milismsft · milismsft · Jan 28, 2021 · Jan 28, 2021 · Jan 30, 2021 · Feb 1, 2021
@@ -8,9 +8,10 @@ public enum AuthorizationTokenType {
     PrimaryReadonlyMasterKey,
     SecondaryMasterKey,
     SecondaryReadonlyMasterKey,
-    SystemReadOnly, 
+    SystemReadOnly,
     SystemReadWrite,
     SystemAll,
     ResourceToken,
-    AadToken
+    AadToken,
+    SasToken
 }
@@ -170,6 +170,7 @@ public static final class Properties {
         public static final String MASTER_TOKEN = "master";
         public static final String RESOURCE_TOKEN = "resource";
         public static final String AAD_TOKEN = "aad";
+        public static final String SAS_TOKEN = "sas";
         public static final String TOKEN_VERSION = "1.0";
         public static final String AUTH_SCHEMA_TYPE = "type";
         public static final String AUTH_VERSION = "ver";

@@ -7,7 +7,7 @@
  * Used internally. Contains string constants to work with the paths in the Azure Cosmos DB database service.
  */
 public class Paths {
-    static final String ROOT = "/";
+    public static final String ROOT = "/";
     static final char ROOT_CHAR = '/';
     static final char ESCAPE_CHAR = '\\';
 

@@ -48,6 +48,7 @@
 import com.azure.cosmos.implementation.routing.PartitionKeyInternalHelper;
 import com.azure.cosmos.implementation.routing.PartitionKeyRangeIdentity;
 import com.azure.cosmos.implementation.routing.Range;
+import com.azure.cosmos.implementation.sastokens.SasTokenAuthorizationHelper;
 import com.azure.cosmos.models.CosmosChangeFeedRequestOptions;
 import com.azure.cosmos.models.CosmosItemIdentity;
 import com.azure.cosmos.models.CosmosQueryRequestOptions;
@@ -120,6 +121,7 @@ public class RxDocumentClientImpl implements AsyncDocumentClient, IAuthorization
     private final BaseAuthorizationTokenProvider authorizationTokenProvider;
     private final UserAgentContainer userAgentContainer;
     private final boolean hasAuthKeyResourceToken;
+    private final boolean hasAuthKeySasToken;
     private final Configs configs;
     private final boolean connectionSharingAcrossClientsEnabled;
     private AzureKeyCredential credential;
@@ -291,19 +293,30 @@ private RxDocumentClientImpl(URI serviceEndpoint,
             this.authorizationTokenType = AuthorizationTokenType.Invalid;
 
             if (this.credential != null) {
-                hasAuthKeyResourceToken = false;
+                this.hasAuthKeyResourceToken = false;
+                this.hasAuthKeySasToken = false;
                 this.authorizationTokenProvider = new BaseAuthorizationTokenProvider(this.credential);
             } else if (masterKeyOrResourceToken != null && ResourceTokenAuthorizationHelper.isResourceToken(masterKeyOrResourceToken)) {
                 this.authorizationTokenProvider = null;
-                hasAuthKeyResourceToken = true;
+                this.hasAuthKeyResourceToken = true;
+                this.hasAuthKeySasToken = false;
                 this.authorizationTokenType = AuthorizationTokenType.ResourceToken;
-            } else if(masterKeyOrResourceToken != null && !ResourceTokenAuthorizationHelper.isResourceToken(masterKeyOrResourceToken)) {
+            } else if (masterKeyOrResourceToken != null && SasTokenAuthorizationHelper.isSasToken(masterKeyOrResourceToken)) {
+                this.authorizationTokenProvider = null;
+                this.hasAuthKeyResourceToken = false;
+                this.hasAuthKeySasToken = true;
+                this.authorizationTokenType = AuthorizationTokenType.SasToken;
+            } else if(masterKeyOrResourceToken != null
+                    && !ResourceTokenAuthorizationHelper.isResourceToken(masterKeyOrResourceToken)
+                    && !SasTokenAuthorizationHelper.isSasToken(masterKeyOrResourceToken)) {
                 this.credential = new AzureKeyCredential(this.masterKeyOrResourceToken);
-                hasAuthKeyResourceToken = false;
+                this.hasAuthKeyResourceToken = false;
+                this.hasAuthKeySasToken = false;
                 this.authorizationTokenType = AuthorizationTokenType.PrimaryMasterKey;
                 this.authorizationTokenProvider = new BaseAuthorizationTokenProvider(this.credential);
             } else {
-                hasAuthKeyResourceToken = false;
+                this.hasAuthKeyResourceToken = false;
+                this.hasAuthKeySasToken = false;
                 this.authorizationTokenProvider = null;
                 if (tokenCredential != null) {
                     this.tokenCredentialScopes = new String[] {
@@ -1500,7 +1513,7 @@ public String getUserAuthorizationToken(String resourceName,
         } else if (credential != null) {
             return this.authorizationTokenProvider.generateKeyAuthorizationSignature(requestVerb, resourceName,
                     resourceType, headers);
-        } else if (masterKeyOrResourceToken != null && hasAuthKeyResourceToken && resourceTokensMap == null) {
+        } else if (masterKeyOrResourceToken != null && (hasAuthKeyResourceToken || hasAuthKeySasToken) && resourceTokensMap == null) {
             return masterKeyOrResourceToken;
         } else {
             assert resourceTokensMap != null;

@@ -99,6 +99,7 @@ public static Mono<RxDocumentServiceRequest> createAsync(
 
 
             case ResourceToken:
+            case SasToken:
                 authorizationToken = request.getHeaders().get(HttpConstants.HttpHeaders.AUTHORIZATION);
                 break;
 

@@ -0,0 +1,116 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.cosmos.implementation.sastokens;
+
+import java.util.Locale;
+
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_ACCOUNT_CREATE_DATABASES_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_ACCOUNT_DELETE_DATABASES_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_ACCOUNT_LIST_DATABASES_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_ACCOUNT_READ_ALL_ACCESS_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_ACCOUNT_READ_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_ACCOUNT_WRITE_ALL_ACCESS_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_CONTAINERS_READ_ALL_ACCESS_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_CONTAINERS_WRITE_ALL_ACCESS_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_CONTAINER_DELETE_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_CONTAINER_READ_OFFER_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_CONTAINER_READ_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_CONTAINER_REPLACE_OFFER_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_CONTAINER_REPLACE_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_DATABASE_CREATE_CONTAINERS_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_DATABASE_DELETE_CONTAINERS_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_DATABASE_DELETE_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_DATABASE_LIST_CONTAINERS_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_DATABASE_READ_ALL_ACCESS_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_DATABASE_READ_OFFER_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_DATABASE_READ_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_DATABASE_REPLACE_OFFER_VALUE;
+import static com.azure.cosmos.implementation.sastokens.PermissionScopeValues.SCOPE_DATABASE_WRITE_ALL_ACCESS_VALUE;
+
+/**
+ * Represents permission scope settings applicable to control plane related operations.
+ */
+public enum ControlPlanePermissionScope {
+    // REQUIRED: This enum must be kept in sync with the ControlPlanePermissionScope enum in backend services.
+
+    /**
+     * Cosmos account read scope.
+     */
+    SCOPE_ACCOUNT_READ("AccountRead", SCOPE_ACCOUNT_READ_VALUE),
+    SCOPE_ACCOUNT_LIST_DATABASES("AccountListDatabases", SCOPE_ACCOUNT_LIST_DATABASES_VALUE),
+
+    /**
+     * Cosmos database read scope.
+     */
+    SCOPE_DATABASE_READ("DatabaseRead", SCOPE_DATABASE_READ_VALUE),
+    SCOPE_DATABASE_READ_OFFER("DatabaseReadOffer", SCOPE_DATABASE_READ_OFFER_VALUE),
+    SCOPE_DATABASE_LIST_CONTAINERS("DatabaseListContainers", SCOPE_DATABASE_LIST_CONTAINERS_VALUE),
+
+    /**
+     * Cosmos Container read scope.
+     */
+    SCOPE_CONTAINER_READ("ContainerRead", SCOPE_CONTAINER_READ_VALUE),
+    SCOPE_CONTAINER_READ_OFFER("ContainerReadOffer", SCOPE_CONTAINER_READ_OFFER_VALUE),
+
+    /**
+     * Composite read scopes.
+     */
+    SCOPE_ACCOUNT_READ_ALL_ACCESS("AccountReadAllAccess", SCOPE_ACCOUNT_READ_ALL_ACCESS_VALUE),
+    SCOPE_DATABASE_READ_ALL_ACCESS("DatabaseReadAllAccess", SCOPE_DATABASE_READ_ALL_ACCESS_VALUE),
+    SCOPE_CONTAINER_READ_ALL_ACCESS("ContainersReadAllAccess", SCOPE_CONTAINERS_READ_ALL_ACCESS_VALUE),
+
+    /**
+     * Cosmos account write scope.
+     */
+    SCOPE_ACCOUNT_CREATE_DATABASES("AccountCreateDatabases", SCOPE_ACCOUNT_CREATE_DATABASES_VALUE),
+    SCOPE_ACCOUNT_DELETE_DATABASES("AccountDeleteDatabases", SCOPE_ACCOUNT_DELETE_DATABASES_VALUE),
+
+    /**
+     * Cosmos database write scope.
+     */
+    SCOPE_DATABASE_DELETE("DatabaseDelete", SCOPE_DATABASE_DELETE_VALUE),
+    SCOPE_DATABASE_REPLACE_OFFER("DatabaseReplaceOffer", SCOPE_DATABASE_REPLACE_OFFER_VALUE),
+    SCOPE_DATABASE_CREATE_CONTAINERS("DatabaseCreateContainers", SCOPE_DATABASE_CREATE_CONTAINERS_VALUE),
+    SCOPE_DATABASE_DELETE_CONTAINERS("DatabaseDeleteContainers", SCOPE_DATABASE_DELETE_CONTAINERS_VALUE),
+
+    /**
+     * Cosmos Container write scope.
+     */
+    SCOPE_CONTAINER_REPLACE("ContainerReplace", SCOPE_CONTAINER_REPLACE_VALUE),
+    SCOPE_CONTAINER_DELETE("ContainerDelete", SCOPE_CONTAINER_DELETE_VALUE),
+    SCOPE_CONTAINER_REPLACE_OFFER("ContainerReplaceOffer", SCOPE_CONTAINER_REPLACE_OFFER_VALUE),
+
+    /**
+     * Composite write scopes.
+     */
+    SCOPE_ACCOUNT_WRITE_ALL_ACCESS("AccountFullAllAccess", SCOPE_ACCOUNT_WRITE_ALL_ACCESS_VALUE),
+    SCOPE_DATABASE_WRITE_ALL_ACCESS("DatabaseWriteAllAccess", SCOPE_DATABASE_WRITE_ALL_ACCESS_VALUE),
+    SCOPE_CONTAINER_WRITE_ALL_ACCESS("ContainersWriteAllAccess", SCOPE_CONTAINERS_WRITE_ALL_ACCESS_VALUE),
+
+    NONE("None", (short) 0x0);
+
+
+    private final short value;
+    private final String stringValue;
+    private final String toLowerStringValue;
+
+    ControlPlanePermissionScope(String stringValue, short scopeBitMask) {
+        this.stringValue = stringValue;
+        this.toLowerStringValue = stringValue.toLowerCase(Locale.ROOT);
+        this.value = scopeBitMask;
+    }
+
+    @Override
+    public String toString() {
+        return this.stringValue;
+    }
+
+    public String toLowerCase() {
+        return this.toLowerStringValue;
+    }
+
+    public short value() {
+        return this.value;
+    }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -99,6 +99,7 @@ public static Mono<RxDocumentServiceRequest> createAsync( @@
                 case ResourceToken:
+                case SasToken:
                     authorizationToken = request.getHeaders().get(HttpConstants.HttpHeaders.AUTHORIZATION);
                     break;
@@ Expand Down @@