Add shared access signature (SAS) authorization for Azure.
A shared access signature (SAS) provides granular, delegated access to resources in a storage account. This is often preferable to using a shared key, which grants broader access and is a greater security risk if compromised.
dwsteele committed Jul 9, 2020
1 parent 511e5db commit 2f7823c
Showing 14 changed files with 310 additions and 94 deletions.
12 changes: 12 additions & 0 deletions build/lib/pgBackRestBuild/Config/Data.pm
Expand Up @@ -219,6 +219,7 @@ use constant CFGOPT_REPO_AZURE_CA_PATH => CFGDEF_RE
use constant CFGOPT_REPO_AZURE_CONTAINER => CFGDEF_REPO_AZURE . '-container';
use constant CFGOPT_REPO_AZURE_HOST => CFGDEF_REPO_AZURE . '-host';
use constant CFGOPT_REPO_AZURE_KEY => CFGDEF_REPO_AZURE . '-key';
use constant CFGOPT_REPO_AZURE_KEY_TYPE => CFGDEF_REPO_AZURE . '-key-type';
use constant CFGOPT_REPO_AZURE_PORT => CFGDEF_REPO_AZURE . '-port';
use constant CFGOPT_REPO_AZURE_VERIFY_TLS => CFGDEF_REPO_AZURE . '-verify-tls';

Expand Down Expand Up @@ -1813,6 +1814,17 @@ my %hConfigDefine =
&CFGDEF_INHERIT => CFGOPT_REPO_AZURE_ACCOUNT,
},

&CFGOPT_REPO_AZURE_KEY_TYPE =>
{
&CFGDEF_INHERIT => CFGOPT_REPO_AZURE_CONTAINER,
&CFGDEF_DEFAULT => 'shared',
&CFGDEF_ALLOW_LIST =>
[
'shared',
'sas',
],
},

&CFGOPT_REPO_AZURE_PORT =>
{
&CFGDEF_SECTION => CFGDEF_SECTION_GLOBAL,
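Review bot: The new `CFGOPT_REPO_AZURE_KEY_TYPE` entry (lines 28-37) has no comment explaining why it inherits from `CFGOPT_REPO_AZURE_CONTAINER` rather than from `CFGOPT_REPO_AZURE_KEY`, the option whose interpretation it now controls. The generated define.auto.c in this commit shows the type as `CFGDEFDATA_OPTION_SECURE(false)` while the key stays `CFGDEFDATA_OPTION_SECURE(true)`, which looks like the reason (a SAS token is a credential, its type is not) but is only implied; I would add above the entry `# Inherit from container, not key, so the key type is not treated as a secret; repo-azure-key stays secure for both 'shared' and 'sas'.` The literal values `'shared'` and `'sas'` also appear verbatim in reference.xml and define.auto.c, so a short comment that this allow list is the source the generated C is derived from (if that is indeed how define.auto.c is produced) would help a maintainer adding a third type. The `%hConfigDefine` hash this entry belongs to begins and ends outside the hunk.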
19 changes: 16 additions & 3 deletions doc/xml/reference.xml
Expand Up @@ -357,14 +357,27 @@
</config-key>

<!-- ======================================================================================================= -->
<config-key id="repo-azure-key" name="Azure Repository Shared Key">
<summary>Azure repository shared key.</summary>
<config-key id="repo-azure-key" name="Azure Repository Key">
<summary>Azure repository key.</summary>

<text>Azure shared key used to access the container.</text>
<text>A shared key or shared access signature depending on the <br-option>repo-azure-key-type</br-option> option.</text>

<example>T+9+aov82qNhrcXSNGZCzm9mjd4d75/oxxOr6r1JVpgTLA==</example>
</config-key>

<!-- ======================================================================================================= -->
<config-key id="repo-azure-key-type" name="Azure Repository Key Type">
<summary>Azure repository key type.</summary>

<text>The following types are supported for authorization:
<ul>
<li><id>shared</id> - Shared key</li>
<li><id>sas</id> - Shared access signature</li>
</ul></text>

<example>sas</example>
</config-key>

<!-- ======================================================================================================= -->
<config-key id="repo-azure-port" name="Azure Repository Server Port">
<summary>Azure repository server port.</summary>
3 changes: 3 additions & 0 deletions doc/xml/release.xml
Expand Up @@ -28,6 +28,9 @@

<release-feature-list>
<release-item>
<commit subject="Azure support for repository storage."/>
<commit subject="Add shared access signature (SAS) authorization for Azure."/>

<release-item-contributor-list>
<release-item-reviewer id="cynthia.shang"/>
<!-- Actually tester, but we don't have a tag for that yet -->
4 changes: 4 additions & 0 deletions doc/xml/user-guide.xml
Expand Up @@ -140,6 +140,7 @@
<variable key="azure-account">pgbackrest</variable>
<variable key="azure-container">demo-container</variable>
<variable key="azure-repo">demo-repo</variable>
<variable key="azure-key-type">shared</variable>
<variable key="azure-key">YXpLZXk=</variable>

<!-- S3 Settings -->
Expand Down Expand Up @@ -626,6 +627,7 @@
<backrest-config-option section="global" key="repo1-type">azure</backrest-config-option>
<backrest-config-option section="global" key="repo1-path">/{[azure-repo]}</backrest-config-option>
<backrest-config-option section="global" key="repo1-azure-account">{[azure-account]}</backrest-config-option>
<backrest-config-option if="'{[azure-key-type]}' ne 'shared'" section="global" key="repo1-azure-key-type">{[azure-key-type]}</backrest-config-option>
<backrest-config-option section="global" key="repo1-azure-key">{[azure-key]}</backrest-config-option>
<backrest-config-option section="global" key="repo1-azure-container">{[azure-container]}</backrest-config-option>
<backrest-config-option if="'{[azure-local]}' eq 'y'" section="global" key="repo1-azure-host">blob.core.windows.net</backrest-config-option>
Expand All @@ -645,6 +647,8 @@
<exe-cmd>{[project-exe]} repo-create</exe-cmd>
</execute>
</execute-list>

<p>Shared access signatures may be used by setting the <br-option>repo1-azure-key-type</br-option> option to <id>sas</id> and the <br-option>repo1-azure-key</br-option> option to the shared access signature token.</p>
</block-define>

<!-- ======================================================================================================================= -->
9 changes: 9 additions & 0 deletions src/config/config.auto.c
Expand Up @@ -433,6 +433,7 @@ STRING_EXTERN(CFGOPT_REPO1_AZURE_CA_PATH_STR, CFGOPT_REPO1
STRING_EXTERN(CFGOPT_REPO1_AZURE_CONTAINER_STR, CFGOPT_REPO1_AZURE_CONTAINER);
STRING_EXTERN(CFGOPT_REPO1_AZURE_HOST_STR, CFGOPT_REPO1_AZURE_HOST);
STRING_EXTERN(CFGOPT_REPO1_AZURE_KEY_STR, CFGOPT_REPO1_AZURE_KEY);
STRING_EXTERN(CFGOPT_REPO1_AZURE_KEY_TYPE_STR, CFGOPT_REPO1_AZURE_KEY_TYPE);
STRING_EXTERN(CFGOPT_REPO1_AZURE_PORT_STR, CFGOPT_REPO1_AZURE_PORT);
STRING_EXTERN(CFGOPT_REPO1_AZURE_VERIFY_TLS_STR, CFGOPT_REPO1_AZURE_VERIFY_TLS);
STRING_EXTERN(CFGOPT_REPO1_CIPHER_PASS_STR, CFGOPT_REPO1_CIPHER_PASS);
Expand Down Expand Up @@ -1690,6 +1691,14 @@ static ConfigOptionData configOptionData[CFG_OPTION_TOTAL] = CONFIG_OPTION_LIST
CONFIG_OPTION_DEFINE_ID(cfgDefOptRepoAzureKey)
)

//------------------------------------------------------------------------------------------------------------------------------
CONFIG_OPTION
(
CONFIG_OPTION_NAME(CFGOPT_REPO1_AZURE_KEY_TYPE)
CONFIG_OPTION_INDEX(0)
CONFIG_OPTION_DEFINE_ID(cfgDefOptRepoAzureKeyType)
)

//------------------------------------------------------------------------------------------------------------------------------
CONFIG_OPTION
(
5 changes: 4 additions & 1 deletion src/config/config.auto.h
Expand Up @@ -353,6 +353,8 @@ Option constants
STRING_DECLARE(CFGOPT_REPO1_AZURE_HOST_STR);
#define CFGOPT_REPO1_AZURE_KEY "repo1-azure-key"
STRING_DECLARE(CFGOPT_REPO1_AZURE_KEY_STR);
#define CFGOPT_REPO1_AZURE_KEY_TYPE "repo1-azure-key-type"
STRING_DECLARE(CFGOPT_REPO1_AZURE_KEY_TYPE_STR);
#define CFGOPT_REPO1_AZURE_PORT "repo1-azure-port"
STRING_DECLARE(CFGOPT_REPO1_AZURE_PORT_STR);
#define CFGOPT_REPO1_AZURE_VERIFY_TLS "repo1-azure-verify-tls"
Expand Down Expand Up @@ -456,7 +458,7 @@ Option constants
#define CFGOPT_TYPE "type"
STRING_DECLARE(CFGOPT_TYPE_STR);

#define CFG_OPTION_TOTAL 201
#define CFG_OPTION_TOTAL 202

/***********************************************************************************************************************************
Command enum
Expand Down Expand Up @@ -640,6 +642,7 @@ typedef enum
cfgOptRepoAzureContainer,
cfgOptRepoAzureHost,
cfgOptRepoAzureKey,
cfgOptRepoAzureKeyType,
cfgOptRepoAzurePort,
cfgOptRepoAzureVerifyTls,
cfgOptRepoCipherPass,
66 changes: 64 additions & 2 deletions src/config/define.auto.c
Expand Up @@ -3167,10 +3167,10 @@ static ConfigDefineOptionData configDefineOptionData[] = CFGDEFDATA_OPTION_LIST
CFGDEFDATA_OPTION_SECURE(true)

CFGDEFDATA_OPTION_HELP_SECTION("repository")
CFGDEFDATA_OPTION_HELP_SUMMARY("Azure repository shared key.")
CFGDEFDATA_OPTION_HELP_SUMMARY("Azure repository key.")
CFGDEFDATA_OPTION_HELP_DESCRIPTION
(
"Azure shared key used to access the container."
"A shared key or shared access signature depending on the repo-azure-key-type option."
)

CFGDEFDATA_OPTION_COMMAND_LIST
Expand Down Expand Up @@ -3206,6 +3206,68 @@ static ConfigDefineOptionData configDefineOptionData[] = CFGDEFDATA_OPTION_LIST
)
)

// -----------------------------------------------------------------------------------------------------------------------------
CFGDEFDATA_OPTION
(
CFGDEFDATA_OPTION_NAME("repo-azure-key-type")
CFGDEFDATA_OPTION_REQUIRED(true)
CFGDEFDATA_OPTION_SECTION(cfgDefSectionGlobal)
CFGDEFDATA_OPTION_TYPE(cfgDefOptTypeString)
CFGDEFDATA_OPTION_INTERNAL(false)

CFGDEFDATA_OPTION_INDEX_TOTAL(1)
CFGDEFDATA_OPTION_SECURE(false)

CFGDEFDATA_OPTION_HELP_SECTION("repository")
CFGDEFDATA_OPTION_HELP_SUMMARY("Azure repository key type.")
CFGDEFDATA_OPTION_HELP_DESCRIPTION
(
"The following types are supported for authorization:\n"
"\n"
"* shared - Shared key\n"
"* sas - Shared access signature"
)

CFGDEFDATA_OPTION_COMMAND_LIST
(
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdArchiveGet)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdArchivePush)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdBackup)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdCheck)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdExpire)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdInfo)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdRepoCreate)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdRepoGet)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdRepoLs)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdRepoPut)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdRepoRm)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdRestore)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdStanzaCreate)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdStanzaDelete)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdStanzaUpgrade)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdStart)
CFGDEFDATA_OPTION_COMMAND(cfgDefCmdStop)
)

CFGDEFDATA_OPTION_OPTIONAL_LIST
(
CFGDEFDATA_OPTION_OPTIONAL_ALLOW_LIST
(
"shared",
"sas"
)

CFGDEFDATA_OPTION_OPTIONAL_DEPEND_LIST
(
cfgDefOptRepoType,
"azure"
)

CFGDEFDATA_OPTION_OPTIONAL_DEFAULT("shared")
CFGDEFDATA_OPTION_OPTIONAL_PREFIX("repo")
)
)

// -----------------------------------------------------------------------------------------------------------------------------
CFGDEFDATA_OPTION
(
1 change: 1 addition & 0 deletions src/config/define.auto.h
Expand Up @@ -118,6 +118,7 @@ typedef enum
cfgDefOptRepoAzureContainer,
cfgDefOptRepoAzureHost,
cfgDefOptRepoAzureKey,
cfgDefOptRepoAzureKeyType,
cfgDefOptRepoAzurePort,
cfgDefOptRepoAzureVerifyTls,
cfgDefOptRepoCipherPass,
13 changes: 13 additions & 0 deletions src/config/parse.auto.c
Expand Up @@ -1925,6 +1925,18 @@ static const struct option optionList[] =
.val = PARSE_OPTION_FLAG | PARSE_RESET_FLAG | cfgOptRepoAzureKey,
},

// repo-azure-key-type option
// -----------------------------------------------------------------------------------------------------------------------------
{
.name = CFGOPT_REPO1_AZURE_KEY_TYPE,
.has_arg = required_argument,
.val = PARSE_OPTION_FLAG | cfgOptRepoAzureKeyType,
},
{
.name = "reset-" CFGOPT_REPO1_AZURE_KEY_TYPE,
.val = PARSE_OPTION_FLAG | PARSE_RESET_FLAG | cfgOptRepoAzureKeyType,
},

// repo-azure-port option
// -----------------------------------------------------------------------------------------------------------------------------
{
Expand Down Expand Up @@ -2845,6 +2857,7 @@ static const ConfigOption optionResolveOrder[] =
cfgOptRepoAzureContainer,
cfgOptRepoAzureHost,
cfgOptRepoAzureKey,
cfgOptRepoAzureKeyType,
cfgOptRepoAzurePort,
cfgOptRepoAzureVerifyTls,
cfgOptRepoCipherPass,