class AzureBlob::EntraIdSigner

:nodoc:

def authorization_header(uri:, verb:, headers: {}) 

def authorization_header(uri:, verb:, headers: {})
  "Bearer #{token}"
end

def delegation_key 

def delegation_key
  @delegation_key ||= UserDelegationKey.new(account_name:, signer: self)
end

def initialize(account_name:, host:, principal_id: nil) 

def initialize(account_name:, host:, principal_id: nil)
  @token = AzureBlob::IdentityToken.new(principal_id:)
  @account_name = account_name
  @host = host
end

def sas_token(uri, options = {}) 

def sas_token(uri, options = {})
  to_sign = [
    options[:permissions],
    options[:start],
    options[:expiry],
    CanonicalizedResource.new(uri, account_name, url_safe: false, service_name: :blob),
    delegation_key.signed_oid,
    delegation_key.signed_tid,
    delegation_key.signed_start,
    delegation_key.signed_expiry,
    delegation_key.signed_service,
    delegation_key.signed_version,
    nil,
    nil,
    nil,
    options[:ip],
    options[:protocol],
    SAS::Version,
    SAS::Resources::Blob,
    nil,
    nil,
    nil,
    options[:content_disposition],
    nil,
    nil,
    options[:content_type],
  ].join("\n")
  query = {
    SAS::Fields::Permissions => options[:permissions],
    SAS::Fields::Start => options[:start],
    SAS::Fields::Expiry => options[:expiry],
    SAS::Fields::SignedObjectId => delegation_key.signed_oid,
    SAS::Fields::SignedTenantId => delegation_key.signed_tid,
    SAS::Fields::SignedKeyStartTime => delegation_key.signed_start,
    SAS::Fields::SignedKeyExpiryTime => delegation_key.signed_expiry,
    SAS::Fields::SignedKeyService => delegation_key.signed_service,
    SAS::Fields::Signedkeyversion => delegation_key.signed_version,
    SAS::Fields::SignedIp => options[:ip],
    SAS::Fields::SignedProtocol => options[:protocol],
    SAS::Fields::Version => SAS::Version,
    SAS::Fields::Resource => SAS::Resources::Blob,
    SAS::Fields::Disposition => options[:content_disposition],
    SAS::Fields::Type => options[:content_type],
    SAS::Fields::Signature => sign(to_sign, key: delegation_key.to_s),
  }.reject { |_, value| value.nil? }
  URI.encode_www_form(**query)
end

def sign(body, key:) 

def sign(body, key:)
  Base64.strict_encode64(OpenSSL::HMAC.digest("sha256", key, body))
end