Queue User Delegation SAS (#50347)

sdk/storage/Azure.Storage.Blobs/src/Azure.Storage.Blobs.csproj

@@ -106,5 +106,6 @@
     <Compile Include="$(AzureStorageSharedSources)\StorageBearerTokenChallengeAuthorizationPolicy.cs" LinkBase="Shared" />
     <Compile Include="$(AzureStorageSharedSources)ISupportsTenantIdChallenges.cs" LinkBase="Shared" />
     <Compile Include="$(AzureStorageSharedSources)AzureSasCredentialSynchronousPolicy.cs" LinkBase="Shared" />
+    <Compile Include="..\..\Azure.Storage.Common\src\Shared\SasQueryParametersExtensions.cs" Link="Shared\Sas\KeySasQueryParametersExtensions.cs" />
   </ItemGroup>
 </Project>

sdk/storage/Azure.Storage.Blobs/src/BlobServiceClient.cs

@@ -1611,12 +1611,12 @@ private async Task<Response<UserDelegationKey>> GetUserDelegationKeyInternal(
 
                     if (startsOn.HasValue && startsOn.Value.Offset != TimeSpan.Zero)
                     {
-                        throw BlobErrors.InvalidDateTimeUtc(nameof(startsOn));
+                        throw Errors.InvalidDateTimeUtc(nameof(startsOn));
                     }
 
                     if (expiresOn.Offset != TimeSpan.Zero)
                     {
-                        throw BlobErrors.InvalidDateTimeUtc(nameof(expiresOn));
+                        throw Errors.InvalidDateTimeUtc(nameof(expiresOn));
                     }
 
                     KeyInfo keyInfo = new KeyInfo(expiresOn.ToString(Constants.Iso8601Format, CultureInfo.InvariantCulture))

sdk/storage/Azure.Storage.Blobs/src/Sas/BlobSasBuilder.cs

@@ -463,7 +463,7 @@ public BlobSasQueryParameters ToSasQueryParameters(UserDelegationKey userDelegat
 
             stringToSign = ToStringToSign(userDelegationKey, accountName);
 
-            string signature = ComputeHMACSHA256(userDelegationKey.Value, stringToSign);
+            string signature = SasExtensions.ComputeHMACSHA256(userDelegationKey.Value, stringToSign);
 
             BlobSasQueryParameters p = new BlobSasQueryParameters(
                 version: Version,
@@ -546,22 +546,6 @@ private static string GetCanonicalName(string account, string containerName, str
                ? $"/blob/{account}/{containerName}/{blobName.Replace("\\", "/")}"
                : $"/blob/{account}/{containerName}";
 
-        /// <summary>
-        /// ComputeHMACSHA256 generates a base-64 hash signature string for an
-        /// HTTP request or for a SAS.
-        /// </summary>
-        /// <param name="userDelegationKeyValue">
-        /// A <see cref="UserDelegationKey.Value"/> used to sign with a key
-        /// representing AD credentials.
-        /// </param>
-        /// <param name="message">The message to sign.</param>
-        /// <returns>The signed message.</returns>
-        private static string ComputeHMACSHA256(string userDelegationKeyValue, string message) =>
-            Convert.ToBase64String(
-                new HMACSHA256(
-                    Convert.FromBase64String(userDelegationKeyValue))
-                .ComputeHash(Encoding.UTF8.GetBytes(message)));
-
         /// <summary>
         /// Ensure the <see cref="BlobSasBuilder"/>'s properties are in a
         /// consistent state.

sdk/storage/Azure.Storage.Blobs/src/Shared/BlobErrors.cs

@@ -20,9 +20,6 @@ public static InvalidOperationException BlobOrContainerMissing(string leaseClien
             string blobContainerClient) =>
             new InvalidOperationException($"{leaseClient} requires either a {blobBaseClient} or {blobContainerClient}");
 
-        public static ArgumentException InvalidDateTimeUtc(string dateTime) =>
-            new ArgumentException($"{dateTime} must be UTC");
-
         internal static void VerifyHttpsCustomerProvidedKey(Uri uri, CustomerProvidedKey? customerProvidedKey)
         {
             if (customerProvidedKey.HasValue && !string.Equals(uri.Scheme, Constants.Https, StringComparison.OrdinalIgnoreCase))

sdk/storage/Azure.Storage.Common/src/Shared/Constants.cs

@@ -25,6 +25,7 @@ internal static class Constants
         /// Gets the default service version to use when building shared access
         /// signatures.
         /// </summary>
+        // TODO fix this
         public const string DefaultSasVersion = "2026-02-06";
 
         /// <summary>
@@ -435,6 +436,8 @@ internal static class Queue
             public const string UriSubDomain = "queue";
 
             public const string QueueTraitsMetadata = "metadata";
+
+            public const string Name = "Queue";
         }
 
         /// <summary>
@@ -631,6 +634,7 @@ internal static class Resource
                 public const string File = "f";
                 public const string Share = "s";
                 public const string Directory = "d";
+                public const string Queue = "q";
             }
 
             internal static class AccountServices

sdk/storage/Azure.Storage.Common/src/Shared/Errors.Clients.cs

@@ -35,6 +35,9 @@ public static ArgumentOutOfRangeException MustBeGreaterThanValueOrEqualToOtherVa
                 long value1)
             => new ArgumentOutOfRangeException(paramName, $"Value must be greater than {value0} or equal to {value1}");
 
+        public static ArgumentException InvalidDateTimeUtc(string dateTime) =>
+            new ArgumentException($"{dateTime} must be UTC");
+
         public static ArgumentException StreamMustBeReadable(string paramName)
             => new ArgumentException("Stream must be readable", paramName);
 

sdk/storage/Azure.Storage.Common/src/Shared/SasExtensions.cs

@@ -6,6 +6,7 @@
 using System.Globalization;
 using System.Net;
 using System.Runtime.CompilerServices;
+using System.Security.Cryptography;
 using System.Text;
 
 namespace Azure.Storage.Sas
@@ -238,5 +239,21 @@ internal static string ValidateAndSanitizeRawPermissions(string permissions,
 
             return stringBuilder.ToString();
         }
+
+        /// <summary>
+        /// ComputeHMACSHA256 generates a base-64 hash signature string for an
+        /// HTTP request or for a SAS.
+        /// </summary>
+        /// <param name="userDelegationKeyValue">
+        /// A UserDelegationKey.Value used to sign with a key
+        /// representing AD credentials.
+        /// </param>
+        /// <param name="message">The message to sign.</param>
+        /// <returns>The signed message.</returns>
+        internal static string ComputeHMACSHA256(string userDelegationKeyValue, string message) =>
+            Convert.ToBase64String(
+                new HMACSHA256(
+                    Convert.FromBase64String(userDelegationKeyValue))
+                .ComputeHash(Encoding.UTF8.GetBytes(message)));
     }
 }

sdk/storage/Azure.Storage.Blobs/src/Sas/SasQueryParametersExtensions.cs → sdk/storage/Azure.Storage.Common/src/Shared/SasQueryParametersExtensions.cs

@@ -26,6 +26,8 @@ internal static void ParseKeyProperties(
             BlobSasQueryParameters
 #elif DataLakeSDK
             DataLakeSasQueryParameters
+#elif QueueSDK
+            QueueSasQueryParameters
 #endif
             parameters,
             IDictionary<string, string> values)

sdk/storage/Azure.Storage.Files.DataLake/src/Azure.Storage.Files.DataLake.csproj

@@ -36,7 +36,7 @@
     <Compile Include="$(AzureCoreSharedSources)XmlWriterExtensions.cs" LinkBase="SharedCore" />
   </ItemGroup>
   <ItemGroup>
-    <Compile Include="..\..\Azure.Storage.Blobs\src\Sas\SasQueryParametersExtensions.cs" Link="Shared\Sas\KeySasQueryParametersExtensions.cs" />
+    <Compile Include="..\..\Azure.Storage.Common\src\Shared\SasQueryParametersExtensions.cs" Link="Shared\Sas\KeySasQueryParametersExtensions.cs" />
     <Compile Include="$(AzureStorageSharedSources)AggregatingProgressIncrementer.cs" LinkBase="Shared" />
     <Compile Include="$(AzureStorageSharedSources)BufferExtensions.cs" LinkBase="Shared" />
     <Compile Include="$(AzureStorageSharedSources)ChecksumCalculatingStream.cs" LinkBase="Shared" />

sdk/storage/Azure.Storage.Queues/api/Azure.Storage.Queues.net8.0.cs

@@ -42,6 +42,12 @@ public QueueClient(System.Uri queueUri, Azure.Storage.StorageSharedKeyCredential
         public virtual System.Uri GenerateSasUri(Azure.Storage.Sas.QueueSasPermissions permissions, System.DateTimeOffset expiresOn) { throw null; }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
         public virtual System.Uri GenerateSasUri(Azure.Storage.Sas.QueueSasPermissions permissions, System.DateTimeOffset expiresOn, out string stringToSign) { throw null; }
+        public virtual System.Uri GenerateUserDelegationSasUri(Azure.Storage.Sas.QueueSasBuilder builder, Azure.Storage.Queues.Models.UserDelegationKey userDelegationKey) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public virtual System.Uri GenerateUserDelegationSasUri(Azure.Storage.Sas.QueueSasBuilder builder, Azure.Storage.Queues.Models.UserDelegationKey userDelegationKey, out string stringToSign) { throw null; }
+        public virtual System.Uri GenerateUserDelegationSasUri(Azure.Storage.Sas.QueueSasPermissions permissions, System.DateTimeOffset expiresOn, Azure.Storage.Queues.Models.UserDelegationKey userDelegationKey) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public virtual System.Uri GenerateUserDelegationSasUri(Azure.Storage.Sas.QueueSasPermissions permissions, System.DateTimeOffset expiresOn, Azure.Storage.Queues.Models.UserDelegationKey userDelegationKey, out string stringToSign) { throw null; }
         public virtual Azure.Response<System.Collections.Generic.IEnumerable<Azure.Storage.Queues.Models.QueueSignedIdentifier>> GetAccessPolicy(System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<System.Collections.Generic.IEnumerable<Azure.Storage.Queues.Models.QueueSignedIdentifier>>> GetAccessPolicyAsync(System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         protected internal virtual Azure.Storage.Queues.QueueServiceClient GetParentQueueServiceClientCore() { throw null; }
@@ -161,6 +167,8 @@ public QueueServiceClient(System.Uri serviceUri, Azure.Storage.StorageSharedKeyC
         public virtual Azure.AsyncPageable<Azure.Storage.Queues.Models.QueueItem> GetQueuesAsync(Azure.Storage.Queues.Models.QueueTraits traits = Azure.Storage.Queues.Models.QueueTraits.None, string prefix = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Storage.Queues.Models.QueueServiceStatistics> GetStatistics(System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Storage.Queues.Models.QueueServiceStatistics>> GetStatisticsAsync(System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Storage.Queues.Models.UserDelegationKey> GetUserDelegationKey(System.DateTimeOffset? startsOn, System.DateTimeOffset expiresOn, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Storage.Queues.Models.UserDelegationKey>> GetUserDelegationKeyAsync(System.DateTimeOffset? startsOn, System.DateTimeOffset expiresOn, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response SetProperties(Azure.Storage.Queues.Models.QueueServiceProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response> SetPropertiesAsync(Azure.Storage.Queues.Models.QueueServiceProperties properties, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
     }
@@ -425,6 +433,17 @@ internal UpdateReceipt() { }
         public System.DateTimeOffset NextVisibleOn { get { throw null; } }
         public string PopReceipt { get { throw null; } }
     }
+    public partial class UserDelegationKey
+    {
+        internal UserDelegationKey() { }
+        public System.DateTimeOffset SignedExpiresOn { get { throw null; } }
+        public string SignedObjectId { get { throw null; } }
+        public string SignedService { get { throw null; } }
+        public System.DateTimeOffset SignedStartsOn { get { throw null; } }
+        public string SignedTenantId { get { throw null; } }
+        public string SignedVersion { get { throw null; } }
+        public string Value { get { throw null; } }
+    }
 }
 namespace Azure.Storage.Queues.Specialized
 {
@@ -469,6 +488,7 @@ public partial class QueueSasBuilder
         public QueueSasBuilder() { }
         public QueueSasBuilder(Azure.Storage.Sas.QueueAccountSasPermissions permissions, System.DateTimeOffset expiresOn) { }
         public QueueSasBuilder(Azure.Storage.Sas.QueueSasPermissions permissions, System.DateTimeOffset expiresOn) { }
+        public string DelegatedUserObjectId { get { throw null; } set { } }
         public System.DateTimeOffset ExpiresOn { get { throw null; } set { } }
         public string Identifier { get { throw null; } set { } }
         public Azure.Storage.Sas.SasIPRange IPRange { get { throw null; } set { } }
@@ -486,6 +506,8 @@ public void SetPermissions(Azure.Storage.Sas.QueueAccountSasPermissions permissi
         public void SetPermissions(Azure.Storage.Sas.QueueSasPermissions permissions) { }
         public void SetPermissions(string rawPermissions) { }
         public void SetPermissions(string rawPermissions, bool normalize = false) { }
+        public Azure.Storage.Sas.QueueSasQueryParameters ToSasQueryParameters(Azure.Storage.Queues.Models.UserDelegationKey userDelegationKey, string accountName) { throw null; }
+        public Azure.Storage.Sas.QueueSasQueryParameters ToSasQueryParameters(Azure.Storage.Queues.Models.UserDelegationKey userDelegationKey, string accountName, out string stringToSign) { throw null; }
         public Azure.Storage.Sas.SasQueryParameters ToSasQueryParameters(Azure.Storage.StorageSharedKeyCredential sharedKeyCredential) { throw null; }
         public Azure.Storage.Sas.SasQueryParameters ToSasQueryParameters(Azure.Storage.StorageSharedKeyCredential sharedKeyCredential, out string stringToSign) { throw null; }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
@@ -500,6 +522,18 @@ public enum QueueSasPermissions
         Update = 4,
         Process = 8,
     }
+    public sealed partial class QueueSasQueryParameters : Azure.Storage.Sas.SasQueryParameters
+    {
+        internal QueueSasQueryParameters() { }
+        public static new Azure.Storage.Sas.QueueSasQueryParameters Empty { get { throw null; } }
+        public System.DateTimeOffset KeyExpiresOn { get { throw null; } }
+        public string KeyObjectId { get { throw null; } }
+        public string KeyService { get { throw null; } }
+        public System.DateTimeOffset KeyStartsOn { get { throw null; } }
+        public string KeyTenantId { get { throw null; } }
+        public string KeyVersion { get { throw null; } }
+        public override string ToString() { throw null; }
+    }
 }
 namespace Microsoft.Extensions.Azure
 {