-
Notifications
You must be signed in to change notification settings - Fork 4.9k
/
Copy pathSample02_Auth.cs
204 lines (182 loc) · 8.7 KB
/
Sample02_Auth.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;
using NUnit.Framework;
namespace Azure.Storage.Blobs.Samples
{
/// <summary>
/// Demonstrate various authorization and authentication mechanisms.
///
/// For more information, see
/// https://docs.microsoft.com/en-us/azure/storage/common/storage-auth
/// </summary>
public class Sample02_Auth : SampleTest
{
/// <summary>
/// Use a connection string to connect to a Storage account.
///
/// A connection string includes the authentication information
/// required for your application to access data in an Azure Storage
/// account at runtime using Shared Key authorization.
/// </summary>
[Test]
public async Task ConnectionStringAsync()
{
// Get a connection string to our Azure Storage account. You can
// obtain your connection string from the Azure Portal (click
// Access Keys under Settings in the Portal Storage account blade)
// or using the Azure CLI with:
//
// az storage account show-connection-string --name <account_name> --resource-group <resource_group>
//
// And you can provide the connection string to your application
// using an environment variable.
string connectionString = ConnectionString;
// Create a client that can authenticate with a connection string
BlobServiceClient service = new BlobServiceClient(connectionString);
// Make a service request to verify we've successfully authenticated
await service.GetPropertiesAsync();
}
/// <summary>
/// Anonymously access a public blob.
///
/// You can enable anonymous, public read access to a container and its
/// blobs in Azure Blob storage. By doing so, you can grant read-only
/// access to these resources without sharing your account key, and
/// without requiring a shared access signature (SAS).
///
/// Public read access is best for scenarios where you want certain
/// blobs to always be available for anonymous read access. For more
/// fine-grained control, you can create a shared access signature.
/// </summary>
[Test]
public async Task AnonymousAuthAsync()
{
BlobContainerClient container = new BlobContainerClient(ConnectionString, Randomize("sample-container"));
try
{
// Create a blob that can be accessed publicly
await container.CreateAsync(PublicAccessType.Blob);
BlobClient blob = container.GetBlobClient(Randomize("sample-blob"));
await blob.UploadAsync(BinaryData.FromString("Blob Content"));
// Anonymously access a blob given its URI
Uri endpoint = blob.Uri;
BlobClient anonymous = new BlobClient(endpoint);
// Make a service request to verify we've successfully authenticated
await anonymous.GetPropertiesAsync();
}
finally
{
await container.DeleteAsync();
}
}
/// <summary>
/// Use a shared key to access a Storage Account.
///
/// Shared Key authorization relies on your account access keys and
/// other parameters to produce an encrypted signature string that is
/// passed on the request in the Authorization header.
/// </summary>
[Test]
public async Task SharedKeyAuthAsync()
{
// Get a Storage account name, shared key, and endpoint Uri.
//
// You can obtain both from the Azure Portal by clicking Access
// Keys under Settings in the Portal Storage account blade.
//
// You can also get access to your account keys from the Azure CLI
// with:
//
// az storage account keys list --account-name <account_name> --resource-group <resource_group>
//
string accountName = StorageAccountName;
string accountKey = StorageAccountKey;
Uri serviceUri = StorageAccountBlobUri;
// Create a SharedKeyCredential that we can use to authenticate
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(accountName, accountKey);
// Create a client that can authenticate with a connection string
BlobServiceClient service = new BlobServiceClient(serviceUri, credential);
// Make a service request to verify we've successfully authenticated
await service.GetPropertiesAsync();
}
/// <summary>
/// Use a shared access signature to access a Storage Account.
///
/// A shared access signature (SAS) is a URI that grants restricted
/// access rights to Azure Storage resources. You can provide a shared
/// access signature to clients who should not be trusted with your
/// storage account key but to whom you wish to delegate access to
/// certain storage account resources. By distributing a shared access
/// signature URI to these clients, you can grant them access to a
/// resource for a specified period of time, with a specified set of
/// permissions.
/// </summary>
[Test]
public async Task SharedAccessSignatureAuthAsync()
{
// Create a service level SAS that only allows reading from service
// level APIs
AccountSasBuilder sas = new AccountSasBuilder
{
// Allow access to blobs
Services = AccountSasServices.Blobs,
// Allow access to the service level APIs
ResourceTypes = AccountSasResourceTypes.Service,
// Access expires in 1 hour!
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
};
// Allow read access
sas.SetPermissions(AccountSasPermissions.Read);
// Create a SharedKeyCredential that we can use to sign the SAS token
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(StorageAccountName, StorageAccountKey);
// Build a SAS URI
UriBuilder sasUri = new UriBuilder(StorageAccountBlobUri);
sasUri.Query = sas.ToSasQueryParameters(credential).ToString();
// Create a client that can authenticate with the SAS URI
BlobServiceClient service = new BlobServiceClient(sasUri.Uri);
// Make a service request to verify we've successfully authenticated
await service.GetPropertiesAsync();
// Try to create a new container (which is beyond our
// delegated permission)
RequestFailedException ex =
Assert.ThrowsAsync<RequestFailedException>(
async () => await service.CreateBlobContainerAsync(Randomize("sample-container")));
Assert.AreEqual(403, ex.Status);
}
/// <summary>
/// Use an Active Directory token to access a Storage account.
///
/// Azure Storage provides integration with Azure Active Directory
/// (Azure AD) for identity-based authentication of requests to the
/// Blob and Queue services. With Azure AD, you can use role-based
/// access control (RBAC) to grant access to your Azure Storage
/// resources to users, groups, or applications. You can grant
/// permissions that are scoped to the level of an individual
/// container or queue.
///
/// To learn more about Azure AD integration in Azure Storage, see
/// https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad
/// </summary>
[Test]
public async Task ActiveDirectoryAuthAsync()
{
// Create a token credential that can use our Azure Active
// Directory application to authenticate with Azure Storage
TokenCredential credential = new DefaultAzureCredential();
// Create a client that can authenticate using our token credential
BlobServiceClient service = new BlobServiceClient(ActiveDirectoryBlobUri, credential);
// Make a service request to verify we've successfully authenticated
await service.GetPropertiesAsync();
}
}
}