support account and service level SAS signatures (#433)

bmc-msft · web-flow · commit 91eeb4e9fce0 · 2021-10-26T22:09:17.000-04:00
diff --git a/sdk/storage/examples/copy_blob.rs b/sdk/storage/examples/copy_blob.rs
@@ -57,11 +57,11 @@ async fn main() -> Result<(), Box<dyn Error + Send + Sync>> {
         let later = now + Duration::hours(1);
         let sas = source_storage_account_client
             .shared_access_signature()?
-            .with_resource(SasResource::Blob)
-            .with_resource_type(SasResourceType::Object)
+            .with_resource(AccountSasResource::Blob)
+            .with_resource_type(AccountSasResourceType::Object)
             .with_start(now)
             .with_expiry(later)
-            .with_permissions(SasPermissions {
+            .with_permissions(AccountSasPermissions {
                 read: true,
                 ..Default::default()
             })
diff --git a/sdk/storage/examples/shared_access_signature.rs b/sdk/storage/examples/shared_access_signature.rs
@@ -23,33 +23,67 @@ fn code() -> Result<(), Box<dyn Error + Sync + Send>> {
         .nth(2)
         .expect("please specify blob name as command line parameter");
 
+    // allow for some time skew
+    let now = Utc::now() - Duration::minutes(15);
+    let later = now + Duration::hours(1);
+
     let http_client = new_http_client();
 
     let storage_account_client =
         StorageAccountClient::new_access_key(http_client.clone(), &account, &master_key);
-    let blob = storage_account_client
+
+    let container_client = storage_account_client
         .as_storage_client()
-        .as_container_client(&container_name)
-        .as_blob_client(&blob_name);
+        .as_container_client(&container_name);
+
+    let blob_client = container_client.as_blob_client(&blob_name);
 
-    let now = Utc::now();
-    let later = now + Duration::hours(1);
     let sas = storage_account_client
         .shared_access_signature()?
-        .with_resource(SasResource::Blob)
-        .with_resource_type(SasResourceType::Object)
+        .with_resource(AccountSasResource::Blob)
+        .with_resource_type(AccountSasResourceType::Object)
         .with_start(now)
         .with_expiry(later)
-        .with_permissions(SasPermissions {
+        .with_permissions(AccountSasPermissions {
+            read: true,
+            ..Default::default()
+        })
+        .with_protocol(SasProtocol::Https)
+        .finalize();
+
+    println!("blob account level token: '{}'", sas.token());
+    let url = blob_client.generate_signed_blob_url(&sas)?;
+    println!("blob account level url: '{}'", url);
+
+    let sas = blob_client
+        .shared_access_signature()?
+        .with_expiry(later)
+        .with_start(now)
+        .with_permissions(BlobSasPermissions {
+            write: true,
+            ..Default::default()
+        })
+        .finalize();
+    println!("blob service token: {}", sas.token());
+    let url = blob_client.generate_signed_blob_url(&sas)?;
+    println!("blob service level url: '{}'", url);
+
+    let sas = container_client
+        .shared_access_signature()?
+        .with_expiry(later)
+        .with_start(now)
+        .with_permissions(BlobSasPermissions {
             read: true,
+            list: true,
+            write: true,
             ..Default::default()
         })
         .with_protocol(SasProtocol::HttpHttps)
         .finalize();
-    println!("token: '{}'", sas.token());
 
-    let url = blob.generate_signed_blob_url(&sas)?;
-    println!("url: '{}'", url);
+    println!("container sas token: {}", sas.token());
+    let url = container_client.generate_signed_container_url(&sas)?;
+    println!("container level url: '{}'", url);
 
     Ok(())
 }
diff --git a/sdk/storage/src/blob/clients/blob_client.rs b/sdk/storage/src/blob/clients/blob_client.rs
@@ -1,7 +1,11 @@
 use crate::blob::blob::requests::*;
 use crate::blob::prelude::*;
+use crate::core::clients::StorageCredentials;
 use crate::core::prelude::*;
-use crate::shared_access_signature::SharedAccessSignature;
+use crate::shared_access_signature::{
+    service_sas::{BlobSharedAccessSignatureBuilder, BlobSignedResource, SetResources},
+    SasToken,
+};
 use azure_core::prelude::*;
 use azure_core::HttpClient;
 use bytes::Bytes;
@@ -159,10 +163,35 @@ impl BlobClient {
         BreakLeaseBuilder::new(self)
     }
 
-    pub fn generate_signed_blob_url(
+    pub fn shared_access_signature(
         &self,
-        signature: &SharedAccessSignature,
-    ) -> Result<url::Url, Box<dyn std::error::Error + Send + Sync>> {
+    ) -> Result<BlobSharedAccessSignatureBuilder<(), SetResources, ()>, crate::Error> {
+        let canonicalized_resource = format!(
+            "/blob/{}/{}/{}",
+            self.container_client.storage_account_client().account(),
+            self.container_client.container_name(),
+            self.blob_name()
+        );
+
+        match self.storage_account_client().storage_credentials() {
+            StorageCredentials::Key(ref _account, ref key) => Ok(
+                BlobSharedAccessSignatureBuilder::new(key.to_string(), canonicalized_resource)
+                    .with_resources(BlobSignedResource::Blob),
+            ),
+            _ => Err(crate::Error::OperationNotSupported(
+                "Shared access signature generation".to_owned(),
+                "SAS can be generated only from key and account clients".to_owned(),
+            )),
+        }
+    }
+
+    pub fn generate_signed_blob_url<T>(
+        &self,
+        signature: &T,
+    ) -> Result<url::Url, Box<dyn std::error::Error + Send + Sync>>
+    where
+        T: SasToken,
+    {
         let mut url = self.url_with_segments(None)?;
         url.set_query(Some(&signature.token()));
         Ok(url)
diff --git a/sdk/storage/src/blob/clients/container_client.rs b/sdk/storage/src/blob/clients/container_client.rs
@@ -1,6 +1,10 @@
 use crate::blob::prelude::PublicAccess;
 use crate::container::requests::*;
-use crate::core::clients::{StorageAccountClient, StorageClient};
+use crate::core::clients::{StorageAccountClient, StorageClient, StorageCredentials};
+use crate::shared_access_signature::{
+    service_sas::{BlobSharedAccessSignatureBuilder, BlobSignedResource, SetResources},
+    SasToken,
+};
 use azure_core::prelude::*;
 use bytes::Bytes;
 use http::method::Method;
@@ -106,6 +110,39 @@ impl ContainerClient {
         self.storage_client
             .prepare_request(url, method, http_header_adder, request_body)
     }
+
+    pub fn shared_access_signature(
+        &self,
+    ) -> Result<BlobSharedAccessSignatureBuilder<(), SetResources, ()>, crate::Error> {
+        let canonicalized_resource = format!(
+            "/blob/{}/{}",
+            self.storage_account_client().account(),
+            self.container_name(),
+        );
+
+        match self.storage_account_client().storage_credentials() {
+            StorageCredentials::Key(ref _account, ref key) => Ok(
+                BlobSharedAccessSignatureBuilder::new(key.to_string(), canonicalized_resource)
+                    .with_resources(BlobSignedResource::Container),
+            ),
+            _ => Err(crate::Error::OperationNotSupported(
+                "Shared access signature generation".to_owned(),
+                "SAS can be generated only from key and account clients".to_owned(),
+            )),
+        }
+    }
+
+    pub fn generate_signed_container_url<T>(
+        &self,
+        signature: &T,
+    ) -> Result<url::Url, Box<dyn std::error::Error + Send + Sync>>
+    where
+        T: SasToken,
+    {
+        let mut url = self.url_with_segments(None)?;
+        url.set_query(Some(&signature.token()));
+        Ok(url)
+    }
 }
 
 #[cfg(test)]
diff --git a/sdk/storage/src/core/clients/storage_account_client.rs b/sdk/storage/src/core/clients/storage_account_client.rs
@@ -1,7 +1,9 @@
 use crate::headers::CONTENT_MD5;
 use crate::{
     core::{ConnectionString, No},
-    shared_access_signature::SharedAccessSignatureBuilder,
+    shared_access_signature::account_sas::{
+        AccountSharedAccessSignatureBuilder, ClientAccountSharedAccessSignature,
+    },
 };
 use azure_core::headers::*;
 use azure_core::prelude::*;
@@ -53,6 +55,7 @@ pub struct StorageAccountClient {
     queue_storage_url: Url,
     queue_storage_secondary_url: Url,
     filesystem_url: Url,
+    account: String,
 }
 
 fn get_sas_token_parms(sas_token: &str) -> Result<Vec<(String, String)>, url::ParseError> {
@@ -98,8 +101,9 @@ impl StorageAccountClient {
             .unwrap(),
             filesystem_url: Url::parse(&format!("https://{}.dfs.core.windows.net", &account))
                 .unwrap(),
-            storage_credentials: StorageCredentials::Key(account, key.into()),
+            storage_credentials: StorageCredentials::Key(account.clone(), key.into()),
             http_client,
+            account,
         })
     }
 
@@ -167,8 +171,9 @@ impl StorageAccountClient {
             queue_storage_url: queue_storage_url.clone(),
             queue_storage_secondary_url: queue_storage_url,
             filesystem_url,
-            storage_credentials: StorageCredentials::Key(account, key.into()),
+            storage_credentials: StorageCredentials::Key(account.clone(), key.into()),
             http_client,
+            account,
         })
     }
 
@@ -196,6 +201,7 @@ impl StorageAccountClient {
                 sas_token.as_ref(),
             )?),
             http_client,
+            account,
         }))
     }
 
@@ -227,6 +233,7 @@ impl StorageAccountClient {
                 .unwrap(),
             storage_credentials: StorageCredentials::BearerToken(bearer_token),
             http_client,
+            account,
         })
     }
 
@@ -257,6 +264,7 @@ impl StorageAccountClient {
                     queue_storage_secondary_url: get_endpoint_uri(queue_endpoint, &format!("{}-secondary", account), "queue")?,
                     filesystem_url: get_endpoint_uri(file_endpoint, account, "dfs")?,
                     http_client,
+                    account: account.to_string(),
                 }))
             }
             ConnectionString {
@@ -275,6 +283,7 @@ impl StorageAccountClient {
                 queue_storage_secondary_url: get_endpoint_uri(queue_endpoint, &format!("{}-secondary", account), "queue")?,
                 filesystem_url: get_endpoint_uri(file_endpoint, account, "dfs")?,
                 http_client,
+                    account: account.to_string(),
             })),
             ConnectionString {
                 account_name: Some(account),
@@ -292,6 +301,7 @@ impl StorageAccountClient {
                 queue_storage_secondary_url: get_endpoint_uri(queue_endpoint, &format!("{}-secondary", account), "queue")?,
                 filesystem_url: get_endpoint_uri(file_endpoint, account, "dfs")?,
                 http_client,
+                    account: account.to_string(),
             })),
            _ => {
                 Err(crate::Error::GenericErrorWithText(
@@ -326,18 +336,12 @@ impl StorageAccountClient {
         &self.filesystem_url
     }
 
-    pub fn shared_access_signature(
-        &self,
-    ) -> Result<SharedAccessSignatureBuilder<No, No, No, No>, crate::Error> {
-        match self.storage_credentials {
-            StorageCredentials::Key(ref account, ref key) => {
-                Ok(SharedAccessSignatureBuilder::new(account, key))
-            }
-            _ => Err(crate::Error::OperationNotSupported(
-                "Shared access signature generation".to_owned(),
-                "SAS can be generated only from key and account clients".to_owned(),
-            )),
-        }
+    pub fn account(&self) -> &str {
+        &self.account
+    }
+
+    pub fn storage_credentials(&self) -> &StorageCredentials {
+        &self.storage_credentials
     }
 
     pub(crate) fn prepare_request(
@@ -418,6 +422,22 @@ impl StorageAccountClient {
     }
 }
 
+impl ClientAccountSharedAccessSignature for StorageAccountClient {
+    fn shared_access_signature(
+        &self,
+    ) -> Result<AccountSharedAccessSignatureBuilder<No, No, No, No>, crate::Error> {
+        match self.storage_credentials {
+            StorageCredentials::Key(ref account, ref key) => {
+                Ok(AccountSharedAccessSignatureBuilder::new(account, key))
+            }
+            _ => Err(crate::Error::OperationNotSupported(
+                "Shared access signature generation".to_owned(),
+                "SAS can be generated only from key and account clients".to_owned(),
+            )),
+        }
+    }
+}
+
 fn generate_authorization(
     h: &HeaderMap,
     u: &url::Url,
diff --git a/sdk/storage/src/core/prelude.rs b/sdk/storage/src/core/prelude.rs
@@ -1,7 +1,13 @@
-pub use crate::core::clients::{AsStorageClient, StorageAccountClient, StorageClient};
-pub use crate::core::shared_access_signature::{
-    ClientSharedAccessSignature, SasExpirySupport, SasIpSupport, SasPermissions,
-    SasPermissionsSupport, SasProtocol, SasProtocolSupport, SasResource, SasResourceSupport,
-    SasResourceType, SasResourceTypeSupport, SasService, SasStartSupport, SasVersion,
+pub use crate::core::{
+    clients::{AsStorageClient, StorageAccountClient, StorageClient},
+    shared_access_signature::{
+        account_sas::{
+            AccountSasPermissions, AccountSasResource, AccountSasResourceType,
+            ClientAccountSharedAccessSignature, SasExpirySupport, SasPermissionsSupport,
+            SasProtocolSupport, SasResourceSupport, SasResourceTypeSupport, SasStartSupport,
+        },
+        service_sas::{BlobSasPermissions, BlobSignedResource},
+        SasProtocol, SasToken,
+    },
+    {ConsistencyCRC64, ConsistencyMD5, CopyId, IPRange},
 };
-pub use crate::core::{ConsistencyCRC64, ConsistencyMD5, CopyId, IPRange};
diff --git a/sdk/storage/src/core/shared_access_signature/account_sas.rs b/sdk/storage/src/core/shared_access_signature/account_sas.rs
diff --git a/sdk/storage/src/core/shared_access_signature/mod.rs b/sdk/storage/src/core/shared_access_signature/mod.rs
diff --git a/sdk/storage/src/core/shared_access_signature/service_sas.rs b/sdk/storage/src/core/shared_access_signature/service_sas.rs
