Tests

seanmcc-msft · seanmcc-msft · commit 96bc3496366b · 2025-06-18T14:56:07.000-05:00
diff --git a/sdk/storage/Azure.Storage.Queues/tests/Azure.Storage.Queues.Tests.csproj b/sdk/storage/Azure.Storage.Queues/tests/Azure.Storage.Queues.Tests.csproj
@@ -17,6 +17,7 @@
     <PackageReference Include="Azure.Security.KeyVault.Keys" />
     <PackageReference Include="Microsoft.Azure.KeyVault.Core" />
     <PackageReference Include="Microsoft.Azure.Storage.Queue" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
     <ProjectReference Include="$(MSBuildThisFileDirectory)..\src\Azure.Storage.Queues.csproj" />
     <ProjectReference Include="$(MSBuildThisFileDirectory)..\..\Azure.Storage.Common\src\Azure.Storage.Common.csproj" />
   </ItemGroup>
diff --git a/sdk/storage/Azure.Storage.Queues/tests/QueueClientTests.cs b/sdk/storage/Azure.Storage.Queues/tests/QueueClientTests.cs
@@ -1286,35 +1286,6 @@ public async Task SendMessageAsync_SAS()
             Assert.NotNull(response.Value);
         }
 
-        [RecordedTest]
-        [ServiceVersion(Min = QueueClientOptions.ServiceVersion.V2026_02_06)]
-        public async Task SendMessageAsync_UserDelegationSAS()
-        {
-            // Arrange
-            string queueName = GetNewQueueName();
-            QueueServiceClient service = GetServiceClient_OAuth();
-            await using DisposingQueue test = await GetTestQueueAsync(service);
-
-            Response<UserDelegationKey> userDelegationKeyResponse = await service.GetUserDelegationKeyAsync(
-                startsOn: null,
-                expiresOn: Recording.UtcNow.AddHours(1));
-
-            UserDelegationKey userDelegationKey = userDelegationKeyResponse.Value;
-
-            string stringToSign = null;
-            Uri queueUri = test.Queue.GenerateUserDelegationSasUri(QueueSasPermissions.All, Recording.UtcNow.AddHours(1), userDelegationKey, out stringToSign);
-
-            QueueClient queueClient = InstrumentClient(new QueueClient(queueUri, GetOptions()));
-
-            // Act
-            Response<SendReceipt> response = await queueClient.SendMessageAsync(
-                messageText: GetNewString(),
-                visibilityTimeout: new TimeSpan(0, 0, 1),
-                timeToLive: new TimeSpan(1, 0, 0));
-            // Assert
-            Assert.NotNull(response.Value);
-        }
-
         [RecordedTest]
         public async Task SendMessageAsync_SasWithIdentifier()
         {
diff --git a/sdk/storage/Azure.Storage.Queues/tests/QueueSasTests.cs b/sdk/storage/Azure.Storage.Queues/tests/QueueSasTests.cs
@@ -3,12 +3,17 @@
 
 using System;
 using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
 using System.Linq;
 using System.Text;
+using System.Threading;
 using System.Threading.Tasks;
+using Azure.Core;
 using Azure.Core.TestFramework;
+using Azure.Storage.Queues.Models;
 using Azure.Storage.Queues.Specialized;
 using Azure.Storage.Queues.Tests;
+using Azure.Storage.Sas;
 using Azure.Storage.Test;
 using Azure.Storage.Test.Shared;
 using NUnit.Framework;
@@ -118,6 +123,132 @@ public async Task AccountSas_ServiceOrder(string services)
             await InvokeAccountSasTest(services: services);
         }
 
+        [RecordedTest]
+        [ServiceVersion(Min = QueueClientOptions.ServiceVersion.V2026_02_06)]
+        public async Task SendMessageAsync_UserDelegationSAS()
+        {
+            // Arrange
+            string queueName = GetNewQueueName();
+            QueueServiceClient service = GetServiceClient_OAuth();
+            await using DisposingQueue test = await GetTestQueueAsync(service);
+
+            Response<UserDelegationKey> userDelegationKeyResponse = await service.GetUserDelegationKeyAsync(
+                startsOn: null,
+                expiresOn: Recording.UtcNow.AddHours(1));
+
+            UserDelegationKey userDelegationKey = userDelegationKeyResponse.Value;
+
+            Uri queueUri = test.Queue.GenerateUserDelegationSasUri(QueueSasPermissions.All, Recording.UtcNow.AddHours(1), userDelegationKey);
+
+            QueueClient queueClient = InstrumentClient(new QueueClient(queueUri, GetOptions()));
+
+            // Act
+            Response<SendReceipt> response = await queueClient.SendMessageAsync(
+                messageText: GetNewString(),
+                visibilityTimeout: new TimeSpan(0, 0, 1),
+                timeToLive: new TimeSpan(1, 0, 0));
+
+            // Assert
+            Assert.NotNull(response.Value);
+        }
+
+        [RecordedTest]
+        [LiveOnly] // Cannot record Entra ID token
+        [ServiceVersion(Min = QueueClientOptions.ServiceVersion.V2026_02_06)]
+        public async Task SendMessageAsync_UserDelegationSAS_DelegatedObjectId()
+        {
+            // Arrange
+            QueueServiceClient service = GetServiceClient_OAuth();
+            await using DisposingQueue test = await GetTestQueueAsync(service);
+
+            Response<UserDelegationKey> userDelegationKeyResponse = await service.GetUserDelegationKeyAsync(
+                startsOn: null,
+                expiresOn: Recording.UtcNow.AddHours(1));
+
+            // We need to get the object ID from the token credential used to authenticate the request
+            TokenCredential tokenCredential = TestEnvironment.Credential;
+            AccessToken accessToken = await tokenCredential.GetTokenAsync(
+                new TokenRequestContext(Scopes),
+                CancellationToken.None);
+
+            JwtSecurityToken jwtSecurityToken = new JwtSecurityTokenHandler().ReadJwtToken(accessToken.Token);
+            jwtSecurityToken.Payload.TryGetValue(Constants.Sas.ObjectId, out object objectId);
+
+            UserDelegationKey userDelegationKey = userDelegationKeyResponse.Value;
+
+            QueueSasBuilder queueSasBuilder = new QueueSasBuilder(QueueSasPermissions.All, Recording.UtcNow.AddHours(1))
+            {
+                QueueName = test.Queue.Name,
+                DelegatedUserObjectId = objectId?.ToString()
+            };
+
+            QueueSasQueryParameters sasQueryParameters = queueSasBuilder.ToSasQueryParameters(userDelegationKey, service.AccountName, out string stringToSign);
+
+            QueueUriBuilder uriBuilder = new QueueUriBuilder(test.Queue.Uri)
+            {
+                Sas = sasQueryParameters
+            };
+
+            QueueClient identityQueueClient = InstrumentClient(new QueueClient(uriBuilder.ToUri(), TestEnvironment.Credential, GetOptions()));
+
+            // Act
+            Response<SendReceipt> response = await identityQueueClient.SendMessageAsync(
+                messageText: GetNewString(),
+                visibilityTimeout: new TimeSpan(0, 0, 1),
+                timeToLive: new TimeSpan(1, 0, 0));
+
+            // Assert
+            Assert.NotNull(response.Value);
+        }
+
+        [RecordedTest]
+        [LiveOnly] // Cannot record Entra ID token
+        [ServiceVersion(Min = QueueClientOptions.ServiceVersion.V2026_02_06)]
+        public async Task SendMessageAsync_UserDelegationSAS_DelegatedObjectId_Fail()
+        {
+            // Arrange
+            QueueServiceClient service = GetServiceClient_OAuth();
+            await using DisposingQueue test = await GetTestQueueAsync(service);
+
+            Response<UserDelegationKey> userDelegationKeyResponse = await service.GetUserDelegationKeyAsync(
+                startsOn: null,
+                expiresOn: Recording.UtcNow.AddHours(1));
+
+            // We need to get the object ID from the token credential used to authenticate the request
+            TokenCredential tokenCredential = TestEnvironment.Credential;
+            AccessToken accessToken = await tokenCredential.GetTokenAsync(
+                new TokenRequestContext(Scopes),
+                CancellationToken.None);
+
+            JwtSecurityToken jwtSecurityToken = new JwtSecurityTokenHandler().ReadJwtToken(accessToken.Token);
+            jwtSecurityToken.Payload.TryGetValue(Constants.Sas.ObjectId, out object objectId);
+
+            UserDelegationKey userDelegationKey = userDelegationKeyResponse.Value;
+
+            QueueSasBuilder queueSasBuilder = new QueueSasBuilder(QueueSasPermissions.All, Recording.UtcNow.AddHours(1))
+            {
+                QueueName = test.Queue.Name,
+                DelegatedUserObjectId = objectId?.ToString()
+            };
+
+            QueueSasQueryParameters sasQueryParameters = queueSasBuilder.ToSasQueryParameters(userDelegationKey, service.AccountName, out string stringToSign);
+
+            QueueUriBuilder uriBuilder = new QueueUriBuilder(test.Queue.Uri)
+            {
+                Sas = sasQueryParameters
+            };
+
+            QueueClient identityQueueClient = InstrumentClient(new QueueClient(uriBuilder.ToUri(), GetOptions()));
+
+            // Act
+            await TestHelper.AssertExpectedExceptionAsync<RequestFailedException>(
+                identityQueueClient.SendMessageAsync(
+                    messageText: GetNewString(),
+                    visibilityTimeout: new TimeSpan(0, 0, 1),
+                    timeToLive: new TimeSpan(1, 0, 0)),
+                e => Assert.AreEqual("AuthenticationFailed", e.ErrorCode));
+        }
+
         // Creating Client from GetStorageClient
         #region QueueServiceClient
         private async Task InvokeAccountServiceToQueueSasTest(
