |
| | 158 | | /// <param name="signatureExpiration">The date and time that the shared access signature expires, in UTC.</param |
| | 159 | | /// |
| 2 | 160 | | public SharedAccessSignature(string eventHubResource, |
| 2 | 161 | | string sharedAccessKeyName, |
| 2 | 162 | | string sharedAccessKey, |
| 2 | 163 | | string value, |
| 2 | 164 | | DateTimeOffset signatureExpiration) |
| | 165 | | { |
| 2 | 166 | | Argument.AssertNotNullOrEmpty(eventHubResource, nameof(eventHubResource)); |
| 2 | 167 | | Argument.AssertNotNullOrEmpty(sharedAccessKeyName, nameof(sharedAccessKeyName)); |
| 2 | 168 | | Argument.AssertNotNullOrEmpty(sharedAccessKey, nameof(sharedAccessKey)); |
| | 169 | |
|
| 2 | 170 | | Argument.AssertNotTooLong(sharedAccessKeyName, MaximumKeyNameLength, nameof(sharedAccessKeyName)); |
| 2 | 171 | | Argument.AssertNotTooLong(sharedAccessKey, MaximumKeyLength, nameof(sharedAccessKey)); |
| | 172 | |
|
| 2 | 173 | | Resource = eventHubResource; |
| 2 | 174 | | SharedAccessKeyName = sharedAccessKeyName; |
| 2 | 175 | | SharedAccessKey = sharedAccessKey; |
| 2 | 176 | | Value = value; |
| 2 | 177 | | SignatureExpiration = signatureExpiration; |
| 2 | 178 | | } |
| | 179 | |
|
| | 180 | | /// <summary> |
| | 181 | | /// Creates a new signature with the specified period for which the shared access signature is considered vali |
| | 182 | | /// </summary> |
| | 183 | | /// |
| | 184 | | /// <param name="signatureValidityDuration">The duration that the signature should be considered valid.</param> |
| | 185 | | /// |
| | 186 | | /// <returns>A new <see cref="SharedAccessSignature" /> based on the same key, but with a new expiration time.</ |
| | 187 | | /// |
| | 188 | | public SharedAccessSignature CloneWithNewExpiration(TimeSpan signatureValidityDuration) |
| | 189 | | { |
| 2 | 190 | | Argument.AssertNotNegative(signatureValidityDuration, nameof(signatureValidityDuration)); |
| | 191 | |
|
| | 192 | | // The key must have been provided at construction in order to manipulate the signature. |
| | 193 | |
|
| 2 | 194 | | if (string.IsNullOrEmpty(SharedAccessKey)) |
| | 195 | | { |
| 0 | 196 | | throw new InvalidOperationException(Resources.SharedAccessKeyIsRequired); |
| | 197 | | } |
| | 198 | |
|
| 2 | 199 | | return new SharedAccessSignature(Resource, SharedAccessKeyName, SharedAccessKey, signatureValidityDuration); |
| | 200 | | } |
| | 201 | |
|
| | 202 | | /// <summary> |
| | 203 | | /// Converts the instance to string representation. |
| | 204 | | /// </summary> |
| | 205 | | /// |
| | 206 | | /// <returns>A <see cref="System.String" /> that represents this instance.</returns> |
| | 207 | | /// |
| 0 | 208 | | public override string ToString() => Value; |
| | 209 | |
|
| | 210 | | /// <summary> |
| | 211 | | /// Parses a shared access signature into its component parts. |
| | 212 | | /// </summary> |
| | 213 | | /// |
| | 214 | | /// <param name="sharedAccessSignature">The shared access signature to parse.</param> |
| | 215 | | /// |
| | 216 | | /// <returns>The set of composite properties parsed from the signature.</returns> |
| | 217 | | /// |
| | 218 | | private static (string KeyName, string Resource, DateTimeOffset ExpirationTime) ParseSignature(string sharedAcce |
| | 219 | | { |
| 0 | 220 | | int tokenPositionModifier = (sharedAccessSignature[0] == TokenValuePairDelimiter) ? 0 : 1; |
| 0 | 221 | | int lastPosition = 0; |
| 0 | 222 | | int currentPosition = 0; |
| | 223 | | int valueStart; |
| | 224 | |
|
| | 225 | | string slice; |
| | 226 | | string token; |
| | 227 | | string value; |
| | 228 | |
|
| 0 | 229 | | var parsedValues = |
| 0 | 230 | | ( |
| 0 | 231 | | KeyName: default(string), |
| 0 | 232 | | Resource: default(string), |
| 0 | 233 | | ExpirationTime: default(DateTimeOffset) |
| 0 | 234 | | ); |
| | 235 | |
|
| 0 | 236 | | while (currentPosition != -1) |
| | 237 | | { |
| | 238 | | // Slice the string into the next token/value pair. |
| | 239 | |
|
| 0 | 240 | | currentPosition = sharedAccessSignature.IndexOf(TokenValuePairDelimiter, lastPosition + 1); |
| | 241 | |
|
| 0 | 242 | | if (currentPosition >= 0) |
| | 243 | | { |
| 0 | 244 | | slice = sharedAccessSignature.Substring(lastPosition, (currentPosition - lastPosition)); |
| | 245 | | } |
| | 246 | | else |
| | 247 | | { |
| 0 | 248 | | slice = sharedAccessSignature.Substring(lastPosition); |
| | 249 | | } |
| | 250 | |
|
| | 251 | | // Break the token and value apart, if this is a legal pair. |
| | 252 | |
|
| 0 | 253 | | valueStart = slice.IndexOf(TokenValueSeparator); |
| | 254 | |
|
| 0 | 255 | | if (valueStart >= 0) |
| | 256 | | { |
| 0 | 257 | | token = slice.Substring((1 - tokenPositionModifier), (valueStart - 1 + tokenPositionModifier)); |
| 0 | 258 | | value = slice.Substring(valueStart + 1); |
| | 259 | |
|
| | 260 | | // Guard against leading and trailing spaces, only trimming if there is a need. |
| | 261 | |
|
| 0 | 262 | | if ((!string.IsNullOrEmpty(token)) && (char.IsWhiteSpace(token[0])) || char.IsWhiteSpace(token[token |
| | 263 | | { |
| 0 | 264 | | token = token.Trim(); |
| | 265 | | } |
| | 266 | |
|
| 0 | 267 | | if ((!string.IsNullOrEmpty(value)) && (char.IsWhiteSpace(value[0]) || char.IsWhiteSpace(value[value. |
| | 268 | | { |
| 0 | 269 | | value = value.Trim(); |
| | 270 | | } |
| | 271 | |
|
| | 272 | | // If there was no value for a key, then consider the signature to be malformed. |
| | 273 | |
|
| 0 | 274 | | if (string.IsNullOrEmpty(value)) |
| | 275 | | { |
| 0 | 276 | | throw new ArgumentException(Resources.InvalidSharedAccessSignature, nameof(sharedAccessSignature |
| | 277 | | } |
| | 278 | |
|
| | 279 | | // Compare the token against the known signature properties and capture the |
| | 280 | | // pair if they are a known attribute. |
| | 281 | |
|
| 0 | 282 | | if (string.Compare(SignedResourceFullIdentifierToken, token, StringComparison.OrdinalIgnoreCase) == |
| | 283 | | { |
| 0 | 284 | | parsedValues.Resource = WebUtility.UrlDecode(value); |
| | 285 | | } |
| 0 | 286 | | else if (string.Compare(SignedKeyNameToken, token, StringComparison.OrdinalIgnoreCase) == 0) |
| | 287 | | { |
| 0 | 288 | | parsedValues.KeyName = WebUtility.UrlDecode(value); |
| | 289 | | } |
| 0 | 290 | | else if (string.Compare(SignedExpiryToken, token, StringComparison.OrdinalIgnoreCase) == 0) |
| | 291 | | { |
| 0 | 292 | | if (!long.TryParse(WebUtility.UrlDecode(value), NumberStyles.Integer, CultureInfo.InvariantCultu |
| | 293 | | { |
| 0 | 294 | | throw new ArgumentException(Resources.InvalidSharedAccessSignature, nameof(sharedAccessSigna |
| | 295 | | } |
| | 296 | |
|
| 0 | 297 | | parsedValues.ExpirationTime = ConvertFromUnixTime(unixTime); |
| | 298 | | } |
| | 299 | | } |
| 0 | 300 | | else if ((slice.Length != 1) || (slice[0] != TokenValuePairDelimiter)) |
| | 301 | | { |
| | 302 | | // This wasn't a legal pair and it is not simply a trailing delimiter; consider |
| | 303 | | // the signature to be malformed. |
| | 304 | |
|
| 0 | 305 | | throw new ArgumentException(Resources.InvalidSharedAccessSignature, nameof(sharedAccessSignature)); |
| | 306 | | } |
| | 307 | |
|
| 0 | 308 | | tokenPositionModifier = 0; |
| 0 | 309 | | lastPosition = currentPosition; |
| | 310 | | } |
| | 311 | |
|
| | 312 | | // Validate that the required components were able to be parsed from the |
| | 313 | | // signature. |
| | 314 | |
|
| 0 | 315 | | if ((string.IsNullOrEmpty(parsedValues.Resource)) |
| 0 | 316 | | || (string.IsNullOrEmpty(parsedValues.KeyName)) |
| 0 | 317 | | || (parsedValues.ExpirationTime == default)) |
| | 318 | | { |
| 0 | 319 | | throw new ArgumentException(Resources.InvalidSharedAccessSignature, nameof(sharedAccessSignature)); |
| | 320 | | } |
| | 321 | |
|
| 0 | 322 | | return parsedValues; |
| | 323 | | } |
| | 324 | |
|
| | 325 | | /// <summary> |
| | 326 | | /// Builds the shared access signature value, which can be used as a token for |
| | 327 | | /// access to the Event Hubs service. |
| | 328 | | /// </summary> |
| | 329 | | /// |
| | 330 | | /// <param name="audience">The audience scope to which this signature applies.</param> |
| | 331 | | /// <param name="sharedAccessKeyName">The name of the shared access key that the signature should be based on.</ |
| | 332 | | /// <param name="sharedAccessKey">The value of the shared access key for the signature.</param> |
| | 333 | | /// <param name="expirationTime">The date/time, in UTC, that the signature expires.</param> |
| | 334 | | /// |
| | 335 | | /// <returns>The value of the shared access signature.</returns> |
| | 336 | | /// |
| | 337 | | private static string BuildSignature(string audience, |
| | 338 | | string sharedAccessKeyName, |
| | 339 | | string sharedAccessKey, |
| | 340 | | DateTimeOffset expirationTime) |
| | 341 | | { |
| 156 | 342 | | using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(sharedAccessKey))) |
| | 343 | | { |
| 156 | 344 | | var encodedAudience = WebUtility.UrlEncode(audience); |
| 156 | 345 | | var expiration = Convert.ToString(ConvertToUnixTime(expirationTime), CultureInfo.InvariantCulture); |
| 156 | 346 | | var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes($"{ encodedAudience }\n{ |
| | 347 | |
|
| 156 | 348 | | return string.Format(CultureInfo.InvariantCulture, "{0} {1}={2}&{3}={4}&{5}={6}&{7}={8}", |
| 156 | 349 | | AuthenticationTypeToken, |
| 156 | 350 | | SignedResourceToken, encodedAudience, |
| 156 | 351 | | SignatureToken, WebUtility.UrlEncode(signature), |
| 156 | 352 | | SignedExpiryToken, WebUtility.UrlEncode(expiration), |
| 156 | 353 | | SignedKeyNameToken, WebUtility.UrlEncode(sharedAccessKeyName)); |
| | 354 | | } |
| 156 | 355 | | } |
| | 356 | |
|
| | 357 | | /// <summary> |
| | 358 | | /// Converts a Unix-style timestamp into the corresponding <see cref="DateTimeOffset" /> |
| | 359 | | /// value. |
| | 360 | | /// </summary> |
| | 361 | | /// |
| | 362 | | /// <param name="unixTime">The timestamp to convert.</param> |
| | 363 | | /// |
| | 364 | | /// <returns>The date/time, in UTC, which corresponds to the specified timestamp.</returns> |
| | 365 | | /// |
| | 366 | | private static DateTimeOffset ConvertFromUnixTime(long unixTime) => |
| 0 | 367 | | Epoch.AddSeconds(unixTime); |
| | 368 | |
|
| | 369 | | /// <summary> |
| | 370 | | /// Converts a <see cref="DateTimeOffset" /> value to the corresponding Unix-style timestamp. |
| | 371 | | /// </summary> |
| | 372 | | /// |
| | 373 | | /// <param name="dateTimeOffset">The date/time to convert.</param> |
| | 374 | | /// |
| | 375 | | /// <returns>The Unix-style timestamp which corresponds to the specified date/time.</returns> |
| | 376 | | /// |
| | 377 | | private static long ConvertToUnixTime(DateTimeOffset dateTimeOffset) => |
| 156 | 378 | | Convert.ToInt64((dateTimeOffset - Epoch).TotalSeconds); |
| | 379 | | } |
| | 380 | | } |