[Blob][IdentitySAS]Add Identity SAS

sdk/storage/azure-storage-blob/azure/storage/blob/_shared/models.py

@@ -420,3 +420,36 @@ def __str__(self):
 Services.BLOB = Services(blob=True)
 Services.QUEUE = Services(queue=True)
 Services.FILE = Services(file=True)
+
+
+class UserDelegationKey(object):
+    """
+    Represents a user delegation key, provided to the user by Azure Storage
+    based on their Azure Active Directory access token.
+
+    The fields are saved as simple strings since the user does not have to interact with this object;
+    to generate an identify SAS, the user can simply pass it to the right API.
+
+    :ivar str signed_oid:
+        Object ID of this token.
+    :ivar str signed_tid:
+        Tenant ID of the tenant that issued this token.
+    :ivar str signed_start:
+        The datetime this token becomes valid.
+    :ivar str signed_expiry:
+        The datetime this token expires.
+    :ivar str signed_service:
+        What service this key is valid for.
+    :ivar str signed_version:
+        The version identifier of the REST service that created this token.
+    :ivar str value:
+        The user delegation key.
+    """
+    def __init__(self):
+        self.signed_oid = None
+        self.signed_tid = None
+        self.signed_start = None
+        self.signed_expiry = None
+        self.signed_service = None
+        self.signed_version = None
+        self.value = None

sdk/storage/azure-storage-blob/azure/storage/blob/_shared/parser.py

@@ -6,6 +6,8 @@
 
 import sys
 
+from .models import UserDelegationKey
+
 if sys.version_info < (3,):
     def _str(value):
         if isinstance(value, unicode):  # pylint: disable=undefined-variable
@@ -18,3 +20,15 @@ def _str(value):
 
 def _to_utc_datetime(value):
     return value.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+
+def _parse_to_internal_user_delegation_key(service_user_delegation_key):
+    internal_user_delegation_key = UserDelegationKey()
+    internal_user_delegation_key.signed_oid = service_user_delegation_key.signed_oid
+    internal_user_delegation_key.signed_tid = service_user_delegation_key.signed_tid
+    internal_user_delegation_key.signed_start = _to_utc_datetime(service_user_delegation_key.signed_start)
+    internal_user_delegation_key.signed_expiry = _to_utc_datetime(service_user_delegation_key.signed_expiry)
+    internal_user_delegation_key.signed_service = service_user_delegation_key.signed_service
+    internal_user_delegation_key.signed_version = service_user_delegation_key.signed_version
+    internal_user_delegation_key.value = service_user_delegation_key.value
+    return internal_user_delegation_key

sdk/storage/azure-storage-blob/azure/storage/blob/_shared_access_signature.py

@@ -188,7 +188,7 @@ def generate_container(self, container_name, permission=None, expiry=None,
                                           content_encoding, content_language,
                                           content_type)
         sas.add_resource_signature(self.account_name, self.account_key, container_name,
-                                   user_delegation_key=None)
+                                   user_delegation_key=self.user_delegation_key)
         return sas.get_token()
 
 

sdk/storage/azure-storage-blob/azure/storage/blob/blob_client.py

@@ -133,6 +133,7 @@ def __init__(
         except AttributeError:
             raise ValueError("Blob URL must be a string.")
         parsed_url = urlparse(blob_url.rstrip('/'))
+        self.account_name = parsed_url.hostname.split('.')[0]
         if not parsed_url.path and not (container and blob):
             raise ValueError("Please specify a container and blob name.")
         if not parsed_url.netloc:
@@ -231,7 +232,8 @@ def generate_shared_access_signature(
             content_disposition=None,  # type: Optional[str]
             content_encoding=None,  # type: Optional[str]
             content_language=None,  # type: Optional[str]
-            content_type=None  # type: Optional[str]
+            content_type=None,  # type: Optional[str]
+            user_delegation_key=None
         ):
         # type: (...) -> Any
         """
@@ -289,12 +291,20 @@ def generate_shared_access_signature(
         :param str content_type:
             Response header value for Content-Type when resource is accessed
             using this shared access signature.
+        :param ~azure.storage.blob._shared.models.UserDelegationKey user_delegation_key:
+            Instead of an account key, the user could pass in a user delegation key.
+            A user delegation key can be obtained from the service by authenticating with an AAD identity;
+            this can be accomplished by calling get_user_delegation_key.
+            When present, the SAS is signed with the user delegation key instead.
         :return: A Shared Access Signature (sas) token.
         :rtype: str
         """
-        if not hasattr(self.credential, 'account_key') or not self.credential.account_key:
-            raise ValueError("No account SAS key available.")
-        sas = BlobSharedAccessSignature(self.credential.account_name, self.credential.account_key)
+        if user_delegation_key is not None:
+            sas = BlobSharedAccessSignature(self.account_name, user_delegation_key=user_delegation_key)
+        else:
+            if not hasattr(self.credential, 'account_key') or not self.credential.account_key:
+                raise ValueError("No account SAS key available.")
+            sas = BlobSharedAccessSignature(self.credential.account_name, self.credential.account_key)
         return sas.generate_blob(
             self.container_name,
             self.blob_name,

sdk/storage/azure-storage-blob/azure/storage/blob/blob_service_client.py

@@ -9,6 +9,10 @@
     Union, Optional, Any, Iterable, Dict, List,
     TYPE_CHECKING
 )
+
+from ._generated.models import KeyInfo
+from ._shared.parser import _to_utc_datetime, _parse_to_internal_user_delegation_key
+
 try:
     from urllib.parse import urlparse
 except ImportError:
@@ -18,7 +22,7 @@
 from azure.core.tracing.decorator import distributed_trace
 
 from ._shared.shared_access_signature import SharedAccessSignature
-from ._shared.models import LocationMode, Services
+from ._shared.models import LocationMode, Services, UserDelegationKey
 from ._shared.base_client import StorageAccountHostsMixin, parse_connection_str, parse_query
 from ._shared.response_handlers import return_response_headers, process_storage_error
 from ._generated import AzureBlobStorage
@@ -223,6 +227,33 @@ def generate_shared_access_signature(
             protocol=protocol
         ) # type: ignore
 
+    @distributed_trace
+    def get_user_delegation_key(self, key_start_time,  # type: datetime
+                                key_expiry_time,  # type: datetime
+                                timeout=None  # type: Optional[int]
+                                ):
+        # type: (datetime, datetime, Optional[int]) -> UserDelegationKey
+        """
+        Obtain a user delegation key for the purpose of signing SAS tokens.
+        A token credential must be present on the service object for this request to succeed.
+
+        :param datetime key_start_time:
+            A DateTime value. Indicates when the key becomes valid.
+        :param datetime key_expiry_time:
+            A DateTime value. Indicates when the key stops being valid.
+        :param int timeout:
+            The timeout parameter is expressed in seconds.
+        :return: The user delegation key.
+        :rtype: ~azure.storage.blob._shared.models.UserDelegationKey
+        """
+        key_info = KeyInfo(start=_to_utc_datetime(key_start_time), expiry=_to_utc_datetime(key_expiry_time))
+        try:
+            user_delegation_key = self._client.service.get_user_delegation_key(key_info=key_info, timeout=timeout)
+        except StorageErrorException as error:
+            process_storage_error(error)
+
+        return _parse_to_internal_user_delegation_key(user_delegation_key)  # type: ignore
+
     @distributed_trace
     def get_account_information(self, **kwargs): # type: ignore
         # type: (Optional[int]) -> Dict[str, str]

sdk/storage/azure-storage-blob/azure/storage/blob/container_client.py

@@ -119,6 +119,7 @@ def __init__(
         except AttributeError:
             raise ValueError("Container URL must be a string.")
         parsed_url = urlparse(container_url.rstrip('/'))
+        self.account_name = parsed_url.hostname.split('.')[0]
         if not parsed_url.path and not container:
             raise ValueError("Please specify a container name.")
         if not parsed_url.netloc:
@@ -192,7 +193,8 @@ def generate_shared_access_signature(
             content_disposition=None,  # type: Optional[str]
             content_encoding=None,  # type: Optional[str]
             content_language=None,  # type: Optional[str]
-            content_type=None  # type: Optional[str]
+            content_type=None,  # type: Optional[str]
+            user_delegation_key=None  # type Optional[]
         ):
         # type: (...) -> Any
         """Generates a shared access signature for the container.
@@ -248,6 +250,11 @@ def generate_shared_access_signature(
         :param str content_type:
             Response header value for Content-Type when resource is accessed
             using this shared access signature.
+        :param ~azure.storage.blob._shared.models.UserDelegationKey user_delegation_key:
+            Instead of an account key, the user could pass in a user delegation key.
+            A user delegation key can be obtained from the service by authenticating with an AAD identity;
+            this can be accomplished by calling get_user_delegation_key.
+            When present, the SAS is signed with the user delegation key instead.
         :return: A Shared Access Signature (sas) token.
         :rtype: str
 
@@ -259,9 +266,12 @@ def generate_shared_access_signature(
                 :dedent: 12
                 :caption: Generating a sas token.
         """
-        if not hasattr(self.credential, 'account_key') and not self.credential.account_key:
-            raise ValueError("No account SAS key available.")
-        sas = BlobSharedAccessSignature(self.credential.account_name, self.credential.account_key)
+        if user_delegation_key is not None:
+            sas = BlobSharedAccessSignature(self.account_name, user_delegation_key=user_delegation_key)
+        else:
+            if not hasattr(self.credential, 'account_key') and not self.credential.account_key:
+                raise ValueError("No account SAS key available.")
+            sas = BlobSharedAccessSignature(self.credential.account_name, self.credential.account_key)
         return sas.generate_container(
             self.container_name,
             permission=permission,

sdk/storage/azure-storage-blob/tests/test_common_blob.py

@@ -1264,6 +1264,67 @@ def test_account_sas(self):
         self.assertEqual(self.byte_data, blob_response.content)
         self.assertTrue(container_response.ok)
 
+    def test_get_user_delegation_key(self):
+        if TestMode.need_recording_file(self.test_mode):
+            return
+        # Act
+        token_credential = self.generate_oauth_token()
+
+        # Action 1: make sure token works
+        service = BlobServiceClient(self._get_oauth_account_url(), credential=token_credential)
+
+        start = datetime.utcnow()
+        expiry = datetime.utcnow() + timedelta(hours=1)
+        user_delegation_key_1 = service.get_user_delegation_key(key_start_time=start, key_expiry_time=expiry)
+        user_delegation_key_2 = service.get_user_delegation_key(key_start_time=start, key_expiry_time=expiry)
+
+        # Assert key1 is valid
+        self.assertIsNotNone(user_delegation_key_1.signed_oid)
+        self.assertIsNotNone(user_delegation_key_1.signed_tid)
+        self.assertIsNotNone(user_delegation_key_1.signed_start)
+        self.assertIsNotNone(user_delegation_key_1.signed_expiry)
+        self.assertIsNotNone(user_delegation_key_1.signed_version)
+        self.assertIsNotNone(user_delegation_key_1.signed_service)
+        self.assertIsNotNone(user_delegation_key_1.value)
+
+        # Assert key1 and key2 are equal, since they have the exact same start and end times
+        self.assertEqual(user_delegation_key_1.signed_oid, user_delegation_key_2.signed_oid)
+        self.assertEqual(user_delegation_key_1.signed_tid, user_delegation_key_2.signed_tid)
+        self.assertEqual(user_delegation_key_1.signed_start, user_delegation_key_2.signed_start)
+        self.assertEqual(user_delegation_key_1.signed_expiry, user_delegation_key_2.signed_expiry)
+        self.assertEqual(user_delegation_key_1.signed_version, user_delegation_key_2.signed_version)
+        self.assertEqual(user_delegation_key_1.signed_service, user_delegation_key_2.signed_service)
+        self.assertEqual(user_delegation_key_1.value, user_delegation_key_2.value)
+
+    def test_user_delegation_sas_for_blob(self):
+        # SAS URL is calculated from storage key, so this test runs live only
+        if TestMode.need_recording_file(self.test_mode):
+            return
+
+        # Arrange
+        token_credential = self.generate_oauth_token()
+        service_client = BlobServiceClient(self._get_oauth_account_url(), credential=token_credential)
+        user_delegation_key = service_client.get_user_delegation_key(datetime.utcnow(),
+                                                                     datetime.utcnow() + timedelta(hours=1))
+
+        container_client = service_client.create_container(self.get_resource_name('oauthcontainer'))
+        blob_client = container_client.get_blob_client(self.get_resource_name('oauthblob'))
+        blob_client.upload_blob(self.byte_data, length=len(self.byte_data))
+
+        token = blob_client.generate_shared_access_signature(
+            permission=BlobPermissions.READ,
+            expiry=datetime.utcnow() + timedelta(hours=1),
+            user_delegation_key=user_delegation_key,
+        )
+
+        # Act
+        # Use the generated identity sas
+        new_blob_client = BlobClient(blob_client.url, credential=token)
+        content = new_blob_client.download_blob()
+
+        # Assert
+        self.assertEqual(self.byte_data, b"".join(list(content)))
+
     @record
     def test_token_credential(self):
         token_credential = self.generate_oauth_token()

sdk/storage/azure-storage-blob/tests/test_container.py

@@ -24,6 +24,7 @@
     AccessPolicy
 )
 
+from azure.identity import ClientSecretCredential
 from testcase import StorageTestCase, TestMode, record, LogCaptured
 
 #------------------------------------------------------------------------------
@@ -71,6 +72,14 @@ def _create_container(self, prefix=TEST_CONTAINER_PREFIX):
             pass
         return container
 
+    def _generate_oauth_token(self):
+
+        return ClientSecretCredential(
+            self.settings.ACTIVE_DIRECTORY_APPLICATION_ID,
+            self.settings.ACTIVE_DIRECTORY_APPLICATION_SECRET,
+            self.settings.ACTIVE_DIRECTORY_TENANT_ID
+        )
+
     #--Test cases for containers -----------------------------------------
     @record
     def test_create_container(self):
@@ -1068,6 +1077,34 @@ def test_web_container_normal_operations_working(self):
             # delete container
             container.delete_container()
 
+    def test_user_delegation_sas_for_container(self):
+        # SAS URL is calculated from storage key, so this test runs live only
+        if TestMode.need_recording_file(self.test_mode):
+            return
+
+        # Arrange
+        token_credential = self.generate_oauth_token()
+        service_client = BlobServiceClient(self._get_oauth_account_url(), credential=token_credential)
+        user_delegation_key = service_client.get_user_delegation_key(datetime.utcnow(),
+                                                                     datetime.utcnow() + timedelta(hours=1))
+
+        container_client = service_client.create_container(self.get_resource_name('oauthcontainer'))
+        token = container_client.generate_shared_access_signature(
+            expiry=datetime.utcnow() + timedelta(hours=1),
+            permission=ContainerPermissions.READ,
+            user_delegation_key=user_delegation_key,
+        )
+
+        blob_client = container_client.get_blob_client(self.get_resource_name('oauthblob'))
+        blob_content = self.get_random_text_data(1024)
+        blob_client.upload_blob(blob_content, length=len(blob_content))
+
+        # Act
+        new_blob_client = BlobClient(blob_client.url, credential=token)
+        content = new_blob_client.download_blob()
+
+        # Assert
+        self.assertEqual(blob_content, b"".join(list(content)).decode('utf-8'))
 
 #------------------------------------------------------------------------------
 if __name__ == '__main__':

sdk/storage/azure-storage-file/azure/storage/file/_shared/models.py

@@ -420,3 +420,36 @@ def __str__(self):
 Services.BLOB = Services(blob=True)
 Services.QUEUE = Services(queue=True)
 Services.FILE = Services(file=True)
+
+
+class UserDelegationKey(object):
+    """
+    Represents a user delegation key, provided to the user by Azure Storage
+    based on their Azure Active Directory access token.
+
+    The fields are saved as simple strings since the user does not have to interact with this object;
+    to generate an identify SAS, the user can simply pass it to the right API.
+
+    :ivar str signed_oid:
+        Object ID of this token.
+    :ivar str signed_tid:
+        Tenant ID of the tenant that issued this token.
+    :ivar str signed_start:
+        The datetime this token becomes valid.
+    :ivar str signed_expiry:
+        The datetime this token expires.
+    :ivar str signed_service:
+        What service this key is valid for.
+    :ivar str signed_version:
+        The version identifier of the REST service that created this token.
+    :ivar str value:
+        The user delegation key.
+    """
+    def __init__(self):
+        self.signed_oid = None
+        self.signed_tid = None
+        self.signed_start = None
+        self.signed_expiry = None
+        self.signed_service = None
+        self.signed_version = None
+        self.value = None