Storage: add support for V4 signed URLs

[tseaver]

Partial support for the new feature: adds a version argument to Blob.generate_signed_url, and uses it to switch between the two signing algorithms.

Remaining work:

• Improve assertions for how variations in calling are handled (different methods, headers, etc.) See the data-driven tests in Data-driven V4 URL signing tests, and implementation changes google-cloud-dotnet#2882 for examples (even better, work out how to share them like the Firestore conformance tests).
• Add system tests for V4 blob signed URLs.
• Add Bucket.generate_signed_url, to permit listing bucket contents.
• Add system test for resumable upload using V4 blob signed URL.

Deferred work:

• Add system tests for V4 bucket signed URLs (in place, but currently skipped due to back-end case-flattening issue for the X-Goog-Signed header) (Storage: un-skip system tests for 'Bucket.generate_signed_url' #7625).
• Add support for signing URLs on GCE following Frank's Ruby PoC. (Storage: add support for signing URLs using IAM / tokens. #7627)
• Add system tests for CSEK upload / download using V4 blob-signed URLs (blocked by a similar back-end bug as above). (Storage: add systests for V4 signed URLs with CSEK headers #7626).

No longer in scope:

• Add Client.generate_signed_url, to permit listing buckets.

[tseaver]

The docs build failure on CI is unrelated to this PR: it was fixed in #7458.

[frankyn]

Doing a first pass.

[frankyn]

@tseaver this is supported in the Python auth library. Is this a typo?

Ref: https://github.com/googleapis/google-auth-library-python/blob/edfe24602051969e32917e82bcedd2bace43e260/google/auth/iam.py#L36

[tseaver]

@frankyn googleapis/google-auth-library-python#50 is still open: AFAIK, the only way to get signing done on GCE is to use the IAM-based workaround. I plan to add that here (following your Ruby PoC) once we're OK with the surface.

[tseaver]

@frankyn A question: the current Python V2 version allows for passing method="RESUMABLE", and converts that to "POST" and mutates the resource per https://cloud.google.com/storage/docs/access-control/signed-urls#signing-resumable. Should V4 follow suit?

[frankyn]

At a blob level, yes. The resumable header is also supported when using V4 signed URLs.

One request I have is to state in the documentation that the HeaderName:HeaderValue is expected in a follow-up request. At the moment only the name is documented.

[tseaver]

Flaky spanner systest reported in #7504.

[tseaver]

@crwilcox Can you check what is hanging the Kokoro builds here?

[frankyn]

@tseaver please do not support signed URLs at a client level.

[crwilcox]

@tseaver do you need anything from me to move this along?

[frankyn]

Python doesn't have the timestamp offset bug mentioned in email.

[tseaver]

@frankyn As of 0d54faa, this PR is passing all the cross-language conformance tests from the dotnet repository. I have one system test passing as well (simple Blob GET). 734a9b3 adds V4 systests paralleling the existing V2 ones.

[tseaver]

@frankyn 68742be adds Bucket.generate_signed_url (with support for both V2 and V4). 6c5cfc7 adds systests for that feature.

[tseaver]

@frankyn I believe the only remaining work is to add support for IAM / access token signing: note that the feature does not exist yet for V2 in Python.

[frankyn]

@tseaver could you add a warning as log output that V2 will change to V4 in the future:

You have generated a signed URL using the default v2 signing implementation. In the future, this will default to v4. You may experience breaking changes if you use longer than 7 day expiration times with v4. To opt-in to the behavior specify version="v2".

[tseaver]

a384692

[tseaver]

@frankyn 2a956e5 adds the systest for signed resumable upload URLs (both V2 and V4), including round-tripping.

[tseaver]

@frankyn PTAL.

[frankyn]

Two nits and LGTM.
Thanks @tseaver!

[frankyn]

LGTM, pending tests. Thanks @tseaver!