1package storage 2 3// Copyright 2017 Microsoft Corporation 4// 5// Licensed under the Apache License, Version 2.0 (the "License"); 6// you may not use this file except in compliance with the License. 7// You may obtain a copy of the License at 8// 9// http://www.apache.org/licenses/LICENSE-2.0 10// 11// Unless required by applicable law or agreed to in writing, software 12// distributed under the License is distributed on an "AS IS" BASIS, 13// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14// See the License for the specific language governing permissions and 15// limitations under the License. 16 17import ( 18 "errors" 19 "fmt" 20 "net/url" 21 "strings" 22 "time" 23) 24 25// QueueSASOptions are options to construct a blob SAS 26// URI. 27// See https://docs.microsoft.com/en-us/rest/api/storageservices/constructing-a-service-sas 28type QueueSASOptions struct { 29 QueueSASPermissions 30 SASOptions 31} 32 33// QueueSASPermissions includes the available permissions for 34// a queue SAS URI. 35type QueueSASPermissions struct { 36 Read bool 37 Add bool 38 Update bool 39 Process bool 40} 41 42func (q QueueSASPermissions) buildString() string { 43 permissions := "" 44 45 if q.Read { 46 permissions += "r" 47 } 48 if q.Add { 49 permissions += "a" 50 } 51 if q.Update { 52 permissions += "u" 53 } 54 if q.Process { 55 permissions += "p" 56 } 57 return permissions 58} 59 60// GetSASURI creates an URL to the specified queue which contains the Shared 61// Access Signature with specified permissions and expiration time. 62// 63// See https://docs.microsoft.com/en-us/rest/api/storageservices/constructing-a-service-sas 64func (q *Queue) GetSASURI(options QueueSASOptions) (string, error) { 65 canonicalizedResource, err := q.qsc.client.buildCanonicalizedResource(q.buildPath(), q.qsc.auth, true) 66 if err != nil { 67 return "", err 68 } 69 70 // "The canonicalizedresouce portion of the string is a canonical path to the signed resource. 71 // It must include the service name (blob, table, queue or file) for version 2015-02-21 or 72 // later, the storage account name, and the resource name, and must be URL-decoded. 73 // -- https://msdn.microsoft.com/en-us/library/azure/dn140255.aspx 74 // We need to replace + with %2b first to avoid being treated as a space (which is correct for query strings, but not the path component). 75 canonicalizedResource = strings.Replace(canonicalizedResource, "+", "%2b", -1) 76 canonicalizedResource, err = url.QueryUnescape(canonicalizedResource) 77 if err != nil { 78 return "", err 79 } 80 81 signedStart := "" 82 if options.Start != (time.Time{}) { 83 signedStart = options.Start.UTC().Format(time.RFC3339) 84 } 85 signedExpiry := options.Expiry.UTC().Format(time.RFC3339) 86 87 protocols := "https,http" 88 if options.UseHTTPS { 89 protocols = "https" 90 } 91 92 permissions := options.QueueSASPermissions.buildString() 93 stringToSign, err := queueSASStringToSign(q.qsc.client.apiVersion, canonicalizedResource, signedStart, signedExpiry, options.IP, permissions, protocols, options.Identifier) 94 if err != nil { 95 return "", err 96 } 97 98 sig := q.qsc.client.computeHmac256(stringToSign) 99 sasParams := url.Values{ 100 "sv": {q.qsc.client.apiVersion}, 101 "se": {signedExpiry}, 102 "sp": {permissions}, 103 "sig": {sig}, 104 } 105 106 if q.qsc.client.apiVersion >= "2015-04-05" { 107 sasParams.Add("spr", protocols) 108 addQueryParameter(sasParams, "sip", options.IP) 109 } 110 111 uri := q.qsc.client.getEndpoint(queueServiceName, q.buildPath(), nil) 112 sasURL, err := url.Parse(uri) 113 if err != nil { 114 return "", err 115 } 116 sasURL.RawQuery = sasParams.Encode() 117 return sasURL.String(), nil 118} 119 120func queueSASStringToSign(signedVersion, canonicalizedResource, signedStart, signedExpiry, signedIP, signedPermissions, protocols, signedIdentifier string) (string, error) { 121 122 if signedVersion >= "2015-02-21" { 123 canonicalizedResource = "/queue" + canonicalizedResource 124 } 125 126 // https://msdn.microsoft.com/en-us/library/azure/dn140255.aspx#Anchor_12 127 if signedVersion >= "2015-04-05" { 128 return fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s", 129 signedPermissions, 130 signedStart, 131 signedExpiry, 132 canonicalizedResource, 133 signedIdentifier, 134 signedIP, 135 protocols, 136 signedVersion), nil 137 138 } 139 140 // reference: http://msdn.microsoft.com/en-us/library/azure/dn140255.aspx 141 if signedVersion >= "2013-08-15" { 142 return fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", signedPermissions, signedStart, signedExpiry, canonicalizedResource, signedIdentifier, signedVersion), nil 143 } 144 145 return "", errors.New("storage: not implemented SAS for versions earlier than 2013-08-15") 146} 147