[porting to V1] Geometric key size progression during snapshotting. Fixes #3034.

Author: alrod

src/WebJobs.Script.WebHost/Security/SecretManager.cs

@@ -103,6 +103,7 @@ public async virtual Task<HostSecretsInfo> GetHostSecretsAsync()
                         _traceWriter.Verbose(Resources.TraceNonDecryptedHostSecretRefresh);
                         _logger?.LogDebug(Resources.TraceNonDecryptedHostSecretRefresh);
                         await PersistSecretsAsync(hostSecrets, null, true);
+                        hostSecrets = GenerateHostSecrets(hostSecrets);
                         await RefreshSecretsAsync(hostSecrets);
                     }
 
@@ -157,13 +158,7 @@ public async virtual Task<IDictionary<string, string>> GetFunctionSecretsAsync(s
                     string messageGeneratoin = string.Format(Resources.TraceFunctionSecretGeneration, functionName);
                     _traceWriter.Info(messageGeneratoin, traceProperties);
                     _logger?.LogInformation(messageGeneratoin);
-                    secrets = new FunctionSecrets
-                    {
-                        Keys = new List<Key>
-                        {
-                            GenerateKey(ScriptConstants.DefaultFunctionKeyName)
-                        }
-                    };
+                    secrets = GenerateFunctionSecrets();
 
                     await PersistSecretsAsync(secrets, functionName);
                 }
@@ -179,6 +174,7 @@ public async virtual Task<IDictionary<string, string>> GetFunctionSecretsAsync(s
                     _traceWriter.Info(messageNonDecrypted, traceProperties);
                     _logger?.LogInformation(messageNonDecrypted);
                     await PersistSecretsAsync(secrets, functionName, true);
+                    secrets = GenerateFunctionSecrets(secrets);
                     await RefreshSecretsAsync(secrets, functionName);
                 }
 
@@ -417,6 +413,45 @@ private HostSecrets GenerateHostSecrets()
             };
         }
 
+        private static HostSecrets GenerateHostSecrets(HostSecrets secrets)
+        {
+            if (secrets.MasterKey.IsEncrypted)
+            {
+                secrets.MasterKey.Value = GenerateSecret();
+            }
+            secrets.SystemKeys = RegenerateKeys(secrets.SystemKeys);
+            secrets.FunctionKeys = RegenerateKeys(secrets.FunctionKeys);
+            return secrets;
+        }
+
+        private FunctionSecrets GenerateFunctionSecrets()
+        {
+            return new FunctionSecrets
+            {
+                Keys = new List<Key>
+                {
+                    GenerateKey(ScriptConstants.DefaultFunctionKeyName)
+                }
+            };
+        }
+
+        private static FunctionSecrets GenerateFunctionSecrets(FunctionSecrets secrets)
+        {
+            secrets.Keys = RegenerateKeys(secrets.Keys);
+            return secrets;
+        }
+        private static IList<Key> RegenerateKeys(IList<Key> list)
+        {
+            return list.Select(k =>
+            {
+                if (k.IsEncrypted)
+                {
+                    k.Value = GenerateSecret();
+                }
+                return k;
+            }).ToList();
+        }
+
         private Task RefreshSecretsAsync<T>(T secrets, string keyScope = null) where T : ScriptSecrets
         {
             var refreshedSecrets = secrets.Refresh(_keyValueConverterFactory);

test/WebJobs.Script.Tests/Security/SecretManagerTests.cs

@@ -527,9 +527,9 @@ public async Task GetHostSecrets_WhenNonDecryptedHostSecrets_SavesAndRefreshes()
                 }
 
                 Assert.NotNull(hostSecrets);
-                Assert.Equal(hostSecrets.MasterKey, "cryptoError");
+                Assert.NotEqual(hostSecrets.MasterKey, "cryptoError");
                 var result = JsonConvert.DeserializeObject<HostSecrets>(File.ReadAllText(Path.Combine(directory.Path, ScriptConstants.HostMetadataFileName)));
-                Assert.Equal(result.MasterKey.Value, "!cryptoError");
+                Assert.Equal(result.MasterKey.Value, "!" + hostSecrets.MasterKey);
                 Assert.Equal(1, Directory.GetFiles(directory.Path, $"host.{ScriptConstants.Snapshot}*").Length);
 
                 Assert.True(traceWriter.GetTraces().Any(
@@ -572,9 +572,9 @@ public async Task GetFunctiontSecrets_WhenNonDecryptedSecrets_SavesAndRefreshes(
                 }
 
                 Assert.NotNull(functionSecrets);
-                Assert.Equal(functionSecrets["Key1"], "cryptoError");
+                Assert.NotEqual(functionSecrets["Key1"], "cryptoError");
                 var result = JsonConvert.DeserializeObject<FunctionSecrets>(File.ReadAllText(Path.Combine(directory.Path, functionName + ".json")));
-                Assert.Equal(result.GetFunctionKey("Key1", functionName).Value, "!cryptoError");
+                Assert.Equal(result.GetFunctionKey("Key1", functionName).Value, "!" + functionSecrets["Key1"]);
                 Assert.Equal(1, Directory.GetFiles(directory.Path, $"{functionName}.{ScriptConstants.Snapshot}*").Length);
 
                 Assert.True(traceWriter.GetTraces().Any(
@@ -799,7 +799,10 @@ private Mock<IKeyValueConverterFactory> GetConverterFactoryMock(bool simulateWri
 
             var mockValueWriter = new Mock<IKeyValueWriter>();
             mockValueWriter.Setup(r => r.WriteValue(It.IsAny<Key>()))
-                .Returns<Key>(k => new Key(k.Name, simulateWriteConversion ? "!" + k.Value : k.Value) { IsEncrypted = simulateWriteConversion });
+                .Returns<Key>(k =>
+                {
+                    return new Key(k.Name, simulateWriteConversion ? "!" + k.Value : k.Value) { IsEncrypted = simulateWriteConversion };
+                });
 
             var mockValueConverterFactory = new Mock<IKeyValueConverterFactory>();
             mockValueConverterFactory.Setup(f => f.GetValueReader(It.IsAny<Key>()))