gitlab-fog-azure-rm 2.2.0 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6c0db6ddb892cbf22fdd3bd0a6aa859dc54256572f87ff5fa4af0ab478127ba1
-  data.tar.gz: ac3ee5c92ab35dae5050dbf71a68c5d4f74cb0549c1b2c6cd55bfb3676099141
+  metadata.gz: fa5ac286afc5ba0f3066194079050eb837ec86bb0e23a0e879ae34b6ccd18242
+  data.tar.gz: cc8affe1faf1d79f910c7d7e232386b592472981738a3122922ad370d4406294
 SHA512:
-  metadata.gz: a876f5d3cd330701883c5185313faba45a00403577388a102d658b51a88cdf56bb1d46130668ad5b5e54557416048830dbc21bb458f844218e8cb9777ed7aca3
-  data.tar.gz: a6c70245610e9ad32f587005888bdfd8da48a6d0b52c48fdf5db0a9a7d7141bf33bf9ba74bda4c6a7793cc37648f65d3cb9bcfc5033d819874a22c26a69ae25e
+  metadata.gz: 90faba724967de441a00eef32538b14dfbfbbce8a225d7052c965bd69110ab434316484da41b6b6de6e8ad3c7bf3cb5009cd25d634419f402a5fa31616f4764b
+  data.tar.gz: 7e9a772cdd278514751f4e3cd167ebe54c4c63b451c95ea701f48b475b5810638a8b847c6724e3ccf707152dbd4e509d45d2fe5ce897a2173ea88b9d5ea80c93

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Unreleased
 
+## 2.3.0
+
+- Bump default Azure Blob and SAS API versions to 2025-07-05 !56
+
 ## 2.2.0
 
 - Add support for workflow and managed identities !54

data/lib/azure/storage/blob/blob_service.rb

@@ -27,6 +27,7 @@ require "azure/storage/blob/page"
 require "azure/storage/blob/block"
 require "azure/storage/blob/append"
 require "azure/storage/blob/blob"
+require 'azure/storage/blob/default'
 
 module Azure::Storage
   include Azure::Storage::Common::Service
@@ -126,6 +127,8 @@ module Azure::Storage
       #
       # Accepted key/value pairs in options parameter are:
       #
+
+      # * +:api_version+                    - String. Override the default Blob service API version.
       # * +:use_development_storage+        - TrueClass|FalseClass. Whether to use storage emulator.
       # * +:development_storage_proxy_uri+  - String. Used with +:use_development_storage+ if emulator is hosted other than localhost.
       # * +:storage_connection_string+      - String. The storage connection string.

data/lib/azure/storage/blob/default.rb

@@ -29,7 +29,7 @@ require "rbconfig"
 module Azure::Storage::Blob
   module Default
     # Default REST service (STG) version number
-    STG_VERSION = "2018-11-09"
+    STG_VERSION = "2025-07-05"
 
     # The number of default concurrent requests for parallel operation.
     DEFAULT_PARALLEL_OPERATION_THREAD_COUNT = 1

data/lib/azure/storage/common/core/auth/shared_access_signature_generator.rb

@@ -215,6 +215,7 @@ module Azure::Storage::Common::Core
       end
 
       # Construct the plaintext to the spec required for signatures
+      # See https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas
       # @return [String]
       def signable_string_for_service(service_type, path, options)
         # Order is significant
@@ -236,8 +237,17 @@ module Azure::Storage::Common::Core
             @user_delegation_key.signed_start,
             @user_delegation_key.signed_expiry,
             @user_delegation_key.signed_service,
-            @user_delegation_key.signed_version
+            @user_delegation_key.signed_version,
+            # User delegation fields (supported since 2020-02-10)
+            options[:signed_authorized_user_object_id] || "",    # saoid
+            options[:signed_unauthorized_user_object_id] || "",  # suoid
+            options[:signed_correlation_id] || "",               # scid
+            # For 2025-07-05 USER DELEGATION SAS ONLY, add two empty lines after correlation ID
+            # This is the critical difference that was causing the signature mismatch with 2018-11-09.
+            "",
+            ""
           ]
+
         end
 
         signable_fields.concat [
@@ -248,7 +258,8 @@ module Azure::Storage::Common::Core
 
         signable_fields.concat [
           options[:resource],
-          options[:timestamp]
+          options[:timestamp] || "",
+          options[:signed_encryption_scope] || ""
         ] if service_type == Azure::Storage::Common::ServiceType::BLOB
 
         signable_fields.concat [

data/lib/azure/storage/common/default.rb

@@ -30,7 +30,7 @@ require "azure/storage/common/version"
 module Azure::Storage::Common
   module Default
     # Default REST service (STG) version number. This is used only for SAS generator.
-    STG_VERSION = "2018-11-09"
+    STG_VERSION = "2025-07-05"
 
     # The number of default concurrent requests for parallel operation.
     DEFAULT_PARALLEL_OPERATION_THREAD_COUNT = 1

data/lib/fog/azurerm/storage.rb

@@ -13,6 +13,7 @@ module Fog
       recognizes :azure_storage_endpoint
       recognizes :azure_storage_domain
       recognizes :environment
+      recognizes :api_version
 
       recognizes :debug
 
@@ -105,6 +106,7 @@ module Fog
 
           @azure_storage_account_name = options[:azure_storage_account_name]
           @azure_storage_access_key = options[:azure_storage_access_key]
+          @api_version = options[:api_version]
 
           load_credentials
 
@@ -126,7 +128,7 @@ module Fog
             signer: @azure_storage_token_signer
           }.compact)
           azure_client.storage_blob_host = storage_blob_host
-          @blob_client = Azure::Storage::Blob::BlobService.new(client: azure_client)
+          @blob_client = Azure::Storage::Blob::BlobService.new(client: azure_client, api_version: @api_version)
           @blob_client.with_filter(Fog::AzureRM::IdentityEncodingFilter.new)
           @blob_client.with_filter(Azure::Storage::Common::Core::Filter::ExponentialRetryPolicyFilter.new)
           @blob_client.with_filter(Azure::Core::Http::DebugFilter.new) if @debug

data/lib/fog/azurerm/version.rb

@@ -1,5 +1,5 @@
 module Fog
   module AzureRM
-    VERSION = '2.2.0'.freeze
+    VERSION = '2.3.0'.freeze
   end
 end

data/test/requests/storage/test_get_blob_https_url.rb

@@ -145,7 +145,7 @@ class TestGetBlobHttpsUrl < Minitest::Test
     params = parsed.query.split('&').to_h { |x| x.split('=') }
 
     assert_equal 'r', params['sp']
-    assert_equal '2018-11-09', params['sv']
+    assert_equal '2025-07-05', params['sv']
     assert_equal 'b', params['sr']
     assert_equal 'https', params['spr']
     assert_equal '2024-09-19T00%3A00%3A00Z', params['skt']

data/test/unit/test_shared_access_signature_generator.rb

@@ -0,0 +1,198 @@
+require File.expand_path '../test_helper', __dir__
+require 'azure/storage/common'
+require 'base64'
+require 'uri'
+
+class TestSharedAccessSignatureGeneration < Minitest::Test
+  def setup
+    @access_account_name = 'testaccount'
+    @access_key_base64 = Base64.strict_encode64('test-access-key')
+    @path = '/container/blob.txt'
+    @service_type = Azure::Storage::Common::ServiceType::BLOB
+
+    @service_options = {
+      service: 'b',
+      permissions: 'c',
+      start: '2025-09-10T17:00:00Z',
+      expiry: '2025-09-10T18:00:00Z',
+      resource: 'b',
+      protocol: 'https',
+      ip_range: '192.168.1.1-192.168.1.10'
+    }
+
+    @user_delegation_key = Azure::Storage::Common::Service::UserDelegationKey.new do |key|
+      key.signed_oid = 'user-object-id-123'
+      key.signed_tid = 'tenant-id-456'
+      key.signed_start = '2025-09-10T17:00:00Z'
+      key.signed_expiry = '2025-09-10T19:00:00Z'
+      key.signed_service = 'b'
+      key.signed_version = '2020-08-04'
+      key.value = Base64.strict_encode64('user-delegation-key-value')
+    end
+  end
+
+  def test_service_sas_signature_string_format
+    # Test regular service SAS (no user delegation key)
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    result = sas.signable_string_for_service(@service_type, @path, @service_options)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Verify service SAS structure
+    assert_equal 'c', lines[0] # permissions
+    assert_equal '2025-09-10T17:00:00Z', lines[1]                # start
+    assert_equal '2025-09-10T18:00:00Z', lines[2]                # expiry
+    assert_equal '/blob/testaccount/container/blob.txt', lines[3] # canonicalized resource
+    assert_equal '', lines[4]                                     # identifier (empty for service SAS)
+    assert_equal '192.168.1.1-192.168.1.10', lines[5] # ip_range
+    assert_equal 'https', lines[6] # protocol
+    assert_equal Azure::Storage::Common::Default::STG_VERSION, lines[7] # version
+    assert_equal 'b', lines[8]                                    # resource
+    assert_equal '', lines[9]                                     # timestamp (empty)
+    assert_equal '', lines[10]                                    # encryption scope (empty)
+    # Response headers (all empty)
+    assert_equal '', lines[11]                                    # cache_control
+    assert_equal '', lines[12]                                    # content_disposition
+    assert_equal '', lines[13]                                    # content_encoding
+    assert_equal '', lines[14]                                    # content_language
+    assert_equal '', lines[15]                                    # content_type
+  end
+
+  def test_user_delegation_sas_signature_string_format
+    # Test user delegation SAS - always includes new 2025-07-05 format
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64, @user_delegation_key)
+
+    result = sas.signable_string_for_service(@service_type, @path, @service_options)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Verify user delegation SAS structure
+    assert_equal 'c', lines[0] # permissions
+    assert_equal '2025-09-10T17:00:00Z', lines[1]                # start
+    assert_equal '2025-09-10T18:00:00Z', lines[2]                # expiry
+    assert_equal '/blob/testaccount/container/blob.txt', lines[3] # canonicalized resource
+
+    # User delegation key fields
+    assert_equal 'user-object-id-123', lines[4]                  # signed_oid
+    assert_equal 'tenant-id-456', lines[5]                       # signed_tid
+    assert_equal '2025-09-10T17:00:00Z', lines[6]                # signed_start
+    assert_equal '2025-09-10T19:00:00Z', lines[7]                # signed_expiry
+    assert_equal 'b', lines[8]                                   # signed_service
+    assert_equal '2020-08-04', lines[9]                          # signed_version
+
+    # New fields for user delegation SAS (empty by default)
+    assert_equal '', lines[10]                                   # saoid
+    assert_equal '', lines[11]                                   # suoid
+    assert_equal '', lines[12]                                   # scid
+
+    # Critical: Two empty lines - this was causing the signature mismatch!
+    assert_equal '', lines[13]                                   # First empty line
+    assert_equal '', lines[14]                                   # Second empty line
+
+    # Continue with remaining fields
+    assert_equal '192.168.1.1-192.168.1.10', lines[15] # ip_range
+    assert_equal 'https', lines[16] # protocol
+    assert_equal Azure::Storage::Common::Default::STG_VERSION, lines[17] # version
+    assert_equal 'b', lines[18]                                  # resource
+    assert_equal '', lines[19]                                   # timestamp
+    assert_equal '', lines[20]                                   # encryption scope
+    # Response headers (all empty)
+    assert_equal '', lines[21]                                   # cache_control
+    assert_equal '', lines[22]                                   # content_disposition
+    assert_equal '', lines[23]                                   # content_encoding
+    assert_equal '', lines[24]                                   # content_language
+    assert_equal '', lines[25]                                   # content_type
+  end
+
+  def test_user_delegation_sas_with_optional_fields
+    # Test user delegation SAS with optional fields set
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64, @user_delegation_key)
+
+    options_with_extras = @service_options.merge({
+                                                   signed_authorized_user_object_id: 'authorized-user-789',
+                                                   signed_unauthorized_user_object_id: 'unauthorized-user-000',
+                                                   signed_correlation_id: 'correlation-abc-123',
+                                                   signed_encryption_scope: 'test-encryption-scope',
+                                                   timestamp: '2025-09-10T17:30:00Z',
+                                                   cache_control: 'no-cache',
+                                                   content_type: 'application/json'
+                                                 })
+
+    result = sas.signable_string_for_service(@service_type, @path, options_with_extras)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Verify the optional fields are included
+    assert_equal 'authorized-user-789', lines[10]               # saoid
+    assert_equal 'unauthorized-user-000', lines[11]             # suoid
+    assert_equal 'correlation-abc-123', lines[12]               # scid
+    assert_equal '2025-09-10T17:30:00Z', lines[19]              # timestamp
+    assert_equal 'test-encryption-scope', lines[20]             # encryption scope
+    assert_equal 'no-cache', lines[21]                          # cache_control
+    assert_equal 'application/json', lines[25]                  # content_type
+  end
+
+  def test_table_service_signature_format
+    # Test table service (no blob-specific fields)
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    table_options = {
+      service: 't',
+      permissions: 'rau',
+      expiry: '2025-09-10T18:00:00Z',
+      startpk: 'partition1',
+      startrk: 'row1',
+      endpk: 'partition2',
+      endrk: 'row2'
+    }
+
+    result = sas.signable_string_for_service(Azure::Storage::Common::ServiceType::TABLE, 'mytable', table_options)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Table service should not have blob-specific fields
+    assert_equal 'rau', lines[0]                                 # permissions
+    assert_equal '/table/testaccount/mytable', lines[3]          # canonicalized resource
+
+    # Should end with table-specific fields (no response headers for table)
+    expected_line_count = 12 # Basic fields + table fields, no blob fields
+    assert_equal expected_line_count, lines.length
+    assert_equal 'partition1', lines[8]                          # startpk
+    assert_equal 'row1', lines[9]                                # startrk
+    assert_equal 'partition2', lines[10]                         # endpk
+    assert_equal 'row2', lines[11]                               # endrk
+  end
+
+  def test_canonicalized_resource_format
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    # Test with leading slash
+    result = sas.canonicalized_resource('blob', '/container/blob.txt')
+    assert_equal '/blob/testaccount/container/blob.txt', result
+
+    # Test without leading slash
+    result = sas.canonicalized_resource('blob', 'container/blob.txt')
+    assert_equal '/blob/testaccount/container/blob.txt', result
+
+    # Test table resource
+    result = sas.canonicalized_resource('table', 'mytable')
+    assert_equal '/table/testaccount/mytable', result
+  end
+
+  def test_sas_token_generation_creates_valid_query_string
+    # Test that generate_service_sas_token creates a valid query string
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    token = sas.generate_service_sas_token(@path, @service_options)
+
+    # Parse the query string
+    params = URI.decode_www_form(token).to_h
+
+    # Verify expected parameters are present
+    assert_equal 'c', params['sp'] # permissions
+    assert_equal '2025-09-10T17:00:00Z', params['st']           # start
+    assert_equal '2025-09-10T18:00:00Z', params['se']           # expiry
+    assert_equal 'b', params['sr']                               # resource
+    assert_equal 'https', params['spr']                          # protocol
+    assert_equal '192.168.1.1-192.168.1.10', params['sip'] # ip_range
+    assert params.key?('sig')                                    # signature should be present
+    refute_empty params['sig']                                   # signature should not be empty
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-fog-azure-rm
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Shaffan Chaudhry
@@ -15,10 +15,9 @@ authors:
 - Azeem Sajid
 - Maham Nazir
 - Abbas Sheikh
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-21 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
@@ -238,7 +237,6 @@ dependencies:
         version: 1.10.8
 description: This is a stripped-down fork of fog-azure-rm that enables Azure Blob
   Storage to be used with CarrierWave and Fog.
-email:
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -452,6 +450,7 @@ files:
 - test/test_helper.rb
 - test/unit/test_default_credentials.rb
 - test/unit/test_managed_identity_client.rb
+- test/unit/test_shared_access_signature_generator.rb
 - test/unit/test_workflow_identity_client.rb
 homepage: https://gitlab.com/gitlab-org/gitlab-fog-azure-rm
 licenses:
@@ -473,8 +472,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.18
-signing_key:
+rubygems_version: 3.7.2
 specification_version: 4
 summary: Module for the 'fog' gem to support Azure Blob Storage with CarrierWave and
   Fog.