Added support for directory and delegation SAS

sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/implementation/util/BlobSasImplUtil.java

@@ -110,7 +110,7 @@ public BlobSasImplUtil(BlobServiceSasSignatureValues sasValues, String container
             throw logger.logExceptionAsError(
                 new IllegalArgumentException("'snapshot' and 'versionId' cannot be used at the same time."));
         }
-        this.version = sasValues.getVersion();
+        this.version = null; /* Setting this to null forces the latest service version - see ensureState. */
         this.protocol = sasValues.getProtocol();
         this.startTime = sasValues.getStartTime();
         this.expiryTime = sasValues.getExpiryTime();
@@ -314,6 +314,9 @@ private String stringToSign(final UserDelegationKey key, String canonicalName) {
             key.getSignedExpiry() == null ? "" : Constants.ISO_8601_UTC_DATE_FORMATTER.format(key.getSignedExpiry()),
             key.getSignedService() == null ? "" : key.getSignedService(),
             key.getSignedVersion() == null ? "" : key.getSignedVersion(),
+            "", /* saoid - empty since this applies to HNS only accounts. */
+            "", /* suoid - empty since this applies to HNS only accounts. */
+            "", /* cid - empty since this applies to HNS only accounts. */
             this.sasIpRange == null ? "" : this.sasIpRange.toString(),
             this.protocol == null ? "" : this.protocol.toString(),
             version,

sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/sas/BlobServiceSasSignatureValues.java

@@ -149,9 +149,7 @@ public BlobServiceSasSignatureValues(String identifier) {
     public BlobServiceSasSignatureValues(String version, SasProtocol sasProtocol, OffsetDateTime startTime,
         OffsetDateTime expiryTime, String permission, SasIpRange sasIpRange, String identifier, String cacheControl,
         String contentDisposition, String contentEncoding, String contentLanguage, String contentType) {
-        if (version != null) {
-            this.version = version;
-        }
+        this.version = null;
         this.protocol = sasProtocol;
         this.startTime = startTime;
         this.expiryTime = expiryTime;
@@ -179,9 +177,11 @@ public String getVersion() {
      *
      * @param version Version to target
      * @return the updated BlobServiceSASSignatureValues object
+     * @deprecated The version is set to the latest version of sas.
      */
+    @Deprecated
     public BlobServiceSasSignatureValues setVersion(String version) {
-        this.version = version;
+        /* No-op.*/
         return this;
     }
 
@@ -656,7 +656,7 @@ private String stringToSign(String canonicalName) {
             this.identifier == null ? "" : this.identifier,
             this.sasIpRange == null ? "" : this.sasIpRange.toString(),
             this.protocol == null ? "" : this.protocol.toString(),
-            version,
+            BlobSasServiceVersion.V2019_12_12.getVersion(), /* Pin down to version so old string to sign works. */
             resource,
             this.snapshotId == null ? "" : this.snapshotId,
             this.cacheControl == null ? "" : this.cacheControl,
@@ -681,7 +681,7 @@ private String stringToSign(final UserDelegationKey key, String canonicalName) {
             key.getSignedVersion() == null ? "" : key.getSignedVersion(),
             this.sasIpRange == null ? "" : this.sasIpRange.toString(),
             this.protocol == null ? "" : this.protocol.toString(),
-            version,
+            BlobSasServiceVersion.V2019_12_12.getVersion(), /* Pin down to version so old string to sign works. */
             resource,
             this.snapshotId == null ? "" : this.snapshotId,
             this.cacheControl == null ? "" : this.cacheControl,

sdk/storage/azure-storage-common/src/main/java/com/azure/storage/common/implementation/Constants.java

@@ -347,6 +347,26 @@ public static final class UrlConstants {
          */
         public static final String SAS_SIGNED_KEY_VERSION = "skv";
 
+        /**
+         * The SAS authorized object id parameter for user delegation SAS.
+         */
+        public static final String SAS_AUTHORIZED_OBJECT_ID = "saoid";
+
+        /**
+         * The SAS unauthorized object id parameter for user delegation SAS.
+         */
+        public static final String SAS_UNAUTHORIZED_OBJECT_ID = "suoid";
+
+        /**
+         * The SAS correlation id parameter for user delegation SAS.
+         */
+        public static final String SAS_CORRELATION_ID = "scid";
+
+        /**
+         * The SAS directory depth parameter.
+         */
+        public static final String SAS_DIRECTORY_DEPTH = "sdd";
+
         /**
          * The SAS queue constant.
          */

sdk/storage/azure-storage-common/src/main/java/com/azure/storage/common/sas/CommonSasQueryParameters.java

@@ -11,6 +11,7 @@
 import java.util.Map;
 import java.util.function.Function;
 
+
 /**
  * Represents the components that make up an Azure Storage SAS' query parameters. This type is not constructed directly
  * by the user; it is only generated by the URLParts type. NOTE: Instances of this class are immutable to ensure thread
@@ -62,6 +63,14 @@ public class CommonSasQueryParameters {
 
     private final String contentType;
 
+    private final Integer directoryDepth;
+
+    private final String authorizedObjectId;
+
+    private final String unauthorizedObjectId;
+
+    private final String correlationId;
+
     /**
      * Creates a new {@link CommonSasQueryParameters} object.
      *
@@ -114,6 +123,14 @@ public CommonSasQueryParameters(Map<String, String[]> queryParamsMap, boolean re
             removeSasParametersFromMap);
         this.contentType = getQueryParameter(queryParamsMap, Constants.UrlConstants.SAS_CONTENT_TYPE,
             removeSasParametersFromMap);
+        this.authorizedObjectId = getQueryParameter(queryParamsMap, Constants.UrlConstants.SAS_AUTHORIZED_OBJECT_ID,
+            removeSasParametersFromMap);
+        this.unauthorizedObjectId = getQueryParameter(queryParamsMap, Constants.UrlConstants.SAS_UNAUTHORIZED_OBJECT_ID,
+            removeSasParametersFromMap);
+        this.correlationId = getQueryParameter(queryParamsMap, Constants.UrlConstants.SAS_CORRELATION_ID,
+            removeSasParametersFromMap);
+        this.directoryDepth = getQueryParameter(queryParamsMap, Constants.UrlConstants.SAS_DIRECTORY_DEPTH,
+            removeSasParametersFromMap, Integer::parseInt);
     }
 
     /**
@@ -196,6 +213,12 @@ public String encode() {
         SasImplUtils.tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_CONTENT_ENCODING, this.contentEncoding);
         SasImplUtils.tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_CONTENT_LANGUAGE, this.contentLanguage);
         SasImplUtils.tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_CONTENT_TYPE, this.contentType);
+        SasImplUtils.tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_AUTHORIZED_OBJECT_ID,
+            this.authorizedObjectId);
+        SasImplUtils.tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_UNAUTHORIZED_OBJECT_ID,
+            this.unauthorizedObjectId);
+        SasImplUtils.tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_CORRELATION_ID, this.correlationId);
+        SasImplUtils.tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_DIRECTORY_DEPTH, this.directoryDepth);
 
         return sb.toString();
     }
@@ -356,4 +379,34 @@ public String getPermissions() {
     public String getSignature() {
         return signature;
     }
+
+    /**
+     * @return The directory depth of the resource this SAS token authorizes.
+     */
+    public Integer getDirectoryDepth() {
+        return directoryDepth;
+    }
+
+    /**
+     * @return the AAD object id value for the SAS.
+     */
+    public String getObjectId() {
+        return unauthorizedObjectId != null ? unauthorizedObjectId : authorizedObjectId;
+    }
+
+    /**
+     * @return Whether or not the service will perform an additional POSIX ACL check to determine
+     * if the user is authorized.
+     */
+    public boolean isPosixCheckPerformed() {
+        return unauthorizedObjectId != null;
+    }
+
+    /**
+     * @return The correlation id to correlate the storage audit logs with the audit logs used by the principal
+     * generating and distributing the SAS.
+     */
+    public String getCorrelationId() {
+        return correlationId;
+    }
 }

sdk/storage/azure-storage-file-datalake/CHANGELOG.md

@@ -4,6 +4,7 @@
 - Added support for the 2019-02-10 service version.
 - Added support to schedule file expiration. 
 - Added support to specify Arrow Output Serialization when querying a file. 
+- Added support to generate directory SAS and added support to specify additional user ids and correlation ids for  user delegation SAS.
 - Added support to upload data to a file from an InputStream.
 - Added support to specify permissions and umask when uploading a file. 
 - Fixed a bug where an empty string would be sent with the x-ms-properties header when metadata was null or empty.

sdk/storage/azure-storage-file-datalake/src/main/java/com/azure/storage/file/datalake/DataLakeFileSystemAsyncClient.java

@@ -18,12 +18,14 @@
 import com.azure.storage.common.StorageSharedKeyCredential;
 import com.azure.storage.common.Utility;
 import com.azure.storage.common.implementation.Constants;
+import com.azure.storage.common.implementation.SasImplUtils;
 import com.azure.storage.common.implementation.StorageImplUtils;
 import com.azure.storage.file.datalake.implementation.DataLakeStorageClientBuilder;
 import com.azure.storage.file.datalake.implementation.DataLakeStorageClientImpl;
 import com.azure.storage.file.datalake.implementation.models.FileSystemsListPathsResponse;
 import com.azure.storage.file.datalake.implementation.models.Path;
 import com.azure.storage.file.datalake.implementation.util.DataLakeImplUtils;
+import com.azure.storage.file.datalake.implementation.util.DataLakeSasImplUtil;
 import com.azure.storage.file.datalake.models.DataLakeRequestConditions;
 import com.azure.storage.file.datalake.models.DataLakeSignedIdentifier;
 import com.azure.storage.file.datalake.models.FileSystemAccessPolicies;
@@ -798,9 +800,8 @@ BlobContainerAsyncClient getBlobContainerAsyncClient() {
      */
     public String generateUserDelegationSas(DataLakeServiceSasSignatureValues dataLakeServiceSasSignatureValues,
         UserDelegationKey userDelegationKey) {
-        return blobContainerAsyncClient.generateUserDelegationSas(
-            Transforms.toBlobSasValues(dataLakeServiceSasSignatureValues),
-            Transforms.toBlobUserDelegationKey(userDelegationKey));
+        return new DataLakeSasImplUtil(dataLakeServiceSasSignatureValues, getFileSystemName())
+            .generateUserDelegationSas(userDelegationKey, getAccountName());
     }
 
     /**
@@ -817,6 +818,7 @@ public String generateUserDelegationSas(DataLakeServiceSasSignatureValues dataLa
      * @return A {@code String} representing all SAS query parameters.
      */
     public String generateSas(DataLakeServiceSasSignatureValues dataLakeServiceSasSignatureValues) {
-        return blobContainerAsyncClient.generateSas(Transforms.toBlobSasValues(dataLakeServiceSasSignatureValues));
+        return new DataLakeSasImplUtil(dataLakeServiceSasSignatureValues, getFileSystemName())
+            .generateSas(SasImplUtils.extractSharedKeyCredential(getHttpPipeline()));
     }
 }

sdk/storage/azure-storage-file-datalake/src/main/java/com/azure/storage/file/datalake/DataLakePathAsyncClient.java

@@ -17,6 +17,7 @@
 import com.azure.storage.common.StorageSharedKeyCredential;
 import com.azure.storage.common.Utility;
 import com.azure.storage.common.implementation.Constants;
+import com.azure.storage.common.implementation.SasImplUtils;
 import com.azure.storage.file.datalake.implementation.DataLakeStorageClientBuilder;
 import com.azure.storage.file.datalake.implementation.DataLakeStorageClientImpl;
 import com.azure.storage.file.datalake.implementation.models.LeaseAccessConditions;
@@ -26,6 +27,7 @@
 import com.azure.storage.file.datalake.implementation.models.PathResourceType;
 import com.azure.storage.file.datalake.implementation.models.SourceModifiedAccessConditions;
 import com.azure.storage.file.datalake.implementation.util.DataLakeImplUtils;
+import com.azure.storage.file.datalake.implementation.util.DataLakeSasImplUtil;
 import com.azure.storage.file.datalake.implementation.util.TransformUtils;
 import com.azure.storage.file.datalake.models.DataLakeRequestConditions;
 import com.azure.storage.file.datalake.models.PathAccessControl;
@@ -815,9 +817,9 @@ BlockBlobAsyncClient getBlockBlobAsyncClient() {
      */
     public String generateUserDelegationSas(DataLakeServiceSasSignatureValues dataLakeServiceSasSignatureValues,
         UserDelegationKey userDelegationKey) {
-        return blockBlobAsyncClient.generateUserDelegationSas(
-            Transforms.toBlobSasValues(dataLakeServiceSasSignatureValues),
-            Transforms.toBlobUserDelegationKey(userDelegationKey));
+        return new DataLakeSasImplUtil(dataLakeServiceSasSignatureValues, getFileSystemName(), getObjectPath(),
+            PathResourceType.DIRECTORY.equals(this.pathResourceType))
+            .generateUserDelegationSas(userDelegationKey, getAccountName());
     }
 
     /**
@@ -834,6 +836,8 @@ public String generateUserDelegationSas(DataLakeServiceSasSignatureValues dataLa
      * @return A {@code String} representing all SAS query parameters.
      */
     public String generateSas(DataLakeServiceSasSignatureValues dataLakeServiceSasSignatureValues) {
-        return blockBlobAsyncClient.generateSas(Transforms.toBlobSasValues(dataLakeServiceSasSignatureValues));
+        return new DataLakeSasImplUtil(dataLakeServiceSasSignatureValues, getFileSystemName(), getObjectPath(),
+            PathResourceType.DIRECTORY.equals(this.pathResourceType))
+            .generateSas(SasImplUtils.extractSharedKeyCredential(getHttpPipeline()));
     }
 }

sdk/storage/azure-storage-file-datalake/src/main/java/com/azure/storage/file/datalake/Transforms.java

@@ -30,8 +30,6 @@
 import com.azure.storage.blob.models.BlobRequestConditions;
 import com.azure.storage.blob.models.BlobSignedIdentifier;
 import com.azure.storage.blob.models.ListBlobContainersOptions;
-import com.azure.storage.blob.sas.BlobContainerSasPermission;
-import com.azure.storage.blob.sas.BlobServiceSasSignatureValues;
 import com.azure.storage.common.ParallelTransferOptions;
 import com.azure.storage.common.ProgressReceiver;
 import com.azure.storage.file.datalake.implementation.models.Path;
@@ -71,7 +69,6 @@
 import com.azure.storage.file.datalake.models.PathProperties;
 import com.azure.storage.file.datalake.models.PublicAccessType;
 import com.azure.storage.file.datalake.models.UserDelegationKey;
-import com.azure.storage.file.datalake.sas.DataLakeServiceSasSignatureValues;
 
 import java.time.OffsetDateTime;
 import java.time.format.DateTimeFormatter;
@@ -190,21 +187,6 @@ static UserDelegationKey toDataLakeUserDelegationKey(com.azure.storage.blob.mode
             .setValue(blobUserDelegationKey.getValue());
     }
 
-    static com.azure.storage.blob.models.UserDelegationKey toBlobUserDelegationKey(UserDelegationKey
-        dataLakeUserDelegationKey) {
-        if (dataLakeUserDelegationKey == null) {
-            return null;
-        }
-        return new com.azure.storage.blob.models.UserDelegationKey()
-            .setSignedExpiry(dataLakeUserDelegationKey.getSignedExpiry())
-            .setSignedObjectId(dataLakeUserDelegationKey.getSignedObjectId())
-            .setSignedTenantId(dataLakeUserDelegationKey.getSignedTenantId())
-            .setSignedService(dataLakeUserDelegationKey.getSignedService())
-            .setSignedStart(dataLakeUserDelegationKey.getSignedStart())
-            .setSignedVersion(dataLakeUserDelegationKey.getSignedVersion())
-            .setValue(dataLakeUserDelegationKey.getValue());
-    }
-
     static BlobHttpHeaders toBlobHttpHeaders(PathHttpHeaders pathHTTPHeaders) {
         if (pathHTTPHeaders == null) {
             return null;
@@ -425,40 +407,6 @@ private static DataLakeAccessPolicy toDataLakeAccessPolicy(BlobAccessPolicy acce
             .setPermissions(accessPolicy.getPermissions());
     }
 
-    static BlobServiceSasSignatureValues toBlobSasValues(DataLakeServiceSasSignatureValues
-        dataLakeServiceSasSignatureValues) {
-        if (dataLakeServiceSasSignatureValues == null) {
-            return null;
-        }
-        BlobServiceSasSignatureValues blobServiceSasSignatureValues;
-        if (dataLakeServiceSasSignatureValues.getIdentifier() != null) {
-            blobServiceSasSignatureValues =
-                new BlobServiceSasSignatureValues(dataLakeServiceSasSignatureValues.getIdentifier());
-        } else {
-            // It's ok to use blob container sas permission since its a super set of blob sas permission
-            blobServiceSasSignatureValues =
-                new BlobServiceSasSignatureValues(dataLakeServiceSasSignatureValues.getExpiryTime(),
-                    BlobContainerSasPermission.parse(dataLakeServiceSasSignatureValues.getPermissions()));
-        }
-        blobServiceSasSignatureValues.setVersion(dataLakeServiceSasSignatureValues.getVersion())
-            .setProtocol(dataLakeServiceSasSignatureValues.getProtocol())
-            .setStartTime(dataLakeServiceSasSignatureValues.getStartTime())
-            .setExpiryTime(dataLakeServiceSasSignatureValues.getExpiryTime())
-            .setSasIpRange(dataLakeServiceSasSignatureValues.getSasIpRange())
-            .setIdentifier(dataLakeServiceSasSignatureValues.getIdentifier())
-            .setCacheControl(dataLakeServiceSasSignatureValues.getCacheControl())
-            .setContentDisposition(dataLakeServiceSasSignatureValues.getContentDisposition())
-            .setContentEncoding(dataLakeServiceSasSignatureValues.getContentEncoding())
-            .setContentLanguage(dataLakeServiceSasSignatureValues.getContentLanguage())
-            .setContentType(dataLakeServiceSasSignatureValues.getContentType());
-        if (dataLakeServiceSasSignatureValues.getPermissions() != null) {
-            // It's ok to use blob container sas permission since its a super set of blob sas permission
-            blobServiceSasSignatureValues.setPermissions(BlobContainerSasPermission.parse(
-                dataLakeServiceSasSignatureValues.getPermissions()));
-        }
-        return blobServiceSasSignatureValues;
-    }
-
     static com.azure.storage.blob.models.ParallelTransferOptions toBlobParallelTransferOptions(
         ParallelTransferOptions pto) {
         if (pto == null) {