fix for sas token parsing

Author: idseefeld

src/UmbracoFileSystemProviders.Azure/AzureFileSystem.cs

@@ -615,26 +615,60 @@ private static CloudBlobContainer CreateContainer(CloudBlobClient cloudBlobClien
             }
 
             CloudBlobContainer container = cloudBlobClient.GetContainerReference(containerName.ToLowerInvariant());
-            if (cloudBlobClient.Credentials.IsSAS)
+            if (!container.Exists())
             {
-                // Shared access signatures (SAS) have some limitations compared to shared access keys
-                // read more on: https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1
-                string[] sasTokenProperties = cloudBlobClient.Credentials.SASToken.Split("&".ToCharArray(), StringSplitOptions.RemoveEmptyEntries);
-                bool isAccountSas = sasTokenProperties.Where(k => k.ToLowerInvariant().StartsWith("si=")).FirstOrDefault() == null;
-                if (isAccountSas)
+                if (cloudBlobClient.Credentials.IsSAS)
                 {
-                    container.CreateIfNotExists();
+                    // Shared access signatures (SAS) have some limitations compared to shared access keys
+                    // read more on: https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1
+                    string[] sasTokenProperties = cloudBlobClient.Credentials.SASToken.Split("&".ToCharArray(), StringSplitOptions.RemoveEmptyEntries);
+                    bool isAccountSas = sasTokenProperties.Where(k => k.ToLowerInvariant().StartsWith("ss=")).FirstOrDefault() != null;
 
-                    // permissions can't be set!
-                }
+                    string allowedServices = sasTokenProperties.Where(k => k.ToLowerInvariant().StartsWith("ss=")).FirstOrDefault();
+                    if (allowedServices != null)
+                    {
+                        allowedServices = allowedServices.Split('=')[1].ToLower();
+                    }
+                    else
+                    {
+                        allowedServices = string.Empty;
+                    }
 
-                return container;
-            }
+                    string resourceTypes = sasTokenProperties.Where(k => k.ToLowerInvariant().StartsWith("srt=")).FirstOrDefault();
+                    if (resourceTypes != null)
+                    {
+                        resourceTypes = resourceTypes.Split('=')[1].ToLower();
+                    }
+                    else
+                    {
+                        resourceTypes = string.Empty;
+                    }
 
-            if (!container.Exists())
-            {
-                container.CreateIfNotExists();
-                container.SetPermissions(new BlobContainerPermissions { PublicAccess = accessType });
+                    string permissions = sasTokenProperties.Where(k => k.ToLowerInvariant().StartsWith("sp=")).FirstOrDefault();
+                    if (permissions != null)
+                    {
+                        permissions = permissions.Split('=')[1].ToLower();
+                    }
+                    else
+                    {
+                        permissions = string.Empty;
+                    }
+
+                    bool canCreateContainer = allowedServices.Contains('b') && resourceTypes.Contains('c') && permissions.Contains('c');
+                    if (canCreateContainer)
+                    {
+                        container.CreateIfNotExists();
+
+                        // cannot set permissions with sas access
+                    }
+                }
+                else
+                {
+                    container.CreateIfNotExists();
+                    BlobContainerPermissions newPermissions = container.GetPermissions();
+                    newPermissions.PublicAccess = accessType;
+                    container.SetPermissions(newPermissions);
+                }
             }
 
             return container;