pomerium / pomerium / 26985500573

52%

Build Type

push

github

Committed by web-flow

Commit Message

fix(azblob): strict signing on blob operations ordering with BeforeRead middleware (#6420)

## Summary

Similar to s3 audit middleware the implementation of the azblob provider
signs requests with different sets of criteria. Headers with the
`x-ms-*` headers are included in the request signature when strict
verification is enabled, which can cause issues with signing.

The fix is to add `PerCallPolicies` to the client which can only be done
by providing `ClientOptions` to the Client used by the underlying bucket
URI.

The azure client is not available through the typical `asFunc(...)` type
casting by BeforeRead/BeforeWrite/BeforeList methods on the go-cloud
bucket.

It's not possible to change the header key to something without
`x-ms-*`, since those headers are how metadata is surfaced in the cloud
provider audit logs for correlation with Pomerium.


The only solution I could find is unfortunately copying over how the
default client is constructed from the go-cloud/azblob upstream, and
adding a `PerCallPolicies` for adding `x-ms` headers through context
propagation.


## Related issues


[ENG-4102](https://linear.app/pomerium/issue/ENG-4102/bug-strict-signing-on-azure-inconsistent-with-custom-header-middleware)

## User Explanation

N/A

## AI disclosure

none

## Checklist

- [X] reference any related issues
- [X] updated unit tests
- [X] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [X] disclosed AI usage (or wrote "none") per AI_POLICY.md
- [X] ready for review

Coverage Stats

10 of 74 new or added lines in 3 files covered. (13.51%)

38 existing lines in 10 files now uncovered.

36768 of 70482 relevant lines covered (52.17%)

463.46 hits per line