Closed dkarlovi closed 4 years ago
@dkarlovi Currently a proxy can be created with storage account key or SAS.
If we integrate SharedAccessSignatureHelper into Proxy, however, we will find out that only proxies created with account key are able to generate SAS URLs. Proxies created with SAS are not able to generate a SAS URL. It's decided by the SAS token generation algorithm. https://docs.microsoft.com/en-us/rest/api/storageservices/constructing-an-account-sas
Integrating SharedAccessSignatureHelper into Proxy won't help solve the above problem.
@XiaoningLiu thanks for your reply.
I feel like having the proxy method throw an exception if not able to generate the SAS URL would suffice here: you (the developer) get informed the operation failed and why, also how to fix it if desired.
On the other hand, if you have created a proxy with storage credentials, you get the benefit of using the SAS generator easily, without tracking down how to use it somewhere else, wrapping in helper methods, etc. It seems reasonable to me.
As suggested in https://github.com/Azure/azure-storage-php/issues/97#issuecomment-321783198:
Might consider introducing a new class, SharedAccessSignatureRequest (or similar) which could simplify the code here. Functionally the same as a TLS CSR sent to a CA when requesting a new HTTPS key.
To expand on this: as it stands, creating a SAS is quite involved, as evidenced by the params required in the helper method.
My suggestion is: create a value object ("model") SharedAccessSignatureRequest
which would encapsulate all the SAS params validation and normalization. It would mean your method would accept exactly one param and be much easier to proxy in the... well, Proxy. :) A reasonable thing would be to also introduce a SharedAccessSignature
response which can provide either the token or the full URL, as mentioned before.
Rough idea outline:
class SharedAccessSignatureRequest
{
public function__construct($resourceName, $permissions, \DateTime $expiry)
public function setStart(\DateTime $start);
// etc.
}
class SharedAccessSignature
{
// full SAS URL, so there's no need to concatenate strings in user app
public function getResourceUrl(): string
// only the token, so there's no need to parse the URL for it
public function getToken(): string
// etc.
}
class BlobProxy
{
public function generateSharedAccessSignature(SharedAccessSignatureRequest $request): SharedAccessSignature
}
Sorry for late response. Actually I'm still concern about the "throw an exception if not able to generate the SAS URL". In the future, the client library will add support for OAuth, which could create a proxy using OAuth token. In this case, it still cannot generate a SAS token.
Since there is no more actionable items on this issue, we will close this issue. Feel free to reopen or submit another issue.
Just found this issue again since I'm looking to generate a SAS URL again from the blob proxy. It being unable to do it is quite a PITA.
Currently I'm using the SDK from within a Symfony app and need to generate the \MicrosoftAzure\Storage\Common\Internal\StorageServiceSettings
as a service which I then inject into a factory for the shared signature helper.
Should be able to generate SAS URLs directly from Proxy. See https://github.com/Azure/azure-storage-php/issues/78#issuecomment-320588632