Fix invalid SAS token from New-AzServiceBusAuthorizationRuleSASToken and New-AzEventHubAuthorizationRuleSASToken (#14535)

fsackur · wyunchi-ms · web-flow · commit 93beeb87595c · 2021-03-16T13:41:55.000+08:00
* Fix #12975 New-AzServiceBusAuthorizationRuleSASToken returns invalid token * Tidy * Update changelog * Fix #14534 New-AzEventHubAuthorizationRuleSASToken returns invalid token when StartTime is provided * Tidy * Update changelog * Update ChangeLog.md * Update ChangeLog.md * Fix syntax errors Co-authored-by: Yunchi Wang <54880216+wyunchi-ms@users.noreply.github.com>
diff --git a/src/EventHub/EventHub/ChangeLog.md b/src/EventHub/EventHub/ChangeLog.md
@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Fixed that `New-AzServiceBusAuthorizationRuleSASToken` returns invalid token. [#12975]
 
 ## Version 1.7.1
 * Fixed Cluster commands for EventHub cluster without tags
diff --git a/src/EventHub/EventHub/Cmdlets/AuthorizationRule/NewAzureEventhubAuthorizationRuleSASToken.cs b/src/EventHub/EventHub/Cmdlets/AuthorizationRule/NewAzureEventhubAuthorizationRuleSASToken.cs
@@ -91,15 +91,24 @@ public override void ExecuteCmdlet()
                         }
                 }
 
-                TimeSpan secondsFromBaseTime = ExpiryTime.Value.Subtract(EpochTime);
-                long seconds = Convert.ToInt64(secondsFromBaseTime.TotalSeconds, CultureInfo.InvariantCulture);
-                string stringToSign = StartTime.HasValue ? StartTime.ToString() + "\n" + System.Web.HttpUtility.UrlEncode(resourceUri) + "\n" + seconds : System.Web.HttpUtility.UrlEncode(resourceUri) + "\n" + seconds;
+                var encodedResourceUri = System.Web.HttpUtility.UrlEncode(resourceUri);
+                var expiry = Convert.ToInt64(ExpiryTime.Value.Subtract(EpochTime).TotalSeconds, CultureInfo.InvariantCulture);
+                var stringToSign = StartTime == null ? "" : Convert.ToInt64(StartTime.Value.Subtract(EpochTime).TotalSeconds, CultureInfo.InvariantCulture) + "\n";
+                stringToSign = stringToSign + encodedResourceUri + "\n" + expiry;
+
                 HMACSHA256 hmac = new HMACSHA256(System.Text.Encoding.UTF8.GetBytes(sakey));
                 var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
-                string sasToken = String.Format(CultureInfo.InvariantCulture, "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}", HttpUtility.UrlEncode(resourceUri), HttpUtility.UrlEncode(signature), seconds, KeyType);
+
+                string sasToken = String.Format(CultureInfo.InvariantCulture,
+                                                "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}",
+                                                HttpUtility.UrlEncode(resourceUri),
+                                                HttpUtility.UrlEncode(signature),
+                                                expiry,
+                                                KeyType);
+
                 PSSharedAccessSignatureAttributes psSastoken = new PSSharedAccessSignatureAttributes(sasToken);
-                WriteObject(psSastoken, true);
 
+                WriteObject(psSastoken, true);
             }
             catch (Management.EventHub.Models.ErrorResponseException ex)
             {
diff --git a/src/ServiceBus/ServiceBus/ChangeLog.md b/src/ServiceBus/ServiceBus/ChangeLog.md
@@ -19,6 +19,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Fixed that `New-AzServiceBusAuthorizationRuleSASToken` returns invalid token. [#12975]
 
 ## Version 1.4.1
 * Update references in .psd1 to use relative path
diff --git a/src/ServiceBus/ServiceBus/Cmdlets/AuthorizationRule/NewAzureServiceBusAuthorizationRuleSASToken.cs b/src/ServiceBus/ServiceBus/Cmdlets/AuthorizationRule/NewAzureServiceBusAuthorizationRuleSASToken.cs
@@ -55,10 +55,11 @@ public override void ExecuteCmdlet()
             {
                 LocalResourceIdentifier identifier = new LocalResourceIdentifier(AuthorizationRuleId);
                 string resourceUri = string.Empty, strPolicyName = string.Empty, sakey = string.Empty;
+                DateTime EpochTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
 
                 PSListKeysAttributes listkeys;
                 if (identifier.ParentResource1 != null && AuthorizationRuleId.Contains("topics"))
-                {                   
+                {
                     listkeys =  Client.GetTopicKey(identifier.ResourceGroupName, identifier.ParentResource, identifier.ParentResource1, identifier.ResourceName);
                 }
                 else if (identifier.ParentResource1 != null && AuthorizationRuleId.Contains("queues"))
@@ -94,13 +95,24 @@ public override void ExecuteCmdlet()
                         }
                 }
 
-                string stringToSign = StartTime.HasValue ? StartTime.ToString() + "\n" + System.Web.HttpUtility.UrlEncode(resourceUri) + "\n" + ExpiryTime.ToString() : System.Web.HttpUtility.UrlEncode(resourceUri) + "\n" + ExpiryTime.ToString();
+                var encodedResourceUri = System.Web.HttpUtility.UrlEncode(resourceUri);
+                var expiry = Convert.ToInt64(ExpiryTime.Value.Subtract(EpochTime).TotalSeconds, CultureInfo.InvariantCulture);
+                var stringToSign = StartTime == null ? "" : Convert.ToInt64(StartTime.Value.Subtract(EpochTime).TotalSeconds, CultureInfo.InvariantCulture) + "\n";
+                stringToSign = stringToSign + encodedResourceUri + "\n" + expiry;
+
                 HMACSHA256 hmac = new HMACSHA256(System.Text.Encoding.UTF8.GetBytes(sakey));
                 var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
-                string sasToken = String.Format(CultureInfo.InvariantCulture, "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}", HttpUtility.UrlEncode(resourceUri), HttpUtility.UrlEncode(signature), ExpiryTime, KeyType);
+
+                string sasToken = String.Format(CultureInfo.InvariantCulture,
+                                                "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}",
+                                                HttpUtility.UrlEncode(resourceUri),
+                                                HttpUtility.UrlEncode(signature),
+                                                ExpiryTime,
+                                                KeyType);
+
                 PSSharedAccessSignatureAttributes psSastoken = new PSSharedAccessSignatureAttributes(sasToken);
-                WriteObject(psSastoken, true);
 
+                WriteObject(psSastoken, true);
             }
             catch (Management.ServiceBus.Models.ErrorResponseException ex)
             {
