[Storage] [STG 100] Datalake Security Principal Bound Identity SAS (#42647)

Author: weirongw23-msft

sdk/storage/azure-storage-file-datalake/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "python",
   "TagPrefix": "python/storage/azure-storage-file-datalake",
-  "Tag": "python/storage/azure-storage-file-datalake_a7ee812abc"
+  "Tag": "python/storage/azure-storage-file-datalake_75e92b68c3"
 }

sdk/storage/azure-storage-file-datalake/azure/storage/filedatalake/_shared/shared_access_signature.py

@@ -209,6 +209,9 @@ def add_resource(self, resource):
     def add_id(self, policy_id):
         self._add_query(QueryStringConstants.SIGNED_IDENTIFIER, policy_id)
 
+    def add_user_delegation_oid(self, user_delegation_oid):
+        self._add_query(QueryStringConstants.SIGNED_DELEGATED_USER_OID, user_delegation_oid)
+
     def add_account(self, services, resource_types):
         self._add_query(QueryStringConstants.SIGNED_SERVICES, services)
         self._add_query(QueryStringConstants.SIGNED_RESOURCE_TYPES, resource_types)

sdk/storage/azure-storage-file-datalake/azure/storage/filedatalake/_shared_access_signature.py

@@ -108,6 +108,7 @@ def generate_file_system_sas(
     permission: Optional[Union["FileSystemSasPermissions", str]] = None,
     expiry: Optional[Union["datetime", str]] = None,
     *,
+    user_delegation_oid: Optional[str] = None,
     sts_hook: Optional[Callable[[str], None]] = None,
     **kwargs: Any
 ) -> str:
@@ -193,6 +194,10 @@ def generate_file_system_sas(
         generating and distributing the SAS.
     :keyword str encryption_scope:
         Specifies the encryption scope for a request made so that all write operations will be service encrypted.
+    :keyword str user_delegation_oid:
+        Specifies the Entra ID of the user that is authorized to use the resulting SAS URL.
+        The resulting SAS URL must be used in conjunction with an Entra ID token that has been
+        issued to the user specified in this value.
     :keyword sts_hook:
         For debugging purposes only. If provided, the hook is called with the string to sign
         that was used to generate the SAS.
@@ -207,6 +212,7 @@ def generate_file_system_sas(
         user_delegation_key=credential if not isinstance(credential, str) else None,
         permission=cast(Optional[Union["ContainerSasPermissions", str]], permission),
         expiry=expiry,
+        user_delegation_oid=user_delegation_oid,
         sts_hook=sts_hook,
         **kwargs
     )
@@ -220,6 +226,7 @@ def generate_directory_sas(
     permission: Optional[Union["DirectorySasPermissions", str]] = None,
     expiry: Optional[Union["datetime", str]] = None,
     *,
+    user_delegation_oid: Optional[str] = None,
     sts_hook: Optional[Callable[[str], None]] = None,
     **kwargs: Any
 ) -> str:
@@ -307,6 +314,10 @@ def generate_directory_sas(
         generating and distributing the SAS.
     :keyword str encryption_scope:
         Specifies the encryption scope for a request made so that all write operations will be service encrypted.
+    :keyword str user_delegation_oid:
+        Specifies the Entra ID of the user that is authorized to use the resulting SAS URL.
+        The resulting SAS URL must be used in conjunction with an Entra ID token that has been
+        issued to the user specified in this value.
     :keyword sts_hook:
         For debugging purposes only. If provided, the hook is called with the string to sign
         that was used to generate the SAS.
@@ -325,6 +336,7 @@ def generate_directory_sas(
         expiry=expiry,
         sdd=depth,
         is_directory=True,
+        user_delegation_oid=user_delegation_oid,
         sts_hook=sts_hook,
         **kwargs
     )
@@ -339,6 +351,7 @@ def generate_file_sas(
     permission: Optional[Union["FileSasPermissions", str]] = None,
     expiry: Optional[Union["datetime", str]] = None,
     *,
+    user_delegation_oid: Optional[str] = None,
     sts_hook: Optional[Callable[[str], None]] = None,
     **kwargs: Any
 ) -> str:
@@ -428,6 +441,10 @@ def generate_file_sas(
         generating and distributing the SAS. This can only be used when generating a SAS with delegation key.
     :keyword str encryption_scope:
         Specifies the encryption scope for a request made so that all write operations will be service encrypted.
+    :keyword str user_delegation_oid:
+        Specifies the Entra ID of the user that is authorized to use the resulting SAS URL.
+        The resulting SAS URL must be used in conjunction with an Entra ID token that has been
+        issued to the user specified in this value.
     :keyword sts_hook:
         For debugging purposes only. If provided, the hook is called with the string to sign
         that was used to generate the SAS.
@@ -448,6 +465,7 @@ def generate_file_sas(
         permission=cast(Optional[Union["BlobSasPermissions", str]], permission),
         expiry=expiry,
         sts_hook=sts_hook,
+        user_delegation_oid=user_delegation_oid,
         **kwargs
     )
 

sdk/storage/azure-storage-file-datalake/tests/test_file_system.py

@@ -3,6 +3,7 @@
 # Licensed under the MIT License. See License.txt in the project root for
 # license information.
 # --------------------------------------------------------------------------
+import jwt
 import unittest
 from datetime import datetime, timedelta
 from time import sleep
@@ -1149,6 +1150,123 @@ def test_get_and_set_access_control_oauth(self, **kwargs):
         # Assert
         assert acl == access_control['acl']
 
+    @DataLakePreparer()
+    @recorded_by_proxy
+    def test_get_user_delegation_sas(self, **kwargs):
+        datalake_storage_account_name = kwargs.pop("datalake_storage_account_name")
+        variables = kwargs.pop("variables", {})
+
+        token_credential = self.get_credential(DataLakeServiceClient)
+        service = DataLakeServiceClient(
+            self.account_url(datalake_storage_account_name, "dfs"),
+            credential=token_credential,
+        )
+        start = self.get_datetime_variable(variables, 'start_time', datetime.utcnow())
+        expiry = self.get_datetime_variable(variables, 'expiry_time', datetime.utcnow() + timedelta(hours=1))
+        user_delegation_key_1 = service.get_user_delegation_key(key_start_time=start, key_expiry_time=expiry)
+        user_delegation_key_2 = service.get_user_delegation_key(key_start_time=start, key_expiry_time=expiry)
+
+        # Assert key1 is valid
+        assert user_delegation_key_1.signed_oid is not None
+        assert user_delegation_key_1.signed_tid is not None
+        assert user_delegation_key_1.signed_start is not None
+        assert user_delegation_key_1.signed_expiry is not None
+        assert user_delegation_key_1.signed_version is not None
+        assert user_delegation_key_1.signed_service is not None
+        assert user_delegation_key_1.value is not None
+
+        # Assert key1 and key2 are equal, since they have the exact same start and end times
+        assert user_delegation_key_1.signed_oid == user_delegation_key_2.signed_oid
+        assert user_delegation_key_1.signed_tid == user_delegation_key_2.signed_tid
+        assert user_delegation_key_1.signed_start == user_delegation_key_2.signed_start
+        assert user_delegation_key_1.signed_expiry == user_delegation_key_2.signed_expiry
+        assert user_delegation_key_1.signed_version == user_delegation_key_2.signed_version
+        assert user_delegation_key_1.signed_service == user_delegation_key_2.signed_service
+        assert user_delegation_key_1.value == user_delegation_key_2.value
+
+        return variables
+
+    @pytest.mark.live_test_only
+    @DataLakePreparer()
+    def test_datalake_user_delegation_oid(self, **kwargs):
+        datalake_storage_account_name = kwargs.pop("datalake_storage_account_name")
+        data = b"abc123"
+
+        token_credential = self.get_credential(DataLakeServiceClient)
+        account_url = self.account_url(datalake_storage_account_name, "dfs")
+        dsc = DataLakeServiceClient(account_url, credential=token_credential)
+        file_system_name = self.get_resource_name(TEST_FILE_SYSTEM_PREFIX)
+        file_system = dsc.create_file_system(file_system_name)
+        directory_name = "dir"
+        directory = file_system.create_directory(directory_name)
+        file_name = "file"
+        file = directory.create_file(file_name)
+        file.upload_data(data, length=len(data), overwrite=True)
+
+        start = datetime.utcnow()
+        expiry = datetime.utcnow() + timedelta(hours=1)
+        user_delegation_key = dsc.get_user_delegation_key(key_start_time=start, key_expiry_time=expiry)
+        token = token_credential.get_token("https://storage.azure.com/.default")
+        user_delegation_oid = jwt.decode(token.token, options={"verify_signature": False}).get("oid")
+
+        file_system_token = self.generate_sas(
+            generate_file_system_sas,
+            dsc.account_name,
+            file_system_name,
+            user_delegation_key,
+            permission=FileSystemSasPermissions(write=True, read=True, delete=True, list=True),
+            expiry=expiry,
+            user_delegation_oid=user_delegation_oid,
+        )
+        file_system_client = FileSystemClient(
+            f"{account_url}?{file_system_token}",
+            file_system_name=file_system_name,
+            credential=token_credential
+        )
+        paths = list(file_system_client.get_paths())
+        assert len(paths) == 2
+        assert paths[0]["name"] == directory.path_name
+        assert paths[1]["name"] == file.path_name
+
+        directory_token = self.generate_sas(
+            generate_directory_sas,
+            dsc.account_name,
+            file_system_name,
+            directory_name,
+            user_delegation_key,
+            permission=FileSasPermissions(write=True, read=True, delete=True),
+            expiry=expiry,
+            user_delegation_oid=user_delegation_oid
+        )
+        directory_client = DataLakeDirectoryClient(
+            f"{account_url}?{directory_token}",
+            file_system_name=file_system_name,
+            directory_name=directory_name,
+            credential=token_credential
+        )
+        props = directory_client.get_directory_properties()
+        assert props is not None
+
+        file_token = self.generate_sas(
+            generate_file_sas,
+            datalake_storage_account_name,
+            file_system_name,
+            directory_name,
+            file_name,
+            credential=user_delegation_key,
+            permission=FileSasPermissions(write=True, read=True, delete=True),
+            expiry=expiry,
+            user_delegation_oid=user_delegation_oid
+        )
+        file_client = DataLakeFileClient(
+            f"{account_url}?{file_token}",
+            file_system_name=file_system_name,
+            file_path=f"{directory_name}/{file_name}",
+            credential=token_credential
+        )
+        content = file_client.download_file().readall()
+        assert content == data
+
 # ------------------------------------------------------------------------------
 if __name__ == '__main__':
     unittest.main()

sdk/storage/azure-storage-file-datalake/tests/test_file_system_async.py

@@ -4,6 +4,7 @@
 # license information.
 # --------------------------------------------------------------------------
 import asyncio
+import jwt
 import unittest
 import uuid
 from datetime import datetime, timedelta
@@ -1279,6 +1280,126 @@ async def test_get_and_set_access_control_oauth(self, **kwargs):
         # Assert
         assert acl == access_control['acl']
 
+    @DataLakePreparer()
+    @recorded_by_proxy_async
+    async def test_get_user_delegation_sas(self, **kwargs):
+        datalake_storage_account_name = kwargs.pop("datalake_storage_account_name")
+        variables = kwargs.pop("variables", {})
+
+        token_credential = self.get_credential(DataLakeServiceClient, is_async=True)
+        service = DataLakeServiceClient(
+            self.account_url(datalake_storage_account_name, "dfs"),
+            credential=token_credential,
+        )
+        start = self.get_datetime_variable(variables, 'start_time', datetime.utcnow())
+        expiry = self.get_datetime_variable(variables, 'expiry_time', datetime.utcnow() + timedelta(hours=1))
+        user_delegation_key_1 = await service.get_user_delegation_key(key_start_time=start, key_expiry_time=expiry)
+        user_delegation_key_2 = await service.get_user_delegation_key(key_start_time=start, key_expiry_time=expiry)
+
+        # Assert key1 is valid
+        assert user_delegation_key_1.signed_oid is not None
+        assert user_delegation_key_1.signed_tid is not None
+        assert user_delegation_key_1.signed_start is not None
+        assert user_delegation_key_1.signed_expiry is not None
+        assert user_delegation_key_1.signed_version is not None
+        assert user_delegation_key_1.signed_service is not None
+        assert user_delegation_key_1.value is not None
+
+        # Assert key1 and key2 are equal, since they have the exact same start and end times
+        assert user_delegation_key_1.signed_oid == user_delegation_key_2.signed_oid
+        assert user_delegation_key_1.signed_tid == user_delegation_key_2.signed_tid
+        assert user_delegation_key_1.signed_start == user_delegation_key_2.signed_start
+        assert user_delegation_key_1.signed_expiry == user_delegation_key_2.signed_expiry
+        assert user_delegation_key_1.signed_version == user_delegation_key_2.signed_version
+        assert user_delegation_key_1.signed_service == user_delegation_key_2.signed_service
+        assert user_delegation_key_1.value == user_delegation_key_2.value
+
+        return variables
+
+    @pytest.mark.live_test_only
+    @DataLakePreparer()
+    async def test_datalake_user_delegation_oid(self, **kwargs):
+        datalake_storage_account_name = kwargs.pop("datalake_storage_account_name")
+        data = b"abc123"
+
+        token_credential = self.get_credential(DataLakeServiceClient, is_async=True)
+        account_url = self.account_url(datalake_storage_account_name, "dfs")
+        dsc = DataLakeServiceClient(account_url, credential=token_credential)
+        file_system_name = self.get_resource_name(TEST_FILE_SYSTEM_PREFIX)
+        file_system = await dsc.create_file_system(file_system_name)
+        directory_name = "dir"
+        directory = await file_system.create_directory(directory_name)
+        file_name = "file"
+        file = await directory.create_file(file_name)
+        await file.upload_data(data, length=len(data), overwrite=True)
+
+        start = datetime.utcnow()
+        expiry = datetime.utcnow() + timedelta(hours=1)
+        user_delegation_key = await dsc.get_user_delegation_key(key_start_time=start, key_expiry_time=expiry)
+        token = await token_credential.get_token("https://storage.azure.com/.default")
+        user_delegation_oid = jwt.decode(token.token, options={"verify_signature": False}).get("oid")
+
+        file_system_token = self.generate_sas(
+            generate_file_system_sas,
+            dsc.account_name,
+            file_system_name,
+            user_delegation_key,
+            permission=FileSystemSasPermissions(write=True, read=True, delete=True, list=True),
+            expiry=expiry,
+            user_delegation_oid=user_delegation_oid,
+        )
+        file_system_client = FileSystemClient(
+            f"{account_url}?{file_system_token}",
+            file_system_name=file_system_name,
+            credential=token_credential
+        )
+        paths = []
+        async for path in file_system_client.get_paths() :
+            paths.append(path)
+
+        assert len(paths) == 2
+        assert paths[0]["name"] == directory.path_name
+        assert paths[1]["name"] == file.path_name
+
+        directory_token = self.generate_sas(
+            generate_directory_sas,
+            dsc.account_name,
+            file_system_name,
+            directory_name,
+            user_delegation_key,
+            permission=FileSasPermissions(write=True, read=True, delete=True),
+            expiry=expiry,
+            user_delegation_oid=user_delegation_oid
+        )
+        directory_client = DataLakeDirectoryClient(
+            f"{account_url}?{directory_token}",
+            file_system_name=file_system_name,
+            directory_name=directory_name,
+            credential=token_credential
+        )
+        props = await directory_client.get_directory_properties()
+        assert props is not None
+
+        file_token = self.generate_sas(
+            generate_file_sas,
+            datalake_storage_account_name,
+            file_system_name,
+            directory_name,
+            file_name,
+            credential=user_delegation_key,
+            permission=FileSasPermissions(write=True, read=True, delete=True),
+            expiry=expiry,
+            user_delegation_oid=user_delegation_oid
+        )
+        file_client = DataLakeFileClient(
+            f"{account_url}?{file_token}",
+            file_system_name=file_system_name,
+            file_path=f"{directory_name}/{file_name}",
+            credential=token_credential
+        )
+        content = await (await file_client.download_file()).readall()
+        assert content == data
+
 # ------------------------------------------------------------------------------
 if __name__ == '__main__':
     unittest.main()