mirror of
https://github.com/bitwarden/server.git
synced 2025-07-02 16:42:50 -05:00
Use sas token for attachment downloads (#1153)
* Get limited life attachment download URL This change limits url download to a 1min lifetime. This requires moving to a new container to allow for non-public blob access. Clients will have to call GetAttachmentData api function to receive the download URL. For backwards compatibility, attachment URLs are still present, but will not work for attachments stored in non-public access blobs. * Make GlobalSettings interface for testing * Test LocalAttachmentStorageService equivalence * Remove comment * Add missing globalSettings using * Simplify default attachment container * Default to attachments containe for existing methods A new upload method will be made for uploading to attachments-v2. For compatibility for clients which don't use these new methods, we need to still use the old container. The new container will be used only for new uploads * Remove Default MetaData fixture. * Keep attachments container blob-level security for all instances * Close unclosed FileStream * Favor default value for noop services
This commit is contained in:
Matt Gibson
@ -1,18 +1,22 @@
|
||||
using System.Threading.Tasks;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.Azure.Storage;
|
||||
using Microsoft.Azure.Storage.Blob;
|
||||
using System.IO;
|
||||
using System;
|
||||
using Bit.Core.Models.Data;
|
||||
using Bit.Core.Models.Table;
|
||||
using Bit.Core.Settings;
|
||||
using System.Collections.Generic;
|
||||
|
||||
namespace Bit.Core.Services
|
||||
{
|
||||
public class AzureAttachmentStorageService : IAttachmentStorageService
|
||||
{
|
||||
private const string AttchmentContainerName = "attachments";
|
||||
|
||||
private const string _defaultContainerName = "attachments";
|
||||
private readonly static string[] _attachmentContainerName = { "attachments", "attachments-v2" };
|
||||
private static readonly TimeSpan downloadLinkLiveTime = TimeSpan.FromMinutes(1);
|
||||
private readonly CloudBlobClient _blobClient;
|
||||
private CloudBlobContainer _attachmentsContainer;
|
||||
private readonly Dictionary<string, CloudBlobContainer> _attachmentContainers = new Dictionary<string, CloudBlobContainer>();
|
||||
|
||||
public AzureAttachmentStorageService(
|
||||
GlobalSettings globalSettings)
|
||||
@ -21,10 +25,24 @@ namespace Bit.Core.Services
|
||||
_blobClient = storageAccount.CreateCloudBlobClient();
|
||||
}
|
||||
|
||||
public async Task UploadNewAttachmentAsync(Stream stream, Cipher cipher, string attachmentId)
|
||||
public async Task<string> GetAttachmentDownloadUrlAsync(Cipher cipher, CipherAttachment.MetaData attachmentData)
|
||||
{
|
||||
await InitAsync();
|
||||
var blob = _attachmentsContainer.GetBlockBlobReference($"{cipher.Id}/{attachmentId}");
|
||||
await InitAsync(attachmentData.ContainerName);
|
||||
var blob = _attachmentContainers[attachmentData.ContainerName].GetBlockBlobReference($"{cipher.Id}/{attachmentData.AttachmentId}");
|
||||
var accessPolicy = new SharedAccessBlobPolicy()
|
||||
{
|
||||
SharedAccessExpiryTime = DateTime.UtcNow.Add(downloadLinkLiveTime),
|
||||
Permissions = SharedAccessBlobPermissions.Read
|
||||
};
|
||||
|
||||
return blob.Uri + blob.GetSharedAccessSignature(accessPolicy);
|
||||
}
|
||||
|
||||
public async Task UploadNewAttachmentAsync(Stream stream, Cipher cipher, CipherAttachment.MetaData attachment)
|
||||
{
|
||||
attachment.ContainerName = _defaultContainerName;
|
||||
await InitAsync(_defaultContainerName);
|
||||
var blob = _attachmentContainers[_defaultContainerName].GetBlockBlobReference($"{cipher.Id}/{attachment.AttachmentId}");
|
||||
blob.Metadata.Add("cipherId", cipher.Id.ToString());
|
||||
if (cipher.UserId.HasValue)
|
||||
{
|
||||
@ -34,36 +52,38 @@ namespace Bit.Core.Services
|
||||
{
|
||||
blob.Metadata.Add("organizationId", cipher.OrganizationId.Value.ToString());
|
||||
}
|
||||
blob.Properties.ContentDisposition = $"attachment; filename=\"{attachmentId}\"";
|
||||
blob.Properties.ContentDisposition = $"attachment; filename=\"{attachment.AttachmentId}\"";
|
||||
await blob.UploadFromStreamAsync(stream);
|
||||
}
|
||||
|
||||
public async Task UploadShareAttachmentAsync(Stream stream, Guid cipherId, Guid organizationId, string attachmentId)
|
||||
public async Task UploadShareAttachmentAsync(Stream stream, Guid cipherId, Guid organizationId, CipherAttachment.MetaData attachmentData)
|
||||
{
|
||||
await InitAsync();
|
||||
var blob = _attachmentsContainer.GetBlockBlobReference($"temp/{cipherId}/{organizationId}/{attachmentId}");
|
||||
attachmentData.ContainerName = _defaultContainerName;
|
||||
await InitAsync(_defaultContainerName);
|
||||
var blob = _attachmentContainers[_defaultContainerName].GetBlockBlobReference($"temp/{cipherId}/{organizationId}/{attachmentData.AttachmentId}");
|
||||
blob.Metadata.Add("cipherId", cipherId.ToString());
|
||||
blob.Metadata.Add("organizationId", organizationId.ToString());
|
||||
blob.Properties.ContentDisposition = $"attachment; filename=\"{attachmentId}\"";
|
||||
blob.Properties.ContentDisposition = $"attachment; filename=\"{attachmentData.AttachmentId}\"";
|
||||
await blob.UploadFromStreamAsync(stream);
|
||||
}
|
||||
|
||||
public async Task StartShareAttachmentAsync(Guid cipherId, Guid organizationId, string attachmentId)
|
||||
public async Task StartShareAttachmentAsync(Guid cipherId, Guid organizationId, CipherAttachment.MetaData data)
|
||||
{
|
||||
await InitAsync();
|
||||
var source = _attachmentsContainer.GetBlockBlobReference($"temp/{cipherId}/{organizationId}/{attachmentId}");
|
||||
await InitAsync(data.ContainerName);
|
||||
var source = _attachmentContainers[data.ContainerName].GetBlockBlobReference($"temp/{cipherId}/{organizationId}/{data.AttachmentId}");
|
||||
if (!(await source.ExistsAsync()))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var dest = _attachmentsContainer.GetBlockBlobReference($"{cipherId}/{attachmentId}");
|
||||
await InitAsync(_defaultContainerName);
|
||||
var dest = _attachmentContainers[_defaultContainerName].GetBlockBlobReference($"{cipherId}/{data.AttachmentId}");
|
||||
if (!(await dest.ExistsAsync()))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var original = _attachmentsContainer.GetBlockBlobReference($"temp/{cipherId}/{attachmentId}");
|
||||
var original = _attachmentContainers[_defaultContainerName].GetBlockBlobReference($"temp/{cipherId}/{data.AttachmentId}");
|
||||
await original.DeleteIfExistsAsync();
|
||||
await original.StartCopyAsync(dest);
|
||||
|
||||
@ -71,98 +91,88 @@ namespace Bit.Core.Services
|
||||
await dest.StartCopyAsync(source);
|
||||
}
|
||||
|
||||
public async Task RollbackShareAttachmentAsync(Guid cipherId, Guid organizationId, string attachmentId)
|
||||
public async Task RollbackShareAttachmentAsync(Guid cipherId, Guid organizationId, CipherAttachment.MetaData attachmentData, string originalContainer)
|
||||
{
|
||||
await InitAsync();
|
||||
var source = _attachmentsContainer.GetBlockBlobReference($"temp/{cipherId}/{organizationId}/{attachmentId}");
|
||||
await InitAsync(attachmentData.ContainerName);
|
||||
var source = _attachmentContainers[attachmentData.ContainerName].GetBlockBlobReference($"temp/{cipherId}/{organizationId}/{attachmentData.AttachmentId}");
|
||||
await source.DeleteIfExistsAsync();
|
||||
|
||||
var original = _attachmentsContainer.GetBlockBlobReference($"temp/{cipherId}/{attachmentId}");
|
||||
await InitAsync(originalContainer);
|
||||
var original = _attachmentContainers[originalContainer].GetBlockBlobReference($"temp/{cipherId}/{attachmentData.AttachmentId}");
|
||||
if (!(await original.ExistsAsync()))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var dest = _attachmentsContainer.GetBlockBlobReference($"{cipherId}/{attachmentId}");
|
||||
var dest = _attachmentContainers[originalContainer].GetBlockBlobReference($"{cipherId}/{attachmentData.AttachmentId}");
|
||||
await dest.DeleteIfExistsAsync();
|
||||
await dest.StartCopyAsync(original);
|
||||
await original.DeleteIfExistsAsync();
|
||||
}
|
||||
|
||||
public async Task DeleteAttachmentAsync(Guid cipherId, string attachmentId)
|
||||
public async Task DeleteAttachmentAsync(Guid cipherId, CipherAttachment.MetaData attachment)
|
||||
{
|
||||
await InitAsync();
|
||||
var blobName = $"{cipherId}/{attachmentId}";
|
||||
var blob = _attachmentsContainer.GetBlockBlobReference(blobName);
|
||||
await InitAsync(attachment.ContainerName);
|
||||
var blobName = $"{cipherId}/{attachment.AttachmentId}";
|
||||
var blob = _attachmentContainers[attachment.ContainerName].GetBlockBlobReference(blobName);
|
||||
await blob.DeleteIfExistsAsync();
|
||||
}
|
||||
|
||||
public async Task CleanupAsync(Guid cipherId)
|
||||
private async Task DeleteAttachmentsForPathAsync(string path)
|
||||
{
|
||||
await InitAsync();
|
||||
var segment = await _attachmentsContainer.ListBlobsSegmentedAsync($"temp/{cipherId}", true,
|
||||
BlobListingDetails.None, 100, null, null, null);
|
||||
|
||||
while (true)
|
||||
foreach (var container in _attachmentContainerName)
|
||||
{
|
||||
foreach (var blob in segment.Results)
|
||||
await InitAsync(container);
|
||||
var segment = await _attachmentContainers[container].ListBlobsSegmentedAsync(path, true, BlobListingDetails.None, 100, null, null, null);
|
||||
|
||||
while (true)
|
||||
{
|
||||
if (blob is CloudBlockBlob blockBlob)
|
||||
foreach (var blob in segment.Results)
|
||||
{
|
||||
await blockBlob.DeleteIfExistsAsync();
|
||||
if (blob is CloudBlockBlob blockBlob)
|
||||
{
|
||||
await blockBlob.DeleteIfExistsAsync();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (segment.ContinuationToken == null)
|
||||
{
|
||||
break;
|
||||
}
|
||||
if (segment.ContinuationToken == null)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
segment = await _attachmentsContainer.ListBlobsSegmentedAsync(segment.ContinuationToken);
|
||||
segment = await _attachmentContainers[container].ListBlobsSegmentedAsync(segment.ContinuationToken);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public async Task DeleteAttachmentsForCipherAsync(Guid cipherId)
|
||||
{
|
||||
await InitAsync();
|
||||
var segment = await _attachmentsContainer.ListBlobsSegmentedAsync(cipherId.ToString(), true,
|
||||
BlobListingDetails.None, 100, null, null, null);
|
||||
|
||||
while (true)
|
||||
{
|
||||
foreach (var blob in segment.Results)
|
||||
{
|
||||
if (blob is CloudBlockBlob blockBlob)
|
||||
{
|
||||
await blockBlob.DeleteIfExistsAsync();
|
||||
}
|
||||
}
|
||||
public async Task CleanupAsync(Guid cipherId) => await DeleteAttachmentsForPathAsync($"temp/{cipherId}");
|
||||
|
||||
if (segment.ContinuationToken == null)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
segment = await _attachmentsContainer.ListBlobsSegmentedAsync(segment.ContinuationToken);
|
||||
}
|
||||
}
|
||||
public async Task DeleteAttachmentsForCipherAsync(Guid cipherId) => await DeleteAttachmentsForPathAsync(cipherId.ToString());
|
||||
|
||||
public async Task DeleteAttachmentsForOrganizationAsync(Guid organizationId)
|
||||
{
|
||||
await InitAsync();
|
||||
await InitAsync(_defaultContainerName);
|
||||
}
|
||||
|
||||
public async Task DeleteAttachmentsForUserAsync(Guid userId)
|
||||
{
|
||||
await InitAsync();
|
||||
await InitAsync(_defaultContainerName);
|
||||
}
|
||||
|
||||
private async Task InitAsync()
|
||||
private async Task InitAsync(string containerName)
|
||||
{
|
||||
if (_attachmentsContainer == null)
|
||||
if (!_attachmentContainers.ContainsKey(containerName) || _attachmentContainers[containerName] == null)
|
||||
{
|
||||
_attachmentsContainer = _blobClient.GetContainerReference(AttchmentContainerName);
|
||||
await _attachmentsContainer.CreateIfNotExistsAsync(BlobContainerPublicAccessType.Blob, null, null);
|
||||
_attachmentContainers[containerName] = _blobClient.GetContainerReference(containerName);
|
||||
if (containerName == "attachments")
|
||||
{
|
||||
await _attachmentContainers[containerName].CreateIfNotExistsAsync(BlobContainerPublicAccessType.Blob, null, null);
|
||||
}
|
||||
else
|
||||
{
|
||||
await _attachmentContainers[containerName].CreateIfNotExistsAsync(BlobContainerPublicAccessType.Off, null, null);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user