[BUG] Azure.Data.Tables sas token does not allow access to table entity #17998

Closed
ssiltanen opened this issue Jan 15, 2021 · 7 comments · Fixed by #18045

Comments

@ssiltanen

Describe the bug
Sas tokens created with Azure.Data.Tables do not work when used to access table entities. However, using a sas token created with Microsoft.Azure.Cosmos.Table works when used with this library and example code. Therefore it seems that the issue lies within the sas created with this library.

Expected behavior

  1. Create Read permission sas token
  2. Fetch table entity with above sas token
  3. Entity is returned successfully

Actual behavior (include Exception or Stack Trace)

  1. Create Read permission sas token
  2. Fetch table entity with above sas token
  3. Exception is thrown:
Azure.RequestFailedException: Service request failed.
Status: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.)

Content:
{"odata.error":{"code":"AuthenticationFailed","message":{"lang":"en-US","value":"Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:140cbc06-4002-006e-393a-eb1478000000\nTime:2021-01-15T12:30:30.4515696Z"}}}

Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: REDACTED
x-ms-error-code: REDACTED
Date: Fri, 15 Jan 2021 12:30:29 GMT
Content-Length: 299
Content-Type: application/json

   at Azure.Data.Tables.TableRestClient.QueryEntitiesWithPartitionAndRowKey(String table, String partitionKey, String rowKey, Nullable`1 timeout, QueryOptions queryOptions, CancellationToken cancellationToken)
   at Azure.Data.Tables.TableClient.GetEntity[T](String partitionKey, String rowKey, IEnumerable`1 select, CancellationToken cancellationToken)
   at <StartupCode$FSI_0015>.$FSI_0015.main@()

To Reproduce
F# interactive script to reproduce.

#r "nuget: Azure.Data.Tables, 3.0.0-beta.5"

open System
open Azure.Data.Tables
open Azure.Data.Tables.Sas

let storageBaseUri = "https://<storagename>.table.core.windows.net/"
let connString = "<connection string to above storage>"
let accountName = "<account name to above storage>"
let accountKey = "<account key to above storage>"

let tableName = "sastest"
let partitionKey = "123"
let rowKey = "abc"

// Create client with admin rights to insert row and sas token
let adminTableClient = TableServiceClient(connString).GetTableClient(tableName)

// Insert the test row
adminTableClient.CreateIfNotExists()
adminTableClient.AddEntity(TableEntity(partitionKey, rowKey)) |> ignore

// Create read only sas token to a single partition
let sas =
    let builder = adminTableClient.GetSasBuilder(TableSasPermissions.Read, DateTimeOffset.UtcNow.AddMonths 1)
    builder.StartsOn <- DateTimeOffset.UtcNow
    builder.PartitionKeyStart <- partitionKey
    builder.PartitionKeyEnd <- partitionKey
    builder.Protocol <- TableSasProtocol.Https
    let cred = TableSharedKeyCredential(accountName, accountKey)
    builder.Sign(cred)

// Try to fetch the created row
// However at the moment calling GetEntity here throws an exception
let entity =
    let urib = UriBuilder(storageBaseUri)
    urib.Query <- sas
    TableServiceClient(urib.Uri)
        .GetTableClient(tableName)
        .GetEntity<TableEntity>(partitionKey, rowKey).Value

// Should print the timestamp of created row, if the GetEntity call succeeded
printfn "%O" entity.Timestamp

Environment:

  • Azure.Data.Tables, 3.0.0-beta.5
  • .NET SDK (reflecting any global.json):
Version:   5.0.100
Commit:    5044b93829

Runtime Environment:
OS Name:     Mac OS X
OS Version:  10.15
OS Platform: Darwin
RID:         osx.10.15-x64
Base Path:   /usr/local/share/dotnet/sdk/5.0.100/

Host (useful for support):
 Version: 5.0.0
 Commit:  cf258a14b7

.NET SDKs installed:
 3.1.301 [/usr/local/share/dotnet/sdk]
 5.0.100 [/usr/local/share/dotnet/sdk]

.NET runtimes installed:
 Microsoft.AspNetCore.App 3.1.5 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 5.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
 Microsoft.NETCore.App 3.1.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
 Microsoft.NETCore.App 5.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  • IDE and version : Visual studio code 1.52.1

@ghost

ghost commented Jan 15, 2021

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @wmengmsft, @MehaKaushik, @shurd

@jsquire
Member

jsquire commented Jan 15, 2021

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@christothes
Member

@ssiltanen I can reproduce this, but I'm not sure why this works for the Microsoft.Azure.Cosmos.Table client.

In my testing, the above example works if you either set the StartsOn value a couple seconds in the past, or sleep a couple seconds in the script before attempting to use the token. This seems to indicate that the service is being a bit conservative with enforcing the start time, but that we have a valid Sas token.

In your repro with Microsoft.Azure.Cosmos.Table, does the st= value in the Sas token look to be formatted any differently?

@ssiltanen
Author

@christothes

The format of the working sas made with Microsoft.Azure.Cosmos.Table:
"sv=2017-07-29&tn=sastest&spk=123&epk=123&sig=<sig>&spr=https&st=2021-01-18T07%3A57%3A42Z&se=2021-02-17T07%3A57%3A42Z&sp=r"

After reading your reply, I tried both removing the start time and setting it back in time 1 minute, but I was unable to make either work. Here are the setups.

let sasStartInPast =
    let builder = adminTableClient.GetSasBuilder(TableSasPermissions.Read, DateTimeOffset.UtcNow.AddMonths 1)
    builder.StartsOn <- DateTimeOffset.UtcNow.AddMinutes(-1.)
    builder.PartitionKeyStart <- partitionKey
    builder.PartitionKeyEnd <- partitionKey
    builder.Protocol <- TableSasProtocol.Https
    let cred = TableSharedKeyCredential(accountName, accountKey)
    builder.Sign(cred)
    
let sasWithoutStart =
    let builder = adminTableClient.GetSasBuilder(TableSasPermissions.Read, DateTimeOffset.UtcNow.AddMonths 1)
    builder.PartitionKeyStart <- partitionKey
    builder.PartitionKeyEnd <- partitionKey
    builder.Protocol <- TableSasProtocol.Https
    let cred = TableSharedKeyCredential(accountName, accountKey)
    builder.Sign(cred)

Both sas tokens result in the same exception as above in the original post:

Azure.RequestFailedException: Service request failed.
Status: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.)

Content:
{"odata.error":{"code":"AuthenticationFailed","message":{"lang":"en-US","value":"Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:21e4a3e8-d002-0043-6e72-eda70b000000\nTime:2021-01-18T08:20:42.8240033Z"}}}

Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: REDACTED
x-ms-error-code: REDACTED
Date: Mon, 18 Jan 2021 08:20:42 GMT
Content-Length: 299
Content-Type: application/json

   at Azure.Data.Tables.TableRestClient.QueryEntitiesWithPartitionAndRowKey(String table, String partitionKey, String rowKey, Nullable`1 timeout, QueryOptions queryOptions, CancellationToken cancellationToken)
   at Azure.Data.Tables.TableClient.GetEntity[T](String partitionKey, String rowKey, IEnumerable`1 select, CancellationToken cancellationToken)
   at <StartupCode$FSI_0020>.$FSI_0020.main@()
Stopped due to error

@christothes
Member

@ssiltanen Thank you - I see the problem now. We were generating the wrong query string argument names for the srk and epk. I'll have a fix out for this shortly.

@ssiltanen
Author

@christothes Wasn't that issue fixed already here #17535?

@christothes
Member

> @christothes Wasn't that issue fixed already here #17535?

That issue was that the values were transposed - but it turns out they were also totally the wrong strings :)
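
As an added example, not code from this thread or from the Azure SDK: an F# script that checks a Table SAS query string for the two causes discussed above, a start time too close to the caller's clock and query parameter names the Table service does not define. The name list is the Table service SAS parameter set from the Azure Storage documentation; `diagnose`, the 5-second margin, the sample clock and the `wrongspk`/`wrongepk` names are assumptions made for illustration.

```fsharp
open System
open System.Globalization

// Query parameter names defined for a Table service SAS (Azure Storage documentation).
let knownTableSasParams =
    set [ "sv"; "tn"; "spk"; "srk"; "epk"; "erk"; "sig"; "spr"; "st"; "se"; "sp"; "si"; "sip" ]

// Split "a=b&c=d" (with or without a leading '?') into decoded (name, value) pairs.
let parseSas (token: string) =
    token.TrimStart('?').Split([| '&' |], StringSplitOptions.RemoveEmptyEntries)
    |> Array.toList
    |> List.map (fun pair ->
        match pair.Split([| '=' |], 2) with
        | [| name; value |] -> name, Uri.UnescapeDataString value
        | parts -> parts.[0], "")

// Hypothetical helper: returns findings; an empty list means nothing suspicious was seen.
let diagnose (now: DateTimeOffset) (margin: TimeSpan) (token: string) =
    let pairs = parseSas token
    let unknown =
        pairs
        |> List.filter (fun (name, _) -> not (knownTableSasParams.Contains name))
        |> List.map (fun (name, _) -> sprintf "'%s' is not a Table SAS parameter name" name)
    let timing =
        pairs
        |> List.choose (fun (name, value) ->
            match name, DateTimeOffset.TryParse(value, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal) with
            | "st", (true, st) when st > now - margin ->
                Some (sprintf "st=%s is less than %O before the caller's clock" value margin)
            | "st", (false, _) -> Some (sprintf "st=%s is not a parsable timestamp" value)
            | _ -> None)
    unknown @ timing

// Token quoted in the thread (its signature is elided there as <sig>).
let working = "sv=2017-07-29&tn=sastest&spk=123&epk=123&sig=<sig>&spr=https&st=2021-01-18T07%3A57%3A42Z&se=2021-02-17T07%3A57%3A42Z&sp=r"
// Constructed token: the partition-range names are replaced with placeholder wrong names.
// The thread does not say which names the beta package actually emitted.
let broken = working.Replace("&spk=", "&wrongspk=").Replace("&epk=", "&wrongepk=")
// Constructed clock: one minute after the st value above.
let now = DateTimeOffset(2021, 1, 18, 7, 58, 42, TimeSpan.Zero)

for label, token in [ "working", working; "broken", broken ] do
    match diagnose now (TimeSpan.FromSeconds 5.0) token with
    | [] -> printfn "%s: no findings" label
    | findings -> findings |> List.iter (printfn "%s: %s" label)
```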
