package sas

import "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/sas"

Example (ServiceSAS)


package main

import (
	"context"
	"fmt"
	"io"
	"log"
	"os"
	"strings"
	"time"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/sas"
)

// handleError ends the program through log.Fatal when err is non-nil; a nil
// error is a no-op.
func handleError(err error) {
	if err == nil {
		return
	}
	log.Fatal(err.Error())
}

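// main demonstrates a service SAS: it signs SAS query parameters for one
// container with the account's shared key, builds a client that authenticates
// with nothing but the resulting URL, uploads a blob and reads it back.
//
// The signed query string is a bearer credential: whoever holds the URL gets the
// signed permissions until ExpiryTime. This SAS is signed directly with the
// account key and names no stored access policy, so it cannot be revoked on its
// own. The controls that remain are a short lifetime, narrow permissions and, as
// a last resort, regenerating the account key.
func main() {
	accountName, accountKey := os.Getenv("AZURE_STORAGE_ACCOUNT_NAME"), os.Getenv("AZURE_STORAGE_ACCOUNT_KEY")
	if accountName == "" || accountKey == "" {
		// Stop here rather than sign with an empty account name or key.
		log.Fatal("AZURE_STORAGE_ACCOUNT_NAME and AZURE_STORAGE_ACCOUNT_KEY must be set")
	}
	// Container names must be lowercase; the service rejects a mixed-case name.
	const containerName = "testcontainer"

	credential, err := azblob.NewSharedKeyCredential(accountName, accountKey)
	handleError(err)

	// Take the clock once so the start and expiry are derived from the same instant.
	now := time.Now().UTC()
	sasQueryParams, err := sas.BlobSignatureValues{
		// HTTPS only: the token travels in the request URL.
		Protocol: sas.ProtocolHTTPS,
		// Back-date the start slightly so clock skew between this host and the
		// service does not make the token "not yet valid".
		StartTime: now.Add(-10 * time.Second),
		// Keep the window short: this token is used immediately below.
		ExpiryTime: now.Add(15 * time.Minute),
		// Only what the upload (with tags) and the download below need.
		Permissions:   to.Ptr(sas.BlobPermissions{Read: true, Create: true, Write: true, Tag: true}).String(),
		ContainerName: containerName,
	}.SignWithSharedKey(credential)
	handleError(err)

	// The URL embeds the signature. It is deliberately not printed: stdout,
	// terminal scrollback and CI logs are all places a bearer token can leak from.
	sasURL := fmt.Sprintf("https://%s.blob.core.windows.net/?%s", accountName, sasQueryParams.Encode())

	// This URL can be used to authenticate requests now
	azClient, err := azblob.NewClientWithNoCredential(sasURL, nil)
	handleError(err)

	const blobData, blobName = "test data", "testBlob"
	uploadResp, err := azClient.UploadStream(context.TODO(),
		containerName,
		blobName,
		strings.NewReader(blobData),
		&azblob.UploadStreamOptions{
			Metadata: map[string]string{"Foo": "Bar"},
			Tags:     map[string]string{"Year": "2022"},
		})
	handleError(err)
	fmt.Println(uploadResp)

	blobDownloadResponse, err := azClient.DownloadStream(context.TODO(), containerName, blobName, nil)
	handleError(err)

	reader := blobDownloadResponse.Body
	downloadData, err := io.ReadAll(reader)
	handleError(err)

	// Close as soon as the body has been read, and report a failure instead of
	// returning silently.
	if err := reader.Close(); err != nil {
		log.Printf("closing download body: %v", err)
	}

	fmt.Println(string(downloadData))
	if string(downloadData) != blobData {
		log.Fatal("Uploaded data should be same as downloaded data")
	}
}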
Example (UserDelegationSAS)


package main

import (
	"context"
	"fmt"
	"log"
	"os"
	"time"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/sas"
	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service"
)

// handleError stops the program with log.Fatal if err is set and returns
// normally when err is nil.
func handleError(err error) {
	switch {
	case err == nil:
		return
	default:
		log.Fatal(err.Error())
	}
}

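// main demonstrates a user delegation SAS: it authenticates with a client
// secret credential, requests a user delegation key from the service, signs a
// read/list SAS for one container with that key, and lists the container's
// blobs through a client that holds only the SAS URL.
//
// No storage account key is involved. The SAS is signed with the user
// delegation key, so it is only usable while that key is valid.
func main() {
	// requireEnv returns the value of the named environment variable and panics
	// when the variable is not set at all.
	requireEnv := func(name string) string {
		value, ok := os.LookupEnv(name)
		if !ok {
			panic(name + " could not be found")
		}
		return value
	}
	accountName := requireEnv("AZURE_STORAGE_ACCOUNT_NAME")
	tenantID := requireEnv("AZURE_TENANT_ID")
	clientID := requireEnv("AZURE_CLIENT_ID")
	clientSecret := requireEnv("AZURE_CLIENT_SECRET")
	const containerName = "testcontainer"

	cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, clientSecret, nil)
	handleError(err)

	svcClient, err := service.NewClient(
		fmt.Sprintf("https://%s.blob.core.windows.net/", accountName),
		cred,
		&service.ClientOptions{},
	)
	handleError(err)

	// Validity window of the user delegation key. The start is back-dated by ten
	// seconds to tolerate clock skew. The key outlives the SAS signed below, so
	// anything holding udc can sign further tokens until the key expires.
	now := time.Now().UTC().Add(-10 * time.Second)
	expiry := now.Add(48 * time.Hour)
	info := service.KeyInfo{
		Start:  to.Ptr(now.UTC().Format(sas.TimeFormat)),
		Expiry: to.Ptr(expiry.UTC().Format(sas.TimeFormat)),
	}

	udc, err := svcClient.GetUserDelegationCredential(context.Background(), info, nil)
	handleError(err)

	// Create Blob Signature Values with desired permissions and sign with user delegation credential.
	// The token is HTTPS-only, read/list only, and valid for 15 minutes.
	sasQueryParams, err := sas.BlobSignatureValues{
		Protocol:      sas.ProtocolHTTPS,
		StartTime:     time.Now().UTC().Add(time.Second * -10),
		ExpiryTime:    time.Now().UTC().Add(15 * time.Minute),
		Permissions:   to.Ptr(sas.ContainerPermissions{Read: true, List: true}).String(),
		ContainerName: containerName,
	}.SignWithUserDelegation(udc)
	handleError(err)

	// The URL embeds the signature, so treat it as a secret and keep it out of logs.
	sasURL := fmt.Sprintf("https://%s.blob.core.windows.net/?%s", accountName, sasQueryParams.Encode())

	// This URL can be used to authenticate requests now
	azClient, err := azblob.NewClientWithNoCredential(sasURL, nil)
	handleError(err)

	// list blobs in container
	pager := azClient.NewListBlobsFlatPager(containerName, nil)
	for pager.More() {
		resp, err := pager.NextPage(context.Background())
		handleError(err)
		for _, b := range resp.Segment.BlobItems {
			// Name is a pointer; skip an entry without one instead of
			// dereferencing nil.
			if b == nil || b.Name == nil {
				continue
			}
			fmt.Println(*b.Name)
		}
	}

	// User Delegation SAS doesn't support operations like creation, deletion or listing of containers
	// For more details, see https://docs.microsoft.com/rest/api/storageservices/create-user-delegation-sas#specify-permissions
	//
	// Both calls below are expected to be rejected. The messages are printed for
	// any error, not only for an authorization failure.
	_, err = azClient.CreateContainer(context.Background(), "newcontainer", nil)
	if err != nil {
		fmt.Println("Containers can't be created using User Delegation SAS")
	}

	// NOTE(review): this targets the real container and relies on the service
	// refusing the request; nothing on the client side prevents the deletion.
	_, err = azClient.DeleteContainer(context.Background(), containerName, nil)
	if err != nil {
		fmt.Println("Containers can't be deleted using User Delegation SAS")
	}
}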

Index

Examples

Constants

const (
	// TimeFormat is the time layout for SAS start and expiry times. The trailing
	// "Z" in this layout is a literal character, not a zone verb, so convert a
	// time.Time to UTC before formatting it with TimeFormat.
	TimeFormat = "2006-01-02T15:04:05Z" // "2017-07-27T00:00:00Z" // ISO 8601
)

TimeFormat represents the format of a SAS start or expiry time. Use it when formatting/parsing a time.Time.

Variables

var (
	// Version is the default version encoded in the SAS token.
	// It is a package-level variable rather than a constant, so it can be
	// reassigned at run time.
	Version = "2020-02-10"
)

Types

type AccountPermissions

// AccountPermissions is the set of permissions an account SAS can carry, one
// boolean per permission. Leave every field the token holder does not need at
// its zero value (false).
type AccountPermissions struct {
	Read, Write, Delete, DeletePreviousVersion, List, Add, Create, Update, Process, Tag, FilterByTags, PermanentDelete bool
}

AccountPermissions type simplifies creating the permissions string for an Azure Storage Account SAS. Initialize an instance of this type and then call its String method to set AccountSignatureValues's Permissions field.

func (*AccountPermissions) String

func (p *AccountPermissions) String() string

String produces the SAS permissions string for an Azure Storage account. Call this method to set AccountSignatureValues's Permissions field.

type AccountResourceTypes

// AccountResourceTypes selects which resource types (service, container,
// object) an account SAS applies to, one boolean per type.
type AccountResourceTypes struct {
	Service, Container, Object bool
}

AccountResourceTypes type simplifies creating the resource types string for an Azure Storage Account SAS. Initialize an instance of this type and then call its String method to set AccountSignatureValues's ResourceTypes field.

func (*AccountResourceTypes) String

func (rt *AccountResourceTypes) String() string

String produces the SAS resource types string for an Azure Storage account. Call this method to set AccountSignatureValues's ResourceTypes field.

type AccountServices

// AccountServices selects which storage services (blob, queue, file) an account
// SAS applies to, one boolean per service.
type AccountServices struct {
	Blob, Queue, File bool
}

AccountServices type simplifies creating the services string for an Azure Storage Account SAS. Initialize an instance of this type and then call its String method to set AccountSignatureValues's Services field.

func (*AccountServices) String

func (s *AccountServices) String() string

String produces the SAS services string for an Azure Storage account. Call this method to set AccountSignatureValues's Services field.

type AccountSignatureValues

// AccountSignatureValues holds the values that are signed into an account SAS.
// Each param tag names the SAS query parameter the field is encoded as.
type AccountSignatureValues struct {
	Version       string    `param:"sv"`  // If not specified, this defaults to Version
	Protocol      Protocol  `param:"spr"` // See the Protocol* constants
	StartTime     time.Time `param:"st"`  // Not specified if IsZero
	ExpiryTime    time.Time `param:"se"`  // Not specified if IsZero
	Permissions   string    `param:"sp"`  // Create by initializing an AccountPermissions and then calling String()
	IPRange       IPRange   `param:"sip"` // SAS IP range; see IPRange
	Services      string    `param:"ss"`  // Create by initializing an AccountServices and then calling String()
	ResourceTypes string    `param:"srt"` // Create by initializing an AccountResourceTypes and then calling String()
}

AccountSignatureValues is used to generate a Shared Access Signature (SAS) for an Azure Storage account. For more information, see https://docs.microsoft.com/rest/api/storageservices/constructing-an-account-sas

func (AccountSignatureValues) SignWithSharedKey

func (v AccountSignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKeyCredential) (QueryParameters, error)

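SignWithSharedKey uses an account's shared key credential to sign these signature values and produce the SAS query parameters. An account SAS cannot be tied to a stored access policy, so once issued it remains valid until ExpiryTime unless the signing account key is regenerated.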

type BlobPermissions

// BlobPermissions is the set of permissions a blob SAS can carry, one boolean
// per permission. Leave every field the token holder does not need at its zero
// value (false).
type BlobPermissions struct {
	Read, Add, Create, Write, Delete, DeletePreviousVersion, Tag, List, Move, Execute, Ownership, Permissions, PermanentDelete bool
}

BlobPermissions type simplifies creating the permissions string for an Azure Storage blob SAS. Initialize an instance of this type and then call its String method to set BlobSignatureValues's Permissions field.

func (*BlobPermissions) String

func (p *BlobPermissions) String() string

String produces the SAS permissions string for an Azure Storage blob. Call this method to set BlobSignatureValues's Permissions field.

type BlobSignatureValues

// BlobSignatureValues holds the values that are signed into a container or blob
// SAS. Fields with a param tag name the SAS query parameter they are encoded as;
// the trailing comments on the untagged fields give the related parameter.
type BlobSignatureValues struct {
	Version              string    `param:"sv"`  // If not specified, this defaults to Version
	Protocol             Protocol  `param:"spr"` // See the Protocol* constants
	StartTime            time.Time `param:"st"`  // Not specified if IsZero
	ExpiryTime           time.Time `param:"se"`  // Not specified if IsZero
	SnapshotTime         time.Time
	Permissions          string  `param:"sp"` // Create by initializing a ContainerPermissions or BlobPermissions and then calling String()
	IPRange              IPRange `param:"sip"` // SAS IP range; see IPRange
	Identifier           string  `param:"si"` // Signed identifier: the name of a stored access policy on the container
	ContainerName        string
	BlobName             string // Use "" to create a Container SAS
	Directory            string // Not nil for a directory SAS (ie sr=d)
	CacheControl         string // rscc
	ContentDisposition   string // rscd
	ContentEncoding      string // rsce
	ContentLanguage      string // rscl
	ContentType          string // rsct
	BlobVersion          string // sr=bv
	AuthorizedObjectID   string // saoid
	UnauthorizedObjectID string // suoid
	CorrelationID        string // scid
}

BlobSignatureValues is used to generate a Shared Access Signature (SAS) for an Azure Storage container or blob. For more information on creating service sas, see https://docs.microsoft.com/rest/api/storageservices/constructing-a-service-sas For more information on creating user delegation sas, see https://docs.microsoft.com/rest/api/storageservices/create-user-delegation-sas

func (BlobSignatureValues) SignWithSharedKey

func (v BlobSignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKeyCredential) (QueryParameters, error)

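SignWithSharedKey uses an account's SharedKeyCredential to sign these signature values and produce the SAS query parameters. Unless Identifier ties the SAS to a stored access policy, a SAS signed this way cannot be revoked individually; it stays valid until ExpiryTime or until the signing account key is regenerated.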

func (BlobSignatureValues) SignWithUserDelegation

func (v BlobSignatureValues) SignWithUserDelegation(userDelegationCredential *UserDelegationCredential) (QueryParameters, error)

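SignWithUserDelegation uses an account's UserDelegationCredential to sign these signature values and produce the SAS query parameters. A user delegation SAS stops working when the user delegation key that signed it expires or is revoked, regardless of ExpiryTime.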

type ContainerPermissions

// ContainerPermissions is the set of permissions a container SAS can carry, one
// boolean per permission. Leave every field the token holder does not need at
// its zero value (false).
type ContainerPermissions struct {
	Read, Add, Create, Write, Delete, DeletePreviousVersion, List, FilterByTags bool
	Execute, ModifyOwnership, ModifyPermissions, SetImmutabilityPolicy          bool // Hierarchical Namespace only
}

ContainerPermissions type simplifies creating the permissions string for an Azure Storage container SAS. Initialize an instance of this type and then call its String method to set BlobSignatureValues's Permissions field. All permissions descriptions can be found here: https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas#permissions-for-a-directory-container-or-blob

func (*ContainerPermissions) String

func (p *ContainerPermissions) String() string

String produces the SAS permissions string for an Azure Storage container. Call this method to set BlobSignatureValues's Permissions field.

type IPEndpointStyleInfo

// IPEndpointStyleInfo carries the account name for IP endpoint style URLs, where
// the account appears in the path instead of the host name.
type IPEndpointStyleInfo struct {
	AccountName string // "" if not using IP endpoint style
}

IPEndpointStyleInfo is used for IP endpoint style URL when working with Azure storage emulator. Ex: "https://10.132.141.33/accountname/containername"

type IPRange

// IPRange is the IP range of a SAS: a start address and an optional end address.
type IPRange struct {
	Start net.IP // Not specified if length = 0
	End   net.IP // Not specified if length = 0
}

IPRange represents a SAS IP range's start IP and (optionally) end IP.

func (*IPRange) String

func (ipr *IPRange) String() string

String returns a string representation of an IPRange.

type Protocol

// Protocol is the protocol value of a SAS; see the Protocol* constants.
type Protocol string

Protocol indicates which protocols a SAS permits: HTTPS only, or both HTTPS and HTTP.

const (
	// ProtocolHTTPS can be specified for a SAS protocol.
	// It restricts use of the SAS to HTTPS.
	ProtocolHTTPS Protocol = "https"

	// ProtocolHTTPSandHTTP can be specified for a SAS protocol.
	// It permits both HTTPS and plain HTTP. The SAS travels in the request URL,
	// so over HTTP it is sent in cleartext; prefer ProtocolHTTPS.
	ProtocolHTTPSandHTTP Protocol = "https,http"
)

type QueryParameters

// QueryParameters holds the components of a SAS query string. Its fields are
// unexported and are read through the accessor methods. The value returned by
// Signature is the credential part of the token, so keep it out of logs.
type QueryParameters struct {
	// contains filtered or unexported fields
}

QueryParameters object represents the components that make up an Azure Storage SAS's query parameters. You parse a map of query parameters into its fields by calling NewQueryParameters(). You add the components to a query parameter map by calling AddToValues(). NOTE: Changing any field requires computing a new SAS signature using an XxxSignatureValues type. This type defines the components used by all Azure Storage resources (Containers, Blobs, Files, & Queues).

func NewQueryParameters

func NewQueryParameters(values url.Values, deleteSASParametersFromValues bool) QueryParameters

NewQueryParameters creates and initializes a QueryParameters object based on the query parameter map's passed-in values. If deleteSASParametersFromValues is true, all SAS-related query parameters are removed from the passed-in map. If deleteSASParametersFromValues is false, the passed-in map is unaltered.

func (*QueryParameters) AuthorizedObjectID

func (p *QueryParameters) AuthorizedObjectID() string

AuthorizedObjectID returns authorizedObjectID

func (*QueryParameters) CacheControl

func (p *QueryParameters) CacheControl() string

CacheControl returns cacheControl

func (*QueryParameters) ContentDisposition

func (p *QueryParameters) ContentDisposition() string

ContentDisposition returns contentDisposition

func (*QueryParameters) ContentEncoding

func (p *QueryParameters) ContentEncoding() string

ContentEncoding returns contentEncoding

func (*QueryParameters) ContentLanguage

func (p *QueryParameters) ContentLanguage() string

ContentLanguage returns contentLanguage

func (*QueryParameters) ContentType

func (p *QueryParameters) ContentType() string

ContentType returns contentType

func (*QueryParameters) Encode

func (p *QueryParameters) Encode() string

Encode encodes the SAS query parameters into URL encoded form sorted by key.

func (*QueryParameters) ExpiryTime

func (p *QueryParameters) ExpiryTime() time.Time

ExpiryTime returns expiryTime

func (*QueryParameters) IPRange

func (p *QueryParameters) IPRange() IPRange

IPRange returns ipRange

func (*QueryParameters) Identifier

func (p *QueryParameters) Identifier() string

Identifier returns identifier

func (*QueryParameters) Permissions

func (p *QueryParameters) Permissions() string

Permissions returns permissions

func (*QueryParameters) Protocol

func (p *QueryParameters) Protocol() Protocol

Protocol returns protocol

func (*QueryParameters) Resource

func (p *QueryParameters) Resource() string

Resource returns resource

func (*QueryParameters) ResourceTypes

func (p *QueryParameters) ResourceTypes() string

ResourceTypes returns resourceTypes

func (*QueryParameters) Services

func (p *QueryParameters) Services() string

Services returns services

func (*QueryParameters) Signature

func (p *QueryParameters) Signature() string

Signature returns signature

func (*QueryParameters) SignedCorrelationID

func (p *QueryParameters) SignedCorrelationID() string

SignedCorrelationID returns signedCorrelationID

func (*QueryParameters) SignedDirectoryDepth

func (p *QueryParameters) SignedDirectoryDepth() string

SignedDirectoryDepth returns signedDirectoryDepth

func (*QueryParameters) SignedExpiry

func (p *QueryParameters) SignedExpiry() time.Time

SignedExpiry returns signedExpiry

func (*QueryParameters) SignedOID

func (p *QueryParameters) SignedOID() string

SignedOID returns signedOID

func (*QueryParameters) SignedService

func (p *QueryParameters) SignedService() string

SignedService returns signedService

func (*QueryParameters) SignedStart

func (p *QueryParameters) SignedStart() time.Time

SignedStart returns signedStart

func (*QueryParameters) SignedTID

func (p *QueryParameters) SignedTID() string

SignedTID returns signedTID

func (*QueryParameters) SignedVersion

func (p *QueryParameters) SignedVersion() string

SignedVersion returns signedVersion

func (*QueryParameters) SnapshotTime

func (p *QueryParameters) SnapshotTime() time.Time

SnapshotTime returns snapshotTime

func (*QueryParameters) StartTime

func (p *QueryParameters) StartTime() time.Time

StartTime returns startTime

func (*QueryParameters) UnauthorizedObjectID

func (p *QueryParameters) UnauthorizedObjectID() string

UnauthorizedObjectID returns unauthorizedObjectID

func (*QueryParameters) Version

func (p *QueryParameters) Version() string

Version returns version

type SharedKeyCredential

// SharedKeyCredential is an alias for exported.SharedKeyCredential. It holds an
// account's name and its primary or secondary key, so treat values of this type
// as secrets.
type SharedKeyCredential = exported.SharedKeyCredential

SharedKeyCredential contains an account's name and its primary or secondary key.

type URLParts

// URLParts is a container/blob URL split into its components, with any SAS
// query parameters parsed into the SAS field.
type URLParts struct {
	Scheme              string // Ex: "https://"
	Host                string // Ex: "account.blob.core.windows.net", "10.132.141.33", "10.132.141.33:80"
	IPEndpointStyleInfo IPEndpointStyleInfo
	ContainerName       string // "" if no container
	BlobName            string // "" if no blob
	Snapshot            string // "" if not a snapshot
	SAS                 QueryParameters // Parsed SAS query parameters
	UnparsedParams      string // Query parameters that are neither SAS-related nor the snapshot
	VersionID           string // "" if not versioning enabled
}

URLParts object represents the components that make up an Azure Storage Container/Blob URL. NOTE: Changing any SAS-related field requires computing a new SAS signature.

func ParseURL

func ParseURL(u string) (URLParts, error)

ParseURL parses a URL initializing URLParts' fields including any SAS-related & snapshot query parameters. Any other query parameters remain in the UnparsedParams field.

func (URLParts) String

func (up URLParts) String() string

String returns the URL, as a string, assembled from the URLParts fields. The URL's query string contains the SAS, snapshot, and unparsed query parameters, so the result carries the SAS signature whenever the SAS field is populated.

type UserDelegationCredential

// UserDelegationCredential is an alias for exported.UserDelegationCredential. It
// holds an account's name and its user delegation key, so treat values of this
// type as secrets.
type UserDelegationCredential = exported.UserDelegationCredential

UserDelegationCredential contains an account's name and its user delegation key.

Source Files

account.go query_params.go service.go url_parts.go

Version
v0.6.1
Published
Dec 9, 2022
Platform
windows/amd64
Imports
9 packages