Add AzureSasCredential #17636
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System.ComponentModel; | ||
| using System.Threading; | ||
| using Azure.Core; | ||
|
|
||
| namespace Azure | ||
| { | ||
| /// <summary> | ||
| /// Shared access signature credential used to authenticate to an Azure Service. | ||
| /// It provides the ability to update the shared access signature without creating a new client. | ||
| /// </summary> | ||
| public class AzureSasCredential | ||
| { | ||
| private string _signature; | ||
|
|
||
| /// <summary> | ||
| /// Shared access signature used to authenticate to an Azure service. | ||
| /// </summary> | ||
| [EditorBrowsable(EditorBrowsableState.Never)] | ||
| public string Signature | ||
| { | ||
| get => Volatile.Read(ref _signature); | ||
| private set => Volatile.Write(ref _signature, value); | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Initializes a new instance of the <see cref="AzureSasCredential"/> class. | ||
| /// </summary> | ||
| /// <param name="signature">Shared access signature to use to authenticate with the Azure service.</param> | ||
| /// <exception cref="System.ArgumentNullException"> | ||
| /// Thrown when the <paramref name="signature"/> is null. | ||
| /// </exception> | ||
| /// <exception cref="System.ArgumentException"> | ||
| /// Thrown when the <paramref name="signature"/> is empty. | ||
| /// </exception> | ||
| #pragma warning disable CS8618 // Non-nullable field is uninitialized. Consider declaring as nullable. | ||
| public AzureSasCredential(string signature) => Update(signature); | ||
| #pragma warning restore CS8618 // Non-nullable field is uninitialized. Consider declaring as nullable. | ||
|
|
||
| /// <summary> | ||
| /// Updates the shared access signature. | ||
| /// This is intended to be used when you've regenerated your shared access signature | ||
| /// and want to update long lived clients. | ||
| /// </summary> | ||
| /// <param name="signature">Shared access signature to authenticate the service against.</param> | ||
| /// <exception cref="System.ArgumentNullException"> | ||
| /// Thrown when the <paramref name="signature"/> is null. | ||
| /// </exception> | ||
| /// <exception cref="System.ArgumentException"> | ||
| /// Thrown when the <paramref name="signature"/> is empty. | ||
| /// </exception> | ||
| public void Update(string signature) | ||
| { | ||
| Argument.AssertNotNullOrEmpty(signature, nameof(signature)); | ||
| Signature = signature; | ||
| } | ||
| } | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Text; | ||
| using Azure.Core.Pipeline; | ||
|
|
||
| namespace Azure.Core | ||
| { | ||
| internal class AzureSasCredentialPolicy : HttpPipelineSynchronousPolicy | ||
|
There was a problem hiding this comment. We should consider deriving from the base policy class so we can eventually:
There was a problem hiding this comment. Pedantically, by REST conventions, retries should only be performed on a 401. A 403 should be considered terminal and indicating "we know who you are and you'll never be allowed to do this." Do we have services not returning 401 for expired credentials? There was a problem hiding this comment. Since AzureSasCredentialPolicy is internal class - can this be deferred until it's actually implemented? We'd be doing same thing synchronous policy does in SAS policy. There was a problem hiding this comment. I think it's fine. I would just rename this class to AzureSasCredentialSynchronousPolicy. It's shared source and it might be easier to transition to a base policy by adding a new subclass and removing this one overtime. |
||
| { | ||
| private readonly AzureSasCredential _credential; | ||
|
|
||
| /// <summary> | ||
| /// Initializes a new instance of the <see cref="AzureSasCredentialPolicy"/> class. | ||
| /// </summary> | ||
| /// <param name="credential">The <see cref="AzureSasCredentialPolicy"/> used to authenticate requests.</param> | ||
| public AzureSasCredentialPolicy(AzureSasCredential credential) | ||
| { | ||
| Argument.AssertNotNull(credential, nameof(credential)); | ||
| _credential = credential; | ||
| } | ||
|
|
||
| /// <inheritdoc/> | ||
| public override void OnSendingRequest(HttpMessage message) | ||
| { | ||
| string query = message.Request.Uri.Query; | ||
| string signature = _credential.Signature; | ||
| if (signature.StartsWith("?", StringComparison.InvariantCulture)) | ||
| { | ||
| signature = signature.AsSpan().Slice(1).ToString(); | ||
|
There was a problem hiding this comment. nit: Substring would result in the same amount of allocations. |
||
| } | ||
| if (!query.Contains(signature)) | ||
|
There was a problem hiding this comment. Why is this check needed? Won't we validate no SAS URI on the client .ctor? There was a problem hiding this comment. It's not related to presence of the SAS in client's URI. In storage auth policy is per-retry in all languages. We had issues where requests were so long that retry could end up with expired token. Query is empty string in worst case. There was a problem hiding this comment. Java SDK handles this problem in an interesting way. Its retry policy makes a copy of its HttpMessage equivalent before calling rest of pipeline chain, so that retries won't step on each other. Maybe doing something like that in .NET would be right solution to this problem. |
||
| { | ||
| var newQuery = new StringBuilder(query, query.Length + signature.Length + 1); | ||
| newQuery.Append(string.IsNullOrEmpty(query) ? '?' : '&'); | ||
| newQuery.Append(signature); | ||
| message.Request.Uri.Query = newQuery.ToString(); | ||
|
There was a problem hiding this comment. The StringBuilder version is actually more allocating than the code you had before. is compiled into The |
||
| } | ||
|
|
||
| base.OnSendingRequest(message); | ||
| } | ||
| } | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System.Threading; | ||
| using System.Threading.Tasks; | ||
| using Azure.Core.Pipeline; | ||
| using Azure.Core.TestFramework; | ||
| using NUnit.Framework; | ||
|
|
||
| namespace Azure.Core.Tests | ||
| { | ||
| public class AzureSasCredentialPolicyTests : PolicyTestBase | ||
| { | ||
| [TestCase("sig=test_signature_value")] | ||
| [TestCase("?sig=test_signature_value")] | ||
| public async Task SetsSignatureEmptyQuery(string signatureValue) | ||
| { | ||
| var transport = new MockTransport(new MockResponse(200)); | ||
| var sasPolicy = new AzureSasCredentialPolicy(new AzureSasCredential(signatureValue)); | ||
|
|
||
| await SendGetRequest(transport, sasPolicy); | ||
|
|
||
| Assert.AreEqual("?sig=test_signature_value", transport.SingleRequest.Uri.Query); | ||
| } | ||
|
|
||
| [TestCase("sig=test_signature_value")] | ||
| [TestCase("?sig=test_signature_value")] | ||
| public async Task SetsSignatureNonEmptyQuery(string signatureValue) | ||
| { | ||
| var transport = new MockTransport(new MockResponse(200)); | ||
| var sasPolicy = new AzureSasCredentialPolicy(new AzureSasCredential(signatureValue)); | ||
| string query = "?foo=bar"; | ||
|
|
||
| await SendGetRequest(transport, sasPolicy, query: query); | ||
|
|
||
| Assert.AreEqual($"?foo=bar&sig=test_signature_value", transport.SingleRequest.Uri.Query); | ||
| } | ||
|
|
||
| [TestCase("sig=test_signature_value")] | ||
| [TestCase("?sig=test_signature_value")] | ||
| public async Task VerifyRetryEmptyQuery(string signatureValue) | ||
| { | ||
| var transport = new MockTransport(new MockResponse(200), new MockResponse(200)); | ||
| var sasPolicy = new AzureSasCredentialPolicy(new AzureSasCredential(signatureValue)); | ||
|
|
||
| using (Request request = transport.CreateRequest()) | ||
| { | ||
| request.Method = RequestMethod.Get; | ||
| var pipeline = new HttpPipeline(transport, new[] { sasPolicy }); | ||
| await pipeline.SendRequestAsync(request, CancellationToken.None); | ||
| await pipeline.SendRequestAsync(request, CancellationToken.None); | ||
| } | ||
|
|
||
| Assert.AreEqual("?sig=test_signature_value", transport.Requests[0].Uri.Query); | ||
| } | ||
|
|
||
| [TestCase("sig=test_signature_value")] | ||
| [TestCase("?sig=test_signature_value")] | ||
| public async Task VerifyRetryNonEmptyQuery(string signatureValue) | ||
| { | ||
| var transport = new MockTransport(new MockResponse(200), new MockResponse(200)); | ||
| var sasPolicy = new AzureSasCredentialPolicy(new AzureSasCredential(signatureValue)); | ||
| string query = "?foo=bar"; | ||
|
|
||
| using (Request request = transport.CreateRequest()) | ||
| { | ||
| request.Method = RequestMethod.Get; | ||
| request.Uri.Query = query; | ||
| var pipeline = new HttpPipeline(transport, new[] { sasPolicy }); | ||
| await pipeline.SendRequestAsync(request, CancellationToken.None); | ||
| await pipeline.SendRequestAsync(request, CancellationToken.None); | ||
| } | ||
|
|
||
| Assert.AreEqual("?foo=bar&sig=test_signature_value", transport.Requests[0].Uri.Query); | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we be using IsNullOrWhitespace for these? I think we use OrEmpty in other key credentails, but it seems like OrWhitespace would be better. @schaabs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I borrowed that from here
azure-sdk-for-net/sdk/core/Azure.Core/src/AzureKeyCredential.cs
Line 56 in 2b59433