/// <summary>  
/// 云存儲(chǔ)權(quán)限管理接口  
/// </summary>  
public interface ICloudStoragePermissionManager  
{  
    /// <summary>  
    /// 設(shè)置存儲(chǔ)桶的訪問(wèn)權(quán)限  
    /// </summary>  
    Task SetBucketAcl(string bucketName, string acl);  

    /// <summary>  
    /// 為特定用戶/角色生成臨時(shí)訪問(wèn)令牌  
    /// </summary>  
    Task<string> GenerateSignedUrl(string bucketName, string objectKey, TimeSpan expiration);  

    /// <summary>  
    /// 驗(yàn)證當(dāng)前用戶的訪問(wèn)權(quán)限  
    /// </summary>  
    Task<bool> CheckAccessPermission(string bucketName, string objectKey, string action);  
}

using Amazon.S3;  
using Amazon.S3.Model;  
using Amazon.IdentityManagement;  
using Amazon.IdentityManagement.Model;  

public class AWSCloudStorageManager : ICloudStoragePermissionManager  
{  
    private readonly IAmazonS3 _s3Client;  
    private readonly IAmazonIdentityManagementService _iamClient;  

    public AWSCloudStorageManager()  
    {  
        // 從環(huán)境變量加載憑證（推薦生產(chǎn)環(huán)境使用）  
        var s3Config = new AmazonS3Config  
        {  
            RegionEndpoint = Amazon.RegionEndpoint.USWest2  
        };  
        _s3Client = new AmazonS3Client(s3Config);  

        var iamConfig = new AmazonIdentityManagementServiceConfig  
        {  
            RegionEndpoint = Amazon.RegionEndpoint.USWest2  
        };  
        _iamClient = new AmazonIdentityManagementServiceClient(iamConfig);  
    }  

    /// <summary>  
    /// 創(chuàng)建自定義IAM角色并綁定策略  
    /// </summary>  
    public async Task CreateRoleWithPolicy(string roleName, string policyJson)  
    {  
        // 1. 創(chuàng)建角色  
        var createRoleRequest = new CreateRoleRequest  
        {  
            RoleName = roleName,  
            AssumeRolePolicyDocument = @"{  
                ""Version"": ""2012-10-17"",  
                ""Statement"": [{  
                    ""Effect"": ""Allow"",  
                    ""Principal"": {""Service"": ""ec2.amazonaws.com""},  
                    ""Action"": ""sts:AssumeRole""  
                }]  
            }"  
        };  
        var roleResponse = await _iamClient.CreateRoleAsync(createRoleRequest);  

        // 2. 創(chuàng)建策略  
        var createPolicyRequest = new CreatePolicyRequest  
        {  
            PolicyName = $"{roleName}-Policy",  
            PolicyDocument = policyJson  
        };  
        var policyResponse = await _iamClient.CreatePolicyAsync(createPolicyRequest);  

        // 3. 綁定策略到角色  
        await _iamClient.AttachRolePolicyAsync(new AttachRolePolicyRequest  
        {  
            RoleName = roleName,  
            PolicyArn = policyResponse.Policy.Arn  
        });  
    }  

    /// <summary>  
    /// 設(shè)置存儲(chǔ)桶ACL（Access Control List）  
    /// </summary>  
    public async Task SetBucketAcl(string bucketName, string acl)  
    {  
        var putAclRequest = new PutBucketAclRequest  
        {  
            BucketName = bucketName,  
            CannedACL = acl // 可選值：Private, PublicRead, PublicReadWrite  
        };  
        await _s3Client.PutBucketAclAsync(putAclRequest);  
    }  
}

using Azure.Identity;  
using Azure.Storage.Blobs;  
using Azure.Storage.Blobs.Models;  
using Azure.Storage.Sas;  

public class AzureCloudStorageManager : ICloudStoragePermissionManager  
{  
    private readonly BlobServiceClient _blobServiceClient;  

    public AzureCloudStorageManager()  
    {  
        // 使用Managed Identity進(jìn)行身份驗(yàn)證（推薦生產(chǎn)環(huán)境）  
        var credential = new DefaultAzureCredential();  
        _blobServiceClient = new BlobServiceClient(new Uri("https://youraccount.blob.core.windows.net"), credential);  
    }  

    /// <summary>  
    /// 為存儲(chǔ)賬戶分配RBAC角色  
    /// </summary>  
    public async Task AssignRoleToUser(string userEmail, string roleName)  
    {  
        var userPrincipalId = await GetUserIdFromAzureAD(userEmail);  
        var roleAssignment = new RoleAssignmentProperties  
        {  
            RoleDefinitionId = $"/providers/Microsoft.Authorization/roleDefinitions/{roleName}",  
            PrincipalId = userPrincipalId  
        };  
        // 通過(guò)Azure REST API或Azure SDK for .NET進(jìn)行角色分配  
    }  

    /// <summary>  
    /// 生成SAS Token實(shí)現(xiàn)臨時(shí)訪問(wèn)權(quán)限  
    /// </summary>  
    public string GenerateSasToken(string containerName, string blobName)  
    {  
        var containerClient = _blobServiceClient.GetBlobContainerClient(containerName);  
        var sasBuilder = new BlobSasBuilder  
        {  
            BlobContainerName = containerName,  
            BlobName = blobName,  
            Resource = "b", // b = blob, c = container  
            StartsOn = DateTimeOffset.UtcNow,  
            ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)  
        };  
        sasBuilder.SetPermissions(BlobSasPermissions.Read | BlobSasPermissions.Write);  

        var token = containerClient.GetSasUri(sasBuilder).AbsoluteUri;  
        return token;  
    }  
}

using AlibabaCloud.OSS.V2;  
using AlibabaCloud.OSS.Models;  

public class AliyunOssManager : ICloudStoragePermissionManager  
{  
    private readonly OSS.Client _ossClient;  

    public AliyunOssManager()  
    {  
        var config = new OSS.Configuration  
        {  
            Region = "cn-hangzhou",  
            Endpoint = "oss-cn-hangzhou.aliyuncs.com"  
        };  
        // 使用環(huán)境變量獲取憑證（推薦生產(chǎn)環(huán)境）  
        config.CredentialsProvider = new OSS.Credentials.EnvironmentVariableCredentialsProvider();  
        _ossClient = new OSS.Client(config);  
    }  

    /// <summary>  
    /// 設(shè)置存儲(chǔ)桶的訪問(wèn)權(quán)限  
    /// </summary>  
    public async Task SetBucketAcl(string bucketName, string acl)  
    {  
        var request = new PutBucketAclRequest  
        {  
            Bucket = bucketName,  
            Acl = acl // 可選值：private, public-read, public-read-write  
        };  
        await _ossClient.PutBucketAclAsync(request);  
    }  

    /// <summary>  
    /// 為RAM用戶授權(quán)訪問(wèn)存儲(chǔ)桶  
    /// </summary>  
    public async Task GrantRamUserAccess(string userId, string bucketName)  
    {  
        var policy = new PutBucketPolicyRequest  
        {  
            Bucket = bucketName,  
            Policy = $@"{{
                ""Version"": ""1"",
                ""Statement"": [{
                    ""Effect"": ""Allow"",
                    ""Principal"": ""{userId}"",
                    ""Action"": [""oss:PutObject"", ""oss:GetObject""],
                    ""Resource"": [""acs:oss:*:*:{bucketName}/*""]
                }]
            }}"  
        };  
        await _ossClient.PutBucketPolicyAsync(policy);  
    }  
}

/// <summary>  
/// 動(dòng)態(tài)權(quán)限評(píng)估器（基于ABAC模型）  
/// </summary>  
public class AttributeBasedAccessControlEvaluator  
{  
    public bool EvaluateAccessRequest(AccessRequestContext context)  
    {  
        // 示例：僅允許特定部門(mén)在工作時(shí)間訪問(wèn)敏感數(shù)據(jù)  
        if (context.RequestTime.Hour < 9 || context.RequestTime.Hour > 18)  
        {  
            return false; // 非工作時(shí)間禁止訪問(wèn)  
        }  

        if (!context.UserDepartment.Equals("Finance", StringComparison.OrdinalIgnoreCase))  
        {  
            return false; // 非財(cái)務(wù)部門(mén)禁止訪問(wèn)  
        }  

        if (context.ResourceClassification == "Confidential")  
        {  
            return context.UserSecurityLevel >= 3;  
        }  

        return true;  
    }  
}

/// <summary>  
/// 安全的權(quán)限檢查封裝  
/// </summary>  
public async Task<T> SafeAccessResource<T>(Func<Task<T>> accessAction)  
{  
    try  
    {  
        // 1. 檢查操作是否符合最小權(quán)限原則  
        if (!CheckMinimumPermission())  
        {  
            throw new SecurityException("權(quán)限不足");  
        }  

        // 2. 記錄操作審計(jì)日志  
        LogAuditEvent("ResourceAccessAttempt");  

        // 3. 執(zhí)行操作并捕獲異常  
        return await accessAction();  
    }  
    catch (Exception ex)  
    {  
        // 4. 標(biāo)準(zhǔn)化異常處理  
        LogError(ex);  
        throw new CloudStorageAccessException("云存儲(chǔ)訪問(wèn)失敗", ex);  
    }  
}

/// <summary>  
/// 多云權(quán)限管理工廠  
/// </summary>  
public static class CloudStorageManagerFactory  
{  
    public static ICloudStoragePermissionManager Create(string cloudProvider)  
    {  
        switch (cloudProvider.ToLowerInvariant())  
        {  
            case "aws":  
                return new AWSCloudStorageManager();  
            case "azure":  
                return new AzureCloudStorageManager();  
            case "aliyun":  
                return new AliyunOssManager();  
            default:  
                throw new ArgumentException($"不支持的云平臺(tái): {cloudProvider}");  
        }  
    }  
}