Azure · souravgupta-msft · Mar 14, 2023 · Mar 9, 2023 · Mar 10, 2023 · Mar 10, 2023
@@ -29,9 +29,9 @@ type AccountSignatureValues struct {
 	Protocol      Protocol  `param:"spr"` // See the SASProtocol* constants
 	StartTime     time.Time `param:"st"`  // Not specified if IsZero
 	ExpiryTime    time.Time `param:"se"`  // Not specified if IsZero
-	Permissions   string    `param:"sp"`  // Create by initializing a AccountSASPermissions and then call String()
+	Permissions   string    `param:"sp"`  // Create by initializing AccountPermissions and then call String()
 	IPRange       IPRange   `param:"sip"`
-	ResourceTypes string    `param:"srt"` // Create by initializing AccountSASResourceTypes and then call String()
+	ResourceTypes string    `param:"srt"` // Create by initializing AccountResourceTypes and then call String()
 }
 
 // SignWithSharedKey uses an account's shared key credential to sign this signature values to produce
@@ -50,6 +50,12 @@ func (v AccountSignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKey
 	}
 	v.Permissions = perms.String()
 
+	resources, err := parseAccountResourceTypes(v.ResourceTypes)
+	if err != nil {
+		return QueryParameters{}, err
+	}
+	v.ResourceTypes = resources.String()
+
 	startTime, expiryTime, _ := formatTimesForSigning(v.StartTime, v.ExpiryTime, time.Time{})
 
 	stringToSign := strings.Join([]string{
@@ -90,13 +96,13 @@ func (v AccountSignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKey
 }
 
 // AccountPermissions type simplifies creating the permissions string for an Azure Storage Account SAS.
-// Initialize an instance of this type and then call its String method to set AccountSASSignature value's Permissions field.
+// Initialize an instance of this type and then call its String method to set AccountSignatureValues' Permissions field.
 type AccountPermissions struct {
 	Read, Write, Delete, DeletePreviousVersion, PermanentDelete, List, Add, Create, Update, Process, FilterByTags, Tag, SetImmutabilityPolicy bool
 }
 
 // String produces the SAS permissions string for an Azure Storage account.
-// Call this method to set AccountSASSignatureValues' Permissions field.
+// Call this method to set AccountSignatureValues' Permissions field.
 func (p *AccountPermissions) String() string {
 	var buffer bytes.Buffer
 	if p.Read {
@@ -141,7 +147,7 @@ func (p *AccountPermissions) String() string {
 	return buffer.String()
 }
 
-// Parse initializes the AccountSASPermissions' fields from a string.
+// Parse initializes the AccountPermissions' fields from a string.
 func parseAccountPermissions(s string) (AccountPermissions, error) {
 	p := AccountPermissions{} // Clear out the flags
 	for _, r := range s {
@@ -180,13 +186,13 @@ func parseAccountPermissions(s string) (AccountPermissions, error) {
 }
 
 // AccountResourceTypes type simplifies creating the resource types string for an Azure Storage Account SAS.
-// Initialize an instance of this type and then call its String method to set AccountSASSignatureValues' ResourceTypes field.
+// Initialize an instance of this type and then call its String method to set AccountSignatureValues' ResourceTypes field.
 type AccountResourceTypes struct {
 	Service, Container, Object bool
 }
 
 // String produces the SAS resource types string for an Azure Storage account.
-// Call this method to set AccountSASSignatureValues' ResourceTypes field.
+// Call this method to set AccountSignatureValues' ResourceTypes field.
 func (rt *AccountResourceTypes) String() string {
 	var buffer bytes.Buffer
 	if rt.Service {
@@ -200,3 +206,21 @@ func (rt *AccountResourceTypes) String() string {
 	}
 	return buffer.String()
 }
+
+// parseAccountResourceTypes initializes the AccountResourceTypes' fields from a string.
+func parseAccountResourceTypes(s string) (AccountResourceTypes, error) {
+	rt := AccountResourceTypes{}
+	for _, r := range s {
+		switch r {
+		case 's':
+			rt.Service = true
+		case 'c':
+			rt.Container = true
+		case 'o':
+			rt.Object = true
+		default:
+			return AccountResourceTypes{}, fmt.Errorf("invalid resource type character: '%v'", r)
+		}
+	}
+	return rt, nil
+}
@@ -131,6 +131,38 @@ func TestAccountResourceTypes_String(t *testing.T) {
 	}
 }
 
+func TestAccountResourceTypes_Parse(t *testing.T) {
+	testdata := []struct {
+		input    string
+		expected AccountResourceTypes
+	}{
+		{expected: AccountResourceTypes{Service: true}, input: "s"},
+		{expected: AccountResourceTypes{Container: true}, input: "c"},
+		{expected: AccountResourceTypes{Object: true}, input: "o"},
+		{expected: AccountResourceTypes{
+			Service:   true,
+			Container: true,
+			Object:    true,
+		}, input: "sco"},
+		{expected: AccountResourceTypes{
+			Service:   true,
+			Container: true,
+			Object:    true,
+		}, input: "osc"},
+	}
+	for _, c := range testdata {
+		permissions, err := parseAccountResourceTypes(c.input)
+		require.Nil(t, err)
+		require.Equal(t, c.expected, permissions)
+	}
+}
+
+func TestAccountResourceTypes_ParseNegative(t *testing.T) {
+	_, err := parseAccountResourceTypes("scoz") // Here 'z' is invalid
+	require.NotNil(t, err)
+	require.Contains(t, err.Error(), "122")
+}
+
 // TODO: Sign With Shared Key
 // Negative Case
 // Version not provided

@@ -8,6 +8,7 @@ package sas
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -24,7 +25,7 @@ type BlobSignatureValues struct {
 	StartTime            time.Time `param:"st"`  // Not specified if IsZero
 	ExpiryTime           time.Time `param:"se"`  // Not specified if IsZero
 	SnapshotTime         time.Time
-	Permissions          string  `param:"sp"` // Create by initializing a ContainerSASPermissions or BlobSASPermissions and then call String()
+	Permissions          string  `param:"sp"` // Create by initializing ContainerPermissions or BlobPermissions and then call String()
 	IPRange              IPRange `param:"sip"`
 	Identifier           string  `param:"si"`
 	ContainerName        string
@@ -50,8 +51,8 @@ func getDirectoryDepth(path string) string {
 
 // SignWithSharedKey uses an account's SharedKeyCredential to sign this signature values to produce the proper SAS query parameters.
 func (v BlobSignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKeyCredential) (QueryParameters, error) {
-	if sharedKeyCredential == nil {
-		return QueryParameters{}, fmt.Errorf("cannot sign SAS query without Shared Key Credential")
+	if v.ExpiryTime.IsZero() || v.Permissions == "" {
+		return QueryParameters{}, errors.New("service SAS is missing at least one of these: ExpiryTime or Permissions")
 	}
 
 	//Make sure the permission characters are in the correct order
@@ -141,6 +142,10 @@ func (v BlobSignatureValues) SignWithUserDelegation(userDelegationCredential *Us
 		return QueryParameters{}, fmt.Errorf("cannot sign SAS query without User Delegation Key")
 	}
 
+	if v.ExpiryTime.IsZero() || v.Permissions == "" {
+		return QueryParameters{}, errors.New("user delegation SAS is missing at least one of these: ExpiryTime or Permissions")
+	}
+
 	// Parse the resource
 	resource := "c"
 	if !v.SnapshotTime.IsZero() {
@@ -261,15 +266,15 @@ func getCanonicalName(account string, containerName string, blobName string, dir
 }
 
 // ContainerPermissions type simplifies creating the permissions string for an Azure Storage container SAS.
-// Initialize an instance of this type and then call its String method to set BlobSASSignatureValues' Permissions field.
+// Initialize an instance of this type and then call its String method to set BlobSignatureValues' Permissions field.
 // All permissions descriptions can be found here: https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas#permissions-for-a-directory-container-or-blob
 type ContainerPermissions struct {
 	Read, Add, Create, Write, Delete, DeletePreviousVersion, List, FilterByTags, Move, SetImmutabilityPolicy bool
 	Execute, ModifyOwnership, ModifyPermissions                                                              bool // Meant for hierarchical namespace accounts
 }
 
 // String produces the SAS permissions string for an Azure Storage container.
-// Call this method to set BlobSASSignatureValues' Permissions field.
+// Call this method to set BlobSignatureValues' Permissions field.
 func (p *ContainerPermissions) String() string {
 	var b bytes.Buffer
 	if p.Read {
@@ -353,7 +358,7 @@ func parseContainerPermissions(s string) (ContainerPermissions, error) {
 }
 
 // BlobPermissions type simplifies creating the permissions string for an Azure Storage blob SAS.
-// Initialize an instance of this type and then call its String method to set BlobSASSignatureValues' Permissions field.
+// Initialize an instance of this type and then call its String method to set BlobSignatureValues' Permissions field.
 type BlobPermissions struct {
 	Read, Add, Create, Write, Delete, DeletePreviousVersion, PermanentDelete, List, Tag, Move, Execute, Ownership, Permissions, SetImmutabilityPolicy bool
 }

@@ -26,9 +26,9 @@ type AccountSignatureValues struct {
 	Protocol      Protocol  `param:"spr"` // See the SASProtocol* constants
 	StartTime     time.Time `param:"st"`  // Not specified if IsZero
 	ExpiryTime    time.Time `param:"se"`  // Not specified if IsZero
-	Permissions   string    `param:"sp"`  // Create by initializing a AccountSASPermissions and then call String()
+	Permissions   string    `param:"sp"`  // Create by initializing a AccountPermissions and then call String()
 	IPRange       IPRange   `param:"sip"`
-	ResourceTypes string    `param:"srt"` // Create by initializing AccountSASResourceTypes and then call String()
+	ResourceTypes string    `param:"srt"` // Create by initializing AccountResourceTypes and then call String()
 }
 
 // SignWithSharedKey uses an account's shared key credential to sign this signature values to produce
@@ -47,6 +47,12 @@ func (v AccountSignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKey
 	}
 	v.Permissions = perms.String()
 
+	resources, err := parseAccountResourceTypes(v.ResourceTypes)
+	if err != nil {
+		return QueryParameters{}, err
+	}
+	v.ResourceTypes = resources.String()
+
 	startTime, expiryTime := formatTimesForSigning(v.StartTime, v.ExpiryTime)
 
 	stringToSign := strings.Join([]string{
@@ -87,13 +93,13 @@ func (v AccountSignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKey
 }
 
 // AccountPermissions type simplifies creating the permissions string for an Azure Storage Account SAS.
-// Initialize an instance of this type and then call its String method to set AccountSASSignatureValues' Permissions field.
+// Initialize an instance of this type and then call its String method to set AccountSignatureValues' Permissions field.
 type AccountPermissions struct {
 	Read, Write, Delete, DeletePreviousVersion, PermanentDelete, List, Add, Create, Update, Process, Tag, FilterByTags, SetImmutabilityPolicy bool
 }
 
 // String produces the SAS permissions string for an Azure Storage account.
-// Call this method to set AccountSASSignatureValues's Permissions field.
+// Call this method to set AccountSignatureValues' Permissions field.
 func (p *AccountPermissions) String() string {
 	var buffer bytes.Buffer
 	if p.Read {
@@ -138,7 +144,7 @@ func (p *AccountPermissions) String() string {
 	return buffer.String()
 }
 
-// Parse initializes the AccountSASPermissions' fields from a string.
+// Parse initializes the AccountPermissions' fields from a string.
 func parseAccountPermissions(s string) (AccountPermissions, error) {
 	p := AccountPermissions{} // Clear out the flags
 	for _, r := range s {
@@ -177,13 +183,13 @@ func parseAccountPermissions(s string) (AccountPermissions, error) {
 }
 
 // AccountResourceTypes type simplifies creating the resource types string for an Azure Storage Account SAS.
-// Initialize an instance of this type and then call its String method to set AccountSASSignatureValues' ResourceTypes field.
+// Initialize an instance of this type and then call its String method to set AccountSignatureValues' ResourceTypes field.
 type AccountResourceTypes struct {
 	Service, Container, Object bool
 }
 
 // String produces the SAS resource types string for an Azure Storage account.
-// Call this method to set AccountSASSignatureValues' ResourceTypes field.
+// Call this method to set AccountSignatureValues' ResourceTypes field.
 func (rt *AccountResourceTypes) String() string {
 	var buffer bytes.Buffer
 	if rt.Service {
@@ -197,3 +203,21 @@ func (rt *AccountResourceTypes) String() string {
 	}
 	return buffer.String()
 }
+
+// parseAccountResourceTypes initializes the AccountResourceTypes' fields from a string.
+func parseAccountResourceTypes(s string) (AccountResourceTypes, error) {
+	rt := AccountResourceTypes{}
+	for _, r := range s {
+		switch r {
+		case 's':
+			rt.Service = true
+		case 'c':
+			rt.Container = true
+		case 'o':
+			rt.Object = true
+		default:
+			return AccountResourceTypes{}, fmt.Errorf("invalid resource type character: '%v'", r)
+		}
+	}
+	return rt, nil
+}
@@ -131,6 +131,38 @@ func TestAccountResourceTypes_String(t *testing.T) {
 	}
 }
 
+func TestAccountResourceTypes_Parse(t *testing.T) {
+	testdata := []struct {
+		input    string
+		expected AccountResourceTypes
+	}{
+		{expected: AccountResourceTypes{Service: true}, input: "s"},
+		{expected: AccountResourceTypes{Container: true}, input: "c"},
+		{expected: AccountResourceTypes{Object: true}, input: "o"},
+		{expected: AccountResourceTypes{
+			Service:   true,
+			Container: true,
+			Object:    true,
+		}, input: "sco"},
+		{expected: AccountResourceTypes{
+			Service:   true,
+			Container: true,
+			Object:    true,
+		}, input: "osc"},
+	}
+	for _, c := range testdata {
+		permissions, err := parseAccountResourceTypes(c.input)
+		require.Nil(t, err)
+		require.Equal(t, c.expected, permissions)
+	}
+}
+
+func TestAccountResourceTypes_ParseNegative(t *testing.T) {
+	_, err := parseAccountResourceTypes("scoz") // Here 'z' is invalid
+	require.NotNil(t, err)
+	require.Contains(t, err.Error(), "122")
+}
+
 // TODO: Sign With Shared Key
 // Negative Case
 // Version not provided

@@ -87,13 +87,13 @@ func getCanonicalName(account string, queueName string) string {
 }
 
 // QueuePermissions type simplifies creating the permissions string for an Azure Storage Queue SAS.
-// Initialize an instance of this type and then call its String method to set QueueSASSignatureValues' Permissions field.
+// Initialize an instance of this type and then call its String method to set QueueSignatureValues' Permissions field.
 type QueuePermissions struct {
 	Read, Add, Update, Process bool
 }
 
 // String produces the SAS permissions string for an Azure Storage Queue.
-// Call this method to set QueueSASSignatureValues' Permissions field.
+// Call this method to set QueueSignatureValues' Permissions field.
 func (p *QueuePermissions) String() string {
 	var b bytes.Buffer
 	if p.Read {
@@ -111,7 +111,7 @@ func (p *QueuePermissions) String() string {
 	return b.String()
 }
 
-// Parse initializes the QueueSASPermissions' fields from a string.
+// Parse initializes the QueuePermissions' fields from a string.
 func parseQueuePermissions(s string) (QueuePermissions, error) {
 	p := QueuePermissions{}
 	for _, r := range s {