gitlab-fog-azure-rm 2.1.0 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d92167cf3193f73d9c97ae76465057206f076c4f2a14e1f8a12c677d77ca2f0
-  data.tar.gz: 04fce79fa98d5f6dbb512dc974678be18ccb45cc84921c6914e61a60f4a6a62c
+  metadata.gz: fa5ac286afc5ba0f3066194079050eb837ec86bb0e23a0e879ae34b6ccd18242
+  data.tar.gz: cc8affe1faf1d79f910c7d7e232386b592472981738a3122922ad370d4406294
 SHA512:
-  metadata.gz: a4eca952fa0daa27b5149654960ae75b4b875d128114388f2cc539b3a3e1bdd2874e03456f60b8da7a2b05f5d994cdcd58962940e2abc1c328bdddfec2f86960
-  data.tar.gz: b503003e15965b9076b1ad75b25fd1282dfae71f4eacd806be13c6bc004a9bad5843c491c568fe4ff7cc42e09f9d6ac367c4fc7db9b27efa62288badb5f3477b
+  metadata.gz: 90faba724967de441a00eef32538b14dfbfbbce8a225d7052c965bd69110ab434316484da41b6b6de6e8ad3c7bf3cb5009cd25d634419f402a5fa31616f4764b
+  data.tar.gz: 7e9a772cdd278514751f4e3cd167ebe54c4c63b451c95ea701f48b475b5810638a8b847c6724e3ccf707152dbd4e509d45d2fe5ce897a2173ea88b9d5ea80c93

data/.rubocop.yml

@@ -6,3 +6,7 @@ AllCops:
   Exclude:
     - 'lib/azure/**/*'
     - 'vendor/**/*'
+
+Style/Documentation:
+  Exclude:
+    - 'test/**/*'

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## Unreleased
 
+## 2.3.0
+
+- Bump default Azure Blob and SAS API versions to 2025-07-05 !56
+
+## 2.2.0
+
+- Add support for workflow and managed identities !54
+
 ## 2.1.0
 
 - Drop IPAddr patches !52

data/gitlab-fog-azure-rm.gemspec

@@ -22,6 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rubocop', '~> 0.89.1'
   spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'webmock'
   spec.add_development_dependency 'webrick', '~> 1.8'
 
   spec.add_dependency 'faraday', "~> 2.0"

data/lib/azure/storage/blob/blob_service.rb

@@ -27,6 +27,7 @@ require "azure/storage/blob/page"
 require "azure/storage/blob/block"
 require "azure/storage/blob/append"
 require "azure/storage/blob/blob"
+require 'azure/storage/blob/default'
 
 module Azure::Storage
   include Azure::Storage::Common::Service
@@ -126,6 +127,8 @@ module Azure::Storage
       #
       # Accepted key/value pairs in options parameter are:
       #
+
+      # * +:api_version+                    - String. Override the default Blob service API version.
       # * +:use_development_storage+        - TrueClass|FalseClass. Whether to use storage emulator.
       # * +:development_storage_proxy_uri+  - String. Used with +:use_development_storage+ if emulator is hosted other than localhost.
       # * +:storage_connection_string+      - String. The storage connection string.

data/lib/azure/storage/blob/default.rb

@@ -29,7 +29,7 @@ require "rbconfig"
 module Azure::Storage::Blob
   module Default
     # Default REST service (STG) version number
-    STG_VERSION = "2018-11-09"
+    STG_VERSION = "2025-07-05"
 
     # The number of default concurrent requests for parallel operation.
     DEFAULT_PARALLEL_OPERATION_THREAD_COUNT = 1

data/lib/azure/storage/common/core/auth/shared_access_signature_generator.rb

@@ -215,6 +215,7 @@ module Azure::Storage::Common::Core
       end
 
       # Construct the plaintext to the spec required for signatures
+      # See https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas
       # @return [String]
       def signable_string_for_service(service_type, path, options)
         # Order is significant
@@ -236,8 +237,17 @@ module Azure::Storage::Common::Core
             @user_delegation_key.signed_start,
             @user_delegation_key.signed_expiry,
             @user_delegation_key.signed_service,
-            @user_delegation_key.signed_version
+            @user_delegation_key.signed_version,
+            # User delegation fields (supported since 2020-02-10)
+            options[:signed_authorized_user_object_id] || "",    # saoid
+            options[:signed_unauthorized_user_object_id] || "",  # suoid
+            options[:signed_correlation_id] || "",               # scid
+            # For 2025-07-05 USER DELEGATION SAS ONLY, add two empty lines after correlation ID
+            # This is the critical difference that was causing the signature mismatch with 2018-11-09.
+            "",
+            ""
           ]
+
         end
 
         signable_fields.concat [
@@ -248,7 +258,8 @@ module Azure::Storage::Common::Core
 
         signable_fields.concat [
           options[:resource],
-          options[:timestamp]
+          options[:timestamp] || "",
+          options[:signed_encryption_scope] || ""
         ] if service_type == Azure::Storage::Common::ServiceType::BLOB
 
         signable_fields.concat [

data/lib/azure/storage/common/default.rb

@@ -30,7 +30,7 @@ require "azure/storage/common/version"
 module Azure::Storage::Common
   module Default
     # Default REST service (STG) version number. This is used only for SAS generator.
-    STG_VERSION = "2018-11-09"
+    STG_VERSION = "2025-07-05"
 
     # The number of default concurrent requests for parallel operation.
     DEFAULT_PARALLEL_OPERATION_THREAD_COUNT = 1

data/lib/fog/azurerm/identity/base_client.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: trues
+
+require 'json'
+
+module Fog
+  module AzureRM
+    module Identity
+      # BaseClient is responsible for fetching credentials and refreshing
+      # them when necessary.
+      class BaseClient
+        include Fog::AzureRM::Utilities::General
+        attr_accessor :credentials
+
+        FetchCredentialsError = Class.new(RuntimeError)
+
+        DEFAULT_TIMEOUT_S = 30
+
+        def fetch_credentials
+          raise NotImplementedError
+        end
+
+        def fetch_credentials_if_needed
+          @credentials = fetch_credentials if @credentials.nil? || refresh_needed?
+
+          credentials
+        end
+
+        def refresh_needed?
+          return true unless @credentials
+
+          @credentials.refresh_needed?
+        end
+
+        protected
+
+        def process_token_response(response)
+          # If we get an unauthorized error, raising an exception allows the admin
+          # diagnose the error with the federated credentials.
+          raise FetchCredentialsError, response.to_s unless response.success?
+
+          body = ::JSON.parse(response.body)
+          access_token = body['access_token']
+
+          return unless access_token
+
+          expires_at = ::Time.now
+          expires_on = body['expires_on']
+          expires_at = ::Time.at(expires_on.to_i) if expires_on
+
+          Credentials.new(access_token, expires_at)
+        rescue ::JSON::ParserError # rubocop:disable Lint/SuppressedException
+        end
+
+        private
+
+        def get(url, params: nil, headers: nil)
+          Faraday.get(url, params, headers) do |req|
+            req.options.timeout = DEFAULT_TIMEOUT_S
+          end
+        rescue ::Faraday::Error => e
+          raise FetchCredentialsError, e.to_s
+        end
+
+        def post(url, body: nil, headers: nil)
+          Faraday.post(url, body, headers) do |req|
+            req.options.timeout = DEFAULT_TIMEOUT_S
+          end
+        rescue ::Faraday::Error => e
+          raise FetchCredentialsError, e.to_s
+        end
+      end
+    end
+  end
+end

data/lib/fog/azurerm/identity/credentials.rb

@@ -0,0 +1,23 @@
+module Fog
+  module AzureRM
+    module Identity
+      # Credentials stores the access token and its expiry.
+      class Credentials
+        attr_accessor :token, :expires_at
+
+        EXPIRATION_BUFFER = 600 # 10 minutes
+
+        def initialize(token, expires_at)
+          @token = token
+          @expires_at = expires_at
+        end
+
+        def refresh_needed?
+          return true unless expires_at
+
+          Time.now >= expires_at + EXPIRATION_BUFFER
+        end
+      end
+    end
+  end
+end

data/lib/fog/azurerm/identity/default_credentials.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'json'
+require_relative 'base_client'
+
+module Fog
+  module AzureRM
+    # DefaultCredentials attempts to resolve the credentials necessary to access
+    # the Azure service.
+    class DefaultCredentials
+      def initialize(options)
+        @options = options
+        @credential_client = nil
+        @credentials = nil
+      end
+
+      def fetch_credentials_if_needed
+        return unless credential_client
+
+        credential_client.fetch_credentials_if_needed
+      end
+
+      private
+
+      attr_reader :options
+
+      def credential_client
+        return @credential_client if @credential_client
+
+        clients = [
+          Fog::AzureRM::Identity::WorkflowIdentityClient,
+          Fog::AzureRM::Identity::ManagedIdentityClient
+        ]
+
+        credentials = nil
+        clients.each do |klass|
+          client = klass.new(options)
+
+          begin
+            credentials = client.fetch_credentials
+          rescue Fog::AzureRM::Identity::BaseClient::FetchCredentialsError
+            next
+          end
+
+          if credentials
+            @credential_client = client
+            break
+          end
+        end
+
+        return unless credentials
+
+        @credentials = credentials
+        @credentials
+      end
+    end
+  end
+end

data/lib/fog/azurerm/identity/managed_identity_client.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'faraday'
+
+module Fog
+  module AzureRM
+    module Identity
+      IDENTITY_ENDPOINT = 'http://169.254.169.254/metadata/identity/oauth2/token'
+      API_VERSION = '2018-02-01'
+
+      # ManagedIdentityClient fetches temporary credentials from the instance metadata endpoint.
+      class ManagedIdentityClient < BaseClient
+        include Fog::AzureRM::Utilities::General
+
+        attr_reader :resource
+
+        def initialize(options)
+          super()
+          @environment = options[:environment]
+          @resource = storage_resource(@environment)
+        end
+
+        # This method obtains a token via the Azure Instance Metadata Service (IMDS) endpoint:
+        # https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
+        def fetch_credentials
+          url = "#{identity_endpoint}?api-version=#{api_version}&resource=#{CGI.escape(resource)}"
+
+          client_id = ENV['AZURE_CLIENT_ID']
+          url += "&client_id=#{client_id}" if client_id
+
+          headers = { 'Metadata' => 'true' }
+          headers['X-IDENTITY-HEADER'] = ENV['IDENTITY_HEADER'] if ENV['IDENTITY_HEADER']
+
+          response = get(url, headers: headers)
+          process_token_response(response)
+        end
+
+        private
+
+        def identity_endpoint
+          ENV['IDENTITY_ENDPOINT'] || IDENTITY_ENDPOINT
+        end
+
+        def api_version
+          ENV['IDENTITY_ENDPOINT'] ? '2019-08-01' : API_VERSION
+        end
+      end
+    end
+  end
+end

data/lib/fog/azurerm/identity/workflow_identity_client.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Fog
+  module AzureRM
+    module Identity
+      # WorkflowIdentityClient attempts to fetch credentials for Azure Workflow Identity
+      # via the following environment variables:
+      #
+      # - AZURE_AUTHORITY_HOST - This can be used to override the default authority URL.
+      # - AZURE_TENANT_ID
+      # - AZURE_CLIENT_ID
+      # - AZURE_FEDERATED_TOKEN_FILE - This is a filename that stores the JWT token that
+      #   is exchanged for an OAuth2 token.
+      class WorkflowIdentityClient < BaseClient
+        include Fog::AzureRM::Utilities::General
+
+        attr_accessor :environment, :resource, :authority, :tenant_id, :client_id, :token_file
+
+        def initialize(options)
+          super()
+          @environment = options[:environment]
+          @resource = storage_resource(@environment)
+          @authority = ENV['AZURE_AUTHORITY_HOST'] || authority_url(@environment)
+          @tenant_id = ENV['AZURE_TENANT_ID']
+          @client_id = ENV['AZURE_CLIENT_ID']
+          @token_file = ENV['AZURE_FEDERATED_TOKEN_FILE']
+
+          normalize_authority!
+        end
+
+        def fetch_credentials
+          return unless authority && tenant_id && client_id
+          return unless ::File.exist?(token_file) && ::File.readable?(token_file)
+
+          oidc_token = ::File.read(token_file)
+          token_url = "#{authority}/#{tenant_id}/oauth2/v2.0/token"
+          scope = "#{storage_resource(@environment)}/.default"
+
+          data = {
+            client_id: client_id,
+            grant_type: 'client_credentials',
+            client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+            client_assertion: oidc_token,
+            scope: scope
+          }
+
+          response = post(token_url, body: data)
+
+          process_token_response(response)
+        rescue ::Faraday::Error => e
+          raise FetchCredentialsError, e.to_s
+        end
+
+        private
+
+        # The Azure Python SDK handles an authority with or without a scheme, so let's
+        # do this too: https://github.com/Azure/azure-sdk-for-python/pull/11050
+        def normalize_authority!
+          parsed = URI.parse(authority)
+
+          unless parsed.scheme
+            @authority = "https://#{authority.strip.chomp('/')}"
+            return
+          end
+
+          # rubocop:disable Style/IfUnlessModifier
+          unless parsed.scheme == 'https'
+            raise ArgumentError, "'#{authority}' is an invalid authority. The value must be a TLS protected (https) URL."
+          end
+          # rubocop:enable Style/IfUnlessModifier
+
+          @authority = authority.strip.chomp('/')
+        end
+      end
+    end
+  end
+end

data/lib/fog/azurerm/identity.rb

@@ -0,0 +1,5 @@
+require_relative 'identity/base_client'
+require_relative 'identity/credentials'
+require_relative 'identity/default_credentials'
+require_relative 'identity/managed_identity_client'
+require_relative 'identity/workflow_identity_client'

data/lib/fog/azurerm/storage.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+require 'json'
+
 module Fog
   module AzureRM
     # This class registers models, requests and collections
@@ -9,6 +13,7 @@ module Fog
       recognizes :azure_storage_endpoint
       recognizes :azure_storage_domain
       recognizes :environment
+      recognizes :api_version
 
       recognizes :debug
 
@@ -80,6 +85,8 @@ module Fog
       class Real
         include Fog::AzureRM::Utilities::General
 
+        attr_accessor :options
+
         def initialize(options)
           begin
             require 'azure/storage/common'
@@ -93,19 +100,20 @@ module Fog
             raise e.message
           end
 
-          return unless @azure_storage_account_name != options[:azure_storage_account_name] ||
-                        @azure_storage_access_key != options[:azure_storage_access_key] ||
-                        @azure_storage_token_signer != options[:azure_storage_token_signer]
+          options[:environment] = options[:environment] || ENV['AZURE_ENVIRONMENT'] || ENVIRONMENT_AZURE_CLOUD
+          @environment = options[:environment]
+          @options = options
 
           @azure_storage_account_name = options[:azure_storage_account_name]
           @azure_storage_access_key = options[:azure_storage_access_key]
-          @azure_storage_token_signer = options[:azure_storage_token_signer]
+          @api_version = options[:api_version]
+
+          load_credentials
+
+          @azure_storage_token_signer = token_signer
           @azure_storage_endpoint = options[:azure_storage_endpoint]
           @azure_storage_domain = options[:azure_storage_domain]
 
-          options[:environment] = 'AzureCloud' if options[:environment].nil?
-          @environment = options[:environment]
-
           storage_blob_host =
             @azure_storage_endpoint ||
             if @azure_storage_domain.nil? || @azure_storage_domain.empty?
@@ -120,7 +128,7 @@ module Fog
             signer: @azure_storage_token_signer
           }.compact)
           azure_client.storage_blob_host = storage_blob_host
-          @blob_client = Azure::Storage::Blob::BlobService.new(client: azure_client)
+          @blob_client = Azure::Storage::Blob::BlobService.new(client: azure_client, api_version: @api_version)
           @blob_client.with_filter(Fog::AzureRM::IdentityEncodingFilter.new)
           @blob_client.with_filter(Azure::Storage::Common::Core::Filter::ExponentialRetryPolicyFilter.new)
           @blob_client.with_filter(Azure::Core::Http::DebugFilter.new) if @debug
@@ -128,6 +136,26 @@ module Fog
 
         private
 
+        def load_credentials
+          return options[:azure_storage_token_signer] if options[:azure_storage_token_signer]
+          return if @azure_storage_access_key && !@azure_storage_access_key.empty?
+
+          @credential_client = Fog::AzureRM::DefaultCredentials.new(options)
+          @credentials = @credential_client.fetch_credentials_if_needed
+        end
+
+        def token_signer
+          return options[:azure_storage_token_signer] if options[:azure_storage_token_signer]
+          return unless @credentials
+
+          access_token_signer(@credentials.token)
+        end
+
+        def access_token_signer(access_token)
+          cred = Azure::Storage::Common::Core::TokenCredential.new(access_token)
+          Azure::Storage::Common::Core::Auth::TokenSigner.new(cred)
+        end
+
         def signature_client(requested_expiry)
           access_key = @azure_storage_access_key.to_s
           user_delegation_key = user_delegation_key(requested_expiry)
@@ -148,6 +176,11 @@ module Fog
         def user_delegation_key(requested_expiry)
           return nil unless @azure_storage_token_signer
 
+          if @credential_client
+            @credentials = @credential_client.fetch_credentials_if_needed
+            @azure_storage_token_signer = token_signer
+          end
+
           @user_delegation_key_mutex ||= Mutex.new
           @user_delegation_key_mutex.synchronize do
             if @user_delegation_key_expiry.nil? || @user_delegation_key_expiry < requested_expiry

data/lib/fog/azurerm/utilities/general.rb

@@ -89,6 +89,28 @@ module Fog
           end
         end
 
+        # Per https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory,
+        # all endpoints use the same resource URL.
+        def storage_resource(_environment = ENVIRONMENT_AZURE_CLOUD)
+          'https://storage.azure.com'
+        end
+
+        # https://learn.microsoft.com/en-us/entra/identity-platform/authentication-national-cloud#microsoft-entra-authentication-endpoints
+        def authority_url(environment = ENVIRONMENT_AZURE_CLOUD)
+          case environment
+          when ENVIRONMENT_AZURE_CHINA_CLOUD
+            'https://login.chinacloudapi.cn'
+          when ENVIRONMENT_AZURE_US_GOVERNMENT
+            'https://login.microsoftonline.us'
+          # This region is deprecated:
+          # https://learn.microsoft.com/en-us/entra/identity-platform/authentication-national-cloud#azure-germany-microsoft-cloud-deutschland
+          when ENVIRONMENT_AZURE_GERMAN_CLOUD
+            'https://login.microsoftonline.de'
+          else
+            'https://login.microsoftonline.com'
+          end
+        end
+
         def get_blob_endpoint(storage_account_name, enable_https = false, environment = ENVIRONMENT_AZURE_CLOUD)
           protocol = enable_https ? 'https' : 'http'
           "#{protocol}://#{storage_account_name}.blob#{storage_endpoint_suffix(environment)}"

data/lib/fog/azurerm/version.rb

@@ -1,5 +1,5 @@
 module Fog
   module AzureRM
-    VERSION = '2.1.0'.freeze
+    VERSION = '2.3.0'.freeze
   end
 end

data/lib/fog/azurerm.rb

@@ -9,6 +9,7 @@ require 'fog/json'
 require 'fog/azurerm/models/storage/sku_name'
 require 'fog/azurerm/models/storage/sku_tier'
 require 'fog/azurerm/models/storage/kind'
+require 'fog/azurerm/identity'
 
 module Fog
   # Main AzureRM fog Provider Module

data/rakefile

@@ -8,6 +8,7 @@ task :test do
   Dir.glob('test/test_*.rb').each { |file| require File.expand_path file, __dir__ }
   Dir.glob('test/models/**/test_*.rb').each { |file| require File.expand_path file, __dir__ }
   Dir.glob('test/requests/**/test_*.rb').each { |file| require File.expand_path file, __dir__ }
+  Dir.glob('test/unit/**/test_*.rb').each { |file| require File.expand_path file, __dir__ }
 end
 
 task :integration do

data/test/models/storage/test_directory.rb

@@ -112,7 +112,7 @@ class TestDirectory < Minitest::Test
     # Set private
     result = @directory.public = false
     assert !result
-    assert_equal nil, @directory.attributes[:acl]
+    assert_nil @directory.attributes[:acl]
   end
 
   def test_public_url_method_with_public_success

data/test/requests/storage/test_get_blob_https_url.rb

@@ -104,6 +104,55 @@ class TestGetBlobHttpsUrl < Minitest::Test
     end
   end
 
+  def test_get_blob_https_url_with_managed_identity
+    token_response = {
+      'access_token' => 'fake_token',
+      'expires_on' => (Time.now + 3600).to_i.to_s
+    }
+
+    stub_request(:get, "#{Fog::AzureRM::Identity::IDENTITY_ENDPOINT}?api-version=#{Fog::AzureRM::Identity::API_VERSION}&resource=https://storage.azure.com")
+      .with(headers: { 'Metadata' => 'true' })
+      .to_return(status: 200, body: token_response.to_json)
+
+    service = Fog::AzureRM::Storage.new(storage_account_managed_identity)
+
+    requested_expiry = Time.now + 60
+
+    response = <<~MSG
+      <UserDelegationKey>
+          <SignedOid>f81d4fae-7dec-11d0-a765-00a0c91e6bf6</SignedOid>
+          <SignedTid>72f988bf-86f1-41af-91ab-2d7cd011db47</SignedTid>
+          <SignedStart>2024-09-19T00:00:00Z</SignedStart>
+          <SignedExpiry>2024-09-26T00:00:00Z</SignedExpiry>
+          <SignedService>b</SignedService>
+          <SignedVersion>2020-02-10</SignedVersion>
+          <Value>UDELEGATIONKEYXYZ....</Value>
+          <SignedKey>rL7...ABC</SignedKey>
+      </UserDelegationKey>
+    MSG
+
+    stub_request(:post, 'https://mockaccount.blob.core.windows.net?comp=userdelegationkey&restype=service')
+      .to_return(status: 200, headers: { 'Content-Type': 'application/xml' }, body: response)
+
+    url = service.get_blob_https_url('test_container', 'test_blob', requested_expiry)
+
+    parsed = URI.parse(url)
+
+    assert_equal 'https', parsed.scheme
+    assert_equal 'mockaccount.blob.core.windows.net', parsed.host
+    assert_equal '/test_container/test_blob', parsed.path
+
+    params = parsed.query.split('&').to_h { |x| x.split('=') }
+
+    assert_equal 'r', params['sp']
+    assert_equal '2025-07-05', params['sv']
+    assert_equal 'b', params['sr']
+    assert_equal 'https', params['spr']
+    assert_equal '2024-09-19T00%3A00%3A00Z', params['skt']
+    assert_equal '2024-09-26T00%3A00%3A00Z', params['ske']
+    assert_equal 'b', params['sks']
+  end
+
   def test_get_blob_https_url_with_token_signer_success
     service = Fog::AzureRM::Storage.new(storage_account_credentials_with_token_signer)
     blob_client = service.instance_variable_get(:@blob_client)
@@ -132,7 +181,7 @@ class TestGetBlobHttpsUrl < Minitest::Test
     # second request within new expiry
     stubbed_times << ref_time + 10.5 * DAY
     requested_expiries << stubbed_times.last + 1 * DAY
-    # no additonal expected_user_delegation_key_starts
+    # no additional expected_user_delegation_key_starts
 
     user_delegation_key_starts = []
     mock_user_delegation_key = lambda do |start, expiry|

data/test/test_helper.rb

@@ -1,3 +1,6 @@
+require 'webmock/minitest'
+WebMock.disable_net_connect! allow: %w[127.0.0.1]
+
 if ENV['COVERAGE']
   require 'simplecov'
   SimpleCov.start do
@@ -42,6 +45,12 @@ def storage_account_credentials
   }
 end
 
+def storage_account_managed_identity
+  {
+    azure_storage_account_name: 'mockaccount'
+  }
+end
+
 def storage_account_credentials_with_endpoint
   storage_account_credentials.merge(
     {

data/test/unit/test_default_credentials.rb

@@ -0,0 +1,97 @@
+require File.expand_path '../test_helper', __dir__
+
+class TestDefaultCredentials < Minitest::Test
+  def setup
+    @options = { environment: 'AzureCloud' }
+    @default_credentials = Fog::AzureRM::DefaultCredentials.new(@options)
+  end
+
+  def test_initialize
+    assert_instance_of Fog::AzureRM::DefaultCredentials, @default_credentials
+    assert_nil @default_credentials.instance_variable_get(:@credential_client)
+    assert_nil @default_credentials.instance_variable_get(:@credentials)
+  end
+
+  def test_fetch_credentials_if_needed_with_no_credential_client
+    @default_credentials.stub(:credential_client, nil) do
+      assert_nil @default_credentials.fetch_credentials_if_needed
+    end
+  end
+
+  def test_fetch_credentials_if_needed_with_credential_client
+    mock_client = Minitest::Mock.new
+    mock_client.expect :fetch_credentials_if_needed, 'fake_credentials'
+    @default_credentials.instance_variable_set(:@credential_client, mock_client)
+
+    assert_equal 'fake_credentials', @default_credentials.fetch_credentials_if_needed
+    mock_client.verify
+  end
+
+  def test_credential_client_with_workflow_identity
+    mock_workflow_client = Minitest::Mock.new
+    mock_workflow_client.expect :fetch_credentials, 'fake_workflow_credentials'
+
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
+      credentials = @default_credentials.send(:credential_client)
+      assert_equal 'fake_workflow_credentials', credentials
+    end
+
+    mock_workflow_client.verify
+  end
+
+  def test_credential_client_with_managed_identity
+    mock_workflow_client = Minitest::Mock.new
+    mock_workflow_client.expect :fetch_credentials, nil
+
+    mock_managed_client = Minitest::Mock.new
+    mock_managed_client.expect :fetch_credentials, 'fake_managed_credentials'
+
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
+        credentials = @default_credentials.send(:credential_client)
+        assert_equal 'fake_managed_credentials', credentials
+      end
+    end
+
+    mock_workflow_client.verify
+    mock_managed_client.verify
+  end
+
+  def test_credential_client_with_failed_workflow_identity
+    mock_workflow_client = Minitest::Mock.new
+    def mock_workflow_client.fetch_credentials
+      raise ::Fog::AzureRM::Identity::BaseClient::FetchCredentialsError, 'Failed to fetch credentials'
+    end
+
+    mock_managed_client = Minitest::Mock.new
+    mock_managed_client.expect :fetch_credentials, 'fake_managed_credentials'
+
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
+        credentials = @default_credentials.send(:credential_client)
+        assert_equal 'fake_managed_credentials', credentials
+      end
+    end
+
+    mock_workflow_client.verify
+    mock_managed_client.verify
+  end
+
+  def test_credential_client_with_no_credentials
+    mock_workflow_client = Minitest::Mock.new
+    mock_workflow_client.expect :fetch_credentials, nil
+
+    mock_managed_client = Minitest::Mock.new
+    mock_managed_client.expect :fetch_credentials, nil
+
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
+        assert_nil @default_credentials.send(:credential_client)
+        assert_nil @default_credentials.instance_variable_get(:@credential_client)
+      end
+    end
+
+    mock_workflow_client.verify
+    mock_managed_client.verify
+  end
+end

data/test/unit/test_managed_identity_client.rb

@@ -0,0 +1,74 @@
+require File.expand_path '../test_helper', __dir__
+
+class TestManagedIdentityClient < Minitest::Test
+  def setup
+    @options = { environment: 'AzureCloud' }
+    @client = Fog::AzureRM::Identity::ManagedIdentityClient.new(@options)
+  end
+
+  def teardown
+    ENV.delete('AZURE_CLIENT_ID')
+    ENV.delete('IDENTITY_HEADER')
+    ENV.delete('IDENTITY_ENDPOINT')
+  end
+
+  def test_initialize
+    assert_equal 'https://storage.azure.com', @client.resource
+  end
+
+  def test_fetch_credentials_success
+    token_response = {
+      'access_token' => 'fake_token',
+      'expires_on' => (Time.now + 3600).to_i.to_s
+    }
+
+    stub_request(:get, "#{Fog::AzureRM::Identity::IDENTITY_ENDPOINT}?api-version=#{Fog::AzureRM::Identity::API_VERSION}&resource=#{CGI.escape(@client.resource)}")
+      .with(headers: { 'Metadata' => 'true' })
+      .to_return(status: 200, body: token_response.to_json)
+
+    credentials = @client.fetch_credentials
+
+    assert_equal 'fake_token', credentials.token
+    assert_instance_of Time, credentials.expires_at
+  end
+
+  def test_fetch_credentials_timeout
+    stub_request(:get, "#{Fog::AzureRM::Identity::IDENTITY_ENDPOINT}?api-version=#{Fog::AzureRM::Identity::API_VERSION}&resource=#{CGI.escape(@client.resource)}")
+      .with(headers: { 'Metadata' => 'true' })
+      .to_raise(Faraday::Error)
+
+    assert_raises(Fog::AzureRM::Identity::BaseClient::FetchCredentialsError) do
+      @client.fetch_credentials
+    end
+  end
+
+  def test_fetch_credentials_unauthorized
+    stub_request(:get, "#{Fog::AzureRM::Identity::IDENTITY_ENDPOINT}?api-version=#{Fog::AzureRM::Identity::API_VERSION}&resource=#{CGI.escape(@client.resource)}")
+      .with(headers: { 'Metadata' => 'true' })
+      .to_return(status: 401)
+
+    assert_raises(Fog::AzureRM::Identity::BaseClient::FetchCredentialsError) do
+      @client.fetch_credentials
+    end
+  end
+
+  def test_fetch_credentials_with_env_vars
+    token_response = {
+      'access_token' => 'fake_token',
+      'expires_on' => (Time.now + 3600).to_i.to_s
+    }
+
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['IDENTITY_HEADER'] = 'fake_identity_header'
+    ENV['IDENTITY_ENDPOINT'] = 'http://localhost:8080/metadata/identity/oauth2/token'
+
+    stub_request(:get, "http://localhost:8080/metadata/identity/oauth2/token?api-version=2019-08-01&client_id=fake_client_id&resource=#{CGI.escape(@client.resource)}")
+      .with(headers: { 'Metadata' => 'true', 'X-Identity-Header' => 'fake_identity_header' })
+      .to_return(status: 200, body: token_response.to_json)
+
+    credentials = @client.fetch_credentials
+
+    assert_equal 'fake_token', credentials.token
+    assert_instance_of Time, credentials.expires_at
+  end
+end

data/test/unit/test_shared_access_signature_generator.rb

@@ -0,0 +1,198 @@
+require File.expand_path '../test_helper', __dir__
+require 'azure/storage/common'
+require 'base64'
+require 'uri'
+
+class TestSharedAccessSignatureGeneration < Minitest::Test
+  def setup
+    @access_account_name = 'testaccount'
+    @access_key_base64 = Base64.strict_encode64('test-access-key')
+    @path = '/container/blob.txt'
+    @service_type = Azure::Storage::Common::ServiceType::BLOB
+
+    @service_options = {
+      service: 'b',
+      permissions: 'c',
+      start: '2025-09-10T17:00:00Z',
+      expiry: '2025-09-10T18:00:00Z',
+      resource: 'b',
+      protocol: 'https',
+      ip_range: '192.168.1.1-192.168.1.10'
+    }
+
+    @user_delegation_key = Azure::Storage::Common::Service::UserDelegationKey.new do |key|
+      key.signed_oid = 'user-object-id-123'
+      key.signed_tid = 'tenant-id-456'
+      key.signed_start = '2025-09-10T17:00:00Z'
+      key.signed_expiry = '2025-09-10T19:00:00Z'
+      key.signed_service = 'b'
+      key.signed_version = '2020-08-04'
+      key.value = Base64.strict_encode64('user-delegation-key-value')
+    end
+  end
+
+  def test_service_sas_signature_string_format
+    # Test regular service SAS (no user delegation key)
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    result = sas.signable_string_for_service(@service_type, @path, @service_options)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Verify service SAS structure
+    assert_equal 'c', lines[0] # permissions
+    assert_equal '2025-09-10T17:00:00Z', lines[1]                # start
+    assert_equal '2025-09-10T18:00:00Z', lines[2]                # expiry
+    assert_equal '/blob/testaccount/container/blob.txt', lines[3] # canonicalized resource
+    assert_equal '', lines[4]                                     # identifier (empty for service SAS)
+    assert_equal '192.168.1.1-192.168.1.10', lines[5] # ip_range
+    assert_equal 'https', lines[6] # protocol
+    assert_equal Azure::Storage::Common::Default::STG_VERSION, lines[7] # version
+    assert_equal 'b', lines[8]                                    # resource
+    assert_equal '', lines[9]                                     # timestamp (empty)
+    assert_equal '', lines[10]                                    # encryption scope (empty)
+    # Response headers (all empty)
+    assert_equal '', lines[11]                                    # cache_control
+    assert_equal '', lines[12]                                    # content_disposition
+    assert_equal '', lines[13]                                    # content_encoding
+    assert_equal '', lines[14]                                    # content_language
+    assert_equal '', lines[15]                                    # content_type
+  end
+
+  def test_user_delegation_sas_signature_string_format
+    # Test user delegation SAS - always includes new 2025-07-05 format
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64, @user_delegation_key)
+
+    result = sas.signable_string_for_service(@service_type, @path, @service_options)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Verify user delegation SAS structure
+    assert_equal 'c', lines[0] # permissions
+    assert_equal '2025-09-10T17:00:00Z', lines[1]                # start
+    assert_equal '2025-09-10T18:00:00Z', lines[2]                # expiry
+    assert_equal '/blob/testaccount/container/blob.txt', lines[3] # canonicalized resource
+
+    # User delegation key fields
+    assert_equal 'user-object-id-123', lines[4]                  # signed_oid
+    assert_equal 'tenant-id-456', lines[5]                       # signed_tid
+    assert_equal '2025-09-10T17:00:00Z', lines[6]                # signed_start
+    assert_equal '2025-09-10T19:00:00Z', lines[7]                # signed_expiry
+    assert_equal 'b', lines[8]                                   # signed_service
+    assert_equal '2020-08-04', lines[9]                          # signed_version
+
+    # New fields for user delegation SAS (empty by default)
+    assert_equal '', lines[10]                                   # saoid
+    assert_equal '', lines[11]                                   # suoid
+    assert_equal '', lines[12]                                   # scid
+
+    # Critical: Two empty lines - this was causing the signature mismatch!
+    assert_equal '', lines[13]                                   # First empty line
+    assert_equal '', lines[14]                                   # Second empty line
+
+    # Continue with remaining fields
+    assert_equal '192.168.1.1-192.168.1.10', lines[15] # ip_range
+    assert_equal 'https', lines[16] # protocol
+    assert_equal Azure::Storage::Common::Default::STG_VERSION, lines[17] # version
+    assert_equal 'b', lines[18]                                  # resource
+    assert_equal '', lines[19]                                   # timestamp
+    assert_equal '', lines[20]                                   # encryption scope
+    # Response headers (all empty)
+    assert_equal '', lines[21]                                   # cache_control
+    assert_equal '', lines[22]                                   # content_disposition
+    assert_equal '', lines[23]                                   # content_encoding
+    assert_equal '', lines[24]                                   # content_language
+    assert_equal '', lines[25]                                   # content_type
+  end
+
+  def test_user_delegation_sas_with_optional_fields
+    # Test user delegation SAS with optional fields set
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64, @user_delegation_key)
+
+    options_with_extras = @service_options.merge({
+                                                   signed_authorized_user_object_id: 'authorized-user-789',
+                                                   signed_unauthorized_user_object_id: 'unauthorized-user-000',
+                                                   signed_correlation_id: 'correlation-abc-123',
+                                                   signed_encryption_scope: 'test-encryption-scope',
+                                                   timestamp: '2025-09-10T17:30:00Z',
+                                                   cache_control: 'no-cache',
+                                                   content_type: 'application/json'
+                                                 })
+
+    result = sas.signable_string_for_service(@service_type, @path, options_with_extras)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Verify the optional fields are included
+    assert_equal 'authorized-user-789', lines[10]               # saoid
+    assert_equal 'unauthorized-user-000', lines[11]             # suoid
+    assert_equal 'correlation-abc-123', lines[12]               # scid
+    assert_equal '2025-09-10T17:30:00Z', lines[19]              # timestamp
+    assert_equal 'test-encryption-scope', lines[20]             # encryption scope
+    assert_equal 'no-cache', lines[21]                          # cache_control
+    assert_equal 'application/json', lines[25]                  # content_type
+  end
+
+  def test_table_service_signature_format
+    # Test table service (no blob-specific fields)
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    table_options = {
+      service: 't',
+      permissions: 'rau',
+      expiry: '2025-09-10T18:00:00Z',
+      startpk: 'partition1',
+      startrk: 'row1',
+      endpk: 'partition2',
+      endrk: 'row2'
+    }
+
+    result = sas.signable_string_for_service(Azure::Storage::Common::ServiceType::TABLE, 'mytable', table_options)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Table service should not have blob-specific fields
+    assert_equal 'rau', lines[0]                                 # permissions
+    assert_equal '/table/testaccount/mytable', lines[3]          # canonicalized resource
+
+    # Should end with table-specific fields (no response headers for table)
+    expected_line_count = 12 # Basic fields + table fields, no blob fields
+    assert_equal expected_line_count, lines.length
+    assert_equal 'partition1', lines[8]                          # startpk
+    assert_equal 'row1', lines[9]                                # startrk
+    assert_equal 'partition2', lines[10]                         # endpk
+    assert_equal 'row2', lines[11]                               # endrk
+  end
+
+  def test_canonicalized_resource_format
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    # Test with leading slash
+    result = sas.canonicalized_resource('blob', '/container/blob.txt')
+    assert_equal '/blob/testaccount/container/blob.txt', result
+
+    # Test without leading slash
+    result = sas.canonicalized_resource('blob', 'container/blob.txt')
+    assert_equal '/blob/testaccount/container/blob.txt', result
+
+    # Test table resource
+    result = sas.canonicalized_resource('table', 'mytable')
+    assert_equal '/table/testaccount/mytable', result
+  end
+
+  def test_sas_token_generation_creates_valid_query_string
+    # Test that generate_service_sas_token creates a valid query string
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    token = sas.generate_service_sas_token(@path, @service_options)
+
+    # Parse the query string
+    params = URI.decode_www_form(token).to_h
+
+    # Verify expected parameters are present
+    assert_equal 'c', params['sp'] # permissions
+    assert_equal '2025-09-10T17:00:00Z', params['st']           # start
+    assert_equal '2025-09-10T18:00:00Z', params['se']           # expiry
+    assert_equal 'b', params['sr']                               # resource
+    assert_equal 'https', params['spr']                          # protocol
+    assert_equal '192.168.1.1-192.168.1.10', params['sip'] # ip_range
+    assert params.key?('sig')                                    # signature should be present
+    refute_empty params['sig']                                   # signature should not be empty
+  end
+end

data/test/unit/test_workflow_identity_client.rb

@@ -0,0 +1,147 @@
+require File.expand_path '../test_helper', __dir__
+
+class TestWorkflowIdentityClient < Minitest::Test
+  def setup
+    @options = { environment: 'AzureCloud' }
+    @client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+  end
+
+  def teardown
+    ENV.delete('AZURE_TENANT_ID')
+    ENV.delete('AZURE_CLIENT_ID')
+    ENV.delete('AZURE_FEDERATED_TOKEN_FILE')
+    ENV.delete('AZURE_AUTHORITY_HOST')
+  end
+
+  def test_initialize
+    assert_equal 'https://storage.azure.com', @client.resource
+    assert_equal 'https://login.microsoftonline.com', @client.authority
+    assert_nil @client.tenant_id
+    assert_nil @client.client_id
+  end
+
+  def test_fetch_credentials_success
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'fake_token_file'
+
+    @client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+
+    token_response = {
+      'access_token' => 'fake_access_token',
+      'expires_on' => (Time.now + 3600).to_i.to_s
+    }
+
+    File.stub :exist?, true do
+      File.stub :readable?, true do
+        File.stub :read, 'fake_oidc_token' do
+          stub_request(:post, "#{@client.authority}/fake_tenant_id/oauth2/v2.0/token")
+            .to_return(status: 200, body: token_response.to_json)
+
+          credentials = @client.fetch_credentials
+
+          assert_equal 'fake_access_token', credentials.token
+          assert_instance_of Time, credentials.expires_at
+        end
+      end
+    end
+  end
+
+  def test_fetch_credentials_failure
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'fake_token_file'
+
+    @client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+
+    File.stub :exist?, true do
+      File.stub :readable?, true do
+        File.stub :read, 'fake_oidc_token' do
+          stub_request(:post, "#{@client.authority}/fake_tenant_id/oauth2/v2.0/token")
+            .to_raise(Faraday::Error)
+
+          assert_raises(Fog::AzureRM::Identity::BaseClient::FetchCredentialsError) do
+            @client.fetch_credentials
+          end
+        end
+      end
+    end
+  end
+
+  def test_fetch_credentials_unauthorized
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'fake_token_file'
+
+    @client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+
+    File.stub :exist?, true do
+      File.stub :readable?, true do
+        File.stub :read, 'fake_oidc_token' do
+          stub_request(:post, "#{@client.authority}/fake_tenant_id/oauth2/v2.0/token")
+            .to_return(status: 403, body: '{"error":"invalid_client"}')
+
+          assert_raises(Fog::AzureRM::Identity::BaseClient::FetchCredentialsError) { @client.fetch_credentials }
+        end
+      end
+    end
+  end
+
+  def test_fetch_credentials_missing_env_vars
+    ENV['AZURE_TENANT_ID'] = nil
+    ENV['AZURE_CLIENT_ID'] = nil
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = nil
+
+    assert_nil @client.fetch_credentials
+  end
+
+  def test_fetch_credentials_missing_token_file
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'nonexistent_file'
+
+    File.stub :exist?, false do
+      assert_nil @client.fetch_credentials
+    end
+  end
+
+  def test_authority
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'fake_token_file'
+
+    # Test with default AzureCloud environment
+    client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+    assert_equal 'https://login.microsoftonline.com', client.authority
+    assert_equal 'https://storage.azure.com', client.resource
+
+    # Test with AzureUSGovernment environment
+    gov_options = { environment: 'AzureUSGovernment' }
+    gov_client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(gov_options)
+    assert_equal 'https://login.microsoftonline.us', gov_client.authority
+    assert_equal 'https://storage.azure.com', gov_client.resource
+
+    # Test with AzureChina environment
+    china_options = { environment: 'AzureChinaCloud' }
+    china_client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(china_options)
+    assert_equal 'https://login.chinacloudapi.cn', china_client.authority
+    assert_equal 'https://storage.azure.com', china_client.resource
+
+    # Test with AzureGermanCloud environment
+    german_options = { environment: 'AzureGermanCloud' }
+    german_client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(german_options)
+    assert_equal 'https://login.microsoftonline.de', german_client.authority
+    assert_equal 'https://storage.azure.com', german_client.resource
+  end
+
+  def test_authority_normalize
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'fake_token_file'
+    ENV['AZURE_AUTHORITY_HOST'] = 'login.microsoftonline.com'
+
+    # Test with default AzureCloud environment
+    client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+    assert_equal 'https://login.microsoftonline.com', client.authority
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-fog-azure-rm
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Shaffan Chaudhry
@@ -15,10 +15,9 @@ authors:
 - Azeem Sajid
 - Maham Nazir
 - Abbas Sheikh
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-17 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
@@ -90,6 +89,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: webrick
   requirement: !ruby/object:Gem::Requirement
@@ -224,7 +237,6 @@ dependencies:
         version: 1.10.8
 description: This is a stripped-down fork of fog-azure-rm that enables Azure Blob
   Storage to be used with CarrierWave and Fog.
-email:
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -321,6 +333,12 @@ files:
 - lib/fog/azurerm/custom_fog_errors.rb
 - lib/fog/azurerm/docs/storage.md
 - lib/fog/azurerm/docs/structure.md
+- lib/fog/azurerm/identity.rb
+- lib/fog/azurerm/identity/base_client.rb
+- lib/fog/azurerm/identity/credentials.rb
+- lib/fog/azurerm/identity/default_credentials.rb
+- lib/fog/azurerm/identity/managed_identity_client.rb
+- lib/fog/azurerm/identity/workflow_identity_client.rb
 - lib/fog/azurerm/identity_encoding_filter.rb
 - lib/fog/azurerm/models/storage/directories.rb
 - lib/fog/azurerm/models/storage/directory.rb
@@ -430,6 +448,10 @@ files:
 - test/requests/storage/test_save_page_blob.rb
 - test/requests/storage/test_wait_blob_copy_operation_to_finish.rb
 - test/test_helper.rb
+- test/unit/test_default_credentials.rb
+- test/unit/test_managed_identity_client.rb
+- test/unit/test_shared_access_signature_generator.rb
+- test/unit/test_workflow_identity_client.rb
 homepage: https://gitlab.com/gitlab-org/gitlab-fog-azure-rm
 licenses:
 - MIT
@@ -450,8 +472,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.27
-signing_key:
+rubygems_version: 3.7.2
 specification_version: 4
 summary: Module for the 'fog' gem to support Azure Blob Storage with CarrierWave and
   Fog.