[Storage] Expose services to be configurable for account SAS generation (#34389)

* Expose Services to be configurable for account SAS generation

* Nit

* Changelogs, tests for blob&file SAS token combo

* Fix typehint to support str

* Fix import

* No network calls assert ss=

* Remove service calls, unit test :D

* Export Services, fix imports

Author: vincenttran-msft

sdk/storage/azure-storage-blob/CHANGELOG.md

@@ -5,6 +5,8 @@
 This version and all future versions will require Python 3.8+. Python 3.7 is no longer supported.
 
 ### Features Added
+- The `services` parameter has been added to the `generate_account_sas` API, which enables the ability to generate SAS
+tokens to be used with multiple services. By default, the SAS token service scope will default to the current service.
 
 ### Bugs Fixed
 - Bumped dependency of `typing-extensions` to `>=4.6.0` to avoid potential `TypeError` with `typing.TypeVar` on
@@ -206,7 +208,7 @@ This version and all future versions will require Python 3.6+. Python 2.7 is no
     - `set_immutability_policy`
 - Encryption Scope is now supported for Sync Blob Copy (`copy_from_url()`).
 - Encryption Scope is now supported as a SAS permission.
-- Added support for blob names containing invalid XML characters. 
+- Added support for blob names containing invalid XML characters.
   Previously \uFFFE and \uFFFF would fail if present in blob name.
 - Added support for listing system containers with get_blob_containers().
 - Added support for `find_blobs_by_tags()` on a container.
@@ -257,7 +259,7 @@ This version and all future versions will require Python 3.6+. Python 2.7 is no
 
 **Fixes**
 - Blob Client Typing annotation issues have been resolved, specifically `invalid type inference` issues (#19906)
-- Duplicate type signature issue has been resolved (#19739) 
+- Duplicate type signature issue has been resolved (#19739)
 
 ## 12.9.0 (2021-09-15)
 **Stable release of preview features**

sdk/storage/azure-storage-blob/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "python",
   "TagPrefix": "python/storage/azure-storage-blob",
-  "Tag": "python/storage/azure-storage-blob_ad4923b44f"
+  "Tag": "python/storage/azure-storage-blob_cdf4374dd9"
 }

sdk/storage/azure-storage-blob/azure/storage/blob/__init__.py

@@ -21,7 +21,8 @@
     ResourceTypes,
     AccountSasPermissions,
     StorageErrorCode,
-    UserDelegationKey
+    UserDelegationKey,
+    Services
 )
 from ._generated.models import (
     RehydratePriority,
@@ -60,7 +61,7 @@
     ArrowType,
     ObjectReplicationPolicy,
     ObjectReplicationRule,
-    ImmutabilityPolicy
+    ImmutabilityPolicy,
 )
 from ._list_blobs_helper import BlobPrefix
 
@@ -246,5 +247,6 @@ def download_blob_from_url(
     'ArrowType',
     'BlobQueryReader',
     'ObjectReplicationPolicy',
-    'ObjectReplicationRule'
+    'ObjectReplicationRule',
+    'Services',
 ]

sdk/storage/azure-storage-blob/azure/storage/blob/_shared_access_signature.py

@@ -308,15 +308,17 @@ def get_token(self):
 
 
 def generate_account_sas(
-        account_name,  # type: str
-        account_key,  # type: str
-        resource_types,  # type: Union[ResourceTypes, str]
-        permission,  # type: Union[AccountSasPermissions, str]
-        expiry,  # type: Union[datetime, str]
-        start=None,  # type: Optional[Union[datetime, str]]
-        ip=None,  # type: Optional[str]
-        **kwargs # type: Any
-    ):  # type: (...) -> str
+    account_name: str,
+    account_key: str,
+    resource_types: Union["ResourceTypes", str],
+    permission: Union["AccountSasPermissions", str],
+    expiry: Union["datetime", str],
+    start: Optional[Union["datetime", str]] = None,
+    ip: Optional[str] = None,
+    *,
+    services: Union[Services, str] = Services(blob=True),
+    **kwargs: Any
+) -> str:
     """Generates a shared access signature for the blob service.
 
     Use the returned signature with the credential parameter of any BlobServiceClient,
@@ -351,6 +353,9 @@ def generate_account_sas(
         or address range specified on the SAS token, the request is not authenticated.
         For example, specifying ip=168.1.5.65 or ip=168.1.5.60-168.1.5.70 on the SAS
         restricts the request to those IP addresses.
+    :keyword Union[Services, str] services:
+        Specifies the services that the Shared Access Signature (sas) token will be able to be utilized with.
+        Will default to only this package (i.e. blobs) if not provided.
     :keyword str protocol:
         Specifies the protocol permitted for a request made. The default value is https.
     :keyword str encryption_scope:
@@ -369,7 +374,7 @@ def generate_account_sas(
     """
     sas = SharedAccessSignature(account_name, account_key)
     return sas.generate_account(
-        services=Services(blob=True),
+        services=services,
         resource_types=resource_types,
         permission=permission,
         expiry=expiry,

sdk/storage/azure-storage-blob/tests/test_common_blob.py

@@ -40,6 +40,7 @@
     LinearRetry,
     ResourceTypes,
     RetentionPolicy,
+    Services,
     StandardBlobTier,
     StorageErrorCode,
     download_blob_from_url,
@@ -2139,6 +2140,25 @@ def test_blob_service_sas(self, **kwargs):
         assert blob_list is not None
         assert blob_props is not None
 
+    @BlobPreparer()
+    def test_multiple_services_sas(self, **kwargs):
+        storage_account_name = kwargs.pop("storage_account_name")
+        storage_account_key = kwargs.pop("storage_account_key")
+
+        # Act
+        token = self.generate_sas(
+            generate_account_sas,
+            storage_account_name,
+            storage_account_key,
+            ResourceTypes(container=True, object=True, service=True),
+            AccountSasPermissions(read=True, list=True),
+            datetime.utcnow() + timedelta(hours=1),
+            services=Services(blob=True, fileshare=True)
+        )
+
+        # Assert
+        assert 'ss=bf' in token
+
     @pytest.mark.live_test_only
     @BlobPreparer()
     def test_set_immutability_policy_using_sas(self, **kwargs):
@@ -2225,7 +2245,7 @@ def test_set_immutability_policy_using_sas(self, **kwargs):
         # Assert response using blob sas
         assert resp_with_blob_sas['immutability_policy_until_date'] is not None
         assert resp_with_blob_sas['immutability_policy_mode'] is not None
-        
+
         if self.is_live:
             blob_client.delete_immutability_policy()
             blob_client.set_legal_hold(False)

sdk/storage/azure-storage-blob/tests/test_common_blob_async.py

@@ -43,12 +43,12 @@
     RehydratePriority,
     ResourceTypes,
     RetentionPolicy,
+    Services,
     StandardBlobTier,
     StorageErrorCode,
     generate_account_sas,
     generate_container_sas,
     generate_blob_sas)
-
 from devtools_testutils.aio import recorded_by_proxy_async
 from devtools_testutils.storage.aio import AsyncStorageRecordedTestCase
 from settings.testcase import BlobPreparer
@@ -2315,6 +2315,25 @@ async def test_account_sas_credential(self, **kwargs):
         assert blob_name == blob_properties.name
         assert self.container_name == container_properties.name
 
+    @BlobPreparer()
+    async def test_multiple_services_sas(self, **kwargs):
+        storage_account_name = kwargs.pop("storage_account_name")
+        storage_account_key = kwargs.pop("storage_account_key")
+
+        # Act
+        token = self.generate_sas(
+            generate_account_sas,
+            storage_account_name,
+            storage_account_key,
+            ResourceTypes(container=True, object=True, service=True),
+            AccountSasPermissions(read=True, list=True),
+            datetime.utcnow() + timedelta(hours=1),
+            services=Services(blob=True, fileshare=True)
+        )
+
+        # Assert
+        assert 'ss=bf' in token
+
     @BlobPreparer()
     @recorded_by_proxy_async
     async def test_azure_named_key_credential_access(self, **kwargs):

sdk/storage/azure-storage-file-datalake/CHANGELOG.md

@@ -5,6 +5,8 @@
 This version and all future versions will require Python 3.8+. Python 3.7 is no longer supported.
 
 ### Features Added
+- The `services` parameter has been added to the `generate_account_sas` API, which enables the ability to generate SAS
+tokens to be used with multiple services. By default, the SAS token service scope will default to the current service.
 
 ### Bugs Fixed
 - Bumped dependency of `typing-extensions` to `>=4.6.0` to avoid potential `TypeError` with `typing.TypeVar` on
@@ -190,7 +192,7 @@ in a future release.
     - `permanent_delete`
     - `set_immutability_policy`
 **Fixes**
-- `FileSystemProperties` was not subscriptable. Now it is both subscriptable and attributes can also be accessed directly (#20772) 
+- `FileSystemProperties` was not subscriptable. Now it is both subscriptable and attributes can also be accessed directly (#20772)
 - Datalake Client Typing annotation issues have been resolved (#19906)
 
 ## 12.5.0 (2021-09-15)

sdk/storage/azure-storage-file-datalake/azure/storage/filedatalake/__init__.py

@@ -44,14 +44,14 @@
     ResourceTypes,
     RetentionPolicy,
     StaticWebsite,
-    UserDelegationKey
+    UserDelegationKey,
 )
 
 from ._shared_access_signature import generate_account_sas, generate_file_system_sas, generate_directory_sas, \
     generate_file_sas
 
 from ._shared.policies import ExponentialRetry, LinearRetry
-from ._shared.models import StorageErrorCode
+from ._shared.models import StorageErrorCode, Services
 from ._version import VERSION
 
 __version__ = VERSION
@@ -105,5 +105,6 @@
     'StorageErrorCode',
     'StorageStreamDownloader',
     'UserDelegationKey',
-    'VERSION'
+    'VERSION',
+    'Services'
 ]

sdk/storage/azure-storage-file-datalake/azure/storage/filedatalake/_shared_access_signature.py

@@ -10,6 +10,7 @@
 
 from azure.storage.blob import generate_account_sas as generate_blob_account_sas
 from azure.storage.blob import generate_container_sas, generate_blob_sas
+from ._shared.models import Services
 from ._shared.shared_access_signature import QueryStringConstants
 
 
@@ -26,13 +27,15 @@
 
 
 def generate_account_sas(
-        account_name,  # type: str
-        account_key,  # type: str
-        resource_types,  # type: Union[ResourceTypes, str]
-        permission,  # type: Union[AccountSasPermissions, str]
-        expiry,  # type: Union[datetime, str]
-        **kwargs # type: Any
-    ):  # type: (...) -> str
+    account_name: str,
+    account_key: str,
+    resource_types: Union["ResourceTypes", str],
+    permission: Union["AccountSasPermissions", str],
+    expiry: Union["datetime", str],
+    *,
+    services: Union[Services, str] = Services(blob=True),
+    **kwargs: Any
+) -> str:
     """Generates a shared access signature for the DataLake service.
 
     Use the returned signature as the credential parameter of any DataLakeServiceClient,
@@ -67,6 +70,9 @@ def generate_account_sas(
         or address range specified on the SAS token, the request is not authenticated.
         For example, specifying ip=168.1.5.65 or ip=168.1.5.60-168.1.5.70 on the SAS
         restricts the request to those IP addresses.
+    :keyword Union[Services, str] services:
+        Specifies the services that the Shared Access Signature (sas) token will be able to be utilized with.
+        Will default to only this package (i.e. blobs) if not provided.
     :keyword str protocol:
         Specifies the protocol permitted for a request made. The default value is https.
     :keyword str encryption_scope:
@@ -80,6 +86,7 @@ def generate_account_sas(
         resource_types=resource_types,
         permission=permission,
         expiry=expiry,
+        services=services,
         **kwargs
     )