Question

我正在尝试构建代理API管理并添加此策略。我总是收到HTTP / 1.1 401未经授权

<policies>
    <inbound>
        <base />
        <set-variable name="cosmoskey" value="{{CosmosKey}}" />
        <set-variable name="requestDateString" value="@(DateTime.UtcNow.ToString("r"))" />
        <send-request mode="new" response-variable-name="response" timeout="10" ignore-error="false">
            <set-url>https://fellowtest.documents.azure.com/dbs/ToDoList/colls/Items/docs</set-url>
            <set-method>POST</set-method>
            <set-header name="Authorization" exists-action="override">
                <value>@{
          var verb = "GET";
          var resourceType = "docs";
          var resourceLink = "";
          var key = context.Variables.GetValueOrDefault<string>("cosmoskey");
          var keyType = "master";
          var tokenVersion = "1.0";
          var date = context.Variables.GetValueOrDefault<string>("requestDateString");

          var hmacSha256 = new System.Security.Cryptography.HMACSHA256 { Key = Convert.FromBase64String(key) };  

          verb = verb ?? "";  
          resourceType = resourceType ?? "";
          resourceLink = resourceLink ?? "";

          string payLoad = string.Format("{0}\n{1}\n{2}\n{3}\n{4}\n",  
                  verb.ToLowerInvariant(),  
                  resourceType.ToLowerInvariant(),  
                  resourceLink,  
                  date.ToLowerInvariant(),  
                  ""  
          );  

          byte[] hashPayLoad = hmacSha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(payLoad));  
          string signature = Convert.ToBase64String(hashPayLoad);  

          return System.Uri.EscapeDataString(String.Format("type={0}&ver={1}&sig={2}",  
              keyType,  
              tokenVersion,  
              signature));
        }</value>
            </set-header>
            <set-header name="Accept" exists-action="override">
                <value>application/json</value>
            </set-header>
            <set-header name="x-ms-date" exists-action="override">
                <value>@(context.Variables.GetValueOrDefault<string>("requestDateString"))</value>
            </set-header>
            <set-header name="x-ms-version" exists-action="override">
                <value>2016-07-11</value>
            </set-header>
        </send-request>
    </inbound>

当我执行邮递员的相同操作时，它可以工作，但不能通过API管理

    HTTP/1.1 401 Unauthorized

strict-transport-security: max-age=31536000
x-ms-gatewayversion: version=2.1.0.0
date: Tue, 16 Oct 2018 10:31:14 GMT
vary: Origin
ocp-apim-trace-location: https://apimgmtstpf0fn54oijkfxdy.blob.core.windows.net/apiinspectorcontainer/ZwM6kv46nxmT68jcPQD2Cw2-80?sv=2017-04-17&sr=b&sig=vxLvbzC6eGFtdo2tGN8XcmGgOq7Dtpv4QUBVoRt7L7g%3D&se=2018-10-17T10%3A31%3A14Z&sp=r&traceId=d330a86fe0334c99ad36fbc5ea737c00
content-type: application/json
x-ms-activity-id: 43409a3d-06a7-4d2c-8e41-a5d8bc1456e7
transfer-encoding: chunked
content-location: https://fellowtest.documents.azure.com/test3
{
    "code": "Unauthorized",
    "message": "Required Header authorization is missing. Ensure a valid Authorization token is passed.\r\nActivityId: 43409a3d-06a7-4d2c-8e41-a5d8bc1456e7, Microsoft.Azure.Documents.Common/2.1.0.0"
}

跟踪看起来还可以，所以我无法找出错误所在。有没有人做过或者知道我在哪里可以找到方法书？

Answer 1

要构建有效的哈希令牌签名（有关详细信息，请参见https://docs.microsoft.com/en-us/rest/api/cosmos-db/access-control-on-cosmosdb-resources），您需要提供动词（在您的情况下为“ get”，因为它是GET请求，所以可以）， ResourceType （“ docs”-可以，因为您要列出文档是可以的）和 ResourceLink （在您的情况下为“”），在您的情况下应设置为：

var resourceLink = "dbs/ToDoList/colls/Items";

此外，发送请求策略不会将响应返回给调用方。基本上，将响应保存到作为参数给出的变量中（在这种情况下为“ response”）。

要向呼叫者返回响应，可以使用策略。

<return-response>
    <set-body>@(((IResponse)context.Variables["response"]).Body.As<JObject>(preserveContent: true).ToString())</set-body>
</return-response>

评论中提到的解决方案似乎是实现您想要做的事的最佳方法（https://www.fellow-consulting.com/azure-api-management-proxy-to-cosmos-db/）

Azure API管理-Cosmos DB

1 个答案: