def table_acl(self):
table_name = self._create_table()
# Basic
access_policy = AccessPolicy(permission=TablePermissions.QUERY,
expiry=datetime.utcnow() + timedelta(hours=1))
identifiers = {'id': access_policy}
self.service.set_table_acl(table_name, identifiers)
# Wait 30 seconds for acl to propagate
time.sleep(30)
acl = self.service.get_table_acl(table_name) # {id: AccessPolicy()}
# Replaces values, does not merge
access_policy = AccessPolicy(permission=TablePermissions.QUERY,
expiry=datetime.utcnow() + timedelta(hours=1))
identifiers = {'id2': access_policy}
self.service.set_table_acl(table_name, identifiers)
# Wait 30 seconds for acl to propagate
time.sleep(30)
acl = self.service.get_table_acl(table_name) # {id2: AccessPolicy()}
# Clear
self.service.set_table_acl(table_name)
# Wait 30 seconds for acl to propagate
time.sleep(30)
acl = self.service.get_table_acl(table_name) # {}
self.service.delete_table(table_name)
def container_acl(self):
container_name = self._create_container()
# Create a READ level access policy and set it on the container
access_policy = AccessPolicy(permission=ContainerPermissions.READ,
expiry=datetime.utcnow() + timedelta(hours=1))
identifiers = {'id': access_policy}
self.service.set_container_acl(container_name, identifiers)
# Wait 30 seconds for acl to propagate
time.sleep(30)
acl = self.service.get_container_acl(container_name) # {id: AccessPolicy()}
# Replaces values, does not merge
access_policy = AccessPolicy(permission=ContainerPermissions.READ,
expiry=datetime.utcnow() + timedelta(hours=1))
identifiers = {'id2': access_policy}
self.service.set_container_acl(container_name, identifiers)
# Wait 30 seconds for acl to propagate
time.sleep(30)
acl = self.service.get_container_acl(container_name) # {id2: AccessPolicy()}
# Clear
self.service.set_container_acl(container_name)
# Wait 30 seconds for acl to propagate
time.sleep(30)
acl = self.service.get_container_acl(container_name) # {}
self.service.delete_container(container_name)
def sas_with_signed_identifiers(self):
share_name = self._create_share()
self.service.create_directory(share_name, 'dir1')
self.service.create_file_from_text(share_name, 'dir1', 'file1', b'hello world')
# Set access policy on share
access_policy = AccessPolicy(permission=SharePermissions.READ,
expiry=datetime.utcnow() + timedelta(hours=1))
identifiers = {'id': access_policy}
acl = self.service.set_share_acl(share_name, identifiers)
# Wait 30 seconds for acl to propagate
time.sleep(30)
# Indicates to use the access policy set on the share
token = self.service.generate_share_shared_access_signature(
share_name,
id='id'
)
# Create a service and use the SAS
sas_service = FileService(
account_name=self.account.account_name,
sas_token=token,
)
file = sas_service.get_file_to_text(share_name, 'dir1', 'file1')
content = file.content # hello world
self.service.delete_share(share_name)
def url(self, name):
if hasattr(self.connection, 'make_blob_url'):
if self.auto_sign:
access_policy = AccessPolicy()
access_policy.start = (
datetime.utcnow() +
timedelta(seconds=-120)).strftime('%Y-%m-%dT%H:%M:%SZ')
access_policy.expiry = (datetime.utcnow() + timedelta(
seconds=self.ap_expiry)).strftime('%Y-%m-%dT%H:%M:%SZ')
access_policy.permission = self.azure_access_policy_permission
sap = SharedAccessPolicy(access_policy)
sas_token = self.connection.generate_shared_access_signature(
self.azure_container,
blob_name=name,
shared_access_policy=sap,
)
else:
sas_token = None
return self.connection.make_blob_url(
container_name=self.azure_container,
blob_name=name,
protocol=self.azure_protocol,
sas_token=sas_token,
)
else:
return "{}{}/{}".format(setting('MEDIA_URL'), self.azure_container,
name)
def test_sas_signed_identifier(self):
# SAS URL is calculated from storage key, so this test runs live only
if TestMode.need_recording_file(self.test_mode):
return
# Arrange
file_name = self._create_file()
access_policy = AccessPolicy()
access_policy.start = '2011-10-11'
access_policy.expiry = '2018-10-12'
access_policy.permission = FilePermissions.READ
identifiers = {'testid': access_policy}
resp = self.fs.set_share_acl(self.share_name, identifiers)
token = self.fs.generate_file_shared_access_signature(self.share_name,
None,
file_name,
id='testid')
# Act
service = FileService(
self.settings.STORAGE_ACCOUNT_NAME,
sas_token=token,
request_session=requests.Session(),
)
self._set_test_proxy(service, self.settings)
result = service.get_file_to_bytes(self.share_name, None, file_name)
# Assert
self.assertEqual(self.short_byte_data, result.content)
def test_generate_signed_query_dict_blob_with_access_policy_and_headers(
self):
accss_plcy = AccessPolicy()
accss_plcy.start = '2011-10-11T11:03:40Z'
accss_plcy.expiry = '2011-10-12T11:53:40Z'
accss_plcy.permission = 'r'
query = self.sas._generate_signed_query_dict(
'images/pic1.png',
ResourceType.RESOURCE_BLOB,
SharedAccessPolicy(accss_plcy),
content_disposition='file; attachment',
content_type='binary',
)
self.assertEqual(query[QueryStringConstants.SIGNED_START],
'2011-10-11T11:03:40Z')
self.assertEqual(query[QueryStringConstants.SIGNED_EXPIRY],
'2011-10-12T11:53:40Z')
self.assertEqual(query[QueryStringConstants.SIGNED_RESOURCE],
ResourceType.RESOURCE_BLOB)
self.assertEqual(query[QueryStringConstants.SIGNED_PERMISSION], 'r')
self.assertEqual(
query[QueryStringConstants.SIGNED_CONTENT_DISPOSITION],
'file; attachment')
self.assertEqual(query[QueryStringConstants.SIGNED_CONTENT_TYPE],
'binary')
self.assertEqual(query[QueryStringConstants.SIGNED_SIGNATURE],
'uHckUC6T+BwUsc+DgrreyIS1k6au7uUd7LSSs/z+/+w=')
def sas_with_signed_identifiers(self):
container_name = self._create_container()
self.service.create_blob_from_text(container_name, 'blob1', b'hello world')
# Set access policy on container
access_policy = AccessPolicy(permission=ContainerPermissions.READ,
expiry=datetime.utcnow() + timedelta(hours=1))
identifiers = {'id': access_policy}
acl = self.service.set_container_acl(container_name, identifiers)
# Wait 30 seconds for acl to propagate
time.sleep(30)
# Indicates to use the access policy set on the container
token = self.service.generate_container_shared_access_signature(
container_name,
id='id'
)
# Create a service and use the SAS
sas_service = BlockBlobService(
account_name=self.account.account_name,
sas_token=token,
)
blob = sas_service.get_blob_to_text(container_name, 'blob1')
content = blob.content # hello world
self.service.delete_container(container_name)
def test_sas_signed_identifier(self):
# SAS URL is calculated from storage key, so this test runs live only
if TestMode.need_recordingfile(self.test_mode):
return
# Arrange
entity = self._insert_random_entity()
access_policy = AccessPolicy()
access_policy.start = '2011-10-11'
access_policy.expiry = '2018-10-12'
access_policy.permission = TablePermissions.QUERY
identifiers = {'testid': access_policy}
entities = self.ts.set_table_acl(self.table_name, identifiers)
token = self.ts.generate_table_shared_access_signature(
self.table_name,
id='testid',
)
# Act
service = TableService(
account_name=self.settings.STORAGE_ACCOUNT_NAME,
sas_token=token,
)
self._set_service_options(service, self.settings)
entities = list(
self.ts.query_entities(self.table_name,
filter="PartitionKey eq '{}'".format(
entity.PartitionKey)))
# Assert
self.assertEqual(len(entities), 1)
self._assert_default_entity(entities[0])
def test_sign_request(self):
accss_plcy = AccessPolicy()
accss_plcy.start = '2011-10-11'
accss_plcy.expiry = '2011-10-12'
accss_plcy.permission = 'r'
sap = SharedAccessPolicy(accss_plcy)
qry_str = self.sas.generate_signed_query_string('images/pic1.png',
RESOURCE_BLOB,
sap)
permission = Permission()
permission.path = '/images/pic1.png'
permission.query_string = qry_str
self.sas.permission_set = [permission]
web_rsrc = WebResource()
web_rsrc.properties[SIGNED_RESOURCE_TYPE] = RESOURCE_BLOB
web_rsrc.properties[SHARED_ACCESS_PERMISSION] = 'r'
web_rsrc.path = '/images/pic1.png?comp=metadata'
web_rsrc.request_url = '/images/pic1.png?comp=metadata'
web_rsrc = self.sas.sign_request(web_rsrc)
self.assertEqual(web_rsrc.request_url,
'/images/pic1.png?comp=metadata&' +
self.sas._convert_query_string(qry_str))
def queue_acl_operations(self, queue_service):
queue_name = 'aclqueue' + self.random_data.get_random_name(6)
try:
print('1. Create a queue with name - ' + queue_name)
queue_service.create_queue(queue_name)
print('2. Set access policy for queue')
access_policy = AccessPolicy(permission=QueuePermissions.READ,
expiry=datetime.datetime.utcnow() +
datetime.timedelta(hours=1))
identifiers = {'id': access_policy}
queue_service.set_queue_acl(queue_name, identifiers)
print('3. Get access policy from queue')
acl = queue_service.get_queue_acl(queue_name)
print('4. Clear access policy in queue')
# Clear
queue_service.set_queue_acl(queue_name)
finally:
print('5. Delete queue')
if queue_service.exists(queue_name):
queue_service.delete_queue(queue_name)
print("Queue ACL operations sample completed")
def table_acl_operations(self, table_service):
table_name = 'acltable' + self.random_data.get_random_name(6)
try:
print('1. Create a table with name - ' + table_name)
table_service.create_table(table_name)
print('2. Set access policy for table')
access_policy = AccessPolicy(permission=TablePermissions.QUERY,
expiry=datetime.datetime.utcnow() + datetime.timedelta(hours=1))
identifiers = {'id': access_policy}
table_service.set_table_acl(table_name, identifiers)
print('3. Wait 30 seconds for acl to propagate')
time.sleep(30)
print('4. Get access policy from table')
acl = table_service.get_table_acl(table_name)
print('5. Clear access policy in table')
table_service.set_table_acl(table_name)
finally:
print('5. Delete table')
if(table_service.exists(table_name)):
table_service.delete_table(table_name)
print("Table ACL operations sample completed")
def container_acl_operations(self, account):
container_name = 'aclblockblobcontainer' + self.random_data.get_random_name(
6)
# Create a Block Blob Service object
blockblob_service = account.create_block_blob_service()
try:
print('1. Create a container with name - ' + container_name)
blockblob_service.create_container(container_name)
print('2. Set access policy for container')
access_policy = AccessPolicy(permission=ContainerPermissions.READ,
expiry=datetime.datetime.utcnow() +
datetime.timedelta(hours=1))
identifiers = {'id': access_policy}
blockblob_service.set_container_acl(container_name, identifiers)
print('3. Get access policy from container')
acl = blockblob_service.get_container_acl(container_name)
print('4. Clear access policy in container')
# Clear
blockblob_service.set_container_acl(container_name)
finally:
print('5. Delete container')
blockblob_service.delete_container(container_name)
print("Container ACL operations sample completed")
def sas_with_signed_identifiers(self):
queue_name = self._create_queue()
self.service.put_message(queue_name, u'message1')
# Set access policy on queue
access_policy = AccessPolicy(permission=QueuePermissions.PROCESS,
expiry=datetime.utcnow() + timedelta(hours=1))
identifiers = {'id': access_policy}
acl = self.service.set_queue_acl(queue_name, identifiers)
# Wait 30 seconds for acl to propagate
time.sleep(30)
# Indicates to use the access policy set on the queue
token = self.service.generate_queue_shared_access_signature(
queue_name,
id='id'
)
# Create a service and use the SAS
sas_service = QueueService(
account_name=self.account.account_name,
sas_token=token,
)
messages = sas_service.get_messages(queue_name)
for message in messages:
print(message.content) # message1
self.service.delete_queue(queue_name)
def make_blob_sas_url(account_name,
account_key,
container_name,
blob_name,
permission='w',
duration=16):
"""
Generate a Blob SAS URL to allow a client to upload a file.
account_name: Storage account name.
account_key: Storage account key.
container_name: Storage container.
blob_name: Blob name.
duration: A timedelta representing duration until SAS expiration.
SAS start date will be utcnow() minus one minute. Expiry date
is start date plus duration.
Returns the SAS URL.
"""
sas = SharedAccessSignature(account_name, account_key)
resource_path = '%s/%s' % (container_name, blob_name)
date_format = "%Y-%m-%dT%H:%M:%SZ"
start = datetime.datetime.utcnow() - datetime.timedelta(minutes=5)
expiry = start + datetime.timedelta(minutes=duration)
sap = SharedAccessPolicy(AccessPolicy(
start.strftime(date_format),
expiry.strftime(date_format),
permission))
sas_token = sas.generate_signed_query_string(resource_path, 'b', sap)
blob_url = BlobService(account_name, account_key)
url = blob_url.make_blob_url(container_name=container_name, blob_name=blob_name, sas_token=sas_token)
return url
def _get_shared_access_policy(self, permission):
date_format = "%Y-%m-%dT%H:%M:%SZ"
start = datetime.datetime.utcnow() - datetime.timedelta(minutes=1)
expiry = start + datetime.timedelta(hours=1)
return SharedAccessPolicy(
AccessPolicy(start.strftime(date_format),
expiry.strftime(date_format), permission))
def sas_with_signed_identifiers(self):
table_name = self._create_table()
entity = {
'PartitionKey': 'test',
'RowKey': 'test1',
'text': 'hello world',
}
self.service.insert_entity(table_name, entity)
# Set access policy on table
access_policy = AccessPolicy(permission=TablePermissions.QUERY,
expiry=datetime.utcnow() + timedelta(hours=1))
identifiers = {'id': access_policy}
acl = self.service.set_table_acl(table_name, identifiers)
# Wait 30 seconds for acl to propagate
time.sleep(30)
# Indicates to use the access policy set on the table
token = self.service.generate_table_shared_access_signature(
table_name,
id='id'
)
# Create a service and use the SAS
sas_service = TableService(
account_name=self.account.account_name,
sas_token=token,
)
entities = list(sas_service.query_entities(table_name))
for entity in entities:
print(entity.text) # hello world
self.service.delete_table(table_name)
def url(self, name):
"""
Override this method so that we can add SAS authorization tokens
"""
sas_token = None
if self.url_expiry_secs:
now = datetime.utcnow().replace(tzinfo=pytz.utc)
expire_at = now + timedelta(seconds=self.url_expiry_secs)
policy = AccessPolicy()
# generate an ISO8601 time string and use split() to remove the sub-second
# components as Azure will reject them. Plus add the timezone at the end.
policy.expiry = expire_at.isoformat().split('.')[0] + 'Z'
policy.permission = 'r'
sas_token = self.connection.generate_shared_access_signature(
self.azure_container,
blob_name=name,
shared_access_policy=SharedAccessPolicy(access_policy=policy),
)
return self.connection.make_blob_url(
container_name=self.azure_container,
blob_name=name,
protocol=self.azure_protocol,
sas_token=sas_token)
def test_generate_signature_container(self):
accss_plcy = AccessPolicy()
accss_plcy.start = '2011-10-11'
accss_plcy.expiry = '2011-10-12'
accss_plcy.permission = 'r'
signed_identifier = 'YWJjZGVmZw=='
sap = SharedAccessPolicy(accss_plcy, signed_identifier)
signature = self.sas._generate_signature('images', sap, X_MS_VERSION,
None, None, None, None, None)
self.assertEqual(signature,
'Md+SHy9BQNucdHnmDOEwlAkIWU5YxwlTq6gA9yJKE6w=')
def test_generate_signature_blob(self):
accss_plcy = AccessPolicy()
accss_plcy.start = '2011-10-11T11:03:40Z'
accss_plcy.expiry = '2011-10-12T11:53:40Z'
accss_plcy.permission = 'r'
sap = SharedAccessPolicy(accss_plcy)
signature = self.sas._generate_signature('images/pic1.png',
RESOURCE_BLOB, sap)
self.assertEqual(signature,
'7NIEip+VOrQ5ZV80pORPK1MOsJc62wwCNcbMvE+lQ0s=')
def test_generate_signature_container(self):
accss_plcy = AccessPolicy()
accss_plcy.start = '2011-10-11'
accss_plcy.expiry = '2011-10-12'
accss_plcy.permission = 'r'
signed_identifier = 'YWJjZGVmZw=='
sap = SharedAccessPolicy(accss_plcy, signed_identifier)
signature = self.sas._generate_signature('images', RESOURCE_CONTAINER,
sap)
self.assertEqual(signature,
'VdlALM4TYEYYNf94Bvt3dn48TsA01wk45ltwP3zeKp4=')
def test_generate_signature_blob(self):
accss_plcy = AccessPolicy()
accss_plcy.start = '2011-10-11T11:03:40Z'
accss_plcy.expiry = '2011-10-12T11:53:40Z'
accss_plcy.permission = 'r'
sap = SharedAccessPolicy(accss_plcy)
signature = self.sas._generate_signature('images/pic1.png',
sap,
X_MS_VERSION)
self.assertEqual(signature,
'ju4tX0G79vPxMOkBb7UfNVEgrj9+ZnSMutpUemVYHLY=')
def test_generate_signature_container(self):
accss_plcy = AccessPolicy()
accss_plcy.start = '2011-10-11'
accss_plcy.expiry = '2011-10-12'
accss_plcy.permission = 'r'
signed_identifier = 'YWJjZGVmZw=='
sap = SharedAccessPolicy(accss_plcy, signed_identifier)
signature = self.sas._generate_signature('images',
sap,
X_MS_VERSION)
self.assertEqual(signature,
'1AWckmWSNrNCjh9krPXoD4exAgZWQQr38gG6z/ymkhQ=')
def test_set_queue_acl_too_many_ids(self):
# Arrange
queue_name = self._create_queue()
# Act
identifiers = dict()
for i in range(0, 6):
identifiers['id{}'.format(i)] = AccessPolicy()
# Assert
with self.assertRaisesRegexp(AzureException, 'Too many access policies provided. The server does not support setting more than 5 access policies on a single resource.'):
self.qs.set_queue_acl(queue_name, identifiers)
def request_upload(upload_location):
filetype = request.args.get("filetype")
filesize = request.args.get("filesize")
if filetype not in ['png', 'jpg', 'jpeg', 'gif', 'pdf']:
return "Invalid filetype", 400
# TODO: Check filesize
if upload_location not in ["event", "user", "project"]:
return "Invalid upload location", 400
token = request.headers.get('session')
user_id = sessions.get('session:' + token)
if not user_id:
return "Session invalid", 40
user = User.find_id(user_id)
if not user:
return "Session invalid", 401
if upload_location == "event" and user.type != "organizer":
return "You don't have permission to upload", 401
upload_policy = SharedAccessPolicy(
AccessPolicy(
start=(
datetime.datetime.utcnow() -
datetime.timedelta(minutes=15)).strftime("%Y-%m-%dT%H:%M:%SZ"),
expiry=(
datetime.datetime.utcnow() +
datetime.timedelta(minutes=15)).strftime("%Y-%m-%dT%H:%M:%SZ"),
permission=BlobSharedAccessPermissions.WRITE,
))
destination_url = upload_location + "/" + create_filename(
) + '.' + filetype
# TODO: fix "Incorrect Padding" exception on this line
upload_token = azure_storage.generate_shared_access_signature(
container_name='user-files',
blob_name=destination_url,
shared_access_policy=upload_policy,
)
print("Created Destination Url " + destination_url)
print("Created upload token " + upload_token)
return json.dumps({
"upload_url": files_url + destination_url + "?" + upload_token,
"file_url": files_url + destination_url
}), 200, jsonType
def test_generate_signature_blob(self):
accss_plcy = AccessPolicy()
accss_plcy.start = '2011-10-11T11:03:40Z'
accss_plcy.expiry = '2011-10-12T11:53:40Z'
accss_plcy.permission = 'r'
sap = SharedAccessPolicy(accss_plcy)
signature = self.sas._generate_signature('images/pic1.png', sap,
X_MS_VERSION, None,
'file; attachment', None,
None, 'binary')
self.assertEqual(signature,
'uHckUC6T+BwUsc+DgrreyIS1k6au7uUd7LSSs/z+/+w=')
def url(self, name):
ap = AccessPolicy(expiry=(timezone.datetime.utcnow() + timezone.timedelta(seconds=600)).strftime('%Y-%m-%dT%H:%M:%SZ'), \
start=(timezone.datetime.utcnow() + timezone.timedelta(seconds=-600)).strftime('%Y-%m-%dT%H:%M:%SZ'), \
permission='r')
sap = SharedAccessPolicy(ap)
sas = SharedAccessSignature(self.account_name, self.account_key)
url = sas.generate_signed_query_string(path=self.azure_container +
'/' + name,
resource_type='b',
shared_access_policy=sap)
return self.connection.make_blob_url(self.azure_container,
name) + "?" + url
def getPublicUrl(self, jobStoreFileID):
try:
self.files.get_blob_properties(blob_name=jobStoreFileID)
except AzureMissingResourceHttpError:
raise NoSuchFileException(jobStoreFileID)
# Compensate of a little bit of clock skew
startTimeStr = (datetime.utcnow() - timedelta(minutes=5)).strftime(self._azureTimeFormat)
endTime = datetime.utcnow() + self.publicUrlExpiration
endTimeStr = endTime.strftime(self._azureTimeFormat)
sap = SharedAccessPolicy(AccessPolicy(startTimeStr, endTimeStr,
BlobSharedAccessPermissions.READ))
sas_token = self.files.generate_shared_access_signature(blob_name=jobStoreFileID,
shared_access_policy=sap)
return self.files.make_blob_url(blob_name=jobStoreFileID) + '?' + sas_token
def test_blob_signed_query_string(self):
accss_plcy = AccessPolicy()
accss_plcy.start = '2011-10-11'
accss_plcy.expiry = '2011-10-12'
accss_plcy.permission = 'w'
sap = SharedAccessPolicy(accss_plcy)
qry_str = self.sas.generate_signed_query_string(
'images/pic1.png', RESOURCE_BLOB, sap)
self.assertEqual(qry_str[SIGNED_START], '2011-10-11')
self.assertEqual(qry_str[SIGNED_EXPIRY], '2011-10-12')
self.assertEqual(qry_str[SIGNED_RESOURCE], RESOURCE_BLOB)
self.assertEqual(qry_str[SIGNED_PERMISSION], 'w')
self.assertEqual(qry_str[SIGNED_SIGNATURE],
'k8uyTrn3pgLXuhwgZhxeAH6mZ/es9k2vqHPJEuIH4CE=')
def test_blob_signed_query_string(self):
accss_plcy = AccessPolicy()
accss_plcy.start = '2011-10-11'
accss_plcy.expiry = '2011-10-12'
accss_plcy.permission = 'w'
sap = SharedAccessPolicy(accss_plcy)
qry_str = self.sas.generate_signed_query_string(
'images/pic1.png', RESOURCE_BLOB, sap)
self.assertEqual(qry_str[SIGNED_START], '2011-10-11')
self.assertEqual(qry_str[SIGNED_EXPIRY], '2011-10-12')
self.assertEqual(qry_str[SIGNED_RESOURCE], RESOURCE_BLOB)
self.assertEqual(qry_str[SIGNED_PERMISSION], 'w')
self.assertEqual(qry_str[SIGNED_SIGNATURE],
'Fqt8tNcyUOp30qYRtSFNcImrRMcxlk6IF17O4l96KT8=')
def test_set_table_acl_with_empty_signed_identifier(self):
# Arrange
table_name = self._create_table()
# Act
self.ts.set_table_acl(table_name, {'empty': AccessPolicy()})
# Assert
acl = self.ts.get_table_acl(table_name)
self.assertIsNotNone(acl)
self.assertEqual(len(acl), 1)
self.assertIsNotNone(acl['empty'])
self.assertIsNone(acl['empty'].permission)
self.assertIsNone(acl['empty'].expiry)
self.assertIsNone(acl['empty'].start)