Add lazy signing support for WebDAV StorageCliClient

 Implements on-demand URL signing for WebDAV blobstore to support
  dual endpoints (internal for Diego, public for external users).

  - Add supports_lazy_signing? method to detect DAV provider
  - Add sign_internal_url and sign_public_url methods for DAV
  - StorageCliBlob generates URLs on-demand when lazy signing enabled
  - Non-DAV providers continue using eager signing (pre-generated URLs)
  - Add comprehensive test coverage for lazy signing functionality

  This maintains backward compatibility with existing fog/webdav behavior
  where internal and public signed URLs are generated on-demand with
  different endpoints.

Author: kathap

lib/cloud_controller/blobstore/storage_cli/storage_cli_blob.rb

@@ -3,18 +3,26 @@ module Blobstore
     class StorageCliBlob < Blob
       attr_reader :key
 
-      def initialize(key, properties: nil, signed_url: nil)
+      def initialize(key, properties: nil, signed_url: nil, storage_cli_client: nil, expires_in_seconds: 3600)
         @key = key
         @signed_url = signed_url if signed_url
+        @storage_cli_client = storage_cli_client
+        @expires_in_seconds = expires_in_seconds
         # Set properties to an empty hash if nil to avoid nil errors
         @properties = properties || {}
       end
 
       def internal_download_url
+        # For DAV with lazy signing support, generate URL on-demand
+        return @storage_cli_client.sign_internal_url(@key, verb: 'get', expires_in_seconds: @expires_in_seconds) if @storage_cli_client&.supports_lazy_signing?
+
         signed_url
       end
 
       def public_download_url
+        # For DAV with lazy signing support, generate URL on-demand
+        return @storage_cli_client.sign_public_url(@key, verb: 'get', expires_in_seconds: @expires_in_seconds) if @storage_cli_client&.supports_lazy_signing?
+
         signed_url
       end
 

lib/cloud_controller/blobstore/storage_cli/storage_cli_client.rb

@@ -168,8 +168,29 @@ def blob(key)
         properties = properties(key)
         return nil if properties.nil? || properties.empty?
 
-        signed_url = sign_url(partitioned_key(key), verb: 'get', expires_in_seconds: 3600)
-        StorageCliBlob.new(key, properties:, signed_url:)
+        # For DAV with lazy signing support, pass client reference for on-demand signing
+        # For other providers, generate signed URL eagerly
+        if supports_lazy_signing?
+          StorageCliBlob.new(key, properties: properties, storage_cli_client: self, expires_in_seconds: 3600)
+        else
+          signed_url = sign_url(partitioned_key(key), verb: 'get', expires_in_seconds: 3600)
+          StorageCliBlob.new(key, properties:, signed_url:)
+        end
+      end
+
+      def supports_lazy_signing?
+        # Only DAV with external signer needs lazy signing for internal vs public endpoints
+        @storage_type == 'dav'
+      end
+
+      def sign_internal_url(key, verb:, expires_in_seconds:)
+        stdout, _status = run_cli('sign-internal', partitioned_key(key), verb.to_s.downcase, "#{expires_in_seconds}s")
+        stdout.strip
+      end
+
+      def sign_public_url(key, verb:, expires_in_seconds:)
+        stdout, _status = run_cli('sign-public', partitioned_key(key), verb.to_s.downcase, "#{expires_in_seconds}s")
+        stdout.strip
       end
 
       def files_for(prefix, _ignored_directory_prefixes=[])

spec/unit/lib/cloud_controller/blobstore/storage_cli/storage_cli_blob_spec.rb

@@ -18,15 +18,134 @@ module Blobstore
       end
 
       describe 'download_urls' do
-        it 'returns the internal download URL of the blob' do
-          expect(blob.internal_download_url).to eq(signed_url)
+        context 'with pre-generated signed URL (eager signing for non-DAV providers)' do
+          it 'returns the internal download URL of the blob' do
+            expect(blob.internal_download_url).to eq(signed_url)
+          end
+
+          it 'returns the public download URL of the blob' do
+            expect(blob.public_download_url).to eq(signed_url)
+          end
+        end
+
+        context 'with lazy signing (for DAV provider)' do
+          let(:storage_cli_client) { double('StorageCliClient') }
+
+          before do
+            allow(storage_cli_client).to receive(:supports_lazy_signing?).and_return(true)
+          end
+
+          subject(:lazy_blob) do
+            StorageCliBlob.new(
+              'dr/op/droplet-guid',
+              properties: properties,
+              storage_cli_client: storage_cli_client,
+              expires_in_seconds: 3600
+            )
+          end
+
+          describe '#internal_download_url' do
+            it 'calls sign_internal_url on the storage_cli_client' do
+              expect(storage_cli_client).to receive(:sign_internal_url).with(
+                'dr/op/droplet-guid',
+                verb: 'get',
+                expires_in_seconds: 3600
+              ).and_return('https://blobstore.internal:4443/read/cc-droplets/dr/op/droplet-guid?md5=internal123&expires=789')
+
+              url = lazy_blob.internal_download_url
+
+              expect(url).to eq('https://blobstore.internal:4443/read/cc-droplets/dr/op/droplet-guid?md5=internal123&expires=789')
+            end
+
+            it 'generates URL on-demand each time it is called' do
+              call_count = 0
+              allow(storage_cli_client).to receive(:sign_internal_url) do
+                call_count += 1
+                "https://blobstore.internal/url-#{call_count}"
+              end
+
+              url1 = lazy_blob.internal_download_url
+              url2 = lazy_blob.internal_download_url
+
+              expect(url1).to eq('https://blobstore.internal/url-1')
+              expect(url2).to eq('https://blobstore.internal/url-2')
+              expect(call_count).to eq(2)
+            end
+          end
+
+          describe '#public_download_url' do
+            it 'calls sign_public_url on the storage_cli_client' do
+              expect(storage_cli_client).to receive(:sign_public_url).with(
+                'dr/op/droplet-guid',
+                verb: 'get',
+                expires_in_seconds: 3600
+              ).and_return('https://blobstore.example.com/read/cc-droplets/dr/op/droplet-guid?md5=public456&expires=999')
+
+              url = lazy_blob.public_download_url
+
+              expect(url).to eq('https://blobstore.example.com/read/cc-droplets/dr/op/droplet-guid?md5=public456&expires=999')
+            end
+
+            it 'generates URL on-demand each time it is called' do
+              call_count = 0
+              allow(storage_cli_client).to receive(:sign_public_url) do
+                call_count += 1
+                "https://blobstore.public/url-#{call_count}"
+              end
+
+              url1 = lazy_blob.public_download_url
+              url2 = lazy_blob.public_download_url
+
+              expect(url1).to eq('https://blobstore.public/url-1')
+              expect(url2).to eq('https://blobstore.public/url-2')
+              expect(call_count).to eq(2)
+            end
+          end
+
+          it 'uses custom expires_in_seconds when provided' do
+            custom_blob = StorageCliBlob.new(
+              'test-key',
+              properties: properties,
+              storage_cli_client: storage_cli_client,
+              expires_in_seconds: 7200
+            )
+
+            expect(storage_cli_client).to receive(:sign_internal_url).with(
+              'test-key',
+              verb: 'get',
+              expires_in_seconds: 7200
+            ).and_return('url')
+
+            custom_blob.internal_download_url
+          end
         end
 
-        it 'returns the public download URL of the blob' do
-          expect(blob.public_download_url).to eq(signed_url)
+        context 'when storage_cli_client does not support lazy signing' do
+          let(:storage_cli_client) { double('StorageCliClient') }
+
+          before do
+            allow(storage_cli_client).to receive(:supports_lazy_signing?).and_return(false)
+          end
+
+          subject(:non_lazy_blob) do
+            StorageCliBlob.new(
+              'test-blob',
+              properties: properties,
+              signed_url: signed_url,
+              storage_cli_client: storage_cli_client
+            )
+          end
+
+          it 'falls back to using pre-generated signed_url for internal_download_url' do
+            expect(non_lazy_blob.internal_download_url).to eq(signed_url)
+          end
+
+          it 'falls back to using pre-generated signed_url for public_download_url' do
+            expect(non_lazy_blob.public_download_url).to eq(signed_url)
+          end
         end
 
-        context 'when signed_url is not provided' do
+        context 'when signed_url is not provided and no storage_cli_client' do
           subject(:blob_without_signed_url) { StorageCliBlob.new('test-blob', properties:) }
 
           it 'raises an error when accessing internal_download_url' do