Azure / Azurite

A lightweight server clone of Azure Storage that simulates most of the commands supported by it with minimal dependencies
MIT License

Container_GetAccountInfoWithHead: With write-only container SAS, should succeed. #320

Open blueww opened 4 years ago

blueww commented 4 years ago

Which service(blob, file, queue, table) does this issue concern?

blob

Which version of the Azurite was used?

3.3.0-preview

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

VS code

What's the Node.js version?

v10.15.3

What problem was encountered?

Container_GetAccountInfoWithHead: With write-only container SAS, should succeed.

Steps to reproduce the issue?

Create an account SAS with the following code, then create a new container object with the SAS, and use the account SAS to call GetAccountInfo on the container object. The product server will succeed; Azurite will fail.

            SharedAccessAccountPolicy sasAccountPolicy = new SharedAccessAccountPolicy()
            {
                SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-15),
                SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(30),
                Permissions = SharedAccessAccountPermissions.Write | SharedAccessAccountPermissions.Delete,
                Services = SharedAccessAccountServices.Blob,
                ResourceTypes = SharedAccessAccountResourceTypes.Object | SharedAccessAccountResourceTypes.Container
            };

Have you found a mitigation/solution?

Test Case:

Test Name:  CloudBlobContainerGetAccountProperties
Test FullName:  Microsoft.Azure.Storage.Blob.CloudBlobContainerTest.CloudBlobContainerGetAccountProperties
Test Source:    C:\code\azure-storage-net\Test\ClassLibraryCommon\Blob\CloudBlobContainerTest.cs : line 3838
Test Outcome:   Failed
Test Duration:  0:00:00.4463204

Result StackTrace:  
at Microsoft.Azure.Storage.Core.Executor.Executor.ExecuteAsync[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext, CancellationToken token) in C:\code\azure-storage-net\Lib\ClassLibraryCommon\Core\Executor\Executor.cs:line 274
   at Microsoft.Azure.Storage.Core.Executor.Executor.<>c__DisplayClass0_0`1.<ExecuteSync>b__0() in C:\code\azure-storage-net\Lib\ClassLibraryCommon\Core\Executor\Executor.cs:line 41
   at Microsoft.Azure.Storage.Core.Util.CommonUtility.RunWithoutSynchronizationContext[T](Func`1 actionToRun) in C:\code\azure-storage-net\Lib\Common\Core\Util\CommonUtility.cs:line 378
   at Microsoft.Azure.Storage.Core.Executor.Executor.ExecuteSync[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext) in C:\code\azure-storage-net\Lib\ClassLibraryCommon\Core\Executor\Executor.cs:line 40
   at Microsoft.Azure.Storage.Blob.CloudBlobContainer.GetAccountProperties(BlobRequestOptions requestOptions, OperationContext operationContext) in C:\code\azure-storage-net\Lib\ClassLibraryCommon\Blob\CloudBlobContainer.cs:line 2833
   at Microsoft.Azure.Storage.Blob.CloudBlobContainerTest.CloudBlobContainerGetAccountProperties() in C:\code\azure-storage-net\Test\ClassLibraryCommon\Blob\CloudBlobContainerTest.cs:line 3845
Result Message: 
Test method Microsoft.Azure.Storage.Blob.CloudBlobContainerTest.CloudBlobContainerGetAccountProperties threw exception: 
Microsoft.Azure.Storage.StorageException: This request is not authorized to perform this operation using this resource type.

Debug Log:

2019-12-17T09:06:30.258Z a926ba63-5517-4325-910c-11beab33b267 info: BlobStorageContextMiddleware: RequestMethod=HEAD RequestURL=http://127.0.0.1/devstoreaccount1/nf09e48638e744e67b0f94ddca8e8644d?sv=2019-02-02&sig=PpMDAHX60jlEZ8XoEgKN0pBgwiqpMzlS5Nzxciipv7w%3D&st=2019-12-17T08%3A43%3A44Z&se=2019-12-17T09%3A28%3A44Z&srt=co&ss=b&sp=wd&api-version=2019-02-02&comp=properties&restype=account RequestHeaders:{"x-ms-client-request-id":"cd1f55ea-77de-4927-a04e-93a8cdbbd269","user-agent":"Azure-Storage/11.1.1 (.NET Core; Win32NT 6.2.9200.0)","x-ms-version":"2019-02-02","host":"127.0.0.1:10000"} ClientIP=127.0.0.1 Protocol=http HTTPVersion=1.1
2019-12-17T09:06:30.259Z a926ba63-5517-4325-910c-11beab33b267 info: BlobStorageContextMiddleware: Account=devstoreaccount1 Container=nf09e48638e744e67b0f94ddca8e8644d Blob=
2019-12-17T09:06:30.259Z a926ba63-5517-4325-910c-11beab33b267 verbose: DispatchMiddleware: Dispatching request...
2019-12-17T09:06:30.260Z a926ba63-5517-4325-910c-11beab33b267 info: DispatchMiddleware: Operation=Container_GetAccountInfoWithHead
2019-12-17T09:06:30.260Z a926ba63-5517-4325-910c-11beab33b267 verbose: AuthenticationMiddlewareFactory:createAuthenticationMiddleware() Validating authentications.
2019-12-17T09:06:30.260Z a926ba63-5517-4325-910c-11beab33b267 info: PublicAccessAuthenticator:validate() Start validation against public access.
2019-12-17T09:06:30.261Z a926ba63-5517-4325-910c-11beab33b267 debug: PublicAccessAuthenticator:validate() Getting account properties...
2019-12-17T09:06:30.261Z a926ba63-5517-4325-910c-11beab33b267 debug: PublicAccessAuthenticator:validate() Retrieved account name from context: devstoreaccount1, container: nf09e48638e744e67b0f94ddca8e8644d, blob: 
2019-12-17T09:06:30.264Z a926ba63-5517-4325-910c-11beab33b267 debug: PublicAccessAuthenticator:validate() Skip public access authentication. Cannot get public access type for container nf09e48638e744e67b0f94ddca8e8644d
2019-12-17T09:06:30.264Z a926ba63-5517-4325-910c-11beab33b267 info: BlobSharedKeyAuthenticator:validate() Start validation against account shared key authentication.
2019-12-17T09:06:30.265Z a926ba63-5517-4325-910c-11beab33b267 info: BlobSharedKeyAuthenticator:validate() Request doesn't include valid authentication header. Skip shared key authentication.
2019-12-17T09:06:30.265Z a926ba63-5517-4325-910c-11beab33b267 info: AccountSASAuthenticator:validate() Start validation against account Shared Access Signature pattern.
2019-12-17T09:06:30.265Z a926ba63-5517-4325-910c-11beab33b267 debug: AccountSASAuthenticator:validate() Getting account properties...
2019-12-17T09:06:30.265Z a926ba63-5517-4325-910c-11beab33b267 debug: AccountSASAuthenticator:validate() Retrieved account name from context: devstoreaccount1, container: nf09e48638e744e67b0f94ddca8e8644d, blob: 
2019-12-17T09:06:30.265Z a926ba63-5517-4325-910c-11beab33b267 debug: AccountSASAuthenticator:validate() Got account properties successfully.
2019-12-17T09:06:30.266Z a926ba63-5517-4325-910c-11beab33b267 debug: AccountSASAuthenticator:validate() Retrieved signature from URL parameter sig: PpMDAHX60jlEZ8XoEgKN0pBgwiqpMzlS5Nzxciipv7w=
2019-12-17T09:06:30.266Z a926ba63-5517-4325-910c-11beab33b267 debug: AccountSASAuthenticator:validate() Successfully got valid account SAS values from request. {"version":"2019-02-02","startTime":"2019-12-17T08:43:44Z","expiryTime":"2019-12-17T09:28:44Z","permissions":"wd","services":"b","resourceTypes":"co"}
2019-12-17T09:06:30.266Z a926ba63-5517-4325-910c-11beab33b267 info: AccountSASAuthenticator:validate() Validate signature based account key1.
2019-12-17T09:06:30.267Z a926ba63-5517-4325-910c-11beab33b267 debug: AccountSASAuthenticator:validate() String to sign is: "devstoreaccount1\nwd\nb\nco\n2019-12-17T08:43:44Z\n2019-12-17T09:28:44Z\n\n\n2019-02-02\n"
2019-12-17T09:06:30.267Z a926ba63-5517-4325-910c-11beab33b267 debug: AccountSASAuthenticator:validate() Calculated signature is: PpMDAHX60jlEZ8XoEgKN0pBgwiqpMzlS5Nzxciipv7w=
2019-12-17T09:06:30.267Z a926ba63-5517-4325-910c-11beab33b267 info: AccountSASAuthenticator:validate() Signature based on key1 validation passed.
2019-12-17T09:06:30.267Z a926ba63-5517-4325-910c-11beab33b267 info: AccountSASAuthenticator:validate() Validate start and expiry time.
2019-12-17T09:06:30.267Z a926ba63-5517-4325-910c-11beab33b267 info: AccountSASAuthenticator:validate() Validate IP range.
2019-12-17T09:06:30.268Z a926ba63-5517-4325-910c-11beab33b267 info: AccountSASAuthenticator:validate() Validate request protocol.
2019-12-17T09:06:30.268Z a926ba63-5517-4325-910c-11beab33b267 debug: AccountSASAuthenticator:validate() Got permission requirements for operation Container_GetAccountInfoWithHead - {"service":"b","resourceType":"s","permission":"r"}
2019-12-17T09:06:30.268Z a926ba63-5517-4325-910c-11beab33b267 error: ErrorMiddleware: Received a MiddlewareError, fill error information to HTTP response
2019-12-17T09:06:30.275Z a926ba63-5517-4325-910c-11beab33b267 error: ErrorMiddleware: ErrorName=StorageError ErrorMessage=This request is not authorized to perform this operation using this resource type.  ErrorHTTPStatusCode=403 ErrorHTTPStatusMessage=This request is not authorized to perform this operation using this resource type. ErrorHTTPHeaders={"x-ms-error-code":"AuthorizationResourceTypeMismatch","x-ms-request-id":"a926ba63-5517-4325-910c-11beab33b267"} ErrorHTTPBody="<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<Error>\n  <Code>AuthorizationResourceTypeMismatch</Code>\n  <Message>This request is not authorized to perform this operation using this resource type.\nRequestId:a926ba63-5517-4325-910c-11beab33b267\nTime:2019-12-17T09:06:30.268Z</Message>\n</Error>" ErrorStack="StorageError: This request is not authorized to perform this operation using this resource type.\n    at Function.getAuthorizationResourceTypeMismatch (C:\\code\\azurite\\src\\blob\\errors\\StorageErrorFactory.ts:351:12)\n    at AccountSASAuthenticator.validate (C:\\code\\azurite\\src\\blob\\authentication\\AccountSASAuthenticator.ts:226:33)\n    at AuthenticationMiddlewareFactory.authenticate (C:\\code\\azurite\\src\\blob\\authentication\\AuthenticationMiddlewareFactory.ts:48:34)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"
2019-12-17T09:06:30.275Z a926ba63-5517-4325-910c-11beab33b267 error: ErrorMiddleware: Set HTTP code: 403
2019-12-17T09:06:30.276Z a926ba63-5517-4325-910c-11beab33b267 error: ErrorMiddleware: Set HTTP status message: This request is not authorized to perform this operation using this resource type.
2019-12-17T09:06:30.276Z a926ba63-5517-4325-910c-11beab33b267 error: ErrorMiddleware: Set HTTP Header: x-ms-error-code=AuthorizationResourceTypeMismatch
2019-12-17T09:06:30.276Z a926ba63-5517-4325-910c-11beab33b267 error: ErrorMiddleware: Set HTTP Header: x-ms-request-id=a926ba63-5517-4325-910c-11beab33b267
2019-12-17T09:06:30.276Z a926ba63-5517-4325-910c-11beab33b267 error: ErrorMiddleware: Set content type: application/xml
2019-12-17T09:06:30.277Z a926ba63-5517-4325-910c-11beab33b267 error: ErrorMiddleware: Set HTTP body: "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<Error>\n  <Code>AuthorizationResourceTypeMismatch</Code>\n  <Message>This request is not authorized to perform this operation using this resource type.\nRequestId:a926ba63-5517-4325-910c-11beab33b267\nTime:2019-12-17T09:06:30.268Z</Message>\n</Error>"
2019-12-17T09:06:30.277Z a926ba63-5517-4325-910c-11beab33b267 info: EndMiddleware: End response. TotalTimeInMS=19 StatusCode=403 StatusMessage=This request is not authorized to perform this operation using this resource type. Headers={"server":"Azurite-Blob/3.3.0-preview","x-ms-error-code":"AuthorizationResourceTypeMismatch","x-ms-request-id":"a926ba63-5517-4325-910c-11beab33b267","content-type":"application/xml"}

Real server request:

HEAD https://***.blob.core.windows.net/test?sv=2019-02-02&sig=***&srt=co&ss=b&sp=wd&api-version=2019-02-02&comp=properties&restype=account HTTP/1.1
x-ms-client-request-id: 4d9c3e9e-f8ef-4524-b73b-d175ddfba9fd
User-Agent: Azure-Storage/11.2.0 (.NET Core; Win32NT 10.0.18363.0)
x-ms-version: 2019-02-02
Host: weistagelarge.blob.core.windows.net

HTTP/1.1 200 OK
Content-Length: 0
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 7bd4f111-901e-0049-4eb8-b4d0d0000000
x-ms-client-request-id: 4d9c3e9e-f8ef-4524-b73b-d175ddfba9fd
x-ms-version: 2019-02-02
x-ms-sku-name: Standard_LRS
x-ms-account-kind: StorageV2
Date: Tue, 17 Dec 2019 09:04:21 GMT
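
Triage for the debug log above, as an added example that is not part of the original issue or of Azurite's code: it pulls out the SAS grant (`sp=wd`, `srt=co`) and the requirement Azurite applied to Container_GetAccountInfoWithHead, then lists every dimension the SAS fails rather than only the first one the 403 reports. The helper names and the service-first check order are assumptions; the log lines are a trimmed copy of the entries above.

```typescript
// Added example, not Azurite source. Field names follow the debug log above.
type Fields = Record<string, string | undefined>;

// Constructed input: the two relevant debug entries from the log above,
// with the timestamp and request-id prefix trimmed.
const LOG_LINES: string[] = [
  'debug: AccountSASAuthenticator:validate() Successfully got valid account SAS values from request. ' +
    '{"version":"2019-02-02","startTime":"2019-12-17T08:43:44Z","expiryTime":"2019-12-17T09:28:44Z",' +
    '"permissions":"wd","services":"b","resourceTypes":"co"}',
  'debug: AccountSASAuthenticator:validate() Got permission requirements for operation ' +
    'Container_GetAccountInfoWithHead - {"service":"b","resourceType":"s","permission":"r"}',
];

// Return the JSON object that ends the first line containing `marker`, or null.
function findJson(lines: string[], marker: string): Fields | null {
  for (const line of lines) {
    const start = line.indexOf("{");
    if (line.indexOf(marker) < 0 || start < 0) continue;
    try { return JSON.parse(line.slice(start)) as Fields; } catch { return null; }
  }
  return null;
}

// True when the single-letter code `needed` appears in the granted string.
function grants(granted: string | undefined, needed: string | undefined): boolean {
  return !!granted && !!needed && granted.indexOf(needed) >= 0;
}

// Every dimension the SAS fails, in the order the log implies (resource type is
// reported although permission is missing too). Service-first is an assumption.
function mismatches(sas: Fields, req: Fields): string[] {
  const checks: [boolean, string][] = [
    [grants(sas.services, req.service), "AuthorizationServiceMismatch"],
    [grants(sas.resourceTypes, req.resourceType), "AuthorizationResourceTypeMismatch"],
    [grants(sas.permissions, req.permission), "AuthorizationPermissionMismatch"],
  ];
  return checks.filter((c) => !c[0]).map((c) => c[1]);
}

function diagnose(lines: string[]): string[] {
  const sas = findJson(lines, "valid account SAS values");
  const req = findJson(lines, "Got permission requirements");
  if (sas === null || req === null) throw new Error("log lacks the SAS or requirement entry");
  return mismatches(sas, req);
}

console.log(diagnose(LOG_LINES).join(", "));
```

Under this model the SAS fails two fields of the logged requirement (`resourceType` "s" and `permission` "r"), so a 403 would remain if only the resource-type field were relaxed.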

XiaoningLiu commented 4 years ago

Undocumented behavior, will fix post-GA.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.