azure-storage-blob - sas tokens for azurite container invalid in version 2.1.0

kuba-lilz commented 4 years ago

Package Name: azure-storage-blob
Package Version: 2.1.0
Operating System: OSX 10.15.5
Python Version: 3.8 Describe the bug sas tokens generated for files stored in azurite container (arafato/azurite:2.6.5) are invalid and container returns 403 response. For same code and data, but with azure-storage-blob==1.5.0 valid tokens are generated and data can be accessed. (sas tokens generated for real azure storage blob are valid with azure-storage-blob==2.1.0)

To Reproduce Steps to reproduce the behavior:

Sample code:

import datetime

import azure.storage.blob
import azure.storage.blob.sharedaccesssignature
import flask

APP = flask.Flask("my_app")

@APP.route("/")
def index():

    # Account credentials for azurite container ccount
    connection_string = "AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;DefaultEndpointsProtocol=http;BlobEndpoint=http://127.0.0.1:10000/devstoreaccount1;QueueEndpoint=http://127.0.0.1:10001/devstoreaccount1;TableEndpoint=http://127.0.0.1:10002/devstoreaccount1;"
    container_name = "sketchpad"
    account_name = "devstoreaccount1"
    account_key = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="

    shared_access = azure.storage.blob.sharedaccesssignature.BlobSharedAccessSignature(
        account_name=account_name,
        account_key=account_key)

    blob_storage = azure.storage.blob.BlockBlobService(connection_string=connection_string)

    urls = []

    images_blobs = [blob for blob in blob_storage.list_blobs(container_name=container_name) if ".jpg" in blob.name]

    for image_blob in images_blobs:

        access_signature = shared_access.generate_blob(
            container_name=container_name, blob_name=image_blob.name,
            permission=azure.storage.blob.BlobPermissions.READ,
            start=datetime.datetime.utcnow() - datetime.timedelta(minutes=10),
            expiry=datetime.datetime.utcnow() + datetime.timedelta(hours=1),
            content_type='image/jpeg'
        )

        url = blob_storage.make_blob_url(
            container_name=container_name,
            blob_name=image_blob.name,
            sas_token=access_signature)

        urls.append('<a href="{}">Image here</a>'.format(url))

    images_data = "<br>".join(urls)

    response = ("""
    <html>
    <body>
    {}
    </body>
    </html>
    """.format(images_data))

    return response

APP.run(use_reloader=True)

Expected behavior Generated URLs should be valid.

Screenshots Access log (from azurite container) and URL generated for file kitty_2.jpg in container sketchpad with azure-storage-blob==2.1.0

GET /devstoreaccount1/sketchpad/kitty_2.jpg?st=2020-06-24T05%3A58%3A04Z&se=2020-06-24T07%3A08%3A04Z&sp=r&sv=2019-02-02&sr=b&rsct=image/jpeg&sig=f21aCsoNKYVAKql%2BwvLHalvx6SP5nxylxu4sBlak%2Bkk%3D 403 0.889 ms - 240

URL generated for the same file with azure-storage-blob==1.5.0:

GET /devstoreaccount1/sketchpad/kitty_2.jpg?st=2020-06-24T06%3A02%3A31Z&se=2020-06-24T07%3A12%3A31Z&sp=r&sv=2018-03-28&sr=b&rsct=image/jpeg&sig=uSO6uFlEVGJm8A9cJQ8bnZdHjapd3LmX4eFgSpy6sT0%3D 200 4.385 ms - 9767

ghost commented 4 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

xiafu-msft commented 4 years ago

Hi @kuba-lilz

Thanks for reporting this, we will investigate a bit offline and get back to you!

Azure / azure-storage-python

azure-storage-blob - sas tokens for azurite container invalid in version 2.1.0 #668