Add new Account SAS Token cmdlet, and add IPacl/Protocal support to B/T/Q/F new SAS cmdlets

ChangeLog.md

@@ -12,6 +12,16 @@
   * Set-AzureLogicAppAccessKey
   * Set-AzureLogicApp
   * Stop-AzureLogicAppRun
+ * Azure Storage
+  * Added cmdlet to generate SAS token against storage account
+    - New-AzureStorageAccountSASToken
+  * Added IPAddressOrRange/Protocol support in cmdlets to generate SAS token against blob, container, file, share, table, queue
+    - New-AzureStorageBlobSASToken
+    - New-AzureStorageContainerSASToken
+    - New-AzureStorageFileSASToken
+    - New-AzureStorageShareSASToken
+    - New-AzureStorageQueueSASToken
+    - New-AzureStorageTableSASToken
 
 ## 2016.02.04 version 1.2.1
 * Fix installer issue - remove PSGallery modules on install

src/Common/Storage/Commands.Storage.Test/Service/MockStorageBlobManagement.cs

@@ -685,6 +685,16 @@ public Task<string> StartCopyAsync(CloudBlob blob, Uri source, AccessCondition s
             throw new NotImplementedException();
         }
 
+        /// <summary>
+        /// Get the SAS token for an account.
+        /// </summary>
+        /// <param name="sharedAccessAccountPolicy">Shared access policy to generate the SAS token.</param>
+        /// <returns>Account SAS token.</returns>
+        public string GetStorageAccountSASToken(SharedAccessAccountPolicy sharedAccessAccountPolicy)
+        {
+            throw new NotImplementedException();
+        }
+
         /// <summary>
         /// The storage context
         /// </summary>

src/Common/Storage/Commands.Storage/Blob/Cmdlet/NewAzureStorageBlobSasToken.cs

@@ -20,6 +20,7 @@ namespace Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet
     using Microsoft.WindowsAzure.Commands.Storage.Common;
     using Microsoft.WindowsAzure.Commands.Storage.Model.Contract;
     using Microsoft.WindowsAzure.Storage.Blob;
+    using Microsoft.WindowsAzure.Storage;
 
     [Cmdlet(VerbsCommon.New, StorageNouns.BlobSas, DefaultParameterSetName = BlobNamePipelineParmeterSetWithPermission), OutputType(typeof(String))]
     public class NewAzureStorageBlobSasTokenCommand : StorageCloudBlobCmdletBase
@@ -80,6 +81,12 @@ public string Policy
             ParameterSetName = BlobPipelineParameterSetWithPermision)]
         public string Permission { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Protocol can be used in the request with this SAS token.")]
+        public SharedAccessProtocol Protocol { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "IP, or IP range ACL (access control list) that the request would be accepted from by Azure Storage.")]
+        public string IPAddressOrRange { get; set; }
+
         [Parameter(HelpMessage = "Start Time")]
         public DateTime? StartTime { get; set; }
 
@@ -133,7 +140,7 @@ public override void ExecuteCmdlet()
             SharedAccessBlobPolicy accessPolicy = new SharedAccessBlobPolicy();
             bool shouldSetExpiryTime = SasTokenHelper.ValidateContainerAccessPolicy(Channel, blob.Container.Name, accessPolicy, accessPolicyIdentifier);
             SetupAccessPolicy(accessPolicy, shouldSetExpiryTime);
-            string sasToken = GetBlobSharedAccessSignature(blob, accessPolicy, accessPolicyIdentifier);
+            string sasToken = GetBlobSharedAccessSignature(blob, accessPolicy, accessPolicyIdentifier, Protocol, Util.SetupIPAddressOrRangeForSAS(IPAddressOrRange));
 
             if (FullUri)
             {
@@ -154,10 +161,10 @@ public override void ExecuteCmdlet()
         /// <param name="accessPolicy">SharedAccessBlobPolicy object</param>
         /// <param name="policyIdentifier">The existing policy identifier.</param>
         /// <returns></returns>
-        private string GetBlobSharedAccessSignature(CloudBlob blob, SharedAccessBlobPolicy accessPolicy, string policyIdentifier)
+        private string GetBlobSharedAccessSignature(CloudBlob blob, SharedAccessBlobPolicy accessPolicy, string policyIdentifier, SharedAccessProtocol protocol, IPAddressOrRange iPAddressOrRange)
         {
             CloudBlobContainer container = blob.Container;
-            return blob.GetSharedAccessSignature(accessPolicy, policyIdentifier);
+            return blob.GetSharedAccessSignature(accessPolicy, null, policyIdentifier, protocol, iPAddressOrRange);
         }
 
         /// <summary>

src/Common/Storage/Commands.Storage/Blob/Cmdlet/NewAzureStorageContainerSasToken.cs

@@ -20,6 +20,7 @@ namespace Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet
     using Microsoft.WindowsAzure.Commands.Storage.Common;
     using Microsoft.WindowsAzure.Commands.Storage.Model.Contract;
     using Microsoft.WindowsAzure.Storage.Blob;
+    using Microsoft.WindowsAzure.Storage;
 
     [Cmdlet(VerbsCommon.New, StorageNouns.ContainerSas), OutputType(typeof(String))]
     public class NewAzureStorageContainerSasTokenCommand : StorageCloudBlobCmdletBase
@@ -51,9 +52,15 @@ public string Policy
         private string accessPolicyIdentifier;
 
         [Parameter(HelpMessage = "Permissions for a container. Permissions can be any not-empty subset of \"rwdl\".",
-            ParameterSetName = SasPermissionParameterSet)]
+        ParameterSetName = SasPermissionParameterSet)]
         public string Permission { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Protocol can be used in the request with this SAS token.")]
+        public SharedAccessProtocol Protocol { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "IP, or IP range ACL (access control list) that the request would be accepted from by Azure Storage.")]
+        public string IPAddressOrRange { get; set; }
+
         [Parameter(HelpMessage = "Start Time")]
         public DateTime? StartTime { get; set; }
 
@@ -98,7 +105,7 @@ public override void ExecuteCmdlet()
             SharedAccessBlobPolicy accessPolicy = new SharedAccessBlobPolicy();
             bool shouldSetExpiryTime = SasTokenHelper.ValidateContainerAccessPolicy(Channel, container.Name, accessPolicy, accessPolicyIdentifier);
             SetupAccessPolicy(accessPolicy, shouldSetExpiryTime);
-            string sasToken = container.GetSharedAccessSignature(accessPolicy, accessPolicyIdentifier);
+            string sasToken = container.GetSharedAccessSignature(accessPolicy, accessPolicyIdentifier, Protocol, Util.SetupIPAddressOrRangeForSAS(IPAddressOrRange));
 
             if (FullUri)
             {

src/Common/Storage/Commands.Storage/Blob/Cmdlet/StartAzureStorageBlobCopy.cs

@@ -489,6 +489,10 @@ private async Task StartCopyFromBlob(long taskId, IStorageBlobManagement destCha
                     // Opened workitem 1487579 to track this.
                     throw new InvalidOperationException(Resources.DestinationBlobTypeNotMatch);
                 }
+                else
+                {
+                    throw;
+                }
             }
         }
 

src/Common/Storage/Commands.Storage/Commands.Storage.csproj

@@ -173,6 +173,7 @@
     <Compile Include="Common\BlobToFileSystemNameResolver.cs" />
     <Compile Include="Blob\Cmdlet\StartAzureStorageBlobCopy.cs" />
     <Compile Include="Blob\Cmdlet\StopAzureStorageBlobCopy.cs" />
+    <Compile Include="Common\Cmdlet\NewAzureStorageAccountSasToken.cs" />
     <Compile Include="Common\Cmdlet\SetAzureStorageCORSRule.cs" />
     <Compile Include="Common\Cmdlet\GetAzureStorageCORSRule.cs" />
     <Compile Include="Common\Cmdlet\GetAzureStorageServiceLogging.cs" />

src/Common/Storage/Commands.Storage/Common/Cmdlet/NewAzureStorageAccountSasToken.cs

@@ -0,0 +1,143 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+namespace Microsoft.WindowsAzure.Commands.Storage.Common.Cmdlet
+{
+    using System;
+    using System.Management.Automation;
+    using System.Security.Permissions;
+    using Microsoft.WindowsAzure.Commands.Storage.Model.Contract;
+    using Microsoft.WindowsAzure.Storage;
+
+    [Cmdlet(VerbsCommon.New, StorageNouns.AccountSas), OutputType(typeof(String))]
+    public class NewAzureStorageAccountSasTokenCommand : StorageCloudBlobCmdletBase
+    {
+        [Parameter(Mandatory = true, HelpMessage = "Service type that this SAS token applies to.")]
+        public SharedAccessAccountServices Service { get; set; }
+
+        [Parameter(Mandatory = true, HelpMessage = "Resource type that this SAS token applies to.")]
+        public SharedAccessAccountResourceTypes ResourceType { get; set; }
+
+        [Parameter(Mandatory = true, HelpMessage = "Permissions.")]
+        public string Permission { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Protocol can be used in the request with this SAS token.")]
+        public SharedAccessProtocol Protocol { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "IP, or IP range ACL (access control list) that the request would be accepted from by Azure Storage.")]
+        public string IPAddressOrRange { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Start Time")]
+        public DateTime? StartTime { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Expiry Time")]
+        public DateTime? ExpiryTime { get; set; }
+
+        // Overwrite the useless parameter
+        public override int? ServerTimeoutPerRequest { get; set; }
+        public override int? ClientTimeoutPerRequest { get; set; }
+        public override int? ConcurrentTaskCount { get; set; }
+
+        /// <summary>
+        /// Initializes a new instance of the NewAzureStorageAccountSasTokenCommand class.
+        /// </summary>
+        public NewAzureStorageAccountSasTokenCommand()
+            : this(null)
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the NewAzureStorageAccountSasTokenCommand class.
+        /// </summary>
+        /// <param name="channel">IStorageBlobManagement channel</param>
+        public NewAzureStorageAccountSasTokenCommand(IStorageBlobManagement channel)
+        {
+            Channel = channel;
+            EnableMultiThread = false;
+        }
+
+        /// <summary>
+        /// Execute command
+        /// </summary>
+        [PermissionSet(SecurityAction.Demand, Name = "FullTrust")]
+        public override void ExecuteCmdlet()
+        {
+            var sharedAccessPolicy = new SharedAccessAccountPolicy()
+            {
+                Permissions = SetupAccessPolicyPermission(this.Permission),
+                Services = Service,
+                ResourceTypes = ResourceType,
+                Protocols = Protocol,
+                IPAddressOrRange = Util.SetupIPAddressOrRangeForSAS(this.IPAddressOrRange)
+            };
+
+            DateTimeOffset? accessStartTime;
+            DateTimeOffset? accessEndTime;
+            SasTokenHelper.SetupAccessPolicyLifeTime(StartTime, ExpiryTime,
+                out accessStartTime, out accessEndTime, true);
+            sharedAccessPolicy.SharedAccessStartTime = accessStartTime;
+            sharedAccessPolicy.SharedAccessExpiryTime = accessEndTime;
+
+            this.WriteObject(Channel.GetStorageAccountSASToken(sharedAccessPolicy));
+        }
+
+        /// <summary>
+        /// Set up access policy permission
+        /// </summary>
+        /// <param name="policy">SharedAccessBlobPolicy object</param>
+        /// <param name="permission">Permisson</param>
+        internal SharedAccessAccountPermissions SetupAccessPolicyPermission(string permission)
+        {
+            if (string.IsNullOrEmpty(permission)) return SharedAccessAccountPermissions.None;
+
+            SharedAccessAccountPermissions accountPermission = SharedAccessAccountPermissions.None;
+            permission = permission.ToLower();
+            foreach (char op in permission)
+            {
+                switch (op)
+                {
+                    case StorageNouns.Permission.Read:
+                    case StorageNouns.Permission.Query:
+                        accountPermission |= SharedAccessAccountPermissions.Read;
+                        break;
+                    case StorageNouns.Permission.Process:
+                        accountPermission |= SharedAccessAccountPermissions.ProcessMessages;
+                        break;
+                    case StorageNouns.Permission.Write:
+                        accountPermission |= SharedAccessAccountPermissions.Write;
+                        break;
+                    case StorageNouns.Permission.Add:
+                        accountPermission |= SharedAccessAccountPermissions.Add;
+                        break;
+                    case StorageNouns.Permission.Create:
+                        accountPermission |= SharedAccessAccountPermissions.Create;
+                        break;
+                    case StorageNouns.Permission.Update:
+                        accountPermission |= SharedAccessAccountPermissions.Update;
+                        break;
+                    case StorageNouns.Permission.Delete:
+                        accountPermission |= SharedAccessAccountPermissions.Delete;
+                        break;
+                    case StorageNouns.Permission.List:
+                        accountPermission |= SharedAccessAccountPermissions.List;
+                        break;
+                    default:
+                        throw new ArgumentException(string.Format(Resources.InvalidAccessPermission, op));
+                }
+            }
+
+            return accountPermission;
+        }
+    }
+}

src/Common/Storage/Commands.Storage/Common/StorageNouns.cs

@@ -104,6 +104,11 @@ public static class StorageNouns
         /// </summary>
         public const string StorageCORSRule = "AzureStorageCORSRule";
 
+        /// <summary>
+        /// Azure storage account sas
+        /// </summary>
+        public const string AccountSas = "AzureStorageAccountSASToken";
+
         /// <summary>
         /// Azure storage container sas
         /// </summary>
@@ -214,6 +219,11 @@ public static class Permission
             /// Query permission
             /// </summary>
             public const char Query = 'q';
+
+            /// <summary>
+            /// Create permission.
+            /// </summary>
+            public const char Create = 'c';
         }
     }
 }

src/Common/Storage/Commands.Storage/Common/Util.cs

@@ -161,5 +161,21 @@ public static CloudBlob GetBlobReference(Uri blobUri, StorageCredentials storage
                         blobUri));
             }
         }
+
+        public static IPAddressOrRange SetupIPAddressOrRangeForSAS(string inputIPACL)
+        {
+            if (string.IsNullOrEmpty(inputIPACL)) return null;
+
+            int separator = inputIPACL.IndexOf('-');
+
+            if (-1 == separator)
+            {
+                return new IPAddressOrRange(inputIPACL);
+            }
+            else
+            {
+                return new IPAddressOrRange(inputIPACL.Substring(0, separator), inputIPACL.Substring(separator + 1));
+            }
+        }
     }
 }

src/Common/Storage/Commands.Storage/File/Cmdlet/NewAzureStorageFileSasToken.cs

@@ -24,6 +24,7 @@
 using Microsoft.WindowsAzure.Commands.Storage.Common;
 using Microsoft.WindowsAzure.Commands.Storage.Model.Contract;
 using Microsoft.WindowsAzure.Storage.File;
+using Microsoft.WindowsAzure.Storage;
 
 namespace Microsoft.WindowsAzure.Commands.Storage.File.Cmdlet
 {
@@ -104,6 +105,12 @@ public string Policy
             ParameterSetName = CloudFileSasPermissionParameterSet)]
         public string Permission { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Protocol can be used in the request with this SAS token.")]
+        public SharedAccessProtocol Protocol { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "IP, or IP range ACL (access control list) that the request would be accepted from by Azure Storage.")]
+        public string IPAddressOrRange { get; set; }
+
         [Parameter(HelpMessage = "Start Time")]
         public DateTime? StartTime { get; set; }
 
@@ -123,6 +130,11 @@ public string Policy
             ParameterSetName = NameSasPolicyParmeterSet)]
         public override AzureStorageContext Context { get; set; }
 
+        // Overwrite the useless parameter
+        public override int? ServerTimeoutPerRequest { get; set; }
+        public override int? ClientTimeoutPerRequest { get; set; }
+        public override int? ConcurrentTaskCount { get; set; }
+
         /// <summary>
         /// Execute command
         /// </summary>
@@ -158,7 +170,7 @@ public override void ExecuteCmdlet()
 
             SetupAccessPolicy(accessPolicy, shouldSetExpiryTime);
 
-            string sasToken = file.GetSharedAccessSignature(accessPolicy, accessPolicyIdentifier);
+            string sasToken = file.GetSharedAccessSignature(accessPolicy, null, accessPolicyIdentifier, Protocol, Util.SetupIPAddressOrRangeForSAS(IPAddressOrRange));
 
             if (FullUri)
             {

src/Common/Storage/Commands.Storage/File/Cmdlet/NewAzureStorageShareSasToken.cs

@@ -22,6 +22,7 @@ namespace Microsoft.WindowsAzure.Commands.Storage.File.Cmdlet
     using Microsoft.WindowsAzure.Commands.Storage.Common;
     using Microsoft.WindowsAzure.Commands.Storage.Model.Contract;
     using Microsoft.WindowsAzure.Storage.File;
+    using Microsoft.WindowsAzure.Storage;
 
     [Cmdlet(VerbsCommon.New, StorageNouns.ShareSas), OutputType(typeof(String))]
     public class NewAzureStorageShareSasToken : AzureStorageFileCmdletBase
@@ -56,6 +57,12 @@ public string Policy
             ParameterSetName = SasPermissionParameterSet)]
         public string Permission { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Protocol can be used in the request with this SAS token.")]
+        public SharedAccessProtocol Protocol { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "IP, or IP range ACL (access control list) that the request would be accepted from by Azure Storage.")]
+        public string IPAddressOrRange { get; set; }
+
         [Parameter(HelpMessage = "Start Time")]
         public DateTime? StartTime { get; set; }
 
@@ -95,7 +102,7 @@ public override void ExecuteCmdlet()
                 this.ExpiryTime.HasValue);
 
             SetupAccessPolicy(accessPolicy, shouldSetExpiryTime);
-            string sasToken = fileShare.GetSharedAccessSignature(accessPolicy, accessPolicyIdentifier);
+            string sasToken = fileShare.GetSharedAccessSignature(accessPolicy, accessPolicyIdentifier, Protocol, Util.SetupIPAddressOrRangeForSAS(IPAddressOrRange));
 
             if (FullUri)
             {