/
Sample02_Auth.cs
181 lines (159 loc) · 7.76 KB
/
Sample02_Auth.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
using System;
using System.Collections.Generic;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Sas;
using NUnit.Framework;
namespace Azure.Storage.Blobs.ChangeFeed.Samples
{
/// <summary>
/// Demonstrate various authorization and authentication mechanisms.
///
/// For more information, see
/// https://docs.microsoft.com/en-us/azure/storage/common/storage-auth
/// </summary>
public class Sample02_Auth : SampleTest
{
/// <summary>
/// Use a connection string to connect to a Storage account.
///
/// A connection string includes the authentication information
/// required for your application to access data in an Azure Storage
/// account at runtime using Shared Key authorization.
/// </summary>
[Test]
public void ConnectionStringAuth()
{
// Get a connection string to our Azure Storage account. You can
// obtain your connection string from the Azure Portal (click
// Access Keys under Settings in the Portal Storage account blade)
// or using the Azure CLI with:
//
// az storage account show-connection-string --name <account_name> --resource-group <resource_group>
//
// And you can provide the connection string to your application
// using an environment variable.
string connectionString = ConnectionString;
// Create a client that can authenticate with a connection string
BlobChangeFeedClient service = new BlobChangeFeedClient(connectionString);
List<BlobChangeFeedEvent> changeFeedEvents = new List<BlobChangeFeedEvent>();
// Make a service request to verify we've successfully authenticated
foreach (BlobChangeFeedEvent changeFeedEvent in service.GetChanges())
{
changeFeedEvents.Add(changeFeedEvent);
}
}
/// <summary>
/// Use a shared key to access a Storage Account.
///
/// Shared Key authorization relies on your account access keys and
/// other parameters to produce an encrypted signature string that is
/// passed on the request in the Authorization header.
/// </summary>
[Test]
public void SharedKeyAuth()
{
// Get a Storage account name, shared key, and endpoint Uri.
//
// You can obtain both from the Azure Portal by clicking Access
// Keys under Settings in the Portal Storage account blade.
//
// You can also get access to your account keys from the Azure CLI
// with:
//
// az storage account keys list --account-name <account_name> --resource-group <resource_group>
//
string accountName = StorageAccountName;
string accountKey = StorageAccountKey;
Uri serviceUri = StorageAccountBlobUri;
// Create a SharedKeyCredential that we can use to authenticate
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(accountName, accountKey);
// Create a client that can authenticate with a connection string
BlobChangeFeedClient service = new BlobChangeFeedClient(serviceUri, credential);
List<BlobChangeFeedEvent> changeFeedEvents = new List<BlobChangeFeedEvent>();
// Make a service request to verify we've successfully authenticated
foreach (BlobChangeFeedEvent changeFeedEvent in service.GetChanges())
{
changeFeedEvents.Add(changeFeedEvent);
}
}
/// <summary>
/// Use a shared access signature to acces a Storage Account.
///
/// A shared access signature (SAS) is a URI that grants restricted
/// access rights to Azure Storage resources. You can provide a shared
/// access signature to clients who should not be trusted with your
/// storage account key but to whom you wish to delegate access to
/// certain storage account resources. By distributing a shared access
/// signature URI to these clients, you can grant them access to a
/// resource for a specified period of time, with a specified set of
/// permissions.
/// </summary>
[Test]
public void SharedAccessSignatureAuth()
{
// Create a blob level SAS that allows reading change events from blob
// level APIs
AccountSasBuilder sas = new AccountSasBuilder
{
// Allow access to blobs
Services = AccountSasServices.Blobs,
// Allow access to the service level APIs
ResourceTypes = AccountSasResourceTypes.All,
// Access expires in 1 hour!
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
};
// Allow all access
sas.SetPermissions(AccountSasPermissions.All);
// Create a SharedKeyCredential that we can use to sign the SAS token
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(StorageAccountName, StorageAccountKey);
// Build a SAS URI
UriBuilder sasUri = new UriBuilder(StorageAccountBlobUri);
sasUri.Query = sas.ToSasQueryParameters(credential).ToString();
// Create a client that can authenticate with the SAS URI
BlobChangeFeedClient service = new BlobChangeFeedClient(sasUri.Uri);
List<BlobChangeFeedEvent> changeFeedEvents = new List<BlobChangeFeedEvent>();
// Make a service request to verify we've successfully authenticated
foreach (BlobChangeFeedEvent changeFeedEvent in service.GetChanges())
{
changeFeedEvents.Add(changeFeedEvent);
}
}
/// <summary>
/// Use an Active Directory token to access a Storage account.
///
/// Azure Storage provides integration with Azure Active Directory
/// (Azure AD) for identity-based authentication of requests to the
/// Blob and Queue services. With Azure AD, you can use role-based
/// access control (RBAC) to grant access to your Azure Storage
/// resources to users, groups, or applications. You can grant
/// permissions that are scoped to the level of an individual
/// container or queue.
///
/// To learn more about Azure AD integration in Azure Storage, see
/// https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad
/// </summary>
[Test]
public void ActiveDirectoryAuth()
{
// Create a token credential that can use our Azure Active
// Directory application to authenticate with Azure Storage
TokenCredential credential =
new ClientSecretCredential(
ActiveDirectoryTenantId,
ActiveDirectoryApplicationId,
ActiveDirectoryApplicationSecret,
new TokenCredentialOptions() { AuthorityHost = ActiveDirectoryAuthEndpoint });
// Create a client that can authenticate using our token credential
BlobChangeFeedClient service = new BlobChangeFeedClient(ActiveDirectoryBlobUri, credential);
List<BlobChangeFeedEvent> changeFeedEvents = new List<BlobChangeFeedEvent>();
// Make a service request to verify we've successfully authenticated
foreach (BlobChangeFeedEvent changeFeedEvent in service.GetChanges())
{
changeFeedEvents.Add(changeFeedEvent);
}
}
}
}