gitlab-fog-azure-rm 2.2.0 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6c0db6ddb892cbf22fdd3bd0a6aa859dc54256572f87ff5fa4af0ab478127ba1
-  data.tar.gz: ac3ee5c92ab35dae5050dbf71a68c5d4f74cb0549c1b2c6cd55bfb3676099141
+  metadata.gz: 61aaa2ad5deaa2d7cfc03c52d87f504147a30bb21656fa8d74a0a1e2c1335b7f
+  data.tar.gz: 170d555337f12f9262ecc0a482871d7e88429f0dd968a3d4ee3c0ec3d42300dd
 SHA512:
-  metadata.gz: a876f5d3cd330701883c5185313faba45a00403577388a102d658b51a88cdf56bb1d46130668ad5b5e54557416048830dbc21bb458f844218e8cb9777ed7aca3
-  data.tar.gz: a6c70245610e9ad32f587005888bdfd8da48a6d0b52c48fdf5db0a9a7d7141bf33bf9ba74bda4c6a7793cc37648f65d3cb9bcfc5033d819874a22c26a69ae25e
+  metadata.gz: c5bf104672cd6913ce0c701bc8da7da11d0e80a3a383adf9be76188712b5d2cdcc3f13ea1512c12775226999c266c357ca9b0a1bb01e03196773beb4a1f6c1d9
+  data.tar.gz: 354cd43f816764b22005eb1d0c4e89eecfd55d31b776107904e8f3b1c704b09bd596244517dba24869a2552258cbe98477daaec61ab7fd0042ecd9d21e58dc11

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## Unreleased
 
+## 2.4.0
+
+- Refresh blob client whenever credentials needs to be refreshed !58
+
+## 2.3.0
+
+- Bump default Azure Blob and SAS API versions to 2025-07-05 !56
+
 ## 2.2.0
 
 - Add support for workflow and managed identities !54

data/gitlab-fog-azure-rm.gemspec

@@ -22,6 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rubocop', '~> 0.89.1'
   spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'timecop'
   spec.add_development_dependency 'webmock'
   spec.add_development_dependency 'webrick', '~> 1.8'
 

data/lib/azure/storage/blob/blob_service.rb

@@ -27,6 +27,7 @@ require "azure/storage/blob/page"
 require "azure/storage/blob/block"
 require "azure/storage/blob/append"
 require "azure/storage/blob/blob"
+require 'azure/storage/blob/default'
 
 module Azure::Storage
   include Azure::Storage::Common::Service
@@ -126,6 +127,8 @@ module Azure::Storage
       #
       # Accepted key/value pairs in options parameter are:
       #
+
+      # * +:api_version+                    - String. Override the default Blob service API version.
       # * +:use_development_storage+        - TrueClass|FalseClass. Whether to use storage emulator.
       # * +:development_storage_proxy_uri+  - String. Used with +:use_development_storage+ if emulator is hosted other than localhost.
       # * +:storage_connection_string+      - String. The storage connection string.

data/lib/azure/storage/blob/default.rb

@@ -29,7 +29,7 @@ require "rbconfig"
 module Azure::Storage::Blob
   module Default
     # Default REST service (STG) version number
-    STG_VERSION = "2018-11-09"
+    STG_VERSION = "2025-07-05"
 
     # The number of default concurrent requests for parallel operation.
     DEFAULT_PARALLEL_OPERATION_THREAD_COUNT = 1

data/lib/azure/storage/common/core/auth/shared_access_signature_generator.rb

@@ -215,6 +215,7 @@ module Azure::Storage::Common::Core
       end
 
       # Construct the plaintext to the spec required for signatures
+      # See https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas
       # @return [String]
       def signable_string_for_service(service_type, path, options)
         # Order is significant
@@ -236,8 +237,17 @@ module Azure::Storage::Common::Core
             @user_delegation_key.signed_start,
             @user_delegation_key.signed_expiry,
             @user_delegation_key.signed_service,
-            @user_delegation_key.signed_version
+            @user_delegation_key.signed_version,
+            # User delegation fields (supported since 2020-02-10)
+            options[:signed_authorized_user_object_id] || "",    # saoid
+            options[:signed_unauthorized_user_object_id] || "",  # suoid
+            options[:signed_correlation_id] || "",               # scid
+            # For 2025-07-05 USER DELEGATION SAS ONLY, add two empty lines after correlation ID
+            # This is the critical difference that was causing the signature mismatch with 2018-11-09.
+            "",
+            ""
           ]
+
         end
 
         signable_fields.concat [
@@ -248,7 +258,8 @@ module Azure::Storage::Common::Core
 
         signable_fields.concat [
           options[:resource],
-          options[:timestamp]
+          options[:timestamp] || "",
+          options[:signed_encryption_scope] || ""
         ] if service_type == Azure::Storage::Common::ServiceType::BLOB
 
         signable_fields.concat [

data/lib/azure/storage/common/default.rb

@@ -30,7 +30,7 @@ require "azure/storage/common/version"
 module Azure::Storage::Common
   module Default
     # Default REST service (STG) version number. This is used only for SAS generator.
-    STG_VERSION = "2018-11-09"
+    STG_VERSION = "2025-07-05"
 
     # The number of default concurrent requests for parallel operation.
     DEFAULT_PARALLEL_OPERATION_THREAD_COUNT = 1

data/lib/fog/azurerm/identity/credentials.rb

@@ -15,7 +15,7 @@ module Fog
         def refresh_needed?
           return true unless expires_at
 
-          Time.now >= expires_at + EXPIRATION_BUFFER
+          Time.now >= expires_at - EXPIRATION_BUFFER
         end
       end
     end

data/lib/fog/azurerm/identity/default_credentials.rb

@@ -11,7 +11,6 @@ module Fog
       def initialize(options)
         @options = options
         @credential_client = nil
-        @credentials = nil
       end
 
       def fetch_credentials_if_needed
@@ -37,7 +36,7 @@ module Fog
           client = klass.new(options)
 
           begin
-            credentials = client.fetch_credentials
+            credentials = client.fetch_credentials_if_needed
           rescue Fog::AzureRM::Identity::BaseClient::FetchCredentialsError
             next
           end
@@ -48,10 +47,7 @@ module Fog
           end
         end
 
-        return unless credentials
-
-        @credentials = credentials
-        @credentials
+        @credential_client
       end
     end
   end

data/lib/fog/azurerm/storage.rb

@@ -13,6 +13,7 @@ module Fog
       recognizes :azure_storage_endpoint
       recognizes :azure_storage_domain
       recognizes :environment
+      recognizes :api_version
 
       recognizes :debug
 
@@ -99,12 +100,16 @@ module Fog
             raise e.message
           end
 
+          @user_delegation_key_mutex = Mutex.new
+          @blob_client_mutex = Mutex.new
+
           options[:environment] = options[:environment] || ENV['AZURE_ENVIRONMENT'] || ENVIRONMENT_AZURE_CLOUD
           @environment = options[:environment]
           @options = options
 
           @azure_storage_account_name = options[:azure_storage_account_name]
           @azure_storage_access_key = options[:azure_storage_access_key]
+          @api_version = options[:api_version]
 
           load_credentials
 
@@ -112,24 +117,7 @@ module Fog
           @azure_storage_endpoint = options[:azure_storage_endpoint]
           @azure_storage_domain = options[:azure_storage_domain]
 
-          storage_blob_host =
-            @azure_storage_endpoint ||
-            if @azure_storage_domain.nil? || @azure_storage_domain.empty?
-              get_blob_endpoint(@azure_storage_account_name, true, @environment)
-            else
-              get_blob_endpoint_with_domain(@azure_storage_account_name, true, @azure_storage_domain)
-            end
-
-          azure_client = Azure::Storage::Common::Client.create({
-            storage_account_name: @azure_storage_account_name,
-            storage_access_key: @azure_storage_access_key,
-            signer: @azure_storage_token_signer
-          }.compact)
-          azure_client.storage_blob_host = storage_blob_host
-          @blob_client = Azure::Storage::Blob::BlobService.new(client: azure_client)
-          @blob_client.with_filter(Fog::AzureRM::IdentityEncodingFilter.new)
-          @blob_client.with_filter(Azure::Storage::Common::Core::Filter::ExponentialRetryPolicyFilter.new)
-          @blob_client.with_filter(Azure::Core::Http::DebugFilter.new) if @debug
+          refresh_blob_client
         end
 
         private
@@ -175,11 +163,16 @@ module Fog
           return nil unless @azure_storage_token_signer
 
           if @credential_client
-            @credentials = @credential_client.fetch_credentials_if_needed
-            @azure_storage_token_signer = token_signer
+            new_credentials = @credential_client.fetch_credentials_if_needed
+            changed = new_credentials != @credentials
+
+            if changed
+              @credentials = new_credentials
+              @azure_storage_token_signer = token_signer
+              refresh_blob_client
+            end
           end
 
-          @user_delegation_key_mutex ||= Mutex.new
           @user_delegation_key_mutex.synchronize do
             if @user_delegation_key_expiry.nil? || @user_delegation_key_expiry < requested_expiry
               start = Time.now
@@ -195,6 +188,35 @@ module Fog
 
           @user_delegation_key
         end
+
+        def refresh_blob_client
+          @blob_client_mutex.synchronize do
+            azure_client = create_azure_client
+            azure_client.storage_blob_host = storage_blob_host
+            @blob_client = Azure::Storage::Blob::BlobService.new(client: azure_client, api_version: @api_version)
+            @blob_client.with_filter(Fog::AzureRM::IdentityEncodingFilter.new)
+            @blob_client.with_filter(Azure::Storage::Common::Core::Filter::ExponentialRetryPolicyFilter.new)
+            @blob_client.with_filter(Azure::Core::Http::DebugFilter.new) if @debug
+          end
+        end
+
+        def storage_blob_host
+          return @azure_storage_endpoint if @azure_storage_endpoint
+
+          if @azure_storage_domain.nil? || @azure_storage_domain.empty?
+            get_blob_endpoint(@azure_storage_account_name, true, @environment)
+          else
+            get_blob_endpoint_with_domain(@azure_storage_account_name, true, @azure_storage_domain)
+          end
+        end
+
+        def create_azure_client
+          Azure::Storage::Common::Client.create({
+            storage_account_name: @azure_storage_account_name,
+            storage_access_key: @azure_storage_access_key,
+            signer: @azure_storage_token_signer
+          }.compact)
+        end
       end
     end
   end

data/lib/fog/azurerm/version.rb

@@ -1,5 +1,5 @@
 module Fog
   module AzureRM
-    VERSION = '2.2.0'.freeze
+    VERSION = '2.4.0'.freeze
   end
 end

data/test/requests/storage/test_get_blob_https_url.rb

@@ -145,7 +145,7 @@ class TestGetBlobHttpsUrl < Minitest::Test
     params = parsed.query.split('&').to_h { |x| x.split('=') }
 
     assert_equal 'r', params['sp']
-    assert_equal '2018-11-09', params['sv']
+    assert_equal '2025-07-05', params['sv']
     assert_equal 'b', params['sr']
     assert_equal 'https', params['spr']
     assert_equal '2024-09-19T00%3A00%3A00Z', params['skt']
@@ -224,4 +224,74 @@ class TestGetBlobHttpsUrl < Minitest::Test
     assert_equal "#{@url}?#{@token}", @mock_service.get_blob_https_url('test_container', 'test_blob', Time.now.utc + 3600)
     assert_equal "#{@url}?#{@token}", @mock_service.get_object_url('test_container', 'test_blob', Time.now.utc + 3600)
   end
+
+  def test_blob_client_refreshes_when_credentials_expire
+    # Setup an expired initial token
+    initial_token_response = {
+      'access_token' => 'initial_token',
+      'expires_on' => (Time.now + ::Fog::AzureRM::Identity::Credentials::EXPIRATION_BUFFER + 10).to_i
+    }
+
+    # Setup refreshed token response
+    refreshed_token_response = {
+      'access_token' => 'refreshed_token',
+      'expires_on' => (Time.now + ::Fog::AzureRM::Identity::Credentials::EXPIRATION_BUFFER * 3).to_i
+    }
+
+    # Mock the identity endpoint to return initial token first, then refreshed token
+    stub_request(:get, "#{Fog::AzureRM::Identity::IDENTITY_ENDPOINT}?api-version=#{Fog::AzureRM::Identity::API_VERSION}&resource=https://storage.azure.com")
+      .with(headers: { 'Metadata' => 'true' })
+      .to_return(
+        { status: 200, body: initial_token_response.to_json },
+        { status: 200, body: refreshed_token_response.to_json }
+      )
+
+    # Setup user delegation key responses
+    delegation_response = <<~MSG
+      <UserDelegationKey>
+          <SignedOid>f81d4fae-7dec-11d0-a765-00a0c91e6bf6</SignedOid>
+          <SignedTid>72f988bf-86f1-41af-91ab-2d7cd011db47</SignedTid>
+          <SignedStart>2024-09-19T00:00:00Z</SignedStart>
+          <SignedExpiry>2024-09-26T00:00:00Z</SignedExpiry>
+          <SignedService>b</SignedService>
+          <SignedVersion>2020-02-10</SignedVersion>
+          <Value>UDELEGATIONKEY_INITIAL</Value>
+          <SignedKey>rL7...INITIAL</SignedKey>
+      </UserDelegationKey>
+    MSG
+
+    stub_request(:post, 'https://mockaccount.blob.core.windows.net?comp=userdelegationkey&restype=service')
+      .to_return(
+        { status: 200, headers: { 'Content-Type': 'application/xml' }, body: delegation_response }
+      )
+
+    service = Fog::AzureRM::Storage.new(storage_account_managed_identity)
+    initial_blob_client = service.instance_variable_get(:@blob_client)
+    refute_nil initial_blob_client
+
+    # First request should not refresh the blob client and token
+    requested_expiry = Time.now + 60
+    url1 = service.get_blob_https_url('test_container', 'test_blob', requested_expiry)
+    refute_nil url1
+    assert url1.include?('https://mockaccount.blob.core.windows.net/test_container/test_blob')
+
+    second_blob_client = service.instance_variable_get(:@blob_client)
+    assert_equal initial_blob_client.object_id, second_blob_client.object_id
+
+    Timecop.travel(Time.now + ::Fog::AzureRM::Identity::Credentials::EXPIRATION_BUFFER) do
+      credentials = service.instance_variable_get(:@credentials)
+      assert credentials.refresh_needed?
+
+      # Second request should tigger credential refresh and blob client update
+      url2 = service.get_blob_https_url('test_container', 'test_blob', requested_expiry)
+      third_blob_client = service.instance_variable_get(:@blob_client)
+      credentials = service.instance_variable_get(:@credentials)
+      refute credentials.refresh_needed?
+
+      refute_nil url2
+      assert url2.include?('https://mockaccount.blob.core.windows.net/test_container/test_blob')
+      refute_nil third_blob_client
+      refute_equal third_blob_client.object_id, second_blob_client.object_id
+    end
+  end
 end

data/test/test_helper.rb

@@ -1,3 +1,4 @@
+require 'timecop'
 require 'webmock/minitest'
 WebMock.disable_net_connect! allow: %w[127.0.0.1]
 

data/test/unit/test_credentials.rb

@@ -0,0 +1,44 @@
+require File.expand_path '../test_helper', __dir__
+
+class TestCredentials < Minitest::Test
+  def setup
+    @token = 'test-access-token'
+    @expires_at = Time.now + 3600 # 1 hour from now
+    @credentials = Fog::AzureRM::Identity::Credentials.new(@token, @expires_at)
+  end
+
+  def test_initialize
+    assert_equal @token, @credentials.token
+    assert_equal @expires_at, @credentials.expires_at
+  end
+
+  def test_refresh_needed_when_expires_at_is_nil
+    credentials = Fog::AzureRM::Identity::Credentials.new(@token, nil)
+    assert credentials.refresh_needed?
+  end
+
+  def test_refresh_needed_when_token_expires_soon
+    # Token expires in 5 minutes (less than 10 minute buffer)
+    expires_soon = Time.now + 300
+    credentials = Fog::AzureRM::Identity::Credentials.new(@token, expires_soon)
+    assert credentials.refresh_needed?
+  end
+
+  def test_refresh_not_needed_when_token_has_time_left
+    # Token expires in 15 minutes (more than 10 minute buffer)
+    expires_later = Time.now + 900
+    credentials = Fog::AzureRM::Identity::Credentials.new(@token, expires_later)
+    refute credentials.refresh_needed?
+  end
+
+  def test_refresh_needed_exactly_at_buffer_time
+    # Token expires exactly at buffer time (10 minutes)
+    expires_at_buffer = Time.now + Fog::AzureRM::Identity::Credentials::EXPIRATION_BUFFER
+    credentials = Fog::AzureRM::Identity::Credentials.new(@token, expires_at_buffer)
+    assert credentials.refresh_needed?
+  end
+
+  def test_expiration_buffer_constant
+    assert_equal 600, Fog::AzureRM::Identity::Credentials::EXPIRATION_BUFFER
+  end
+end

data/test/unit/test_default_credentials.rb

@@ -9,7 +9,6 @@ class TestDefaultCredentials < Minitest::Test
   def test_initialize
     assert_instance_of Fog::AzureRM::DefaultCredentials, @default_credentials
     assert_nil @default_credentials.instance_variable_get(:@credential_client)
-    assert_nil @default_credentials.instance_variable_get(:@credentials)
   end
 
   def test_fetch_credentials_if_needed_with_no_credential_client
@@ -28,70 +27,55 @@ class TestDefaultCredentials < Minitest::Test
   end
 
   def test_credential_client_with_workflow_identity
-    mock_workflow_client = Minitest::Mock.new
-    mock_workflow_client.expect :fetch_credentials, 'fake_workflow_credentials'
+    workflow_client = Struct.new(:fetch_credentials_if_needed).new('fake_workflow_credentials')
 
-    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
-      credentials = @default_credentials.send(:credential_client)
-      assert_equal 'fake_workflow_credentials', credentials
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, workflow_client do
+      client = @default_credentials.send(:credential_client)
+      assert_equal workflow_client, client
+      assert_equal workflow_client, @default_credentials.instance_variable_get(:@credential_client)
     end
-
-    mock_workflow_client.verify
   end
 
   def test_credential_client_with_managed_identity
-    mock_workflow_client = Minitest::Mock.new
-    mock_workflow_client.expect :fetch_credentials, nil
-
-    mock_managed_client = Minitest::Mock.new
-    mock_managed_client.expect :fetch_credentials, 'fake_managed_credentials'
-
-    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
-      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
-        credentials = @default_credentials.send(:credential_client)
-        assert_equal 'fake_managed_credentials', credentials
+    workflow_client = Struct.new(:fetch_credentials_if_needed).new
+    managed_client = Struct.new(:fetch_credentials_if_needed).new('fake_managed_credentials')
+
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, managed_client do
+        client = @default_credentials.send(:credential_client)
+        assert_equal managed_client, client
+        assert_equal managed_client, @default_credentials.instance_variable_get(:@credential_client)
       end
     end
-
-    mock_workflow_client.verify
-    mock_managed_client.verify
   end
 
   def test_credential_client_with_failed_workflow_identity
-    mock_workflow_client = Minitest::Mock.new
-    def mock_workflow_client.fetch_credentials
-      raise ::Fog::AzureRM::Identity::BaseClient::FetchCredentialsError, 'Failed to fetch credentials'
-    end
+    workflow_client = Class.new do
+      def fetch_credentials_if_needed
+        raise ::Fog::AzureRM::Identity::BaseClient::FetchCredentialsError, 'Failed to fetch credentials'
+      end
+    end.new
 
-    mock_managed_client = Minitest::Mock.new
-    mock_managed_client.expect :fetch_credentials, 'fake_managed_credentials'
+    managed_client = Struct.new(:fetch_credentials_if_needed).new('fake_managed_credentials')
 
-    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
-      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
-        credentials = @default_credentials.send(:credential_client)
-        assert_equal 'fake_managed_credentials', credentials
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, managed_client do
+        client = @default_credentials.send(:credential_client)
+        assert_equal managed_client, client
+        assert_equal managed_client, @default_credentials.instance_variable_get(:@credential_client)
       end
     end
-
-    mock_workflow_client.verify
-    mock_managed_client.verify
   end
 
   def test_credential_client_with_no_credentials
-    mock_workflow_client = Minitest::Mock.new
-    mock_workflow_client.expect :fetch_credentials, nil
+    workflow_client = Struct.new(:fetch_credentials_if_needed).new
+    managed_client = Struct.new(:fetch_credentials_if_needed).new
 
-    mock_managed_client = Minitest::Mock.new
-    mock_managed_client.expect :fetch_credentials, nil
-
-    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
-      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, managed_client do
         assert_nil @default_credentials.send(:credential_client)
         assert_nil @default_credentials.instance_variable_get(:@credential_client)
       end
     end
-
-    mock_workflow_client.verify
-    mock_managed_client.verify
   end
 end

data/test/unit/test_shared_access_signature_generator.rb

@@ -0,0 +1,198 @@
+require File.expand_path '../test_helper', __dir__
+require 'azure/storage/common'
+require 'base64'
+require 'uri'
+
+class TestSharedAccessSignatureGeneration < Minitest::Test
+  def setup
+    @access_account_name = 'testaccount'
+    @access_key_base64 = Base64.strict_encode64('test-access-key')
+    @path = '/container/blob.txt'
+    @service_type = Azure::Storage::Common::ServiceType::BLOB
+
+    @service_options = {
+      service: 'b',
+      permissions: 'c',
+      start: '2025-09-10T17:00:00Z',
+      expiry: '2025-09-10T18:00:00Z',
+      resource: 'b',
+      protocol: 'https',
+      ip_range: '192.168.1.1-192.168.1.10'
+    }
+
+    @user_delegation_key = Azure::Storage::Common::Service::UserDelegationKey.new do |key|
+      key.signed_oid = 'user-object-id-123'
+      key.signed_tid = 'tenant-id-456'
+      key.signed_start = '2025-09-10T17:00:00Z'
+      key.signed_expiry = '2025-09-10T19:00:00Z'
+      key.signed_service = 'b'
+      key.signed_version = '2020-08-04'
+      key.value = Base64.strict_encode64('user-delegation-key-value')
+    end
+  end
+
+  def test_service_sas_signature_string_format
+    # Test regular service SAS (no user delegation key)
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    result = sas.signable_string_for_service(@service_type, @path, @service_options)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Verify service SAS structure
+    assert_equal 'c', lines[0] # permissions
+    assert_equal '2025-09-10T17:00:00Z', lines[1]                # start
+    assert_equal '2025-09-10T18:00:00Z', lines[2]                # expiry
+    assert_equal '/blob/testaccount/container/blob.txt', lines[3] # canonicalized resource
+    assert_equal '', lines[4]                                     # identifier (empty for service SAS)
+    assert_equal '192.168.1.1-192.168.1.10', lines[5] # ip_range
+    assert_equal 'https', lines[6] # protocol
+    assert_equal Azure::Storage::Common::Default::STG_VERSION, lines[7] # version
+    assert_equal 'b', lines[8]                                    # resource
+    assert_equal '', lines[9]                                     # timestamp (empty)
+    assert_equal '', lines[10]                                    # encryption scope (empty)
+    # Response headers (all empty)
+    assert_equal '', lines[11]                                    # cache_control
+    assert_equal '', lines[12]                                    # content_disposition
+    assert_equal '', lines[13]                                    # content_encoding
+    assert_equal '', lines[14]                                    # content_language
+    assert_equal '', lines[15]                                    # content_type
+  end
+
+  def test_user_delegation_sas_signature_string_format
+    # Test user delegation SAS - always includes new 2025-07-05 format
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64, @user_delegation_key)
+
+    result = sas.signable_string_for_service(@service_type, @path, @service_options)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Verify user delegation SAS structure
+    assert_equal 'c', lines[0] # permissions
+    assert_equal '2025-09-10T17:00:00Z', lines[1]                # start
+    assert_equal '2025-09-10T18:00:00Z', lines[2]                # expiry
+    assert_equal '/blob/testaccount/container/blob.txt', lines[3] # canonicalized resource
+
+    # User delegation key fields
+    assert_equal 'user-object-id-123', lines[4]                  # signed_oid
+    assert_equal 'tenant-id-456', lines[5]                       # signed_tid
+    assert_equal '2025-09-10T17:00:00Z', lines[6]                # signed_start
+    assert_equal '2025-09-10T19:00:00Z', lines[7]                # signed_expiry
+    assert_equal 'b', lines[8]                                   # signed_service
+    assert_equal '2020-08-04', lines[9]                          # signed_version
+
+    # New fields for user delegation SAS (empty by default)
+    assert_equal '', lines[10]                                   # saoid
+    assert_equal '', lines[11]                                   # suoid
+    assert_equal '', lines[12]                                   # scid
+
+    # Critical: Two empty lines - this was causing the signature mismatch!
+    assert_equal '', lines[13]                                   # First empty line
+    assert_equal '', lines[14]                                   # Second empty line
+
+    # Continue with remaining fields
+    assert_equal '192.168.1.1-192.168.1.10', lines[15] # ip_range
+    assert_equal 'https', lines[16] # protocol
+    assert_equal Azure::Storage::Common::Default::STG_VERSION, lines[17] # version
+    assert_equal 'b', lines[18]                                  # resource
+    assert_equal '', lines[19]                                   # timestamp
+    assert_equal '', lines[20]                                   # encryption scope
+    # Response headers (all empty)
+    assert_equal '', lines[21]                                   # cache_control
+    assert_equal '', lines[22]                                   # content_disposition
+    assert_equal '', lines[23]                                   # content_encoding
+    assert_equal '', lines[24]                                   # content_language
+    assert_equal '', lines[25]                                   # content_type
+  end
+
+  def test_user_delegation_sas_with_optional_fields
+    # Test user delegation SAS with optional fields set
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64, @user_delegation_key)
+
+    options_with_extras = @service_options.merge({
+                                                   signed_authorized_user_object_id: 'authorized-user-789',
+                                                   signed_unauthorized_user_object_id: 'unauthorized-user-000',
+                                                   signed_correlation_id: 'correlation-abc-123',
+                                                   signed_encryption_scope: 'test-encryption-scope',
+                                                   timestamp: '2025-09-10T17:30:00Z',
+                                                   cache_control: 'no-cache',
+                                                   content_type: 'application/json'
+                                                 })
+
+    result = sas.signable_string_for_service(@service_type, @path, options_with_extras)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Verify the optional fields are included
+    assert_equal 'authorized-user-789', lines[10]               # saoid
+    assert_equal 'unauthorized-user-000', lines[11]             # suoid
+    assert_equal 'correlation-abc-123', lines[12]               # scid
+    assert_equal '2025-09-10T17:30:00Z', lines[19]              # timestamp
+    assert_equal 'test-encryption-scope', lines[20]             # encryption scope
+    assert_equal 'no-cache', lines[21]                          # cache_control
+    assert_equal 'application/json', lines[25]                  # content_type
+  end
+
+  def test_table_service_signature_format
+    # Test table service (no blob-specific fields)
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    table_options = {
+      service: 't',
+      permissions: 'rau',
+      expiry: '2025-09-10T18:00:00Z',
+      startpk: 'partition1',
+      startrk: 'row1',
+      endpk: 'partition2',
+      endrk: 'row2'
+    }
+
+    result = sas.signable_string_for_service(Azure::Storage::Common::ServiceType::TABLE, 'mytable', table_options)
+    lines = result.split("\n", -1) # Preserve training newlines
+
+    # Table service should not have blob-specific fields
+    assert_equal 'rau', lines[0]                                 # permissions
+    assert_equal '/table/testaccount/mytable', lines[3]          # canonicalized resource
+
+    # Should end with table-specific fields (no response headers for table)
+    expected_line_count = 12 # Basic fields + table fields, no blob fields
+    assert_equal expected_line_count, lines.length
+    assert_equal 'partition1', lines[8]                          # startpk
+    assert_equal 'row1', lines[9]                                # startrk
+    assert_equal 'partition2', lines[10]                         # endpk
+    assert_equal 'row2', lines[11]                               # endrk
+  end
+
+  def test_canonicalized_resource_format
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    # Test with leading slash
+    result = sas.canonicalized_resource('blob', '/container/blob.txt')
+    assert_equal '/blob/testaccount/container/blob.txt', result
+
+    # Test without leading slash
+    result = sas.canonicalized_resource('blob', 'container/blob.txt')
+    assert_equal '/blob/testaccount/container/blob.txt', result
+
+    # Test table resource
+    result = sas.canonicalized_resource('table', 'mytable')
+    assert_equal '/table/testaccount/mytable', result
+  end
+
+  def test_sas_token_generation_creates_valid_query_string
+    # Test that generate_service_sas_token creates a valid query string
+    sas = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(@access_account_name, @access_key_base64)
+
+    token = sas.generate_service_sas_token(@path, @service_options)
+
+    # Parse the query string
+    params = URI.decode_www_form(token).to_h
+
+    # Verify expected parameters are present
+    assert_equal 'c', params['sp'] # permissions
+    assert_equal '2025-09-10T17:00:00Z', params['st']           # start
+    assert_equal '2025-09-10T18:00:00Z', params['se']           # expiry
+    assert_equal 'b', params['sr']                               # resource
+    assert_equal 'https', params['spr']                          # protocol
+    assert_equal '192.168.1.1-192.168.1.10', params['sip'] # ip_range
+    assert params.key?('sig')                                    # signature should be present
+    refute_empty params['sig']                                   # signature should not be empty
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-fog-azure-rm
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.4.0
 platform: ruby
 authors:
 - Shaffan Chaudhry
@@ -18,7 +18,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-21 00:00:00.000000000 Z
+date: 2025-09-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
@@ -90,6 +90,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -450,8 +464,10 @@ files:
 - test/requests/storage/test_save_page_blob.rb
 - test/requests/storage/test_wait_blob_copy_operation_to_finish.rb
 - test/test_helper.rb
+- test/unit/test_credentials.rb
 - test/unit/test_default_credentials.rb
 - test/unit/test_managed_identity_client.rb
+- test/unit/test_shared_access_signature_generator.rb
 - test/unit/test_workflow_identity_client.rb
 homepage: https://gitlab.com/gitlab-org/gitlab-fog-azure-rm
 licenses:
@@ -473,7 +489,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.18
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Module for the 'fog' gem to support Azure Blob Storage with CarrierWave and