Stupid Azure Trick #6 – A CORS Toggler Command-line Tool for Windows Azure Blobs

[Edit: I originally accidentally published an old draft. The draft went out to all email subscribers and was public for around 90 minutes. Fixed now.]

In the most recent Stupid Azure Trick installment, I explained how one could host a 1000 visitor-per-day web site for one penny per month. Since then I also explained my choice to use CORS in that same application. Here I will dig into specifically using CORS with Windows Azure.

I also show how the curl command line tool can be helpful to examine CORS properties in HTTP headers for a blob service.

I also will briefly describe a simple tool I built that could quickly turn CORS on or off for a specified Blob service – the CORS Toggler. The CORS Toggler (in its current simple form) was useful to me because of two constraints that were true for my scenario:

• I was only reading files from the Windows Azure Blob Service. When just reading, pre-flight request doesn’t matter when you are just reading. Simplification #1.
• I didn’t care whether the blob resource is publicly available, rather than just available to my application. So the CORS policy was to open to any caller (‘*’). Simplification #2.

These two simplifications mean that the toggler knew what it meant to enable CORS (open up for reading to all comers) and to disable. (Though it is worth noting that opening up CORS to any caller is probably a common scenario. Also worth noting that tool could easily extended to support a whitelist for allowed domains or other features.)

First, here’s the code for the toggler – there are three files here:

1. Driver program (Console app in C#) – handles command line params and such and then calls into the …
2. Code to perform simple CORS manipulation (C# class)
3. The above two and driven (in my fast toggler) through the third file (command line batch file) which passes in the storage keys and storage account name for the service I was working with

	@echo off
	D:\dev\path\to\ToggleCors.exe azuremap 123abcYourStorageKeyIsHere987zyx== %1
	echo.
	echo FOR COMPARISON QUERY THE nocors SERVICE (which never has CORS set)
	echo.
	D:\dev\path\to\ToggleCors.exe nocors 123abcYourStorageKeyIsHere987zyx== -q
	echo.
	PowerShell -Command Get-Date

view rawcors-toggler.bat hosted with  by GitHub

	using System;
	using Microsoft.WindowsAzure.Storage.Auth;
	using Microsoft.WindowsAzure.Storage.Blob;
	using Microsoft.WindowsAzure.Storage.Shared.Protocol;
	using Newtonsoft.Json;
	namespace BlobCorsToggle
	{
	public class SimpleAzureBlobCorsSetter
	{
	public CloudBlobClient CloudBlobClient { get; private set; }
	public SimpleAzureBlobCorsSetter(Uri blobServiceUri, StorageCredentials storageCredentials)
	{
	this.CloudBlobClient = new CloudBlobClient(blobServiceUri, storageCredentials);
	}
	public SimpleAzureBlobCorsSetter(CloudBlobClient blobClient)
	{
	this.CloudBlobClient = blobClient;
	}
	/// <summary>
	/// Set Blob Service CORS settings for specified Windows Azure Storage Account.
	/// Either sets to a hard-coded set of values (see below) or clears of all CORS settings.
	///
	/// Does not check for any existing CORS settings, but clobbers with the CORS settings
	/// to allow HTTP GET access from any origin. Non-CORS settings are left intact.
	///
	/// Most useful for scenarios where a file is published in Blob Storage for read-access
	/// by any client.
	///
	/// Can also be useful in conjunction with Valet Key Pattern-style limited access, as
	/// might be useful with a mobile application.
	/// </summary>
	/// <param name="clear">if true, clears all CORS setting, else allows GET from any origin</param>
	public void SetBlobCorsGetAnyOrigin(bool clear)
	{
	// http://msdn.microsoft.com/en-us/library/windowsazure/dn535601.aspx
	var corsGetAnyOriginRule = new CorsRule();
	corsGetAnyOriginRule.AllowedOrigins.Add("*"); // allow access to any client
	corsGetAnyOriginRule.AllowedMethods = CorsHttpMethods.Get; // only CORS-enable http GET
	corsGetAnyOriginRule.ExposedHeaders.Add("*"); // let client see any header we've configured
	corsGetAnyOriginRule.AllowedHeaders.Add("*"); // let clients request any header they can think of
	corsGetAnyOriginRule.MaxAgeInSeconds = (int)TimeSpan.FromHours(10).TotalSeconds; // clients are safe to cache CORS config for up to this long
	var blobServiceProperties = this.CloudBlobClient.GetServiceProperties();
	if (clear)
	{
	blobServiceProperties.Cors.CorsRules.Clear();
	}
	else
	{
	blobServiceProperties.Cors.CorsRules.Clear(); // replace current property set
	blobServiceProperties.Cors.CorsRules.Add(corsGetAnyOriginRule);
	}
	this.CloudBlobClient.SetServiceProperties(blobServiceProperties);
	}
	public void DumpCurrentProperties()
	{
	var blobServiceProperties = this.CloudBlobClient.GetServiceProperties();
	var blobPropertiesStringified = StringifyProperties(blobServiceProperties);
	Console.WriteLine("Current Properties:\n{0}", blobPropertiesStringified);
	}
	internal string StringifyProperties(ServiceProperties serviceProperties)
	{
	// JsonConvert.SerializeObject(serviceProperties) for whole object graph or
	// JsonConvert.SerializeObject(serviceProperties.Cors) for just CORS
	return Newtonsoft.Json.JsonConvert.SerializeObject(serviceProperties, Formatting.Indented);
	}
	}
	}

view rawSimpleAzureBlobCorsSetter.cs hosted with  by GitHub

	using System;
	using System.Diagnostics;
	using System.IO;
	using Microsoft.WindowsAzure.Storage.Auth;
	namespace BlobCorsToggle
	{
	class Program
	{
	static string clearFlag = "-clear";
	static string queryFlag = "-q";
	static void Main(string[] args)
	{
	if (args.Length == 0 || !ValidCommandArguments(args))
	{
	#region Show Correct Usage
	if (args.Length != 0 && !ValidCommandArguments(args))
	{
	var saveForegroundColor = Console.ForegroundColor;
	Console.ForegroundColor = ConsoleColor.Red;
	Console.Write("\nINVALID COMMAND LINE OR UNKNOWN FLAGS: ");
	foreach (var arg in args) Console.Write("{0} ", arg);
	Console.WriteLine();
	Console.ForegroundColor = saveForegroundColor;
	}
	Console.WriteLine("usage:\n{0} <storage acct name> <storage acct key> [{1}]",
	Path.GetFileNameWithoutExtension(Environment.GetCommandLineArgs()[0]),
	clearFlag);
	Console.WriteLine();
	Console.WriteLine("example setting:\n{0} {1} {2}",
	Path.GetFileNameWithoutExtension(Environment.GetCommandLineArgs()[0]),
	"mystorageacct",
	"lala+aou812SomERAndOmStrINglOlLolFroMmYStORaG3akounT314159265358979323ilIkEpi==");
	Console.WriteLine();
	Console.WriteLine("example clearing:\n{0} {1} {2} {3}",
	Path.GetFileNameWithoutExtension(Environment.GetCommandLineArgs()[0]),
	"mystorageacct",
	"lala+aou812SomERAndOmStrINglOlLolFroMmYStORaG3akounT314159265358979323ilIkEpi==",
	clearFlag);
	if (Debugger.IsAttached)
	{
	Console.WriteLine("\nPress any key to exit.");
	Console.ReadKey();
	}
	#endregion
	}
	else
	{
	var storageAccountName = args[0];
	var storageKey = args[1];
	var blobServiceUri = new Uri(String.Format("https://{0}.blob.core.windows.net", storageAccountName));
	var storageCredentials = new StorageCredentials(storageAccountName, storageKey);
	var blobConfig = new SimpleAzureBlobCorsSetter(blobServiceUri, storageCredentials);
	bool query = (args.Length == 3 && args[2] == queryFlag);
	if (query)
	{
	blobConfig.DumpCurrentProperties();
	return;
	}
	blobConfig.DumpCurrentProperties();
	Console.WriteLine();
	bool clear = (args.Length == 3 && args[2] == clearFlag);
	blobConfig.SetBlobCorsGetAnyOrigin(clear);
	Console.WriteLine("CORS Blob Properties for Storage Account {0} have been {1}.",
	storageAccountName, clear ? "cleared" : "set");
	Console.WriteLine();
	blobConfig.DumpCurrentProperties();
	}
	}
	private static bool ValidCommandArguments(string[] args)
	{
	if (args.Length == 2) return true;
	if (args.Length == 3 && (args[2] == clearFlag || args[2] == queryFlag)) return true;
	return false;
	}
	}
	}

view rawToggleCors.cs hosted with  by GitHub

One simple point to highlight – CORS properties are simply available on the Blob service object (and would be same for Table or Queue service within Storage):

Yes, this is a very simple API.

Showing the Service Object Contents

For those interested in the contents of these objects, here are a few ways to show content of properties (in code) before turning on CORS and after. (The object views are created using the technique I described my post on using JSON.NET as an object dumper that’s Good Enough™.)

DUMPING OBJECT BEFORE CORS ENABLED (just CORS properties):

{“Logging”:{“Version”:”1.0″,”LoggingOperations”:0,”RetentionDays”:null},”Metrics”:{“Version”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”HourMetrics”:{“Version”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”Cors”:{“CorsRules”:[]},”MinuteMetrics”:{“Version”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”DefaultServiceVersion”:null}

DUMPING OBJECT AFTER CORS ENABLED:

{“Logging”:{“Version”:”1.0″,”LoggingOperations”:0,”RetentionDays”:null},”Metrics”:{“Version”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”HourMetrics”:{“Version”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”Cors”:{“CorsRules”:[{“AllowedOrigins”:[“*”],”ExposedHeaders”:[“*”],”AllowedHeaders”:[“*”],”AllowedMethods”:1,”MaxAgeInSeconds”:36000}]},”MinuteMetrics”:{“Version”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”DefaultServiceVersion”:null}

DUMPING OBJECT BEFORE CORS ENABLED (but including ALL properties):

Current Properties:
{“Logging”:{“Version”:”1.0″,”LoggingOperations”:0,”RetentionDays”:null},”Metrics
“:{“Version”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”HourMetrics”:{“Versio
n”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”Cors”:{“CorsRules”:[]},”MinuteM
etrics”:{“Version”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”DefaultServiceV
ersion”:null}

DUMPING OBJECT AFTER CORS ENABLED (but including ALL properties):

Current Properties:
{“Logging”:{“Version”:”1.0″,”LoggingOperations”:0,”RetentionDays”:null},”Metrics
“:{“Version”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”HourMetrics”:{“Versio
n”:”1.0″,”MetricsLevel”:0,”RetentionDays”:null},”Cors”:{“CorsRules”:[{“AllowedOr
igins”:[“*”],”ExposedHeaders”:[“*”],”AllowedHeaders”:[“*”],”AllowedMethods”:1,”M
axAgeInSeconds”:36000}]},”MinuteMetrics”:{“Version”:”1.0″,”MetricsLevel”:0,”Rete
ntionDays”:null},”DefaultServiceVersion”:null}

Using ‘curl’ To Examine CORS Data:

curl -H "Origin: http://example.com" -H "Access-Control-Request-Method: GET" -H "Access-Control-Request-Headers: X-Requested-With" -X OPTIONS --verbose http://azuremap.blob.core.windows.net/maps/azuremap.geojson

view rawcheck-cors hosted with  by GitHub

CURL OUTPUT BEFORE CORS ENABLED:

D:\dev\github>curl -H “Origin: http://example.com” -H “Access-Control-Request-Method: GET” -H “Access-Control-Request-Headers: X-Requested-With” -X OPTIONS –verbosehttp://azuremap.blob.core.windows.net/maps/azuremap.geojson

* Adding handle: conn: 0x805fa8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* – Conn 0 (0x805fa8) send_pipe: 1, recv_pipe: 0
* About to connect() to azuremap.blob.core.windows.net port 80 (#0)
*   Trying 168.62.32.206…
* Connected to azuremap.blob.core.windows.net (168.62.32.206) port 80 (#0)
> OPTIONS /maps/azuremap.geojson HTTP/1.1
> User-Agent: curl/7.31.0
> Host: azuremap.blob.core.windows.net
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: X-Requested-With
>
< HTTP/1.1 403 CORS not enabled or no matching rule found for this request.
< Content-Length: 316
< Content-Type: application/xml
* Server Blob Service Version 1.0 Microsoft-HTTPAPI/2.0 is not blacklisted
< Server: Blob Service Version 1.0 Microsoft-HTTPAPI/2.0
< x-ms-request-id: 04402242-d4a7-4d0c-bedc-ff553a1bc982
< Date: Sun, 26 Jan 2014 15:08:11 GMT
<
<?xml version=”1.0″ encoding=”utf-8″?><Error><Code>CorsPreflightFailure</Code><Message>CORS not enabled or no matching rule found for this request.
RequestId:04402242-d4a7-4d0c-bedc-ff553a1bc982
Time:2014-01-26T15:08:12.0193649Z</Message><MessageDetails>No CORS rules matches this request</MessageDetails></Error>*
Connection #0 to host azuremap.blob.core.windows.net left intact

CURL OUTPUT AFTER CORS ENABLED:

D:\dev\github>curl -H “Origin: http://example.com” -H “Access-Control-Request-Method: GET” -H “Access-Control-Request-Headers: X-Requested-With” -X OPTIONS –verbosehttp://azuremap.blob.core.windows.net/maps/azuremap.geojson
* Adding handle: conn: 0x1f55fa8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* – Conn 0 (0x1f55fa8) send_pipe: 1, recv_pipe: 0
* About to connect() to azuremap.blob.core.windows.net port 80 (#0)
*   Trying 168.62.32.206…
* Connected to azuremap.blob.core.windows.net (168.62.32.206) port 80 (#0)
> OPTIONS /maps/azuremap.geojson HTTP/1.1
> User-Agent: curl/7.31.0
> Host: azuremap.blob.core.windows.net
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: X-Requested-With
>
< HTTP/1.1 200 OK
< Transfer-Encoding: chunked
* Server Blob Service Version 1.0 Microsoft-HTTPAPI/2.0 is not blacklisted
< Server: Blob Service Version 1.0 Microsoft-HTTPAPI/2.0
< x-ms-request-id: d4df8953-f8ae-441b-89fe-b69232579aa4
< Access-Control-Allow-Origin: http://example.com
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Headers: X-Requested-With
< Access-Control-Max-Age: 36000
< Access-Control-Allow-Credentials: true
< Date: Sun, 26 Jan 2014 16:02:25 GMT
<
* Connection #0 to host azuremap.blob.core.windows.net left intact

Resources

A new version of the Windows Azure Storage Emulator (v2.2.1) is now in Preview. This release has support for “2013-08-15” version of Storage which includes CORS (and JSON and other) support.

Overall description of Azure Storage’s CORS Support:

http://msdn.microsoft.com/en-us/library/windowsazure/dn535601.aspx

REST API doc (usually the canonical doc for any feature, though in code it is easily accessed with the Windows Azure SDK for .NET)

http://msdn.microsoft.com/en-us/library/windowsazure/hh452235.aspx

A couple of excellent posts from the community on CORS support in Windows Azure Storage:

• http://www.contentmaster.com/azure/windows-azure-storage-cors/
• http://gauravmantri.com/2013/12/01/windows-azure-storage-and-cors-lets-have-some-fun/