AzureSDKAutomation
diff --git a/‎sdk/storage/azure-storage-blob/CHANGELOG.md‎
Lines changed: 2 additions & 0 deletions b/‎sdk/storage/azure-storage-blob/CHANGELOG.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/implementation/util/BlobSasImplUtil.java‎
Lines changed: 12 additions & 2 deletions b/‎sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/implementation/util/BlobSasImplUtil.java‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/sas/BlobContainerSasPermission.java‎
Lines changed: 54 additions & 0 deletions b/‎sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/sas/BlobContainerSasPermission.java‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/sas/BlobSasPermission.java‎
Lines changed: 84 additions & 1 deletion b/‎sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/sas/BlobSasPermission.java‎
Lines changed: 84 additions & 1 deletion
diff --git a/‎sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/sas/BlobServiceSasSignatureValues.java‎
Lines changed: 50 additions & 0 deletions b/‎sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/sas/BlobServiceSasSignatureValues.java‎
Lines changed: 50 additions & 0 deletions
@@ -3,6 +3,8 @@
 ## 12.9.0-beta.3 (Unreleased)
 - Fixed a bug where interspersed element types returned by page listing would deserialize incorrectly.
 - Fixed a bug where BlobInputStream would not eTag lock on the blob, resulting in undesirable behavior if the blob was modified in the middle of reading. 
+- Added support for move and execute permissions on blob SAS and container SAS, and list permissions on blob SAS.
+- Added support to specify a preauthorized user id and correlation id for user delegation SAS.
 - Renamed BlobDownloadToFileOptions.rangeGetContentMd5 to BlobDownloadToFileOptions.retrieveContentRangeMd5
 
 ## 12.9.0-beta.2 (2020-10-08)
 
@@ -84,6 +84,10 @@ public class BlobSasImplUtil {
 
     private String contentType;
 
+    private String authorizedAadObjectId;
+
+    private String correlationId;
+
     /**
      * Creates a new {@link BlobSasImplUtil} with the specified parameters
      *
@@ -126,6 +130,8 @@ public BlobSasImplUtil(BlobServiceSasSignatureValues sasValues, String container
         this.contentEncoding = sasValues.getContentEncoding();
         this.contentLanguage = sasValues.getContentLanguage();
         this.contentType = sasValues.getContentType();
+        this.authorizedAadObjectId = sasValues.getPreauthorizedAgentObjectId();
+        this.correlationId = sasValues.getCorrelationId();
     }
 
     /**
@@ -199,6 +205,10 @@ private String encode(UserDelegationKey userDelegationKey, String signature) {
                 userDelegationKey.getSignedService());
             tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_SIGNED_KEY_VERSION,
                 userDelegationKey.getSignedVersion());
+
+            /* Only parameters relevant for user delegation SAS. */
+            tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_PREAUTHORIZED_AGENT_OBJECT_ID, this.authorizedAadObjectId);
+            tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_CORRELATION_ID, this.correlationId);
         }
         tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_SIGNED_RESOURCE, this.resource);
         tryAppendQueryParameter(sb, Constants.UrlConstants.SAS_SIGNED_PERMISSIONS, this.permissions);
@@ -314,9 +324,9 @@ private String stringToSign(final UserDelegationKey key, String canonicalName) {
             key.getSignedExpiry() == null ? "" : Constants.ISO_8601_UTC_DATE_FORMATTER.format(key.getSignedExpiry()),
             key.getSignedService() == null ? "" : key.getSignedService(),
             key.getSignedVersion() == null ? "" : key.getSignedVersion(),
-            "", /* saoid - empty since this applies to HNS only accounts. */
+            this.authorizedAadObjectId == null ? "" : this.authorizedAadObjectId,
             "", /* suoid - empty since this applies to HNS only accounts. */
-            "", /* cid - empty since this applies to HNS only accounts. */
+            this.correlationId == null ? "" : this.correlationId,
             this.sasIpRange == null ? "" : this.sasIpRange.toString(),
             this.protocol == null ? "" : this.protocol.toString(),
             version,
 
@@ -31,6 +31,10 @@ public final class BlobContainerSasPermission {
 
     private boolean tagsPermission;
 
+    private boolean movePermission;
+
+    private boolean executePermission;
+
     /**
      * Initializes an {@code BlobContainerSasPermission} object with all fields set to false.
      */
@@ -75,6 +79,12 @@ public static BlobContainerSasPermission parse(String permString) {
                 case 't':
                     permissions.tagsPermission = true;
                     break;
+                case 'm':
+                    permissions.movePermission = true;
+                    break;
+                case 'e':
+                    permissions.executePermission = true;
+                    break;
                 default:
                     throw new IllegalArgumentException(
                         String.format(Locale.ROOT, Constants.ENUM_COULD_NOT_BE_PARSED_INVALID_VALUE,
@@ -228,6 +238,42 @@ public BlobContainerSasPermission setTagsPermission(boolean tagsPermission) {
         return this;
     }
 
+    /**
+     * @return the move permission status.
+     */
+    public boolean hasMovePermission() {
+        return movePermission;
+    }
+
+    /**
+     * Sets the move permission status.
+     *
+     * @param hasMovePermission Permission status to set
+     * @return the updated BlobContainerSasPermission object.
+     */
+    public BlobContainerSasPermission setMovePermission(boolean hasMovePermission) {
+        this.movePermission = hasMovePermission;
+        return this;
+    }
+
+    /**
+     * @return the execute permission status.
+     */
+    public boolean hasExecutePermission() {
+        return executePermission;
+    }
+
+    /**
+     * Sets the execute permission status.
+     *
+     * @param hasExecutePermission Permission status to set
+     * @return the updated BlobContainerSasPermission object.
+     */
+    public BlobContainerSasPermission setExecutePermission(boolean hasExecutePermission) {
+        this.executePermission = hasExecutePermission;
+        return this;
+    }
+
     /**
      * Converts the given permissions to a {@code String}. Using this method will guarantee the permissions are in an
      * order accepted by the service.
@@ -272,6 +318,14 @@ public String toString() {
             builder.append('t');
         }
 
+        if (this.movePermission) {
+            builder.append('m');
+        }
+
+        if (this.executePermission) {
+            builder.append('e');
+        }
+
         return builder.toString();
     }
 }
@@ -29,6 +29,12 @@ public final class BlobSasPermission {
 
     private boolean tagsPermission;
 
+    private boolean listPermission;
+
+    private boolean movePermission;
+
+    private boolean executePermission;
+
     /**
      * Initializes a {@code BlobSasPermission} object with all fields set to false.
      */
@@ -41,7 +47,8 @@ public BlobSasPermission() {
      *
      * @param permString A {@code String} which represents the {@code BlobSasPermission}.
      * @return A {@code BlobSasPermission} generated from the given {@code String}.
-     * @throws IllegalArgumentException If {@code permString} contains a character other than r, a, c, w, d, x or t.
+     * @throws IllegalArgumentException If {@code permString} contains a character other than r, a, c, w, d, x, l, t,
+     * m, or e.
      */
     public static BlobSasPermission parse(String permString) {
         BlobSasPermission permissions = new BlobSasPermission();
@@ -70,6 +77,15 @@ public static BlobSasPermission parse(String permString) {
                 case 't':
                     permissions.tagsPermission = true;
                     break;
+                case 'l':
+                    permissions.listPermission = true;
+                    break;
+                case 'm':
+                    permissions.movePermission = true;
+                    break;
+                case 'e':
+                    permissions.executePermission = true;
+                    break;
                 default:
                     throw new IllegalArgumentException(
                         String.format(Locale.ROOT, Constants.ENUM_COULD_NOT_BE_PARSED_INVALID_VALUE,
@@ -205,6 +221,61 @@ public BlobSasPermission setTagsPermission(boolean tagsPermission) {
         return this;
     }
 
+    /**
+     * @return the list permission status.
+     */
+    public boolean hasListPermission() {
+        return listPermission;
+    }
+
+    /**
+     * Sets the list permission status.
+     *
+     * @param hasListPermission Permission status to set
+     * @return the updated BlobSasPermission object.
+     */
+    public BlobSasPermission setListPermission(boolean hasListPermission) {
+        this.listPermission = hasListPermission;
+        return this;
+    }
+
+    /**
+     * @return the move permission status.
+     */
+    public boolean hasMovePermission() {
+        return movePermission;
+    }
+
+    /**
+     * Sets the move permission status.
+     *
+     * @param hasMovePermission Permission status to set
+     * @return the updated BlobSasPermission object.
+     */
+    public BlobSasPermission setMovePermission(boolean hasMovePermission) {
+        this.movePermission = hasMovePermission;
+        return this;
+    }
+
+    /**
+     * @return the execute permission status.
+     */
+    public boolean hasExecutePermission() {
+        return executePermission;
+    }
+
+    /**
+     * Sets the execute permission status.
+     *
+     * @param hasExecutePermission Permission status to set
+     * @return the updated BlobSasPermission object.
+     */
+    public BlobSasPermission setExecutePermission(boolean hasExecutePermission) {
+        this.executePermission = hasExecutePermission;
+        return this;
+    }
+
+
     /**
      * Converts the given permissions to a {@code String}. Using this method will guarantee the permissions are in an
      * order accepted by the service.
@@ -242,10 +313,22 @@ public String toString() {
             builder.append('x');
         }
 
+        if (this.listPermission) {
+            builder.append('l');
+        }
+
         if (this.tagsPermission) {
             builder.append('t');
         }
 
+        if (this.movePermission) {
+            builder.append('m');
+        }
+
+        if (this.executePermission) {
+            builder.append('e');
+        }
+
         return builder.toString();
     }
 }
@@ -77,6 +77,10 @@ public final class BlobServiceSasSignatureValues {
 
     private String contentType;
 
+    private String preauthorizedAgentObjectId; /* saoid */
+
+    private String correlationId;
+
     /**
      * Creates an object with empty values for all fields.
      * @deprecated Please use {@link #BlobServiceSasSignatureValues(String)},
@@ -486,6 +490,52 @@ public BlobServiceSasSignatureValues setContentType(String contentType) {
         return this;
     }
 
+    /**
+     * @return The AAD object ID of a user assumed to be authorized by the owner of the user delegation key to perform
+     * the action granted by the SAS token. The service will validate the SAS token and ensure that the owner of the
+     * user delegation key has the required permissions before granting access but no additional permission check for
+     * the agent object id will be performed.
+     */
+    public String getPreauthorizedAgentObjectId() {
+        return preauthorizedAgentObjectId;
+    }
+
+    /**
+     * Sets the AAD object ID of a user assumed to be authorized by the owner of the user delegation key to perform the
+     * action granted by the SAS token.
+     *
+     * @param preauthorizedAgentObjectId The AAD object ID of a user assumed to be authorized by the owner of the user
+     * delegation key to perform the action granted by the SAS token. The service will validate the SAS token and
+     * ensure that the owner of the user delegation key has the required permissions before granting access but no
+     * additional permission check for the agent object id will be performed.
+     * @return the updated BlobServiceSASSignatureValues object
+     */
+    public BlobServiceSasSignatureValues setPreauthorizedAgentObjectId(String preauthorizedAgentObjectId) {
+        this.preauthorizedAgentObjectId = preauthorizedAgentObjectId;
+        return this;
+    }
+
+    /**
+     * @return the correlation id value for the SAS.
+     */
+    public String getCorrelationId() {
+        return correlationId;
+    }
+
+    /**
+     * Sets the correlation id value for the SAS.
+     *
+     * <p>Note: This parameter is only valid for user delegation SAS. </p>
+     *
+     * @param correlationId A correlation ID used to correlate the storage audit logs with the audit logs used by the
+     * principal generating and distributing SAS.
+     * @return the updated BlobServiceSasSignatureValues object
+     */
+    public BlobServiceSasSignatureValues setCorrelationId(String correlationId) {
+        this.correlationId = correlationId;
+        return this;
+    }
+
     /**
      * Uses an account's shared key credential to sign these signature values to produce the proper SAS query
      * parameters.