forked from Azure/azure-sdk-for-net
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Sample02_Auth.cs
172 lines (152 loc) · 7.52 KB
/
Sample02_Auth.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License. See License.txt in the project root for
// license information.
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Storage;
using Azure.Storage.Queues;
using Azure.Storage.Sas;
using NUnit.Framework;
namespace Azure.Storage.Queues.Samples
{
/// <summary>
/// Demonstrate various authorization and authentication mechanisms.
///
/// For more information, see
/// https://docs.microsoft.com/en-us/azure/storage/common/storage-auth
/// </summary>
public class Sample02_Auth : SampleTest
{
/// <summary>
/// Use a connection string to connect to a Storage account.
///
/// A connection string includes the authentication information
/// required for your application to access data in an Azure Storage
/// account at runtime using Shared Key authorization.
/// </summary>
[Test]
public async Task ConnectionStringAsync()
{
// Get a connection string to our Azure Storage account. You can
// obtain your connection string from the Azure Portal (click
// Access Keys under Settings in the Portal Storage account blade)
// or using the Azure CLI with:
//
// az storage account show-connection-string --name <account_name> --resource-group <resource_group>
//
// And you can provide the connection string to your application
// using an environment variable.
string connectionString = ConnectionString;
// Create a client that can authenticate with a connection string
QueueServiceClient service = new QueueServiceClient(connectionString);
// Make a service request to verify we've succesfully authenticated
await service.GetPropertiesAsync();
}
/// <summary>
/// Use a shared key to access a Storage Account.
///
/// Shared Key authorization relies on your account access keys and
/// other parameters to produce an encrypted signature string that is
/// passed on the request in the Authorization header.
/// </summary>
[Test]
public async Task SharedKeyAuthAsync()
{
// Get a Storage account name, shared key, and endpoint Uri.
//
// You can obtain both from the Azure Portal by clicking Access
// Keys under Settings in the Portal Storage account blade.
//
// You can also get access to your account keys from the Azure CLI
// with:
//
// az storage account keys list --account-name <account_name> --resource-group <resource_group>
//
string accountName = StorageAccountName;
string accountKey = StorageAccountKey;
Uri serviceUri = StorageAccountQueueUri;
// Create a SharedKeyCredential that we can use to authenticate
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(accountName, accountKey);
// Create a client that can authenticate with a connection string
QueueServiceClient service = new QueueServiceClient(serviceUri, credential);
// Make a service request to verify we've succesfully authenticated
await service.GetPropertiesAsync();
}
/// <summary>
/// Use a shared access signature to acces a Storage Account.
///
/// A shared access signature (SAS) is a URI that grants restricted
/// access rights to Azure Storage resources. You can provide a shared
/// access signature to clients who should not be trusted with your
/// storage account key but to whom you wish to delegate access to
/// certain storage account resources. By distributing a shared access
/// signature URI to these clients, you can grant them access to a
/// resource for a specified period of time, with a specified set of
/// permissions.
/// </summary>
[Test]
public async Task SharedAccessSignatureAuthAsync()
{
// Create a service level SAS that only allows reading from service
// level APIs
AccountSasBuilder sas = new AccountSasBuilder
{
// Allow access to queues
Services = new AccountSasServices() { Queues = true }.ToString(),
// Allow access to the service level APIs
ResourceTypes = new AccountSasResourceTypes() { Service = true }.ToString(),
// Allow read access
Permissions = new AccountSasPermissions() { Read = true }.ToString(),
// Access expires in 1 hour!
ExpiryTime = DateTimeOffset.UtcNow.AddHours(1)
};
// Create a SharedKeyCredential that we can use to sign the SAS token
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(StorageAccountName, StorageAccountKey);
// Build a SAS URI
UriBuilder sasUri = new UriBuilder(StorageAccountQueueUri);
sasUri.Query = sas.ToSasQueryParameters(credential).ToString();
// Create a client that can authenticate with the SAS URI
QueueServiceClient service = new QueueServiceClient(sasUri.Uri);
// Make a service request to verify we've succesfully authenticated
await service.GetPropertiesAsync();
// Try to create a new container (which is beyond our
// delegated permission)
StorageRequestFailedException ex =
Assert.ThrowsAsync<StorageRequestFailedException>(
async () => await service.CreateQueueAsync(Randomize("sample-queue")));
Assert.AreEqual(403, ex.Status);
}
/// <summary>
/// Use an Active Directory token to access a Storage account.
///
/// Azure Storage provides integration with Azure Active Directory
/// (Azure AD) for identity-based authentication of requests to the
/// Queue and Queue services. With Azure AD, you can use role-based
/// access control (RBAC) to grant access to your Azure Storage
/// resources to users, groups, or applications. You can grant
/// permissions that are scoped to the level of an individual
/// container or queue.
///
/// To learn more about Azure AD integration in Azure Storage, see
/// https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad
/// </summary>
[Test]
public async Task ActiveDirectoryAuthAsync()
{
// Create a token credential that can use our Azure Active
// Directory application to authenticate with Azure Storage
TokenCredential credential =
new ClientSecretCredential(
ActiveDirectoryTenantId,
ActiveDirectoryApplicationId,
ActiveDirectoryApplicationSecret,
new IdentityClientOptions() { AuthorityHost = ActiveDirectoryAuthEndpoint });
// Create a client that can authenticate using our token credential
QueueServiceClient service = new QueueServiceClient(ActiveDirectoryQueueUri, credential);
// Make a service request to verify we've succesfully authenticated
await service.GetPropertiesAsync();
}
}
}