forked from cerc-io/plugeth
57d9c93dcd
* bump azure-storage-blob-go dependency to 0.3.0 release * update azure-storage-blob-go module import path * fix multiple return values on azblob.NewSharedKeyCredential * vendor: bump Azure libs to latest from upstream
257 lines
7.4 KiB
Go
257 lines
7.4 KiB
Go
package azblob
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
// BlobSASSignatureValues is used to generate a Shared Access Signature (SAS) for an Azure Storage container or blob.
|
|
// For more information, see https://docs.microsoft.com/rest/api/storageservices/constructing-a-service-sas
|
|
type BlobSASSignatureValues struct {
|
|
Version string `param:"sv"` // If not specified, this defaults to SASVersion
|
|
Protocol SASProtocol `param:"spr"` // See the SASProtocol* constants
|
|
StartTime time.Time `param:"st"` // Not specified if IsZero
|
|
ExpiryTime time.Time `param:"se"` // Not specified if IsZero
|
|
SnapshotTime time.Time
|
|
Permissions string `param:"sp"` // Create by initializing a ContainerSASPermissions or BlobSASPermissions and then call String()
|
|
IPRange IPRange `param:"sip"`
|
|
Identifier string `param:"si"`
|
|
ContainerName string
|
|
BlobName string // Use "" to create a Container SAS
|
|
CacheControl string // rscc
|
|
ContentDisposition string // rscd
|
|
ContentEncoding string // rsce
|
|
ContentLanguage string // rscl
|
|
ContentType string // rsct
|
|
}
|
|
|
|
// NewSASQueryParameters uses an account's StorageAccountCredential to sign this signature values to produce
|
|
// the proper SAS query parameters.
|
|
// See: StorageAccountCredential. Compatible with both UserDelegationCredential and SharedKeyCredential
|
|
func (v BlobSASSignatureValues) NewSASQueryParameters(credential StorageAccountCredential) (SASQueryParameters, error) {
|
|
resource := "c"
|
|
if credential == nil {
|
|
return SASQueryParameters{}, fmt.Errorf("cannot sign SAS query without StorageAccountCredential")
|
|
}
|
|
|
|
if !v.SnapshotTime.IsZero() {
|
|
resource = "bs"
|
|
//Make sure the permission characters are in the correct order
|
|
perms := &BlobSASPermissions{}
|
|
if err := perms.Parse(v.Permissions); err != nil {
|
|
return SASQueryParameters{}, err
|
|
}
|
|
v.Permissions = perms.String()
|
|
} else if v.BlobName == "" {
|
|
// Make sure the permission characters are in the correct order
|
|
perms := &ContainerSASPermissions{}
|
|
if err := perms.Parse(v.Permissions); err != nil {
|
|
return SASQueryParameters{}, err
|
|
}
|
|
v.Permissions = perms.String()
|
|
} else {
|
|
resource = "b"
|
|
// Make sure the permission characters are in the correct order
|
|
perms := &BlobSASPermissions{}
|
|
if err := perms.Parse(v.Permissions); err != nil {
|
|
return SASQueryParameters{}, err
|
|
}
|
|
v.Permissions = perms.String()
|
|
}
|
|
if v.Version == "" {
|
|
v.Version = SASVersion
|
|
}
|
|
startTime, expiryTime, snapshotTime := FormatTimesForSASSigning(v.StartTime, v.ExpiryTime, v.SnapshotTime)
|
|
|
|
signedIdentifier := v.Identifier
|
|
|
|
udk := credential.getUDKParams()
|
|
|
|
if udk != nil {
|
|
udkStart, udkExpiry, _ := FormatTimesForSASSigning(udk.SignedStart, udk.SignedExpiry, time.Time{})
|
|
//I don't like this answer to combining the functions
|
|
//But because signedIdentifier and the user delegation key strings share a place, this is an _OK_ way to do it.
|
|
signedIdentifier = strings.Join([]string{
|
|
udk.SignedOid,
|
|
udk.SignedTid,
|
|
udkStart,
|
|
udkExpiry,
|
|
udk.SignedService,
|
|
udk.SignedVersion,
|
|
}, "\n")
|
|
}
|
|
|
|
// String to sign: http://msdn.microsoft.com/en-us/library/azure/dn140255.aspx
|
|
stringToSign := strings.Join([]string{
|
|
v.Permissions,
|
|
startTime,
|
|
expiryTime,
|
|
getCanonicalName(credential.AccountName(), v.ContainerName, v.BlobName),
|
|
signedIdentifier,
|
|
v.IPRange.String(),
|
|
string(v.Protocol),
|
|
v.Version,
|
|
resource,
|
|
snapshotTime, // signed timestamp
|
|
v.CacheControl, // rscc
|
|
v.ContentDisposition, // rscd
|
|
v.ContentEncoding, // rsce
|
|
v.ContentLanguage, // rscl
|
|
v.ContentType}, // rsct
|
|
"\n")
|
|
|
|
signature := ""
|
|
signature = credential.ComputeHMACSHA256(stringToSign)
|
|
|
|
p := SASQueryParameters{
|
|
// Common SAS parameters
|
|
version: v.Version,
|
|
protocol: v.Protocol,
|
|
startTime: v.StartTime,
|
|
expiryTime: v.ExpiryTime,
|
|
permissions: v.Permissions,
|
|
ipRange: v.IPRange,
|
|
|
|
// Container/Blob-specific SAS parameters
|
|
resource: resource,
|
|
identifier: v.Identifier,
|
|
cacheControl: v.CacheControl,
|
|
contentDisposition: v.ContentDisposition,
|
|
contentEncoding: v.ContentEncoding,
|
|
contentLanguage: v.ContentLanguage,
|
|
contentType: v.ContentType,
|
|
snapshotTime: v.SnapshotTime,
|
|
|
|
// Calculated SAS signature
|
|
signature: signature,
|
|
}
|
|
|
|
//User delegation SAS specific parameters
|
|
if udk != nil {
|
|
p.signedOid = udk.SignedOid
|
|
p.signedTid = udk.SignedTid
|
|
p.signedStart = udk.SignedStart
|
|
p.signedExpiry = udk.SignedExpiry
|
|
p.signedService = udk.SignedService
|
|
p.signedVersion = udk.SignedVersion
|
|
}
|
|
|
|
return p, nil
|
|
}
|
|
|
|
// getCanonicalName computes the canonical name for a container or blob resource for SAS signing.
|
|
func getCanonicalName(account string, containerName string, blobName string) string {
|
|
// Container: "/blob/account/containername"
|
|
// Blob: "/blob/account/containername/blobname"
|
|
elements := []string{"/blob/", account, "/", containerName}
|
|
if blobName != "" {
|
|
elements = append(elements, "/", strings.Replace(blobName, "\\", "/", -1))
|
|
}
|
|
return strings.Join(elements, "")
|
|
}
|
|
|
|
// The ContainerSASPermissions type simplifies creating the permissions string for an Azure Storage container SAS.
|
|
// Initialize an instance of this type and then call its String method to set BlobSASSignatureValues's Permissions field.
|
|
type ContainerSASPermissions struct {
|
|
Read, Add, Create, Write, Delete, List bool
|
|
}
|
|
|
|
// String produces the SAS permissions string for an Azure Storage container.
|
|
// Call this method to set BlobSASSignatureValues's Permissions field.
|
|
func (p ContainerSASPermissions) String() string {
|
|
var b bytes.Buffer
|
|
if p.Read {
|
|
b.WriteRune('r')
|
|
}
|
|
if p.Add {
|
|
b.WriteRune('a')
|
|
}
|
|
if p.Create {
|
|
b.WriteRune('c')
|
|
}
|
|
if p.Write {
|
|
b.WriteRune('w')
|
|
}
|
|
if p.Delete {
|
|
b.WriteRune('d')
|
|
}
|
|
if p.List {
|
|
b.WriteRune('l')
|
|
}
|
|
return b.String()
|
|
}
|
|
|
|
// Parse initializes the ContainerSASPermissions's fields from a string.
|
|
func (p *ContainerSASPermissions) Parse(s string) error {
|
|
*p = ContainerSASPermissions{} // Clear the flags
|
|
for _, r := range s {
|
|
switch r {
|
|
case 'r':
|
|
p.Read = true
|
|
case 'a':
|
|
p.Add = true
|
|
case 'c':
|
|
p.Create = true
|
|
case 'w':
|
|
p.Write = true
|
|
case 'd':
|
|
p.Delete = true
|
|
case 'l':
|
|
p.List = true
|
|
default:
|
|
return fmt.Errorf("Invalid permission: '%v'", r)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// The BlobSASPermissions type simplifies creating the permissions string for an Azure Storage blob SAS.
|
|
// Initialize an instance of this type and then call its String method to set BlobSASSignatureValues's Permissions field.
|
|
type BlobSASPermissions struct{ Read, Add, Create, Write, Delete bool }
|
|
|
|
// String produces the SAS permissions string for an Azure Storage blob.
|
|
// Call this method to set BlobSASSignatureValues's Permissions field.
|
|
func (p BlobSASPermissions) String() string {
|
|
var b bytes.Buffer
|
|
if p.Read {
|
|
b.WriteRune('r')
|
|
}
|
|
if p.Add {
|
|
b.WriteRune('a')
|
|
}
|
|
if p.Create {
|
|
b.WriteRune('c')
|
|
}
|
|
if p.Write {
|
|
b.WriteRune('w')
|
|
}
|
|
if p.Delete {
|
|
b.WriteRune('d')
|
|
}
|
|
return b.String()
|
|
}
|
|
|
|
// Parse initializes the BlobSASPermissions's fields from a string.
|
|
func (p *BlobSASPermissions) Parse(s string) error {
|
|
*p = BlobSASPermissions{} // Clear the flags
|
|
for _, r := range s {
|
|
switch r {
|
|
case 'r':
|
|
p.Read = true
|
|
case 'a':
|
|
p.Add = true
|
|
case 'c':
|
|
p.Create = true
|
|
case 'w':
|
|
p.Write = true
|
|
case 'd':
|
|
p.Delete = true
|
|
default:
|
|
return fmt.Errorf("Invalid permission: '%v'", r)
|
|
}
|
|
}
|
|
return nil
|
|
}
|