Microsoft Azure and SAS for PHP

2019-07-21 07:59发布

站内问答 / PHP
1569 2 5

i trying to create SAS link to blob resource using PHP. Unfortunately currently in azure SDK there is no method for creating SAS signature. I wrote a code for generating SAS but when i'm trying to get a resource by the link generated by this method i'm getting this message: Signature fields not well formed.

    public function getSharedAccessSignatureURL($container, $blob)
{
    $signedStart = date('c', strtotime('-1 day'));
    $signedExpiry = date('c', strtotime('+1 day'));
    $signedResource = 'b';
    $signedPermission = 'r';
    $signedIdentifier = '';
    $responseContent = "file; attachment";
    $responseType = "binary";

    $canonicalizedResource = '/'.$this->account['accountName'].'/'.$container.'/'.$blob;
    $signedVersion = '2014-02-14';

    $stringToSign =
        $signedPermission."\n".
        $signedStart."\n".
        $signedExpiry."\n".
        $canonicalizedResource."\n".
        $signedIdentifier."\n".
        $signedVersion;

    $signature = base64_encode(
        hash_hmac(
            'sha256',
            urldecode(utf8_encode($stringToSign)),
            $this->account['primaryKey'],
            true
        )
    );

    $arrayToUrl = [
        'sv='.urlencode($signedVersion),
        'st='.urlencode($signedStart),
        'se='.urlencode($signedExpiry),
        'sr='.urlencode($signedResource),
        'sp='.urlencode($signedPermission),
        'rscd='.urlencode($responseContent),
        'rsct='.urlencode($responseType),
        'sig='.urlencode($signature)
    ];

    $url =  'https://'.$this->account['accountName'].'.blob.core.windows.net'.'/'
        .$container.'/'
        .$blob.'?'.implode('&', $arrayToUrl);

    return $url;
}

Any suggest what i am doing wrong? I am commpletle newbie at Microsoft Azure

2条回答
看我几分像从前
2楼-- · 2019-07-21 08:05

I run into exactly the same problem. But now you can use MicrosoftAzure\Storage\Common\SharedAccessSignatureHelper which can handle a lot of problems for you. I has been added to the common libary 2 years ago in this PR (https://github.com/Azure/azure-storage-php/pull/73/files).

And it should be solved very simple like this:

$sasHelper = new SharedAccessSignatureHelper(
    'nameofyouraccount',
    'H...your-token...=='
);

$sas = $sasHelper->generateAccountSharedAccessSignatureToken(
    '2018-11-09',
    'rwl',
    'b',
    'sco',
    (new \DateTime())->modify('+10 minute'),
    (new \DateTime())->modify('-5 minute'),
    '',
    'https'
);

$connectionString = "BlobEndpoint=https://nameofyouraccount.blob.core.windows.net/;SharedAccessSignature={$sas}";

And you got your connection string!

查看更多
0人赞 添加讨论(0) 举报
爱情/是我丢掉的垃圾
3楼-- · 2019-07-21 08:26

I believe there's an issue with your $stringToSign variable. Based on the documentation here: http://msdn.microsoft.com/en-US/library/azure/dn140255.aspx, your string to sign should be constructed like the following:

StringToSign = signedpermissions + "\n"
               signedstart + "\n"
               signedexpiry + "\n"
               canonicalizedresource + "\n"
               signedidentifier + "\n"
               signedversion + "\n"
               rscc + "\n"
               rscd + "\n"
               rsce + "\n"
               rscl + "\n"
               rsct

considering you're including rscd and rsct in your SAS querystring. Please try the following and see if that makes the difference:

    $stringToSign =
            $signedPermission."\n".
            $signedStart."\n".
            $signedExpiry."\n".
            $canonicalizedResource."\n".
            $signedIdentifier."\n".
            $signedVersion."\n".
            "\n".
            $responseContent."\n".
            "\n".
            "\n".
            $responseType;

UPDATE

Please try the code below. Replace the account name/key, container name and blob name with appropriate values:

<?php
$signedStart = gmdate('Y-m-d\TH:i:s\Z', strtotime('-1 day'));
echo $signedStart."\n";
$signedExpiry = gmdate('Y-m-d\TH:i:s\Z', strtotime('+1 day'));
echo $signedExpiry."\n";
$signedResource = 'b';
$signedPermission = 'r';
$signedIdentifier = '';
$accountName = "[account name]";
$accountKey = "[account key]";
$container = "[container name]";
$blob = "[blob name]";
$canonicalizedResource = '/'.$accountName.'/'.$container.'/'.$blob;
$signedVersion = '2014-02-14';  
echo $canonicalizedResource."\n";
$rscc = '';
$rscd = 'file; attachment';//Content disposition
$rsce = '';
$rscl = '';
$rsct = 'binary';//Content type
$stringToSign = 
                $signedPermission."\n".
                $signedStart."\n".
                $signedExpiry."\n".
                $canonicalizedResource."\n".
                $signedIdentifier."\n".
                $signedVersion."\n".
                $rscc."\n".
                $rscd."\n".
                $rsce."\n".
                $rscl."\n".
                $rsct;


echo $stringToSign."\n";

$signature = base64_encode(
        hash_hmac(
            'sha256',
            $stringToSign,
            base64_decode($accountKey),
            true
        )
    );

echo $signature."\n";


$arrayToUrl = [
        'sv='.urlencode($signedVersion),
        'st='.urlencode($signedStart),
        'se='.urlencode($signedExpiry),
        'sr='.urlencode($signedResource),
        'sp='.urlencode($signedPermission),
        'rscd='.urlencode($rscd),
        'rsct='.urlencode($rsct),
        'sig='.urlencode($signature)
    ];

    $url =  'https://'.$accountName.'.blob.core.windows.net'.'/'
        .$container.'/'
        .$blob.'?'.implode('&', $arrayToUrl);

echo $url."\n";
?>

Essentially there were two issues (apart from incorrect $stringToSign variable):

  1. Start/End date time were not properly formatted.
  2. We would need to base64_decode the account key for calculating signature.
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)