Add support for user delegation SAS

Author: Jinming-Hu

Microsoft.WindowsAzure.Storage/includes/was/auth.h

@@ -26,12 +26,13 @@ namespace azure { namespace storage {
     class cloud_blob_shared_access_headers;
     class cloud_file_shared_access_headers;
     class account_shared_access_policy;
+    struct user_delegation_key;
 
 }} // namespace azure::storage
 
 namespace azure { namespace storage { namespace protocol {
 
-    utility::string_t calculate_hmac_sha256_hash(const utility::string_t& string_to_hash, const storage_credentials& credentials);
+    utility::string_t calculate_hmac_sha256_hash(const utility::string_t& string_to_hash, const std::vector<uint8_t>& key);
 
     const utility::string_t auth_name_shared_key(_XPLATSTR("SharedKey"));
     const utility::string_t auth_name_shared_key_lite(_XPLATSTR("SharedKeyLite"));
@@ -474,6 +475,7 @@ namespace azure { namespace storage { namespace protocol {
     utility::string_t get_queue_sas_token(const utility::string_t& identifier, const shared_access_policy& policy, const utility::string_t& resource, const storage_credentials& credentials);
     utility::string_t get_table_sas_token(const utility::string_t& identifier, const shared_access_policy& policy, const utility::string_t& table_name, const utility::string_t& start_partition_key, const utility::string_t& start_row_key, const utility::string_t& end_partition_key, const utility::string_t& end_row_key, const utility::string_t& resource, const storage_credentials& credentials);
     utility::string_t get_file_sas_token(const utility::string_t& identifier, const shared_access_policy& policy, const cloud_file_shared_access_headers& headers, const utility::string_t& resource_type, const utility::string_t& resource, const storage_credentials& credentials);
+    utility::string_t get_blob_user_delegation_sas_token(const shared_access_policy& policy, const cloud_blob_shared_access_headers& headers, const utility::string_t& resource_type, const utility::string_t& resource, const utility::string_t& snapshot_time, const user_delegation_key& key);
     storage_credentials parse_query(const web::http::uri& uri, bool require_signed_resource);
 
 #pragma endregion

Microsoft.WindowsAzure.Storage/includes/was/blob.h

@@ -2516,6 +2516,17 @@ namespace azure { namespace storage {
         friend class protocol::list_containers_reader;
     };
 
+    struct user_delegation_key
+    {
+        utility::string_t signed_oid;
+        utility::string_t signed_tid;
+        utility::datetime signed_start;
+        utility::datetime signed_expiry;
+        utility::string_t signed_service;
+        utility::string_t signed_version;
+        utility::string_t key;
+    };
+
     /// <summary>
     /// Provides a client-side logical representation of the Windows Azure Blob Service. This client is used to configure and execute requests against the Blob Service.
     /// </summary>
@@ -3064,6 +3075,39 @@ namespace azure { namespace storage {
             m_directory_delimiter = std::move(value);
         }
 
+        /// <summary>
+        /// Gets a key that can be used to sign a user delegation SAS (shared access signature).
+        /// </summary>
+        /// <param name="start">The start time for the user delegation key.</param>
+        /// <param name="expiry">The expiry time for the user delegation key.</param>
+        /// <returns>A string containing user delegation key.</returns>
+        user_delegation_key get_user_delegation_key(const utility::datetime& start, const utility::datetime& expiry)
+        {
+            return get_user_delegation_key_async(start, expiry).get();
+        }
+
+        /// <summary>
+        /// Initiates an asynchronous operation to get a key that can be used to sign a user delegation SAS (shared access signature).
+        /// </summary>
+        /// <param name="start">The start time for the user delegation key.</param>
+        /// <param name="expiry">The expiry time for the user delegation key.</param>
+        /// <returns>A <see cref="pplx::task" /> object of string that contains user delegation key.</returns>
+        pplx::task<user_delegation_key> get_user_delegation_key_async(const utility::datetime& start, const utility::datetime& expiry)
+        {
+            return get_user_delegation_key_async(start, expiry, blob_request_options(), operation_context(), pplx::cancellation_token::none());
+        }
+
+        /// <summary>
+        /// Initiates an asynchronous operation to get a key that can be used to sign a user delegation SAS (shared access signature).
+        /// </summary>
+        /// <param name="start">The start time for the user delegation key.</param>
+        /// <param name="expiry">The expiry time for the user delegation key.</param>
+        /// <param name="options">An <see cref="azure::storage::blob_request_options" /> object that specifies additional options for the request.</param>
+        /// <param name="context">An <see cref="azure::storage::operation_context" /> object that represents the context for the current operation.</param>
+        /// <param name="cancellation_token">An <see cref="pplx::cancellation_token" /> object that is used to cancel the current operation.</param>
+        /// <returns>A <see cref="pplx::task" /> object of string that contains user delegation key.</returns>
+        WASTORAGE_API pplx::task<user_delegation_key> get_user_delegation_key_async(const utility::datetime& start, const utility::datetime& expiry, const request_options& modified_options, operation_context context, const pplx::cancellation_token& cancellation_token);
+
     private:
         pplx::task<account_properties> download_account_properties_base_async(const storage_uri& uri, const request_options& modified_options, operation_context context, const pplx::cancellation_token& cancellation_token) const;
 
@@ -3175,6 +3219,14 @@ namespace azure { namespace storage {
         /// <returns>A string containing a shared access signature.</returns>
         WASTORAGE_API utility::string_t get_shared_access_signature(const blob_shared_access_policy& policy, const utility::string_t& stored_policy_identifier) const;
 
+        /// <summary>
+        /// Returns a user delegation SAS for the container.
+        /// </summary>
+        /// <param name="key">User delegation key used to sign this SAS.</param>
+        /// <param name="policy">The access policy for the shared access signature.</param>
+        /// <returns>A string containing a shared access signature.</returns>
+        WASTORAGE_API utility::string_t get_user_delegation_sas(const user_delegation_key& key, const blob_shared_access_policy& policy) const;
+
         /// <summary>
         /// Gets a reference to a blob in this container.
         /// </summary>
@@ -4612,6 +4664,27 @@ namespace azure { namespace storage {
         /// <returns>A string containing a shared access signature.</returns>
         WASTORAGE_API utility::string_t get_shared_access_signature(const blob_shared_access_policy& policy, const utility::string_t& stored_policy_identifier, const cloud_blob_shared_access_headers& headers) const;
 
+
+        /// <summary>
+        /// Returns a user delegation SAS for the blob.
+        /// </summary>
+        /// <param name="key">User delegation key used to sign this SAS.</param>
+        /// <param name="policy">The access policy for the shared access signature.</param>
+        /// <returns>A string containing a shared access signature.</returns>
+        utility::string_t get_user_delegation_sas(const user_delegation_key& key, const blob_shared_access_policy& policy) const
+        {
+            return get_user_delegation_sas(key, policy, cloud_blob_shared_access_headers());
+        }
+
+        /// <summary>
+        /// Returns a user delegation SAS for the blob.
+        /// </summary>
+        /// <param name="key">User delegation key used to sign this SAS.</param>
+        /// <param name="policy">The access policy for the shared access signature.</param>
+        /// <param name="headers">The optional header values to set for a blob returned with this SAS.</param>
+        /// <returns>A string containing a shared access signature.</returns>
+        WASTORAGE_API utility::string_t get_user_delegation_sas(const user_delegation_key& key, const blob_shared_access_policy& policy, const cloud_blob_shared_access_headers& headers) const;
+
         /// <summary>
         /// Opens a stream for reading from the blob.
         /// </summary>

Microsoft.WindowsAzure.Storage/includes/was/core.h

@@ -232,22 +232,45 @@ namespace azure { namespace storage {
         {
         }
 
+        class sas_credential
+        {
+        public:
+            explicit sas_credential(utility::string_t sas_token) : m_sas_token(std::move(sas_token))
+            {
+            }
+
+        private:
+            utility::string_t m_sas_token;
+
+            friend class storage_credentials;
+        };
+
         /// <summary>
         /// Initializes a new instance of the <see cref="azure::storage::storage_credentials" /> class with the specified shared access signature token.
         /// </summary>
         /// <param name="sas_token">A string containing the shared access signature token.</param>
         explicit storage_credentials(utility::string_t sas_token)
-            : m_sas_token(std::move(sas_token))
+            : storage_credentials(utility::string_t(), sas_credential{sas_token})
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="azure::storage::storage_credentials" /> class with the specified account name and shared access signature token.
+        /// </summary>
+        /// <param name="account_name">A string containing the name of the storage account.</param>
+        /// <param name="sas_token">An <see cref="azure::storage::sas_credential" /> containing shared access signature token.</param>
+        storage_credentials(utility::string_t account_name, sas_credential sas_token)
+            : m_account_name(std::move(account_name)), m_sas_token(std::move(sas_token.m_sas_token))
         {
             if (m_sas_token.size() >= 1 && m_sas_token.at(0) == _XPLATSTR('?'))
             {
                 m_sas_token = m_sas_token.substr(1);
             }
-            
+
             auto splitted_query = web::uri::split_query(m_sas_token);
             if (!splitted_query.empty())
             {
-                splitted_query[protocol::uri_query_sas_api_version] = protocol::header_value_storage_version; 
+                splitted_query[protocol::uri_query_sas_api_version] = protocol::header_value_storage_version;
                 web::uri_builder builder;
                 for (const auto& kv : splitted_query)
                 {
@@ -278,7 +301,17 @@ namespace azure { namespace storage {
         /// </summary>
         /// <param name="token">A <see cref="azure::storage::storage_credentials::bearer_token_credential" /> class containing bearer token.</param>
         template<class T, typename std::enable_if<std::is_same<typename std::decay<T>::type, bearer_token_credential>::value>::type* = nullptr>
-        explicit storage_credentials(T&& token) : m_bearer_token_credential(std::make_shared<bearer_token_credential>())
+        explicit storage_credentials(T&& token) : storage_credentials(utility::string_t(), std::forward<T>(token))
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="azure::storage::storage_credentials" /> class with the specified account name and bearer token.
+        /// </summary>
+        /// <param name="account_name">A string containing the name of the storage account.</param>
+        /// <param name="token">A <see cref="azure::storage::storage_credentials::bearer_token_credential" /> class containing bearer token.</param>
+        template<class T, typename std::enable_if<std::is_same<typename std::decay<T>::type, bearer_token_credential>::value>::type* = nullptr>
+        storage_credentials(utility::string_t account_name, T&& token) : m_account_name(std::move(account_name)), m_bearer_token_credential(std::make_shared<bearer_token_credential>())
         {
             m_bearer_token_credential->m_bearer_token = std::forward<T>(token).m_bearer_token;
         }
@@ -399,7 +432,7 @@ namespace azure { namespace storage {
         /// <returns><c>true</c> if the credentials are for anonymous access; otherwise, <c>false</c>.</returns>
         bool is_anonymous() const
         {
-            return m_sas_token.empty() && m_account_name.empty() && !is_bearer_token();
+            return m_sas_token.empty() && m_account_key.empty() && !is_bearer_token();
         }
 
         /// <summary>
@@ -408,7 +441,7 @@ namespace azure { namespace storage {
         /// <returns><c>true</c> if the credentials are a shared access signature token; otherwise, <c>false</c>.</returns>
         bool is_sas() const
         {
-            return !m_sas_token.empty() && m_account_name.empty() && !is_bearer_token();
+            return !m_sas_token.empty() && m_account_key.empty() && !is_bearer_token();
         }
 
         /// <summary>
@@ -417,7 +450,7 @@ namespace azure { namespace storage {
         /// <returns><c>true</c> if the credentials are a shared key; otherwise, <c>false</c>.</returns>
         bool is_shared_key() const
         {
-            return m_sas_token.empty() && !m_account_name.empty() && !is_bearer_token();
+            return m_sas_token.empty() && !m_account_key.empty() && !is_bearer_token();
         }
 
         /// <summary>

Microsoft.WindowsAzure.Storage/includes/wascore/constants.dat

@@ -65,6 +65,12 @@ DAT(uri_query_sas_services, _XPLATSTR("ss"))
 DAT(uri_query_sas_resource_types, _XPLATSTR("srt"))
 DAT(uri_query_sas_ip, _XPLATSTR("sip"))
 DAT(uri_query_sas_protocol, _XPLATSTR("spr"))
+DAT(uri_query_sas_skoid, _XPLATSTR("skoid"))
+DAT(uri_query_sas_sktid, _XPLATSTR("sktid"))
+DAT(uri_query_sas_skt, _XPLATSTR("skt"))
+DAT(uri_query_sas_ske, _XPLATSTR("ske"))
+DAT(uri_query_sas_sks, _XPLATSTR("sks"))
+DAT(uri_query_sas_skv, _XPLATSTR("skv"))
 
 // table query parameters
 DAT(table_query_next_partition_key, _XPLATSTR("NextPartitionKey"))
@@ -106,6 +112,7 @@ DAT(component_range, _XPLATSTR("range"))
 DAT(component_incrementalcopy, _XPLATSTR("incrementalcopy"))
 DAT(component_tier, _XPLATSTR("tier"))
 DAT(component_file_permission, _XPLATSTR("filepermission"))
+DAT(component_user_delegation_key, _XPLATSTR("userdelegationkey"))
 
 // common resources
 DAT(root_container, _XPLATSTR("$root"))
@@ -375,6 +382,17 @@ DAT(xml_file_id, _XPLATSTR("Id"))
 DAT(xml_access_tier, _XPLATSTR("AccessTier"))
 DAT(xml_access_tier_inferred, _XPLATSTR("AccessTierInferred"))
 DAT(xml_access_tier_change_time, _XPLATSTR("AccessTierChangeTime"))
+DAT(xml_user_delegation_key, _XPLATSTR("UserDelegationKey"))
+DAT(xml_user_delegation_key_signed_oid, _XPLATSTR("SignedOid"))
+DAT(xml_user_delegation_key_signed_tid, _XPLATSTR("SignedTid"))
+DAT(xml_user_delegation_key_signed_start, _XPLATSTR("SignedStart"))
+DAT(xml_user_delegation_key_signed_expiry, _XPLATSTR("SignedExpiry"))
+DAT(xml_user_delegation_key_signed_service, _XPLATSTR("SignedService"))
+DAT(xml_user_delegation_key_signed_version, _XPLATSTR("SignedVersion"))
+DAT(xml_user_delegation_key_value, _XPLATSTR("Value"))
+DAT(xml_user_delegation_key_info, _XPLATSTR("KeyInfo"))
+DAT(xml_user_delegation_key_start, _XPLATSTR("Start"))
+DAT(xml_user_delegation_key_expiry, _XPLATSTR("Expiry"))
 
 // json strings
 DAT(json_file_permission, _XPLATSTR("permission"))
@@ -411,6 +429,7 @@ DAT(error_crc64_mismatch, "Calculated CRC64 does not match existing property.")
 DAT(error_missing_md5, "MD5 does not exist. If you do not want to force validation, please disable use_transactional_md5.")
 DAT(error_missing_crc64, "CRC64 does not exist. If you do not want to force validation, please disable use_transactional_crc64.")
 DAT(error_sas_missing_credentials, "Cannot create Shared Access Signature unless Shared Key credentials are used.")
+DAT(error_uds_missing_credentials, "Cannot create User Delegation SAS unless token credentials are used")
 DAT(error_client_timeout, "The client could not finish the operation within specified timeout.")
 DAT(error_cannot_modify_snapshot, "Cannot perform this operation on a blob representing a snapshot.")
 DAT(error_page_blob_size_unknown, "The size of the page blob could not be determined, because a length argument is not provided and stream is not seekable or stream length exceeds the permitted length.")

Microsoft.WindowsAzure.Storage/includes/wascore/protocol.h

@@ -70,6 +70,7 @@ namespace azure { namespace storage { namespace protocol {
     web::http::http_request abort_copy_blob(const utility::string_t& copy_id, const access_condition& condition, web::http::uri_builder& uri_builder, const std::chrono::seconds& timeout, operation_context context);
     web::http::http_request incremental_copy_blob(const web::http::uri& source, const access_condition& condition, const cloud_metadata& metadata, web::http::uri_builder& uri_builder, const std::chrono::seconds& timeout, operation_context context);
     web::http::http_request set_blob_tier(const utility::string_t& tier, const access_condition& condition, web::http::uri_builder& uri_builder, const std::chrono::seconds& timeout, operation_context context);
+    web::http::http_request get_user_delegation_key(web::http::uri_builder& uri_builder, const std::chrono::seconds& timeout, operation_context context);
     void add_lease_id(web::http::http_request& request, const access_condition& condition);
     void add_sequence_number_condition(web::http::http_request& request, const access_condition& condition);
     void add_access_condition(web::http::http_request& request, const access_condition& condition);

Microsoft.WindowsAzure.Storage/includes/wascore/protocol_xml.h

@@ -470,12 +470,12 @@ namespace azure { namespace storage { namespace protocol {
 
                 if (policy.start().is_initialized())
                 {
-                    write_element(xml_access_policy_start, core::convert_to_string_with_fixed_length_fractional_seconds(policy.start()));
+                    write_element(xml_access_policy_start, core::convert_to_iso8601_string(policy.start(), 7));
                 }
 
                 if (policy.expiry().is_initialized())
                 {
-                    write_element(xml_access_policy_expiry, core::convert_to_string_with_fixed_length_fractional_seconds(policy.expiry()));
+                    write_element(xml_access_policy_expiry, core::convert_to_iso8601_string(policy.expiry(), 7));
                 }
 
                 if (policy.permission() != 0)
@@ -931,6 +931,40 @@ namespace azure { namespace storage { namespace protocol {
         void handle_geo_replication_status(const utility::string_t& element_name);
     };
 
+    class user_delegation_key_time_writer : public core::xml::xml_writer
+    {
+    public:
+
+        user_delegation_key_time_writer()
+        {
+        }
+
+        std::string write(const utility::datetime& start, const utility::datetime& expiry);
+    };
+
+    class user_delegation_key_reader : public core::xml::xml_reader
+    {
+    public:
+        explicit user_delegation_key_reader(concurrency::streams::istream stream) : xml_reader(stream)
+        {
+        }
+
+        user_delegation_key move_key()
+        {
+            auto result = parse();
+            if (result == xml_reader::parse_result::xml_not_complete)
+            {
+                throw storage_exception(protocol::error_xml_not_complete, true);
+            }
+            return std::move(m_key);
+        }
+
+    protected:
+        void handle_element(const utility::string_t& element_name) override;
+
+        user_delegation_key m_key;
+    };
+
 }}} // namespace azure::storage::protocol
 
 #pragma pop_macro("max")