mirror of
https://github.com/restic/restic.git
synced 2024-12-21 23:33:03 +00:00
Merge pull request #5093 from Seefin/fix-containerSAS
Fix Azure Container Token Auth
This commit is contained in:
commit
7c02141548
3 changed files with 103 additions and 0 deletions
12
changelog/unreleased/issue-4004
Normal file
12
changelog/unreleased/issue-4004
Normal file
|
@ -0,0 +1,12 @@
|
|||
Bugfix: Allow use of container level SAS/SAT tokens with Azure backend
|
||||
|
||||
When using a SAS/SAT token for authentication with Azure, restic was expecting
|
||||
the provided token to be generated at the account level, granting permissions
|
||||
to the storage account and all its containers. This caused an error that did
|
||||
not allow tokens that were generated at the container level to be used to
|
||||
initalize a repository.
|
||||
Restic now allows SAS/SAT tokens that were generated at the account or
|
||||
container level to be used to initalize a repository.
|
||||
|
||||
https://github.com/restic/restic/issues/4004
|
||||
https://github.com/restic/restic/pull/5093
|
|
@ -157,6 +157,12 @@ func Create(ctx context.Context, cfg Config, rt http.RoundTripper) (*Backend, er
|
|||
if err != nil {
|
||||
return nil, errors.Wrap(err, "container.Create")
|
||||
}
|
||||
} else if err != nil && bloberror.HasCode(err, bloberror.AuthorizationFailure) {
|
||||
// We ignore this Auth. Failure, as the failure is related to the type
|
||||
// of SAS/SAT, not an actual real failure. If the token is invalid, we
|
||||
// fail later on anyway.
|
||||
// For details see Issue #4004.
|
||||
debug.Log("Ignoring AuthorizationFailure when calling GetProperties")
|
||||
} else if err != nil {
|
||||
return be, errors.Wrap(err, "container.GetProperties")
|
||||
}
|
||||
|
|
|
@ -80,6 +80,91 @@ func BenchmarkBackendAzure(t *testing.B) {
|
|||
newAzureTestSuite().RunBenchmarks(t)
|
||||
}
|
||||
|
||||
// TestBackendAzureAccountToken tests that a Storage Account SAS/SAT token can authorize.
|
||||
// This test ensures that restic can use a token that was generated using the storage
|
||||
// account keys can be used to authorize the azure connection.
|
||||
// Requires the RESTIC_TEST_AZURE_ACCOUNT_NAME, RESTIC_TEST_AZURE_REPOSITORY, and the
|
||||
// RESTIC_TEST_AZURE_ACCOUNT_SAS environment variables to be set, otherwise this test
|
||||
// will be skipped.
|
||||
func TestBackendAzureAccountToken(t *testing.T) {
|
||||
vars := []string{
|
||||
"RESTIC_TEST_AZURE_ACCOUNT_NAME",
|
||||
"RESTIC_TEST_AZURE_REPOSITORY",
|
||||
"RESTIC_TEST_AZURE_ACCOUNT_SAS",
|
||||
}
|
||||
|
||||
for _, v := range vars {
|
||||
if os.Getenv(v) == "" {
|
||||
t.Skipf("set %v to test SAS/SAT Token Authentication", v)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithCancel(context.TODO())
|
||||
defer cancel()
|
||||
|
||||
cfg, err := azure.ParseConfig(os.Getenv("RESTIC_TEST_AZURE_REPOSITORY"))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
cfg.AccountName = os.Getenv("RESTIC_TEST_AZURE_ACCOUNT_NAME")
|
||||
cfg.AccountSAS = options.NewSecretString(os.Getenv("RESTIC_TEST_AZURE_ACCOUNT_SAS"))
|
||||
|
||||
tr, err := backend.Transport(backend.TransportOptions{})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
_, err = azure.Create(ctx, *cfg, tr)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestBackendAzureContainerToken tests that a container SAS/SAT token can authorize.
|
||||
// This test ensures that restic can use a token that was generated using a user
|
||||
// delegation key against the container we are storing data in can be used to
|
||||
// authorize the azure connection.
|
||||
// Requires the RESTIC_TEST_AZURE_ACCOUNT_NAME, RESTIC_TEST_AZURE_REPOSITORY, and the
|
||||
// RESTIC_TEST_AZURE_CONTAINER_SAS environment variables to be set, otherwise this test
|
||||
// will be skipped.
|
||||
func TestBackendAzureContainerToken(t *testing.T) {
|
||||
vars := []string{
|
||||
"RESTIC_TEST_AZURE_ACCOUNT_NAME",
|
||||
"RESTIC_TEST_AZURE_REPOSITORY",
|
||||
"RESTIC_TEST_AZURE_CONTAINER_SAS",
|
||||
}
|
||||
|
||||
for _, v := range vars {
|
||||
if os.Getenv(v) == "" {
|
||||
t.Skipf("set %v to test SAS/SAT Token Authentication", v)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithCancel(context.TODO())
|
||||
defer cancel()
|
||||
|
||||
cfg, err := azure.ParseConfig(os.Getenv("RESTIC_TEST_AZURE_REPOSITORY"))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
cfg.AccountName = os.Getenv("RESTIC_TEST_AZURE_ACCOUNT_NAME")
|
||||
cfg.AccountSAS = options.NewSecretString(os.Getenv("RESTIC_TEST_AZURE_CONTAINER_SAS"))
|
||||
|
||||
tr, err := backend.Transport(backend.TransportOptions{})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
_, err = azure.Create(ctx, *cfg, tr)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestUploadLargeFile(t *testing.T) {
|
||||
if os.Getenv("RESTIC_AZURE_TEST_LARGE_UPLOAD") == "" {
|
||||
t.Skip("set RESTIC_AZURE_TEST_LARGE_UPLOAD=1 to test large uploads")
|
||||
|
|
Loading…
Reference in a new issue