azure: Create SAS for blobs

Creating SAS url for ignition blobs using user
delegated credentials.

Author: rna-afk

pkg/infrastructure/azure/azure.go

@@ -17,6 +17,8 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/sas"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service"
 	"github.com/coreos/stream-metadata-go/arch"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
@@ -275,7 +277,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 		blobContainer := createBlobContainerOutput.BlobContainer
 		logrus.Debugf("BlobContainer.ID=%s", *blobContainer.ID)
 
-		_, err = CreatePageBlob(ctx, &CreatePageBlobInput{
+		err = CreatePageBlob(ctx, &CreatePageBlobInput{
 			StorageURL:         storageURL,
 			BlobURL:            blobURL,
 			ImageURL:           imageURL,
@@ -740,8 +742,25 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 		blobIgnitionContainer = createBlobContainerOutput.BlobContainer
 		logrus.Debugf("BlobIgnitionContainer.ID=%s", *blobIgnitionContainer.ID)
 	}
-
 	sasURL := ""
+	now := time.Now().UTC().Add(-10 * time.Second)
+	expiry := now.Add(1 * time.Hour)
+	info := service.KeyInfo{
+		Start:  to.Ptr(now.UTC().Format(sas.TimeFormat)),
+		Expiry: to.Ptr(expiry.UTC().Format(sas.TimeFormat)),
+	}
+
+	serviceClient, err := service.NewClient(fmt.Sprintf("https://%s.blob.core.windows.net/", p.StorageAccountName),
+		session.TokenCreds,
+		&service.ClientOptions{},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create service client: %w", err)
+	}
+	udc, err := serviceClient.GetUserDelegationCredential(context.Background(), info, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create user delegation credentials: %w", err)
+	}
 
 	if in.InstallConfig.Config.Azure.CustomerManagedKey == nil {
 		logrus.Debugf("Creating a Block Blob for ignition shim")
@@ -774,7 +793,7 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 			lengthBootstrapFile = (((lengthBootstrapFile / 512) + 1) * 512)
 		}
 
-		sasURL, err = CreatePageBlob(ctx, &CreatePageBlobInput{
+		err = CreatePageBlob(ctx, &CreatePageBlobInput{
 			StorageURL:         p.StorageURL,
 			BlobURL:            blobURL,
 			ImageURL:           "",
@@ -790,6 +809,22 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 			return nil, fmt.Errorf("failed to create PageBlob for ignition shim: %w", err)
 		}
 	}
+
+	// Should we separate azurestack from azure when using the user delegated SAS?
+	// Azurestack is generating an SAS url at this point.
+	if sasURL != "" {
+		sasQueryParams, err := sas.BlobSignatureValues{
+			Protocol:    sas.ProtocolHTTPS,
+			StartTime:   time.Now().UTC().Add(time.Second * -10),
+			ExpiryTime:  time.Now().UTC().Add(1 * time.Hour),
+			Permissions: to.Ptr(sas.ContainerPermissions{Read: true, List: true, Write: true, Create: true}).String(),
+			BlobName:    blobName,
+		}.SignWithUserDelegation(udc)
+		if err != nil {
+			return nil, fmt.Errorf("failed to sign blob %s: %w", blobURL, err)
+		}
+		sasURL = fmt.Sprintf("https://%s.blob.core.windows.net/ignition/%s?%s", p.StorageAccountName, blobName, sasQueryParams.Encode())
+	}
 	ignShim, err := bootstrap.GenerateIgnitionShimWithCertBundleAndProxy(sasURL, in.InstallConfig.Config.AdditionalTrustBundle, in.InstallConfig.Config.Proxy)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ignition shim: %w", err)

pkg/infrastructure/azure/storage.go

@@ -231,6 +231,7 @@ type CreatePageBlobInput struct {
 	ImageURL           string
 	StorageAccountName string
 	BootstrapIgnData   []byte
+	UserDelegatedSAS   *sas.UserDelegationCredential
 	ImageLength        int64
 	AuthType           azic.AuthenticationType
 	TokenCredential    azcore.TokenCredential
@@ -245,7 +246,7 @@ type CreatePageBlobOutput struct {
 }
 
 // CreatePageBlob creates a blob and uploads a file from a URL to it.
-func CreatePageBlob(ctx context.Context, in *CreatePageBlobInput) (string, error) {
+func CreatePageBlob(ctx context.Context, in *CreatePageBlobInput) error {
 	logrus.Debugf("Getting page blob client")
 
 	pageBlobClient, err := pageblob.NewClient(
@@ -258,19 +259,19 @@ func CreatePageBlob(ctx context.Context, in *CreatePageBlobInput) (string, error
 		},
 	)
 	if err != nil {
-		return "", fmt.Errorf("failed to get page blob client: %w", err)
+		return fmt.Errorf("failed to get page blob client: %w", err)
 	}
 
 	logrus.Debugf("Creating Page blob and uploading image to it")
 	if in.ImageURL == "" {
 		_, err = pageBlobClient.Create(ctx, in.ImageLength, nil)
 		if err != nil {
-			return "", fmt.Errorf("failed to create page blob with image contents: %w", err)
+			return fmt.Errorf("failed to create page blob with image contents: %w", err)
 		}
 		// This image (example: ignition shim) needs to be uploaded from a local file.
 		err = doUploadPages(ctx, pageBlobClient, in.BootstrapIgnData, in.ImageLength)
 		if err != nil {
-			return "", fmt.Errorf("failed to upload page blob image contents: %w", err)
+			return fmt.Errorf("failed to upload page blob image contents: %w", err)
 		}
 	} else {
 		// This is used in terraform, not sure if it matters
@@ -282,26 +283,15 @@ func CreatePageBlob(ctx context.Context, in *CreatePageBlobInput) (string, error
 			Metadata: metadata,
 		})
 		if err != nil {
-			return "", fmt.Errorf("failed to create page blob with image URL: %w", err)
+			return fmt.Errorf("failed to create page blob with image URL: %w", err)
 		}
 
 		err = doUploadPagesFromURL(ctx, pageBlobClient, in.ImageURL, in.ImageLength)
 		if err != nil {
-			return "", fmt.Errorf("failed to upload page blob image from URL %s: %w", in.ImageURL, err)
+			return fmt.Errorf("failed to upload page blob image from URL %s: %w", in.ImageURL, err)
 		}
 	}
-
-	// SAS not supported when using managed identity.
-	if in.AuthType == azic.ManagedIdentityAuth {
-		return pageBlobClient.URL(), nil
-	}
-
-	// Is this addition OK for when CreatePageBlob() is called from InfraReady()
-	sasURL, err := pageBlobClient.GetSASURL(sas.BlobPermissions{Read: true}, time.Now().Add(time.Minute*60), &blob.GetSASURLOptions{})
-	if err != nil {
-		return "", fmt.Errorf("failed to get Page Blob SAS URL: %w", err)
-	}
-	return sasURL, nil
+	return nil
 }
 
 func doUploadPages(ctx context.Context, pageBlobClient *pageblob.Client, imageData []byte, imageLength int64) error {
@@ -454,6 +444,7 @@ type CreateBlockBlobInput struct {
 	CloudEnvironment   aztypes.CloudEnvironment
 	ContainerName      string
 	BlobName           string
+	UserDelegatedSAS   *sas.UserDelegationCredential
 	StorageSuffix      string
 	ARMEndpoint        string
 	Region             string
@@ -512,12 +503,7 @@ func createBlockBlob(ctx context.Context, in *CreateBlockBlobInput, sharedKeyCre
 	if in.AuthType == azic.ManagedIdentityAuth {
 		return blockBlobClient.URL(), nil
 	}
-
-	sasURL, err := blockBlobClient.GetSASURL(sas.BlobPermissions{Read: true}, time.Now().Add(time.Minute*60), &blob.GetSASURLOptions{})
-	if err != nil {
-		return "", fmt.Errorf("failed to get SAS URL: %w", err)
-	}
-	return sasURL, nil
+	return "", nil
 }
 
 func createBlockBlobOnStack(ctx context.Context, in *CreateBlockBlobInput) (string, error) {
@@ -598,6 +584,7 @@ func uploadBlockBlobOnStack(in *CreateBlockBlobInput, key string) (string, error
 	}
 	return sas, nil
 }
+
 // CustomerManagedKeyInput contains the input parameters for creating the
 // customer managed key and identity.
 type CustomerManagedKeyInput struct {