Azure Blob 映像授权共享访问

Question

我正在尝试使用授权标头读取图像，但生成的授权标头字符串似乎存在错误。我收到以下错误。

 <?xml version="1.0" encoding="utf-8"?>
    <Error>
        <Code>AuthenticationFailed</Code>
        <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
    RequestId:a5e98b3e-c01e-002e-19ad-be5c0e000000
    Time:2019-02-07T06:22:40.0625641Z</Message>
        <AuthenticationErrorDetail>The MAC signature found in the HTTP request 'm+68ihJL2+Wl0Cm1vuXOHnzq4ma56utn/62hSCv6rjo=' is not the same as any computed signature. Server used following string to sign: 'GET




    image/jpeg






    x-ms-blob-type:Block blob
    x-ms-date:Thu, 07 Feb 2019 06:21:44 GMT
    x-ms-version:2018-03-28
    /<accountName>/<container>/<image.jpg>'.</AuthenticationErrorDetail>
    </Error> 

这是我用于生成标头的代码。

namespace ShaKey
{
    class Program
    {
        static void Main(string[] args)
        {

            string stringToSign = "GET\n\n\n\n\nimage/jpeg\n\n\n\n\n\n\nx- 
                                   ms-date:" + DateTime.UtcNow.ToString("R", 
                                   CultureInfo.InvariantCulture) + "\nx-ms- 
                                    version:2018-03-28\n/<accountName>/<container>/<image.jpg>";

            Console.WriteLine(SharedKey.CreateAuthorizationHeader(stringToSign));
            string date = DateTime.UtcNow.ToString("R", CultureInfo.InvariantCulture);
            Console.WriteLine(date);

        }

    }

    public class SharedKey
    {


        public static String CreateAuthorizationHeader(String canonicalizedString)
        {
            String signature = String.Empty;
            string storageAccountKey = "accountKey"

            using (HMACSHA256 hmacSha256 = new HMACSHA256(Convert.FromBase64String(storageAccountKey)))
            {
                Byte[] dataToHmac = System.Text.Encoding.UTF8.GetBytes(canonicalizedString);
                signature = Convert.ToBase64String(hmacSha256.ComputeHash(dataToHmac));
            }

            String authorizationHeader = String.Format(
                CultureInfo.InvariantCulture,
                "{0} {1}:{2}",
                AzureStorageConstants.SharedKeyAuthorizationScheme,
                AzureStorageConstants.Account,
                signature
            );

            return authorizationHeader;
        }

    }

    public class AzureStorageConstants
    {
        public static string SharedKeyAuthorizationScheme = "SharedKey";
        public static string Account ="accountname";
    }
}

正在生成的标头中有错误。代码中的错误在哪里？

Answer 1

身份验证失败，因为您添加了 x-ms-blob-type 标头（显示在错误中）但未将其放入 stringToSign。

事实上，Get Blob 在请求头中不需要x-ms-blob-type 和Content-Type，它们在Put Blob 中使用。所以解决办法就是去掉x-ms-blob-type和Content-Type这两个header，把stringToSign里面的image/jpeg删掉。

Answer 2

查看documentation，您可以为这样的 blob 生成 SAS 令牌：

（需要先安装这个nuget包：WindowsAzure.Storage）

using Microsoft.WindowsAzure.Storage.Blob;
using Microsoft.WindowsAzure.Storage;
...
var connectionString = "DefaultEndpointsProtocol=https;AccountName=<account-name>;AccountKey=<account-key>";
var storageAccount = CloudStorageAccount.Parse(connectionString);

var container = storageAccount.CreateCloudBlobClient().GetContainerReference("<container-name>");
var blob = container.GetBlobReference("<blob-name>");

var sasBlobToken = blob.GetSharedAccessSignature(new SharedAccessBlobPolicy {
    Permissions = SharedAccessBlobPermissions.Read,
    SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-15),
    SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(60)
});