Storage/Storage Client Options Support Audiences (#4957) (#4966)

Storage Client Options Support Audiences.

Author: microzchang

sdk/storage/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "cpp",
   "TagPrefix": "cpp/storage",
-  "Tag": "cpp/storage_a5249cec25"
+  "Tag": "cpp/storage_e44851d82e"
 }

sdk/storage/azure-storage-blobs/inc/azure/storage/blobs/blob_options.hpp

@@ -6,6 +6,7 @@
 #include "azure/storage/blobs/rest_client.hpp"
 
 #include <azure/core/internal/client_options.hpp>
+#include <azure/core/internal/extendable_enumeration.hpp>
 #include <azure/core/match_conditions.hpp>
 #include <azure/core/modified_conditions.hpp>
 #include <azure/storage/common/access_conditions.hpp>
@@ -20,6 +21,35 @@
 
 namespace Azure { namespace Storage { namespace Blobs {
 
+  namespace Models {
+
+    /**
+     * @brief Audiences available for Blobs
+     *
+     */
+    class BlobAudience final : public Azure::Core::_internal::ExtendableEnumeration<BlobAudience> {
+    public:
+      /**
+       * @brief Construct a new BlobAudience object
+       *
+       * @param blobAudience The Azure Active Directory audience to use when forming authorization
+       * scopes. For the Language service, this value corresponds to a URL that identifies the Azure
+       * cloud where the resource is located. For more information: See
+       * https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
+       */
+      explicit BlobAudience(std::string blobAudience)
+          : ExtendableEnumeration(std::move(blobAudience))
+      {
+      }
+
+      /**
+       * @brief Default Audience. Use to acquire a token for authorizing requests to any Azure
+       * Storage account.
+       */
+      AZ_STORAGE_BLOBS_DLLEXPORT const static BlobAudience PublicAudience;
+    };
+  } // namespace Models
+
   /**
    * @brief Specifies access conditions for a container.
    */
@@ -165,6 +195,13 @@ namespace Azure { namespace Storage { namespace Blobs {
      * to prompt a challenge in order to discover the correct tenant for the resource.
      */
     bool EnableTenantDiscovery = false;
+
+    /**
+     * The Audience to use for authentication with Azure Active Directory (AAD).
+     * #Azure::Storage::Blobs::Models::BlobAudience::PublicAudience will be assumed if Audience is
+     * not set.
+     */
+    Azure::Nullable<Models::BlobAudience> Audience;
   };
 
   /**

sdk/storage/azure-storage-blobs/src/blob_client.cpp

@@ -86,7 +86,9 @@ namespace Azure { namespace Storage { namespace Blobs {
     perRetryPolicies.emplace_back(std::make_unique<_internal::StoragePerRetryPolicy>());
     {
       Azure::Core::Credentials::TokenRequestContext tokenContext;
-      tokenContext.Scopes.emplace_back(_internal::StorageScope);
+      tokenContext.Scopes.emplace_back(
+          options.Audience.HasValue() ? options.Audience.Value().ToString()
+                                      : Models::BlobAudience::PublicAudience.ToString());
       perRetryPolicies.emplace_back(
           std::make_unique<_internal::StorageBearerTokenAuthenticationPolicy>(
               credential, tokenContext, options.EnableTenantDiscovery));

sdk/storage/azure-storage-blobs/src/blob_container_client.cpp

@@ -169,7 +169,9 @@ namespace Azure { namespace Storage { namespace Blobs {
     std::unique_ptr<Azure::Core::Http::Policies::HttpPolicy> tokenAuthPolicy;
     {
       Azure::Core::Credentials::TokenRequestContext tokenContext;
-      tokenContext.Scopes.emplace_back(_internal::StorageScope);
+      tokenContext.Scopes.emplace_back(
+          options.Audience.HasValue() ? options.Audience.Value().ToString()
+                                      : Models::BlobAudience::PublicAudience.ToString());
       tokenAuthPolicy = std::make_unique<_internal::StorageBearerTokenAuthenticationPolicy>(
           credential, tokenContext, options.EnableTenantDiscovery);
       perRetryPolicies.emplace_back(tokenAuthPolicy->Clone());

sdk/storage/azure-storage-blobs/src/blob_options.cpp

@@ -5,6 +5,10 @@
 
 namespace Azure { namespace Storage { namespace Blobs {
 
+  namespace Models {
+    const BlobAudience BlobAudience::PublicAudience(Azure::Storage::_internal::StorageScope);
+  } // namespace Models
+
   BlobQueryInputTextOptions BlobQueryInputTextOptions::CreateCsvTextOptions(
       const std::string& recordSeparator,
       const std::string& columnSeparator,

sdk/storage/azure-storage-blobs/src/blob_service_client.cpp

@@ -82,7 +82,9 @@ namespace Azure { namespace Storage { namespace Blobs {
     std::unique_ptr<Azure::Core::Http::Policies::HttpPolicy> tokenAuthPolicy;
     {
       Azure::Core::Credentials::TokenRequestContext tokenContext;
-      tokenContext.Scopes.emplace_back(_internal::StorageScope);
+      tokenContext.Scopes.emplace_back(
+          options.Audience.HasValue() ? options.Audience.Value().ToString()
+                                      : Models::BlobAudience::PublicAudience.ToString());
       tokenAuthPolicy = std::make_unique<_internal::StorageBearerTokenAuthenticationPolicy>(
           credential, tokenContext, options.EnableTenantDiscovery);
       perRetryPolicies.emplace_back(tokenAuthPolicy->Clone());

sdk/storage/azure-storage-blobs/test/ut/bearer_token_test.cpp

@@ -49,6 +49,18 @@ namespace Azure { namespace Storage { namespace Test {
         clientOptions);
     EXPECT_NO_THROW(blobClient.GetProperties());
 
+    // With custom audience
+    auto blobUrl = Azure::Core::Url(m_blockBlobClient->GetUrl());
+    clientOptions.Audience = Blobs::Models::BlobAudience(
+        blobUrl.GetScheme() + "://" + blobUrl.GetHost() + "/.default");
+    blobClient = Blobs::BlobClient(
+        m_blockBlobClient->GetUrl(),
+        std::make_shared<Azure::Identity::ClientSecretCredential>(
+            "", AadClientId(), AadClientSecret(), options),
+        clientOptions);
+    EXPECT_NO_THROW(blobClient.GetProperties());
+    clientOptions.Audience.Reset();
+
     // With error tenantId
     clientOptions.EnableTenantDiscovery = true;
     options.AdditionallyAllowedTenants = {"*"};

sdk/storage/azure-storage-blobs/test/ut/blob_container_client_test.cpp

@@ -1439,4 +1439,33 @@ namespace Azure { namespace Storage { namespace Test {
       EXPECT_FALSE(downloadResponse.Details.ObjectReplicationDestinationPolicyId.Value().empty());
     }
   }
+
+  TEST_F(BlobContainerClientTest, Audience)
+  {
+    auto credential = std::make_shared<Azure::Identity::ClientSecretCredential>(
+        AadTenantId(),
+        AadClientId(),
+        AadClientSecret(),
+        InitStorageClientOptions<Azure::Identity::ClientSecretCredentialOptions>());
+    auto clientOptions = InitStorageClientOptions<Blobs::BlobClientOptions>();
+
+    // default audience
+    auto containerClient
+        = Blobs::BlobContainerClient(m_blobContainerClient->GetUrl(), credential, clientOptions);
+    EXPECT_NO_THROW(containerClient.GetProperties());
+
+    // custom audience
+    auto containerUrl = Azure::Core::Url(containerClient.GetUrl());
+    clientOptions.Audience = Blobs::Models::BlobAudience(
+        containerUrl.GetScheme() + "://" + containerUrl.GetHost() + "/.default");
+    containerClient
+        = Blobs::BlobContainerClient(m_blobContainerClient->GetUrl(), credential, clientOptions);
+    EXPECT_NO_THROW(containerClient.GetProperties());
+
+    // error audience
+    clientOptions.Audience = Blobs::Models::BlobAudience("https://disk.compute.azure.com/.default");
+    containerClient
+        = Blobs::BlobContainerClient(m_blobContainerClient->GetUrl(), credential, clientOptions);
+    EXPECT_THROW(containerClient.GetProperties(), StorageException);
+  }
 }}} // namespace Azure::Storage::Test

sdk/storage/azure-storage-blobs/test/ut/blob_service_client_test.cpp

@@ -497,4 +497,33 @@ namespace Azure { namespace Storage { namespace Test {
     auto destContainerClient2 = serviceClient.GetBlobContainerClient(destContainerName2);
     destContainerClient2.Delete();
   }
+
+  TEST_F(BlobServiceClientTest, Audience)
+  {
+    auto credential = std::make_shared<Azure::Identity::ClientSecretCredential>(
+        AadTenantId(),
+        AadClientId(),
+        AadClientSecret(),
+        InitStorageClientOptions<Azure::Identity::ClientSecretCredentialOptions>());
+    auto clientOptions = InitStorageClientOptions<Blobs::BlobClientOptions>();
+
+    // default audience
+    auto serviceClient
+        = Blobs::BlobServiceClient(m_blobServiceClient->GetUrl(), credential, clientOptions);
+    EXPECT_NO_THROW(serviceClient.GetProperties());
+
+    // custom audience
+    auto serviceUrl = Azure::Core::Url(serviceClient.GetUrl());
+    clientOptions.Audience = Blobs::Models::BlobAudience(
+        serviceUrl.GetScheme() + "://" + serviceUrl.GetHost() + "/.default");
+    serviceClient
+        = Blobs::BlobServiceClient(m_blobServiceClient->GetUrl(), credential, clientOptions);
+    EXPECT_NO_THROW(serviceClient.GetProperties());
+
+    // error audience
+    clientOptions.Audience = Blobs::Models::BlobAudience("https://disk.compute.azure.com/.default");
+    serviceClient
+        = Blobs::BlobServiceClient(m_blobServiceClient->GetUrl(), credential, clientOptions);
+    EXPECT_THROW(serviceClient.GetProperties(), StorageException);
+  }
 }}} // namespace Azure::Storage::Test

sdk/storage/azure-storage-blobs/test/ut/block_blob_client_test.cpp

@@ -2026,4 +2026,32 @@ namespace Azure { namespace Storage { namespace Test {
     EXPECT_EQ(properties.CopyStatus.Value(), Blobs::Models::CopyStatus::Aborted);
   }
 
+  TEST_F(BlockBlobClientTest, Audience)
+  {
+    auto credential = std::make_shared<Azure::Identity::ClientSecretCredential>(
+        AadTenantId(),
+        AadClientId(),
+        AadClientSecret(),
+        InitStorageClientOptions<Azure::Identity::ClientSecretCredentialOptions>());
+    auto clientOptions = InitStorageClientOptions<Blobs::BlobClientOptions>();
+
+    // default audience
+    auto blockBlobClient
+        = Blobs::BlockBlobClient(m_blockBlobClient->GetUrl(), credential, clientOptions);
+    EXPECT_NO_THROW(blockBlobClient.GetProperties());
+
+    // custom audience
+    auto blobUrl = Azure::Core::Url(blockBlobClient.GetUrl());
+    clientOptions.Audience = Blobs::Models::BlobAudience(
+        blobUrl.GetScheme() + "://" + blobUrl.GetHost() + "/.default");
+    blockBlobClient
+        = Blobs::BlockBlobClient(m_blockBlobClient->GetUrl(), credential, clientOptions);
+    EXPECT_NO_THROW(blockBlobClient.GetProperties());
+
+    // error audience
+    clientOptions.Audience = Blobs::Models::BlobAudience("https://disk.compute.azure.com/.default");
+    blockBlobClient
+        = Blobs::BlockBlobClient(m_blockBlobClient->GetUrl(), credential, clientOptions);
+    EXPECT_THROW(blockBlobClient.GetProperties(), StorageException);
+  }
 }}} // namespace Azure::Storage::Test

sdk/storage/azure-storage-files-datalake/CMakeLists.txt

@@ -65,6 +65,7 @@ set(
     src/datalake_file_client.cpp
     src/datalake_file_system_client.cpp
     src/datalake_lease_client.cpp
+    src/datalake_options.cpp
     src/datalake_path_client.cpp
     src/datalake_responses.cpp
     src/datalake_sas_builder.cpp

sdk/storage/azure-storage-files-datalake/inc/azure/storage/files/datalake/datalake_options.hpp

@@ -78,6 +78,33 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
        */
       static std::string SerializeAcls(const std::vector<Acl>& aclsArray);
     };
+
+    /**
+     * @brief Audiences available for Blobs
+     *
+     */
+    class DataLakeAudience final
+        : public Azure::Core::_internal::ExtendableEnumeration<DataLakeAudience> {
+    public:
+      /**
+       * @brief Construct a new DataLakeAudience object
+       *
+       * @param dataLakeAudience The Azure Active Directory audience to use when forming
+       * authorization scopes. For the Language service, this value corresponds to a URL that
+       * identifies the Azure cloud where the resource is located. For more information: See
+       * https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
+       */
+      explicit DataLakeAudience(std::string dataLakeAudience)
+          : ExtendableEnumeration(std::move(dataLakeAudience))
+      {
+      }
+
+      /**
+       * @brief Default Audience. Use to acquire a token for authorizing requests to any Azure
+       * Storage account.
+       */
+      AZ_STORAGE_FILES_DATALAKE_DLLEXPORT const static DataLakeAudience PublicAudience;
+    };
   } // namespace Models
 
   using DownloadFileToOptions = Blobs::DownloadBlobToOptions;
@@ -143,6 +170,13 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
      * to prompt a challenge in order to discover the correct tenant for the resource.
      */
     bool EnableTenantDiscovery = false;
+
+    /**
+     * The Audience to use for authentication with Azure Active Directory (AAD).
+     * #Azure::Storage::Files::DataLake::Models::DataLakeAudience::PublicAudience will be assumed if
+     * Audience is not set.
+     */
+    Azure::Nullable<Models::DataLakeAudience> Audience;
   };
 
   /**

sdk/storage/azure-storage-files-datalake/src/datalake_file_system_client.cpp

@@ -97,7 +97,9 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
     perRetryPolicies.emplace_back(std::make_unique<_internal::StoragePerRetryPolicy>());
     {
       Azure::Core::Credentials::TokenRequestContext tokenContext;
-      tokenContext.Scopes.emplace_back(_internal::StorageScope);
+      tokenContext.Scopes.emplace_back(
+          options.Audience.HasValue() ? options.Audience.Value().ToString()
+                                      : Models::DataLakeAudience::PublicAudience.ToString());
       perRetryPolicies.emplace_back(
           std::make_unique<_internal::StorageBearerTokenAuthenticationPolicy>(
               credential, tokenContext, options.EnableTenantDiscovery));

sdk/storage/azure-storage-files-datalake/src/datalake_options.cpp

@@ -0,0 +1,10 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+#include "azure/storage/files/datalake/datalake_options.hpp"
+
+namespace Azure { namespace Storage { namespace Files { namespace DataLake { namespace Models {
+
+  const DataLakeAudience DataLakeAudience::PublicAudience(Azure::Storage::_internal::StorageScope);
+
+}}}}} // namespace Azure::Storage::Files::DataLake::Models

sdk/storage/azure-storage-files-datalake/src/datalake_path_client.cpp

@@ -95,7 +95,9 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
     perRetryPolicies.emplace_back(std::make_unique<_internal::StoragePerRetryPolicy>());
     {
       Azure::Core::Credentials::TokenRequestContext tokenContext;
-      tokenContext.Scopes.emplace_back(_internal::StorageScope);
+      tokenContext.Scopes.emplace_back(
+          options.Audience.HasValue() ? options.Audience.Value().ToString()
+                                      : Models::DataLakeAudience::PublicAudience.ToString());
       perRetryPolicies.emplace_back(
           std::make_unique<_internal::StorageBearerTokenAuthenticationPolicy>(
               credential, tokenContext, options.EnableTenantDiscovery));

sdk/storage/azure-storage-files-datalake/src/datalake_service_client.cpp

@@ -91,7 +91,9 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake {
     perRetryPolicies.emplace_back(std::make_unique<_internal::StoragePerRetryPolicy>());
     {
       Azure::Core::Credentials::TokenRequestContext tokenContext;
-      tokenContext.Scopes.emplace_back(_internal::StorageScope);
+      tokenContext.Scopes.emplace_back(
+          options.Audience.HasValue() ? options.Audience.Value().ToString()
+                                      : Models::DataLakeAudience::PublicAudience.ToString());
       perRetryPolicies.emplace_back(
           std::make_unique<_internal::StorageBearerTokenAuthenticationPolicy>(
               credential, tokenContext, options.EnableTenantDiscovery));

sdk/storage/azure-storage-files-datalake/src/datalake_utilities.cpp

@@ -98,6 +98,10 @@ namespace Azure { namespace Storage { namespace Files { namespace DataLake { nam
     blobOptions.ApiVersion = options.ApiVersion;
     blobOptions.CustomerProvidedKey = options.CustomerProvidedKey;
     blobOptions.EnableTenantDiscovery = options.EnableTenantDiscovery;
+    if (options.Audience.HasValue())
+    {
+      blobOptions.Audience = Blobs::Models::BlobAudience(options.Audience.Value().ToString());
+    }
     return blobOptions;
   }
 

sdk/storage/azure-storage-files-datalake/test/ut/datalake_file_system_client_test.cpp

@@ -907,4 +907,33 @@ namespace Azure { namespace Storage { namespace Test {
     }
   }
 
+  TEST_F(DataLakeFileSystemClientTest, Audience)
+  {
+    auto credential = std::make_shared<Azure::Identity::ClientSecretCredential>(
+        AadTenantId(),
+        AadClientId(),
+        AadClientSecret(),
+        InitStorageClientOptions<Azure::Identity::ClientSecretCredentialOptions>());
+    auto clientOptions = InitStorageClientOptions<Files::DataLake::DataLakeClientOptions>();
+
+    // default audience
+    auto fileSystemClient = Files::DataLake::DataLakeFileSystemClient(
+        m_fileSystemClient->GetUrl(), credential, clientOptions);
+    EXPECT_NO_THROW(fileSystemClient.GetProperties());
+
+    // custom audience
+    auto fileSystemUrl = Azure::Core::Url(fileSystemClient.GetUrl());
+    clientOptions.Audience = Files::DataLake::Models::DataLakeAudience(
+        fileSystemUrl.GetScheme() + "://" + fileSystemUrl.GetHost() + "/.default");
+    fileSystemClient = Files::DataLake::DataLakeFileSystemClient(
+        m_fileSystemClient->GetUrl(), credential, clientOptions);
+    EXPECT_NO_THROW(fileSystemClient.GetProperties());
+
+    // error audience
+    clientOptions.Audience
+        = Files::DataLake::Models::DataLakeAudience("https://disk.compute.azure.com/.default");
+    fileSystemClient = Files::DataLake::DataLakeFileSystemClient(
+        m_fileSystemClient->GetUrl(), credential, clientOptions);
+    EXPECT_THROW(fileSystemClient.GetProperties(), StorageException);
+  }
 }}} // namespace Azure::Storage::Test