azurite doesn't authenticate sas tokens generated for sv=2021-04-10

Which service(blob, file, queue, table) does this issue concern?

blob

Which version of the Azurite was used?

azurite:3.16.0

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

DockerHub

What’s the Node.js version?

N/A

What problem was encountered?

Blob read urls generated with sv=2021-04-10 (using python package azure-storage-blob==12.10.0) don’t work with azurite 3.16.0. Tokens generated with same code against real azure storage servers work.

Steps to reproduce the issue?

Generate read access urls, e.g. with:

    def get_read_access_blob_url(self, container_name, blob_name):
        """
        Get a read access url for a blob. Url will be valid for one hour
        :param container_name: string, name of container
        :param blob_name: string, name of blob to generate url for
        :return: string
        """

        current_datetime_in_utc = datetime.datetime.utcnow()

        # start should be at beginning of previous hour
        start = (current_datetime_in_utc - datetime.timedelta(hours=1)).replace(minute=0, second=0)

        # expiry should be at end of next hour
        expiry = (current_datetime_in_utc + datetime.timedelta(hours=1)).replace(minute=59, second=59)

        shared_access_signature_token = azure.storage.blob.generate_blob_sas(
            account_name=self._blob_service_client.account_name,
            account_key=self._blob_service_client.credential.account_key,
            container_name=container_name,
            blob_name=blob_name,
            permission=azure.storage.blob.BlobSasPermissions(read=True),
            start=start,
            expiry=expiry,
            content_type='image/jpeg')

        blob_client = self._blob_service_client.get_blob_client(
            container=container_name,
            blob=blob_name)

        return "{blob_url}?{shared_access_signature_token}".format(
            blob_url=blob_client.url, shared_access_signature_token=shared_access_signature_token)

then access them. Here’s an example url used to access azurite container, and the response:

http "http://localhost:10000/devstoreaccount1/photos/2d705c9f-69b1-4f33-adfd-fc2abb31e572/7c9f1df0-9937-4bfa-b56b-b3c517120217.jpg?st=2022-03-24T03%3A00%3A00Z&se=2022-03-24T05%3A59%3A59Z&sp=rt&sv=2021-04-10&sr=b&rsct=image/jpeg&sig=Up20oUr/r00MAbndKVCt9AgaiJ2YOSsprdbutL1NhQA%3D" --verbose
GET /devstoreaccount1/photos/2d705c9f-69b1-4f33-adfd-fc2abb31e572/7c9f1df0-9937-4bfa-b56b-b3c517120217.jpg?st=2022-03-24T03%3A00%3A00Z&se=2022-03-24T05%3A59%3A59Z&sp=rt&sv=2021-04-10&sr=b&rsct=image/jpeg&sig=Up20oUr/r00MAbndKVCt9AgaiJ2YOSsprdbutL1NhQA%3D HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost:10000
User-Agent: HTTPie/3.0.2



HTTP/1.1 403 Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.
Connection: keep-alive
Date: Thu, 24 Mar 2022 04:25:13 GMT
Keep-Alive: timeout=5
Server: Azurite-Blob/3.16.0
Transfer-Encoding: chunked
content-type: application/xml
x-ms-error-code: AuthorizationFailure
x-ms-request-id: 123257fa-2e2d-42cb-9a60-d7ebf8d3fa65

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Error>
  <Code>AuthorizationFailure</Code>
  <Message>Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.
RequestId:123257fa-2e2d-42cb-9a60-d7ebf8d3fa65
Time:2022-03-24T04:25:13.829Z</Message>
</Error>

If possible, please provide the debug log using the -d parameter, replacing <pathtodebuglog> with an appropriate path for your OS, or review the instructions for docker containers:

Debug file: debug.txt

(Only the last couple of lines should be relevant. Most of the log messages before are due to my data bootstrap code that runs without any hiccups)

Have you found a mitigation/solution?

Generating sas tokens with sv=2020-06-12