azure-blob 0.4.2 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7eab2543de0e2e4663211095fd459507761bf270038308464723270506f63ac5
-  data.tar.gz: 1c0b7016bf21df9c1134be50eb2555f14f9f4b76e9a8664e70e003cee5b04208
+  metadata.gz: 94edcaaaa7717925c1fb8238b9e7420949b26c98c90344cbf54930d5e0ff3b19
+  data.tar.gz: aae153da753212659590ed4a3ae029c86cf7ed66b4f924dac1a5f3a5ff3b2e05
 SHA512:
-  metadata.gz: 6f03e61001c0c41ed31661116d5f7ed5d5f95f91e8ded26d40aa72d446119e835c281d852904e00b02f68fd536d0451e4e71401410ab41ec68f7ff97fb030a88
-  data.tar.gz: b0b1beb93ad7b3950bddb41dfb6e04354e08b46e29f5f3db5d474ddd4964cd09d65776a1f57625d103d1e56e9a0d235579372c74a867fa2080beabcfc757395f
+  metadata.gz: 102c3d5fd08761199413e96bd8e4bae8a84ac5478d7bb1202e232fbff346703f7cb3b8f344553983b607dbacec56942452ce18aa0afc184a4c994d31dc94118c
+  data.tar.gz: 646636874dd381757595f82999dd0b7b5647a740512c8e2baf86bdc2045e579cdf78354a4690c746452280efb7ff92cbf9c49c95775ccbcf6a690eb0ae05131f

data/.terraform.lock.hcl

@@ -0,0 +1,22 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+  version     = "3.113.0"
+  constraints = "~> 3.0"
+  hashes = [
+    "h1:eEUtt0lrLdpVaF6FiDq8BGQPgEcykmhj0aNIL7hTOGw=",
+    "zh:12479f5664288943400447b55e50df675c28ae82ad8d373cc2e5682f3a3411f0",
+    "zh:1b42a14e80e568429d3b55fed753ca3ef0df9dcdfa107890d7264599c020940f",
+    "zh:381be6ca617f848de3baa3985a6e1788e91a803afe04a3c5c727453528b6310d",
+    "zh:3e70e2e07b6db1c363de3e5d0ca47f27fc956473df03329c7d2e54d3ac29176b",
+    "zh:87c7633aeaa828098c6055da9e67d4acaf4b46748b6b3f0267e105e55f05de25",
+    "zh:8d0d98226901f874770dd5220d4701a12ae8bd586994615aa7dcba12b9736bec",
+    "zh:9fd913acd42a60c3a90a18ce803567ef861db8779a59aacced91f2cbd86de9d9",
+    "zh:b6f3f7ae0a055437fb36c139af9bb3135e7f4dad172157ae1eb0177dc74d703f",
+    "zh:b927027ba2bf40d34e03d742fd2b6c5299023b5ab8e6f05e50aac76a46ad1094",
+    "zh:ceb5187b9d2a439f4e48944f3ffeeeaf47a03dbe6f3325ea1775bf659ce0aa88",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:fb9d78dfeca7489bffca9b1a1f3abee7f16dbbcba31388aea1102062c1d6dce8",
+  ]
+}

data/CHANGELOG.md

@@ -1,8 +1,14 @@
 ## [Unreleased]
 
+## [0.5.0] 2024-09-09
+
+- Added support for Managed Identities (Entra ID)
+
 ## [0.4.2] 2024-06-06
 
-Documentation
+- Documentation
+- Fix an issue with integrity check on multi block upload
+
 
 ## [0.4.1] 2024-05-27
 

data/README.md

@@ -4,7 +4,7 @@ This gem was built to replace azure-storage-blob (deprecated) in Active Storage,
 
 ## Active Storage
 
-## Migration
+### Migration
 To migrate from azure-storage-blob to azure-blob:
 
 1. Replace `azure-storage-blob` in your Gemfile with `azure-blob`
@@ -12,6 +12,29 @@ To migrate from azure-storage-blob to azure-blob:
 3. Change the `AzureStorage` service to `AzureBlob`  in your Active Storage config (`config/storage.yml`)
 4. Restart or deploy the app.
 
+### Managed Identity (Entra ID)
+
+AzureBlob supports managed identities on :
+- Azure VM
+- App Service
+- Azure Functions (Untested but should work)
+- Azure Containers (Untested but should work)
+
+AKS support will likely require more work. Contributions are welcome.
+
+To authenticate through managed identities instead of a shared key, omit `storage_access_key` from your `storage.yml` file.
+
+It is recommended to add the identity's `principal_id` to the config.
+
+ActiveStorage config example:
+
+```
+prod:
+  service: AzureBlob
+  container: container_name
+  storage_account_name: account_name
+  principal_id: 71b34410-4c50-451d-b456-95ead1b18cce
+```
 
 ## Standalone
 
@@ -42,6 +65,42 @@ For the full list of methods: https://www.rubydoc.info/gems/azure-blob/AzureBlob
 
 ### Dev environment
 
+A dev environment is supplied through Nix with [devenv](https://devenv.sh/).
+
+1. Install [devenv](https://devenv.sh/).
+2. Enter the dev environment by cd into the repo and running `devenv shell` (or `direnv allow` if you are a direnv user).
+3. Log into azure CLI with `az login`
+4. `terraform init`
+5. `terraform apply` This will generate the necessary infrastructure on azure.
+6. Generate devenv.local.nix with your private key and container information: `generate-env-file`
+7. If you are using direnv, the environment will reload automatically. If not, exit the shell and reopen it by hitting <C-d> and running `devenv shell` again.
+
+#### Entra ID
+
+To test with Entra ID, the `AZURE_ACCESS_KEY` environment variable must be unset and the code must be ran or proxied through a VPS with the proper roles.
+
+For cost saving, the terraform variable `create_vm` is false by default.
+To create the VPS, Create a var file `var.tfvars` containing:
+
+```
+create_vm = true
+```
+and re-apply terraform: `terraform apply -var-file=var.tfvars`.
+
+This will create the VPS and required managed identities.
+
+`bin/rake test_azure_vm` and `bin/rake test_app_service` will establish a VPN connection to the VM or App service container and run the test suite. You might be prompted for a sudo password when the VPN starts (sshuttle).
+
+After you are done, run terraform again without the var file (`terraform apply`) to destroy the VPS and App service application.
+
+#### Cleanup
+
+Some tests copied over from Rails don't clean after themselves. A rake task is provided to empty your containers and keep cost low: `bin/rake flush_test_container`
+
+#### Run without devenv/nix
+
+If you prefer not using devenv/nix:
+
 Ensure your version of Ruby fit the minimum version in `azure-blob.gemspec`
 
 and setup those Env variables:
@@ -51,19 +110,6 @@ and setup those Env variables:
 - `AZURE_PRIVATE_CONTAINER`
 - `AZURE_PUBLIC_CONTAINER`
 
-
-A dev environment setup is also supplied through Nix with [devenv](https://devenv.sh/).
-
-To use the Nix environment:
-1. install [devenv](https://devenv.sh/)
-2. Copy `devenv.local.nix.example` to `devenv.local.nix`
-3. Insert your azure credentials into `devenv.local.nix`
-4. Start the shell with `devenv shell` or with [direnv](https://direnv.net/).
-
-### Tests
-
-`bin/rake test`
-
 ## License
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -2,21 +2,57 @@
 
 require "bundler/gem_tasks"
 require "minitest/test_task"
-require 'azure_blob'
+require "azure_blob"
+require_relative "test/support/app_service_vpn"
+require_relative "test/support/azure_vm_vpn"
 
-Minitest::TestTask.create
+Minitest::TestTask.create(:test_rails) do
+  self.test_globs = [ "test/rails/**/test_*.rb",
+                     "test/rails/**/*_test.rb", ]
+end
+
+Minitest::TestTask.create(:test_client) do
+  self.test_globs = [ "test/client/**/test_*.rb",
+                     "test/client/**/*_test.rb", ]
+end
 
 task default: %i[test]
 
+task :test do
+  Rake::Task["test_client"].execute
+  Rake::Task["test_rails"].execute
+end
+
+task :test_app_service do |t|
+  vpn = AppServiceVpn.new
+  ENV["IDENTITY_ENDPOINT"] = vpn.endpoint
+  ENV["IDENTITY_HEADER"] = vpn.header
+  Rake::Task["test_entra_id"].execute
+ensure
+  vpn.kill
+end
+
+task :test_azure_vm do |t|
+  vpn = AzureVmVpn.new
+  Rake::Task["test_entra_id"].execute
+ensure
+  vpn.kill
+end
+
+task :test_entra_id do |t|
+  ENV["AZURE_ACCESS_KEY"] = nil
+  Rake::Task["test"].execute
+end
+
 task :flush_test_container do |t|
   AzureBlob::Client.new(
     account_name: ENV["AZURE_ACCOUNT_NAME"],
     access_key: ENV["AZURE_ACCESS_KEY"],
     container: ENV["AZURE_PRIVATE_CONTAINER"],
-  ).delete_prefix ''
+  ).delete_prefix ""
   AzureBlob::Client.new(
     account_name: ENV["AZURE_ACCOUNT_NAME"],
     access_key: ENV["AZURE_ACCESS_KEY"],
     container: ENV["AZURE_PUBLIC_CONTAINER"],
-  ).delete_prefix ''
+  ).delete_prefix ""
 end

data/azure-blob.gemspec

@@ -13,6 +13,7 @@ Gem::Specification.new do |spec|
   spec.license = "MIT"
   spec.required_ruby_version = ">= 3.1"
 
+  spec.metadata["rubygems_mfa_required"] = "true"
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = spec.homepage
   spec.metadata["changelog_uri"] = "https://github.com/testdouble/azure-blob/blob/main/CHANGELOG.md"

data/devenv.lock

@@ -108,16 +108,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1715542476,
+        "lastModified": 1725001927,
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "44072e24566c5bcc0b7aa9178a0104f4cfffab19",
-        "treeHash": "3f9021e4c33de6fe59b88ac8c3019fc49136dc2a",
+        "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
+        "treeHash": "1e85443cc9f0ba302df2cf61cacb8014943e2d19",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -129,11 +129,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1713939467,
+        "lastModified": 1724737223,
         "owner": "bobvanderlinden",
         "repo": "nixpkgs-ruby",
-        "rev": "c1ba161adf31119cfdbb24489766a7bcd4dbe881",
-        "treeHash": "0d32620317b29f94d6718684f030dd2fc2f30cb2",
+        "rev": "175b5867babcbc471b94be9fd5576f2973bbdb6d",
+        "treeHash": "2fe3404ac0eeb7bcb7ac7b5f5f8b9b6a7e460147",
         "type": "github"
       },
       "original": {
@@ -160,16 +160,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1715542476,
+        "lastModified": 1725001927,
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "44072e24566c5bcc0b7aa9178a0104f4cfffab19",
-        "treeHash": "3f9021e4c33de6fe59b88ac8c3019fc49136dc2a",
+        "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
+        "treeHash": "1e85443cc9f0ba302df2cf61cacb8014943e2d19",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }

data/devenv.nix

@@ -1,12 +1,36 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 
 {
+  env = {
+    LD_LIBRARY_PATH = "${config.devenv.profile}/lib";
+  };
+
   packages = with pkgs; [
     git
     libyaml
+    terraform
+    azure-cli
+    glib
+    vips
+    sshuttle
+    sshpass
+    rsync
   ];
 
-
   languages.ruby.enable = true;
-  languages.ruby.version = "3.1.5";
+  languages.ruby.version = "3.1.6";
+
+  scripts.generate-env-file.exec = ''
+    terraform output -raw devenv_local_nix > devenv.local.nix
+  '';
+
+  scripts.proxy-vps.exec = ''
+    exec sshuttle -e "ssh -o CheckHostIP=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" -r "$(terraform output --raw vm_username)@$(terraform output --raw vm_ip)" 0/0
+  '';
+
+  scripts.start-app-service-ssh.exec = ''
+      resource_group=$(terraform output --raw "resource_group")
+      app_name=$(terraform output --raw "app_service_app_name")
+      exec az webapp create-remote-connection --resource-group $resource_group --name $app_name
+  '';
 }

data/devenv.yaml

@@ -1,6 +1,6 @@
 allowUnfree: true
 inputs:
   nixpkgs:
-    url: github:NixOS/nixpkgs/nixos-23.11
+    url: github:NixOS/nixpkgs/nixos-24.05
   nixpkgs-ruby:
     url: github:bobvanderlinden/nixpkgs-ruby

data/input.tf

@@ -0,0 +1,44 @@
+variable "location" {
+  type    = string
+  default = "westus2"
+}
+
+variable "prefix" {
+  type    = string
+  default = "azure-blob"
+}
+
+variable "storage_account_name" {
+  type    = string
+  default = "azureblobrubygemdev"
+}
+
+variable "create_vm" {
+  type    = bool
+  default = false
+}
+
+variable "vm_size" {
+  type    = string
+  default = "Standard_B2s"
+}
+
+variable "vm_username" {
+  type    = string
+  default = "azureblob"
+}
+
+variable "vm_password" {
+  type    = string
+  default = "qwe123QWE!@#"
+}
+
+variable "create_app_service" {
+  type    = bool
+  default = false
+}
+
+variable "ssh_key" {
+  type    = string
+  default = ""
+}

data/lib/active_storage/service/azure_blob_service.rb

@@ -35,7 +35,7 @@ module ActiveStorage
   class Service::AzureBlobService < Service
     attr_reader :client, :container, :signer
 
-    def initialize(storage_account_name:, storage_access_key:, container:, public: false, **options)
+    def initialize(storage_account_name:, storage_access_key: nil, container:, public: false, **options)
       @container = container
       @public = public
       @client = AzureBlob::Client.new(

data/lib/azure_blob/client.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
 
-require_relative "signer"
 require_relative "block_list"
 require_relative "blob_list"
 require_relative "blob"
 require_relative "http"
+require_relative "shared_key_signer"
+require_relative "entra_id_signer"
 require "time"
 require "base64"
 
@@ -12,10 +13,13 @@ module AzureBlob
   # AzureBlob Client class. You interact with the Azure Blob api
   # through an instance of this class.
   class Client
-    def initialize(account_name:, access_key:, container:)
+    def initialize(account_name:, access_key:, container:, **options)
       @account_name = account_name
       @container = container
-      @signer = Signer.new(account_name:, access_key:)
+
+      @signer = !access_key.nil? && !access_key.empty?  ?
+        AzureBlob::SharedKeySigner.new(account_name:, access_key:) :
+        AzureBlob::EntraIdSigner.new(account_name:, **options.slice(:principal_id))
     end
 
     # Create a blob of type block. Will automatically split the the blob in multiple block and send the blob in pieces (blocks) if the blob is too big.

data/lib/azure_blob/entra_id_signer.rb

@@ -0,0 +1,115 @@
+require "base64"
+require "openssl"
+require "net/http"
+require "rexml/document"
+
+require_relative "canonicalized_resource"
+require_relative "identity_token"
+
+require_relative "user_delegation_key"
+
+module AzureBlob
+  class EntraIdSigner # :nodoc:
+    attr_reader :token
+    attr_reader :account_name
+
+    def initialize(account_name:, principal_id: nil)
+      @token = AzureBlob::IdentityToken.new(principal_id:)
+      @account_name = account_name
+    end
+
+    def authorization_header(uri:, verb:, headers: {})
+      "Bearer #{token}"
+    end
+
+    def sas_token(uri, options = {})
+      to_sign = [
+        options[:permissions],
+        options[:start],
+        options[:expiry],
+        CanonicalizedResource.new(uri, account_name, url_safe: false, service_name: :blob),
+        delegation_key.signed_oid,
+        delegation_key.signed_tid,
+        delegation_key.signed_start,
+        delegation_key.signed_expiry,
+        delegation_key.signed_service,
+        delegation_key.signed_version,
+        nil,
+        nil,
+        nil,
+        options[:ip],
+        options[:protocol],
+        SAS::Version,
+        SAS::Resources::Blob,
+        nil,
+        nil,
+        nil,
+        options[:content_disposition],
+        nil,
+        nil,
+        options[:content_type],
+      ].join("\n")
+
+      query = {
+        SAS::Fields::Permissions => options[:permissions],
+        SAS::Fields::Start => options[:start],
+        SAS::Fields::Expiry => options[:expiry],
+
+        SAS::Fields::SignedObjectId => delegation_key.signed_oid,
+        SAS::Fields::SignedTenantId => delegation_key.signed_tid,
+        SAS::Fields::SignedKeyStartTime => delegation_key.signed_start,
+        SAS::Fields::SignedKeyExpiryTime => delegation_key.signed_expiry,
+        SAS::Fields::SignedKeyService => delegation_key.signed_service,
+        SAS::Fields::Signedkeyversion => delegation_key.signed_version,
+
+
+        SAS::Fields::SignedIp => options[:ip],
+        SAS::Fields::SignedProtocol => options[:protocol],
+        SAS::Fields::Version => SAS::Version,
+        SAS::Fields::Resource => SAS::Resources::Blob,
+
+        SAS::Fields::Disposition => options[:content_disposition],
+        SAS::Fields::Type => options[:content_type],
+        SAS::Fields::Signature => sign(to_sign, key: delegation_key.to_s),
+
+      }.reject { |_, value| value.nil? }
+
+      URI.encode_www_form(**query)
+    end
+
+    private
+
+    def delegation_key
+      @delegation_key ||= UserDelegationKey.new(account_name:, signer: self)
+    end
+
+    def sign(body, key:)
+      Base64.strict_encode64(OpenSSL::HMAC.digest("sha256", key, body))
+    end
+
+    module SAS # :nodoc:
+      Version = "2024-05-04"
+      module Fields # :nodoc:
+        Permissions = :sp
+        Version = :sv
+        Start = :st
+        Expiry = :se
+        Resource = :sr
+        Signature = :sig
+        Disposition = :rscd
+        Type = :rsct
+        SignedObjectId = :skoid
+        SignedTenantId = :sktid
+        SignedKeyStartTime = :skt
+        SignedKeyExpiryTime = :ske
+        SignedKeyService = :sks
+        Signedkeyversion = :skv
+        SignedIp = :sip
+        SignedProtocol = :spr
+      end
+      module Resources # :nodoc:
+        Blob = :b
+      end
+    end
+  end
+end

data/lib/azure_blob/http.rb

@@ -7,7 +7,14 @@ require "rexml"
 
 module AzureBlob
   class Http # :nodoc:
-    class Error < AzureBlob::Error; end
+    class Error < AzureBlob::Error
+      attr_reader :body, :status
+      def initialize(body: nil, status: nil)
+        @body = body
+        @status = status
+        super(body)
+      end
+    end
     class FileNotFoundError < Error; end
     class ForbidenError < Error; end
     class IntegrityError < Error; end
@@ -44,6 +51,15 @@ module AzureBlob
       true
     end
 
+    def post(content)
+      sign_request("POST") if signer
+      @response = http.start do |http|
+        http.post(uri, content, headers)
+      end
+      raise_error  unless success?
+      response.body
+    end
+
     def head
       sign_request("HEAD") if signer
       @response = http.start do |http|
@@ -91,7 +107,7 @@ module AzureBlob
     end
 
     def raise_error
-      raise error_from_response.new(@response.body)
+      raise error_from_response.new(body: @response.body, status: @response.code&.to_i)
     end
 
     def status

data/lib/azure_blob/identity_token.rb

@@ -0,0 +1,65 @@
+require "json"
+
+module AzureBlob
+  class IdentityToken
+    RESOURCE_URI = "https://storage.azure.com/"
+    EXPIRATION_BUFFER = 600 # 10 minutes
+
+    IDENTITY_ENDPOINT = ENV["IDENTITY_ENDPOINT"] || "http://169.254.169.254/metadata/identity/oauth2/token"
+    API_VERSION = ENV["IDENTITY_ENDPOINT"] ? "2019-08-01" : "2018-02-01"
+
+    def initialize(principal_id: nil)
+      @identity_uri = URI.parse(IDENTITY_ENDPOINT)
+      params = {
+        'api-version': API_VERSION,
+        resource: RESOURCE_URI,
+      }
+      params[:principal_id] = principal_id if principal_id
+      @identity_uri.query = URI.encode_www_form(params)
+    end
+
+    def to_s
+      refresh if expired?
+      token
+    end
+
+    private
+
+    def expired?
+      token.nil? || Time.now >= (expiration - EXPIRATION_BUFFER)
+    end
+
+    def refresh
+      headers =  { "Metadata" => "true" }
+      headers["X-IDENTITY-HEADER"] = ENV["IDENTITY_HEADER"] if ENV["IDENTITY_HEADER"]
+
+      attempt = 0
+      begin
+        attempt += 1
+        response = JSON.parse(AzureBlob::Http.new(identity_uri, headers).get)
+      rescue AzureBlob::Http::Error => error
+        if should_retry?(error, attempt)
+          attempt = 1 if error.status == 410
+          delay = exponential_backoff(error, attempt)
+          Kernel.sleep(delay)
+          retry
+        end
+        raise
+      end
+      @token = response["access_token"]
+      @expiration = Time.at(response["expires_on"].to_i)
+    end
+
+    def should_retry?(error, attempt)
+      is_500 = error.status/500 == 1
+      (is_500 || [ 404, 408, 410, 429 ].include?(error.status)) && attempt < 5
+    end
+
+    def exponential_backoff(error, attempt)
+      EXPONENTIAL_BACKOFF[attempt -1] || raise(AzureBlob::Error.new("Exponential backoff out of bounds!"))
+    end
+    EXPONENTIAL_BACKOFF = [ 2, 6, 14, 30 ]
+
+    attr_reader :identity_uri, :expiration, :token
+  end
+end

data/lib/azure_blob/{signer.rb → shared_key_signer.rb}

@@ -6,7 +6,7 @@ require_relative "canonicalized_headers"
 require_relative "canonicalized_resource"
 
 module AzureBlob
-  class Signer # :nodoc:
+  class SharedKeySigner # :nodoc:
     def initialize(account_name:, access_key:)
       @account_name = account_name
       @access_key = Base64.decode64(access_key)
@@ -71,12 +71,12 @@ module AzureBlob
       URI.encode_www_form(**query)
     end
 
+    private
+
     def sign(body)
       Base64.strict_encode64(OpenSSL::HMAC.digest("sha256", access_key, body))
     end
 
-    private
-
     def sanitize_headers(headers)
       headers = headers.dup
       headers[:"Content-Length"] = nil if headers[:"Content-Length"].to_i == 0

data/lib/azure_blob/user_delegation_key.rb

@@ -0,0 +1,67 @@
+require_relative "http"
+
+module AzureBlob
+  class UserDelegationKey # :nodoc:
+    EXPIRATION = 25200 # 7 hours
+    EXPIRATION_BUFFER = 3600 # 1 hours
+    def initialize(account_name:, signer:)
+      @uri = URI.parse(
+        "https://#{account_name}.blob.core.windows.net/?restype=service&comp=userdelegationkey"
+      )
+
+      @signer = signer
+
+      refresh
+    end
+
+    def to_s
+      user_delegation_key
+    end
+
+    def refresh
+      return unless expired?
+      now = Time.now.utc
+
+
+      start = now.iso8601
+      @expiration = (now + EXPIRATION)
+      expiry = @expiration.iso8601
+
+      content = <<-XML.gsub!(/[[:space:]]+/, " ").strip!
+        <?xml version="1.0" encoding="utf-8"?>
+        <KeyInfo>
+            <Start>#{start}</Start>
+            <Expiry>#{expiry}</Expiry>
+        </KeyInfo>
+      XML
+
+      response  = Http.new(uri, signer:).post(content)
+
+      doc = REXML::Document.new(response)
+
+      @signed_oid  = doc.get_elements("/UserDelegationKey/SignedOid").first.get_text.to_s
+      @signed_tid = doc.get_elements("/UserDelegationKey/SignedTid").first.get_text.to_s
+      @signed_start = doc.get_elements("/UserDelegationKey/SignedStart").first.get_text.to_s
+      @signed_expiry = doc.get_elements("/UserDelegationKey/SignedExpiry").first.get_text.to_s
+      @signed_service = doc.get_elements("/UserDelegationKey/SignedService").first.get_text.to_s
+      @signed_version = doc.get_elements("/UserDelegationKey/SignedVersion").first.get_text.to_s
+      @user_delegation_key = Base64.decode64(doc.get_elements("/UserDelegationKey/Value").first.get_text.to_s)
+    end
+
+    attr_reader :signed_oid,
+      :signed_tid,
+      :signed_start,
+      :signed_expiry,
+      :signed_service,
+      :signed_version,
+      :user_delegation_key
+
+    private
+
+    def expired?
+      expiration.nil? || Time.now >= (expiration - EXPIRATION_BUFFER)
+    end
+
+    attr_reader :uri, :user_delegation_key, :signer, :expiration
+  end
+end

data/lib/azure_blob/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AzureBlob
-  VERSION = "0.4.2"
+  VERSION = "0.5.0"
 end

data/main.tf

@@ -0,0 +1,187 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>3.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+locals {
+  public_ssh_key = var.ssh_key != "" ? var.ssh_key : file("~/.ssh/id_rsa.pub")
+}
+
+resource "azurerm_resource_group" "main" {
+  name     = var.prefix
+  location = var.location
+  tags = {
+    source = "Terraform"
+  }
+}
+
+resource "azurerm_storage_account" "main" {
+  name                     = var.storage_account_name
+  resource_group_name      = azurerm_resource_group.main.name
+  location                 = azurerm_resource_group.main.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+
+  tags = {
+    source = "Terraform"
+  }
+}
+
+resource "azurerm_storage_container" "private" {
+  name                  = "private"
+  storage_account_name  = azurerm_storage_account.main.name
+  container_access_type = "private"
+}
+
+resource "azurerm_storage_container" "public" {
+  name                  = "public"
+  storage_account_name  = azurerm_storage_account.main.name
+  container_access_type = "blob"
+}
+
+resource "azurerm_virtual_network" "main" {
+  count               = var.create_vm ? 1 : 0
+  name                = "${var.prefix}-network"
+  address_space       = ["10.0.0.0/16"]
+  location            = azurerm_resource_group.main.location
+  resource_group_name = azurerm_resource_group.main.name
+
+  tags = {
+    source = "Terraform"
+  }
+}
+
+resource "azurerm_subnet" "main" {
+  count                = var.create_vm ? 1 : 0
+  name                 = "${var.prefix}-main"
+  resource_group_name  = azurerm_resource_group.main.name
+  virtual_network_name = azurerm_virtual_network.main[0].name
+  address_prefixes     = ["10.0.2.0/24"]
+}
+
+resource "azurerm_network_interface" "main" {
+  count               = var.create_vm ? 1 : 0
+  name                = "${var.prefix}-nic"
+  location            = azurerm_resource_group.main.location
+  resource_group_name = azurerm_resource_group.main.name
+
+  ip_configuration {
+    name                          = "${var.prefix}-ip-config"
+    subnet_id                     = azurerm_subnet.main[0].id
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = azurerm_public_ip.main[0].id
+  }
+
+  tags = {
+    source = "Terraform"
+  }
+}
+
+resource "azurerm_public_ip" "main" {
+  count               = var.create_vm ? 1 : 0
+  name                = "${var.prefix}-public-ip"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+  allocation_method   = "Static"
+
+  tags = {
+    source = "Terraform"
+  }
+}
+
+resource "azurerm_user_assigned_identity" "vm" {
+  location            = azurerm_resource_group.main.location
+  name                = "${var.prefix}-vm"
+  resource_group_name = azurerm_resource_group.main.name
+}
+
+
+resource "azurerm_role_assignment" "vm" {
+  scope                = azurerm_storage_account.main.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_user_assigned_identity.vm.principal_id
+}
+
+resource "azurerm_linux_virtual_machine" "main" {
+  count                           = var.create_vm ? 1 : 0
+  name                            = "${var.prefix}-vm"
+  computer_name                   = var.prefix
+  resource_group_name             = azurerm_resource_group.main.name
+  location                        = azurerm_resource_group.main.location
+  size                            = var.vm_size
+  admin_username                  = var.vm_username
+  admin_password                  = var.vm_password
+  disable_password_authentication = true
+  network_interface_ids           = [azurerm_network_interface.main[0].id]
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.vm.id]
+  }
+
+  admin_ssh_key {
+    username   = var.vm_username
+    public_key = local.public_ssh_key
+  }
+
+  source_image_reference {
+    publisher = "Canonical"
+    offer     = "0001-com-ubuntu-server-jammy"
+    sku       = "22_04-lts"
+    version   = "latest"
+  }
+
+  os_disk {
+    caching              = "ReadWrite"
+    storage_account_type = "Standard_LRS"
+  }
+
+  tags = {
+    source = "Terraform"
+  }
+}
+
+resource "azurerm_service_plan" "main" {
+  count               = var.create_app_service ? 1 : 0
+  name                = "${var.prefix}-appserviceplan"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+  os_type             = "Linux"
+  sku_name            = "B1"
+}
+
+resource "azurerm_linux_web_app" "main" {
+  count               = var.create_app_service ? 1 : 0
+  name                = "${var.prefix}-app"
+  service_plan_id     = azurerm_service_plan.main[0].id
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.vm.id]
+  }
+
+  site_config {
+    application_stack {
+      node_version = "20-lts"
+    }
+  }
+}
+
+resource "azurerm_app_service_source_control" "main" {
+  count                  = var.create_app_service ? 1 : 0
+  app_id                 = azurerm_linux_web_app.main[0].id
+  repo_url               = "https://github.com/Azure-Samples/nodejs-docs-hello-world"
+  branch                 = "master"
+  use_manual_integration = true
+  use_mercurial          = false
+}

data/output.tf

@@ -0,0 +1,30 @@
+output "devenv_local_nix" {
+  sensitive = true
+  value     = <<EOT
+{pkgs, lib, ...}:{
+  env = {
+    AZURE_ACCOUNT_NAME = "${azurerm_storage_account.main.name}";
+    AZURE_ACCESS_KEY = "${azurerm_storage_account.main.primary_access_key}";
+    AZURE_PRIVATE_CONTAINER = "${azurerm_storage_container.private.name}";
+    AZURE_PUBLIC_CONTAINER = "${azurerm_storage_container.public.name}";
+    AZURE_PRINCIPAL_ID = "${azurerm_user_assigned_identity.vm.principal_id}";
+  };
+}
+EOT
+}
+
+output "vm_ip" {
+  value = var.create_vm ? azurerm_public_ip.main[0].ip_address : ""
+}
+
+output "vm_username" {
+  value = var.vm_username
+}
+
+output "app_service_app_name" {
+  value = var.create_app_service ? azurerm_linux_web_app.main[0].name : ""
+}
+
+output "resource_group" {
+  value = azurerm_resource_group.main.name
+}

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: azure-blob
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.5.0
 platform: ruby
 authors:
 - Joé Dupuis
@@ -34,6 +34,7 @@ files:
 - ".envrc"
 - ".rubocop.yml"
 - ".standard.yml"
+- ".terraform.lock.hcl"
 - CHANGELOG.md
 - LICENSE.txt
 - README.md
@@ -43,6 +44,7 @@ files:
 - devenv.lock
 - devenv.nix
 - devenv.yaml
+- input.tf
 - lib/active_storage/service/azure_blob_service.rb
 - lib/azure_blob.rb
 - lib/azure_blob/blob.rb
@@ -52,15 +54,21 @@ files:
 - lib/azure_blob/canonicalized_resource.rb
 - lib/azure_blob/client.rb
 - lib/azure_blob/const.rb
+- lib/azure_blob/entra_id_signer.rb
 - lib/azure_blob/errors.rb
 - lib/azure_blob/http.rb
+- lib/azure_blob/identity_token.rb
 - lib/azure_blob/metadata.rb
-- lib/azure_blob/signer.rb
+- lib/azure_blob/shared_key_signer.rb
+- lib/azure_blob/user_delegation_key.rb
 - lib/azure_blob/version.rb
+- main.tf
+- output.tf
 homepage: https://github.com/testdouble/azure-blob
 licenses:
 - MIT
 metadata:
+  rubygems_mfa_required: 'true'
   homepage_uri: https://github.com/testdouble/azure-blob
   source_code_uri: https://github.com/testdouble/azure-blob
   changelog_uri: https://github.com/testdouble/azure-blob/blob/main/CHANGELOG.md