从 APIM 策略获取 Azure 表存储实体

Question

我正在尝试使用 API 管理策略获取表实体。所以我在那里生成共享访问签名，但响应了 403 Forbidden。

APIM 政策 (C#)

    <set-variable name="presentTime" value="@( (DateTime.UtcNow).ToString("ddd, dd MMM yyyy hh:mm:ss ") + "GMT" )" />
    <set-variable name="getTableEntityToken" value="@{
            var storage_account = "XXXXXX";
            var table = "XXXXXXXX";
            var access_key = "XXXXXXXXXXXXXXXXXXXXXXXXXX";
            var canonicalized_headers = "\n/" + storage_account + "/" + table;
            string[] stringToSignArray = {
                                      // VERB
                                      "GET",
                                      // Content-MD5
                                      "",
                                      // Content-Type
                                      "",
                                      // Date
                                      context.Variables.GetValueOrDefault<string>("presentTime"),
                                    };
            string stringToSign = String.Join("\n", stringToSignArray) + canonicalized_headers;
            using (var encoder = new HMACSH256(Convert.FromBase64String(access_key))) {
                var hash = encoder.ComputeHash(Encoding.UTF8.GetBytes(stringToSign));
                var signature = Convert.ToBase64String(hash);
                return signature;
            }
    }" />
    <set-header name="Authorization" exists-action="override">
        <value>@( "SharedKey " + "XXXXXXX:" + context.Variables.GetValueOrDefault<string>("getTableEntityToken") )</value>
    </set-header>
    <set-header name="x-ms-date" exists-action="override">
        <value>@( context.Variables.GetValueOrDefault<string>("presentTime") )</value>
    </set-header>
    <set-header name="x-ms-version" exists-action="override">
        <value>2015-12-11</value>
    </set-header>
    <set-header name="Accept" exists-action="override">
        <value>application/json;odata=nometadata</value>
    </set-header>

回应

{
"odata.error": {
"code": "AuthenticationFailed",
"message": {
  "lang": "en-US",
  "value": "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:21877d9e-a002-0022-0dea-bc7d70000000\nTime:2018-03-16T05:50:10.3226402Z"
  }
 }
}

但是，我已经验证了下面的php代码可以获取表格实体。

PHP 代码

$account = "XXXXXX";
$tablestoragename = "XXXXXXX";
$accessKey = "XXXXXXXXX";
$date = gmdate('D, d M Y H:i:s T',time());
$api_version = "2015-12-11";
$url = "https://$account.table.core.windows.net/$tablestoragename";
$method = "GET";
$accept = "application/json;odata=nometadata";

$stringToSign = [
// VERB
$method,
// Content-MD5
'',
// Content-Type
'',
// Date
$date,
];

$stringToSign = array_merge($stringToSign, ["/$account/$tablestoragename"]);
$stringToSign = implode("\n", $stringToSign);
$signature = base64_encode(hash_hmac('sha256', $stringToSign, base64_decode($accessKey), true));

$headers = [
"x-ms-date:{$date}",
"x-ms-version:$api_version",
"Authorization:SharedKey $account:{$signature}",
"Accept:$accept",
];

$ch = curl_init();

$options = array(
CURLOPT_URL => $url,
CURLOPT_HTTPHEADER => $headers,
CURLOPT_CUSTOMREQUEST => $method,
CURLOPT_SSL_VERIFYPEER => FALSE,
CURLOPT_RETURNTRANSFER => TRUE,
);

$proxy_options = array(
CURLOPT_PROXY => 'http://XXXXXXXXXX',
CURLOPT_PROXYPORT => 'XXXX',
);

curl_setopt_array($ch, $proxy_options);
curl_setopt_array($ch, $options);

$response  = curl_exec($ch);
var_dump($response);
echo curl_error($ch);
curl_close($ch);

所以看来我无法将上面的 php 代码转换为 c#。如果您有任何意见，请帮助我。

Answer 1

请更改这行代码：

using (var encoder = new HMACSHA512(Encoding.UTF8.GetBytes(access_key)))

到

using (var encoder = new HMACSHA512(Convert.FromBase64String(access_key)))

这应该可以解决问题。

更新

您在错误的地方进行了更改。请看下面的正确代码：

            using (var encoder = new HMACSHA512(Convert.FromBase64String(access_key))) {
                var hash = encoder.ComputeHash(Encoding.UTF8.GetBytes(stringToSign));
                var signature = Convert.ToBase64String(hash);
                return signature;
            }