| | | 1 | | // Copyright (c) Microsoft Corporation. All rights reserved. |
| | | 2 | | // Licensed under the MIT License. |
| | | 3 | | |
| | | 4 | | using System; |
| | | 5 | | using System.Collections.Generic; |
| | | 6 | | using System.Linq; |
| | | 7 | | using System.Security.Cryptography; |
| | | 8 | | using System.Text; |
| | | 9 | | using System.Web; |
| | | 10 | | using System.Xml; |
| | | 11 | | using System.Xml.Linq; |
| | | 12 | | using Azure.Core; |
| | | 13 | | using Azure.Messaging.ServiceBus.Authorization; |
| | | 14 | | |
| | | 15 | | namespace Azure.Messaging.ServiceBus.Management |
| | | 16 | | { |
| | | 17 | | /// <summary> |
| | | 18 | | /// Defines the authorization rule for an entity using SAS. |
| | | 19 | | /// </summary> |
| | | 20 | | public class SharedAccessAuthorizationRule : AuthorizationRule |
| | | 21 | | { |
| | | 22 | | private const int SupportedSASKeyLength = 44; |
| | | 23 | | private const string FixedClaimType = "SharedAccessKey"; |
| | | 24 | | |
| | | 25 | | private string internalKeyName; |
| | | 26 | | private string internalPrimaryKey; |
| | | 27 | | private string internalSecondaryKey; |
| | | 28 | | private List<AccessRights> internalRights; |
| | | 29 | | |
| | 40 | 30 | | internal SharedAccessAuthorizationRule() |
| | | 31 | | { |
| | 40 | 32 | | } |
| | | 33 | | |
| | | 34 | | /// <summary>Initializes a new instance of the <see cref="SharedAccessAuthorizationRule" /> class.</summary> |
| | | 35 | | /// <param name="keyName">The authorization rule key name.</param> |
| | | 36 | | /// <param name="rights">The list of rights.</param> |
| | | 37 | | public SharedAccessAuthorizationRule(string keyName, IEnumerable<AccessRights> rights) |
| | 12 | 38 | | : this(keyName, SharedAccessAuthorizationRule.GenerateRandomKey(), SharedAccessAuthorizationRule.GenerateRan |
| | | 39 | | { |
| | 12 | 40 | | } |
| | | 41 | | |
| | | 42 | | /// <summary>Initializes a new instance of the <see cref="SharedAccessAuthorizationRule" /> class.</summary> |
| | | 43 | | /// <param name="keyName">The authorization rule key name.</param> |
| | | 44 | | /// <param name="primaryKey">The primary key for the authorization rule.</param> |
| | | 45 | | /// <param name="rights">The list of rights.</param> |
| | | 46 | | public SharedAccessAuthorizationRule(string keyName, string primaryKey, IEnumerable<AccessRights> rights) |
| | 0 | 47 | | : this(keyName, primaryKey, SharedAccessAuthorizationRule.GenerateRandomKey(), rights) |
| | | 48 | | { |
| | 0 | 49 | | } |
| | | 50 | | |
| | | 51 | | /// <summary>Initializes a new instance of the <see cref="SharedAccessAuthorizationRule" /> class.</summary> |
| | | 52 | | /// <param name="keyName">The authorization rule key name.</param> |
| | | 53 | | /// <param name="primaryKey">The primary key for the authorization rule.</param> |
| | | 54 | | /// <param name="secondaryKey">The secondary key for the authorization rule.</param> |
| | | 55 | | /// <param name="rights">The list of rights.</param> |
| | 32 | 56 | | public SharedAccessAuthorizationRule(string keyName, string primaryKey, string secondaryKey, IEnumerable<AccessR |
| | | 57 | | { |
| | 32 | 58 | | PrimaryKey = primaryKey; |
| | 32 | 59 | | SecondaryKey = secondaryKey; |
| | 32 | 60 | | Rights = new List<AccessRights>(rights); |
| | 32 | 61 | | KeyName = keyName; |
| | 32 | 62 | | } |
| | | 63 | | |
| | | 64 | | internal override AuthorizationRule Clone() => |
| | 20 | 65 | | new SharedAccessAuthorizationRule(KeyName, PrimaryKey, SecondaryKey, Rights); |
| | | 66 | | |
| | | 67 | | /// <inheritdoc/> |
| | 16 | 68 | | public override string ClaimType => FixedClaimType; |
| | 16 | 69 | | internal override string ClaimValue => "None"; |
| | | 70 | | |
| | | 71 | | /// <summary>Gets or sets the authorization rule key name.</summary> |
| | | 72 | | /// <value>The authorization rule key name.</value> |
| | | 73 | | public sealed override string KeyName |
| | | 74 | | { |
| | 132 | 75 | | get { return internalKeyName; } |
| | | 76 | | set |
| | | 77 | | { |
| | 72 | 78 | | Argument.AssertNotNullOrWhiteSpace(value, nameof(KeyName)); |
| | 72 | 79 | | Argument.AssertNotTooLong( |
| | 72 | 80 | | value, |
| | 72 | 81 | | SharedAccessSignature.MaximumKeyNameLength, |
| | 72 | 82 | | nameof(KeyName)); |
| | | 83 | | |
| | 72 | 84 | | if (!string.Equals(value, HttpUtility.UrlEncode(value), StringComparison.InvariantCulture)) |
| | | 85 | | { |
| | | 86 | | #pragma warning disable CA2208 // Instantiate argument exceptions correctly |
| | 0 | 87 | | throw new ArgumentException( |
| | 0 | 88 | | "The key name specified contains invalid characters", |
| | 0 | 89 | | nameof(KeyName)); |
| | | 90 | | #pragma warning restore CA2208 // Instantiate argument exceptions correctly |
| | | 91 | | } |
| | | 92 | | |
| | 72 | 93 | | internalKeyName = value; |
| | 72 | 94 | | } |
| | | 95 | | } |
| | | 96 | | |
| | | 97 | | /// <summary>Gets or sets the primary key for the authorization rule.</summary> |
| | | 98 | | /// <value>The primary key for the authorization rule.</value> |
| | | 99 | | public string PrimaryKey |
| | | 100 | | { |
| | 84 | 101 | | get { return internalPrimaryKey; } |
| | | 102 | | set |
| | | 103 | | { |
| | 72 | 104 | | Argument.AssertNotNullOrWhiteSpace(value, nameof(PrimaryKey)); |
| | | 105 | | |
| | 72 | 106 | | if (Encoding.ASCII.GetByteCount(value) != SupportedSASKeyLength) |
| | | 107 | | { |
| | | 108 | | #pragma warning disable CA2208 // Instantiate argument exceptions correctly |
| | 0 | 109 | | throw new ArgumentOutOfRangeException( |
| | 0 | 110 | | nameof(PrimaryKey), |
| | 0 | 111 | | $"{nameof(SharedAccessAuthorizationRule)} only supports keys of size {SupportedSASKeyLength} byt |
| | | 112 | | #pragma warning restore CA2208 // Instantiate argument exceptions correctly |
| | | 113 | | } |
| | | 114 | | |
| | 72 | 115 | | if (!CheckBase64(value)) |
| | | 116 | | { |
| | | 117 | | #pragma warning disable CA2208 // Instantiate argument exceptions correctly |
| | 0 | 118 | | throw new ArgumentException($"{nameof(SharedAccessAuthorizationRule)} only supports base64 keys.", |
| | 0 | 119 | | nameof(PrimaryKey)); |
| | | 120 | | #pragma warning restore CA2208 // Instantiate argument exceptions correctly |
| | | 121 | | } |
| | | 122 | | |
| | 72 | 123 | | internalPrimaryKey = value; |
| | 72 | 124 | | } |
| | | 125 | | } |
| | | 126 | | |
| | | 127 | | /// <summary>Gets or sets the secondary key for the authorization rule.</summary> |
| | | 128 | | /// <value>The secondary key for the authorization rule.</value> |
| | | 129 | | public string SecondaryKey |
| | | 130 | | { |
| | 84 | 131 | | get { return internalSecondaryKey; } |
| | | 132 | | set |
| | | 133 | | { |
| | 72 | 134 | | Argument.AssertNotNullOrWhiteSpace(value, nameof(SecondaryKey)); |
| | | 135 | | |
| | 72 | 136 | | if (Encoding.ASCII.GetByteCount(value) != SupportedSASKeyLength) |
| | | 137 | | { |
| | | 138 | | #pragma warning disable CA2208 // Instantiate argument exceptions correctly |
| | 0 | 139 | | throw new ArgumentOutOfRangeException( |
| | 0 | 140 | | nameof(SecondaryKey), |
| | 0 | 141 | | $"{nameof(SharedAccessAuthorizationRule)} only supports keys of size {SupportedSASKeyLength} byt |
| | | 142 | | #pragma warning restore CA2208 // Instantiate argument exceptions correctly |
| | | 143 | | } |
| | | 144 | | |
| | 72 | 145 | | if (!CheckBase64(value)) |
| | | 146 | | { |
| | | 147 | | #pragma warning disable CA2208 // Instantiate argument exceptions correctly |
| | 0 | 148 | | throw new ArgumentException( |
| | 0 | 149 | | $"{nameof(SharedAccessAuthorizationRule)} only supports base64 keys.", |
| | 0 | 150 | | nameof(SecondaryKey)); |
| | | 151 | | #pragma warning restore CA2208 // Instantiate argument exceptions correctly |
| | | 152 | | } |
| | | 153 | | |
| | 72 | 154 | | internalSecondaryKey = value; |
| | 72 | 155 | | } |
| | | 156 | | } |
| | | 157 | | |
| | | 158 | | /// <inheritdoc/> |
| | | 159 | | [System.Diagnostics.CodeAnalysis.SuppressMessage("Usage", "CA2227:Collection properties should be read only", Ju |
| | | 160 | | public override List<AccessRights> Rights |
| | | 161 | | { |
| | 228 | 162 | | get => internalRights; |
| | | 163 | | set |
| | | 164 | | { |
| | 72 | 165 | | if (value == null || value.Count < 0 || value.Count > ManagementClientConstants.SupportedClaimsCount) |
| | | 166 | | { |
| | 0 | 167 | | throw new ArgumentException($"Rights cannot be null, empty or greater than {ManagementClientConstant |
| | | 168 | | } |
| | | 169 | | |
| | 72 | 170 | | HashSet<AccessRights> dedupedAccessRights = new HashSet<AccessRights>(value); |
| | 72 | 171 | | if (value.Count != dedupedAccessRights.Count) |
| | | 172 | | { |
| | 0 | 173 | | throw new ArgumentException("Access rights on an authorization rule must be unique"); |
| | | 174 | | } |
| | | 175 | | |
| | 72 | 176 | | if (value.Contains(AccessRights.Manage) && value.Count != 3) |
| | | 177 | | { |
| | 0 | 178 | | throw new ArgumentException("Manage permission should also include Send and Listen"); |
| | | 179 | | } |
| | | 180 | | |
| | 72 | 181 | | internalRights = value; |
| | 72 | 182 | | } |
| | | 183 | | } |
| | | 184 | | |
| | | 185 | | /// <summary>Returns the hash code for this instance.</summary> |
| | | 186 | | public override int GetHashCode() |
| | | 187 | | { |
| | 0 | 188 | | int hash = 13; |
| | | 189 | | unchecked |
| | | 190 | | { |
| | 0 | 191 | | hash = (hash * 7) + KeyName?.GetHashCode() ?? 0; |
| | 0 | 192 | | hash = (hash * 7) + PrimaryKey?.GetHashCode() ?? 0; |
| | 0 | 193 | | hash = (hash * 7) + SecondaryKey?.GetHashCode() ?? 0; |
| | 0 | 194 | | hash = (hash * 7) + Rights.GetHashCode(); |
| | | 195 | | } |
| | | 196 | | |
| | 0 | 197 | | return hash; |
| | | 198 | | } |
| | | 199 | | |
| | | 200 | | /// <summary>Determines whether the specified object is equal to the current object.</summary> |
| | | 201 | | public override bool Equals(object obj) |
| | | 202 | | { |
| | 0 | 203 | | var other = obj as AuthorizationRule; |
| | 0 | 204 | | return Equals(other); |
| | | 205 | | } |
| | | 206 | | |
| | | 207 | | /// <summary>Determines whether the specified object is equal to the current object.</summary> |
| | | 208 | | /// <param name="other">The object to compare with the current object.</param> |
| | | 209 | | /// <returns>true if the specified object is equal to the current object; otherwise, false.</returns> |
| | | 210 | | public override bool Equals(AuthorizationRule other) |
| | | 211 | | { |
| | 24 | 212 | | if (!(other is SharedAccessAuthorizationRule)) |
| | | 213 | | { |
| | 0 | 214 | | return false; |
| | | 215 | | } |
| | | 216 | | |
| | 24 | 217 | | SharedAccessAuthorizationRule comparand = (SharedAccessAuthorizationRule)other; |
| | 24 | 218 | | if (!string.Equals(KeyName, comparand.KeyName, StringComparison.OrdinalIgnoreCase) || |
| | 24 | 219 | | !string.Equals(PrimaryKey, comparand.PrimaryKey, StringComparison.Ordinal) || |
| | 24 | 220 | | !string.Equals(SecondaryKey, comparand.SecondaryKey, StringComparison.Ordinal)) |
| | | 221 | | { |
| | 0 | 222 | | return false; |
| | | 223 | | } |
| | | 224 | | |
| | 24 | 225 | | if ((Rights != null && comparand.Rights == null) || |
| | 24 | 226 | | (Rights == null && comparand.Rights != null)) |
| | | 227 | | { |
| | 0 | 228 | | return false; |
| | | 229 | | } |
| | | 230 | | |
| | 24 | 231 | | if (Rights != null && comparand.Rights != null) |
| | | 232 | | { |
| | 24 | 233 | | HashSet<AccessRights> thisRights = new HashSet<AccessRights>(Rights); |
| | 24 | 234 | | if (comparand.Rights.Count != thisRights.Count) |
| | | 235 | | { |
| | 0 | 236 | | return false; |
| | | 237 | | } |
| | | 238 | | |
| | 24 | 239 | | return thisRights.SetEquals(comparand.Rights); |
| | | 240 | | } |
| | | 241 | | |
| | 0 | 242 | | return true; |
| | | 243 | | } |
| | | 244 | | |
| | | 245 | | /// <summary></summary> |
| | | 246 | | public static bool operator ==(SharedAccessAuthorizationRule left, SharedAccessAuthorizationRule right) |
| | | 247 | | { |
| | 0 | 248 | | if (ReferenceEquals(left, right)) |
| | | 249 | | { |
| | 0 | 250 | | return true; |
| | | 251 | | } |
| | | 252 | | |
| | 0 | 253 | | if (ReferenceEquals(left, null) || ReferenceEquals(right, null)) |
| | | 254 | | { |
| | 0 | 255 | | return false; |
| | | 256 | | } |
| | | 257 | | |
| | 0 | 258 | | return left.Equals(right); |
| | | 259 | | } |
| | | 260 | | |
| | | 261 | | /// <summary></summary> |
| | | 262 | | public static bool operator !=(SharedAccessAuthorizationRule left, SharedAccessAuthorizationRule right) |
| | | 263 | | { |
| | 0 | 264 | | return !(left == right); |
| | | 265 | | } |
| | | 266 | | |
| | | 267 | | /// <summary>Generates the random key for the authorization rule.</summary> |
| | | 268 | | private static string GenerateRandomKey() |
| | | 269 | | { |
| | 24 | 270 | | byte[] key256 = new byte[32]; |
| | 24 | 271 | | using (var rngCryptoServiceProvider = new RNGCryptoServiceProvider()) |
| | | 272 | | { |
| | 24 | 273 | | rngCryptoServiceProvider.GetBytes(key256); |
| | 24 | 274 | | } |
| | | 275 | | |
| | 24 | 276 | | return Convert.ToBase64String(key256); |
| | | 277 | | } |
| | | 278 | | |
| | | 279 | | private static bool CheckBase64(string base64EncodedString) |
| | | 280 | | { |
| | | 281 | | try |
| | | 282 | | { |
| | 144 | 283 | | Convert.FromBase64String(base64EncodedString); |
| | 144 | 284 | | return true; |
| | | 285 | | } |
| | 0 | 286 | | catch (Exception) |
| | | 287 | | { |
| | 0 | 288 | | return false; |
| | | 289 | | } |
| | 144 | 290 | | } |
| | | 291 | | |
| | | 292 | | internal static new SharedAccessAuthorizationRule ParseFromXElement(XElement xElement) |
| | | 293 | | { |
| | 40 | 294 | | var rule = new SharedAccessAuthorizationRule(); |
| | 560 | 295 | | foreach (var element in xElement.Elements()) |
| | | 296 | | { |
| | 240 | 297 | | switch (element.Name.LocalName) |
| | | 298 | | { |
| | | 299 | | case "CreatedTime": |
| | 0 | 300 | | rule.CreatedTime = XmlConvert.ToDateTime(element.Value, XmlDateTimeSerializationMode.Utc); |
| | 0 | 301 | | break; |
| | | 302 | | case "ModifiedTime": |
| | 0 | 303 | | rule.ModifiedTime = XmlConvert.ToDateTime(element.Value, XmlDateTimeSerializationMode.Utc); |
| | 0 | 304 | | break; |
| | | 305 | | case "KeyName": |
| | 40 | 306 | | rule.KeyName = element.Value; |
| | 40 | 307 | | break; |
| | | 308 | | case "PrimaryKey": |
| | 40 | 309 | | rule.PrimaryKey = element.Value; |
| | 40 | 310 | | break; |
| | | 311 | | case "SecondaryKey": |
| | 40 | 312 | | rule.SecondaryKey = element.Value; |
| | 40 | 313 | | break; |
| | | 314 | | case "Rights": |
| | 40 | 315 | | var rights = new List<AccessRights>(); |
| | 40 | 316 | | var xRights = element.Elements(XName.Get("AccessRights", ManagementClientConstants.ServiceBusNam |
| | 296 | 317 | | foreach (var xRight in xRights) |
| | | 318 | | { |
| | 108 | 319 | | rights.Add((AccessRights)Enum.Parse(typeof(AccessRights), xRight.Value)); |
| | | 320 | | } |
| | 40 | 321 | | rule.Rights = rights; |
| | | 322 | | break; |
| | | 323 | | } |
| | | 324 | | } |
| | | 325 | | |
| | 40 | 326 | | return rule; |
| | | 327 | | } |
| | | 328 | | |
| | | 329 | | internal override XElement Serialize() |
| | | 330 | | { |
| | 16 | 331 | | XElement rule = new XElement( |
| | 16 | 332 | | XName.Get("AuthorizationRule", ManagementClientConstants.ServiceBusNamespace), |
| | 16 | 333 | | new XAttribute(XName.Get("type", ManagementClientConstants.XmlSchemaInstanceNamespace), nameof(SharedAcc |
| | 16 | 334 | | new XElement(XName.Get("ClaimType", ManagementClientConstants.ServiceBusNamespace), ClaimType), |
| | 16 | 335 | | new XElement(XName.Get("ClaimValue", ManagementClientConstants.ServiceBusNamespace), ClaimValue), |
| | 16 | 336 | | new XElement(XName.Get("Rights", ManagementClientConstants.ServiceBusNamespace), |
| | 60 | 337 | | Rights.Select(right => new XElement(XName.Get("AccessRights", ManagementClientConstants.ServiceBusNa |
| | 16 | 338 | | new XElement(XName.Get("KeyName", ManagementClientConstants.ServiceBusNamespace), KeyName), |
| | 16 | 339 | | new XElement(XName.Get("PrimaryKey", ManagementClientConstants.ServiceBusNamespace), PrimaryKey), |
| | 16 | 340 | | new XElement(XName.Get("SecondaryKey", ManagementClientConstants.ServiceBusNamespace), SecondaryKey) |
| | 16 | 341 | | ); |
| | | 342 | | |
| | 16 | 343 | | return rule; |
| | | 344 | | } |
| | | 345 | | } |
| | | 346 | | } |