STG100 - Datalake Principal Bound Identity SAS (#46445)

* adding implementation and happy path test

* adding more tests and recordings, and moving token extraction to common

* re-adding recordings after pull

* fixing string to sign test

* forgot that token can't be recorded

* reverting assets and moving query param

* adding old assets tag back because im silly

* whole feature

* adding more tests and consolidating string to sign logic

* fixing test that was unocovered through the fix to liveTestScenarioWithRetry

* removing change in blobsasimplutil

Author: ibrandes

sdk/storage/azure-storage-file-datalake/src/main/java/com/azure/storage/file/datalake/implementation/util/DataLakeSasImplUtil.java

@@ -92,6 +92,8 @@ public class DataLakeSasImplUtil {
 
     private String encryptionScope;
 
+    private String delegatedUserObjectId;
+
     /**
      * Creates a new {@link DataLakeSasImplUtil} with the specified parameters
      *
@@ -108,7 +110,7 @@ public DataLakeSasImplUtil(DataLakeServiceSasSignatureValues sasValues, String f
      * @param sasValues {@link DataLakeServiceSasSignatureValues}
      * @param fileSystemName The file system name
      * @param pathName The path name
-     * @param isDirectory Whether or not the path points to a directory.
+     * @param isDirectory Whether the path points to a directory.
      */
     public DataLakeSasImplUtil(DataLakeServiceSasSignatureValues sasValues, String fileSystemName, String pathName,
         boolean isDirectory) {
@@ -131,6 +133,7 @@ public DataLakeSasImplUtil(DataLakeServiceSasSignatureValues sasValues, String f
         this.correlationId = sasValues.getCorrelationId();
         this.isDirectory = isDirectory;
         this.encryptionScope = sasValues.getEncryptionScope();
+        this.delegatedUserObjectId = sasValues.getDelegatedUserObjectId();
     }
 
     /**
@@ -255,6 +258,8 @@ private String encode(UserDelegationKey userDelegationKey, String signature) {
                 this.authorizedAadObjectId);
             tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_AGENT_OBJECT_ID, this.unauthorizedAadObjectId);
             tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_CORRELATION_ID, this.correlationId);
+            tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_DELEGATED_USER_OBJECT_ID,
+                this.delegatedUserObjectId);
         }
 
         tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_SIGNED_RESOURCE, this.resource);
@@ -455,7 +460,7 @@ public String stringToSign(final UserDelegationKey key, String canonicalName) {
                 this.authorizedAadObjectId == null ? "" : this.authorizedAadObjectId,
                 this.unauthorizedAadObjectId == null ? "" : this.unauthorizedAadObjectId,
                 this.correlationId == null ? "" : this.correlationId, "", /* new schema 2025-07-05 */
-                "", /* new schema 2025-07-05 */
+                this.delegatedUserObjectId == null ? "" : this.delegatedUserObjectId,
                 this.sasIpRange == null ? "" : this.sasIpRange.toString(),
                 this.protocol == null ? "" : this.protocol.toString(), VERSION, resource, "", /* Version segment. */
                 this.encryptionScope == null ? "" : this.encryptionScope,

sdk/storage/azure-storage-file-datalake/src/main/java/com/azure/storage/file/datalake/sas/DataLakeServiceSasSignatureValues.java

@@ -44,6 +44,7 @@ public final class DataLakeServiceSasSignatureValues {
     private String agentObjectId; /* suoid */
     private String correlationId;
     private String encryptionScope;
+    private String delegatedUserObjectId;
 
     /**
      * Creates an object with the specified expiry time and permissions
@@ -450,4 +451,28 @@ public DataLakeServiceSasSignatureValues setEncryptionScope(String encryptionSco
         this.encryptionScope = encryptionScope;
         return this;
     }
+
+    /**
+     * Optional. Beginning in version 2025-07-05, this value specifies the Entra ID of the user that is authorized to
+     * use the resulting SAS URL. The resulting SAS URL must be used in conjunction with an Entra ID token that has been
+     * issued to the user specified in this value.
+     *
+     * @return The Entra ID of the user that is authorized to use the resulting SAS URL.
+     */
+    public String getDelegatedUserObjectId() {
+        return delegatedUserObjectId;
+    }
+
+    /**
+     * Optional. Beginning in version 2025-07-05, this value specifies the Entra ID of the user that is authorized to
+     * use the resulting SAS URL. The resulting SAS URL must be used in conjunction with an Entra ID token that has been
+     * issued to the user specified in this value.
+     *
+     * @param delegatedUserObjectId The Entra ID of the user that is authorized to use the resulting SAS URL.
+     * @return the updated DataLakeServiceSasSignatureValues object
+     */
+    public DataLakeServiceSasSignatureValues setDelegatedUserObjectId(String delegatedUserObjectId) {
+        this.delegatedUserObjectId = delegatedUserObjectId;
+        return this;
+    }
 }

sdk/storage/azure-storage-file-datalake/src/test/java/com/azure/storage/file/datalake/DataLakeTestBase.java

@@ -760,4 +760,26 @@ public static void waitUntilPredicate(long delayMillis, int numberOfDelays, Supp
             sleepIfLiveTesting(delayMillis);
         }
     }
+
+    protected void liveTestScenarioWithRetry(Runnable runnable) {
+        if (!interceptorManager.isLiveMode()) {
+            runnable.run();
+            return;
+        }
+
+        int retry = 0;
+
+        // Try up to 5 times (4 retries + 1 final attempt)
+        while (retry < 4) {
+            try {
+                runnable.run();
+                return; // success
+            } catch (Exception ex) {
+                retry++;
+                sleepIfRunningAgainstService(5000);
+            }
+        }
+        // Final attempt (5th try)
+        runnable.run();
+    }
 }

sdk/storage/azure-storage-file-datalake/src/test/java/com/azure/storage/file/datalake/FileApiTest.java

@@ -3192,24 +3192,6 @@ public void queryAC(OffsetDateTime modified, OffsetDateTime unmodified, String m
         });
     }
 
-    private void liveTestScenarioWithRetry(Runnable runnable) {
-        if (!interceptorManager.isLiveMode()) {
-            runnable.run();
-            return;
-        }
-
-        int retry = 0;
-        while (retry < 5) {
-            try {
-                runnable.run();
-                break;
-            } catch (Exception ex) {
-                retry++;
-                sleepIfRunningAgainstService(5000);
-            }
-        }
-    }
-
     @RequiredServiceVersion(clazz = DataLakeServiceVersion.class, min = "2019-12-12")
     @ParameterizedTest
     @MethodSource("invalidModifiedMatchAndLeaseIdSupplier")

sdk/storage/azure-storage-file-datalake/src/test/java/com/azure/storage/file/datalake/FileAsyncApiTests.java

@@ -3903,12 +3903,15 @@ public void queryInputOutputIA(boolean input, boolean output) {
         FileQuerySerialization outSer = output ? ser : null;
         String expression = "SELECT * from BlobStorage";
 
-        liveTestScenarioWithRetry(() -> {
-            StepVerifier.create(fc.queryWithResponse(
-                new FileQueryOptions(expression, new ByteArrayOutputStream()).setInputSerialization(inSer)
-                    .setOutputSerialization(outSer)))
-                .verifyError(IllegalArgumentException.class);
-        });
+        FileQueryOptions options
+            = new FileQueryOptions(expression, new ByteArrayOutputStream()).setInputSerialization(inSer)
+                .setOutputSerialization(outSer);
+
+        // The IllegalArgumentException is thrown synchronously by the fc.queryWithResponse(options) method call itself,
+        // before StepVerifier.create() can subscribe to the Mono. StepVerifier.verifyError() is designed to verify an
+        // onError signal emitted by a reactive stream. It does not catch exceptions thrown during the assembly or
+        // creation of the stream.
+        assertThrows(IllegalArgumentException.class, () -> fc.queryWithResponse(options));
     }
 
     @RequiredServiceVersion(clazz = DataLakeServiceVersion.class, min = "2019-12-12")
@@ -3975,19 +3978,6 @@ public void queryAC(OffsetDateTime modified, OffsetDateTime unmodified, String m
         });
     }
 
-    private void liveTestScenarioWithRetry(Runnable runnable) {
-        int retry = 0;
-        while (retry < 5) {
-            try {
-                runnable.run();
-                break;
-            } catch (Exception ex) {
-                retry++;
-                sleepIfLiveTesting(5000);
-            }
-        }
-    }
-
     @RequiredServiceVersion(clazz = DataLakeServiceVersion.class, min = "2019-12-12")
     @ParameterizedTest
     @MethodSource("invalidModifiedMatchAndLeaseIdSupplier")