Storage/STG101/Cross-tenant principal bound sas (#6863)

* Cross-tenant principal bound sas

* Fix test failure

Author: microzchang

sdk/storage/azure-storage-blobs/inc/azure/storage/blobs/blob_options.hpp

@@ -275,6 +275,11 @@ namespace Azure { namespace Storage { namespace Blobs {
      * will be truncated to second.
      */
     Azure::DateTime StartsOn = std::chrono::system_clock::now();
+
+    /**
+     * The delegated user tenant id in Azure AD.
+     */
+    Nullable<std::string> DelegatedUserTid;
   };
 
   /**

sdk/storage/azure-storage-blobs/src/blob_sas_builder.cpp

@@ -6,7 +6,7 @@
 #include <azure/core/http/http.hpp>
 #include <azure/storage/common/crypt.hpp>
 
-/* cSpell:ignore rscc, rscd, rsce, rscl, rsct, skoid, sktid, sduoid */
+/* cSpell:ignore rscc, rscd, rsce, rscl, rsct, skoid, sktid, skdutid, sduoid */
 
 namespace Azure { namespace Storage { namespace Sas {
 
@@ -261,10 +261,14 @@ namespace Azure { namespace Storage { namespace Sas {
         + canonicalName + "\n" + userDelegationKey.SignedObjectId + "\n"
         + userDelegationKey.SignedTenantId + "\n" + signedStartsOnStr + "\n" + signedExpiresOnStr
         + "\n" + userDelegationKey.SignedService + "\n" + userDelegationKey.SignedVersion
-        + "\n\n\n\n\n" + DelegatedUserObjectId + "\n" + (IPRange.HasValue() ? IPRange.Value() : "")
-        + "\n" + protocol + "\n" + SasVersion + "\n" + resource + "\n" + snapshotVersion + "\n"
-        + EncryptionScope + "\n" + CacheControl + "\n" + ContentDisposition + "\n" + ContentEncoding
-        + "\n" + ContentLanguage + "\n" + ContentType;
+        + "\n\n\n\n"
+        + (userDelegationKey.SignedDelegatedUserTid.HasValue()
+               ? userDelegationKey.SignedDelegatedUserTid.Value()
+               : "")
+        + "\n" + DelegatedUserObjectId + "\n" + (IPRange.HasValue() ? IPRange.Value() : "") + "\n"
+        + protocol + "\n" + SasVersion + "\n" + resource + "\n" + snapshotVersion + "\n"
+        + EncryptionScope + "\n\n\n" + CacheControl + "\n" + ContentDisposition + "\n"
+        + ContentEncoding + "\n" + ContentLanguage + "\n" + ContentType;
 
     std::string signature = Azure::Core::Convert::Base64Encode(_internal::HmacSha256(
         std::vector<uint8_t>(stringToSign.begin(), stringToSign.end()),
@@ -294,6 +298,12 @@ namespace Azure { namespace Storage { namespace Sas {
         "sks", _internal::UrlEncodeQueryParameter(userDelegationKey.SignedService));
     builder.AppendQueryParameter(
         "skv", _internal::UrlEncodeQueryParameter(userDelegationKey.SignedVersion));
+    if (userDelegationKey.SignedDelegatedUserTid.HasValue())
+    {
+      builder.AppendQueryParameter(
+          "skdutid",
+          _internal::UrlEncodeQueryParameter(userDelegationKey.SignedDelegatedUserTid.Value()));
+    }
     if (!DelegatedUserObjectId.empty())
     {
       builder.AppendQueryParameter(
@@ -402,10 +412,14 @@ namespace Azure { namespace Storage { namespace Sas {
     return Permissions + "\n" + startsOnStr + "\n" + expiresOnStr + "\n" + canonicalName + "\n"
         + userDelegationKey.SignedObjectId + "\n" + userDelegationKey.SignedTenantId + "\n"
         + signedStartsOnStr + "\n" + signedExpiresOnStr + "\n" + userDelegationKey.SignedService
-        + "\n" + userDelegationKey.SignedVersion + "\n\n\n\n\n" + DelegatedUserObjectId + "\n"
-        + (IPRange.HasValue() ? IPRange.Value() : "") + "\n" + protocol + "\n" + SasVersion + "\n"
-        + resource + "\n" + snapshotVersion + "\n" + EncryptionScope + "\n" + CacheControl + "\n"
-        + ContentDisposition + "\n" + ContentEncoding + "\n" + ContentLanguage + "\n" + ContentType;
+        + "\n" + userDelegationKey.SignedVersion + "\n\n\n\n"
+        + (userDelegationKey.SignedDelegatedUserTid.HasValue()
+               ? userDelegationKey.SignedDelegatedUserTid.Value()
+               : "")
+        + "\n" + DelegatedUserObjectId + "\n" + (IPRange.HasValue() ? IPRange.Value() : "") + "\n"
+        + protocol + "\n" + SasVersion + "\n" + resource + "\n" + snapshotVersion + "\n"
+        + EncryptionScope + "\n\n\n" + CacheControl + "\n" + ContentDisposition + "\n"
+        + ContentEncoding + "\n" + ContentLanguage + "\n" + ContentType;
   }
 
 }}} // namespace Azure::Storage::Sas

sdk/storage/azure-storage-blobs/src/blob_service_client.cpp

@@ -184,6 +184,7 @@ namespace Azure { namespace Storage { namespace Blobs {
         Azure::DateTime::DateFormat::Rfc3339, Azure::DateTime::TimeFractionFormat::Truncate);
     protocolLayerOptions.KeyInfo.Expiry = expiresOn.ToString(
         Azure::DateTime::DateFormat::Rfc3339, Azure::DateTime::TimeFractionFormat::Truncate);
+    protocolLayerOptions.KeyInfo.DelegatedUserTid = options.DelegatedUserTid;
     return _detail::ServiceClient::GetUserDelegationKey(
         *m_pipeline, m_serviceUrl, protocolLayerOptions, _internal::WithReplicaStatus(context));
   }

sdk/storage/azure-storage-blobs/test/ut/blob_sas_test.cpp

@@ -880,7 +880,7 @@ namespace Azure { namespace Storage { namespace Test {
     return {};
   }
 
-  TEST_F(BlobSasTest, DISABLED_PrincipalBoundDelegationSas)
+  TEST_F(BlobSasTest, PrincipalBoundDelegationSas_LIVEONLY_)
   {
     auto sasStartsOn = std::chrono::system_clock::now() - std::chrono::minutes(5);
     auto sasExpiresOn = std::chrono::system_clock::now() + std::chrono::minutes(60);
@@ -930,4 +930,67 @@ namespace Azure { namespace Storage { namespace Test {
         InitStorageClientOptions<Blobs::BlobClientOptions>());
     EXPECT_THROW(blobClient2.GetProperties(), StorageException);
   }
+
+  TEST_F(BlobSasTest, DISABLED_PrincipalBoundDelegationSas_CrossTenant)
+  {
+    auto sasStartsOn = std::chrono::system_clock::now() - std::chrono::minutes(5);
+    auto sasExpiresOn = std::chrono::system_clock::now() + std::chrono::minutes(60);
+
+    auto keyCredential
+        = _internal::ParseConnectionString(StandardStorageConnectionString()).KeyCredential;
+    auto accountName = keyCredential->AccountName;
+    Azure::Identity::ClientSecretCredentialOptions credentialOptions;
+    credentialOptions.AdditionallyAllowedTenants = {"*"};
+    auto endUserCredential = std::make_shared<Azure::Identity::ClientSecretCredential>(
+        GetEnv("AZURE_TENANT_ID_CROSS_TENANT"),
+        GetEnv("AZURE_CLIENT_ID_CROSS_TENANT"),
+        GetEnv("AZURE_CLIENT_SECRET_CROSS_TENANT"));
+    auto delegatedUserObjectId = getObjectIdFromTokenCredential(endUserCredential);
+
+    auto blobServiceClient = Blobs::BlobServiceClient(
+        m_blobServiceClient->GetUrl(),
+        GetTestCredential(),
+        InitStorageClientOptions<Blobs::BlobClientOptions>());
+    Blobs::Models::UserDelegationKey userDelegationKey;
+    {
+      Blobs::GetUserDelegationKeyOptions options;
+      options.DelegatedUserTid = "4ab3a968-f1ae-47a6-b82c-f654612122a9";
+      userDelegationKey = blobServiceClient.GetUserDelegationKey(sasExpiresOn, options).Value;
+    }
+
+    auto blobContainerClient = *m_blobContainerClient;
+    auto blobClient = *m_blockBlobClient;
+    const std::string blobName = m_blobName;
+
+    Sas::BlobSasBuilder blobSasBuilder;
+    blobSasBuilder.Protocol = Sas::SasProtocol::HttpsAndHttp;
+    blobSasBuilder.StartsOn = sasStartsOn;
+    blobSasBuilder.ExpiresOn = sasExpiresOn;
+    blobSasBuilder.BlobContainerName = m_containerName;
+    blobSasBuilder.BlobName = blobName;
+    blobSasBuilder.Resource = Sas::BlobSasResource::Blob;
+    blobSasBuilder.DelegatedUserObjectId = delegatedUserObjectId;
+
+    blobSasBuilder.SetPermissions(Sas::BlobSasPermissions::All);
+    auto sasToken = blobSasBuilder.GenerateSasToken(userDelegationKey, accountName);
+
+    Blobs::BlockBlobClient blobClient1(
+        AppendQueryParameters(Azure::Core::Url(blobClient.GetUrl()), sasToken),
+        endUserCredential,
+        InitStorageClientOptions<Blobs::BlobClientOptions>());
+    EXPECT_NO_THROW(blobClient1.Download());
+
+    {
+      Blobs::GetUserDelegationKeyOptions options;
+      // Invalid Tenant Id
+      options.DelegatedUserTid = "00000000-0000-0000-0000-000000000000";
+      userDelegationKey = blobServiceClient.GetUserDelegationKey(sasExpiresOn, options).Value;
+    }
+    sasToken = blobSasBuilder.GenerateSasToken(userDelegationKey, accountName);
+    Blobs::BlockBlobClient blobClient2(
+        AppendQueryParameters(Azure::Core::Url(blobClient.GetUrl()), sasToken),
+        GetTestCredential(),
+        InitStorageClientOptions<Blobs::BlobClientOptions>());
+    EXPECT_THROW(blobClient2.Download(), StorageException);
+  }
 }}} // namespace Azure::Storage::Test

sdk/storage/azure-storage-blobs/test/ut/blob_service_client_test.cpp

@@ -321,7 +321,7 @@ namespace Azure { namespace Storage { namespace Test {
     EXPECT_EQ(
         downloadedProperties.DefaultServiceVersion.HasValue(),
         properties.DefaultServiceVersion.HasValue());
-    if (downloadedProperties.DefaultServiceVersion.HasValue())
+    if (downloadedProperties.DefaultServiceVersion.HasValue() && !m_testContext.IsPlaybackMode())
     {
       EXPECT_EQ(
           downloadedProperties.DefaultServiceVersion.Value(),

sdk/storage/azure-storage-files-datalake/inc/azure/storage/files/datalake/rest_client.hpp

@@ -27,7 +27,7 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
     /**
      * The version used for the operations to Azure storage services.
      */
-    constexpr static const char* ApiVersion = "2026-02-06";
+    constexpr static const char* ApiVersion = "2026-04-06";
   } // namespace _detail
   namespace Models {
     namespace _detail {

sdk/storage/azure-storage-files-datalake/src/datalake_sas_builder.cpp

@@ -6,7 +6,7 @@
 #include <azure/core/http/http.hpp>
 #include <azure/storage/common/crypt.hpp>
 
-/* cSpell:ignore rscc, rscd, rsce, rscl, rsct, skoid, sktid, saoid, suoid, scid, sduoid */
+/* cSpell:ignore rscc, rscd, rsce, rscl, rsct, skoid, sktid, saoid, suoid, scid, skdutid, sduoid */
 
 namespace Azure { namespace Storage { namespace Sas {
   namespace {
@@ -226,9 +226,12 @@ namespace Azure { namespace Storage { namespace Sas {
         + canonicalName + "\n" + userDelegationKey.SignedObjectId + "\n"
         + userDelegationKey.SignedTenantId + "\n" + signedStartsOnStr + "\n" + signedExpiresOnStr
         + "\n" + userDelegationKey.SignedService + "\n" + userDelegationKey.SignedVersion + "\n"
-        + PreauthorizedAgentObjectId + "\n" + AgentObjectId + "\n" + CorrelationId + "\n" + "\n"
-        + DelegatedUserObjectId + "\n" + (IPRange.HasValue() ? IPRange.Value() : "") + "\n"
-        + protocol + "\n" + SasVersion + "\n" + resource + "\n" + "\n" + EncryptionScope + "\n"
+        + PreauthorizedAgentObjectId + "\n" + AgentObjectId + "\n" + CorrelationId + "\n"
+        + (userDelegationKey.SignedDelegatedUserTid.HasValue()
+               ? userDelegationKey.SignedDelegatedUserTid.Value()
+               : "")
+        + "\n" + DelegatedUserObjectId + "\n" + (IPRange.HasValue() ? IPRange.Value() : "") + "\n"
+        + protocol + "\n" + SasVersion + "\n" + resource + "\n" + "\n" + EncryptionScope + "\n\n\n"
         + CacheControl + "\n" + ContentDisposition + "\n" + ContentEncoding + "\n" + ContentLanguage
         + "\n" + ContentType;
 
@@ -273,6 +276,12 @@ namespace Azure { namespace Storage { namespace Sas {
     {
       builder.AppendQueryParameter("scid", _internal::UrlEncodeQueryParameter(CorrelationId));
     }
+    if (userDelegationKey.SignedDelegatedUserTid.HasValue())
+    {
+      builder.AppendQueryParameter(
+          "skdutid",
+          _internal::UrlEncodeQueryParameter(userDelegationKey.SignedDelegatedUserTid.Value()));
+    }
     if (!DelegatedUserObjectId.empty())
     {
       builder.AppendQueryParameter(
@@ -365,10 +374,14 @@ namespace Azure { namespace Storage { namespace Sas {
         + userDelegationKey.SignedObjectId + "\n" + userDelegationKey.SignedTenantId + "\n"
         + signedStartsOnStr + "\n" + signedExpiresOnStr + "\n" + userDelegationKey.SignedService
         + "\n" + userDelegationKey.SignedVersion + "\n" + PreauthorizedAgentObjectId + "\n"
-        + AgentObjectId + "\n" + CorrelationId + "\n\n" + DelegatedUserObjectId + "\n"
-        + (IPRange.HasValue() ? IPRange.Value() : "") + "\n" + protocol + "\n" + SasVersion + "\n"
-        + resource + "\n" + "\n" + EncryptionScope + "\n" + CacheControl + "\n" + ContentDisposition
-        + "\n" + ContentEncoding + "\n" + ContentLanguage + "\n" + ContentType;
+        + AgentObjectId + "\n" + CorrelationId + "\n"
+        + (userDelegationKey.SignedDelegatedUserTid.HasValue()
+               ? userDelegationKey.SignedDelegatedUserTid.Value()
+               : "")
+        + "\n" + DelegatedUserObjectId + "\n" + (IPRange.HasValue() ? IPRange.Value() : "") + "\n"
+        + protocol + "\n" + SasVersion + "\n" + resource + "\n" + "\n" + EncryptionScope + "\n\n\n"
+        + CacheControl + "\n" + ContentDisposition + "\n" + ContentEncoding + "\n" + ContentLanguage
+        + "\n" + ContentType;
   }
 
 }}} // namespace Azure::Storage::Sas

sdk/storage/azure-storage-files-datalake/src/rest_client.cpp

@@ -61,7 +61,7 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
       {
         request.GetUrl().AppendQueryParameter("timeout", std::to_string(options.Timeout.Value()));
       }
-      request.SetHeader("x-ms-version", "2026-02-06");
+      request.SetHeader("x-ms-version", "2026-04-06");
       if (options.ContinuationToken.HasValue() && !options.ContinuationToken.Value().empty())
       {
         request.GetUrl().AppendQueryParameter(
@@ -162,7 +162,7 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
       {
         request.GetUrl().AppendQueryParameter("timeout", std::to_string(options.Timeout.Value()));
       }
-      request.SetHeader("x-ms-version", "2026-02-06");
+      request.SetHeader("x-ms-version", "2026-04-06");
       if (options.Resource.HasValue() && !options.Resource.Value().ToString().empty())
       {
         request.GetUrl().AppendQueryParameter(
@@ -350,7 +350,7 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
       {
         request.GetUrl().AppendQueryParameter("timeout", std::to_string(options.Timeout.Value()));
       }
-      request.SetHeader("x-ms-version", "2026-02-06");
+      request.SetHeader("x-ms-version", "2026-04-06");
       if (options.Recursive.HasValue())
       {
         request.GetUrl().AppendQueryParameter(
@@ -448,7 +448,7 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
             "If-Unmodified-Since",
             options.IfUnmodifiedSince.Value().ToString(Azure::DateTime::DateFormat::Rfc1123));
       }
-      request.SetHeader("x-ms-version", "2026-02-06");
+      request.SetHeader("x-ms-version", "2026-04-06");
       auto pRawResponse = pipeline.Send(request, context);
       auto httpStatusCode = pRawResponse->GetStatusCode();
       if (httpStatusCode != Core::Http::HttpStatusCode::Ok)
@@ -495,7 +495,7 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
       {
         request.SetHeader("x-ms-acl", options.Acl.Value());
       }
-      request.SetHeader("x-ms-version", "2026-02-06");
+      request.SetHeader("x-ms-version", "2026-04-06");
       auto pRawResponse = pipeline.Send(request, context);
       auto httpStatusCode = pRawResponse->GetStatusCode();
       if (httpStatusCode != Core::Http::HttpStatusCode::Ok)
@@ -548,7 +548,7 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
       {
         request.SetHeader("x-ms-undelete-source", options.UndeleteSource.Value());
       }
-      request.SetHeader("x-ms-version", "2026-02-06");
+      request.SetHeader("x-ms-version", "2026-04-06");
       auto pRawResponse = pipeline.Send(request, context);
       auto httpStatusCode = pRawResponse->GetStatusCode();
       if (httpStatusCode != Core::Http::HttpStatusCode::Ok)
@@ -599,7 +599,7 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
             "If-Unmodified-Since",
             options.IfUnmodifiedSince.Value().ToString(Azure::DateTime::DateFormat::Rfc1123));
       }
-      request.SetHeader("x-ms-version", "2026-02-06");
+      request.SetHeader("x-ms-version", "2026-04-06");
       auto pRawResponse = pipeline.Send(request, context);
       auto httpStatusCode = pRawResponse->GetStatusCode();
       if (httpStatusCode != Core::Http::HttpStatusCode::Ok)
@@ -698,7 +698,7 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
             "If-Unmodified-Since",
             options.IfUnmodifiedSince.Value().ToString(Azure::DateTime::DateFormat::Rfc1123));
       }
-      request.SetHeader("x-ms-version", "2026-02-06");
+      request.SetHeader("x-ms-version", "2026-04-06");
       if (options.EncryptionKey.HasValue() && !options.EncryptionKey.Value().empty())
       {
         request.SetHeader("x-ms-encryption-key", options.EncryptionKey.Value());
@@ -782,7 +782,7 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
       {
         request.SetHeader("x-ms-proposed-lease-id", options.ProposedLeaseId.Value());
       }
-      request.SetHeader("x-ms-version", "2026-02-06");
+      request.SetHeader("x-ms-version", "2026-04-06");
       if (options.EncryptionKey.HasValue() && !options.EncryptionKey.Value().empty())
       {
         request.SetHeader("x-ms-encryption-key", options.EncryptionKey.Value());

sdk/storage/azure-storage-files-datalake/swagger/README.md

@@ -88,12 +88,12 @@ directive:
           "name": "ApiVersion",
           "modelAsString": false
           },
-        "enum": ["2026-02-06"]
+        "enum": ["2026-04-06"]
       };
   - from: swagger-document
     where: $.parameters
     transform: >
-      $.ApiVersionParameter.enum[0] = "2026-02-06";
+      $.ApiVersionParameter.enum[0] = "2026-04-06";
 ```
 
 ### Rename Operations