Skip to content

STG100 - Blob Principal Bound Identity SAS #46282

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Aug 20, 2025
Merged

STG100 - Blob Principal Bound Identity SAS #46282

merged 14 commits into from
Aug 20, 2025

Conversation

ibrandes
Copy link
Member

@ibrandes ibrandes commented Aug 5, 2025
edited
Loading

🔐 New Feature: Delegated User Object ID for SAS

This PR adds support for binding a SAS (Shared Access Signature) to a specific Entra ID user via a new field: delegatedUserObjectId. This ensures that the SAS can only be used in conjunction with a token issued to the specified user.

📦 Key Code Changes

  1. New Field Added

    • delegatedUserObjectId added to:
      • BlobServiceSasSignatureValues
      • BlobSasImplUtil
      • CommonSasQueryParameters
      • Constants.UrlConstants as SAS_DELEGATED_USER_OBJECT_ID

  2. SAS String Construction

    • The delegatedUserObjectId is now included in the SAS string-to-sign logic and query parameters.

  3. Asset Tag Update

    • Updated the asset tag in assets.json.

🧪 Tests Added

New test cases validate the behavior of SAS with delegatedUserObjectId:

  • Positive Tests: SAS works when used with the correct token.
  • Negative Tests: SAS fails when token is missing or mismatched.
  • Unit Tests: Validate string-to-sign logic and encoding.

🛠️ Utilities

  • Added a helper method getOidFromToken in StorageCommonTestUtils to extract the object ID from a token.

@github-actions github-actions bot added the Storage Storage Service (Queues, Blobs, Files) label Aug 5, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 5, 2025
edited
Loading

API Change Check

APIView identified API level changes in this PR and created the following API reviews

com.azure:azure-storage-blob
com.azure:azure-storage-common

@ibrandes ibrandes marked this pull request as ready for review August 6, 2025 19:23
@ibrandes ibrandes changed the title Blob Principal Bound Identity SAS STG100 - Blob Principal Bound Identity SAS Aug 17, 2025
@ibrandes ibrandes requested a review from Copilot August 17, 2025 20:09
Copilot
Copilot AI reviewed Aug 17, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements Delegated User Object ID for SAS functionality, enabling SAS tokens to be bound to specific Entra ID users for enhanced security. The feature ensures that SAS tokens can only be used when accompanied by valid tokens issued to the specified user.

  • Adds delegatedUserObjectId field to core SAS classes and string-to-sign logic
  • Implements comprehensive tests covering both positive and negative scenarios
  • Updates asset tags for the new test assets

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
StorageCommonTestUtils.java Added helper method to extract OID from JWT tokens
CommonSasQueryParameters.java Added field and getter for delegated user object ID
Constants.java Added SAS parameter constant for delegated user object ID
SasClientTests.java Added comprehensive tests for delegated object ID functionality
SasAsyncClientTests.java Added async test variants for delegated object ID functionality
BlobTestBase.java Improved retry logic for live tests
BlobServiceSasSignatureValues.java Added delegated user object ID field and methods
BlobSasImplUtil.java Integrated delegated user object ID into SAS generation and signing
assets.json Updated asset tag for new test resources

kyleknap
kyleknap reviewed Aug 20, 2025
View reviewed changes
Copy link
Member

@kyleknap kyleknap left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Just had one question/suggestion.

kyleknap
kyleknap approved these changes Aug 20, 2025
View reviewed changes
Copy link
Member

@kyleknap kyleknap left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! 🚢

@ibrandes ibrandes merged commit 08284c0 into feature/storage/stg100base Aug 20, 2025
15 of 18 checks passed
@ibrandes ibrandes deleted the stg100/blobPrincipalBoundIdentitySas branch August 20, 2025 18:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@kyleknap kyleknap kyleknap approved these changes

@seanmcc-msft seanmcc-msft Awaiting requested review from seanmcc-msft seanmcc-msft is a code owner

@alzimmermsft alzimmermsft Awaiting requested review from alzimmermsft alzimmermsft is a code owner

@gunjansingh-msft gunjansingh-msft Awaiting requested review from gunjansingh-msft gunjansingh-msft is a code owner

@browndav-msft browndav-msft Awaiting requested review from browndav-msft browndav-msft is a code owner

Assignees
No one assigned
Labels
Storage Storage Service (Queues, Blobs, Files)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ibrandes @kyleknap