Fix SAS token generation for directory-scoped access

sdk/storage/src/shared_access_signature/service_sas.rs

@@ -100,6 +100,7 @@ pub struct BlobSharedAccessSignature {
     identifier: Option<String>,
     ip: Option<String>,
     protocol: Option<SasProtocol>,
+    signed_directory_depth: Option<u32>, // sdd
 }
 
 impl BlobSharedAccessSignature {
@@ -120,6 +121,7 @@ impl BlobSharedAccessSignature {
             identifier: None,
             ip: None,
             protocol: None,
+            signed_directory_depth: None,
         }
     }
 
@@ -128,6 +130,7 @@ impl BlobSharedAccessSignature {
         identifier: String => Some(identifier),
         ip: String => Some(ip),
         protocol: SasProtocol => Some(protocol),
+        signed_directory_depth: u32 => Some(signed_directory_depth),
     }
 
     fn sign(&self) -> String {
@@ -179,9 +182,63 @@ impl SasToken for BlobSharedAccessSignature {
             elements.push(format!("spr={protocol}"))
         }
 
+        if let Some(signed_directory_depth) = &self.signed_directory_depth {
+            elements.push(format!("sdd={signed_directory_depth}"))
+        }
+
         let sig = self.sign();
         elements.push(format!("sig={}", format_form(sig)));
 
         elements.join("&")
     }
 }
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    use time::Duration;
+
+    const MOCK_SECRET_KEY: &str = "RZfi3m1W7eyQ5zD4ymSmGANVdJ2SDQmg4sE89SW104s=";
+    const MOCK_CANONICALIZED_RESOURCE: &str = "/blob/STORAGE_ACCOUNT_NAME/CONTAINER_NAME/";
+
+    #[test]
+    fn test_blob_scoped_sas_token() {
+        let permissions = BlobSasPermissions {
+            read: true,
+            ..Default::default()
+        };
+        let signed_token = BlobSharedAccessSignature::new(
+            String::from(MOCK_SECRET_KEY),
+            String::from(MOCK_CANONICALIZED_RESOURCE),
+            permissions,
+            OffsetDateTime::UNIX_EPOCH + Duration::days(7),
+            BlobSignedResource::Blob,
+        )
+        .token();
+        // BlobSignedResource::Blob
+        assert!(signed_token.contains("sr=b"));
+        // this assert will be a bad idea if we ever add a new field that ends with "sdd"
+        assert!(!signed_token.contains("sdd="));
+    }
+
+    #[test]
+    fn test_directory_scoped_sas_token() {
+        let permissions = BlobSasPermissions {
+            read: true,
+            ..Default::default()
+        };
+        let signed_token = BlobSharedAccessSignature::new(
+            String::from(MOCK_SECRET_KEY),
+            String::from(MOCK_CANONICALIZED_RESOURCE),
+            permissions,
+            OffsetDateTime::UNIX_EPOCH + Duration::days(7),
+            BlobSignedResource::Directory,
+        )
+        .signed_directory_depth(2_u32)
+        .token();
+        // BlobSignedResource::Blob
+        assert!(signed_token.contains("sr=d"));
+        // signed_directory_depth = 2
+        assert!(signed_token.contains("sdd=2"));
+    }
+}