Queue User Delegation SAS (Azure#50347)

Author: seanmcc-msft

sdk/storage/Azure.Storage.Blobs/src/Azure.Storage.Blobs.csproj

@@ -106,5 +106,6 @@
     <Compile Include="$(AzureStorageSharedSources)\StorageBearerTokenChallengeAuthorizationPolicy.cs" LinkBase="Shared" />
     <Compile Include="$(AzureStorageSharedSources)ISupportsTenantIdChallenges.cs" LinkBase="Shared" />
     <Compile Include="$(AzureStorageSharedSources)AzureSasCredentialSynchronousPolicy.cs" LinkBase="Shared" />
+    <Compile Include="..\..\Azure.Storage.Common\src\Shared\SasQueryParametersExtensions.cs" Link="Shared\Sas\KeySasQueryParametersExtensions.cs" />
   </ItemGroup>
 </Project>

sdk/storage/Azure.Storage.Blobs/src/BlobServiceClient.cs

@@ -1611,12 +1611,12 @@ private async Task<Response<UserDelegationKey>> GetUserDelegationKeyInternal(
 
                     if (startsOn.HasValue && startsOn.Value.Offset != TimeSpan.Zero)
                     {
-                        throw BlobErrors.InvalidDateTimeUtc(nameof(startsOn));
+                        throw Errors.InvalidDateTimeUtc(nameof(startsOn));
                     }
 
                     if (expiresOn.Offset != TimeSpan.Zero)
                     {
-                        throw BlobErrors.InvalidDateTimeUtc(nameof(expiresOn));
+                        throw Errors.InvalidDateTimeUtc(nameof(expiresOn));
                     }
 
                     KeyInfo keyInfo = new KeyInfo(expiresOn.ToString(Constants.Iso8601Format, CultureInfo.InvariantCulture))

sdk/storage/Azure.Storage.Blobs/src/Sas/BlobSasBuilder.cs

@@ -463,7 +463,7 @@ public BlobSasQueryParameters ToSasQueryParameters(UserDelegationKey userDelegat
 
             stringToSign = ToStringToSign(userDelegationKey, accountName);
 
-            string signature = ComputeHMACSHA256(userDelegationKey.Value, stringToSign);
+            string signature = SasExtensions.ComputeHMACSHA256(userDelegationKey.Value, stringToSign);
 
             BlobSasQueryParameters p = new BlobSasQueryParameters(
                 version: Version,
@@ -546,22 +546,6 @@ private static string GetCanonicalName(string account, string containerName, str
                ? $"/blob/{account}/{containerName}/{blobName.Replace("\\", "/")}"
                : $"/blob/{account}/{containerName}";
 
-        /// <summary>
-        /// ComputeHMACSHA256 generates a base-64 hash signature string for an
-        /// HTTP request or for a SAS.
-        /// </summary>
-        /// <param name="userDelegationKeyValue">
-        /// A <see cref="UserDelegationKey.Value"/> used to sign with a key
-        /// representing AD credentials.
-        /// </param>
-        /// <param name="message">The message to sign.</param>
-        /// <returns>The signed message.</returns>
-        private static string ComputeHMACSHA256(string userDelegationKeyValue, string message) =>
-            Convert.ToBase64String(
-                new HMACSHA256(
-                    Convert.FromBase64String(userDelegationKeyValue))
-                .ComputeHash(Encoding.UTF8.GetBytes(message)));
-
         /// <summary>
         /// Ensure the <see cref="BlobSasBuilder"/>'s properties are in a
         /// consistent state.

sdk/storage/Azure.Storage.Blobs/src/Shared/BlobErrors.cs

@@ -20,9 +20,6 @@ public static InvalidOperationException BlobOrContainerMissing(string leaseClien
             string blobContainerClient) =>
             new InvalidOperationException($"{leaseClient} requires either a {blobBaseClient} or {blobContainerClient}");
 
-        public static ArgumentException InvalidDateTimeUtc(string dateTime) =>
-            new ArgumentException($"{dateTime} must be UTC");
-
         internal static void VerifyHttpsCustomerProvidedKey(Uri uri, CustomerProvidedKey? customerProvidedKey)
         {
             if (customerProvidedKey.HasValue && !string.Equals(uri.Scheme, Constants.Https, StringComparison.OrdinalIgnoreCase))

sdk/storage/Azure.Storage.Common/src/Shared/Constants.cs

@@ -25,7 +25,8 @@ internal static class Constants
         /// Gets the default service version to use when building shared access
         /// signatures.
         /// </summary>
-        public const string DefaultSasVersion = "2026-02-06";
+        // TODO fix this
+        public const string DefaultSasVersion = "2025-07-05";
 
         /// <summary>
         /// Max download range size while requesting a transactional hash.
@@ -435,6 +436,8 @@ internal static class Queue
             public const string UriSubDomain = "queue";
 
             public const string QueueTraitsMetadata = "metadata";
+
+            public const string Name = "Queue";
         }
 
         /// <summary>
@@ -631,6 +634,7 @@ internal static class Resource
                 public const string File = "f";
                 public const string Share = "s";
                 public const string Directory = "d";
+                public const string Queue = "q";
             }
 
             internal static class AccountServices

sdk/storage/Azure.Storage.Common/src/Shared/Errors.Clients.cs

@@ -35,6 +35,9 @@ public static ArgumentOutOfRangeException MustBeGreaterThanValueOrEqualToOtherVa
                 long value1)
             => new ArgumentOutOfRangeException(paramName, $"Value must be greater than {value0} or equal to {value1}");
 
+        public static ArgumentException InvalidDateTimeUtc(string dateTime) =>
+            new ArgumentException($"{dateTime} must be UTC");
+
         public static ArgumentException StreamMustBeReadable(string paramName)
             => new ArgumentException("Stream must be readable", paramName);
 

sdk/storage/Azure.Storage.Common/src/Shared/SasExtensions.cs

@@ -6,6 +6,7 @@
 using System.Globalization;
 using System.Net;
 using System.Runtime.CompilerServices;
+using System.Security.Cryptography;
 using System.Text;
 
 namespace Azure.Storage.Sas
@@ -238,5 +239,21 @@ internal static string ValidateAndSanitizeRawPermissions(string permissions,
 
             return stringBuilder.ToString();
         }
+
+        /// <summary>
+        /// ComputeHMACSHA256 generates a base-64 hash signature string for an
+        /// HTTP request or for a SAS.
+        /// </summary>
+        /// <param name="userDelegationKeyValue">
+        /// A UserDelegationKey.Value used to sign with a key
+        /// representing AD credentials.
+        /// </param>
+        /// <param name="message">The message to sign.</param>
+        /// <returns>The signed message.</returns>
+        internal static string ComputeHMACSHA256(string userDelegationKeyValue, string message) =>
+            Convert.ToBase64String(
+                new HMACSHA256(
+                    Convert.FromBase64String(userDelegationKeyValue))
+                .ComputeHash(Encoding.UTF8.GetBytes(message)));
     }
 }

sdk/storage/Azure.Storage.Blobs/src/Sas/SasQueryParametersExtensions.cs renamed to sdk/storage/Azure.Storage.Common/src/Shared/SasQueryParametersExtensions.cs

@@ -26,6 +26,8 @@ internal static void ParseKeyProperties(
             BlobSasQueryParameters
 #elif DataLakeSDK
             DataLakeSasQueryParameters
+#elif QueueSDK
+            QueueSasQueryParameters
 #endif
             parameters,
             IDictionary<string, string> values)

sdk/storage/Azure.Storage.Files.DataLake/src/Azure.Storage.Files.DataLake.csproj

@@ -36,7 +36,7 @@
     <Compile Include="$(AzureCoreSharedSources)XmlWriterExtensions.cs" LinkBase="SharedCore" />
   </ItemGroup>
   <ItemGroup>
-    <Compile Include="..\..\Azure.Storage.Blobs\src\Sas\SasQueryParametersExtensions.cs" Link="Shared\Sas\KeySasQueryParametersExtensions.cs" />
+    <Compile Include="..\..\Azure.Storage.Common\src\Shared\SasQueryParametersExtensions.cs" Link="Shared\Sas\KeySasQueryParametersExtensions.cs" />
     <Compile Include="$(AzureStorageSharedSources)AggregatingProgressIncrementer.cs" LinkBase="Shared" />
     <Compile Include="$(AzureStorageSharedSources)BufferExtensions.cs" LinkBase="Shared" />
     <Compile Include="$(AzureStorageSharedSources)ChecksumCalculatingStream.cs" LinkBase="Shared" />

sdk/storage/Azure.Storage.Queues/src/Azure.Storage.Queues.csproj

@@ -73,5 +73,7 @@
     <Compile Include="$(AzureStorageSharedSources)ISupportsTenantIdChallenges.cs" LinkBase="Shared" />
     <Compile Include="$(AzureStorageSharedSources)AzureSasCredentialSynchronousPolicy.cs" LinkBase="Shared" />
     <Compile Include="$(AzureStorageSharedSources)SyncAsyncEventHandlerExtensions.cs" LinkBase="Shared" />
+    <Compile Include="$(AzureStorageSharedSources)UserDelegationKeyProperties.cs" LinkBase="Shared" />
+    <Compile Include="..\..\Azure.Storage.Common\src\Shared\SasQueryParametersExtensions.cs" Link="Shared\Sas\KeySasQueryParametersExtensions.cs" />
   </ItemGroup>
 </Project>