299 lines
9.9 KiB
PHP
299 lines
9.9 KiB
PHP
<?php
|
|
/**
|
|
* Zend Framework
|
|
*
|
|
* LICENSE
|
|
*
|
|
* This source file is subject to the new BSD license that is bundled
|
|
* with this package in the file LICENSE.txt.
|
|
* It is also available through the world-wide-web at this URL:
|
|
* http://framework.zend.com/license/new-bsd
|
|
* If you did not receive a copy of the license and are unable to
|
|
* obtain it through the world-wide-web, please send an email
|
|
* to license@zend.com so we can send you a copy immediately.
|
|
*
|
|
* @category Zend
|
|
* @package Zend_Service_WindowsAzure
|
|
* @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
|
|
* @license http://framework.zend.com/license/new-bsd New BSD License
|
|
* @version $Id: SharedAccessSignature.php 24593 2012-01-05 20:35:02Z matthew $
|
|
*/
|
|
|
|
/**
|
|
* @see Zend_Service_WindowsAzure_Credentials_CredentialsAbstract
|
|
*/
|
|
require_once 'Zend/Service/WindowsAzure/Credentials/CredentialsAbstract.php';
|
|
|
|
/**
|
|
* @category Zend
|
|
* @package Zend_Service_WindowsAzure
|
|
* @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
|
|
* @license http://framework.zend.com/license/new-bsd New BSD License
|
|
*/
|
|
class Zend_Service_WindowsAzure_Credentials_SharedAccessSignature
|
|
extends Zend_Service_WindowsAzure_Credentials_CredentialsAbstract
|
|
{
|
|
/**
|
|
* Permission set
|
|
*
|
|
* @var array
|
|
*/
|
|
protected $_permissionSet = array();
|
|
|
|
/**
|
|
* Creates a new Zend_Service_WindowsAzure_Credentials_SharedAccessSignature instance
|
|
*
|
|
* @param string $accountName Account name for Windows Azure
|
|
* @param string $accountKey Account key for Windows Azure
|
|
* @param boolean $usePathStyleUri Use path-style URI's
|
|
* @param array $permissionSet Permission set
|
|
*/
|
|
public function __construct(
|
|
$accountName = Zend_Service_WindowsAzure_Credentials_CredentialsAbstract::DEVSTORE_ACCOUNT,
|
|
$accountKey = Zend_Service_WindowsAzure_Credentials_CredentialsAbstract::DEVSTORE_KEY,
|
|
$usePathStyleUri = false, $permissionSet = array()
|
|
) {
|
|
parent::__construct($accountName, $accountKey, $usePathStyleUri);
|
|
$this->_permissionSet = $permissionSet;
|
|
}
|
|
|
|
/**
|
|
* Get permission set
|
|
*
|
|
* @return array
|
|
*/
|
|
public function getPermissionSet()
|
|
{
|
|
return $this->_permissionSet;
|
|
}
|
|
|
|
/**
|
|
* Set permisison set
|
|
*
|
|
* Warning: fine-grained permissions should be added prior to coarse-grained permissions.
|
|
* For example: first add blob permissions, end with container-wide permissions.
|
|
*
|
|
* Warning: the signed access signature URL must match the account name of the
|
|
* Zend_Service_WindowsAzure_Credentials_Zend_Service_WindowsAzure_Credentials_SharedAccessSignature instance
|
|
*
|
|
* @param array $value Permission set
|
|
* @return void
|
|
*/
|
|
public function setPermissionSet($value = array())
|
|
{
|
|
foreach ($value as $url) {
|
|
if (strpos($url, $this->_accountName) === false) {
|
|
require_once 'Zend/Service/WindowsAzure/Exception.php';
|
|
throw new Zend_Service_WindowsAzure_Exception('The permission set can only contain URLs for the account name specified in the Zend_Service_WindowsAzure_Credentials_SharedAccessSignature instance.');
|
|
}
|
|
}
|
|
$this->_permissionSet = $value;
|
|
}
|
|
|
|
/**
|
|
* Create signature
|
|
*
|
|
* @param string $path Path for the request
|
|
* @param string $resource Signed resource - container (c) - blob (b)
|
|
* @param string $permissions Signed permissions - read (r), write (w), delete (d) and list (l)
|
|
* @param string $start The time at which the Shared Access Signature becomes valid.
|
|
* @param string $expiry The time at which the Shared Access Signature becomes invalid.
|
|
* @param string $identifier Signed identifier
|
|
* @return string
|
|
*/
|
|
public function createSignature(
|
|
$path = '/',
|
|
$resource = 'b',
|
|
$permissions = 'r',
|
|
$start = '',
|
|
$expiry = '',
|
|
$identifier = ''
|
|
) {
|
|
// Determine path
|
|
if ($this->_usePathStyleUri) {
|
|
$path = substr($path, strpos($path, '/'));
|
|
}
|
|
|
|
// Add trailing slash to $path
|
|
if (substr($path, 0, 1) !== '/') {
|
|
$path = '/' . $path;
|
|
}
|
|
|
|
// Build canonicalized resource string
|
|
$canonicalizedResource = '/' . $this->_accountName;
|
|
/*if ($this->_usePathStyleUri) {
|
|
$canonicalizedResource .= '/' . $this->_accountName;
|
|
}*/
|
|
$canonicalizedResource .= $path;
|
|
|
|
// Create string to sign
|
|
$stringToSign = array();
|
|
$stringToSign[] = $permissions;
|
|
$stringToSign[] = $start;
|
|
$stringToSign[] = $expiry;
|
|
$stringToSign[] = $canonicalizedResource;
|
|
$stringToSign[] = $identifier;
|
|
|
|
$stringToSign = implode("\n", $stringToSign);
|
|
$signature = base64_encode(hash_hmac('sha256', $stringToSign, $this->_accountKey, true));
|
|
|
|
return $signature;
|
|
}
|
|
|
|
/**
|
|
* Create signed query string
|
|
*
|
|
* @param string $path Path for the request
|
|
* @param string $queryString Query string for the request
|
|
* @param string $resource Signed resource - container (c) - blob (b)
|
|
* @param string $permissions Signed permissions - read (r), write (w), delete (d) and list (l)
|
|
* @param string $start The time at which the Shared Access Signature becomes valid.
|
|
* @param string $expiry The time at which the Shared Access Signature becomes invalid.
|
|
* @param string $identifier Signed identifier
|
|
* @return string
|
|
*/
|
|
public function createSignedQueryString(
|
|
$path = '/',
|
|
$queryString = '',
|
|
$resource = 'b',
|
|
$permissions = 'r',
|
|
$start = '',
|
|
$expiry = '',
|
|
$identifier = ''
|
|
) {
|
|
// Parts
|
|
$parts = array();
|
|
if ($start !== '') {
|
|
$parts[] = 'st=' . urlencode($start);
|
|
}
|
|
$parts[] = 'se=' . urlencode($expiry);
|
|
$parts[] = 'sr=' . $resource;
|
|
$parts[] = 'sp=' . $permissions;
|
|
if ($identifier !== '') {
|
|
$parts[] = 'si=' . urlencode($identifier);
|
|
}
|
|
$parts[] = 'sig=' . urlencode($this->createSignature($path, $resource, $permissions, $start, $expiry, $identifier));
|
|
|
|
// Assemble parts and query string
|
|
if ($queryString != '') {
|
|
$queryString .= '&';
|
|
}
|
|
$queryString .= implode('&', $parts);
|
|
|
|
return $queryString;
|
|
}
|
|
|
|
/**
|
|
* Permission matches request?
|
|
*
|
|
* @param string $permissionUrl Permission URL
|
|
* @param string $requestUrl Request URL
|
|
* @param string $resourceType Resource type
|
|
* @param string $requiredPermission Required permission
|
|
* @return string Signed request URL
|
|
*/
|
|
public function permissionMatchesRequest(
|
|
$permissionUrl = '',
|
|
$requestUrl = '',
|
|
$resourceType = Zend_Service_WindowsAzure_Storage::RESOURCE_UNKNOWN,
|
|
$requiredPermission = Zend_Service_WindowsAzure_Credentials_CredentialsAbstract::PERMISSION_READ
|
|
) {
|
|
// Build requirements
|
|
$requiredResourceType = $resourceType;
|
|
if ($requiredResourceType == Zend_Service_WindowsAzure_Storage::RESOURCE_BLOB) {
|
|
$requiredResourceType .= Zend_Service_WindowsAzure_Storage::RESOURCE_CONTAINER;
|
|
}
|
|
|
|
// Parse permission url
|
|
$parsedPermissionUrl = parse_url($permissionUrl);
|
|
|
|
// Parse permission properties
|
|
$permissionParts = explode('&', $parsedPermissionUrl['query']);
|
|
|
|
// Parse request url
|
|
$parsedRequestUrl = parse_url($requestUrl);
|
|
|
|
// Check if permission matches request
|
|
$matches = true;
|
|
foreach ($permissionParts as $part) {
|
|
list($property, $value) = explode('=', $part, 2);
|
|
|
|
if ($property == 'sr') {
|
|
$matches = $matches && (strpbrk($value, $requiredResourceType) !== false);
|
|
}
|
|
|
|
if ($property == 'sp') {
|
|
$matches = $matches && (strpbrk($value, $requiredPermission) !== false);
|
|
}
|
|
}
|
|
|
|
// Ok, but... does the resource match?
|
|
$matches = $matches && (strpos($parsedRequestUrl['path'], $parsedPermissionUrl['path']) !== false);
|
|
|
|
// Return
|
|
return $matches;
|
|
}
|
|
|
|
/**
|
|
* Sign request URL with credentials
|
|
*
|
|
* @param string $requestUrl Request URL
|
|
* @param string $resourceType Resource type
|
|
* @param string $requiredPermission Required permission
|
|
* @return string Signed request URL
|
|
*/
|
|
public function signRequestUrl(
|
|
$requestUrl = '',
|
|
$resourceType = Zend_Service_WindowsAzure_Storage::RESOURCE_UNKNOWN,
|
|
$requiredPermission = Zend_Service_WindowsAzure_Credentials_CredentialsAbstract::PERMISSION_READ
|
|
) {
|
|
// Look for a matching permission
|
|
foreach ($this->getPermissionSet() as $permittedUrl) {
|
|
if ($this->permissionMatchesRequest($permittedUrl, $requestUrl, $resourceType, $requiredPermission)) {
|
|
// This matches, append signature data
|
|
$parsedPermittedUrl = parse_url($permittedUrl);
|
|
|
|
if (strpos($requestUrl, '?') === false) {
|
|
$requestUrl .= '?';
|
|
} else {
|
|
$requestUrl .= '&';
|
|
}
|
|
|
|
$requestUrl .= $parsedPermittedUrl['query'];
|
|
|
|
// Return url
|
|
return $requestUrl;
|
|
}
|
|
}
|
|
|
|
// Return url, will be unsigned...
|
|
return $requestUrl;
|
|
}
|
|
|
|
/**
|
|
* Sign request with credentials
|
|
*
|
|
* @param string $httpVerb HTTP verb the request will use
|
|
* @param string $path Path for the request
|
|
* @param string $queryString Query string for the request
|
|
* @param array $headers x-ms headers to add
|
|
* @param boolean $forTableStorage Is the request for table storage?
|
|
* @param string $resourceType Resource type
|
|
* @param string $requiredPermission Required permission
|
|
* @param mixed $rawData Raw post data
|
|
* @return array Array of headers
|
|
*/
|
|
public function signRequestHeaders(
|
|
$httpVerb = Zend_Http_Client::GET,
|
|
$path = '/',
|
|
$queryString = '',
|
|
$headers = null,
|
|
$forTableStorage = false,
|
|
$resourceType = Zend_Service_WindowsAzure_Storage::RESOURCE_UNKNOWN,
|
|
$requiredPermission = Zend_Service_WindowsAzure_Credentials_CredentialsAbstract::PERMISSION_READ,
|
|
$rawData = null
|
|
) {
|
|
return $headers;
|
|
}
|
|
}
|