diff --git a/iothub/service/src/IoTHubSasCredential.cs b/iothub/service/src/IoTHubSasCredential.cs deleted file mode 100644 index a21179f98b..0000000000 --- a/iothub/service/src/IoTHubSasCredential.cs +++ /dev/null @@ -1,48 +0,0 @@ -// Copyright (c) Microsoft. All rights reserved. -// Licensed under the MIT license. See LICENSE file in the project root for full license information. -using System; -using System.Collections.Generic; -using System.Text; - -#if !NET451 - -using Azure; - -namespace Microsoft.Azure.Devices -{ - /// - /// Shared access signature credential used to authenticate with IoT hub. - /// - public class IotHubSasCredential - : AzureSasCredential - { - /// - /// Creates an instance of . - /// - /// Shared access signature used to authenticate with IoT hub. - /// The shared access signature expiry in UTC. - public IotHubSasCredential(string signature, DateTime expiresOnUtc) : base(signature) - { - ExpiresOnUtc = expiresOnUtc; - } - - /// - /// The shared access signature expiry in UTC. - /// - public DateTime ExpiresOnUtc { get; private set; } - - /// - /// Updates the shared access signature. This is intended to be used when you've - /// regenerated your shared access signature and want to update clients. - /// - /// Shared access signature used to authenticate with IoT hub. - /// The shared access signature expiry in UTC. - public void Update(string signature, DateTime expiresOnUtc) - { - Update(signature); - ExpiresOnUtc = expiresOnUtc; - } - } -} - -#endif diff --git a/iothub/service/src/IotHubSasCredentialProperties.cs b/iothub/service/src/IotHubSasCredentialProperties.cs index 44b37bf9c8..756fe3865a 100644 --- a/iothub/service/src/IotHubSasCredentialProperties.cs +++ b/iothub/service/src/IotHubSasCredentialProperties.cs @@ -5,6 +5,8 @@ using System.Text; using System.Threading.Tasks; using Microsoft.Azure.Amqp; +using System.Globalization; +using System.Linq; #if !NET451 @@ -23,9 +25,9 @@ public IotHubSasCredentialProperties() throw new InvalidOperationException("IotHubSasCredential is not supported on NET451"); } #else - private readonly IotHubSasCredential _credential; + private readonly AzureSasCredential _credential; - public IotHubSasCredentialProperties(string hostName, IotHubSasCredential credential) : base(hostName) + public IotHubSasCredentialProperties(string hostName, AzureSasCredential credential) : base(hostName) { _credential = credential; } @@ -48,10 +50,28 @@ public override Task GetTokenAsync(Uri namespaceAddress, string applie throw new InvalidOperationException($"IotHubSasCredential is not supported on NET451"); #else + // Parse the SAS token to find the expiration date and time. + // SharedAccessSignature sr=ENCODED(dh://myiothub.azure-devices.net/a/b/c?myvalue1=a)&sig=&se=[&skn=] + var tokenParts = _credential.Signature.Split('&').ToList(); + var expiresAtTokenPart = tokenParts.Where(tokenPart => tokenPart.StartsWith("se=", StringComparison.OrdinalIgnoreCase)); + + if (!expiresAtTokenPart.Any()) + { + throw new InvalidOperationException($"There is no expiration time on {nameof(AzureSasCredential)} signature."); + } + + string expiresAtStr = expiresAtTokenPart.First().Split('=')[1]; + bool isSuccess = DateTime.TryParse(expiresAtStr, out DateTime expiresAt); + + if (!isSuccess) + { + throw new InvalidOperationException($"Invalid expiration time on {nameof(AzureSasCredential)} signature."); + } + var token = new CbsToken( _credential.Signature, CbsConstants.IotHubSasTokenType, - _credential.ExpiresOnUtc); + expiresAt); return Task.FromResult(token); #endif } diff --git a/iothub/service/src/JobClient/JobClient.cs b/iothub/service/src/JobClient/JobClient.cs index 671790e72e..6c963c30c9 100644 --- a/iothub/service/src/JobClient/JobClient.cs +++ b/iothub/service/src/JobClient/JobClient.cs @@ -79,12 +79,12 @@ public static JobClient Create( /// Creates an instance of . /// /// IoT hub host name. - /// Credential that generates a SAS token to authenticate with IoT hub. See . + /// Credential that generates a SAS token to authenticate with IoT hub. See . /// The HTTP transport settings. /// An instance of . public static JobClient Create( string hostName, - IotHubSasCredential credential, + AzureSasCredential credential, HttpTransportSettings transportSettings = default) { if (string.IsNullOrEmpty(hostName)) diff --git a/iothub/service/src/RegistryManager.cs b/iothub/service/src/RegistryManager.cs index 1aca479b39..3683a0e0ca 100644 --- a/iothub/service/src/RegistryManager.cs +++ b/iothub/service/src/RegistryManager.cs @@ -85,12 +85,12 @@ public static RegistryManager Create( /// Creates an instance of . /// /// IoT hub host name. - /// Credential that generates a SAS token to authenticate with IoT hub. See . + /// Credential that generates a SAS token to authenticate with IoT hub. See . /// The HTTP transport settings. /// An instance of . public static RegistryManager Create( string hostName, - IotHubSasCredential credential, + AzureSasCredential credential, HttpTransportSettings transportSettings = default) { if (string.IsNullOrEmpty(hostName)) diff --git a/iothub/service/src/ServiceClient.cs b/iothub/service/src/ServiceClient.cs index 94ab557ad7..e8032f79eb 100644 --- a/iothub/service/src/ServiceClient.cs +++ b/iothub/service/src/ServiceClient.cs @@ -102,14 +102,14 @@ public static ServiceClient Create( /// Creates a using SAS token and the specified transport type. /// /// IoT hub host name. - /// Credential that generates a SAS token to authenticate with IoT hub. See . + /// Credential that generates a SAS token to authenticate with IoT hub. See . /// Specifies whether Amqp or Amqp_WebSocket_Only transport is used. /// Specifies the AMQP_WS and HTTP proxy settings for service client. /// The options that allow configuration of the service client instance during initialization. /// An instance of . public static ServiceClient Create( string hostName, - IotHubSasCredential credential, + AzureSasCredential credential, TransportType transportType, ServiceClientTransportSettings transportSettings = default, ServiceClientOptions options = default) diff --git a/iothub/service/tests/IotHubSasCredentialPropertiesTests.cs b/iothub/service/tests/IotHubSasCredentialPropertiesTests.cs new file mode 100644 index 0000000000..45d5ed8f6e --- /dev/null +++ b/iothub/service/tests/IotHubSasCredentialPropertiesTests.cs @@ -0,0 +1,121 @@ +// Copyright (c) Microsoft. All rights reserved. +// Licensed under the MIT license. See LICENSE file in the project root for full license information. +using System; +using System.Collections.Generic; +using System.Text; +using Microsoft.VisualStudio.TestTools.UnitTesting; +using System.Net; +using System.Globalization; +using System.Threading.Tasks; +using Microsoft.Azure.Amqp; +using FluentAssertions; + +#if !NET451 + +using Azure; + +#endif + +namespace Microsoft.Azure.Devices.Tests +{ + [TestClass] + [TestCategory("Unit")] + public class IotHubSasCredentialPropertiesTests + { + private const string _hostName = "myiothub.azure-devices.net"; + +#if !NET451 + + [TestMethod] + public async Task TestCbsTokenGeneration_Succeeds() + { + // arrange + DateTime expiresAtUtc = DateTime.UtcNow; + DateTime updatedExpiresAtUtc = DateTime.UtcNow.AddDays(1); + + string token = string.Format( + CultureInfo.InvariantCulture, + "SharedAccessSignature sr={0}&sig={1}&se={2}", + WebUtility.UrlEncode(_hostName), + WebUtility.UrlEncode("signature"), + expiresAtUtc); + + string updatedToken = string.Format( + CultureInfo.InvariantCulture, + "SharedAccessSignature sr={0}&sig={1}&se={2}", + WebUtility.UrlEncode(_hostName), + WebUtility.UrlEncode("signature"), + updatedExpiresAtUtc); + + var azureSasCredential = new AzureSasCredential(token); + var iotHubSasCredentialProperties = new IotHubSasCredentialProperties(_hostName, azureSasCredential); + + // act + + CbsToken cbsToken = await iotHubSasCredentialProperties.GetTokenAsync(null, null, null).ConfigureAwait(false); + azureSasCredential.Update(updatedToken); + CbsToken updatedCbsToken = await iotHubSasCredentialProperties.GetTokenAsync(null, null, null).ConfigureAwait(false); + + // assert + cbsToken.ExpiresAtUtc.ToString().Should().Be(expiresAtUtc.ToString()); + updatedCbsToken.ExpiresAtUtc.ToString().Should().Be(updatedExpiresAtUtc.ToString()); + } + + [TestMethod] + public async Task TestCbsTokenGeneration_InvalidExpirationDateTimeFormat_Fails() + { + // arrange + string token = string.Format( + CultureInfo.InvariantCulture, + "SharedAccessSignature sr={0}&sig={1}&se={2}", + WebUtility.UrlEncode(_hostName), + WebUtility.UrlEncode("signature"), + "01:01:2021"); + + var azureSasCredential = new AzureSasCredential(token); + var iotHubSasCredentialProperties = new IotHubSasCredentialProperties(_hostName, azureSasCredential); + + try + { + // act + await iotHubSasCredentialProperties.GetTokenAsync(null, null, null).ConfigureAwait(false); + + Assert.Fail("The parsing of date time in invalid format on the SAS token should have caused an exception."); + } + catch (InvalidOperationException ex) + { + // assert + ex.Message.Should().Be($"Invalid expiration time on {nameof(AzureSasCredential)} signature."); + } + } + + [TestMethod] + public async Task TestCbsTokenGeneration_MissingExpiration_Fails() + { + // arrange + string token = string.Format( + CultureInfo.InvariantCulture, + "SharedAccessSignature sr={0}&sig={1}", + WebUtility.UrlEncode(_hostName), + WebUtility.UrlEncode("signature")); + + var azureSasCredential = new AzureSasCredential(token); + var iotHubSasCredentialProperties = new IotHubSasCredentialProperties(_hostName, azureSasCredential); + + try + { + // act + await iotHubSasCredentialProperties.GetTokenAsync(null, null, null).ConfigureAwait(false); + + Assert.Fail("The missing expiry on the SAS token should have caused an exception."); + } + catch (InvalidOperationException ex) + { + // assert + ex.Message.Should().Be($"There is no expiration time on {nameof(AzureSasCredential)} signature."); + } + } + +#endif + } +}