[Datalake] SAS Support (#21019)

* Enable gocritic during linting (#20715) Enabled gocritic's evalOrder to catch dependencies on undefined behavior on return statements. Updated to latest version of golangci-lint. Fixed issue in azblob flagged by latest linter. * Cosmos DB: Enable merge support (#20716) * Adding header and value * Wiring and tests * format * Fixing value * change log * [azservicebus, azeventhubs] Stress test and logging improvement (#20710) Logging improvements: * Updating the logging to print more tracing information (per-link) in prep for the bigger release coming up. * Trimming out some of the verbose logging, seeing if I can get it a bit more reasonable. Stress tests: * Add a timestamp to the log name we generate and also default to append, not overwrite. * Use 0.5 cores, 0.5GB as our baseline. Some pods use more and I'll tune them more later. * update proxy version (#20712) Co-authored-by: Scott Beddall <scbedd@microsoft.com> * Return an error when you try to send a message that's too large. (#20721) This now works just like the message batch - you'll get an ErrMessageTooLarge if you attempt to send a message that's too large for the link's configured size. NOTE: there's a patch to `internal/go-amqp/Sender.go` to match what's in go-amqp's main so it returns a programmatically useful error when the message is too large. Fixes #20647 * Changes in test that is failing in pipeline (#20693) * [azservicebus, azeventhubs] Treat 'entity full' as a fatal error (#20722) When the remote entity is full we get a resource-limit-exceeded condition. This isn't something we should keep retrying on and it's best to just abort and let the user know immediately, rather than hoping it might eventually clear out. This affected both Event Hubs and Service Bus. Fixes #20647 * [azservicebus/azeventhubs] Redirect stderr and stdout to tee (#20726) * Update changelog with latest features (#20730) * Update changelog with latest features Prepare for upcoming release. * bump minor version * pass along the artifact name so we can override it later (#20732) Co-authored-by: scbedd <45376673+scbedd@users.noreply.github.com> * [azeventhubs] Fixing checkpoint store race condition (#20727) The checkpoint store wasn't guarding against multiple owners claiming for the first time - fixing this by using IfNoneMatch Fixes #20717 * Fix azidentity troubleshooting guide link (#20736) * [Release] sdk/resourcemanager/paloaltonetworksngfw/armpanngfw/0.1.0 (#20437) * [Release] sdk/resourcemanager/paloaltonetworksngfw/armpanngfw/0.1.0 generation from spec commit: 85fb4ac6f8bfefd179e6c2632976a154b5c9ff04 * client factory * fix * fix * update * add sdk/resourcemanager/postgresql/armpostgresql live test (#20685) * add sdk/resourcemanager/postgresql/armpostgresql live test * update assets.json * set subscriptionId default value * format * add sdk/resourcemanager/eventhub/armeventhub live test (#20686) * add sdk/resourcemanager/eventhub/armeventhub live test * update assets * add sdk/resourcemanager/compute/armcompute live test (#20048) * add sdk/resourcemanager/compute/armcompute live test * skus filter * fix subscriptionId default value * fix * gofmt * update recording * sdk/resourcemanager/network/armnetwork live test (#20331) * sdk/resourcemanager/network/armnetwork live test * update subscriptionId default value * update recording * add sdk/resourcemanager/cosmos/armcosmos live test (#20705) * add sdk/resourcemanager/cosmos/armcosmos live test * update assets.json * update assets.json * update assets.json * update assets.json * Increment package version after release of azcore (#20740) * [azeventhubs] Improperly resetting etag in the checkpoint store (#20737) We shouldn't be resetting the etag to nil - it's what we use to enforce a "single winner" when doing ownership claims. The bug here was two-fold: I had bad logic in my previous claim ownership, which I fixed in a previous PR, but we need to reflect that same constraint properly in our in-memory checkpoint store for these tests. * Eng workflows sync and branch cleanup additions (#20743) Co-authored-by: James Suplizio <jasupliz@microsoft.com> * [azeventhubs] Latest start position can also be inclusive (ie, get the latest message) (#20744) * Update GitHubEventProcessor version and remove pull_request_review procesing (#20751) Co-authored-by: James Suplizio <jasupliz@microsoft.com> * Rename DisableAuthorityValidationAndInstanceDiscovery (#20746) * fix (#20707) * AzFile (#20739) * azfile: Fixing connection string parsing logic (#20798) * Fixing connection string parse logic * Update README * [azadmin] fix flaky test (#20758) * fix flaky test * charles suggestion * Prepare azidentity v1.3.0 for release (#20756) * Fix broken podman link (#20801) Co-authored-by: Wes Haggard <weshaggard@users.noreply.github.com> * [azquery] update doc comments (#20755) * update doc comments * update statistics and visualization generation * prep-for-release * Fixed contribution section (#20752) Co-authored-by: Bob Tabor <rotabor@microsoft.com> * [azeventhubs,azservicebus] Some API cleanup, renames (#20754) * Adding options to UpdateCheckpoint(), just for future potential expansion * Make Offset an int64, not a *int64 (it's not optional, it'll always come back with ReceivedEvents) * Adding more logging into the checkpoint store. * Point all imports at the production go-amqp * Add supporting features to enable distributed tracing (#20301) (#20708) * Add supporting features to enable distributed tracing This includes new internal pipeline policies and other supporting types. See the changelog for a full description. Added some missing doc comments. * fix linter issue * add net.peer.name trace attribute sequence custom HTTP header policy before logging policy. sequence logging policy after HTTP trace policy. keep body download policy at the end. * add span for iterating over pages * Restore ARM CAE support for azcore beta (#20657) This reverts commit 9020972. * Upgrade to stable azcore (#20808) * Increment package version after release of data/azcosmos (#20807) * Updating changelog (#20810) * Add fake package to azcore (#20711) * Add fake package to azcore This is the supporting infrastructure for the generated SDK fakes. * fix doc comment * Updating CHANGELOG.md (#20809) * changelog (#20811) * Increment package version after release of storage/azfile (#20813) * Update changelog (azblob) (#20815) * Updating CHANGELOG.md * Update the changelog with correct version * [azquery] migration guide (#20742) * migration guide * Charles feedback * Richard feedback --------- Co-authored-by: Charles Lowell <10964656+chlowell@users.noreply.github.com> * Increment package version after release of monitor/azquery (#20820) * [keyvault] prep for release (#20819) * prep for release * perf tests * update date * added sas support * small fix * query params fix * fix * added some tests * added more tests * resolved some comments * added encoding --------- Co-authored-by: Joel Hendrix <jhendrix@microsoft.com> Co-authored-by: Matias Quaranta <ealsur@users.noreply.github.com> Co-authored-by: Richard Park <51494936+richardpark-msft@users.noreply.github.com> Co-authored-by: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com> Co-authored-by: Scott Beddall <scbedd@microsoft.com> Co-authored-by: siminsavani-msft <77068571+siminsavani-msft@users.noreply.github.com> Co-authored-by: scbedd <45376673+scbedd@users.noreply.github.com> Co-authored-by: Charles Lowell <10964656+chlowell@users.noreply.github.com> Co-authored-by: Peng Jiahui <46921893+Alancere@users.noreply.github.com> Co-authored-by: James Suplizio <jasupliz@microsoft.com> Co-authored-by: Sourav Gupta <98318303+souravgupta-msft@users.noreply.github.com> Co-authored-by: gracewilcox <43627800+gracewilcox@users.noreply.github.com> Co-authored-by: Wes Haggard <weshaggard@users.noreply.github.com> Co-authored-by: Bob Tabor <bob.tabor@microsoft.com> Co-authored-by: Bob Tabor <rotabor@microsoft.com>
Azure · Jun 19, 2023 · c09de0b · c09de0b
1 parent bcd2b48
commit c09de0b
Show file tree

Hide file tree

Showing 11 changed files with 2,012 additions and 2 deletions.
diff --git a/sdk/storage/azdatalake/common.go b/sdk/storage/azdatalake/common.go
@@ -16,8 +16,6 @@ type ClientOptions struct {
 	azcore.ClientOptions
 }
 
-const SnapshotTimeFormat = "2006-01-02T15:04:05.0000000Z07:00"
-
 // AccessConditions identifies container-specific access conditions which you optionally set.
 type AccessConditions struct {
 	ModifiedAccessConditions *ModifiedAccessConditions

diff --git a/sdk/storage/azdatalake/internal/exported/exported.go b/sdk/storage/azdatalake/internal/exported/exported.go
@@ -11,6 +11,8 @@ import (
 	"strconv"
 )
 
+const SnapshotTimeFormat = "2006-01-02T15:04:05.0000000Z07:00"
+
 // HTTPRange defines a range of bytes within an HTTP resource, starting at offset and
 // ending at offset+count. A zero-value HTTPRange indicates the entire resource. An HTTPRange
 // which has an offset but no zero value count indicates from the offset to the resource's end.

diff --git a/sdk/storage/azdatalake/internal/exported/user_delegation_credential.go b/sdk/storage/azdatalake/internal/exported/user_delegation_credential.go
@@ -0,0 +1,64 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package exported
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service"
+)
+
+// NewUserDelegationCredential creates a new UserDelegationCredential using a Storage account's Name and a user delegation Key from it
+func NewUserDelegationCredential(accountName string, udk UserDelegationKey) *UserDelegationCredential {
+	return &UserDelegationCredential{
+		accountName:       accountName,
+		userDelegationKey: udk,
+	}
+}
+
+// UserDelegationKey contains UserDelegationKey.
+type UserDelegationKey = service.UserDelegationKey
+
+// UserDelegationCredential contains an account's name and its user delegation key.
+type UserDelegationCredential struct {
+	accountName       string
+	userDelegationKey UserDelegationKey
+}
+
+// getAccountName returns the Storage account's Name
+func (f *UserDelegationCredential) getAccountName() string {
+	return f.accountName
+}
+
+// GetAccountName is a helper method for accessing the user delegation key parameters outside this package.
+func GetAccountName(udc *UserDelegationCredential) string {
+	return udc.getAccountName()
+}
+
+// computeHMACSHA256 generates a hash signature for an HTTP request or for a SAS.
+func (f *UserDelegationCredential) computeHMACSHA256(message string) (string, error) {
+	bytes, _ := base64.StdEncoding.DecodeString(*f.userDelegationKey.Value)
+	h := hmac.New(sha256.New, bytes)
+	_, err := h.Write([]byte(message))
+	return base64.StdEncoding.EncodeToString(h.Sum(nil)), err
+}
+
+// ComputeUDCHMACSHA256 is a helper method for computing the signed string outside this package.
+func ComputeUDCHMACSHA256(udc *UserDelegationCredential, message string) (string, error) {
+	return udc.computeHMACSHA256(message)
+}
+
+// getUDKParams returns UserDelegationKey
+func (f *UserDelegationCredential) getUDKParams() *UserDelegationKey {
+	return &f.userDelegationKey
+}
+
+// GetUDKParams is a helper method for accessing the user delegation key parameters outside this package.
+func GetUDKParams(udc *UserDelegationCredential) *UserDelegationKey {
+	return udc.getUDKParams()
+}
diff --git a/sdk/storage/azdatalake/sas/account.go b/sdk/storage/azdatalake/sas/account.go
@@ -0,0 +1,226 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+package sas
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azdatalake/internal/exported"
+)
+
+// SharedKeyCredential contains an account's name and its primary or secondary key.
+type SharedKeyCredential = exported.SharedKeyCredential
+
+// UserDelegationCredential contains an account's name and its user delegation key.
+type UserDelegationCredential = exported.UserDelegationCredential
+
+// AccountSignatureValues is used to generate a Shared Access Signature (SAS) for an Azure Storage account.
+// For more information, see https://docs.microsoft.com/rest/api/storageservices/constructing-an-account-sas
+type AccountSignatureValues struct {
+	Version       string    `param:"sv"`  // If not specified, this format to SASVersion
+	Protocol      Protocol  `param:"spr"` // See the SASProtocol* constants
+	StartTime     time.Time `param:"st"`  // Not specified if IsZero
+	ExpiryTime    time.Time `param:"se"`  // Not specified if IsZero
+	Permissions   string    `param:"sp"`  // Create by initializing AccountPermissions and then call String()
+	IPRange       IPRange   `param:"sip"`
+	ResourceTypes string    `param:"srt"` // Create by initializing AccountResourceTypes and then call String()
+}
+
+// SignWithSharedKey uses an account's shared key credential to sign this signature values to produce
+// the proper SAS query parameters.
+func (v AccountSignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKeyCredential) (QueryParameters, error) {
+	// https://docs.microsoft.com/en-us/rest/api/storageservices/Constructing-an-Account-SAS
+	if v.ExpiryTime.IsZero() || v.Permissions == "" || v.ResourceTypes == "" {
+		return QueryParameters{}, errors.New("account SAS is missing at least one of these: ExpiryTime, Permissions, Service, or ResourceType")
+	}
+	if v.Version == "" {
+		v.Version = Version
+	}
+	perms, err := parseAccountPermissions(v.Permissions)
+	if err != nil {
+		return QueryParameters{}, err
+	}
+	v.Permissions = perms.String()
+
+	resources, err := parseAccountResourceTypes(v.ResourceTypes)
+	if err != nil {
+		return QueryParameters{}, err
+	}
+	v.ResourceTypes = resources.String()
+
+	startTime, expiryTime := formatTimesForSigning(v.StartTime, v.ExpiryTime)
+
+	stringToSign := strings.Join([]string{
+		sharedKeyCredential.AccountName(),
+		v.Permissions,
+		"b", // blob service
+		v.ResourceTypes,
+		startTime,
+		expiryTime,
+		v.IPRange.String(),
+		string(v.Protocol),
+		v.Version,
+		""}, // That is right, the account SAS requires a terminating extra newline
+		"\n")
+
+	signature, err := exported.ComputeHMACSHA256(sharedKeyCredential, stringToSign)
+	if err != nil {
+		return QueryParameters{}, err
+	}
+	p := QueryParameters{
+		// Common SAS parameters
+		version:     v.Version,
+		protocol:    v.Protocol,
+		startTime:   v.StartTime,
+		expiryTime:  v.ExpiryTime,
+		permissions: v.Permissions,
+		ipRange:     v.IPRange,
+
+		// Account-specific SAS parameters
+		services:      "b", // will always be "b"
+		resourceTypes: v.ResourceTypes,
+
+		// Calculated SAS signature
+		signature: signature,
+	}
+
+	return p, nil
+}
+
+// AccountPermissions type simplifies creating the permissions string for an Azure Storage Account SAS.
+// Initialize an instance of this type and then call its String method to set AccountSignatureValues' Permissions field.
+type AccountPermissions struct {
+	Read, Write, Delete, DeletePreviousVersion, PermanentDelete, List, Add, Create, Update, Process, FilterByTags, Tag, SetImmutabilityPolicy bool
+}
+
+// String produces the SAS permissions string for an Azure Storage account.
+// Call this method to set AccountSignatureValues' Permissions field.
+func (p *AccountPermissions) String() string {
+	var buffer bytes.Buffer
+	if p.Read {
+		buffer.WriteRune('r')
+	}
+	if p.Write {
+		buffer.WriteRune('w')
+	}
+	if p.Delete {
+		buffer.WriteRune('d')
+	}
+	if p.DeletePreviousVersion {
+		buffer.WriteRune('x')
+	}
+	if p.PermanentDelete {
+		buffer.WriteRune('y')
+	}
+	if p.List {
+		buffer.WriteRune('l')
+	}
+	if p.Add {
+		buffer.WriteRune('a')
+	}
+	if p.Create {
+		buffer.WriteRune('c')
+	}
+	if p.Update {
+		buffer.WriteRune('u')
+	}
+	if p.Process {
+		buffer.WriteRune('p')
+	}
+	if p.FilterByTags {
+		buffer.WriteRune('f')
+	}
+	if p.Tag {
+		buffer.WriteRune('t')
+	}
+	if p.SetImmutabilityPolicy {
+		buffer.WriteRune('i')
+	}
+	return buffer.String()
+}
+
+// Parse initializes the AccountPermissions' fields from a string.
+func parseAccountPermissions(s string) (AccountPermissions, error) {
+	p := AccountPermissions{} // Clear out the flags
+	for _, r := range s {
+		switch r {
+		case 'r':
+			p.Read = true
+		case 'w':
+			p.Write = true
+		case 'd':
+			p.Delete = true
+		case 'x':
+			p.DeletePreviousVersion = true
+		case 'y':
+			p.PermanentDelete = true
+		case 'l':
+			p.List = true
+		case 'a':
+			p.Add = true
+		case 'c':
+			p.Create = true
+		case 'u':
+			p.Update = true
+		case 'p':
+			p.Process = true
+		case 't':
+			p.Tag = true
+		case 'f':
+			p.FilterByTags = true
+		case 'i':
+			p.SetImmutabilityPolicy = true
+		default:
+			return AccountPermissions{}, fmt.Errorf("invalid permission character: '%v'", r)
+		}
+	}
+	return p, nil
+}
+
+// AccountResourceTypes type simplifies creating the resource types string for an Azure Storage Account SAS.
+// Initialize an instance of this type and then call its String method to set AccountSignatureValues' ResourceTypes field.
+type AccountResourceTypes struct {
+	Service, Container, Object bool
+}
+
+// String produces the SAS resource types string for an Azure Storage account.
+// Call this method to set AccountSignatureValues' ResourceTypes field.
+func (rt *AccountResourceTypes) String() string {
+	var buffer bytes.Buffer
+	if rt.Service {
+		buffer.WriteRune('s')
+	}
+	if rt.Container {
+		buffer.WriteRune('c')
+	}
+	if rt.Object {
+		buffer.WriteRune('o')
+	}
+	return buffer.String()
+}
+
+// parseAccountResourceTypes initializes the AccountResourceTypes' fields from a string.
+func parseAccountResourceTypes(s string) (AccountResourceTypes, error) {
+	rt := AccountResourceTypes{}
+	for _, r := range s {
+		switch r {
+		case 's':
+			rt.Service = true
+		case 'c':
+			rt.Container = true
+		case 'o':
+			rt.Object = true
+		default:
+			return AccountResourceTypes{}, fmt.Errorf("invalid resource type character: '%v'", r)
+		}
+	}
+	return rt, nil
+}