gitlab-fog-azure-rm 2.3.0 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa5ac286afc5ba0f3066194079050eb837ec86bb0e23a0e879ae34b6ccd18242
-  data.tar.gz: cc8affe1faf1d79f910c7d7e232386b592472981738a3122922ad370d4406294
+  metadata.gz: 61aaa2ad5deaa2d7cfc03c52d87f504147a30bb21656fa8d74a0a1e2c1335b7f
+  data.tar.gz: 170d555337f12f9262ecc0a482871d7e88429f0dd968a3d4ee3c0ec3d42300dd
 SHA512:
-  metadata.gz: 90faba724967de441a00eef32538b14dfbfbbce8a225d7052c965bd69110ab434316484da41b6b6de6e8ad3c7bf3cb5009cd25d634419f402a5fa31616f4764b
-  data.tar.gz: 7e9a772cdd278514751f4e3cd167ebe54c4c63b451c95ea701f48b475b5810638a8b847c6724e3ccf707152dbd4e509d45d2fe5ce897a2173ea88b9d5ea80c93
+  metadata.gz: c5bf104672cd6913ce0c701bc8da7da11d0e80a3a383adf9be76188712b5d2cdcc3f13ea1512c12775226999c266c357ca9b0a1bb01e03196773beb4a1f6c1d9
+  data.tar.gz: 354cd43f816764b22005eb1d0c4e89eecfd55d31b776107904e8f3b1c704b09bd596244517dba24869a2552258cbe98477daaec61ab7fd0042ecd9d21e58dc11

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Unreleased
 
+## 2.4.0
+
+- Refresh blob client whenever credentials needs to be refreshed !58
+
 ## 2.3.0
 
 - Bump default Azure Blob and SAS API versions to 2025-07-05 !56

data/gitlab-fog-azure-rm.gemspec

@@ -22,6 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rubocop', '~> 0.89.1'
   spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'timecop'
   spec.add_development_dependency 'webmock'
   spec.add_development_dependency 'webrick', '~> 1.8'
 

data/lib/fog/azurerm/identity/credentials.rb

@@ -15,7 +15,7 @@ module Fog
         def refresh_needed?
           return true unless expires_at
 
-          Time.now >= expires_at + EXPIRATION_BUFFER
+          Time.now >= expires_at - EXPIRATION_BUFFER
         end
       end
     end

data/lib/fog/azurerm/identity/default_credentials.rb

@@ -11,7 +11,6 @@ module Fog
       def initialize(options)
         @options = options
         @credential_client = nil
-        @credentials = nil
       end
 
       def fetch_credentials_if_needed
@@ -37,7 +36,7 @@ module Fog
           client = klass.new(options)
 
           begin
-            credentials = client.fetch_credentials
+            credentials = client.fetch_credentials_if_needed
           rescue Fog::AzureRM::Identity::BaseClient::FetchCredentialsError
             next
           end
@@ -48,10 +47,7 @@ module Fog
           end
         end
 
-        return unless credentials
-
-        @credentials = credentials
-        @credentials
+        @credential_client
       end
     end
   end

data/lib/fog/azurerm/storage.rb

@@ -100,6 +100,9 @@ module Fog
             raise e.message
           end
 
+          @user_delegation_key_mutex = Mutex.new
+          @blob_client_mutex = Mutex.new
+
           options[:environment] = options[:environment] || ENV['AZURE_ENVIRONMENT'] || ENVIRONMENT_AZURE_CLOUD
           @environment = options[:environment]
           @options = options
@@ -114,24 +117,7 @@ module Fog
           @azure_storage_endpoint = options[:azure_storage_endpoint]
           @azure_storage_domain = options[:azure_storage_domain]
 
-          storage_blob_host =
-            @azure_storage_endpoint ||
-            if @azure_storage_domain.nil? || @azure_storage_domain.empty?
-              get_blob_endpoint(@azure_storage_account_name, true, @environment)
-            else
-              get_blob_endpoint_with_domain(@azure_storage_account_name, true, @azure_storage_domain)
-            end
-
-          azure_client = Azure::Storage::Common::Client.create({
-            storage_account_name: @azure_storage_account_name,
-            storage_access_key: @azure_storage_access_key,
-            signer: @azure_storage_token_signer
-          }.compact)
-          azure_client.storage_blob_host = storage_blob_host
-          @blob_client = Azure::Storage::Blob::BlobService.new(client: azure_client, api_version: @api_version)
-          @blob_client.with_filter(Fog::AzureRM::IdentityEncodingFilter.new)
-          @blob_client.with_filter(Azure::Storage::Common::Core::Filter::ExponentialRetryPolicyFilter.new)
-          @blob_client.with_filter(Azure::Core::Http::DebugFilter.new) if @debug
+          refresh_blob_client
         end
 
         private
@@ -177,11 +163,16 @@ module Fog
           return nil unless @azure_storage_token_signer
 
           if @credential_client
-            @credentials = @credential_client.fetch_credentials_if_needed
-            @azure_storage_token_signer = token_signer
+            new_credentials = @credential_client.fetch_credentials_if_needed
+            changed = new_credentials != @credentials
+
+            if changed
+              @credentials = new_credentials
+              @azure_storage_token_signer = token_signer
+              refresh_blob_client
+            end
           end
 
-          @user_delegation_key_mutex ||= Mutex.new
           @user_delegation_key_mutex.synchronize do
             if @user_delegation_key_expiry.nil? || @user_delegation_key_expiry < requested_expiry
               start = Time.now
@@ -197,6 +188,35 @@ module Fog
 
           @user_delegation_key
         end
+
+        def refresh_blob_client
+          @blob_client_mutex.synchronize do
+            azure_client = create_azure_client
+            azure_client.storage_blob_host = storage_blob_host
+            @blob_client = Azure::Storage::Blob::BlobService.new(client: azure_client, api_version: @api_version)
+            @blob_client.with_filter(Fog::AzureRM::IdentityEncodingFilter.new)
+            @blob_client.with_filter(Azure::Storage::Common::Core::Filter::ExponentialRetryPolicyFilter.new)
+            @blob_client.with_filter(Azure::Core::Http::DebugFilter.new) if @debug
+          end
+        end
+
+        def storage_blob_host
+          return @azure_storage_endpoint if @azure_storage_endpoint
+
+          if @azure_storage_domain.nil? || @azure_storage_domain.empty?
+            get_blob_endpoint(@azure_storage_account_name, true, @environment)
+          else
+            get_blob_endpoint_with_domain(@azure_storage_account_name, true, @azure_storage_domain)
+          end
+        end
+
+        def create_azure_client
+          Azure::Storage::Common::Client.create({
+            storage_account_name: @azure_storage_account_name,
+            storage_access_key: @azure_storage_access_key,
+            signer: @azure_storage_token_signer
+          }.compact)
+        end
       end
     end
   end

data/lib/fog/azurerm/version.rb

@@ -1,5 +1,5 @@
 module Fog
   module AzureRM
-    VERSION = '2.3.0'.freeze
+    VERSION = '2.4.0'.freeze
   end
 end

data/test/requests/storage/test_get_blob_https_url.rb

@@ -224,4 +224,74 @@ class TestGetBlobHttpsUrl < Minitest::Test
     assert_equal "#{@url}?#{@token}", @mock_service.get_blob_https_url('test_container', 'test_blob', Time.now.utc + 3600)
     assert_equal "#{@url}?#{@token}", @mock_service.get_object_url('test_container', 'test_blob', Time.now.utc + 3600)
   end
+
+  def test_blob_client_refreshes_when_credentials_expire
+    # Setup an expired initial token
+    initial_token_response = {
+      'access_token' => 'initial_token',
+      'expires_on' => (Time.now + ::Fog::AzureRM::Identity::Credentials::EXPIRATION_BUFFER + 10).to_i
+    }
+
+    # Setup refreshed token response
+    refreshed_token_response = {
+      'access_token' => 'refreshed_token',
+      'expires_on' => (Time.now + ::Fog::AzureRM::Identity::Credentials::EXPIRATION_BUFFER * 3).to_i
+    }
+
+    # Mock the identity endpoint to return initial token first, then refreshed token
+    stub_request(:get, "#{Fog::AzureRM::Identity::IDENTITY_ENDPOINT}?api-version=#{Fog::AzureRM::Identity::API_VERSION}&resource=https://storage.azure.com")
+      .with(headers: { 'Metadata' => 'true' })
+      .to_return(
+        { status: 200, body: initial_token_response.to_json },
+        { status: 200, body: refreshed_token_response.to_json }
+      )
+
+    # Setup user delegation key responses
+    delegation_response = <<~MSG
+      <UserDelegationKey>
+          <SignedOid>f81d4fae-7dec-11d0-a765-00a0c91e6bf6</SignedOid>
+          <SignedTid>72f988bf-86f1-41af-91ab-2d7cd011db47</SignedTid>
+          <SignedStart>2024-09-19T00:00:00Z</SignedStart>
+          <SignedExpiry>2024-09-26T00:00:00Z</SignedExpiry>
+          <SignedService>b</SignedService>
+          <SignedVersion>2020-02-10</SignedVersion>
+          <Value>UDELEGATIONKEY_INITIAL</Value>
+          <SignedKey>rL7...INITIAL</SignedKey>
+      </UserDelegationKey>
+    MSG
+
+    stub_request(:post, 'https://mockaccount.blob.core.windows.net?comp=userdelegationkey&restype=service')
+      .to_return(
+        { status: 200, headers: { 'Content-Type': 'application/xml' }, body: delegation_response }
+      )
+
+    service = Fog::AzureRM::Storage.new(storage_account_managed_identity)
+    initial_blob_client = service.instance_variable_get(:@blob_client)
+    refute_nil initial_blob_client
+
+    # First request should not refresh the blob client and token
+    requested_expiry = Time.now + 60
+    url1 = service.get_blob_https_url('test_container', 'test_blob', requested_expiry)
+    refute_nil url1
+    assert url1.include?('https://mockaccount.blob.core.windows.net/test_container/test_blob')
+
+    second_blob_client = service.instance_variable_get(:@blob_client)
+    assert_equal initial_blob_client.object_id, second_blob_client.object_id
+
+    Timecop.travel(Time.now + ::Fog::AzureRM::Identity::Credentials::EXPIRATION_BUFFER) do
+      credentials = service.instance_variable_get(:@credentials)
+      assert credentials.refresh_needed?
+
+      # Second request should tigger credential refresh and blob client update
+      url2 = service.get_blob_https_url('test_container', 'test_blob', requested_expiry)
+      third_blob_client = service.instance_variable_get(:@blob_client)
+      credentials = service.instance_variable_get(:@credentials)
+      refute credentials.refresh_needed?
+
+      refute_nil url2
+      assert url2.include?('https://mockaccount.blob.core.windows.net/test_container/test_blob')
+      refute_nil third_blob_client
+      refute_equal third_blob_client.object_id, second_blob_client.object_id
+    end
+  end
 end

data/test/test_helper.rb

@@ -1,3 +1,4 @@
+require 'timecop'
 require 'webmock/minitest'
 WebMock.disable_net_connect! allow: %w[127.0.0.1]
 

data/test/unit/test_credentials.rb

@@ -0,0 +1,44 @@
+require File.expand_path '../test_helper', __dir__
+
+class TestCredentials < Minitest::Test
+  def setup
+    @token = 'test-access-token'
+    @expires_at = Time.now + 3600 # 1 hour from now
+    @credentials = Fog::AzureRM::Identity::Credentials.new(@token, @expires_at)
+  end
+
+  def test_initialize
+    assert_equal @token, @credentials.token
+    assert_equal @expires_at, @credentials.expires_at
+  end
+
+  def test_refresh_needed_when_expires_at_is_nil
+    credentials = Fog::AzureRM::Identity::Credentials.new(@token, nil)
+    assert credentials.refresh_needed?
+  end
+
+  def test_refresh_needed_when_token_expires_soon
+    # Token expires in 5 minutes (less than 10 minute buffer)
+    expires_soon = Time.now + 300
+    credentials = Fog::AzureRM::Identity::Credentials.new(@token, expires_soon)
+    assert credentials.refresh_needed?
+  end
+
+  def test_refresh_not_needed_when_token_has_time_left
+    # Token expires in 15 minutes (more than 10 minute buffer)
+    expires_later = Time.now + 900
+    credentials = Fog::AzureRM::Identity::Credentials.new(@token, expires_later)
+    refute credentials.refresh_needed?
+  end
+
+  def test_refresh_needed_exactly_at_buffer_time
+    # Token expires exactly at buffer time (10 minutes)
+    expires_at_buffer = Time.now + Fog::AzureRM::Identity::Credentials::EXPIRATION_BUFFER
+    credentials = Fog::AzureRM::Identity::Credentials.new(@token, expires_at_buffer)
+    assert credentials.refresh_needed?
+  end
+
+  def test_expiration_buffer_constant
+    assert_equal 600, Fog::AzureRM::Identity::Credentials::EXPIRATION_BUFFER
+  end
+end

data/test/unit/test_default_credentials.rb

@@ -9,7 +9,6 @@ class TestDefaultCredentials < Minitest::Test
   def test_initialize
     assert_instance_of Fog::AzureRM::DefaultCredentials, @default_credentials
     assert_nil @default_credentials.instance_variable_get(:@credential_client)
-    assert_nil @default_credentials.instance_variable_get(:@credentials)
   end
 
   def test_fetch_credentials_if_needed_with_no_credential_client
@@ -28,70 +27,55 @@ class TestDefaultCredentials < Minitest::Test
   end
 
   def test_credential_client_with_workflow_identity
-    mock_workflow_client = Minitest::Mock.new
-    mock_workflow_client.expect :fetch_credentials, 'fake_workflow_credentials'
+    workflow_client = Struct.new(:fetch_credentials_if_needed).new('fake_workflow_credentials')
 
-    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
-      credentials = @default_credentials.send(:credential_client)
-      assert_equal 'fake_workflow_credentials', credentials
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, workflow_client do
+      client = @default_credentials.send(:credential_client)
+      assert_equal workflow_client, client
+      assert_equal workflow_client, @default_credentials.instance_variable_get(:@credential_client)
     end
-
-    mock_workflow_client.verify
   end
 
   def test_credential_client_with_managed_identity
-    mock_workflow_client = Minitest::Mock.new
-    mock_workflow_client.expect :fetch_credentials, nil
-
-    mock_managed_client = Minitest::Mock.new
-    mock_managed_client.expect :fetch_credentials, 'fake_managed_credentials'
-
-    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
-      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
-        credentials = @default_credentials.send(:credential_client)
-        assert_equal 'fake_managed_credentials', credentials
+    workflow_client = Struct.new(:fetch_credentials_if_needed).new
+    managed_client = Struct.new(:fetch_credentials_if_needed).new('fake_managed_credentials')
+
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, managed_client do
+        client = @default_credentials.send(:credential_client)
+        assert_equal managed_client, client
+        assert_equal managed_client, @default_credentials.instance_variable_get(:@credential_client)
       end
     end
-
-    mock_workflow_client.verify
-    mock_managed_client.verify
   end
 
   def test_credential_client_with_failed_workflow_identity
-    mock_workflow_client = Minitest::Mock.new
-    def mock_workflow_client.fetch_credentials
-      raise ::Fog::AzureRM::Identity::BaseClient::FetchCredentialsError, 'Failed to fetch credentials'
-    end
+    workflow_client = Class.new do
+      def fetch_credentials_if_needed
+        raise ::Fog::AzureRM::Identity::BaseClient::FetchCredentialsError, 'Failed to fetch credentials'
+      end
+    end.new
 
-    mock_managed_client = Minitest::Mock.new
-    mock_managed_client.expect :fetch_credentials, 'fake_managed_credentials'
+    managed_client = Struct.new(:fetch_credentials_if_needed).new('fake_managed_credentials')
 
-    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
-      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
-        credentials = @default_credentials.send(:credential_client)
-        assert_equal 'fake_managed_credentials', credentials
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, managed_client do
+        client = @default_credentials.send(:credential_client)
+        assert_equal managed_client, client
+        assert_equal managed_client, @default_credentials.instance_variable_get(:@credential_client)
       end
     end
-
-    mock_workflow_client.verify
-    mock_managed_client.verify
   end
 
   def test_credential_client_with_no_credentials
-    mock_workflow_client = Minitest::Mock.new
-    mock_workflow_client.expect :fetch_credentials, nil
+    workflow_client = Struct.new(:fetch_credentials_if_needed).new
+    managed_client = Struct.new(:fetch_credentials_if_needed).new
 
-    mock_managed_client = Minitest::Mock.new
-    mock_managed_client.expect :fetch_credentials, nil
-
-    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
-      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, managed_client do
         assert_nil @default_credentials.send(:credential_client)
         assert_nil @default_credentials.instance_variable_get(:@credential_client)
       end
     end
-
-    mock_workflow_client.verify
-    mock_managed_client.verify
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-fog-azure-rm
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.4.0
 platform: ruby
 authors:
 - Shaffan Chaudhry
@@ -15,9 +15,10 @@ authors:
 - Azeem Sajid
 - Maham Nazir
 - Abbas Sheikh
+autorequire:
 bindir: bin
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2025-09-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
@@ -89,6 +90,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -237,6 +252,7 @@ dependencies:
         version: 1.10.8
 description: This is a stripped-down fork of fog-azure-rm that enables Azure Blob
   Storage to be used with CarrierWave and Fog.
+email:
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -448,6 +464,7 @@ files:
 - test/requests/storage/test_save_page_blob.rb
 - test/requests/storage/test_wait_blob_copy_operation_to_finish.rb
 - test/test_helper.rb
+- test/unit/test_credentials.rb
 - test/unit/test_default_credentials.rb
 - test/unit/test_managed_identity_client.rb
 - test/unit/test_shared_access_signature_generator.rb
@@ -472,7 +489,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.2
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: Module for the 'fog' gem to support Azure Blob Storage with CarrierWave and
   Fog.