gitlab-fog-azure-rm 2.1.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d92167cf3193f73d9c97ae76465057206f076c4f2a14e1f8a12c677d77ca2f0
-  data.tar.gz: 04fce79fa98d5f6dbb512dc974678be18ccb45cc84921c6914e61a60f4a6a62c
+  metadata.gz: 6c0db6ddb892cbf22fdd3bd0a6aa859dc54256572f87ff5fa4af0ab478127ba1
+  data.tar.gz: ac3ee5c92ab35dae5050dbf71a68c5d4f74cb0549c1b2c6cd55bfb3676099141
 SHA512:
-  metadata.gz: a4eca952fa0daa27b5149654960ae75b4b875d128114388f2cc539b3a3e1bdd2874e03456f60b8da7a2b05f5d994cdcd58962940e2abc1c328bdddfec2f86960
-  data.tar.gz: b503003e15965b9076b1ad75b25fd1282dfae71f4eacd806be13c6bc004a9bad5843c491c568fe4ff7cc42e09f9d6ac367c4fc7db9b27efa62288badb5f3477b
+  metadata.gz: a876f5d3cd330701883c5185313faba45a00403577388a102d658b51a88cdf56bb1d46130668ad5b5e54557416048830dbc21bb458f844218e8cb9777ed7aca3
+  data.tar.gz: a6c70245610e9ad32f587005888bdfd8da48a6d0b52c48fdf5db0a9a7d7141bf33bf9ba74bda4c6a7793cc37648f65d3cb9bcfc5033d819874a22c26a69ae25e

data/.rubocop.yml

@@ -6,3 +6,7 @@ AllCops:
   Exclude:
     - 'lib/azure/**/*'
     - 'vendor/**/*'
+
+Style/Documentation:
+  Exclude:
+    - 'test/**/*'

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Unreleased
 
+## 2.2.0
+
+- Add support for workflow and managed identities !54
+
 ## 2.1.0
 
 - Drop IPAddr patches !52

data/gitlab-fog-azure-rm.gemspec

@@ -22,6 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rubocop', '~> 0.89.1'
   spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'webmock'
   spec.add_development_dependency 'webrick', '~> 1.8'
 
   spec.add_dependency 'faraday', "~> 2.0"

data/lib/fog/azurerm/identity/base_client.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: trues
+
+require 'json'
+
+module Fog
+  module AzureRM
+    module Identity
+      # BaseClient is responsible for fetching credentials and refreshing
+      # them when necessary.
+      class BaseClient
+        include Fog::AzureRM::Utilities::General
+        attr_accessor :credentials
+
+        FetchCredentialsError = Class.new(RuntimeError)
+
+        DEFAULT_TIMEOUT_S = 30
+
+        def fetch_credentials
+          raise NotImplementedError
+        end
+
+        def fetch_credentials_if_needed
+          @credentials = fetch_credentials if @credentials.nil? || refresh_needed?
+
+          credentials
+        end
+
+        def refresh_needed?
+          return true unless @credentials
+
+          @credentials.refresh_needed?
+        end
+
+        protected
+
+        def process_token_response(response)
+          # If we get an unauthorized error, raising an exception allows the admin
+          # diagnose the error with the federated credentials.
+          raise FetchCredentialsError, response.to_s unless response.success?
+
+          body = ::JSON.parse(response.body)
+          access_token = body['access_token']
+
+          return unless access_token
+
+          expires_at = ::Time.now
+          expires_on = body['expires_on']
+          expires_at = ::Time.at(expires_on.to_i) if expires_on
+
+          Credentials.new(access_token, expires_at)
+        rescue ::JSON::ParserError # rubocop:disable Lint/SuppressedException
+        end
+
+        private
+
+        def get(url, params: nil, headers: nil)
+          Faraday.get(url, params, headers) do |req|
+            req.options.timeout = DEFAULT_TIMEOUT_S
+          end
+        rescue ::Faraday::Error => e
+          raise FetchCredentialsError, e.to_s
+        end
+
+        def post(url, body: nil, headers: nil)
+          Faraday.post(url, body, headers) do |req|
+            req.options.timeout = DEFAULT_TIMEOUT_S
+          end
+        rescue ::Faraday::Error => e
+          raise FetchCredentialsError, e.to_s
+        end
+      end
+    end
+  end
+end

data/lib/fog/azurerm/identity/credentials.rb

@@ -0,0 +1,23 @@
+module Fog
+  module AzureRM
+    module Identity
+      # Credentials stores the access token and its expiry.
+      class Credentials
+        attr_accessor :token, :expires_at
+
+        EXPIRATION_BUFFER = 600 # 10 minutes
+
+        def initialize(token, expires_at)
+          @token = token
+          @expires_at = expires_at
+        end
+
+        def refresh_needed?
+          return true unless expires_at
+
+          Time.now >= expires_at + EXPIRATION_BUFFER
+        end
+      end
+    end
+  end
+end

data/lib/fog/azurerm/identity/default_credentials.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'json'
+require_relative 'base_client'
+
+module Fog
+  module AzureRM
+    # DefaultCredentials attempts to resolve the credentials necessary to access
+    # the Azure service.
+    class DefaultCredentials
+      def initialize(options)
+        @options = options
+        @credential_client = nil
+        @credentials = nil
+      end
+
+      def fetch_credentials_if_needed
+        return unless credential_client
+
+        credential_client.fetch_credentials_if_needed
+      end
+
+      private
+
+      attr_reader :options
+
+      def credential_client
+        return @credential_client if @credential_client
+
+        clients = [
+          Fog::AzureRM::Identity::WorkflowIdentityClient,
+          Fog::AzureRM::Identity::ManagedIdentityClient
+        ]
+
+        credentials = nil
+        clients.each do |klass|
+          client = klass.new(options)
+
+          begin
+            credentials = client.fetch_credentials
+          rescue Fog::AzureRM::Identity::BaseClient::FetchCredentialsError
+            next
+          end
+
+          if credentials
+            @credential_client = client
+            break
+          end
+        end
+
+        return unless credentials
+
+        @credentials = credentials
+        @credentials
+      end
+    end
+  end
+end

data/lib/fog/azurerm/identity/managed_identity_client.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'faraday'
+
+module Fog
+  module AzureRM
+    module Identity
+      IDENTITY_ENDPOINT = 'http://169.254.169.254/metadata/identity/oauth2/token'
+      API_VERSION = '2018-02-01'
+
+      # ManagedIdentityClient fetches temporary credentials from the instance metadata endpoint.
+      class ManagedIdentityClient < BaseClient
+        include Fog::AzureRM::Utilities::General
+
+        attr_reader :resource
+
+        def initialize(options)
+          super()
+          @environment = options[:environment]
+          @resource = storage_resource(@environment)
+        end
+
+        # This method obtains a token via the Azure Instance Metadata Service (IMDS) endpoint:
+        # https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
+        def fetch_credentials
+          url = "#{identity_endpoint}?api-version=#{api_version}&resource=#{CGI.escape(resource)}"
+
+          client_id = ENV['AZURE_CLIENT_ID']
+          url += "&client_id=#{client_id}" if client_id
+
+          headers = { 'Metadata' => 'true' }
+          headers['X-IDENTITY-HEADER'] = ENV['IDENTITY_HEADER'] if ENV['IDENTITY_HEADER']
+
+          response = get(url, headers: headers)
+          process_token_response(response)
+        end
+
+        private
+
+        def identity_endpoint
+          ENV['IDENTITY_ENDPOINT'] || IDENTITY_ENDPOINT
+        end
+
+        def api_version
+          ENV['IDENTITY_ENDPOINT'] ? '2019-08-01' : API_VERSION
+        end
+      end
+    end
+  end
+end

data/lib/fog/azurerm/identity/workflow_identity_client.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Fog
+  module AzureRM
+    module Identity
+      # WorkflowIdentityClient attempts to fetch credentials for Azure Workflow Identity
+      # via the following environment variables:
+      #
+      # - AZURE_AUTHORITY_HOST - This can be used to override the default authority URL.
+      # - AZURE_TENANT_ID
+      # - AZURE_CLIENT_ID
+      # - AZURE_FEDERATED_TOKEN_FILE - This is a filename that stores the JWT token that
+      #   is exchanged for an OAuth2 token.
+      class WorkflowIdentityClient < BaseClient
+        include Fog::AzureRM::Utilities::General
+
+        attr_accessor :environment, :resource, :authority, :tenant_id, :client_id, :token_file
+
+        def initialize(options)
+          super()
+          @environment = options[:environment]
+          @resource = storage_resource(@environment)
+          @authority = ENV['AZURE_AUTHORITY_HOST'] || authority_url(@environment)
+          @tenant_id = ENV['AZURE_TENANT_ID']
+          @client_id = ENV['AZURE_CLIENT_ID']
+          @token_file = ENV['AZURE_FEDERATED_TOKEN_FILE']
+
+          normalize_authority!
+        end
+
+        def fetch_credentials
+          return unless authority && tenant_id && client_id
+          return unless ::File.exist?(token_file) && ::File.readable?(token_file)
+
+          oidc_token = ::File.read(token_file)
+          token_url = "#{authority}/#{tenant_id}/oauth2/v2.0/token"
+          scope = "#{storage_resource(@environment)}/.default"
+
+          data = {
+            client_id: client_id,
+            grant_type: 'client_credentials',
+            client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+            client_assertion: oidc_token,
+            scope: scope
+          }
+
+          response = post(token_url, body: data)
+
+          process_token_response(response)
+        rescue ::Faraday::Error => e
+          raise FetchCredentialsError, e.to_s
+        end
+
+        private
+
+        # The Azure Python SDK handles an authority with or without a scheme, so let's
+        # do this too: https://github.com/Azure/azure-sdk-for-python/pull/11050
+        def normalize_authority!
+          parsed = URI.parse(authority)
+
+          unless parsed.scheme
+            @authority = "https://#{authority.strip.chomp('/')}"
+            return
+          end
+
+          # rubocop:disable Style/IfUnlessModifier
+          unless parsed.scheme == 'https'
+            raise ArgumentError, "'#{authority}' is an invalid authority. The value must be a TLS protected (https) URL."
+          end
+          # rubocop:enable Style/IfUnlessModifier
+
+          @authority = authority.strip.chomp('/')
+        end
+      end
+    end
+  end
+end

data/lib/fog/azurerm/identity.rb

@@ -0,0 +1,5 @@
+require_relative 'identity/base_client'
+require_relative 'identity/credentials'
+require_relative 'identity/default_credentials'
+require_relative 'identity/managed_identity_client'
+require_relative 'identity/workflow_identity_client'

data/lib/fog/azurerm/storage.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+require 'json'
+
 module Fog
   module AzureRM
     # This class registers models, requests and collections
@@ -80,6 +84,8 @@ module Fog
       class Real
         include Fog::AzureRM::Utilities::General
 
+        attr_accessor :options
+
         def initialize(options)
           begin
             require 'azure/storage/common'
@@ -93,19 +99,19 @@ module Fog
             raise e.message
           end
 
-          return unless @azure_storage_account_name != options[:azure_storage_account_name] ||
-                        @azure_storage_access_key != options[:azure_storage_access_key] ||
-                        @azure_storage_token_signer != options[:azure_storage_token_signer]
+          options[:environment] = options[:environment] || ENV['AZURE_ENVIRONMENT'] || ENVIRONMENT_AZURE_CLOUD
+          @environment = options[:environment]
+          @options = options
 
           @azure_storage_account_name = options[:azure_storage_account_name]
           @azure_storage_access_key = options[:azure_storage_access_key]
-          @azure_storage_token_signer = options[:azure_storage_token_signer]
+
+          load_credentials
+
+          @azure_storage_token_signer = token_signer
           @azure_storage_endpoint = options[:azure_storage_endpoint]
           @azure_storage_domain = options[:azure_storage_domain]
 
-          options[:environment] = 'AzureCloud' if options[:environment].nil?
-          @environment = options[:environment]
-
           storage_blob_host =
             @azure_storage_endpoint ||
             if @azure_storage_domain.nil? || @azure_storage_domain.empty?
@@ -128,6 +134,26 @@ module Fog
 
         private
 
+        def load_credentials
+          return options[:azure_storage_token_signer] if options[:azure_storage_token_signer]
+          return if @azure_storage_access_key && !@azure_storage_access_key.empty?
+
+          @credential_client = Fog::AzureRM::DefaultCredentials.new(options)
+          @credentials = @credential_client.fetch_credentials_if_needed
+        end
+
+        def token_signer
+          return options[:azure_storage_token_signer] if options[:azure_storage_token_signer]
+          return unless @credentials
+
+          access_token_signer(@credentials.token)
+        end
+
+        def access_token_signer(access_token)
+          cred = Azure::Storage::Common::Core::TokenCredential.new(access_token)
+          Azure::Storage::Common::Core::Auth::TokenSigner.new(cred)
+        end
+
         def signature_client(requested_expiry)
           access_key = @azure_storage_access_key.to_s
           user_delegation_key = user_delegation_key(requested_expiry)
@@ -148,6 +174,11 @@ module Fog
         def user_delegation_key(requested_expiry)
           return nil unless @azure_storage_token_signer
 
+          if @credential_client
+            @credentials = @credential_client.fetch_credentials_if_needed
+            @azure_storage_token_signer = token_signer
+          end
+
           @user_delegation_key_mutex ||= Mutex.new
           @user_delegation_key_mutex.synchronize do
             if @user_delegation_key_expiry.nil? || @user_delegation_key_expiry < requested_expiry

data/lib/fog/azurerm/utilities/general.rb

@@ -89,6 +89,28 @@ module Fog
           end
         end
 
+        # Per https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory,
+        # all endpoints use the same resource URL.
+        def storage_resource(_environment = ENVIRONMENT_AZURE_CLOUD)
+          'https://storage.azure.com'
+        end
+
+        # https://learn.microsoft.com/en-us/entra/identity-platform/authentication-national-cloud#microsoft-entra-authentication-endpoints
+        def authority_url(environment = ENVIRONMENT_AZURE_CLOUD)
+          case environment
+          when ENVIRONMENT_AZURE_CHINA_CLOUD
+            'https://login.chinacloudapi.cn'
+          when ENVIRONMENT_AZURE_US_GOVERNMENT
+            'https://login.microsoftonline.us'
+          # This region is deprecated:
+          # https://learn.microsoft.com/en-us/entra/identity-platform/authentication-national-cloud#azure-germany-microsoft-cloud-deutschland
+          when ENVIRONMENT_AZURE_GERMAN_CLOUD
+            'https://login.microsoftonline.de'
+          else
+            'https://login.microsoftonline.com'
+          end
+        end
+
         def get_blob_endpoint(storage_account_name, enable_https = false, environment = ENVIRONMENT_AZURE_CLOUD)
           protocol = enable_https ? 'https' : 'http'
           "#{protocol}://#{storage_account_name}.blob#{storage_endpoint_suffix(environment)}"

data/lib/fog/azurerm/version.rb

@@ -1,5 +1,5 @@
 module Fog
   module AzureRM
-    VERSION = '2.1.0'.freeze
+    VERSION = '2.2.0'.freeze
   end
 end

data/lib/fog/azurerm.rb

@@ -9,6 +9,7 @@ require 'fog/json'
 require 'fog/azurerm/models/storage/sku_name'
 require 'fog/azurerm/models/storage/sku_tier'
 require 'fog/azurerm/models/storage/kind'
+require 'fog/azurerm/identity'
 
 module Fog
   # Main AzureRM fog Provider Module

data/rakefile

@@ -8,6 +8,7 @@ task :test do
   Dir.glob('test/test_*.rb').each { |file| require File.expand_path file, __dir__ }
   Dir.glob('test/models/**/test_*.rb').each { |file| require File.expand_path file, __dir__ }
   Dir.glob('test/requests/**/test_*.rb').each { |file| require File.expand_path file, __dir__ }
+  Dir.glob('test/unit/**/test_*.rb').each { |file| require File.expand_path file, __dir__ }
 end
 
 task :integration do

data/test/models/storage/test_directory.rb

@@ -112,7 +112,7 @@ class TestDirectory < Minitest::Test
     # Set private
     result = @directory.public = false
     assert !result
-    assert_equal nil, @directory.attributes[:acl]
+    assert_nil @directory.attributes[:acl]
   end
 
   def test_public_url_method_with_public_success

data/test/requests/storage/test_get_blob_https_url.rb

@@ -104,6 +104,55 @@ class TestGetBlobHttpsUrl < Minitest::Test
     end
   end
 
+  def test_get_blob_https_url_with_managed_identity
+    token_response = {
+      'access_token' => 'fake_token',
+      'expires_on' => (Time.now + 3600).to_i.to_s
+    }
+
+    stub_request(:get, "#{Fog::AzureRM::Identity::IDENTITY_ENDPOINT}?api-version=#{Fog::AzureRM::Identity::API_VERSION}&resource=https://storage.azure.com")
+      .with(headers: { 'Metadata' => 'true' })
+      .to_return(status: 200, body: token_response.to_json)
+
+    service = Fog::AzureRM::Storage.new(storage_account_managed_identity)
+
+    requested_expiry = Time.now + 60
+
+    response = <<~MSG
+      <UserDelegationKey>
+          <SignedOid>f81d4fae-7dec-11d0-a765-00a0c91e6bf6</SignedOid>
+          <SignedTid>72f988bf-86f1-41af-91ab-2d7cd011db47</SignedTid>
+          <SignedStart>2024-09-19T00:00:00Z</SignedStart>
+          <SignedExpiry>2024-09-26T00:00:00Z</SignedExpiry>
+          <SignedService>b</SignedService>
+          <SignedVersion>2020-02-10</SignedVersion>
+          <Value>UDELEGATIONKEYXYZ....</Value>
+          <SignedKey>rL7...ABC</SignedKey>
+      </UserDelegationKey>
+    MSG
+
+    stub_request(:post, 'https://mockaccount.blob.core.windows.net?comp=userdelegationkey&restype=service')
+      .to_return(status: 200, headers: { 'Content-Type': 'application/xml' }, body: response)
+
+    url = service.get_blob_https_url('test_container', 'test_blob', requested_expiry)
+
+    parsed = URI.parse(url)
+
+    assert_equal 'https', parsed.scheme
+    assert_equal 'mockaccount.blob.core.windows.net', parsed.host
+    assert_equal '/test_container/test_blob', parsed.path
+
+    params = parsed.query.split('&').to_h { |x| x.split('=') }
+
+    assert_equal 'r', params['sp']
+    assert_equal '2018-11-09', params['sv']
+    assert_equal 'b', params['sr']
+    assert_equal 'https', params['spr']
+    assert_equal '2024-09-19T00%3A00%3A00Z', params['skt']
+    assert_equal '2024-09-26T00%3A00%3A00Z', params['ske']
+    assert_equal 'b', params['sks']
+  end
+
   def test_get_blob_https_url_with_token_signer_success
     service = Fog::AzureRM::Storage.new(storage_account_credentials_with_token_signer)
     blob_client = service.instance_variable_get(:@blob_client)
@@ -132,7 +181,7 @@ class TestGetBlobHttpsUrl < Minitest::Test
     # second request within new expiry
     stubbed_times << ref_time + 10.5 * DAY
     requested_expiries << stubbed_times.last + 1 * DAY
-    # no additonal expected_user_delegation_key_starts
+    # no additional expected_user_delegation_key_starts
 
     user_delegation_key_starts = []
     mock_user_delegation_key = lambda do |start, expiry|

data/test/test_helper.rb

@@ -1,3 +1,6 @@
+require 'webmock/minitest'
+WebMock.disable_net_connect! allow: %w[127.0.0.1]
+
 if ENV['COVERAGE']
   require 'simplecov'
   SimpleCov.start do
@@ -42,6 +45,12 @@ def storage_account_credentials
   }
 end
 
+def storage_account_managed_identity
+  {
+    azure_storage_account_name: 'mockaccount'
+  }
+end
+
 def storage_account_credentials_with_endpoint
   storage_account_credentials.merge(
     {

data/test/unit/test_default_credentials.rb

@@ -0,0 +1,97 @@
+require File.expand_path '../test_helper', __dir__
+
+class TestDefaultCredentials < Minitest::Test
+  def setup
+    @options = { environment: 'AzureCloud' }
+    @default_credentials = Fog::AzureRM::DefaultCredentials.new(@options)
+  end
+
+  def test_initialize
+    assert_instance_of Fog::AzureRM::DefaultCredentials, @default_credentials
+    assert_nil @default_credentials.instance_variable_get(:@credential_client)
+    assert_nil @default_credentials.instance_variable_get(:@credentials)
+  end
+
+  def test_fetch_credentials_if_needed_with_no_credential_client
+    @default_credentials.stub(:credential_client, nil) do
+      assert_nil @default_credentials.fetch_credentials_if_needed
+    end
+  end
+
+  def test_fetch_credentials_if_needed_with_credential_client
+    mock_client = Minitest::Mock.new
+    mock_client.expect :fetch_credentials_if_needed, 'fake_credentials'
+    @default_credentials.instance_variable_set(:@credential_client, mock_client)
+
+    assert_equal 'fake_credentials', @default_credentials.fetch_credentials_if_needed
+    mock_client.verify
+  end
+
+  def test_credential_client_with_workflow_identity
+    mock_workflow_client = Minitest::Mock.new
+    mock_workflow_client.expect :fetch_credentials, 'fake_workflow_credentials'
+
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
+      credentials = @default_credentials.send(:credential_client)
+      assert_equal 'fake_workflow_credentials', credentials
+    end
+
+    mock_workflow_client.verify
+  end
+
+  def test_credential_client_with_managed_identity
+    mock_workflow_client = Minitest::Mock.new
+    mock_workflow_client.expect :fetch_credentials, nil
+
+    mock_managed_client = Minitest::Mock.new
+    mock_managed_client.expect :fetch_credentials, 'fake_managed_credentials'
+
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
+        credentials = @default_credentials.send(:credential_client)
+        assert_equal 'fake_managed_credentials', credentials
+      end
+    end
+
+    mock_workflow_client.verify
+    mock_managed_client.verify
+  end
+
+  def test_credential_client_with_failed_workflow_identity
+    mock_workflow_client = Minitest::Mock.new
+    def mock_workflow_client.fetch_credentials
+      raise ::Fog::AzureRM::Identity::BaseClient::FetchCredentialsError, 'Failed to fetch credentials'
+    end
+
+    mock_managed_client = Minitest::Mock.new
+    mock_managed_client.expect :fetch_credentials, 'fake_managed_credentials'
+
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
+        credentials = @default_credentials.send(:credential_client)
+        assert_equal 'fake_managed_credentials', credentials
+      end
+    end
+
+    mock_workflow_client.verify
+    mock_managed_client.verify
+  end
+
+  def test_credential_client_with_no_credentials
+    mock_workflow_client = Minitest::Mock.new
+    mock_workflow_client.expect :fetch_credentials, nil
+
+    mock_managed_client = Minitest::Mock.new
+    mock_managed_client.expect :fetch_credentials, nil
+
+    Fog::AzureRM::Identity::WorkflowIdentityClient.stub :new, mock_workflow_client do
+      Fog::AzureRM::Identity::ManagedIdentityClient.stub :new, mock_managed_client do
+        assert_nil @default_credentials.send(:credential_client)
+        assert_nil @default_credentials.instance_variable_get(:@credential_client)
+      end
+    end
+
+    mock_workflow_client.verify
+    mock_managed_client.verify
+  end
+end

data/test/unit/test_managed_identity_client.rb

@@ -0,0 +1,74 @@
+require File.expand_path '../test_helper', __dir__
+
+class TestManagedIdentityClient < Minitest::Test
+  def setup
+    @options = { environment: 'AzureCloud' }
+    @client = Fog::AzureRM::Identity::ManagedIdentityClient.new(@options)
+  end
+
+  def teardown
+    ENV.delete('AZURE_CLIENT_ID')
+    ENV.delete('IDENTITY_HEADER')
+    ENV.delete('IDENTITY_ENDPOINT')
+  end
+
+  def test_initialize
+    assert_equal 'https://storage.azure.com', @client.resource
+  end
+
+  def test_fetch_credentials_success
+    token_response = {
+      'access_token' => 'fake_token',
+      'expires_on' => (Time.now + 3600).to_i.to_s
+    }
+
+    stub_request(:get, "#{Fog::AzureRM::Identity::IDENTITY_ENDPOINT}?api-version=#{Fog::AzureRM::Identity::API_VERSION}&resource=#{CGI.escape(@client.resource)}")
+      .with(headers: { 'Metadata' => 'true' })
+      .to_return(status: 200, body: token_response.to_json)
+
+    credentials = @client.fetch_credentials
+
+    assert_equal 'fake_token', credentials.token
+    assert_instance_of Time, credentials.expires_at
+  end
+
+  def test_fetch_credentials_timeout
+    stub_request(:get, "#{Fog::AzureRM::Identity::IDENTITY_ENDPOINT}?api-version=#{Fog::AzureRM::Identity::API_VERSION}&resource=#{CGI.escape(@client.resource)}")
+      .with(headers: { 'Metadata' => 'true' })
+      .to_raise(Faraday::Error)
+
+    assert_raises(Fog::AzureRM::Identity::BaseClient::FetchCredentialsError) do
+      @client.fetch_credentials
+    end
+  end
+
+  def test_fetch_credentials_unauthorized
+    stub_request(:get, "#{Fog::AzureRM::Identity::IDENTITY_ENDPOINT}?api-version=#{Fog::AzureRM::Identity::API_VERSION}&resource=#{CGI.escape(@client.resource)}")
+      .with(headers: { 'Metadata' => 'true' })
+      .to_return(status: 401)
+
+    assert_raises(Fog::AzureRM::Identity::BaseClient::FetchCredentialsError) do
+      @client.fetch_credentials
+    end
+  end
+
+  def test_fetch_credentials_with_env_vars
+    token_response = {
+      'access_token' => 'fake_token',
+      'expires_on' => (Time.now + 3600).to_i.to_s
+    }
+
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['IDENTITY_HEADER'] = 'fake_identity_header'
+    ENV['IDENTITY_ENDPOINT'] = 'http://localhost:8080/metadata/identity/oauth2/token'
+
+    stub_request(:get, "http://localhost:8080/metadata/identity/oauth2/token?api-version=2019-08-01&client_id=fake_client_id&resource=#{CGI.escape(@client.resource)}")
+      .with(headers: { 'Metadata' => 'true', 'X-Identity-Header' => 'fake_identity_header' })
+      .to_return(status: 200, body: token_response.to_json)
+
+    credentials = @client.fetch_credentials
+
+    assert_equal 'fake_token', credentials.token
+    assert_instance_of Time, credentials.expires_at
+  end
+end

data/test/unit/test_workflow_identity_client.rb

@@ -0,0 +1,147 @@
+require File.expand_path '../test_helper', __dir__
+
+class TestWorkflowIdentityClient < Minitest::Test
+  def setup
+    @options = { environment: 'AzureCloud' }
+    @client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+  end
+
+  def teardown
+    ENV.delete('AZURE_TENANT_ID')
+    ENV.delete('AZURE_CLIENT_ID')
+    ENV.delete('AZURE_FEDERATED_TOKEN_FILE')
+    ENV.delete('AZURE_AUTHORITY_HOST')
+  end
+
+  def test_initialize
+    assert_equal 'https://storage.azure.com', @client.resource
+    assert_equal 'https://login.microsoftonline.com', @client.authority
+    assert_nil @client.tenant_id
+    assert_nil @client.client_id
+  end
+
+  def test_fetch_credentials_success
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'fake_token_file'
+
+    @client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+
+    token_response = {
+      'access_token' => 'fake_access_token',
+      'expires_on' => (Time.now + 3600).to_i.to_s
+    }
+
+    File.stub :exist?, true do
+      File.stub :readable?, true do
+        File.stub :read, 'fake_oidc_token' do
+          stub_request(:post, "#{@client.authority}/fake_tenant_id/oauth2/v2.0/token")
+            .to_return(status: 200, body: token_response.to_json)
+
+          credentials = @client.fetch_credentials
+
+          assert_equal 'fake_access_token', credentials.token
+          assert_instance_of Time, credentials.expires_at
+        end
+      end
+    end
+  end
+
+  def test_fetch_credentials_failure
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'fake_token_file'
+
+    @client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+
+    File.stub :exist?, true do
+      File.stub :readable?, true do
+        File.stub :read, 'fake_oidc_token' do
+          stub_request(:post, "#{@client.authority}/fake_tenant_id/oauth2/v2.0/token")
+            .to_raise(Faraday::Error)
+
+          assert_raises(Fog::AzureRM::Identity::BaseClient::FetchCredentialsError) do
+            @client.fetch_credentials
+          end
+        end
+      end
+    end
+  end
+
+  def test_fetch_credentials_unauthorized
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'fake_token_file'
+
+    @client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+
+    File.stub :exist?, true do
+      File.stub :readable?, true do
+        File.stub :read, 'fake_oidc_token' do
+          stub_request(:post, "#{@client.authority}/fake_tenant_id/oauth2/v2.0/token")
+            .to_return(status: 403, body: '{"error":"invalid_client"}')
+
+          assert_raises(Fog::AzureRM::Identity::BaseClient::FetchCredentialsError) { @client.fetch_credentials }
+        end
+      end
+    end
+  end
+
+  def test_fetch_credentials_missing_env_vars
+    ENV['AZURE_TENANT_ID'] = nil
+    ENV['AZURE_CLIENT_ID'] = nil
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = nil
+
+    assert_nil @client.fetch_credentials
+  end
+
+  def test_fetch_credentials_missing_token_file
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'nonexistent_file'
+
+    File.stub :exist?, false do
+      assert_nil @client.fetch_credentials
+    end
+  end
+
+  def test_authority
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'fake_token_file'
+
+    # Test with default AzureCloud environment
+    client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+    assert_equal 'https://login.microsoftonline.com', client.authority
+    assert_equal 'https://storage.azure.com', client.resource
+
+    # Test with AzureUSGovernment environment
+    gov_options = { environment: 'AzureUSGovernment' }
+    gov_client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(gov_options)
+    assert_equal 'https://login.microsoftonline.us', gov_client.authority
+    assert_equal 'https://storage.azure.com', gov_client.resource
+
+    # Test with AzureChina environment
+    china_options = { environment: 'AzureChinaCloud' }
+    china_client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(china_options)
+    assert_equal 'https://login.chinacloudapi.cn', china_client.authority
+    assert_equal 'https://storage.azure.com', china_client.resource
+
+    # Test with AzureGermanCloud environment
+    german_options = { environment: 'AzureGermanCloud' }
+    german_client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(german_options)
+    assert_equal 'https://login.microsoftonline.de', german_client.authority
+    assert_equal 'https://storage.azure.com', german_client.resource
+  end
+
+  def test_authority_normalize
+    ENV['AZURE_TENANT_ID'] = 'fake_tenant_id'
+    ENV['AZURE_CLIENT_ID'] = 'fake_client_id'
+    ENV['AZURE_FEDERATED_TOKEN_FILE'] = 'fake_token_file'
+    ENV['AZURE_AUTHORITY_HOST'] = 'login.microsoftonline.com'
+
+    # Test with default AzureCloud environment
+    client = Fog::AzureRM::Identity::WorkflowIdentityClient.new(@options)
+    assert_equal 'https://login.microsoftonline.com', client.authority
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-fog-azure-rm
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.2.0
 platform: ruby
 authors:
 - Shaffan Chaudhry
@@ -18,7 +18,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-17 00:00:00.000000000 Z
+date: 2024-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
@@ -90,6 +90,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: webrick
   requirement: !ruby/object:Gem::Requirement
@@ -321,6 +335,12 @@ files:
 - lib/fog/azurerm/custom_fog_errors.rb
 - lib/fog/azurerm/docs/storage.md
 - lib/fog/azurerm/docs/structure.md
+- lib/fog/azurerm/identity.rb
+- lib/fog/azurerm/identity/base_client.rb
+- lib/fog/azurerm/identity/credentials.rb
+- lib/fog/azurerm/identity/default_credentials.rb
+- lib/fog/azurerm/identity/managed_identity_client.rb
+- lib/fog/azurerm/identity/workflow_identity_client.rb
 - lib/fog/azurerm/identity_encoding_filter.rb
 - lib/fog/azurerm/models/storage/directories.rb
 - lib/fog/azurerm/models/storage/directory.rb
@@ -430,6 +450,9 @@ files:
 - test/requests/storage/test_save_page_blob.rb
 - test/requests/storage/test_wait_blob_copy_operation_to_finish.rb
 - test/test_helper.rb
+- test/unit/test_default_credentials.rb
+- test/unit/test_managed_identity_client.rb
+- test/unit/test_workflow_identity_client.rb
 homepage: https://gitlab.com/gitlab-org/gitlab-fog-azure-rm
 licenses:
 - MIT
@@ -450,7 +473,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.27
+rubygems_version: 3.5.18
 signing_key:
 specification_version: 4
 summary: Module for the 'fog' gem to support Azure Blob Storage with CarrierWave and