Merge pull request #70 from ZeroMagic/sas_token

feat: add SAS token support

Author: andyzhangx

pkg/blobfuse/blobfuse.go

@@ -159,12 +159,13 @@ func appendDefaultMountOptions(mountOptions []string) []string {
 }
 
 // get storage account from secrets map
-func getStorageAccount(secrets map[string]string) (string, string, error) {
+// returns <accountName, accountKey, accountSasToken>
+func getStorageAccount(secrets map[string]string) (string, string, string, error) {
 	if secrets == nil {
-		return "", "", fmt.Errorf("unexpected: getStorageAccount secrets is nil")
+		return "", "", "", fmt.Errorf("unexpected: getStorageAccount secrets is nil")
 	}
 
-	var accountName, accountKey string
+	var accountName, accountKey, accountSasToken string
 	for k, v := range secrets {
 		switch strings.ToLower(k) {
 		case "accountname":
@@ -175,17 +176,22 @@ func getStorageAccount(secrets map[string]string) (string, string, error) {
 			accountKey = v
 		case "azurestorageaccountkey": // for compatability with built-in blobfuse plugin
 			accountKey = v
+		case "azurestorageaccountsastoken":
+			accountSasToken = v
 		}
 	}
 
 	if accountName == "" {
-		return "", "", fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(%v)", secrets)
+		return "", "", "", fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(%v)", secrets)
 	}
-	if accountKey == "" {
-		return "", "", fmt.Errorf("could not find accountkey or azurestorageaccountkey field in secrets(%v)", secrets)
+	if accountKey == "" && accountSasToken == "" {
+		return "", "", "", fmt.Errorf("could not find accountkey, azurestorageaccountkey or azurestorageaccountsastoken field in secrets(%v)", secrets)
+	}
+	if accountKey != "" && accountSasToken != "" {
+		return "", "", "", fmt.Errorf("could not specify Access Key and SAS Token together")
 	}
 
-	return accountName, accountKey, nil
+	return accountName, accountKey, accountSasToken, nil
 }
 
 // A container name must be a valid DNS name, conforming to the following naming rules:

pkg/blobfuse/blobfuse_test.go

@@ -123,8 +123,8 @@ func TestGetStorageAccount(t *testing.T) {
 	}
 
 	emptyAccountNameMap := map[string]string{
-		"azurestorageaccountname": "",
-		"azurestorageaccountkey":  "testkey",
+		"accountname": "",
+		"accountkey":  "testkey",
 	}
 
 	emptyAzureAccountKeyMap := map[string]string{
@@ -137,11 +137,23 @@ func TestGetStorageAccount(t *testing.T) {
 		"azurestorageaccountkey":  "testkey",
 	}
 
+	emptyAccountSasTokenMap := map[string]string{
+		"azurestorageaccountname":     "testaccount",
+		"azurestorageaccountsastoken": "",
+	}
+
+	accesskeyAndaccountSasTokenMap := map[string]string{
+		"azurestorageaccountname":     "testaccount",
+		"azurestorageaccountkey":      "testkey",
+		"azurestorageaccountsastoken": "testkey",
+	}
+
 	tests := []struct {
 		options   map[string]string
 		expected1 string
 		expected2 string
-		expected3 error
+		expected3 string
+		expected4 error
 	}{
 		{
 			options: map[string]string{
@@ -150,7 +162,8 @@ func TestGetStorageAccount(t *testing.T) {
 			},
 			expected1: "testaccount",
 			expected2: "testkey",
-			expected3: nil,
+			expected3: "",
+			expected4: nil,
 		},
 		{
 			options: map[string]string{
@@ -159,7 +172,8 @@ func TestGetStorageAccount(t *testing.T) {
 			},
 			expected1: "testaccount",
 			expected2: "testkey",
-			expected3: nil,
+			expected3: "",
+			expected4: nil,
 		},
 		{
 			options: map[string]string{
@@ -168,48 +182,68 @@ func TestGetStorageAccount(t *testing.T) {
 			},
 			expected1: "",
 			expected2: "",
-			expected3: fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(map[accountname: accountkey:])"),
+			expected3: "",
+			expected4: fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(map[accountname: accountkey:])"),
 		},
 		{
 			options:   emptyAccountKeyMap,
 			expected1: "",
 			expected2: "",
-			expected3: fmt.Errorf("could not find accountkey or azurestorageaccountkey field in secrets(%v)", emptyAccountKeyMap),
+			expected3: "",
+			expected4: fmt.Errorf("could not find accountkey, azurestorageaccountkey or azurestorageaccountsastoken field in secrets(%v)", emptyAccountKeyMap),
 		},
 		{
 			options:   emptyAccountNameMap,
 			expected1: "",
 			expected2: "",
-			expected3: fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(%v)", emptyAccountNameMap),
+			expected3: "",
+			expected4: fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(%v)", emptyAccountNameMap),
 		},
 		{
 			options:   emptyAzureAccountKeyMap,
 			expected1: "",
 			expected2: "",
-			expected3: fmt.Errorf("could not find accountkey or azurestorageaccountkey field in secrets(%v)", emptyAzureAccountKeyMap),
+			expected3: "",
+			expected4: fmt.Errorf("could not find accountkey, azurestorageaccountkey or azurestorageaccountsastoken field in secrets(%v)", emptyAzureAccountKeyMap),
 		},
 		{
 			options:   emptyAzureAccountNameMap,
 			expected1: "",
 			expected2: "",
-			expected3: fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(%v)", emptyAzureAccountNameMap),
+			expected3: "",
+			expected4: fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(%v)", emptyAzureAccountNameMap),
+		},
+		{
+			options:   emptyAccountSasTokenMap,
+			expected1: "",
+			expected2: "",
+			expected3: "",
+			expected4: fmt.Errorf("could not find accountkey, azurestorageaccountkey or azurestorageaccountsastoken field in secrets(%v)", emptyAzureAccountKeyMap),
+		},
+		{
+			options:   accesskeyAndaccountSasTokenMap,
+			expected1: "",
+			expected2: "",
+			expected3: "",
+			expected4: fmt.Errorf("could not specify Access Key and SAS Token together"),
 		},
 		{
 			options:   nil,
 			expected1: "",
 			expected2: "",
-			expected3: fmt.Errorf("unexpected: getStorageAccount secrets is nil"),
+			expected3: "",
+			expected4: fmt.Errorf("unexpected: getStorageAccount secrets is nil"),
 		},
 	}
 
 	for _, test := range tests {
-		result1, result2, result3 := getStorageAccount(test.options)
-		if !reflect.DeepEqual(result1, test.expected1) || !reflect.DeepEqual(result2, test.expected2) {
-			t.Errorf("input: %q, getStorageAccount result1: %q, expected1: %q, result2: %q, expected2: %q, result3: %q, expected3: %q", test.options, result1, test.expected1, result2, test.expected2,
-				result3, test.expected3)
+		result1, result2, result3, result4 := getStorageAccount(test.options)
+		if !reflect.DeepEqual(result1, test.expected1) || !reflect.DeepEqual(result2, test.expected2) || !reflect.DeepEqual(result3, test.expected3) {
+			t.Errorf("input: %q, getStorageAccount result1: %q, expected1: %q, result2: %q, expected2: %q, result3: %q, expected3: %q, result4: %q, expected4: %q", test.options, result1, test.expected1, result2, test.expected2,
+				result3, test.expected3, result4, test.expected4)
 		} else {
-			if result1 == "" || result2 == "" {
-				assert.Error(t, result3)
+			if result1 == "" || (result2 == "" && result3 == "") {
+				assert.Error(t, result4)
 			}
 		}
 	}

pkg/blobfuse/nodeserver.go

@@ -77,7 +77,7 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 	attrib := req.GetVolumeContext()
 	mountFlags := req.GetVolumeCapability().GetMount().GetMountFlags()
 
-	var accountName, accountKey, containerName string
+	var accountName, accountKey, accountSasToken, containerName string
 
 	secrets := req.GetSecrets()
 	if len(secrets) == 0 {
@@ -106,7 +106,7 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 			return nil, fmt.Errorf("could not find containerName from attributes(%v)", attrib)
 		}
 
-		accountName, accountKey, err = getStorageAccount(secrets)
+		accountName, accountKey, accountSasToken, err = getStorageAccount(secrets)
 		if err != nil {
 			return nil, err
 		}
@@ -126,7 +126,14 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 		args = args + " " + opt
 	}
 	cmd := exec.Command("/usr/blob/blobfuse", strings.Split(args, " ")...)
-	cmd.Env = append(os.Environ(), "AZURE_STORAGE_ACCOUNT="+accountName, "AZURE_STORAGE_ACCESS_KEY="+accountKey)
+	cmd.Env = append(os.Environ(), "AZURE_STORAGE_ACCOUNT="+accountName)
+
+	if accountSasToken != "" {
+		cmd.Env = append(cmd.Env, "AZURE_STORAGE_SAS_TOKEN="+accountSasToken)
+	} else {
+		cmd.Env = append(cmd.Env, "AZURE_STORAGE_ACCESS_KEY="+accountKey)
+	}
+
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		err = fmt.Errorf("Mount failed with error: %v, output: %v", err, string(output))