Object.defineProperty(exports, "__esModule", { value: true });
exports.generateBlobSASSignatureWithUDK = exports.generateBlobSASSignature = void 0;
const utils_1 = require("../../common/utils/utils");
const BlobSASResourceType_1 = require("./BlobSASResourceType");
const IIPRange_1 = require("../../common/authentication/IIPRange");
/**
 * Computes the signature of a Blob SAS that is signed with the storage
 * account's shared key.
 *
 * This function only selects the version-specific string-to-sign builder and
 * forwards its arguments unchanged. `version` is compared as a string, which
 * orders correctly for "YYYY-MM-DD" values. Anything that compares below
 * "2018-11-09", including a missing version, uses the 2015-04-05 layout.
 *
 * NOTE(review): the result includes the plain string-to-sign next to the
 * signature. If a caller uses the signature to verify a presented token, that
 * comparison happens outside this file; confirm it is constant-time and that
 * the string-to-sign is not exposed beyond what is intended.
 *
 * @export
 * @param {IBlobSASSignatureValues} blobSASSignatureValues
 * @param {BlobSASResourceType} resource
 * @param {string} accountName
 * @param {Buffer} sharedKey
 * @returns {[string, string]} signature and stringToSign
 */
function generateBlobSASSignature(blobSASSignatureValues, resource, accountName, sharedKey) {
  const sasVersion = blobSASSignatureValues.version;
  // Newest layout first; only the selected builder is looked up.
  const build = sasVersion >= "2020-12-06"
    ? generateBlobSASSignature20201206
    : sasVersion >= "2018-11-09"
      ? generateBlobSASSignature20181109
      : generateBlobSASSignature20150405;
  return build(blobSASSignatureValues, resource, accountName, sharedKey);
}
exports.generateBlobSASSignature = generateBlobSASSignature;
/**
 * Computes the signature of a Blob SAS that is signed with a user delegation
 * key (UDK) value instead of the account's shared key.
 *
 * This function only selects the version-specific string-to-sign builder and
 * forwards its arguments unchanged. `version` is compared as a string, which
 * orders correctly for "YYYY-MM-DD" values. A version that compares below
 * "2018-11-09", or a missing version, is rejected with a RangeError.
 *
 * NOTE(review): the result includes the plain string-to-sign next to the
 * signature. If a caller uses the signature to verify a presented token, that
 * comparison happens outside this file; confirm it is constant-time.
 *
 * @export
 * @param {IBlobSASSignatureValues} blobSASSignatureValues
 * @param {BlobSASResourceType} resource
 * @param {string} accountName
 * @param {Buffer} udkValue
 * @returns {[string, string]} signature and stringToSign
 * @throws {RangeError} when the SAS version has no user-delegation layout here
 */
function generateBlobSASSignatureWithUDK(blobSASSignatureValues, resource, accountName, udkValue) {
  const sasVersion = blobSASSignatureValues.version;
  // Guard clauses, newest layout first.
  if (sasVersion >= "2020-12-06") {
    return generateBlobSASBlobSASSignatureWithUDK20201206(blobSASSignatureValues, resource, accountName, udkValue);
  }
  if (sasVersion >= "2020-02-10") {
    return generateBlobSASSignatureWithUDK20200210(blobSASSignatureValues, resource, accountName, udkValue);
  }
  if (sasVersion >= "2018-11-09") {
    return generateBlobSASSignatureUDK20181109(blobSASSignatureValues, resource, accountName, udkValue);
  }
  throw new RangeError("SAS token version is not valid");
}
exports.generateBlobSASSignatureWithUDK = generateBlobSASSignatureWithUDK;
/**
 * Builds the newline-delimited string-to-sign for a shared-key Blob SAS and
 * signs it with HMAC-SHA256. generateBlobSASSignature() selects this layout
 * for versions "2020-12-06" and later; compared with the 2018-11-09 layout in
 * this file it adds the encryptionScope field.
 *
 * Throws RangeError only when identifier, permissions and expiryTime are all
 * missing.
 * NOTE(review): the message asks for both 'permissions' and 'expiryTime', but
 * a value carrying just one of them passes this guard; confirm that callers
 * enforce the expiry before relying on the result.
 * NOTE(review): fields are separated by "\n" and are not checked here for
 * embedded newlines; confirm upstream validation, since such a value would
 * shift the field boundaries of the signed string.
 *
 * @param {IBlobSASSignatureValues} blobSASSignatureValues
 * @param {BlobSASResourceType} resource
 * @param {string} accountName
 * @param {Buffer} sharedKey
 * @returns {[string, string]} signature and stringToSign
 */
function generateBlobSASSignature20201206(blobSASSignatureValues, resource, accountName, sharedKey) {
  const sas = blobSASSignatureValues;
  // Same test as "no identifier, no permissions and no expiryTime".
  if (!(sas.identifier || sas.permissions || sas.expiryTime)) {
    throw new RangeError("generateBlobSASSignature(): Must provide 'permissions' and 'expiryTime' for Blob SAS generation when 'identifier' is not provided.");
  }
  const orEmpty = (value) => value || "";
  // Strings are signed verbatim; only undefined becomes empty, everything
  // else is handed to the date formatter.
  const timeField = (time) => {
    if (time === undefined) {
      return "";
    }
    return typeof time === "string" ? time : (0, utils_1.truncatedISO8061Date)(time, false);
  };
  const ipField = (range) => {
    if (!range) {
      return "";
    }
    return typeof range === "string" ? range : (0, IIPRange_1.ipRangeToString)(range);
  };
  // Blob and BlobSnapshot resources carry the blob name in the canonical name.
  const namesBlob = () => resource === BlobSASResourceType_1.BlobSASResourceType.Blob ||
    resource === BlobSASResourceType_1.BlobSASResourceType.BlobSnapshot;
  // Signature is generated on the un-url-encoded values.
  // TODO: Check whether validating the snapshot is necessary.
  const fields = [
    orEmpty(sas.permissions),
    timeField(sas.startTime),
    timeField(sas.expiryTime),
    getCanonicalName(accountName, sas.containerName, namesBlob() ? sas.blobName : ""),
    sas.identifier, // passed as-is; join() renders undefined as "" (original TODO: default it to "")
    ipField(sas.ipRange),
    orEmpty(sas.protocol),
    sas.version,
    sas.signedResource,
    sas.snapshot,
    orEmpty(sas.encryptionScope),
    orEmpty(sas.cacheControl),
    orEmpty(sas.contentDisposition),
    orEmpty(sas.contentEncoding),
    orEmpty(sas.contentLanguage),
    orEmpty(sas.contentType),
  ];
  const stringToSign = fields.join("\n");
  return [(0, utils_1.computeHMACSHA256)(stringToSign, sharedKey), stringToSign];
}
/**
 * Builds the newline-delimited string-to-sign for a shared-key Blob SAS and
 * signs it with HMAC-SHA256. generateBlobSASSignature() selects this layout
 * for versions from "2018-11-09" up to (not including) "2020-12-06". It has
 * the signedResource and snapshot fields but no encryptionScope field.
 *
 * Throws RangeError only when identifier, permissions and expiryTime are all
 * missing.
 * NOTE(review): the message asks for both 'permissions' and 'expiryTime', but
 * a value carrying just one of them passes this guard; confirm that callers
 * enforce the expiry before relying on the result.
 * NOTE(review): fields are separated by "\n" and are not checked here for
 * embedded newlines; confirm upstream validation, since such a value would
 * shift the field boundaries of the signed string.
 *
 * @param {IBlobSASSignatureValues} blobSASSignatureValues
 * @param {BlobSASResourceType} resource
 * @param {string} accountName
 * @param {Buffer} sharedKey
 * @returns {[string, string]} signature and stringToSign
 */
function generateBlobSASSignature20181109(blobSASSignatureValues, resource, accountName, sharedKey) {
  const sas = blobSASSignatureValues;
  // Same test as "no identifier, no permissions and no expiryTime".
  if (!(sas.identifier || sas.permissions || sas.expiryTime)) {
    throw new RangeError("generateBlobSASSignature(): Must provide 'permissions' and 'expiryTime' for Blob SAS generation when 'identifier' is not provided.");
  }
  const orEmpty = (value) => value || "";
  // Strings are signed verbatim; only undefined becomes empty, everything
  // else is handed to the date formatter.
  const timeField = (time) => {
    if (time === undefined) {
      return "";
    }
    return typeof time === "string" ? time : (0, utils_1.truncatedISO8061Date)(time, false);
  };
  const ipField = (range) => {
    if (!range) {
      return "";
    }
    return typeof range === "string" ? range : (0, IIPRange_1.ipRangeToString)(range);
  };
  // Blob and BlobSnapshot resources carry the blob name in the canonical name.
  const namesBlob = () => resource === BlobSASResourceType_1.BlobSASResourceType.Blob ||
    resource === BlobSASResourceType_1.BlobSASResourceType.BlobSnapshot;
  // Signature is generated on the un-url-encoded values.
  // TODO: Check whether validating the snapshot is necessary.
  const fields = [
    orEmpty(sas.permissions),
    timeField(sas.startTime),
    timeField(sas.expiryTime),
    getCanonicalName(accountName, sas.containerName, namesBlob() ? sas.blobName : ""),
    sas.identifier, // passed as-is; join() renders undefined as "" (original TODO: default it to "")
    ipField(sas.ipRange),
    orEmpty(sas.protocol),
    sas.version,
    sas.signedResource,
    sas.snapshot,
    orEmpty(sas.cacheControl),
    orEmpty(sas.contentDisposition),
    orEmpty(sas.contentEncoding),
    orEmpty(sas.contentLanguage),
    orEmpty(sas.contentType),
  ];
  const stringToSign = fields.join("\n");
  return [(0, utils_1.computeHMACSHA256)(stringToSign, sharedKey), stringToSign];
}
/**
 * Builds the newline-delimited string-to-sign for a shared-key Blob SAS and
 * signs it with HMAC-SHA256. generateBlobSASSignature() falls back to this
 * layout for every version that compares below "2018-11-09" (including a
 * missing version). It has no signedResource, snapshot or encryptionScope
 * field, and only BlobSASResourceType.Blob puts the blob name into the
 * canonical name.
 *
 * Throws RangeError only when identifier, permissions and expiryTime are all
 * missing.
 * NOTE(review): the message asks for both 'permissions' and 'expiryTime', but
 * a value carrying just one of them passes this guard; confirm that callers
 * enforce the expiry before relying on the result.
 * NOTE(review): fields are separated by "\n" and are not checked here for
 * embedded newlines; confirm upstream validation, since such a value would
 * shift the field boundaries of the signed string.
 *
 * @param {IBlobSASSignatureValues} blobSASSignatureValues
 * @param {BlobSASResourceType} resource
 * @param {string} accountName
 * @param {Buffer} sharedKey
 * @returns {[string, string]} signature and stringToSign
 */
function generateBlobSASSignature20150405(blobSASSignatureValues, resource, accountName, sharedKey) {
  const sas = blobSASSignatureValues;
  // Same test as "no identifier, no permissions and no expiryTime".
  if (!(sas.identifier || sas.permissions || sas.expiryTime)) {
    throw new RangeError("generateBlobSASSignature(): Must provide 'permissions' and 'expiryTime' for Blob SAS generation when 'identifier' is not provided.");
  }
  const orEmpty = (value) => value || "";
  // Strings are signed verbatim; only undefined becomes empty, everything
  // else is handed to the date formatter.
  const timeField = (time) => {
    if (time === undefined) {
      return "";
    }
    return typeof time === "string" ? time : (0, utils_1.truncatedISO8061Date)(time, false);
  };
  const ipField = (range) => {
    if (!range) {
      return "";
    }
    return typeof range === "string" ? range : (0, IIPRange_1.ipRangeToString)(range);
  };
  const namesBlob = () => resource === BlobSASResourceType_1.BlobSASResourceType.Blob;
  // Signature is generated on the un-url-encoded values.
  const fields = [
    orEmpty(sas.permissions),
    timeField(sas.startTime),
    timeField(sas.expiryTime),
    getCanonicalName(accountName, sas.containerName, namesBlob() ? sas.blobName : ""),
    sas.identifier, // passed as-is; join() renders undefined as "" (original TODO: default it to "")
    ipField(sas.ipRange),
    orEmpty(sas.protocol),
    sas.version,
    orEmpty(sas.cacheControl),
    orEmpty(sas.contentDisposition),
    orEmpty(sas.contentEncoding),
    orEmpty(sas.contentLanguage),
    orEmpty(sas.contentType),
  ];
  const stringToSign = fields.join("\n");
  return [(0, utils_1.computeHMACSHA256)(stringToSign, sharedKey), stringToSign];
}
/**
 * Builds the newline-delimited string-to-sign for a user-delegation Blob SAS
 * and signs it with HMAC-SHA256 using the supplied delegation key value.
 * generateBlobSASSignatureWithUDK() selects this layout for versions from
 * "2018-11-09" up to (not including) "2020-02-10".
 *
 * The blob name is always passed to getCanonicalName(), whatever `resource`
 * is, and `resource` itself is one of the signed fields.
 *
 * Throws RangeError only when identifier, permissions and expiryTime are all
 * missing.
 * NOTE(review): `identifier` satisfies the guard but is not part of this
 * string-to-sign, so a value with only an identifier is signed with empty
 * permissions and expiry; confirm callers reject that combination.
 * NOTE(review): fields are separated by "\n" and are not checked here for
 * embedded newlines; confirm upstream validation, since such a value would
 * shift the field boundaries of the signed string.
 *
 * @param {IBlobSASSignatureValues} blobSASSignatureValues
 * @param {BlobSASResourceType} resource
 * @param {string} accountName
 * @param {Buffer} userDelegationKeyValue
 * @returns {[string, string]} signature and stringToSign
 */
function generateBlobSASSignatureUDK20181109(blobSASSignatureValues, resource, accountName, userDelegationKeyValue) {
  const sas = blobSASSignatureValues;
  // Same test as "no identifier, no permissions and no expiryTime".
  if (!(sas.identifier || sas.permissions || sas.expiryTime)) {
    throw new RangeError("generateBlobSASSignature(): Must provide 'permissions' and 'expiryTime' for Blob SAS generation when 'identifier' is not provided.");
  }
  const orEmpty = (value) => value || "";
  // Strings are signed verbatim; only undefined becomes empty, everything
  // else is handed to the date formatter.
  const timeField = (time) => {
    if (time === undefined) {
      return "";
    }
    return typeof time === "string" ? time : (0, utils_1.truncatedISO8061Date)(time, false);
  };
  // Unlike the shared-key builders, only undefined (not every falsy value)
  // skips the range formatter here.
  const ipField = (range) => {
    if (range === undefined) {
      return "";
    }
    return typeof range === "string" ? range : (0, IIPRange_1.ipRangeToString)(range);
  };
  const alwaysEmpty = ""; // the original passes undefined, which join() renders as ""
  // Signature is generated on the un-url-encoded values.
  const fields = [
    orEmpty(sas.permissions),
    timeField(sas.startTime),
    timeField(sas.expiryTime),
    getCanonicalName(accountName, sas.containerName, sas.blobName),
    // Delegation-key fields are signed as given (undefined joins as "").
    sas.signedObjectId,
    sas.signedTenantId,
    sas.signedStartsOn,
    sas.signedExpiresOn,
    sas.signedService,
    sas.signedVersion,
    ipField(sas.ipRange),
    orEmpty(sas.protocol),
    sas.version,
    resource,
    alwaysEmpty, // blob version timestamp
    sas.cacheControl,
    sas.contentDisposition,
    sas.contentEncoding,
    sas.contentLanguage,
    sas.contentType,
  ];
  const stringToSign = fields.join("\n");
  return [(0, utils_1.computeHMACSHA256)(stringToSign, userDelegationKeyValue), stringToSign];
}
/**
 * Builds the newline-delimited string-to-sign for a user-delegation Blob SAS
 * and signs it with HMAC-SHA256 using the supplied delegation key value.
 * generateBlobSASSignatureWithUDK() selects this layout for versions from
 * "2020-02-10" up to (not including) "2020-12-06". Compared with the
 * 2018-11-09 UDK layout it has three extra positions after signedVersion.
 *
 * The blob name is always passed to getCanonicalName(), whatever `resource`
 * is, and `resource` itself is one of the signed fields.
 *
 * Throws RangeError only when identifier, permissions and expiryTime are all
 * missing.
 * NOTE(review): the preauthorizedAgentObjectId, agentObjectId and
 * correlationId positions are always emitted empty, so any such value on a
 * token is not covered by the signature computed here; confirm that is
 * acceptable for the callers of this function.
 * NOTE(review): `identifier` satisfies the guard but is not part of this
 * string-to-sign; confirm callers reject identifier-only input.
 * NOTE(review): fields are separated by "\n" and are not checked here for
 * embedded newlines; confirm upstream validation.
 *
 * @param {IBlobSASSignatureValues} blobSASSignatureValues
 * @param {BlobSASResourceType} resource
 * @param {string} accountName
 * @param {Buffer} userDelegationKeyValue
 * @returns {[string, string]} signature and stringToSign
 */
function generateBlobSASSignatureWithUDK20200210(blobSASSignatureValues, resource, accountName, userDelegationKeyValue) {
  const sas = blobSASSignatureValues;
  // Same test as "no identifier, no permissions and no expiryTime".
  if (!(sas.identifier || sas.permissions || sas.expiryTime)) {
    throw new RangeError("generateBlobSASSignature(): Must provide 'permissions' and 'expiryTime' for Blob SAS generation when 'identifier' is not provided.");
  }
  const orEmpty = (value) => value || "";
  // Strings are signed verbatim; only undefined becomes empty, everything
  // else is handed to the date formatter.
  const timeField = (time) => {
    if (time === undefined) {
      return "";
    }
    return typeof time === "string" ? time : (0, utils_1.truncatedISO8061Date)(time, false);
  };
  // Only undefined (not every falsy value) skips the range formatter here.
  const ipField = (range) => {
    if (range === undefined) {
      return "";
    }
    return typeof range === "string" ? range : (0, IIPRange_1.ipRangeToString)(range);
  };
  const alwaysEmpty = ""; // the original passes undefined, which join() renders as ""
  // Signature is generated on the un-url-encoded values.
  const fields = [
    orEmpty(sas.permissions),
    timeField(sas.startTime),
    timeField(sas.expiryTime),
    getCanonicalName(accountName, sas.containerName, sas.blobName),
    // Delegation-key fields are signed as given (undefined joins as "").
    sas.signedObjectId,
    sas.signedTenantId,
    sas.signedStartsOn,
    sas.signedExpiresOn,
    sas.signedService,
    sas.signedVersion,
    alwaysEmpty, // blobSASSignatureValues.preauthorizedAgentObjectId
    alwaysEmpty, // agentObjectId
    alwaysEmpty, // blobSASSignatureValues.correlationId
    ipField(sas.ipRange),
    orEmpty(sas.protocol),
    sas.version,
    resource,
    alwaysEmpty, // blob version timestamp
    sas.cacheControl,
    sas.contentDisposition,
    sas.contentEncoding,
    sas.contentLanguage,
    sas.contentType,
  ];
  const stringToSign = fields.join("\n");
  return [(0, utils_1.computeHMACSHA256)(stringToSign, userDelegationKeyValue), stringToSign];
}
/**
 * Builds the newline-delimited string-to-sign for a user-delegation Blob SAS
 * and signs it with HMAC-SHA256 using the supplied delegation key value.
 * generateBlobSASSignatureWithUDK() selects this layout for versions
 * "2020-12-06" and later. Compared with the 2020-02-10 UDK layout it adds the
 * encryptionScope field, and the blob name enters the canonical name only
 * when `resource` is BlobSASResourceType.Blob.
 *
 * Throws RangeError only when identifier, permissions and expiryTime are all
 * missing.
 * NOTE(review): the shared-key builder for the same version also treats
 * BlobSnapshot as carrying a blob name; this one does not — confirm the
 * difference is intended.
 * NOTE(review): the preauthorizedAgentObjectId, agentObjectId and
 * correlationId positions are always emitted empty, so any such value on a
 * token is not covered by the signature computed here; confirm that is
 * acceptable for the callers of this function.
 * NOTE(review): `identifier` satisfies the guard but is not part of this
 * string-to-sign; confirm callers reject identifier-only input.
 * NOTE(review): fields are separated by "\n" and are not checked here for
 * embedded newlines; confirm upstream validation.
 *
 * @param {IBlobSASSignatureValues} blobSASSignatureValues
 * @param {BlobSASResourceType} resource
 * @param {string} accountName
 * @param {Buffer} userDelegationKeyValue
 * @returns {[string, string]} signature and stringToSign
 */
function generateBlobSASBlobSASSignatureWithUDK20201206(blobSASSignatureValues, resource, accountName, userDelegationKeyValue) {
  const sas = blobSASSignatureValues;
  // Same test as "no identifier, no permissions and no expiryTime".
  if (!(sas.identifier || sas.permissions || sas.expiryTime)) {
    throw new RangeError("generateBlobSASSignature(): Must provide 'permissions' and 'expiryTime' for Blob SAS generation when 'identifier' is not provided.");
  }
  const orEmpty = (value) => value || "";
  // Strings are signed verbatim; only undefined becomes empty, everything
  // else is handed to the date formatter.
  const timeField = (time) => {
    if (time === undefined) {
      return "";
    }
    return typeof time === "string" ? time : (0, utils_1.truncatedISO8061Date)(time, false);
  };
  // Only undefined (not every falsy value) skips the range formatter here.
  const ipField = (range) => {
    if (range === undefined) {
      return "";
    }
    return typeof range === "string" ? range : (0, IIPRange_1.ipRangeToString)(range);
  };
  const namesBlob = () => resource === BlobSASResourceType_1.BlobSASResourceType.Blob;
  const alwaysEmpty = ""; // the original passes undefined, which join() renders as ""
  // Signature is generated on the un-url-encoded values.
  const fields = [
    orEmpty(sas.permissions),
    timeField(sas.startTime),
    timeField(sas.expiryTime),
    getCanonicalName(accountName, sas.containerName, namesBlob() ? sas.blobName : ""),
    // Delegation-key fields are signed as given (undefined joins as "").
    sas.signedObjectId,
    sas.signedTenantId,
    sas.signedStartsOn,
    sas.signedExpiresOn,
    sas.signedService,
    sas.signedVersion,
    alwaysEmpty, // blobSASSignatureValues.preauthorizedAgentObjectId
    alwaysEmpty, // agentObjectId
    alwaysEmpty, // blobSASSignatureValues.correlationId
    ipField(sas.ipRange),
    orEmpty(sas.protocol),
    sas.version,
    resource,
    alwaysEmpty, // blob version timestamp
    sas.encryptionScope,
    sas.cacheControl,
    sas.contentDisposition,
    sas.contentEncoding,
    sas.contentLanguage,
    sas.contentType,
  ];
  const stringToSign = fields.join("\n");
  return [(0, utils_1.computeHMACSHA256)(stringToSign, userDelegationKeyValue), stringToSign];
}
/**
 * Builds the canonical resource name that goes into the string-to-sign.
 *
 *   Container: "/blob/account/containerName"
 *   Blob:      "/blob/account/containerName/blobName"
 *
 * The blob segment is appended only when blobName is truthy. All three parts
 * are interpolated exactly as given: nothing is encoded, decoded or validated
 * here.
 * NOTE(review): confirm callers pass the names in the same (un-url-encoded)
 * form that was used when the token was issued.
 *
 * @param {string} accountName
 * @param {string} containerName
 * @param {string} [blobName]
 * @returns {string} canonical name
 */
function getCanonicalName(accountName, containerName, blobName) {
  const containerPath = `/blob/${accountName}/${containerName}`;
  return blobName ? `${containerPath}/${blobName}` : containerPath;
}
//# sourceMappingURL=IBlobSASSignatureValues.js.map
;