[Storage] az storage blob/container/share/file/queue/fs generate-sas: Add --user-delegation-tid to support cross tenant user delegated sas (#33187)

Author: calvinhzy

src/azure-cli/azure/cli/command_modules/storage/_params.py

@@ -24,7 +24,7 @@
                           get_api_version_type, blob_download_file_path_validator, blob_tier_validator, validate_subnet,
                           validate_immutability_arguments, validate_blob_name_for_upload, validate_share_close_handle,
                           blob_tier_validator_track2, services_type_v2, resource_type_type_v2, PermissionScopeAddAction,
-                          SshPublicKeyAddAction, user_delegation_oid_validator)
+                          SshPublicKeyAddAction, user_delegation_oid_validator, user_delegation_tid_validator)
 
 
 def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statements, too-many-lines, too-many-branches, line-too-long
@@ -979,6 +979,9 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
                         'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
                         'to the user specified in this value.')
+        c.argument('user_delegation_tid', validator=user_delegation_tid_validator, is_preview=True,
+                   help='The delegated user tenant id in Azure AD. '
+                        'This parameter can only be specified when using OAuth.')
 
     with self.argument_context('storage blob restore', resource_type=ResourceType.MGMT_STORAGE) as c:
         from ._validators import BlobRangeAddAction
@@ -1702,6 +1705,9 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
                         'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
                         'to the user specified in this value.')
+        c.argument('user_delegation_tid', validator=user_delegation_tid_validator, is_preview=True,
+                   help='The delegated user tenant id in Azure AD. '
+                        'This parameter can only be specified when using OAuth.')
 
     for cmd in ['acquire', 'renew', 'break', 'change', 'release']:
         with self.argument_context(f'storage container lease {cmd}') as c:
@@ -1970,6 +1976,9 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
                         'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
                         'to the user specified in this value.')
+        c.argument('user_delegation_tid', validator=user_delegation_tid_validator, is_preview=True,
+                   help='The delegated user tenant id in Azure AD. '
+                        'This parameter can only be specified when using OAuth.')
 
     with self.argument_context('storage share update') as c:
         c.extra('share_name', share_name_type, options_list=('--name', '-n'), required=True)
@@ -2185,6 +2194,8 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                 help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
                      'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
                      'to the user specified in this value.')
+        c.extra('user_delegation_tid', validator=user_delegation_tid_validator, is_preview=True,
+                help='The delegated user tenant id in Azure AD. This parameter can only be specified when using OAuth.')
 
     with self.argument_context('storage file list') as c:
         c.extra('share_name', share_name_type, required=True)
@@ -2338,6 +2349,9 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
                         'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
                         'to the user specified in this value.')
+        c.argument('user_delegation_tid', validator=user_delegation_tid_validator, is_preview=True,
+                   help='The delegated user tenant id in Azure AD. '
+                        'This parameter can only be specified when using OAuth.')
 
     with self.argument_context('storage queue list') as c:
         c.argument('include_metadata', help='Specify that queue metadata be returned in the response.')
@@ -2587,6 +2601,9 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
                         'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
                         'to the user specified in this value.')
+        c.argument('user_delegation_tid', validator=user_delegation_tid_validator, is_preview=True,
+                   help='The delegated user tenant id in Azure AD. '
+                        'This parameter can only be specified when using OAuth.')
 
     with self.argument_context('storage fs list') as c:
         c.argument('include_metadata', arg_type=get_three_state_flag(),
@@ -2717,6 +2734,9 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
                         'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
                         'to the user specified in this value.')
+        c.argument('user_delegation_tid', validator=user_delegation_tid_validator, is_preview=True,
+                   help='The delegated user tenant id in Azure AD. '
+                        'This parameter can only be specified when using OAuth.')
 
     with self.argument_context('storage fs file generate-sas') as c:
         t_file_system_permissions = self.get_sdk('_models#FileSystemSasPermissions',
@@ -2753,6 +2773,9 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='Specifies the Entra ID of the user that is authorized to use the resulting SAS URL. '
                         'The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued '
                         'to the user specified in this value.')
+        c.argument('user_delegation_tid', validator=user_delegation_tid_validator, is_preview=True,
+                   help='The delegated user tenant id in Azure AD. '
+                        'This parameter can only be specified when using OAuth.')
 
     with self.argument_context('storage fs file list') as c:
         c.extra('file_system_name', options_list=['-f', '--file-system'],

src/azure-cli/azure/cli/command_modules/storage/_validators.py

@@ -1562,8 +1562,13 @@ def as_user_validator(namespace):
 def user_delegation_oid_validator(namespace):
     if namespace.user_delegation_oid and not namespace.as_user:
         raise argparse.ArgumentError(
-            None, "incorrect usage: need to specify '--as-user' when '--user-delegation-oid' is "
-                  "provided")
+            None, "incorrect usage: need to specify '--as-user' when '--user-delegation-oid' is provided")
+
+
+def user_delegation_tid_validator(namespace):
+    if namespace.user_delegation_tid and not namespace.user_delegation_oid:
+        raise argparse.ArgumentError(
+            None, "incorrect usage: need to specify '--user-delegation-oid' when '--user-delegation-tid' is provided")
 
 
 def validator_change_feed_retention_days(namespace):

src/azure-cli/azure/cli/command_modules/storage/operations/blob.py

@@ -839,7 +839,7 @@ def generate_sas_blob_uri(cmd, client, permission=None, expiry=None, start=None,
                           protocol=None, cache_control=None, content_disposition=None,
                           content_encoding=None, content_language=None,
                           content_type=None, full_uri=False, as_user=False, snapshot=None, user_delegation_oid=None,
-                          **kwargs):
+                          user_delegation_tid=None, **kwargs):
     from ..url_quote_util import encode_url_path
     from urllib.parse import quote
     t_generate_blob_sas = get_sdk(cmd.cli_ctx, ResourceType.DATA_STORAGE_BLOB,
@@ -850,7 +850,8 @@ def generate_sas_blob_uri(cmd, client, permission=None, expiry=None, start=None,
     account_key = None
     if as_user:
         user_delegation_key = client.get_user_delegation_key(
-            get_datetime_from_string(start) if start else datetime.utcnow(), get_datetime_from_string(expiry))
+            get_datetime_from_string(start) if start else datetime.utcnow(), get_datetime_from_string(expiry),
+            delegated_user_tid=user_delegation_tid)
     else:
         account_key = client.credential.account_key
 
@@ -889,7 +890,8 @@ def generate_sas_blob_uri(cmd, client, permission=None, expiry=None, start=None,
 def generate_container_shared_access_signature(cmd, client, container_name, permission=None, expiry=None,
                                                start=None, id=None, ip=None, protocol=None, cache_control=None,
                                                content_disposition=None, content_encoding=None, content_language=None,
-                                               content_type=None, user_delegation_oid=None, as_user=False, **kwargs):
+                                               content_type=None, user_delegation_oid=None, user_delegation_tid=None,
+                                               as_user=False, **kwargs):
     t_generate_container_sas = get_sdk(cmd.cli_ctx, ResourceType.DATA_STORAGE_BLOB,
                                        '_shared_access_signature#generate_container_sas')
 
@@ -898,7 +900,8 @@ def generate_container_shared_access_signature(cmd, client, container_name, perm
     account_key = None
     if as_user:
         user_delegation_key = client.get_user_delegation_key(
-            get_datetime_from_string(start) if start else datetime.utcnow(), get_datetime_from_string(expiry))
+            get_datetime_from_string(start) if start else datetime.utcnow(), get_datetime_from_string(expiry),
+            delegated_user_tid=user_delegation_tid)
     else:
         account_key = client.credential.account_key
 

src/azure-cli/azure/cli/command_modules/storage/operations/file.py

@@ -538,7 +538,8 @@ def _file_share_exists(client, resource_group_name, account_name, share_name):
 
 # pylint: disable=redefined-builtin
 def generate_sas_file(cmd, client, share_name=None, directory_name=None, file_name=None, permission=None, expiry=None,
-                      start=None, id=None, ip=None, protocol=None, as_user=False, user_delegation_oid=None, **kwargs):
+                      start=None, id=None, ip=None, protocol=None, as_user=False, user_delegation_oid=None,
+                      user_delegation_tid=None, **kwargs):
     t_generate_file_sas = get_sdk(cmd.cli_ctx, ResourceType.DATA_STORAGE_FILESHARE,
                                   '_shared_access_signature#generate_file_sas')
     file_path = file_name
@@ -552,7 +553,8 @@ def generate_sas_file(cmd, client, share_name=None, directory_name=None, file_na
         from datetime import datetime
         user_delegation_key = client.get_user_delegation_key(
             start=get_datetime_from_string(start) if start else datetime.utcnow(),
-            expiry=get_datetime_from_string(expiry))
+            expiry=get_datetime_from_string(expiry),
+            delegated_user_tid=user_delegation_tid)
     else:
         account_key = client.credential.account_key
 

src/azure-cli/azure/cli/command_modules/storage/operations/fileshare.py

@@ -57,7 +57,8 @@ def share_exists(cmd, client, **kwargs):
 
 def generate_share_sas(cmd, client, share_name=None, permission=None, expiry=None, start=None, policy_id=None, ip=None,
                        protocol=None, cache_control=None, content_disposition=None, content_encoding=None,
-                       content_language=None, content_type=None, as_user=False, user_delegation_oid=None):
+                       content_language=None, content_type=None, as_user=False, user_delegation_oid=None,
+                       user_delegation_tid=None):
     generate_share_sas_fn = cmd.get_models('_shared_access_signature#generate_share_sas')
 
     sas_kwargs = {'protocol': protocol}
@@ -67,7 +68,8 @@ def generate_share_sas(cmd, client, share_name=None, permission=None, expiry=Non
     if as_user:
         user_delegation_key = client.get_user_delegation_key(
             start=get_datetime_from_string(start) if start else datetime.utcnow(),
-            expiry=get_datetime_from_string(expiry))
+            expiry=get_datetime_from_string(expiry),
+            delegated_user_tid=user_delegation_tid)
     else:
         account_key = client.credential.account_key
 

src/azure-cli/azure/cli/command_modules/storage/operations/filesystem.py

@@ -39,14 +39,15 @@ def generate_sas_fs_uri(client, cmd, file_system, permission=None,
                         protocol=None, cache_control=None, content_disposition=None,
                         content_encoding=None, content_language=None,
                         content_type=None, full_uri=False, as_user=False, encryption_scope=None,
-                        user_delegation_oid=None):
+                        user_delegation_oid=None, user_delegation_tid=None):
     generate_file_system_sas = cmd.get_models('_shared_access_signature#generate_file_system_sas')
 
     sas_kwargs = {}
     if as_user:
         user_delegation_key = client.get_user_delegation_key(
             get_datetime_from_string(start) if start else datetime.utcnow(),
-            get_datetime_from_string(expiry))
+            get_datetime_from_string(expiry),
+            delegated_user_tid=user_delegation_tid)
 
     sas_token = generate_file_system_sas(account_name=client.account_name, file_system_name=file_system,
                                          credential=user_delegation_key if as_user else client.credential.account_key,

src/azure-cli/azure/cli/command_modules/storage/operations/fs_directory.py

@@ -99,15 +99,16 @@ def generate_sas_directory_uri(client, cmd, file_system_name, directory_name, pe
                                protocol=None, cache_control=None, content_disposition=None,
                                content_encoding=None, content_language=None,
                                content_type=None, full_uri=False, as_user=False, encryption_scope=None,
-                               user_delegation_oid=None):
+                               user_delegation_oid=None, user_delegation_tid=None):
     from urllib.parse import quote
     generate_directory_sas = cmd.get_models('_shared_access_signature#generate_directory_sas')
 
     sas_kwargs = {}
     if as_user:
         user_delegation_key = client.get_user_delegation_key(
             get_datetime_from_string(start) if start else datetime.utcnow(),
-            get_datetime_from_string(expiry))
+            get_datetime_from_string(expiry),
+            delegated_user_tid=user_delegation_tid)
 
     sas_token = generate_directory_sas(account_name=client.account_name, file_system_name=file_system_name,
                                        directory_name=directory_name,

src/azure-cli/azure/cli/command_modules/storage/operations/fs_file.py

@@ -154,15 +154,16 @@ def generate_sas_file_uri(client, cmd, file_system_name, path, permission=None,
                           protocol=None, cache_control=None, content_disposition=None,
                           content_encoding=None, content_language=None,
                           content_type=None, full_uri=False, as_user=False, encryption_scope=None,
-                          user_delegation_oid=None):
+                          user_delegation_oid=None, user_delegation_tid=None):
     from urllib.parse import quote
     generate_file_sas = cmd.get_models('_shared_access_signature#generate_file_sas')
 
     sas_kwargs = {}
     if as_user:
         user_delegation_key = client.get_user_delegation_key(
             get_datetime_from_string(start) if start else datetime.utcnow(),
-            get_datetime_from_string(expiry))
+            get_datetime_from_string(expiry),
+            delegated_user_tid=user_delegation_tid)
 
     directory_name, file_name = os.path.split(path)
 

src/azure-cli/azure/cli/command_modules/storage/operations/queue.py

@@ -43,7 +43,8 @@ def queue_exists(cmd, client, **kwargs):
 
 
 def generate_queue_sas(cmd, client, queue_name=None, permission=None, expiry=None, start=None,
-                       policy_id=None, ip=None, protocol=None, as_user=False, user_delegation_oid=None):
+                       policy_id=None, ip=None, protocol=None, as_user=False, user_delegation_oid=None,
+                       user_delegation_tid=None):
     generate_queue_sas_fn = cmd.get_models('_shared_access_signature#generate_queue_sas')
 
     sas_kwargs = {'protocol': protocol}
@@ -54,7 +55,8 @@ def generate_queue_sas(cmd, client, queue_name=None, permission=None, expiry=Non
         from datetime import datetime
         user_delegation_key = client.get_user_delegation_key(
             start=get_datetime_from_string(start) if start else datetime.utcnow(),
-            expiry=get_datetime_from_string(expiry))
+            expiry=get_datetime_from_string(expiry),
+            delegated_user_tid=user_delegation_tid)
     else:
         account_key = client.credential.account_key