CNTRLPLANE-3167: support STS/IRSA credentials and standalone Velero

go.mod

@@ -5,6 +5,8 @@ go 1.25.7
 toolchain go1.25.8
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
 	github.com/kubernetes-csi/external-snapshotter/client/v8 v8.4.0
 	github.com/onsi/gomega v1.39.1
 	github.com/openshift/hive/apis v0.0.0-20241220022629-3f49f26197ff
@@ -17,17 +19,22 @@ require (
 )
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/openshift/api v0.0.0-20260304122341-cf5d8996109f // indirect
 	github.com/openshift/custom-resource-status v1.1.3-0.20220503160415-f2fdb4999d87 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.23.2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
@@ -36,6 +43,7 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect

go.sum

@@ -1,4 +1,16 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
@@ -79,6 +91,8 @@ github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZ
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -136,6 +150,8 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
+github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
@@ -211,6 +227,8 @@ github.com/openshift/hypershift/api v0.0.0-20260417092826-5431b93cee3c h1:f4yyfN
 github.com/openshift/hypershift/api v0.0.0-20260417092826-5431b93cee3c/go.mod h1:mC9+bqb81FmG924VOO+7P0ofKQgvY1SdPhFp0oJ9U44=
 github.com/openshift/velero v0.10.2-0.20260323191807-216dd62a1caf h1:idCUwNL/RfZIeS1bpUvf6LaYZJSmKCSE2GP6tc1caYI=
 github.com/openshift/velero v0.10.2-0.20260323191807-216dd62a1caf/go.mod h1:vrmFMtokf4UjYmykfPvmI/xinTU3Ljz4F6JO3pLYxKs=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -282,6 +300,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -348,6 +368,7 @@ golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
 golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=

pkg/azblobsas/delegation.go

@@ -0,0 +1,178 @@
+package azblobsas
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+var httpDo = http.DefaultClient.Do
+
+// UserDelegationKey holds the key returned by the Azure Storage
+// Get User Delegation Key API.
+type UserDelegationKey struct {
+	SignedOID     string `xml:"SignedOid"`
+	SignedTID     string `xml:"SignedTid"`
+	SignedStart   string `xml:"SignedStart"`
+	SignedExpiry  string `xml:"SignedExpiry"`
+	SignedService string `xml:"SignedService"`
+	SignedVersion string `xml:"SignedVersion"`
+	Value         string `xml:"Value"`
+}
+
+type keyInfoRequest struct {
+	XMLName xml.Name `xml:"KeyInfo"`
+	Start   string   `xml:"Start"`
+	Expiry  string   `xml:"Expiry"`
+}
+
+// GetUserDelegationKey calls the Azure Storage REST API to obtain a user
+// delegation key signed by the AAD identity represented by bearerToken.
+func GetUserDelegationKey(ctx context.Context, account, bearerToken string, start, expiry time.Time, endpoint string) (*UserDelegationKey, error) {
+	var host string
+	if endpoint != "" {
+		parsed, err := url.Parse(strings.TrimRight(endpoint, "/"))
+		if err != nil {
+			return nil, fmt.Errorf("invalid endpoint %q: %w", endpoint, err)
+		}
+		host = parsed.Scheme + "://" + parsed.Host
+	} else {
+		host = fmt.Sprintf("https://%s.blob.core.windows.net", account)
+	}
+
+	reqURL := host + "/?restype=service&comp=userdelegationkey"
+
+	body, err := xml.Marshal(keyInfoRequest{
+		Start:  start.UTC().Format("2006-01-02T15:04:05Z"),
+		Expiry: expiry.UTC().Format("2006-01-02T15:04:05Z"),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("marshalling delegation key request: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, reqURL, bytes.NewReader(body))
+	if err != nil {
+		return nil, fmt.Errorf("creating delegation key request: %w", err)
+	}
+	req.Header.Set("Authorization", "Bearer "+bearerToken)
+	req.Header.Set("x-ms-version", sasVersion)
+	req.Header.Set("Content-Type", "application/xml")
+
+	resp, err := httpDo(req)
+	if err != nil {
+		return nil, fmt.Errorf("calling Get User Delegation Key: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("reading delegation key response: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("Get User Delegation Key returned %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	var key UserDelegationKey
+	if err := xml.Unmarshal(respBody, &key); err != nil {
+		return nil, fmt.Errorf("parsing delegation key response: %w", err)
+	}
+
+	return &key, nil
+}
+
+// UserDelegationSASOptions holds parameters for generating a User Delegation SAS URL.
+type UserDelegationSASOptions struct {
+	Account       string
+	Container     string
+	Blob          string
+	DelegationKey *UserDelegationKey
+	Expiry        time.Duration
+	Endpoint      string
+}
+
+// GenerateUserDelegationSASBlobURL creates a User Delegation SAS URL with
+// read permission for a single blob.
+func GenerateUserDelegationSASBlobURL(opts UserDelegationSASOptions) (string, error) {
+	if opts.Account == "" || opts.Container == "" || opts.Blob == "" {
+		return "", fmt.Errorf("account, container, and blob are required")
+	}
+	if opts.DelegationKey == nil {
+		return "", fmt.Errorf("delegation key is required")
+	}
+
+	keyBytes, err := base64.StdEncoding.DecodeString(opts.DelegationKey.Value)
+	if err != nil {
+		return "", fmt.Errorf("invalid base64 delegation key: %w", err)
+	}
+
+	now := nowFunc().UTC()
+	expiry := opts.Expiry
+	if expiry <= 0 {
+		expiry = DefaultSASExpiry
+	}
+	expiryTime := now.Add(expiry)
+
+	signedStart := now.Format("2006-01-02T15:04:05Z")
+	signedExpiry := expiryTime.Format("2006-01-02T15:04:05Z")
+	canonicalizedResource := fmt.Sprintf("/blob/%s/%s/%s", opts.Account, opts.Container, opts.Blob)
+
+	// String to sign for User Delegation SAS, version 2020-12-06+
+	// https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#version-2020-12-06-and-later
+	stringToSign := strings.Join([]string{
+		"r",                              // signedPermissions
+		signedStart,                      // signedStart
+		signedExpiry,                     // signedExpiry
+		canonicalizedResource,            // canonicalizedResource
+		opts.DelegationKey.SignedOID,     // signedKeyObjectId
+		opts.DelegationKey.SignedTID,     // signedKeyTenantId
+		opts.DelegationKey.SignedStart,   // signedKeyStart
+		opts.DelegationKey.SignedExpiry,  // signedKeyExpiry
+		opts.DelegationKey.SignedService, // signedKeyService
+		opts.DelegationKey.SignedVersion, // signedKeyVersion
+		"",                              // signedAuthorizedUserObjectId
+		"",                              // signedUnauthorizedUserObjectId
+		"",                              // signedCorrelationId
+		"",                              // signedIP
+		"https",                         // signedProtocol
+		sasVersion,                      // signedVersion
+		"b",                             // signedResource (blob)
+		"",                              // signedSnapshotTime
+		"",                              // signedEncryptionScope
+		"",                              // rscc (Cache-Control)
+		"",                              // rscd (Content-Disposition)
+		"",                              // rsce (Content-Encoding)
+		"",                              // rscl (Content-Language)
+		"",                              // rsct (Content-Type)
+	}, "\n")
+
+	sig := hmacSHA256(keyBytes, []byte(stringToSign))
+	signature := base64.StdEncoding.EncodeToString(sig)
+
+	host, scheme := buildHostScheme(opts.Account, opts.Endpoint)
+
+	params := url.Values{}
+	params.Set("sv", sasVersion)
+	params.Set("st", signedStart)
+	params.Set("se", signedExpiry)
+	params.Set("sr", "b")
+	params.Set("sp", "r")
+	params.Set("spr", "https")
+	params.Set("skoid", opts.DelegationKey.SignedOID)
+	params.Set("sktid", opts.DelegationKey.SignedTID)
+	params.Set("skt", opts.DelegationKey.SignedStart)
+	params.Set("ske", opts.DelegationKey.SignedExpiry)
+	params.Set("sks", opts.DelegationKey.SignedService)
+	params.Set("skv", opts.DelegationKey.SignedVersion)
+	params.Set("sig", signature)
+
+	blobPath := "/" + uriEncode(opts.Container) + "/" + uriEncode(opts.Blob)
+	return fmt.Sprintf("%s://%s%s?%s", scheme, host, blobPath, params.Encode()), nil
+}