
My application allows users to enter an Azure Blob Storage SAS URL. How would I go about validating it? I'm using the Azure Storage Blobs client library, and there doesn't seem to be any way of validating SAS URLs without actually performing a blob operation (which I don't want to do).

The validation operation can be asynchronous and involve an API call if necessary (ie it can be triggered with a button).

```csharp
public class SASURLValidator
{
    public async Task<bool> ValidateSASURL(string sasURL)
    {
        // What goes here?
    }

    public async Task Test()
    {
        var result = await ValidateSASURL("https://blobstorageaccountname.blob.core.windows.net/containerName?sp=w&st=2022-02-15T02:07:49Z&se=2022-03-15T10:07:49Z&spr=https&sv=2020-08-04&sr=c&sig=JDFJEF342JDSFJIERJsdjfkajiwSKDFJIQWJIFJSKDFJWE%3D");
        // result should be true if the above is a valid SAS
    }
}
```
Daniel Elkington
  • _Why_ do you want to do this? – Dai Feb 18 '22 at 01:07
  • @Dai A client app is used to transfer files to Azure Storage. In the settings screen of this app there is a field to enter a SAS URL. Given this will occasionally expire, someone will need to occasionally copy and paste a new SAS URL into this field. It would be good to validate it as much as possible so the user knows immediately if there is a problem with it, as opposed to later when the app tries to upload files. – Daniel Elkington Feb 18 '22 at 02:01
  • You can check the expiry by extracting and parsing the `se=` query-string parameter. – Dai Feb 18 '22 at 02:31
  • Btw, your string has doubly-HTML-encoded ampersands. You need to unencode them first. – Dai Feb 18 '22 at 02:32
  • @Dai Fixed the ampersands. I want to validate more than the expiry - I want to know if it's a valid SAS (ie I want to detect if someone messed up the copy/paste and left a few characters of the signature off). – Daniel Elkington Feb 18 '22 at 02:34
  • The `sig` parameter is (I believe) a HMAC-signed opaque blob, so you cannot verify it without having the private-key (the Primary+Secondary keys associated with your Azure account - which you must never expose or distribute). What’s the harm in making a HTTP request to test it? Add a button to your UI that says “Test”. – Dai Feb 18 '22 at 02:37
  • @Dai I am happy to do that, but I can't find any HTTP request to validate an SAS. The application will be using SAS URLs with write-only permission, and I don't want to upload dummy files into my Azure Storage account. – Daniel Elkington Feb 18 '22 at 03:00
  • Please edit your question to add detail and avoid using comments for extended discussion. You can use [chat] if needed. – David Makogon Feb 18 '22 at 04:58
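
The offline checks raised in the comments above (un-encoding `&amp;`, parsing `se=`, and the point that `sig` is an HMAC that cannot be verified without the account key), as an added example that is not part of the original thread. It goes one step further by checking that `sig` decodes to the 32 bytes of an HMAC-SHA256, which catches a truncated copy/paste but not a wrong signature; `SasUrlChecker`, the account name, the container and the all-zero signature are constructed for illustration.

```csharp
// Added example, not from the thread. Offline checks only; no request is sent.
using System;
using System.Collections.Generic;
using System.Globalization;

public static class SasUrlChecker
{
    // Empty result = well-formed and in date, NOT proof that Azure will accept it.
    public static List<string> Check(string sasUrl, DateTimeOffset now)
    {
        var problems = new List<string>();
        if (sasUrl.Contains("&amp;")) problems.Add("HTML-encoded ampersands (&amp;) in URL");
        if (!Uri.TryCreate(sasUrl, UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps)
        { problems.Add("not an absolute https URL"); return problems; }
        // Split by hand so a literal '+' in a value is not decoded to a space.
        var q = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var pair in uri.Query.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length == 2) q[kv[0]] = Uri.UnescapeDataString(kv[1]);
        }
        // Assumption: ad hoc SAS like the one in the question (no stored access policy).
        foreach (var name in new[] { "sv", "se", "sp", "sig" })
            if (!q.ContainsKey(name)) problems.Add("missing parameter: " + name);
        const DateTimeStyles utc = DateTimeStyles.AssumeUniversal;
        if (q.TryGetValue("se", out var se) &&
            (!DateTimeOffset.TryParse(se, CultureInfo.InvariantCulture, utc, out var expiry) || expiry <= now))
            problems.Add("se is unparseable or already expired");
        if (q.TryGetValue("st", out var st) &&
            DateTimeOffset.TryParse(st, CultureInfo.InvariantCulture, utc, out var start) && start > now)
            problems.Add("st is in the future");
        if (q.TryGetValue("sp", out var sp) && !sp.Contains("w"))
            problems.Add("sp does not grant write (w)");
        // sig is Base64 of an HMAC-SHA256, so it must decode to exactly 32 bytes.
        if (q.TryGetValue("sig", out var sig))
            try { if (Convert.FromBase64String(sig).Length != 32) problems.Add("sig has wrong length"); }
            catch (FormatException) { problems.Add("sig is not valid Base64 (truncated?)"); }
        return problems;
    }

    public static void Main()
    {
        // Constructed sample: placeholder account, container and all-zero signature.
        var now = new DateTimeOffset(2022, 3, 1, 0, 0, 0, TimeSpan.Zero);
        var url = "https://exampleaccount.blob.core.windows.net/uploads?sp=w&st=2022-02-15T02:07:49Z"
            + "&se=2022-03-15T10:07:49Z&spr=https&sv=2020-08-04&sr=c&sig="
            + Uri.EscapeDataString(Convert.ToBase64String(new byte[32]));
        Console.WriteLine(Check(url, now).Count);
        Console.WriteLine(string.Join("; ", Check(url.Substring(0, url.Length - 5), now)));
    }
}
```

A URL that passes these checks can still be rejected by the service (revoked key, wrong signature, IP restriction), so the result is best shown to the user as "looks well-formed" rather than "valid".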

1 Answer


You may test the list or write and delete access. Depending on your scenario you can use one of the two. It would also be possible to modify the sample for testing read access to a single file.

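```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Storage.Blob; // legacy SDK providing CloudBlobContainer (package assumed; the answer does not name it)

// Validates a container SAS URI by exercising the permissions it is expected to grant.
private async Task TestSasAsync(String uri, bool testWriteAndDelete, bool testList)
{
    try
    {
        var cloudBlobContainer = new CloudBlobContainer(new Uri(uri));

        if (testList)
        {
            // Needs list permission on the container.
            foreach (var blob in cloudBlobContainer.ListBlobs())
            {
                Console.WriteLine(blob.Uri);
            }
        }

        if (testWriteAndDelete)
        {
            // Needs write and delete permission; creates and then removes a probe blob.
            var blockBlob = cloudBlobContainer.GetBlockBlobReference("testBlob.txt");
            await blockBlob.UploadTextAsync("Hello world");
            await blockBlob.DeleteAsync();
        }
    }
    catch (Exception ex)
    {
        throw new Exception("Failed to validate SAS Uri: " + ex.Message, ex);
    }
}
```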
Daniel W.
  • Thanks for your suggestion, however as mentioned in the question I don't want to perform any real blob operations. In my case I am dealing with SASs that _only_ have write permission, so they wouldn't be able to list blobs or delete any blobs that they create. – Daniel Elkington Apr 21 '22 at 23:36