[Storage] az storage blob/container/fs/share/file/queue generate-sas: Support user delegated sas with OAuth (#32508)

Author: calvinhzy

src/azure-cli-core/azure/cli/core/profiles/_shared.py

@@ -115,10 +115,10 @@ class ResourceType(Enum):  # pylint: disable=too-few-public-methods
     MGMT_SQLVM = ('azure.mgmt.sqlvirtualmachine', None)
     MGMT_MANAGEDSERVICES = ('azure.mgmt.managedservices', None)
     MGMT_NETAPPFILES = ('azure.mgmt.netappfiles', None)
-    DATA_STORAGE_BLOB = ('azure.multiapi.storagev2.blob', None)
-    DATA_STORAGE_FILEDATALAKE = ('azure.multiapi.storagev2.filedatalake', None)
-    DATA_STORAGE_FILESHARE = ('azure.multiapi.storagev2.fileshare', None)
-    DATA_STORAGE_QUEUE = ('azure.multiapi.storagev2.queue', None)
+    DATA_STORAGE_BLOB = ('azure.storage.blob', None)
+    DATA_STORAGE_FILEDATALAKE = ('azure.storage.filedatalake', None)
+    DATA_STORAGE_FILESHARE = ('azure.storage.fileshare', None)
+    DATA_STORAGE_QUEUE = ('azure.storage.queue', None)
     DATA_STORAGE_TABLE = ('azure.data.tables', None)
     DATA_BATCH = ('azure.batch', None)
 
@@ -204,10 +204,10 @@ def default_api_version(self):
         ResourceType.DATA_KEYVAULT_ADMINISTRATION_SETTING: None,
         ResourceType.DATA_KEYVAULT_ADMINISTRATION_BACKUP: '7.5-preview.1',
         ResourceType.DATA_KEYVAULT_ADMINISTRATION_ACCESS_CONTROL: '7.4',
-        ResourceType.DATA_STORAGE_BLOB: '2022-11-02',
-        ResourceType.DATA_STORAGE_FILEDATALAKE: '2021-08-06',
-        ResourceType.DATA_STORAGE_FILESHARE: '2025-07-05',
-        ResourceType.DATA_STORAGE_QUEUE: '2018-03-28',
+        ResourceType.DATA_STORAGE_BLOB: None,
+        ResourceType.DATA_STORAGE_FILEDATALAKE: None,
+        ResourceType.DATA_STORAGE_FILESHARE: None,
+        ResourceType.DATA_STORAGE_QUEUE: None,
         ResourceType.DATA_STORAGE_TABLE: None,
         ResourceType.MGMT_SERVICEBUS: None,
         ResourceType.MGMT_EVENTHUB: None,

src/azure-cli/azure/cli/command_modules/storage/_client_factory.py

@@ -141,7 +141,12 @@ def cf_blob_service(cli_ctx, kwargs):
                                                            'to get a valid connection string')
     if not account_url:
         account_url = get_account_url(cli_ctx, account_name=account_name, service='blob')
+
     credential = account_key or sas_token or token_credential
+    if sas_token and 'sduoid=' in sas_token and token_credential:
+        credential = token_credential
+        account_url = account_url + '?' + sas_token
+
     if account_name and account_key:
         # For non-standard account URL such as Edge Zone, account_name can't be parsed from account_url. Use credential
         # dict instead.
@@ -151,26 +156,29 @@ def cf_blob_service(cli_ctx, kwargs):
                           connection_timeout=kwargs.pop('connection_timeout', None), **client_kwargs)
 
 
-def get_credential(kwargs):
+def get_credential(client_url, kwargs):
     account_key = kwargs.pop('account_key', None)
     token_credential = kwargs.pop('token_credential', None)
     sas_token = kwargs.pop('sas_token', None)
     credential = account_key or sas_token or token_credential
-    return credential
+    if sas_token and 'sduoid=' in sas_token and token_credential:
+        credential = token_credential
+        client_url = client_url + '?' + sas_token
+    return client_url, credential
 
 
 def cf_blob_client(cli_ctx, kwargs):
     # track2 partial migration
     if kwargs.get('blob_url'):
         t_blob_client = get_sdk(cli_ctx, ResourceType.DATA_STORAGE_BLOB, '_blob_client#BlobClient')
-        credential = get_credential(kwargs)
+        blob_url, credential = get_credential(kwargs.pop('blob_url'), kwargs)
         # del unused kwargs
         kwargs.pop('connection_string')
         kwargs.pop('account_name')
         kwargs.pop('account_url')
         kwargs.pop('container_name')
         kwargs.pop('blob_name')
-        return t_blob_client.from_blob_url(blob_url=kwargs.pop('blob_url'),
+        return t_blob_client.from_blob_url(blob_url=blob_url,
                                            credential=credential,
                                            snapshot=kwargs.pop('snapshot', None),
                                            connection_timeout=kwargs.pop('connection_timeout', None))
@@ -220,6 +228,9 @@ def cf_adls_service(cli_ctx, kwargs):
     if not account_url:
         account_url = get_account_url(cli_ctx, account_name=account_name, service='dfs')
     credential = account_key or sas_token or token_credential
+    if sas_token and 'sduoid=' in sas_token and token_credential:
+        credential = token_credential
+        account_url = account_url + '?' + sas_token
 
     return t_adls_service(account_url=account_url, credential=credential, **client_kwargs)
 
@@ -257,6 +268,9 @@ def cf_queue_service(cli_ctx, kwargs):
     if not account_url:
         account_url = get_account_url(cli_ctx, account_name=account_name, service='queue')
     credential = account_key or sas_token or token_credential
+    if sas_token and 'sduoid=' in sas_token and token_credential:
+        credential = token_credential
+        account_url = account_url + '?' + sas_token
 
     return t_queue_service(account_url=account_url, credential=credential, **client_kwargs)
 
@@ -329,6 +343,9 @@ def cf_share_service(cli_ctx, kwargs):
     if not account_url:
         account_url = get_account_url(cli_ctx, account_name=account_name, service='file')
     credential = account_key or sas_token or token_credential
+    if sas_token and 'sduoid=' in sas_token and token_credential:
+        credential = token_credential
+        account_url = account_url + '?' + sas_token
 
     return t_share_service(account_url=account_url, credential=credential, **client_kwargs)
 
@@ -351,7 +368,7 @@ def cf_share_file_client(cli_ctx, kwargs):
         token_intent = 'backup' if enable_file_backup_request_intent else None
         if token_credential is not None and not enable_file_backup_request_intent:
             raise RequiredArgumentMissingError("--enable-file-backup-request-intent is required for file share OAuth")
-        credential = get_credential(kwargs)
+        file_url, credential = get_credential(kwargs.pop('file_url'), kwargs)
         # del unused kwargs
         kwargs.pop('connection_string')
         kwargs.pop('account_name')
@@ -372,7 +389,7 @@ def cf_share_file_client(cli_ctx, kwargs):
             if kwargs.get("source_share") or (copy_url and re.match(r"https?:\/\/.*?\.file\..*", copy_url)):
                 client_kwargs["allow_source_trailing_dot"] = not disallow_source_trailing_dot
 
-        return t_file_client.from_file_url(file_url=kwargs.pop('file_url'),
+        return t_file_client.from_file_url(file_url=file_url,
                                            credential=credential, token_intent=token_intent, **client_kwargs)
     if 'file_url' in kwargs:
         kwargs.pop('file_url')

src/azure-cli/azure/cli/command_modules/storage/_help.py

@@ -2681,6 +2681,16 @@
         az storage fs file upload --source a.txt -p dir/a.txt -f fsname --account-name myadlsaccount --account-key 0000-0000
 """
 
+helps['storage fs file generate-sas'] = """
+type: command
+short-summary: Generate a SAS token for file in ADLS Gen2 account.
+examples:
+  - name: Generate a sas token for file.
+    text: |
+        end=`date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ'`
+        az storage fs file generate-sas -p dir/a.txt --file-system myfilesystem --https-only --permissions dlrw --expiry $end -o tsv
+"""
+
 helps['storage fs metadata'] = """
 type: group
 short-summary: Manage the metadata for file system.

src/azure-cli/azure/cli/command_modules/storage/_params.py

@@ -24,7 +24,7 @@
                           get_api_version_type, blob_download_file_path_validator, blob_tier_validator, validate_subnet,
                           validate_immutability_arguments, validate_blob_name_for_upload, validate_share_close_handle,
                           blob_tier_validator_track2, services_type_v2, resource_type_type_v2, PermissionScopeAddAction,
-                          SshPublicKeyAddAction)
+                          SshPublicKeyAddAction, user_delegation_oid_validator)
 
 
 def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statements, too-many-lines, too-many-branches, line-too-long
@@ -961,6 +961,10 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                                     'specifies the blob snapshot to grant permission.')
         c.extra('encryption_scope', help='A predefined encryption scope used to encrypt the data on the service.')
         c.ignore('sas_token')
+        c.argument('user_delegation_oid', validator=user_delegation_oid_validator, is_preview=True,
+                   help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
+                        'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
+                        'to the user specified in this value.')
 
     with self.argument_context('storage blob restore', resource_type=ResourceType.MGMT_STORAGE) as c:
         from ._validators import BlobRangeAddAction
@@ -1680,6 +1684,10 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                         "The expiry parameter and '--auth-mode login' are required if this argument is specified. ")
         c.extra('encryption_scope', help='A predefined encryption scope used to encrypt the data on the service.')
         c.ignore('sas_token')
+        c.argument('user_delegation_oid', validator=user_delegation_oid_validator, is_preview=True,
+                   help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
+                        'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
+                        'to the user specified in this value.')
 
     for cmd in ['acquire', 'renew', 'break', 'change', 'release']:
         with self.argument_context(f'storage container lease {cmd}') as c:
@@ -1941,6 +1949,13 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help=sas_help.format(get_permission_help_string(t_share_permissions)),
                    validator=get_permission_validator(t_share_permissions))
         c.ignore('sas_token')
+        c.argument('as_user', action='store_true', validator=as_user_validator, is_preview=True,
+                   help="Indicates that this command return the SAS signed with the user delegation key. "
+                        "The expiry parameter and '--auth-mode login' are required if this argument is specified. ")
+        c.argument('user_delegation_oid', validator=user_delegation_oid_validator, is_preview=True,
+                   help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
+                        'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
+                        'to the user specified in this value.')
 
     with self.argument_context('storage share update') as c:
         c.extra('share_name', share_name_type, options_list=('--name', '-n'), required=True)
@@ -2149,6 +2164,13 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
         c.extra('content_type', help='Response header value for Content-Type when resource is accessed '
                                      'using this shared access signature.')
         c.ignore('sas_token')
+        c.extra('as_user', action='store_true', validator=as_user_validator, is_preview=True,
+                help="Indicates that this command return the SAS signed with the user delegation key. "
+                     "The expiry parameter and '--auth-mode login' are required if this argument is specified. ")
+        c.extra('user_delegation_oid', validator=user_delegation_oid_validator, is_preview=True,
+                help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
+                     'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
+                     'to the user specified in this value.')
 
     with self.argument_context('storage file list') as c:
         c.extra('share_name', share_name_type, required=True)
@@ -2295,6 +2317,13 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help=sas_help.format(get_permission_help_string(t_queue_permissions)),
                    validator=get_permission_validator(t_queue_permissions))
         c.ignore('sas_token')
+        c.argument('as_user', action='store_true', validator=as_user_validator, is_preview=True,
+                   help="Indicates that this command return the SAS signed with the user delegation key. "
+                        "The expiry parameter and '--auth-mode login' are required if this argument is specified. ")
+        c.argument('user_delegation_oid', validator=user_delegation_oid_validator, is_preview=True,
+                   help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
+                        'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
+                        'to the user specified in this value.')
 
     with self.argument_context('storage queue list') as c:
         c.argument('include_metadata', help='Specify that queue metadata be returned in the response.')
@@ -2540,6 +2569,10 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='Indicate that this command return the full blob URI and the shared access signature token.')
         c.argument('encryption_scope', help='Specify the encryption scope for a request made so that all '
                                             'write operations will be service encrypted.')
+        c.argument('user_delegation_oid', validator=user_delegation_oid_validator, is_preview=True,
+                   help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
+                        'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
+                        'to the user specified in this value.')
 
     with self.argument_context('storage fs list') as c:
         c.argument('include_metadata', arg_type=get_three_state_flag(),
@@ -2666,6 +2699,46 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='Indicate that this command return the full blob URI and the shared access signature token.')
         c.argument('encryption_scope', help='Specify the encryption scope for a request made so that all '
                                             'write operations will be service encrypted.')
+        c.argument('user_delegation_oid', validator=user_delegation_oid_validator, is_preview=True,
+                   help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
+                        'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
+                        'to the user specified in this value.')
+
+    with self.argument_context('storage fs file generate-sas') as c:
+        t_file_system_permissions = self.get_sdk('_models#FileSystemSasPermissions',
+                                                 resource_type=ResourceType.DATA_STORAGE_FILEDATALAKE)
+        c.register_sas_arguments()
+        c.argument('file_system_name', options_list=['-f', '--file-system'],
+                   help='File system name (i.e. container name).', required=True)
+        c.argument('path', options_list=['-p', '--path'], help="The file path in a file system.", required=True)
+        c.argument('id', options_list='--policy-name',
+                   help='The name of a stored access policy.')
+        c.argument('permission', options_list='--permissions',
+                   help=sas_help.format(get_permission_help_string(t_file_system_permissions)),
+                   validator=get_permission_validator(t_file_system_permissions))
+        c.argument('cache_control', help='Response header value for Cache-Control when resource is accessed'
+                                         'using this shared access signature.')
+        c.argument('content_disposition', help='Response header value for Content-Disposition when resource is accessed'
+                                               'using this shared access signature.')
+        c.argument('content_encoding', help='Response header value for Content-Encoding when resource is accessed'
+                                            'using this shared access signature.')
+        c.argument('content_language', help='Response header value for Content-Language when resource is accessed'
+                                            'using this shared access signature.')
+        c.argument('content_type', help='Response header value for Content-Type when resource is accessed'
+                                        'using this shared access signature.')
+        c.argument('as_user', action='store_true',
+                   validator=as_user_validator,
+                   help="Indicates that this command return the SAS signed with the user delegation key. "
+                        "The expiry parameter and '--auth-mode login' are required if this argument is specified. ")
+        c.ignore('sas_token')
+        c.argument('full_uri', action='store_true',
+                   help='Indicate that this command return the full blob URI and the shared access signature token.')
+        c.argument('encryption_scope', help='Specify the encryption scope for a request made so that all '
+                                            'write operations will be service encrypted.')
+        c.argument('user_delegation_oid', validator=user_delegation_oid_validator, is_preview=True,
+                   help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
+                        'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
+                        'to the user specified in this value.')
 
     with self.argument_context('storage fs file list') as c:
         c.extra('file_system_name', options_list=['-f', '--file-system'],

src/azure-cli/azure/cli/command_modules/storage/_validators.py

@@ -142,8 +142,10 @@ def validate_client_parameters(cmd, namespace):
         account_key_args = [arg for arg in account_key_args if arg]
 
         if account_key_args:
-            logger.warning('In "login" auth mode, the following arguments are ignored: %s',
-                           ' ,'.join(account_key_args))
+            # user delegation oid with oauth
+            if not (n.sas_token and 'sduoid=' in n.sas_token):
+                logger.warning('In "login" auth mode, the following arguments are ignored: %s',
+                               ' ,'.join(account_key_args))
         return
 
     # When there is no input for credential, we will read environment variable
@@ -1557,6 +1559,13 @@ def as_user_validator(namespace):
                 None, "incorrect usage: specify '--auth-mode login' when as-user is enabled")
 
 
+def user_delegation_oid_validator(namespace):
+    if namespace.user_delegation_oid and not namespace.as_user:
+        raise argparse.ArgumentError(
+            None, "incorrect usage: need to specify '--as-user' when '--user-delegation-oid' is "
+                  "provided")
+
+
 def validator_change_feed_retention_days(namespace):
     enable = namespace.enable_change_feed
     days = namespace.change_feed_retention_days