
Storage: authenticated requests must reject http endpoints by default #21841

Closed
jhendrixMSFT opened this issue Oct 27, 2023 · 7 comments · Fixed by #22183
Labels: Storage (Storage Service: Queues, Blobs, Files)

Comments

@jhendrixMSFT (Member)

This was done for Entra authentication in azcore, see #21674. It should be expanded to all authentication schemes in blob storage.

For authentication types where http is allowed (SAS?), you can provide a mechanism to turn off the https requirement.

@jhendrixMSFT jhendrixMSFT added the Storage Storage Service (Queues, Blobs, Files) label Oct 27, 2023
@jhendrixMSFT jhendrixMSFT changed the title Storage: authenticated requests should reject http endpoints by default Storage: authenticated requests must reject http endpoints by default Nov 2, 2023
@vibhansa-msft (Member)

As these checks are already being done in AzCore, do we need to do any specific handling in storage modules?

@vibhansa-msft (Member)

I see core is already handling this for Key, SAS and OAuth as part of this PR: https://github.com/Azure/azure-sdk-for-go/pull/21832/files

@jhendrixMSFT (Member, Author)

Does it also need to be applied to shared key authentication?

@vibhansa-msft (Member)

Other than SAS, it shall be OK to reject http. SAS can be created only for an http endpoint, so not allowing http there may not work. For other modes it shall be OK. As part of the above PR, which I linked, I see key-auth-related changes are also done in core itself, so is there any expectation of a code change from the storage SDK side?

@jhendrixMSFT (Member, Author)

azblob has its own SharedKeyCredential policy that needs to be updated: https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/storage/azblob/internal/exported/shared_key_credential.go#L189-L218
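One shape the https-by-default check can take, added here as an illustration and not azblob's actual SharedKeyCredential policy: a Go RoundTripper that refuses to sign a request to a non-https endpoint unless the caller explicitly opts in, which is the toggle the SAS and emulator cases below ask for. The type and field names, the `InsecureAllowHTTP` option, the stub transport and the constructed signature are assumptions for the example; real HMAC signing is omitted.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrInsecureEndpoint: a credential was about to be sent to a non-https endpoint.
var ErrInsecureEndpoint = errors.New("authenticated request to non-https endpoint rejected; set InsecureAllowHTTP to override")
// checkScheme enforces the https requirement on the target URL unless the caller opted out.
func checkScheme(target *url.URL, insecureAllowHTTP bool) error {
	if strings.EqualFold(target.Scheme, "https") || insecureAllowHTTP {
		return nil
	}
	return ErrInsecureEndpoint
}
// SharedKeyPolicy is a hypothetical transport wrapper (not azblob's own SharedKeyCredential
// policy) that attaches a SharedKey Authorization header and refuses plain http by default.
type SharedKeyPolicy struct {
	AccountName       string
	Sign              func(r *http.Request) string // real HMAC signing omitted; injected for the example
	InsecureAllowHTTP bool                         // explicit opt-in, e.g. for an emulator such as Azurite on http
	Next              http.RoundTripper
}

func (p *SharedKeyPolicy) RoundTrip(r *http.Request) (*http.Response, error) {
	if err := checkScheme(r.URL, p.InsecureAllowHTTP); err != nil {
		return nil, err // fail before any secret-derived header is built or sent
	}
	signed := r.Clone(r.Context()) // RoundTrippers must not mutate the caller's request
	signed.Header.Set("Authorization", fmt.Sprintf("SharedKey %s:%s", p.AccountName, p.Sign(signed)))
	return p.Next.RoundTrip(signed)
}

type recordingTransport struct{ Last *http.Request } // stands in for the network in this example

func (t *recordingTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	t.Last = r
	return &http.Response{StatusCode: 200, Body: http.NoBody, Request: r}, nil
}

func main() {
	sign := func(*http.Request) string { return "constructed-signature" }
	client := &http.Client{Transport: &SharedKeyPolicy{AccountName: "exampleaccount", Sign: sign, Next: &recordingTransport{}}}
	_, err := client.Get("http://127.0.0.1:10000/exampleaccount/c?restype=container") // emulator-style, plain http
	fmt.Println("default:", err)                                                        // rejected, nothing was sent
}
```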

@roelarents commented Feb 16, 2024

Did you think about compatibility with Azurite? We use that in a test setup, without https. Of course we could go and set up an https infra in the test setup with self-signed certs and all that. But it would be nice if this new requirement could be toggled.

edit: a bit more elaboration

@souravgupta-msft (Member)

Hi @roelarents. We have discussed this scenario internally and have decided to re-enable http endpoints for shared-key-based auth mode. You can currently either use SAS (where http is supported) or enable HTTPS in Azurite.
We'll do a release next week to fix this.
