Fix SAS permission derivation with leading ? char

alfpark · alfpark · commit fe1a88d2b6c7 · 2019-09-16T17:35:53.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 ## [Unreleased]
 
+### Fixed
+- Fix SAS permission derivation on SAS keys with leading '?' character
+
 ## [1.9.2] - 2019-09-09
 ### Fixed
 - Fix default overwrite behavior on upload performing point query lookups
diff --git a/blobxfer/operations/azure/__init__.py b/blobxfer/operations/azure/__init__.py
@@ -122,6 +122,9 @@ def __init__(self, name, key, endpoint, transfer_threads, timeout, proxy):
         self.key = key
         self.endpoint = endpoint
         self.is_sas = StorageAccount._key_is_sas(self.key)
+        # normalize sas keys
+        if self.is_sas and self.key[0] == '?':
+            self.key = self.key[1:]
         self.can_create_containers = self._container_manipulation_allowed()
         self.can_list_container_objects = (
             self._credential_allows_container_list()
@@ -134,9 +137,6 @@ def __init__(self, name, key, endpoint, transfer_threads, timeout, proxy):
                 raise ValueError(
                     'the provided SAS does not allow object-level access for '
                     'account: {}'.format(self.name))
-            # normalize sas keys
-            if self.key.startswith('?'):
-                self.key = self.key[1:]
         else:
             # check if sa shared key is base64
             if StorageAccount._VALID_BASE64_RE.match(self.key) is None:
diff --git a/tests/test_blobxfer_operations_azure.py b/tests/test_blobxfer_operations_azure.py
@@ -179,6 +179,26 @@ def test_credential_allows_object_read():
     assert a._credential_allows_object_read()
     assert a.can_read_object
 
+    a = azops.StorageAccount(
+        'name', '?sp=r&sr=b&sig=2', 'core.windows.net', 10, to, None)
+    assert a._credential_allows_object_read()
+    assert a.can_read_object
+
+    a = azops.StorageAccount(
+        'name', 'sp=r&sr=b&sig=2', 'core.windows.net', 10, to, None)
+    assert a._credential_allows_object_read()
+    assert a.can_read_object
+
+    a = azops.StorageAccount(
+        'name', '?sr=b&sp=r&sig=2', 'core.windows.net', 10, to, None)
+    assert a._credential_allows_object_read()
+    assert a.can_read_object
+
+    a = azops.StorageAccount(
+        'name', 'sr=b&sp=r&sig=2', 'core.windows.net', 10, to, None)
+    assert a._credential_allows_object_read()
+    assert a.can_read_object
+
     a = azops.StorageAccount(
         'name', '?sv=0&si=policy&sig=2', 'core.windows.net', 10, to, None)
     assert a._credential_allows_object_read()
