Add support for identity SAS

[c-w]

Since API version 2018-11-09, we can use Azure Active Directory credentials to authenticate with storage services which is crucial for enterprise and multi-tenancy use-cases. This pull request adds support for this functionality.

Relevant supporting content:

• Get User Delegation Key
• Create a user delegation SAS
• Python Azure Storage SDK identity SAS implementation

When running the integration tests locally, I noticed that a few of them fail with this branch. However, several of the integration tests also fail for me with the current master branch. Any help that you could provide with regards to working on the integration tests would be much appreciated.

This change also adds a new integration test for the identity SAS which requires three new environment variables to be set: AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET. These environment variables specify the Azure Active Directory identity to use for the new integration test. Note that the identity must be granted the "Storage Blob Data Contributor" and "Storage Blob Delegator" permissions on the storage account. The following bash script can be used to set up the required Azure Active Directory configuration and environment variables:

## create service principal for integration tests

service_principal_name="azure-storage-ruby-integtest"  # CHANGE ME

sp="$(az ad sp create-for-rbac --name "${service_principal_name}" --skip-assignment -o json)"
sp_tenant="$(jq -r '.tenant' <<< "${sp}")"
sp_client="$(jq -r '.appId' <<< "${sp}")"
sp_secret="$(jq -r '.password' <<< "${sp}")"

## assign permissions to service principal

storage_resource_id="$(az storage account show --name "${AZURE_STORAGE_ACCOUNT}" -o json | jq -r '.id')"

while ! az role assignment create --role "Storage Blob Data Contributor" --assignee "${sp_client}" --scope "${storage_resource_id}"; do sleep 2s; done

while ! az role assignment create --role "Storage Blob Delegator" --assignee "${sp_client}" --scope "${storage_resource_id}"; do sleep 2s; done

## export environment variables required for integration tests

export AZURE_TENANT_ID="${sp_tenant}"
export AZURE_CLIENT_ID="${sp_client}"
export AZURE_CLIENT_SECRET="${sp_secret}"

[coveralls]

Coverage increased (+0.04%) to 87.092% when pulling 04e0917 on c-w:user-delegation-key into 5cf7a82 on Azure:dev.

[yaxia]

We merged the code of azure-ruby-asm-core and fixed the merge validation. Please resolve the conflicts on the latest code.
There are also several comments:

1. Any scenario that you require the minimum Ruby version to v2.4?
2. As the API version is upgrade to 2018-11-09, there are some server behavior changes. @katmsft will work on the mitigation based on this PR.
3. Since the api version is bumped up from 2017-11-09, we don't have a timeline to support all the feature in 2018-11-09 and 2018-03-28.

PS: there string-to-sign in the doc: Create a user delegation SAS was wrong. I've sent a PR to fix it. If you already have code to generate the delegation SAS, please modify it accordingly (no signed identifier, singed resource type and signed blob snapshot time should be added).

[katmsft]

My major concern was about dropping ruby version 2.3.0 and the version bumps up (2.0.0 instead of 1.2.0). Please rebase to the latest dev branch and change them. Thanks!
Also, we can only use target testing to verify the E2E scenario for user delegation key, please confirm in the thread that this is already covered. Thanks for your contribution!

[katmsft]

Why 2.3 is also dropped? Can we add it back?

[c-w]

I dropped support for 2.3 since it's been end of life since 2019-03-31. I will add back the version.

[c-w]

Added back support for 2.3 in 04e0917.

[katmsft]

2.3 would be still in support matrix for latest Nokogiri.

[c-w]

Added back support for 2.3 in 04e0917.

[katmsft]

Also, 2.3 :)

[c-w]

Added back support for 2.3 in 04e0917.

[katmsft]

2.3 :)

[c-w]

Added back support for 2.3 in 04e0917.

[katmsft]

2.3

[c-w]

Added back support for 2.3 in 04e0917.

[katmsft]

Because this is breaking change, common will have to bump up to 2.0.0 among all other services.

[c-w]

Bumped versions to 2.0.0 in 04e0917.

[c-w]

@katmsft

My major concern was about dropping ruby version 2.3.0 and the version bumps up (2.0.0 instead of 1.2.0). Please rebase to the latest dev branch and change them. Thanks!

I updated the pull request to use Ruby 2.3 as the minimum version and bumped the versions of azure-storage-blob and azure-storage-common to 2.0.0

Also, we can only use target testing to verify the E2E scenario for user delegation key, please confirm in the thread that this is already covered. Thanks for your contribution!

For testing, test/integration/auth/user_delegation_key_shared_access_signature_test.rb implements and end-to-end test that reaches out to a real Azure Storage account to create a shared access signature via user delegation key. The test worked when I submitted this pull request. Could you confirm that the test accurately reflects the new functionality and that it's working during your validation?

You can run the test by setting the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET in addition to AZURE_STORAGE_ACCOUNT and AZURE_STORAGE_ACCESS_KEY required by the rest of the integration tests.

@yaxia

We merged the code of azure-ruby-asm-core and fixed the merge validation. Please resolve the conflicts on the latest code.

Done. I rebased with the Azure:dev branch and force-pushed to this branch.

Any scenario that you require the minimum Ruby version to v2.4?

I dropped support for 2.3 since it's been end of life since 2019-03-31. I can add back the version since the code should still work on 2.3.

As the API version is upgrade to 2018-11-09, there are some server behavior changes.

As per the comment in common/lib/azure/storage/common/default.rb, the API version upgrade in this pull request should only affect the SAS generator. Is it necessary to also update all the other versions or would it be possible to stay on 2017-11-09 for everything and only use 2018-11-09 for SAS generation?

The string-to-sign in the doc: Create a user delegation SAS was wrong. If you already have code to generate the delegation SAS, please modify it accordingly (no signed identifier, singed resource type and signed blob snapshot time should be added).

Since the docs were incorrect when I was working on this, I adapted the implementation of the signature from the Python SDK (see code) so the code in this pull request should already be correct.

[katmsft]

LGTM except the blob version in default.rb. This will be fixed after the PR being merged.