[Storage] Add missing SAS permissions to Storage packages (Azure#23179)

Author: jalauzon-msft

sdk/storage/azure-storage-blob/CHANGELOG.md

@@ -17,6 +17,11 @@ This version and all future versions will require Python 3.6+. Python 2.7 is no
 - Added support for `find_blobs_by_tags()` on a container.
 - Added support for `Find (f)` container SAS permission.
 
+### Bugs Fixed
+- Added all missing Service SAS permissions.
+- Fixed a bug that prevented `upload_blob()` from working with an OS pipe
+reader stream on Linux. (#23131)
+
 ## 12.10.0b4 (2022-02-24)
 
 ### Features Added

sdk/storage/azure-storage-blob/azure/storage/blob/_models.py

@@ -917,33 +917,50 @@ class ContainerSasPermissions(object):
         List blobs in the container.
     :param bool tag:
         Set or get tags on the blobs in the container.
+    :keyword bool add:
+        Add a block to an append blob.
+    :keyword bool create:
+        Write a new blob, snapshot a blob, or copy a blob to a new blob.
     :keyword bool permanent_delete:
         To enable permanent delete on the blob is permitted.
     :keyword bool find:
-        To enable finding blobs by tags
+        To enable finding blobs by tags.
+    :keyword bool move:
+        Move a blob or a directory and its contents to a new location.
+    :keyword bool execute:
+        Get the system properties and, if the hierarchical namespace is enabled for the storage account,
+        get the POSIX ACL of a blob.
     :keyword bool set_immutability_policy:
         To enable operations related to set/delete immutability policy.
         To get immutability policy, you just need read permission.
     """
     def __init__(self, read=False, write=False, delete=False,
                  list=False, delete_previous_version=False, tag=False, **kwargs):  # pylint: disable=redefined-builtin
         self.read = read
+        self.add = kwargs.pop('add', False)
+        self.create = kwargs.pop('create', False)
         self.write = write
         self.delete = delete
         self.delete_previous_version = delete_previous_version
         self.permanent_delete = kwargs.pop('permanent_delete', False)
         self.list = list
         self.tag = tag
         self.find = kwargs.pop('find', False)
+        self.move = kwargs.pop('move', False)
+        self.execute = kwargs.pop('execute', False)
         self.set_immutability_policy = kwargs.pop('set_immutability_policy', False)
         self._str = (('r' if self.read else '') +
+                     ('a' if self.add else '') +
+                     ('c' if self.create else '') +
                      ('w' if self.write else '') +
                      ('d' if self.delete else '') +
                      ('x' if self.delete_previous_version else '') +
                      ('y' if self.permanent_delete else '') +
                      ('l' if self.list else '') +
                      ('t' if self.tag else '') +
                      ('f' if self.find else '') +
+                     ('m' if self.move else '') +
+                     ('e' if self.execute else '') +
                      ('i' if self.set_immutability_policy else ''))
 
     def __str__(self):
@@ -963,17 +980,22 @@ def from_string(cls, permission):
         :rtype: ~azure.storage.blob.ContainerSasPermissions
         """
         p_read = 'r' in permission
+        p_add = 'a' in permission
+        p_create = 'c' in permission
         p_write = 'w' in permission
         p_delete = 'd' in permission
         p_delete_previous_version = 'x' in permission
         p_permanent_delete = 'y' in permission
         p_list = 'l' in permission
         p_tag = 't' in permission
         p_find = 'f' in permission
+        p_move = 'm' in permission
+        p_execute = 'e' in permission
         p_set_immutability_policy = 'i' in permission
         parsed = cls(read=p_read, write=p_write, delete=p_delete, list=p_list,
-                     delete_previous_version=p_delete_previous_version, tag=p_tag, find=p_find,
-                     set_immutability_policy=p_set_immutability_policy, permanent_delete=p_permanent_delete)
+                     delete_previous_version=p_delete_previous_version, tag=p_tag, add=p_add,
+                     create=p_create, permanent_delete=p_permanent_delete, find=p_find, move=p_move,
+                     execute=p_execute, set_immutability_policy=p_set_immutability_policy)
 
         return parsed
 
@@ -999,11 +1021,16 @@ class BlobSasPermissions(object):
         Delete the previous blob version for the versioning enabled storage account.
     :param bool tag:
         Set or get tags on the blob.
+    :keyword bool permanent_delete:
+        To enable permanent delete on the blob is permitted.
+    :keyword bool move:
+        Move a blob or a directory and its contents to a new location.
+    :keyword bool execute:
+        Get the system properties and, if the hierarchical namespace is enabled for the storage account,
+        get the POSIX ACL of a blob.
     :keyword bool set_immutability_policy:
         To enable operations related to set/delete immutability policy.
         To get immutability policy, you just need read permission.
-    :keyword bool permanent_delete:
-        To enable permanent delete on the blob is permitted.
     """
     def __init__(self, read=False, add=False, create=False, write=False,
                  delete=False, delete_previous_version=False, tag=True, **kwargs):
@@ -1015,6 +1042,8 @@ def __init__(self, read=False, add=False, create=False, write=False,
         self.delete_previous_version = delete_previous_version
         self.permanent_delete = kwargs.pop('permanent_delete', False)
         self.tag = tag
+        self.move = kwargs.pop('move', False)
+        self.execute = kwargs.pop('execute', False)
         self.set_immutability_policy = kwargs.pop('set_immutability_policy', False)
         self._str = (('r' if self.read else '') +
                      ('a' if self.add else '') +
@@ -1024,6 +1053,8 @@ def __init__(self, read=False, add=False, create=False, write=False,
                      ('x' if self.delete_previous_version else '') +
                      ('y' if self.permanent_delete else '') +
                      ('t' if self.tag else '') +
+                     ('m' if self.move else '') +
+                     ('e' if self.execute else '') +
                      ('i' if self.set_immutability_policy else ''))
 
     def __str__(self):
@@ -1050,11 +1081,13 @@ def from_string(cls, permission):
         p_delete_previous_version = 'x' in permission
         p_permanent_delete = 'y' in permission
         p_tag = 't' in permission
+        p_move = 'm' in permission
+        p_execute = 'e' in permission
         p_set_immutability_policy = 'i' in permission
 
         parsed = cls(read=p_read, add=p_add, create=p_create, write=p_write, delete=p_delete,
-                     delete_previous_version=p_delete_previous_version, tag=p_tag,
-                     set_immutability_policy=p_set_immutability_policy, permanent_delete=p_permanent_delete)
+                     delete_previous_version=p_delete_previous_version, tag=p_tag, permanent_delete=p_permanent_delete,
+                     move=p_move, execute=p_execute, set_immutability_policy=p_set_immutability_policy)
 
         return parsed
 

sdk/storage/azure-storage-blob/azure/storage/blob/_shared_access_signature.py

@@ -66,13 +66,14 @@ def generate_blob(self, container_name, blob_name, snapshot=None, version_id=Non
         :param str snapshot:
             The snapshot parameter is an opaque DateTime value that,
             when present, specifies the blob snapshot to grant permission.
-        :param BlobSasPermissions permission:
+        :param permission:
             The permissions associated with the shared access signature. The
             user is restricted to operations allowed by the permissions.
-            Permissions must be ordered read, write, delete, list.
+            Permissions must be ordered racwdxytmei.
             Required unless an id is given referencing a stored access policy
             which contains this field. This field must be omitted if it has been
             specified in an associated stored access policy.
+        :type permission: str or BlobSasPermissions
         :param expiry:
             The time at which the shared access signature becomes invalid.
             Required unless an id is given referencing a stored access policy
@@ -150,14 +151,14 @@ def generate_container(self, container_name, permission=None, expiry=None,
 
         :param str container_name:
             Name of container.
-        :param ContainerSasPermissions permission:
+        :param permission:
             The permissions associated with the shared access signature. The
             user is restricted to operations allowed by the permissions.
-            Permissions must be ordered read, write, delete, delete version, permanent delete, list, tag, find,
-            set immutability policy.
+            Permissions must be ordered racwdxyltfmei.
             Required unless an id is given referencing a stored access policy
             which contains this field. This field must be omitted if it has been
             specified in an associated stored access policy.
+        :type permission: str or ContainerSasPermissions
         :param expiry:
             The time at which the shared access signature becomes invalid.
             Required unless an id is given referencing a stored access policy
@@ -407,8 +408,7 @@ def generate_container_sas(
     :param permission:
         The permissions associated with the shared access signature. The
         user is restricted to operations allowed by the permissions.
-        Permissions must be ordered read, write, delete, delete version, permanent delete, list, tag, find,
-        set immutability policy.
+        Permissions must be ordered racwdxyltfmei.
         Required unless an id is given referencing a stored access policy
         which contains this field. This field must be omitted if it has been
         specified in an associated stored access policy.
@@ -527,7 +527,7 @@ def generate_blob_sas(
     :param permission:
         The permissions associated with the shared access signature. The
         user is restricted to operations allowed by the permissions.
-        Permissions must be ordered read, write, delete, list.
+        Permissions must be ordered racwdxytmei.
         Required unless an id is given referencing a stored access policy
         which contains this field. This field must be omitted if it has been
         specified in an associated stored access policy.

sdk/storage/azure-storage-blob/tests/test_common_blob.py

@@ -1822,6 +1822,53 @@ def test_account_sas(self, storage_account_name, storage_account_key):
         self.assertEqual(self.byte_data, blob_response.content)
         self.assertTrue(container_response.ok)
 
+    @pytest.mark.live_test_only
+    @BlobPreparer()
+    def test_blob_service_sas(self, storage_account_name, storage_account_key):
+        # SAS URL is calculated from storage key, so this test runs live only
+
+        self._setup(storage_account_name, storage_account_key)
+        container = self.bsc.get_container_client(self.container_name)
+        blob_name = self._create_block_blob(overwrite=True)
+        blob = self.bsc.get_blob_client(self.container_name, blob_name)
+
+        # Generate SAS with all available permissions
+        container_sas = generate_container_sas(
+            container.account_name,
+            container.container_name,
+            account_key=container.credential.account_key,
+            permission=ContainerSasPermissions(
+                read=True, write=True, delete=True, list=True, delete_previous_version=True,
+                tag=True, add=True, create=True, permanent_delete=True, find=True, move=True,
+                execute=True, set_immutability_policy=True
+            ),
+            expiry=datetime.utcnow() + timedelta(hours=1),
+        )
+
+        blob_sas = generate_blob_sas(
+            blob.account_name,
+            blob.container_name,
+            blob.blob_name,
+            snapshot=blob.snapshot,
+            account_key=blob.credential.account_key,
+            permission=BlobSasPermissions(
+                read=True, add=True, create=True, write=True, delete=True, delete_previous_version=True,
+                permanent_delete=True, tag=True, find=True, move=True, execute=True, set_immutability_policy=True
+            ),
+            expiry=datetime.utcnow() + timedelta(hours=1),
+        )
+
+        # Act
+        container_client = ContainerClient.from_container_url(container.url, credential=container_sas)
+        blob_list = list(container_client.list_blobs())
+
+        blob_client = BlobClient.from_blob_url(blob.url, credential=blob_sas)
+        blob_props = blob_client.get_blob_properties()
+
+        # Assert
+        self.assertIsNotNone(blob_list)
+        self.assertIsNotNone(blob_props)
+
     @pytest.mark.live_test_only
     @BlobPreparer()
     def test_set_immutability_policy_using_sas(self, versioned_storage_account_name, versioned_storage_account_key, storage_resource_group_name):

sdk/storage/azure-storage-file-datalake/CHANGELOG.md

@@ -14,6 +14,7 @@ This version and all future versions will require Python 3.6+. Python 2.7 is no
 
 ### Bugs Fixed
 - Update `azure-core` dependency to avoid inconsistent dependencies from being installed.
+- Added all missing Service SAS permissions.
 
 ## 12.6.0b2 (2021-12-13)
 

sdk/storage/azure-storage-file-datalake/azure/storage/filedatalake/_models.py

@@ -315,6 +315,10 @@ class FileSystemSasPermissions(object):
         Delete the file system.
     :param bool list:
         List paths in the file system.
+    :keyword bool add:
+        Append data to a file in the directory.
+    :keyword bool create:
+        Write a new file, snapshot a file, or copy a file to a new file.
     :keyword bool move:
         Move any file in the directory to a new location.
         Note the move operation can optionally be restricted to the child file or directory owner or
@@ -333,6 +337,8 @@ class FileSystemSasPermissions(object):
     def __init__(self, read=False, write=False, delete=False, list=False,  # pylint: disable=redefined-builtin
                  **kwargs):
         self.read = read
+        self.add = kwargs.pop('add', None)
+        self.create = kwargs.pop('create', None)
         self.write = write
         self.delete = delete
         self.list = list
@@ -341,6 +347,8 @@ def __init__(self, read=False, write=False, delete=False, list=False,  # pylint:
         self.manage_ownership = kwargs.pop('manage_ownership', None)
         self.manage_access_control = kwargs.pop('manage_access_control', None)
         self._str = (('r' if self.read else '') +
+                     ('a' if self.add else '') +
+                     ('c' if self.create else '') +
                      ('w' if self.write else '') +
                      ('d' if self.delete else '') +
                      ('l' if self.list else '') +
@@ -366,6 +374,8 @@ def from_string(cls, permission):
         :rtype: ~azure.storage.fildatalake.FileSystemSasPermissions
         """
         p_read = 'r' in permission
+        p_add = 'a' in permission
+        p_create = 'c' in permission
         p_write = 'w' in permission
         p_delete = 'd' in permission
         p_list = 'l' in permission
@@ -375,7 +385,8 @@ def from_string(cls, permission):
         p_manage_access_control = 'p' in permission
 
         parsed = cls(read=p_read, write=p_write, delete=p_delete,
-                     list=p_list, move=p_move, execute=p_execute, manage_ownership=p_manage_ownership,
+                     list=p_list, add=p_add, create=p_create, move=p_move,
+                     execute=p_execute, manage_ownership=p_manage_ownership,
                      manage_access_control=p_manage_access_control)
         return parsed
 
@@ -392,6 +403,8 @@ class DirectorySasPermissions(object):
         Create or write content, properties, metadata. Lease the directory.
     :param bool delete:
         Delete the directory.
+    :keyword bool add:
+        Append data to a file in the directory.
     :keyword bool list:
         List any files in the directory. Implies Execute.
     :keyword bool move:
@@ -412,6 +425,7 @@ class DirectorySasPermissions(object):
     def __init__(self, read=False, create=False, write=False,
                  delete=False, **kwargs):
         self.read = read
+        self.add = kwargs.pop('add', None)
         self.create = create
         self.write = write
         self.delete = delete
@@ -421,6 +435,7 @@ def __init__(self, read=False, create=False, write=False,
         self.manage_ownership = kwargs.pop('manage_ownership', None)
         self.manage_access_control = kwargs.pop('manage_access_control', None)
         self._str = (('r' if self.read else '') +
+                     ('a' if self.add else '') +
                      ('c' if self.create else '') +
                      ('w' if self.write else '') +
                      ('d' if self.delete else '') +
@@ -447,6 +462,7 @@ def from_string(cls, permission):
         :rtype: ~azure.storage.filedatalake.DirectorySasPermissions
         """
         p_read = 'r' in permission
+        p_add = 'a' in permission
         p_create = 'c' in permission
         p_write = 'w' in permission
         p_delete = 'd' in permission
@@ -456,7 +472,7 @@ def from_string(cls, permission):
         p_manage_ownership = 'o' in permission
         p_manage_access_control = 'p' in permission
 
-        parsed = cls(read=p_read, create=p_create, write=p_write, delete=p_delete,
+        parsed = cls(read=p_read, create=p_create, write=p_write, delete=p_delete, add=p_add,
                      list=p_list, move=p_move, execute=p_execute, manage_ownership=p_manage_ownership,
                      manage_access_control=p_manage_access_control)
         return parsed
@@ -470,11 +486,13 @@ class FileSasPermissions(object):
         Read the content, properties, metadata etc. Use the file as
         the source of a read operation.
     :param bool create:
-        Write a new file
+        Write a new file.
     :param bool write:
         Create or write content, properties, metadata. Lease the file.
     :param bool delete:
         Delete the file.
+    :keyword bool add:
+        Append data to the file.
     :keyword bool move:
         Move any file in the directory to a new location.
         Note the move operation can optionally be restricted to the child file or directory owner or
@@ -492,15 +510,16 @@ class FileSasPermissions(object):
 
     def __init__(self, read=False, create=False, write=False, delete=False, **kwargs):
         self.read = read
+        self.add = kwargs.pop('add', None)
         self.create = create
         self.write = write
         self.delete = delete
-        self.list = list
         self.move = kwargs.pop('move', None)
         self.execute = kwargs.pop('execute', None)
         self.manage_ownership = kwargs.pop('manage_ownership', None)
         self.manage_access_control = kwargs.pop('manage_access_control', None)
         self._str = (('r' if self.read else '') +
+                     ('a' if self.add else '') +
                      ('c' if self.create else '') +
                      ('w' if self.write else '') +
                      ('d' if self.delete else '') +
@@ -526,6 +545,7 @@ def from_string(cls, permission):
         :rtype: ~azure.storage.fildatalake.FileSasPermissions
         """
         p_read = 'r' in permission
+        p_add = 'a' in permission
         p_create = 'c' in permission
         p_write = 'w' in permission
         p_delete = 'd' in permission
@@ -534,7 +554,7 @@ def from_string(cls, permission):
         p_manage_ownership = 'o' in permission
         p_manage_access_control = 'p' in permission
 
-        parsed = cls(read=p_read, create=p_create, write=p_write, delete=p_delete,
+        parsed = cls(read=p_read, create=p_create, write=p_write, delete=p_delete, add=p_add,
                      move=p_move, execute=p_execute, manage_ownership=p_manage_ownership,
                      manage_access_control=p_manage_access_control)
         return parsed