Expand Up @@ -293,6 +293,11 @@ namespace Azure { namespace Storage { namespace Sas {
*/
std::string CorrelationId;

/**
* @brief Optional encryption scope to use when sending requests authorized with this SAS url.
*/
std::string EncryptionScope;

/**
* @brief Sets the permissions for the filesystem SAS.
*
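Review bot: The doc comment on the new `EncryptionScope` member does not tell callers that the value becomes part of the signed material, which is the property a consumer of the token actually needs to know: the companion .cpp change folds the field into both string-to-sign expressions and bumps `SasVersion` to 2021-06-08, so the scope is bound to the signature (and the `ses` query parameter is presumably rejected by the service if altered), while an empty string omits `ses` from the URL entirely. I would expand the brief to: `Optional encryption scope to use when sending requests authorized with this SAS url. The value is included in the string-to-sign, so it cannot be changed by the token holder; leave empty to omit the ses query parameter.` The enclosing struct starts and ends outside the hunk.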
Expand Up @@ -10,7 +10,7 @@

namespace Azure { namespace Storage { namespace Sas {
namespace {
constexpr static const char* SasVersion = "2020-02-10";
constexpr static const char* SasVersion = "2021-06-08";

std::string DataLakeSasResourceToString(DataLakeSasResource resource)
{
Expand Down Expand Up @@ -138,8 +138,9 @@ namespace Azure { namespace Storage { namespace Sas {

std::string stringToSign = Permissions + "\n" + startsOnStr + "\n" + expiresOnStr + "\n"
+ canonicalName + "\n" + Identifier + "\n" + (IPRange.HasValue() ? IPRange.Value() : "")
+ "\n" + protocol + "\n" + SasVersion + "\n" + resource + "\n" + "\n" + CacheControl + "\n"
+ ContentDisposition + "\n" + ContentEncoding + "\n" + ContentLanguage + "\n" + ContentType;
+ "\n" + protocol + "\n" + SasVersion + "\n" + resource + "\n" + "\n" + EncryptionScope
+ "\n" + CacheControl + "\n" + ContentDisposition + "\n" + ContentEncoding + "\n"
+ ContentLanguage + "\n" + ContentType;

std::string signature = Azure::Core::Convert::Base64Encode(_internal::HmacSha256(
std::vector<uint8_t>(stringToSign.begin(), stringToSign.end()),
Expand Down Expand Up @@ -190,6 +191,10 @@ namespace Azure { namespace Storage { namespace Sas {
{
builder.AppendQueryParameter("rsct", _internal::UrlEncodeQueryParameter(ContentType));
}
if (!EncryptionScope.empty())
{
builder.AppendQueryParameter("ses", _internal::UrlEncodeQueryParameter(EncryptionScope));
}

return builder.GetAbsoluteUrl();
}
Expand Down Expand Up @@ -223,8 +228,8 @@ namespace Azure { namespace Storage { namespace Sas {
+ "\n" + userDelegationKey.SignedService + "\n" + userDelegationKey.SignedVersion + "\n"
+ PreauthorizedAgentObjectId + "\n" + AgentObjectId + "\n" + CorrelationId + "\n"
+ (IPRange.HasValue() ? IPRange.Value() : "") + "\n" + protocol + "\n" + SasVersion + "\n"
+ resource + "\n" + "\n" + CacheControl + "\n" + ContentDisposition + "\n" + ContentEncoding
+ "\n" + ContentLanguage + "\n" + ContentType;
+ resource + "\n" + "\n" + EncryptionScope + "\n" + CacheControl + "\n" + ContentDisposition
+ "\n" + ContentEncoding + "\n" + ContentLanguage + "\n" + ContentType;

std::string signature = Azure::Core::Convert::Base64Encode(_internal::HmacSha256(
std::vector<uint8_t>(stringToSign.begin(), stringToSign.end()),
Expand Down Expand Up @@ -292,6 +297,10 @@ namespace Azure { namespace Storage { namespace Sas {
{
builder.AppendQueryParameter("rsct", _internal::UrlEncodeQueryParameter(ContentType));
}
if (!EncryptionScope.empty())
{
builder.AppendQueryParameter("ses", _internal::UrlEncodeQueryParameter(EncryptionScope));
}
builder.AppendQueryParameter("sig", _internal::UrlEncodeQueryParameter(signature));

return builder.GetAbsoluteUrl();
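Review bot: The `EncryptionScope` slot inserted into both string-to-sign expressions (the account-key one in the hunk ending at `ContentLanguage + "\n" + ContentType;` and the user-delegation one below it) is only valid because `SasVersion` was bumped to 2021-06-08 in the same change, yet nothing at the constant records that coupling, so a later version bump or a field reorder in just one of the two expressions will silently produce signatures the service rejects. I would annotate the constant: `// 2021-06-08: string-to-sign gains the signed encryption scope (ses) field after the empty snapshot-time slot; keep both string-to-sign expressions in sync with this version.` The empty `"\n"` field immediately before `EncryptionScope` is unlabeled — presumably the snapshot/version-time slot — and a `/* signedSnapshotTime */` marker beside it would make the fixed layout readable. Both `GenerateSasToken` overloads start outside their hunks.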
Expand Up @@ -441,6 +441,39 @@ namespace Azure { namespace Storage { namespace Test {
EXPECT_EQ(p.Value.HttpHeaders.CacheControl, headers.CacheControl);
EXPECT_EQ(p.Value.HttpHeaders.ContentEncoding, headers.ContentEncoding);
}

// Encryption scope
const auto encryptionScope = GetTestEncryptionScope();
{
auto sasBuilderWithEncryptionScope = fileSasBuilder;
sasBuilderWithEncryptionScope.EncryptionScope = encryptionScope;
sasBuilderWithEncryptionScope.SetPermissions(Sas::DataLakeSasPermissions::All);
auto fileClientEncryptionScopeSas = Files::DataLake::DataLakeFileClient(
fileUrl + sasBuilderWithEncryptionScope.GenerateSasToken(*keyCredential));
fileClientEncryptionScopeSas.Create();
auto pRawResponse = fileClientEncryptionScopeSas.GetProperties().RawResponse;
ASSERT_TRUE(pRawResponse->GetHeaders().count("x-ms-encryption-scope") != 0);
EXPECT_EQ(pRawResponse->GetHeaders().at("x-ms-encryption-scope"), encryptionScope);

fileClientEncryptionScopeSas = Files::DataLake::DataLakeFileClient(
fileUrl + sasBuilderWithEncryptionScope.GenerateSasToken(userDelegationKey, accountName));
fileClientEncryptionScopeSas.Create();
pRawResponse = fileClientEncryptionScopeSas.GetProperties().RawResponse;
ASSERT_TRUE(pRawResponse->GetHeaders().count("x-ms-encryption-scope") != 0);
EXPECT_EQ(pRawResponse->GetHeaders().at("x-ms-encryption-scope"), encryptionScope);
}
{
auto sasBuilderWithEncryptionScope = directorySasBuilder;
sasBuilderWithEncryptionScope.EncryptionScope = encryptionScope;
sasBuilderWithEncryptionScope.SetPermissions(Sas::DataLakeSasPermissions::All);
auto directoryClientEncryptionScopeSas = Files::DataLake::DataLakeDirectoryClient(
directory1Url
+ sasBuilderWithEncryptionScope.GenerateSasToken(userDelegationKey, accountName));
directoryClientEncryptionScopeSas.Create();
auto pRawResponse = directoryClientEncryptionScopeSas.GetProperties().RawResponse;
ASSERT_TRUE(pRawResponse->GetHeaders().count("x-ms-encryption-scope") != 0);
EXPECT_EQ(pRawResponse->GetHeaders().at("x-ms-encryption-scope"), encryptionScope);
}
}

}}} // namespace Azure::Storage::Test
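Review bot: The new encryption-scope tests only exercise the positive path — `x-ms-encryption-scope` on `GetProperties` echoes the scope the token was built with — and never verify the integrity property a consumer relies on, namely that a holder of the token cannot swap `ses` for another scope without invalidating the signature. I would add a tamper case next to the file-client block: generate the token, replace the `ses=` value in the returned string with a different scope name, and assert the request is rejected, e.g. `EXPECT_THROW(Files::DataLake::DataLakeFileClient(fileUrl + tamperedSas).GetProperties(), StorageException);` (assuming that is the exception type the rest of this test file expects). The directory block also covers only the user-delegation overload while the file block covers both, so the account-key path for directory SAS with a scope is untested. The enclosing test function starts outside the hunk.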
2 changes: 2 additions & 0 deletions sdk/storage/test-resources-post.ps1
Expand Up @@ -8,6 +8,8 @@ param(

New-AzStorageEncryptionScope -ResourceGroupName $ResourceGroupName -StorageAccountName $DeploymentOutputs['ACCOUNT_NAME'] -EncryptionScopeName "EncryptionScopeForTest" -StorageEncryption

New-AzStorageEncryptionScope -ResourceGroupName $ResourceGroupName -StorageAccountName $DeploymentOutputs['DATALAKE_ACCOUNT_NAME'] -EncryptionScopeName "EncryptionScopeForTest" -StorageEncryption

# This script is used to wait until XCache is refreshed for the service properties (30s), and role assignment takes effect (300s).

Start-Sleep -s 300