Redact SAS credentials from Error.SasCredentialRequiresUriWithoutSas message (Azure#48580)

nickliu-msft · web-flow · commit 519bbe65215e · 2025-03-06T00:00:59.000-05:00
diff --git a/sdk/storage/Azure.Storage.Blobs/assets.json b/sdk/storage/Azure.Storage.Blobs/assets.json
@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "net",
   "TagPrefix": "net/storage/Azure.Storage.Blobs",
-  "Tag": "net/storage/Azure.Storage.Blobs_bf9faa9325"
+  "Tag": "net/storage/Azure.Storage.Blobs_d1a42a73c0"
 }
diff --git a/sdk/storage/Azure.Storage.Blobs/tests/BlobSasBuilderTests.cs b/sdk/storage/Azure.Storage.Blobs/tests/BlobSasBuilderTests.cs
@@ -554,6 +554,48 @@ public async Task BlobSasBuilder_CorrelationId()
             }
         }
 
+        [RecordedTest]
+        public async Task SasCredentialRequiresUriWithoutSasError_RedactedSasUri()
+        {
+            // Arrange
+            BlobServiceClient oauthService = GetServiceClient_OAuth();
+            string containerName = GetNewContainerName();
+
+            await using DisposingContainer test = await GetTestContainerAsync(service: oauthService, containerName: containerName);
+
+            Response<UserDelegationKey> userDelegationKey = await oauthService.GetUserDelegationKeyAsync(
+                startsOn: Recording.UtcNow.AddHours(-1),
+                expiresOn: Recording.UtcNow.AddHours(1));
+
+            BlobSasBuilder blobSasBuilder = new BlobSasBuilder
+            {
+                StartsOn = Recording.UtcNow.AddHours(-1),
+                ExpiresOn = Recording.UtcNow.AddHours(1),
+                BlobContainerName = containerName,
+            };
+
+            blobSasBuilder.SetPermissions(BlobSasPermissions.All);
+
+            BlobUriBuilder blobUriBuilder = new BlobUriBuilder(test.Container.Uri)
+            {
+                Sas = blobSasBuilder.ToSasQueryParameters(userDelegationKey, test.Container.AccountName)
+            };
+
+            Uri sasUri = blobUriBuilder.ToUri();
+
+            UriBuilder uriBuilder = new UriBuilder(sasUri);
+            uriBuilder.Query = "[REDACTED]";
+            string redactedUri = uriBuilder.Uri.ToString();
+
+            ArgumentException ex = Errors.SasCredentialRequiresUriWithoutSas<BlobUriBuilder>(sasUri);
+
+            // Assert
+            Assert.IsTrue(ex.Message.Contains(redactedUri));
+            Assert.IsFalse(ex.Message.Contains("st="));
+            Assert.IsFalse(ex.Message.Contains("se="));
+            Assert.IsFalse(ex.Message.Contains("sig="));
+        }
+
         private string BuildSignature(bool includeBlob, bool includeSnapshot, string containerName, string blobName, TestConstants constants)
         {
             var canonicalName = includeBlob ? $"/blob/{constants.Sas.Account}/{containerName}/{blobName}"
diff --git a/sdk/storage/Azure.Storage.Common/CHANGELOG.md b/sdk/storage/Azure.Storage.Common/CHANGELOG.md
@@ -9,6 +9,7 @@
 ### Bugs Fixed
 - Fixed bug where in rare cases, a `NullReferenceException` could be thrown when parsing an error response from the service.
 - Fixed bug to ensure that the accumulated disposables within the internal `StorageWriteStream` are disposed properly in the event that an exception is thrown during the disposal process. (#47781)
+- Fixed bug to Redact SAS credentials from Error.SasCredentialRequiresUriWithoutSas message.
 
 ### Other Changes
 
diff --git a/sdk/storage/Azure.Storage.Common/src/Shared/Errors.Clients.cs b/sdk/storage/Azure.Storage.Common/src/Shared/Errors.Clients.cs
@@ -45,10 +45,16 @@ public static InvalidOperationException TokenCredentialsRequireHttps()
             => new InvalidOperationException("Use of token credentials requires HTTPS");
 
         public static ArgumentException SasCredentialRequiresUriWithoutSas<TUriBuilder>(Uri uri)
-            => new ArgumentException(
-                $"You cannot use {nameof(AzureSasCredential)} when the resource URI also contains a Shared Access Signature: {uri}\n" +
+        {
+            UriBuilder uriBuilder = new UriBuilder(uri);
+            uriBuilder.Query = "[REDACTED]";
+            Uri redactedUri = uriBuilder.Uri;
+
+            return new ArgumentException(
+                $"You cannot use {nameof(AzureSasCredential)} when the resource URI also contains a Shared Access Signature: {redactedUri}\n" +
                 $"You can remove the shared access signature by creating a {typeof(TUriBuilder).Name}, setting {typeof(TUriBuilder).Name}.Sas to null," +
                 $" and calling {typeof(TUriBuilder).Name}.ToUri.");
+        }
 
         public static InvalidOperationException SasMissingData(string paramName)
             => new InvalidOperationException($"SAS is missing required parameter: {paramName}");
diff --git a/sdk/storage/Azure.Storage.Files.DataLake/assets.json b/sdk/storage/Azure.Storage.Files.DataLake/assets.json
@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "net",
   "TagPrefix": "net/storage/Azure.Storage.Files.DataLake",
-  "Tag": "net/storage/Azure.Storage.Files.DataLake_d74597f1e3"
+  "Tag": "net/storage/Azure.Storage.Files.DataLake_a37793870a"
 }
diff --git a/sdk/storage/Azure.Storage.Files.DataLake/tests/DataLakeSasBuilderTests.cs b/sdk/storage/Azure.Storage.Files.DataLake/tests/DataLakeSasBuilderTests.cs
@@ -712,5 +712,50 @@ public async Task DataLakeSasBuilder_DirectoryDepth_CustomSas(string directoryNa
             // Assert
             Assert.AreEqual(expectedDepth, newUriBuilder.Sas.DirectoryDepth);
         }
+
+        [RecordedTest]
+        public async Task SasCredentialRequiresUriWithoutSasError_RedactedSasUri()
+        {
+            // Arrange
+            DataLakeServiceClient oauthService = GetServiceClient_OAuth();
+            string fileSystemName = GetNewFileSystemName();
+            string directoryName = GetNewDirectoryName();
+
+            await using DisposingFileSystem test = await GetNewFileSystem(service: oauthService, fileSystemName: fileSystemName);
+
+            DataLakeDirectoryClient directory = test.FileSystem.GetDirectoryClient(directoryName);
+
+            Response<UserDelegationKey> userDelegationKey = await oauthService.GetUserDelegationKeyAsync(
+                startsOn: null,
+                expiresOn: Recording.UtcNow.AddHours(1));
+
+            // Make a SAS with the DirectoryDepth/sdd
+            DataLakeSasBuilder dataLakeSasBuilder = new(DataLakeSasPermissions.All, Recording.UtcNow.AddHours(1))
+            {
+                StartsOn = Recording.UtcNow.AddHours(-1),
+                ExpiresOn = Recording.UtcNow.AddHours(1),
+                Path = directoryName,
+                IsDirectory = true
+            };
+
+            DataLakeUriBuilder uriBuilder = new DataLakeUriBuilder(test.Container.Uri)
+            {
+                Sas = dataLakeSasBuilder.ToSasQueryParameters(userDelegationKey, test.Container.AccountName)
+            };
+
+            Uri sasUri = uriBuilder.ToUri();
+
+            UriBuilder uriBuilder2 = new UriBuilder(sasUri);
+            uriBuilder2.Query = "[REDACTED]";
+            string redactedUri = uriBuilder2.Uri.ToString();
+
+            ArgumentException ex = Errors.SasCredentialRequiresUriWithoutSas<DataLakeUriBuilder>(sasUri);
+
+            // Assert
+            Assert.IsTrue(ex.Message.Contains(redactedUri));
+            Assert.IsFalse(ex.Message.Contains("st="));
+            Assert.IsFalse(ex.Message.Contains("se="));
+            Assert.IsFalse(ex.Message.Contains("sig="));
+        }
     }
 }
diff --git a/sdk/storage/Azure.Storage.Files.Shares/assets.json b/sdk/storage/Azure.Storage.Files.Shares/assets.json
@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "net",
   "TagPrefix": "net/storage/Azure.Storage.Files.Shares",
-  "Tag": "net/storage/Azure.Storage.Files.Shares_92c08b30c4"
+  "Tag": "net/storage/Azure.Storage.Files.Shares_cd8d6a7947"
 }
diff --git a/sdk/storage/Azure.Storage.Files.Shares/tests/FileSasBuilderTests.cs b/sdk/storage/Azure.Storage.Files.Shares/tests/FileSasBuilderTests.cs
@@ -243,6 +243,45 @@ public void ShareUriBuilder_CustomUri_AccountShareFileTest()
             Assert.AreEqual(originalUri, newUri);
         }
 
+        [RecordedTest]
+        public async Task SasCredentialRequiresUriWithoutSasError_RedactedSasUri()
+        {
+            // Arrange
+            await using DisposingShare test = await GetTestShareAsync();
+
+            ShareSasBuilder fileSasBuilder = new ShareSasBuilder
+            {
+                StartsOn = Recording.UtcNow.AddHours(-1),
+                ExpiresOn = Recording.UtcNow.AddHours(1),
+                ShareName = test.Share.Name
+            };
+
+            fileSasBuilder.SetPermissions(
+                rawPermissions: "LDWCR",
+                normalize: true);
+
+            StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(TestConfigDefault.AccountName, TestConfigDefault.AccountKey);
+
+            ShareUriBuilder fileUriBuilder = new ShareUriBuilder(test.Share.Uri)
+            {
+                Sas = fileSasBuilder.ToSasQueryParameters(sharedKeyCredential)
+            };
+
+            Uri sasUri = fileUriBuilder.ToUri();
+
+            UriBuilder uriBuilder = new UriBuilder(sasUri);
+            uriBuilder.Query = "[REDACTED]";
+            string redactedUri = uriBuilder.Uri.ToString();
+
+            ArgumentException ex = Errors.SasCredentialRequiresUriWithoutSas<ShareUriBuilder>(sasUri);
+
+            // Assert
+            Assert.IsTrue(ex.Message.Contains(redactedUri));
+            Assert.IsFalse(ex.Message.Contains("st="));
+            Assert.IsFalse(ex.Message.Contains("se="));
+            Assert.IsFalse(ex.Message.Contains("sig="));
+        }
+
         private ShareSasBuilder BuildFileSasBuilder(bool includeFilePath, TestConstants constants, string shareName, string filePath)
         {
             var fileSasBuilder = new ShareSasBuilder
diff --git a/sdk/storage/Azure.Storage.Queues/assets.json b/sdk/storage/Azure.Storage.Queues/assets.json
@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "net",
   "TagPrefix": "net/storage/Azure.Storage.Queues",
-  "Tag": "net/storage/Azure.Storage.Queues_ef3164e0b2"
+  "Tag": "net/storage/Azure.Storage.Queues_ef5347e834"
 }
diff --git a/sdk/storage/Azure.Storage.Queues/tests/QueueSasBuilderTests.cs b/sdk/storage/Azure.Storage.Queues/tests/QueueSasBuilderTests.cs
@@ -235,6 +235,45 @@ public void QueueUriBuilder_CustomUri_AccountShareFileTest()
             Assert.AreEqual(originalUri, newUri);
         }
 
+        [RecordedTest]
+        public async Task SasCredentialRequiresUriWithoutSasError_RedactedSasUri()
+        {
+            // Arrange
+            await using DisposingQueue test = await GetTestQueueAsync();
+
+            QueueSasBuilder queueSasBuilder = new QueueSasBuilder
+            {
+                StartsOn = Recording.UtcNow.AddHours(-1),
+                ExpiresOn = Recording.UtcNow.AddHours(1),
+                QueueName = test.Queue.Name
+            };
+
+            queueSasBuilder.SetPermissions(
+                rawPermissions: "raup",
+                normalize: true);
+
+            StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(TestConfigDefault.AccountName, TestConfigDefault.AccountKey);
+
+            QueueUriBuilder queueUriBuilder = new QueueUriBuilder(test.Queue.Uri)
+            {
+                Sas = queueSasBuilder.ToSasQueryParameters(sharedKeyCredential)
+            };
+
+            Uri sasUri = queueUriBuilder.ToUri();
+
+            UriBuilder uriBuilder = new UriBuilder(sasUri);
+            uriBuilder.Query = "[REDACTED]";
+            string redactedUri = uriBuilder.Uri.ToString();
+
+            ArgumentException ex = Errors.SasCredentialRequiresUriWithoutSas<QueueUriBuilder>(sasUri);
+
+            // Assert
+            Assert.IsTrue(ex.Message.Contains(redactedUri));
+            Assert.IsFalse(ex.Message.Contains("st="));
+            Assert.IsFalse(ex.Message.Contains("se="));
+            Assert.IsFalse(ex.Message.Contains("sig="));
+        }
+
         private QueueSasBuilder BuildQueueSasBuilder(TestConstants constants, string queueName)
         {
             var queueSasBuilder = new QueueSasBuilder

Original file line number	Diff line number	Diff line change
`@@ -2,5 +2,5 @@`
`2`	`2`	`"AssetsRepo": "Azure/azure-sdk-assets",`
`3`	`3`	`"AssetsRepoPrefixPath": "net",`
`4`	`4`	`"TagPrefix": "net/storage/Azure.Storage.Blobs",`
`5`		`- "Tag": "net/storage/Azure.Storage.Blobs_bf9faa9325"`
	`5`	`+ "Tag": "net/storage/Azure.Storage.Blobs_d1a42a73c0"`
`6`	`6`	`}`