Fixed issue of not requiring SAS permission for some specific operations. (#2305)

Author: EmmaZhu

ChangeLog.md

@@ -8,6 +8,13 @@ General:
 
 - Add `--inMemoryPersistence`  and `--extentMemoryLimit` options and related configs to store all data in-memory without disk persistence. (issue #2227)
 
+Blob:
+
+- Fixed issue of not requiring SAS permission for some specific operations. (issue #2299)
+
+Table:
+- Fixed table sas request failure with table name include upper case letter (Issue #1359)
+
 ## 2023.10 Version 3.27.0
 
 General:
@@ -35,7 +42,6 @@ Table:
 - Fixed the errorCode returned, when malformed Etag is provided for table Update/Delete calls. (issue #2013)
 - Fixed an issue when comparing `'' eq guid'00000000-0000-0000-0000-000000000000'` which would erroneously report these as equal. (issue #2169)
 - Fixed authentication error in production style URL for secondary location (issue #2208)
-- Fixed table sas request failure with table name include upper case letter (Issue #1359)
 
 ## 2023.08 Version 3.26.0
 

src/blob/authentication/BlobSASPermissions.ts

@@ -4,10 +4,10 @@ export enum BlobSASPermission {
   Create = "c",
   Write = "w",
   Delete = "d",
-  DeleteVersion  = "x",
-  Tag  = "t",
-  Move  = "m",
-  execute  = "e",
-  SetImmutabilityPolicy  = "i",
-  permanentDelete  = "y"
+  DeleteVersion = "x",
+  Tag = "t",
+  Move = "m",
+  execute = "e",
+  SetImmutabilityPolicy = "i",
+  permanentDelete = "y"
 }

src/blob/authentication/ContainerSASPermissions.ts

@@ -4,5 +4,6 @@ export enum ContainerSASPermission {
   Create = "c",
   Write = "w",
   Delete = "d",
-  List = "l"
+  List = "l",
+  Any = "AnyPermission" // This is only for blob batch operation.
 }

src/blob/authentication/OperationAccountSASPermission.ts

@@ -12,9 +12,9 @@ import { AccountSASService } from "../../common/authentication/AccountSASService
 export class OperationAccountSASPermission {
   constructor(
     public readonly service: string,
-    public readonly resourceType?: string,
-    public readonly permission?: string
-  ) {}
+    public readonly resourceType: string,
+    public readonly permission: string
+  ) { }
 
   public validate(
     services: AccountSASServices | string,
@@ -35,33 +35,33 @@ export class OperationAccountSASPermission {
   public validateResourceTypes(
     resourceTypes: AccountSASResourceTypes | string
   ): boolean {
-    if (this.resourceType) {
-      for (const p of this.resourceType) {
-        if (resourceTypes.toString().includes(p)) {
-          return true;
-        }
-      }
-      return false;
-    }
-    else {
+    // Only blob batch operation allows Any resource types.
+    if (this.resourceType === AccountSASResourceType.Any) {
       return resourceTypes.toString() !== "";
     }
+
+    for (const p of this.resourceType) {
+      if (resourceTypes.toString().includes(p)) {
+        return true;
+      }
+    }
+    return false;
   }
 
   public validatePermissions(
     permissions: AccountSASPermissions | string
   ): boolean {
-    if (this.permission) {
-      for (const p of this.permission) {
-        if (permissions.toString().includes(p)) {
-          return true;
-        }
-      }
-      return false;
-    }
-    else {
+    // Only blob batch operation allows Any permissions.
+    if (this.permission === AccountSASPermission.Any) {
       return permissions.toString() !== "";
     }
+
+    for (const p of this.permission) {
+      if (permissions.toString().includes(p)) {
+        return true;
+      }
+    }
+    return false;
   }
 }
 
@@ -77,16 +77,16 @@ OPERATION_ACCOUNT_SAS_PERMISSIONS.set(
   new OperationAccountSASPermission(
     AccountSASService.Blob,
     AccountSASResourceType.Service +
-      AccountSASResourceType.Container +
-      AccountSASResourceType.Object,
+    AccountSASResourceType.Container +
+    AccountSASResourceType.Object,
+    AccountSASPermission.Read +
+    AccountSASPermission.Create +
+    AccountSASPermission.Delete +
+    AccountSASPermission.List +
+    AccountSASPermission.Process +
     AccountSASPermission.Read +
-      AccountSASPermission.Create +
-      AccountSASPermission.Delete +
-      AccountSASPermission.List +
-      AccountSASPermission.Process +
-      AccountSASPermission.Read +
-      AccountSASPermission.Update +
-      AccountSASPermission.Write
+    AccountSASPermission.Update +
+    AccountSASPermission.Write
   )
 );
 
@@ -95,16 +95,16 @@ OPERATION_ACCOUNT_SAS_PERMISSIONS.set(
   new OperationAccountSASPermission(
     AccountSASService.Blob,
     AccountSASResourceType.Service +
-      AccountSASResourceType.Container +
-      AccountSASResourceType.Object,
+    AccountSASResourceType.Container +
+    AccountSASResourceType.Object,
+    AccountSASPermission.Read +
+    AccountSASPermission.Create +
+    AccountSASPermission.Delete +
+    AccountSASPermission.List +
+    AccountSASPermission.Process +
     AccountSASPermission.Read +
-      AccountSASPermission.Create +
-      AccountSASPermission.Delete +
-      AccountSASPermission.List +
-      AccountSASPermission.Process +
-      AccountSASPermission.Read +
-      AccountSASPermission.Update +
-      AccountSASPermission.Write
+    AccountSASPermission.Update +
+    AccountSASPermission.Write
   )
 );
 
@@ -113,16 +113,16 @@ OPERATION_ACCOUNT_SAS_PERMISSIONS.set(
   new OperationAccountSASPermission(
     AccountSASService.Blob,
     AccountSASResourceType.Service +
-      AccountSASResourceType.Container +
-      AccountSASResourceType.Object,
+    AccountSASResourceType.Container +
+    AccountSASResourceType.Object,
     AccountSASPermission.Read +
-      AccountSASPermission.Create +
-      AccountSASPermission.Delete +
-      AccountSASPermission.List +
-      AccountSASPermission.Process +
-      AccountSASPermission.Read +
-      AccountSASPermission.Update +
-      AccountSASPermission.Write
+    AccountSASPermission.Create +
+    AccountSASPermission.Delete +
+    AccountSASPermission.List +
+    AccountSASPermission.Process +
+    AccountSASPermission.Read +
+    AccountSASPermission.Update +
+    AccountSASPermission.Write
   )
 );
 
@@ -131,16 +131,16 @@ OPERATION_ACCOUNT_SAS_PERMISSIONS.set(
   new OperationAccountSASPermission(
     AccountSASService.Blob,
     AccountSASResourceType.Service +
-      AccountSASResourceType.Container +
-      AccountSASResourceType.Object,
+    AccountSASResourceType.Container +
+    AccountSASResourceType.Object,
+    AccountSASPermission.Read +
+    AccountSASPermission.Create +
+    AccountSASPermission.Delete +
+    AccountSASPermission.List +
+    AccountSASPermission.Process +
     AccountSASPermission.Read +
-      AccountSASPermission.Create +
-      AccountSASPermission.Delete +
-      AccountSASPermission.List +
-      AccountSASPermission.Process +
-      AccountSASPermission.Read +
-      AccountSASPermission.Update +
-      AccountSASPermission.Write
+    AccountSASPermission.Update +
+    AccountSASPermission.Write
   )
 );
 
@@ -149,16 +149,16 @@ OPERATION_ACCOUNT_SAS_PERMISSIONS.set(
   new OperationAccountSASPermission(
     AccountSASService.Blob,
     AccountSASResourceType.Service +
-      AccountSASResourceType.Container +
-      AccountSASResourceType.Object,
+    AccountSASResourceType.Container +
+    AccountSASResourceType.Object,
+    AccountSASPermission.Read +
+    AccountSASPermission.Create +
+    AccountSASPermission.Delete +
+    AccountSASPermission.List +
+    AccountSASPermission.Process +
     AccountSASPermission.Read +
-      AccountSASPermission.Create +
-      AccountSASPermission.Delete +
-      AccountSASPermission.List +
-      AccountSASPermission.Process +
-      AccountSASPermission.Read +
-      AccountSASPermission.Update +
-      AccountSASPermission.Write
+    AccountSASPermission.Update +
+    AccountSASPermission.Write
   )
 );
 
@@ -167,16 +167,16 @@ OPERATION_ACCOUNT_SAS_PERMISSIONS.set(
   new OperationAccountSASPermission(
     AccountSASService.Blob,
     AccountSASResourceType.Service +
-      AccountSASResourceType.Container +
-      AccountSASResourceType.Object,
+    AccountSASResourceType.Container +
+    AccountSASResourceType.Object,
     AccountSASPermission.Read +
-      AccountSASPermission.Create +
-      AccountSASPermission.Delete +
-      AccountSASPermission.List +
-      AccountSASPermission.Process +
-      AccountSASPermission.Read +
-      AccountSASPermission.Update +
-      AccountSASPermission.Write
+    AccountSASPermission.Create +
+    AccountSASPermission.Delete +
+    AccountSASPermission.List +
+    AccountSASPermission.Process +
+    AccountSASPermission.Read +
+    AccountSASPermission.Update +
+    AccountSASPermission.Write
   )
 );
 
@@ -211,8 +211,8 @@ OPERATION_ACCOUNT_SAS_PERMISSIONS.set(
   Operation.Service_SubmitBatch,
   new OperationAccountSASPermission(
     AccountSASService.Blob,
-    "",
-    "" // NOT ALLOWED
+    AccountSASResourceType.Any,
+    AccountSASPermission.Any
   )
 );
 

src/blob/authentication/OperationBlobSASPermission.ts

@@ -3,24 +3,24 @@ import { BlobSASPermission } from "./BlobSASPermissions";
 import { ContainerSASPermission } from "./ContainerSASPermissions";
 
 export class OperationBlobSASPermission {
-  constructor(public readonly permission: string = "") {}
+  constructor(public readonly permission: string = "") { }
 
   public validate(permissions: string): boolean {
     return this.validatePermissions(permissions);
   }
 
   public validatePermissions(permissions: string): boolean {
-    if (this.permission !== "") {
-      for (const p of this.permission) {
-        if (permissions.toString().includes(p)) {
-          return true;
-        }
-      }
-      return false;
-    }
-    else {
+    // Only blob batch operation allows Any permissions.
+    if (this.permission === ContainerSASPermission.Any) {
       return permissions.toString() !== "";
     }
+
+    for (const p of this.permission) {
+      if (permissions.toString().includes(p)) {
+        return true;
+      }
+    }
+    return false;
   }
 }
 
@@ -335,7 +335,7 @@ OPERATION_BLOB_SAS_CONTAINER_PERMISSIONS.set(
 );
 OPERATION_BLOB_SAS_CONTAINER_PERMISSIONS.set(
   Operation.Container_SubmitBatch,
-  new OperationBlobSASPermission()
+  new OperationBlobSASPermission(ContainerSASPermission.Any)
 );
 OPERATION_BLOB_SAS_CONTAINER_PERMISSIONS.set(
   Operation.Container_GetAccessPolicy,

src/common/authentication/AccountSASPermissions.ts

@@ -10,8 +10,9 @@ export enum AccountSASPermission {
   Process = "p",
   Tag = "t",
   Filter = "f",
-  SetImmutabilityPolicy  = "i",
-  PermanentDelete = "y"
+  SetImmutabilityPolicy = "i",
+  PermanentDelete = "y",
+  Any = "AnyPermission"  // This is only used for blob batch operation.
 }
 
 /**

src/common/authentication/AccountSASResourceTypes.ts

@@ -1,7 +1,8 @@
 export enum AccountSASResourceType {
   Service = "s",
   Container = "c",
-  Object = "o"
+  Object = "o",
+  Any = "AnyResourceType" // This is only used for blob batch operation.
 }
 
 /**