//
// Copyright (c) Microsoft and contributors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//
// See the License for the specific language governing permissions and
// limitations under the License.
//
// Module dependencies.
var _ = require('underscore');
var qs = require('querystring');
var azureutil = require('../util/util');
var HmacSha256Sign = require('./hmacsha256sign');
var SR = require('../util/sr');
var Constants = require('../util/constants');
var HeaderConstants = Constants.HeaderConstants;
var QueryStringConstants = Constants.QueryStringConstants;
var HeaderConstants = Constants.HeaderConstants;
var CompatibleVersionConstants = Constants.CompatibleVersionConstants;
/**
 * Creates a new SharedKey object.
 *
 * A SharedKey holds the storage account name and its access key and owns
 * the HMAC-SHA256 signer that both request signing (signRequest) and shared
 * access signature generation (generateSignedQueryString) use.
 *
 * NOTE(review): the raw account key stays on the instance as
 * `this.storageAccessKey` for the object's whole lifetime, so anything that
 * can read the object (log statements, serialisation, a debugger) can read
 * the key. Treat SharedKey instances as secrets and never log them.
 *
 * @constructor
 * @param {string} storageAccount   The storage account name.
 * @param {string} storageAccessKey The storage account's access key.
 * @param {bool}   usePathStyleUri  True when the storage account is carried in the
 *                                  URI path rather than in the host name.
 */
function SharedKey(storageAccount, storageAccessKey, usePathStyleUri) {
  // Build the signer first; the remaining fields are plain bookkeeping.
  this.signer = new HmacSha256Sign(storageAccessKey);
  this.usePathStyleUri = usePathStyleUri;
  this.storageAccessKey = storageAccessKey;
  this.storageAccount = storageAccount;
}
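/**
 * Signs a request with the Shared Key Authorization header.
 *
 * The string-to-sign is assembled in the order the Shared Key scheme
 * requires: the HTTP verb, the fixed list of standard headers (each on its
 * own line, empty when absent), the canonicalized x-ms-* headers and the
 * canonicalized resource. It is then HMAC-signed with the account key and
 * the result is set as `Authorization: SharedKey <account>:<signature>`.
 *
 * The callback is invoked synchronously with `null`; it exists only to keep
 * the asynchronous-looking interface other signers share.
 *
 * @param {WebResource}     webResource The web resource to be signed. Its method,
 *                                      headers, path and queryString are read and
 *                                      its Authorization header is set.
 * @param {function(error)} callback    Called with null once the header is set.
 * @return {undefined}
 */
SharedKey.prototype.signRequest = function (webResource, callback) {
  // Returns "<value>\n" for the named header, or a bare "\n" when the header
  // table or the header itself is absent. The table is null-checked before
  // it is dereferenced, so a resource without headers signs as "all empty"
  // instead of throwing on the Content-Length lookup.
  var headerLine = function (headers, headerName) {
    if (azureutil.objectIsNull(headers) || azureutil.objectIsNull(headers[headerName])) {
      return '\n';
    }
    // A Content-Length of 0 is signed as an empty string (service version
    // 2014-08-16 and later).
    // NOTE(review): only the number 0 is treated this way; a string '0' is
    // still signed as "0" — confirm whether callers can set Content-Length
    // as a string before relying on this.
    if (headerName === HeaderConstants.CONTENT_LENGTH && headers[headerName] === 0) {
      return '\n';
    }
    return headers[headerName] + '\n';
  };

  // The standard headers, in the exact order the scheme lists them.
  var standardHeaders = [
    HeaderConstants.CONTENT_ENCODING,
    HeaderConstants.CONTENT_LANGUAGE,
    HeaderConstants.CONTENT_LENGTH,
    HeaderConstants.CONTENT_MD5,
    HeaderConstants.CONTENT_TYPE,
    HeaderConstants.DATE,
    HeaderConstants.IF_MODIFIED_SINCE,
    HeaderConstants.IF_MATCH,
    HeaderConstants.IF_NONE_MATCH,
    HeaderConstants.IF_UNMODIFIED_SINCE,
    HeaderConstants.RANGE
  ];

  var stringToSign = webResource.method + '\n';
  standardHeaders.forEach(function (headerName) {
    stringToSign += headerLine(webResource.headers, headerName);
  });
  stringToSign += this._getCanonicalizedHeaders(webResource);
  stringToSign += this._getCanonicalizedResource(webResource);

  var signature = this.signer.sign(stringToSign);
  webResource.withHeader(HeaderConstants.AUTHORIZATION, 'SharedKey ' + this.storageAccount + ':' + signature);
  callback(null);
};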
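/**
 * Retrieves the web resource's canonicalized resource string.
 *
 * Format: "/<account><path>" followed, for every query parameter, by
 * "\n<name>:<value>", with the parameters sorted by name. As the Shared Key
 * canonicalization rules require, parameter names are lowercased before they
 * are sorted and emitted, and a parameter that carries several values (an
 * array) has its values sorted and joined with commas. Values are used as
 * found in webResource.queryString — presumably already URL-decoded, which
 * is what the scheme signs; verify against the WebResource builder.
 *
 * NOTE(review): two keys that differ only in case (e.g. `comp` and `Comp`)
 * are not merged; both are emitted under the lowercased name.
 *
 * @param {WebResource} webResource The web resource; its path and queryString are read.
 * @return {string} The canonicalized resource string.
 */
SharedKey.prototype._getCanonicalizedResource = function (webResource) {
  var resourcePath = webResource.path ? webResource.path : '/';
  var canonicalized = '/' + this.storageAccount + resourcePath;

  var queryStringValues = webResource.queryString;
  if (!queryStringValues) {
    return canonicalized;
  }

  // Lowercase the names first so sorting does not depend on caller casing;
  // keep the original key to look the value up.
  var entries = Object.keys(queryStringValues).map(function (key) {
    var value = queryStringValues[key];
    if (Array.isArray(value)) {
      // Multi-valued parameter: sorted, comma-separated list.
      value = value.slice().sort().join(',');
    }
    return { name: key.toLowerCase(), value: value };
  });

  entries.sort(function (a, b) {
    if (a.name < b.name) { return -1; }
    if (a.name > b.name) { return 1; }
    return 0;
  });

  entries.forEach(function (entry) {
    canonicalized += '\n' + entry.name + ':' + entry.value;
  });
  return canonicalized;
};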
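/**
 * Constructs the CanonicalizedHeaders string for Shared Key signing.
 *
 * Rules applied, in this order:
 *  1. Take every header whose lowercased name begins with the storage
 *     prefix (x-ms-), the x-ms-date header included.
 *  2. Lowercase the header names.
 *  3. Sort the headers lexicographically by lowercased name, ascending.
 *     Each name appears at most once; when two keys differ only in case the
 *     last one iterated wins.
 *  4. Unfold multi-line values: a line break plus the white space around it
 *     becomes a single space.
 *  5. Trim white space around the colon, i.e. at both ends of the value.
 *  6. Emit "name:value\n" per header and concatenate.
 *
 * Headers whose value is null, undefined, empty or only white space are
 * omitted. Lowercasing happens before the prefix check and the sort so
 * the result does not depend on the casing the caller used.
 *
 * @param {object} webResource The web resource whose headers are read.
 * @return {string} The canonicalized headers; empty when there are none.
 */
SharedKey.prototype._getCanonicalizedHeaders = function (webResource) {
  var headers = webResource.headers;
  if (!headers) {
    return '';
  }

  // Own properties only; keyed by lowercased name.
  var byName = {};
  Object.keys(headers).forEach(function (rawName) {
    var name = rawName.toLowerCase();
    if (name.indexOf(HeaderConstants.PREFIX_FOR_STORAGE) === 0) {
      byName[name] = headers[rawName];
    }
  });

  return Object.keys(byName).sort().reduce(function (acc, name) {
    var value = byName[name];
    if (azureutil.IsNullOrEmptyOrUndefinedOrWhiteSpace(value)) {
      return acc;
    }
    // Steps 4 and 5: unfold, then trim around the colon.
    var unfolded = String(value).replace(/[ \t]*\r?\n[ \t]*/g, ' ').trim();
    return acc + name + ':' + unfolded + '\n';
  }, '');
};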
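/**
 * Generates the query string for a shared access signature (SAS).
 *
 * The result is a bearer credential: anyone holding the string can perform
 * the granted Permissions on the resource until Expiry, without further
 * authentication. Keep Permissions to the minimum needed and always set an
 * Expiry.
 *
 * NOTE(review): Expiry is documented as required but is not enforced here;
 * a policy without Expiry simply yields a token with no `se` parameter.
 * Confirm the service rejects such tokens, or add validation.
 *
 * Neither `sharedAccessPolicy` nor `args.queryString` is modified: the
 * dates are formatted on a copy of the policy, and the returned parameters
 * are built on a copy of the caller's query string object.
 *
 * @this {SharedKey}
 * @param {string} serviceType The service type.
 * @param {string} path The path to the resource.
 * @param {object} sharedAccessPolicy The shared access policy.
 * @param {string} [sharedAccessPolicy.Id] The signed identifier (stored access policy).
 * @param {SharedAccessPermissions} sharedAccessPolicy.AccessPolicy.Permissions The permission type.
 * @param {date|string} [sharedAccessPolicy.AccessPolicy.Start] The time at which the SAS becomes valid.
 * @param {date|string} sharedAccessPolicy.AccessPolicy.Expiry The time at which the SAS expires.
 * @param {string} [sharedAccessPolicy.AccessPolicy.StartPk] Tables only: start partition key.
 * @param {string} [sharedAccessPolicy.AccessPolicy.EndPk] Tables only: end partition key.
 * @param {string} [sharedAccessPolicy.AccessPolicy.StartRk] Tables only: start row key.
 * @param {string} [sharedAccessPolicy.AccessPolicy.EndRk] Tables only: end row key.
 * @param {string} sasVersion The SAS version, in storage service version format. Must be one of
 *                            CompatibleVersionConstants; defaults to the library's target version when null.
 * @param {object} [args] Optional arguments.
 * @param {ResourceTypes} [args.resourceType] The resource type, if the resource is a blob or container.
 *                                            Null if the resource is a queue or table.
 * @param {string} [args.tableName] The table name, if the resource is a table. Null if the resource is a blob or queue.
 * @param {object} [args.queryString] Additional query parameters to include; the SAS parameters take precedence.
 * @param {object} [args.headers] Optional response header values to set for a blob returned with this SAS.
 * @param {string} [args.headers.cacheControl] The Cache-Control response header value.
 * @param {string} [args.headers.contentType] The Content-Type response header value.
 * @param {string} [args.headers.contentEncoding] The Content-Encoding response header value.
 * @param {string} [args.headers.contentLanguage] The Content-Language response header value.
 * @param {string} [args.headers.contentDisposition] The Content-Disposition response header value.
 * @return {string} The shared access signature query string (without a leading '?').
 * @throws {TypeError} When sharedAccessPolicy is null or undefined.
 * @throws {Error} When sasVersion is not a supported version (SR.INVALID_SAS_VERSION).
 */
SharedKey.prototype.generateSignedQueryString = function (serviceType, path, sharedAccessPolicy, sasVersion, args) {
  if (azureutil.objectIsNull(sharedAccessPolicy)) {
    throw new TypeError('sharedAccessPolicy must be an object');
  }

  var addIfNotNull = function (target, name, value) {
    if (!azureutil.objectIsNull(name) && !azureutil.objectIsNull(value)) {
      target[name] = value;
    }
  };

  // Returns the requested version when it is supported, the library's
  // target version when none was requested, and throws otherwise.
  var validateVersion = function (requested) {
    if (azureutil.objectIsNull(requested)) {
      return HeaderConstants.TARGET_STORAGE_VERSION;
    }
    var supported = _.values(CompatibleVersionConstants);
    var isSupported = supported.some(function (version) {
      return version.toLowerCase() === String(requested).toLowerCase();
    });
    if (!isSupported) {
      throw new Error(azureutil.stringFormat(SR.INVALID_SAS_VERSION, requested, supported));
    }
    return requested;
  };

  // Returns a copy of accessPolicy whose Start/Expiry are truncated ISO 8601
  // strings. Date instances are used as-is; anything else is passed through
  // Date(). The caller's object is left untouched.
  var withFormattedDates = function (accessPolicy) {
    var formatted = _.extend({}, accessPolicy);
    if (!azureutil.objectIsNull(formatted.Start)) {
      var start = _.isDate(formatted.Start) ? formatted.Start : new Date(formatted.Start);
      formatted.Start = azureutil.truncatedISO8061Date(start);
    }
    if (!azureutil.objectIsNull(formatted.Expiry)) {
      var expiry = _.isDate(formatted.Expiry) ? formatted.Expiry : new Date(formatted.Expiry);
      formatted.Expiry = azureutil.truncatedISO8061Date(expiry);
    }
    return formatted;
  };

  // Optional arguments.
  var queryString;
  var resourceType;
  var headers;
  var tableName;
  if (args) {
    queryString = args.queryString;
    resourceType = args.resourceType;
    tableName = args.tableName;
    headers = args.headers;
  }
  // Copy so the caller's object is not modified (a missing one becomes {}).
  queryString = _.extend({}, queryString);

  // Format the dates on a copy of the policy; the copy is also what gets signed.
  var policy = _.extend({}, sharedAccessPolicy);
  if (policy.AccessPolicy) {
    policy.AccessPolicy = withFormattedDates(policy.AccessPolicy);
    addIfNotNull(queryString, QueryStringConstants.SIGNED_START, policy.AccessPolicy.Start);
    addIfNotNull(queryString, QueryStringConstants.SIGNED_EXPIRY, policy.AccessPolicy.Expiry);
    addIfNotNull(queryString, QueryStringConstants.SIGNED_PERMISSIONS, policy.AccessPolicy.Permissions);
    // Tables only.
    addIfNotNull(queryString, QueryStringConstants.STARTPK, policy.AccessPolicy.StartPk);
    addIfNotNull(queryString, QueryStringConstants.ENDPK, policy.AccessPolicy.EndPk);
    addIfNotNull(queryString, QueryStringConstants.STARTRK, policy.AccessPolicy.StartRk);
    addIfNotNull(queryString, QueryStringConstants.ENDRK, policy.AccessPolicy.EndRk);
  }

  var validatedSASVersionString = validateVersion(sasVersion);
  addIfNotNull(queryString, QueryStringConstants.SIGNED_VERSION, validatedSASVersionString);

  addIfNotNull(queryString, QueryStringConstants.SIGNED_IDENTIFIER, policy.Id);

  // Blobs only.
  addIfNotNull(queryString, QueryStringConstants.SIGNED_RESOURCE, resourceType);
  if (headers) {
    addIfNotNull(queryString, QueryStringConstants.CACHE_CONTROL, headers.cacheControl);
    addIfNotNull(queryString, QueryStringConstants.CONTENT_TYPE, headers.contentType);
    addIfNotNull(queryString, QueryStringConstants.CONTENT_ENCODING, headers.contentEncoding);
    addIfNotNull(queryString, QueryStringConstants.CONTENT_LANGUAGE, headers.contentLanguage);
    addIfNotNull(queryString, QueryStringConstants.CONTENT_DISPOSITION, headers.contentDisposition);
  }

  // Tables only.
  addIfNotNull(queryString, QueryStringConstants.TABLENAME, tableName);

  // The signature covers the formatted policy, so it must be computed from `policy`.
  var signature = this._generateSignature(serviceType, path, policy, validatedSASVersionString, {
    resourceType: resourceType,
    headers: headers,
    tableName: tableName
  });
  addIfNotNull(queryString, QueryStringConstants.SIGNATURE, signature);

  return qs.stringify(queryString);
};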
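/**
 * Generates the shared access signature for a resource.
 *
 * Builds the SAS string-to-sign (permissions, start, expiry, canonicalized
 * resource, signed identifier, version, then the version-dependent blob
 * response-header fields and table range fields) and HMAC-signs it with the
 * account key. Start and Expiry are used verbatim, so they must already be
 * formatted as the service expects (see generateSignedQueryString).
 *
 * @this {SharedKey}
 * @param {string} serviceType The service type; part of the canonicalized resource for newer versions.
 * @param {string} path The path to the resource; a leading '/' is added when missing.
 * @param {object} sharedAccessPolicy The shared access policy.
 * @param {string} [sharedAccessPolicy.Id] The signed identifier.
 * @param {SharedAccessPermissions} sharedAccessPolicy.AccessPolicy.Permissions The permission type.
 * @param {string} [sharedAccessPolicy.AccessPolicy.Start] The formatted time at which the SAS becomes valid.
 * @param {string} sharedAccessPolicy.AccessPolicy.Expiry The formatted time at which the SAS expires.
 * @param {string} [sharedAccessPolicy.AccessPolicy.StartPk] Tables only: start partition key.
 * @param {string} [sharedAccessPolicy.AccessPolicy.StartRk] Tables only: start row key.
 * @param {string} [sharedAccessPolicy.AccessPolicy.EndPk] Tables only: end partition key.
 * @param {string} [sharedAccessPolicy.AccessPolicy.EndRk] Tables only: end row key.
 * @param {string} sasVersion The already-validated SAS version string.
 * @param {object} [args] Optional arguments.
 * @param {ResourceTypes} [args.resourceType] The resource type, if the resource is a blob or container.
 *                                            Null if the resource is a queue or table.
 * @param {string} [args.tableName] The table name, if the resource is a table. Null if the resource is a blob or queue.
 * @param {object} [args.headers] Optional response header values for a blob returned with this SAS.
 * @param {string} [args.headers.cacheControl] The Cache-Control response header value.
 * @param {string} [args.headers.contentType] The Content-Type response header value.
 * @param {string} [args.headers.contentEncoding] The Content-Encoding response header value.
 * @param {string} [args.headers.contentLanguage] The Content-Language response header value.
 * @param {string} [args.headers.contentDisposition] The Content-Disposition response header value.
 * @return {string} The shared access signature.
 * @throws {Error} SR.INVALID_HEADERS when response headers are given with FEBRUARY_2012.
 */
SharedKey.prototype._generateSignature = function (serviceType, path, sharedAccessPolicy, sasVersion, args) {
  // One field of the string-to-sign: the value ('' when null/undefined)
  // followed by a newline unless noNewLine is true (last field of a group).
  var field = function (value, noNewLine) {
    var text = azureutil.objectIsNull(value) ? '' : value;
    return noNewLine === true ? text : text + '\n';
  };

  var accessPolicy = sharedAccessPolicy.AccessPolicy;
  // A field read from the access policy; '' when there is no access policy.
  var policyField = function (name, noNewLine) {
    return field(accessPolicy ? accessPolicy[name] : '', noNewLine);
  };

  // Optional arguments.
  var resourceType;
  var tableName;
  var headers;
  if (args) {
    resourceType = args.resourceType;
    tableName = args.tableName;
    headers = args.headers;
  }

  if (path.charAt(0) !== '/') {
    path = '/' + path;
  }

  // The older versions (FEBRUARY_2012, AUGUST_2013) do not prepend the service name.
  var isLegacyVersion = sasVersion === CompatibleVersionConstants.FEBRUARY_2012 ||
    sasVersion === CompatibleVersionConstants.AUGUST_2013;
  var canonicalizedResource = isLegacyVersion ?
    '/' + this.storageAccount + path :
    '/' + serviceType + '/' + this.storageAccount + path;

  var stringToSign =
    policyField('Permissions') +
    policyField('Start') +
    policyField('Expiry') +
    field(canonicalizedResource) +
    field(sharedAccessPolicy.Id) +
    sasVersion;

  // Strict comparison: both sides are version strings.
  if (sasVersion === CompatibleVersionConstants.FEBRUARY_2012) {
    // Response headers were introduced after this version.
    if (headers) {
      throw new Error(SR.INVALID_HEADERS);
    }
  } else if (resourceType) {
    stringToSign += '\n' +
      field(headers ? headers.cacheControl : '') +
      field(headers ? headers.contentDisposition : '') +
      field(headers ? headers.contentEncoding : '') +
      field(headers ? headers.contentLanguage : '') +
      field(headers ? headers.contentType : '', true);
  }

  if (tableName) {
    stringToSign += '\n' +
      policyField('StartPk') +
      policyField('StartRk') +
      policyField('EndPk') +
      policyField('EndRk', true);
  }

  return this.signer.sign(stringToSign);
};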
// The module's only export: the SharedKey constructor.
module.exports = SharedKey;