Unit test for SAS computation which matches the Azure Portal

passes - 2
hashicorp · Mar 20, 2018 · 47534b2 · 47534b2
1 parent f19d716
commit 47534b2
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 4 deletions.
diff --git a/azurerm/provider.go b/azurerm/provider.go
@@ -192,6 +192,7 @@ func Provider() terraform.ResourceProvider {
 			"azurerm_sql_active_directory_administrator":  resourceArmSqlAdministrator(),
 			"azurerm_sql_server":                          resourceArmSqlServer(),
 			"azurerm_storage_account":                     resourceArmStorageAccount(),
+			"azurerm_storage_account_sas":                 resourceArmStorageAccountSharedAccessSignature(),
 			"azurerm_storage_blob":                        resourceArmStorageBlob(),
 			"azurerm_storage_container":                   resourceArmStorageContainer(),
 			"azurerm_storage_share":                       resourceArmStorageShare(),

diff --git a/azurerm/resource_arm_storage_account_sas.go b/azurerm/resource_arm_storage_account_sas.go
@@ -145,9 +145,14 @@ func validateArmStorageAccountSasResourceTypes(v interface{}, k string) (ws []st
 
 func computeAzureStorageAccountSas(accountName string,
 	accountKey string,
-	permissions string, services string,
-	resourceTypes string, start string, expiry string,
-	signedProtocol string, signedIp string, signedVersion string) (string, error) {
+	permissions string,
+	services string,
+	resourceTypes string,
+	start string,
+	expiry string,
+	signedProtocol string,
+	signedIp string,
+	signedVersion string) (string, error) {
 
 	// UTF-8 by default...
 	stringToSign := accountName + "\n"
@@ -168,13 +173,15 @@ func computeAzureStorageAccountSas(accountName string,
 	hasher.Write([]byte(stringToSign))
 	signature := hasher.Sum(nil)
 
+	// Trial and error to determine which fields the Azure portal
+	// URL encodes for a query string and which it does not.
 	sasToken := "?sv=" + url.QueryEscape(signedVersion)
 	sasToken += "&ss=" + url.QueryEscape(services)
 	sasToken += "&srt=" + url.QueryEscape(resourceTypes)
 	sasToken += "&sp=" + url.QueryEscape(permissions)
 	sasToken += "&se=" + (expiry)
 	sasToken += "&st=" + (start)
-	sasToken += "&spr=" + url.QueryEscape(signedProtocol)
+	sasToken += "&spr=" + (signedProtocol)
 
 	// this is consistent with how the Azure portal builds these.
 	if len(signedIp) > 0 {

diff --git a/azurerm/resource_arm_storage_account_sas_test.go b/azurerm/resource_arm_storage_account_sas_test.go
@@ -66,6 +66,19 @@ func TestComputeAzureStorageAccountSas(t *testing.T) {
 			"2017-07-29",
 			"?sv=2017-07-29&ss=b&srt=c&sp=rwac&se=2020-03-20T04:00:00Z&st=2018-03-20T04:00:00Z&spr=https&sig=SQigK%2FnFA4pv0F0oMLqr6DxUWV4vtFqWi6q3Mf7o9nY%3D",
 		},
+		{
+			"azurermtestsa0",
+			"2vJrjEyL4re2nxCEg590wJUUC7PiqqrDHjAN5RU304FNUQieiEwS2bfp83O0v28iSfWjvYhkGmjYQAdd9x+6nw==",
+			"rwdlac",
+			"b",
+			"sco",
+			"2018-03-20T04:00:00Z",
+			"2018-03-28T05:04:25Z",
+			"https,http",
+			"",
+			"2017-07-29",
+			"?sv=2017-07-29&ss=b&srt=sco&sp=rwdlac&se=2018-03-28T05:04:25Z&st=2018-03-20T04:00:00Z&spr=https,http&sig=OLNwL%2B7gxeDQQaUyNdXcDPK2aCbCMgEkJNjha9te448%3D",
+		},
 	}
 
 	for _, test := range testCases {