Add identifiable secrets generation using Microsoft.Security.Utilities (michaelcfanning) (#8202)

Author: mathewc

src/WebJobs.Script.WebHost/Security/KeyManagement/SecretManager.cs

@@ -15,8 +15,10 @@
 using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Azure.WebJobs.Script.Diagnostics;
 using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 using Microsoft.Extensions.Logging;
-using DataProtectionCostants = Microsoft.Azure.Web.DataProtection.Constants;
+
+using DataProtectionConstants = Microsoft.Azure.Web.DataProtection.Constants;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost
 {
@@ -254,7 +256,7 @@ public async Task<KeyOperationResult> SetMasterKeyAsync(string value = null)
                 if (value == null)
                 {
                     // Generate a new secret (clear)
-                    masterKey = GenerateSecret();
+                    masterKey = SecretGenerator.GenerateMasterKeyValue();
                     result = OperationResult.Created;
                 }
                 else
@@ -303,7 +305,7 @@ private async Task<KeyOperationResult> AddOrUpdateSecretAsync(ScriptSecretsType
         {
             OperationResult result = OperationResult.NotFound;
 
-            secret = secret ?? GenerateSecret();
+            secret = secret ?? SecretGenerator.GenerateFunctionKeyValue();
 
             await ModifyFunctionSecretsAsync(secretsType, keyScope, secrets =>
             {
@@ -493,10 +495,10 @@ private HostSecrets GenerateHostSecrets()
         {
             return new HostSecrets
             {
-                MasterKey = GenerateKey(ScriptConstants.DefaultMasterKeyName),
+                MasterKey = GenerateMasterKey(),
                 FunctionKeys = new List<Key>
             {
-                GenerateKey(ScriptConstants.DefaultFunctionKeyName)
+                GenerateFunctionKey(),
             },
                 SystemKeys = new List<Key>()
             };
@@ -506,10 +508,10 @@ private HostSecrets GenerateHostSecrets(HostSecrets secrets)
         {
             if (secrets.MasterKey.IsEncrypted)
             {
-                secrets.MasterKey.Value = GenerateSecret();
+                secrets.MasterKey.Value = SecretGenerator.GenerateMasterKeyValue();
             }
-            secrets.SystemKeys = RegenerateKeys(secrets.SystemKeys);
-            secrets.FunctionKeys = RegenerateKeys(secrets.FunctionKeys);
+            secrets.SystemKeys = RegenerateKeys(secrets.SystemKeys, SecretGenerator.SystemKeySeed);
+            secrets.FunctionKeys = RegenerateKeys(secrets.FunctionKeys, SecretGenerator.FunctionKeySeed);
             return secrets;
         }
 
@@ -519,24 +521,24 @@ private FunctionSecrets GenerateFunctionSecrets()
             {
                 Keys = new List<Key>
                 {
-                    GenerateKey(ScriptConstants.DefaultFunctionKeyName)
+                    GenerateFunctionKey()
                 }
             };
         }
 
         private FunctionSecrets GenerateFunctionSecrets(FunctionSecrets secrets)
         {
-            secrets.Keys = RegenerateKeys(secrets.Keys);
+            secrets.Keys = RegenerateKeys(secrets.Keys, SecretGenerator.FunctionKeySeed);
             return secrets;
         }
 
-        private IList<Key> RegenerateKeys(IList<Key> list)
+        private IList<Key> RegenerateKeys(IList<Key> list, ulong seed)
         {
             return list.Select(k =>
             {
                 if (k.IsEncrypted)
                 {
-                    k.Value = GenerateSecret();
+                    k.Value = SecretGenerator.GenerateIdentifiableSecret(seed);
                 }
                 return k;
             }).ToList();
@@ -594,31 +596,32 @@ private HostSecrets ReadHostSecrets(HostSecrets hostSecrets)
             };
         }
 
-        private Key GenerateKey(string name = null)
+        private Key GenerateMasterKey()
         {
-            string secret = GenerateSecret();
+            string secret = SecretGenerator.GenerateMasterKeyValue();
 
-            return CreateKey(name, secret);
+            return CreateKey(ScriptConstants.DefaultMasterKeyName, secret);
         }
 
-        private Key CreateKey(string name, string secret)
+        private Key GenerateFunctionKey()
         {
-            var key = new Key(name, secret);
+            string secret = SecretGenerator.GenerateFunctionKeyValue();
 
-            return _keyValueConverterFactory.WriteKey(key);
+            return CreateKey(ScriptConstants.DefaultFunctionKeyName, secret);
         }
 
-        internal static string GenerateSecret()
+        private Key CreateKey(string name, ulong seed)
         {
-            using (var rng = RandomNumberGenerator.Create())
-            {
-                byte[] data = new byte[40];
-                rng.GetBytes(data);
-                string secret = Convert.ToBase64String(data);
+            string secret = SecretGenerator.GenerateIdentifiableSecret(seed);
 
-                // Replace pluses as they are problematic as URL values
-                return secret.Replace('+', 'a');
-            }
+            return CreateKey(name, secret);
+        }
+
+        private Key CreateKey(string name, string secret)
+        {
+            var key = new Key(name, secret);
+
+            return _keyValueConverterFactory.WriteKey(key);
         }
 
         private void OnSecretsChanged(object sender, SecretsChangedEventArgs e)
@@ -725,22 +728,22 @@ private void InitializeCache()
         private string GetEncryptionKeysHashes()
         {
             string result = string.Empty;
-            string azureWebsiteLocalEncryptionKey = SystemEnvironment.Instance.GetEnvironmentVariable(DataProtectionCostants.AzureWebsiteLocalEncryptionKey) ?? string.Empty;
+            string azureWebsiteLocalEncryptionKey = SystemEnvironment.Instance.GetEnvironmentVariable(DataProtectionConstants.AzureWebsiteLocalEncryptionKey) ?? string.Empty;
             SHA256Managed hash = new SHA256Managed();
 
             if (!string.IsNullOrEmpty(azureWebsiteLocalEncryptionKey))
             {
                 byte[] hashBytes = hash.ComputeHash(Encoding.UTF8.GetBytes(azureWebsiteLocalEncryptionKey));
                 string azureWebsiteLocalEncryptionKeyHash = Convert.ToBase64String(hashBytes);
-                result += $"{DataProtectionCostants.AzureWebsiteLocalEncryptionKey}={azureWebsiteLocalEncryptionKeyHash};";
+                result += $"{DataProtectionConstants.AzureWebsiteLocalEncryptionKey}={azureWebsiteLocalEncryptionKeyHash};";
             }
 
-            string azureWebsiteEnvironmentMachineKey = SystemEnvironment.Instance.GetEnvironmentVariable(DataProtectionCostants.AzureWebsiteEnvironmentMachineKey) ?? string.Empty;
+            string azureWebsiteEnvironmentMachineKey = SystemEnvironment.Instance.GetEnvironmentVariable(DataProtectionConstants.AzureWebsiteEnvironmentMachineKey) ?? string.Empty;
             if (!string.IsNullOrEmpty(azureWebsiteEnvironmentMachineKey))
             {
                 byte[] hashBytes = hash.ComputeHash(Encoding.UTF8.GetBytes(azureWebsiteEnvironmentMachineKey));
                 string azureWebsiteEnvironmentMachineKeyHash = Convert.ToBase64String(hashBytes);
-                result += $"{DataProtectionCostants.AzureWebsiteEnvironmentMachineKey}={azureWebsiteEnvironmentMachineKeyHash};";
+                result += $"{DataProtectionConstants.AzureWebsiteEnvironmentMachineKey}={azureWebsiteEnvironmentMachineKeyHash};";
             }
 
             return result;

src/WebJobs.Script.WebHost/Security/SecretGenerator.cs

@@ -0,0 +1,49 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using Microsoft.Security.Utilities;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Security
+{
+    /// <summary>
+    /// Generates identifiable secret values for use as Azure Functions keys.
+    /// </summary>
+    public static class SecretGenerator
+    {
+        public const string AzureFunctionsSignature = "AzFu";
+
+        // Seeds (passed to the Marvin checksum algorithm) for grouping
+        // Azure Functions Host keys. See references from unit tests for
+        // information on how these seeds were generated/are versioned.
+        public const ulong MasterKeySeed = 0x4d61737465723030;
+        public const ulong SystemKeySeed = 0x53797374656d3030;
+        public const ulong FunctionKeySeed = 0x46756e6374693030;
+
+        public static string GenerateMasterKeyValue()
+        {
+            return GenerateIdentifiableSecret(MasterKeySeed);
+        }
+
+        public static string GenerateFunctionKeyValue()
+        {
+            return GenerateIdentifiableSecret(FunctionKeySeed);
+        }
+
+        public static string GenerateSystemKeyValue()
+        {
+            return GenerateIdentifiableSecret(SystemKeySeed);
+        }
+
+        internal static string GenerateIdentifiableSecret(ulong seed)
+        {
+            // Return a generated secret with a completely URL-safe base64-encoding
+            // alphabet, 'a-zA-Z0-9' as well as '-' and '_'. We preserve the trailing
+            // equal sign padding in the token in order to improve the ability to
+            // match against the general token format (with performing a checksum
+            // validation. This is safe in Azure Functions utilization because a
+            // token will only appear in a URL as a query string parameter, where
+            // equal signs do not require encoding.
+            return IdentifiableSecrets.GenerateUrlSafeBase64Key(seed, 40, AzureFunctionsSignature, elidePadding: false);
+        }
+    }
+}

src/WebJobs.Script.WebHost/WebHooks/DefaultScriptWebHookProvider.cs

@@ -8,6 +8,7 @@
 using Microsoft.Azure.WebJobs.Description;
 using Microsoft.Azure.WebJobs.Host.Config;
 using Microsoft.Azure.WebJobs.Script.Config;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 using HttpHandler = Microsoft.Azure.WebJobs.IAsyncConverter<System.Net.Http.HttpRequestMessage, System.Net.Http.HttpResponseMessage>;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost
@@ -77,7 +78,7 @@ private async Task<string> GetOrCreateExtensionKey(string extensionName)
             if (!hostSecrets.SystemKeys.TryGetValue(keyName, out keyValue))
             {
                 // if the requested secret doesn't exist, create it on demand
-                keyValue = SecretManager.GenerateSecret();
+                keyValue = SecretGenerator.GenerateSystemKeyValue();
                 await secretManager.AddOrUpdateFunctionSecretAsync(keyName, keyValue, HostKeyScopes.SystemKeys, ScriptSecretsType.Host);
             }
 

src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj

@@ -79,6 +79,7 @@
     <PackageReference Include="Microsoft.Azure.WebJobs.Logging" Version="4.0.2" />
     <PackageReference Include="Microsoft.Azure.WebSites.DataProtection" Version="2.1.91-alpha" />
     <PackageReference Include="Microsoft.Extensions.Logging.ApplicationInsights" Version="2.20.0" />
+    <PackageReference Include="Microsoft.Security.Utilities" Version="1.3.0" />
     <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="2.2.3" />
     <PackageReference Include="protobuf-net" Version="3.0.0" />
     <!-- The System.Interactive.Async assembly is required to be deployed. See https://github.com/Azure/azure-functions-host/issues/6203 -->

src/WebJobs.Script/runtimeassemblies.json

@@ -1378,6 +1378,10 @@
       "name": "System.Transactions.Local",
       "resolutionPolicy": "minorMatchOrLower"
     },
+    {
+      "name": "Microsoft.Security.Utilities",
+      "resolutionPolicy": "private"
+    },
     {
       "name": "System.ValueTuple",
       "resolutionPolicy": "minorMatchOrLower"

test/WebJobs.Script.Tests/DefaultScriptWebHookProviderTests.cs

@@ -8,7 +8,9 @@
 using Microsoft.Azure.WebJobs.Description;
 using Microsoft.Azure.WebJobs.Host.Config;
 using Microsoft.Azure.WebJobs.Script.WebHost;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 using Microsoft.Extensions.Logging;
+using Microsoft.Security.Utilities;
 using Microsoft.WebJobs.Script.Tests;
 using Moq;
 using Xunit;
@@ -18,40 +20,72 @@ namespace Microsoft.Azure.WebJobs.Script.Tests
     public class DefaultScriptWebHookProviderTests
     {
         private const string TestHostName = "test.azurewebsites.net";
-
-        private readonly HostSecretsInfo _hostSecrets;
-        private readonly Mock<ISecretManager> _mockSecretManager;
-        private readonly IScriptWebHookProvider _webHookProvider;
-
-        public DefaultScriptWebHookProviderTests()
-        {
-            _mockSecretManager = new Mock<ISecretManager>(MockBehavior.Strict);
-            _hostSecrets = new HostSecretsInfo();
-            _mockSecretManager.Setup(p => p.GetHostSecretsAsync()).ReturnsAsync(_hostSecrets);
-            var mockSecretManagerProvider = new Mock<ISecretManagerProvider>(MockBehavior.Strict);
-            mockSecretManagerProvider.Setup(p => p.Current).Returns(_mockSecretManager.Object);
-            var loggerProvider = new TestLoggerProvider();
-            var loggerFactory = new LoggerFactory();
-            loggerFactory.AddProvider(loggerProvider);
-            var testEnvironment = new TestEnvironment();
-            testEnvironment.SetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteHostName, TestHostName);
-            var hostNameProvider = new HostNameProvider(testEnvironment);
-            _webHookProvider = new DefaultScriptWebHookProvider(mockSecretManagerProvider.Object, hostNameProvider);
-        }
+        private const string TestUrlRoot = "https://test.azurewebsites.net/runtime/webhooks/testextension?code=";
 
         [Fact]
         public void GetUrl_ReturnsExpectedResult()
         {
-            _hostSecrets.SystemKeys = new Dictionary<string, string>
+            var webHookProvider = CreateDefaultScriptWebHookProvider(out Mock<ISecretManager> mockSecretManager, out HostSecretsInfo hostSecrets);
+            mockSecretManager.Setup(p => p.GetHostSecretsAsync()).ReturnsAsync(hostSecrets);
+
+            // When an extension has an existing secret, it should be returned.
+            hostSecrets.SystemKeys = new Dictionary<string, string>
             {
                 { "testextension_extension", "abc123" }
             };
 
             var configProvider = new TestExtensionConfigProvider();
-            var url = _webHookProvider.GetUrl(configProvider);
+            var url = webHookProvider.GetUrl(configProvider);
             Assert.Equal("https://test.azurewebsites.net/runtime/webhooks/testextension?code=abc123", url.ToString());
         }
 
+        [Fact]
+        public void GetUrl_GeneratesIdentifiableSystemSecret()
+        {
+            string secretValue = string.Empty;
+
+            var webHookProvider = CreateDefaultScriptWebHookProvider(out Mock<ISecretManager> mockSecretManager, out HostSecretsInfo hostSecrets);
+            mockSecretManager.Setup(p => p.GetHostSecretsAsync()).ReturnsAsync(hostSecrets);
+
+            mockSecretManager.Setup(p =>
+                p.AddOrUpdateFunctionSecretAsync(
+                    "testextension_extension",
+                    It.IsAny<string>(),
+                    HostKeyScopes.SystemKeys,
+                    ScriptSecretsType.Host))
+                        .Callback<string, string, string, ScriptSecretsType>((key, secret, scope, type) => secretValue = secret)
+                        .Returns(() => Task.FromResult(new KeyOperationResult(secretValue, OperationResult.Created)));
+
+            // When an extension has no existing secret, one should be generated using
+            // the Azure Functions system key seed and standard fixed signature.
+
+            var configProvider = new TestExtensionConfigProvider();
+            var url = webHookProvider.GetUrl(configProvider);
+            Assert.Equal($"{TestUrlRoot}{secretValue}", url.ToString());
+            Assert.True(IdentifiableSecrets.ValidateBase64Key(secretValue,
+                                                              SecretGenerator.SystemKeySeed,
+                                                              SecretGenerator.AzureFunctionsSignature,
+                                                              encodeForUrl: true));
+        }
+
+        private static DefaultScriptWebHookProvider CreateDefaultScriptWebHookProvider(out Mock<ISecretManager> mockSecretManager, out HostSecretsInfo hostSecrets)
+        {
+            mockSecretManager = new Mock<ISecretManager>(MockBehavior.Strict);
+            hostSecrets = new HostSecretsInfo();
+            hostSecrets.SystemKeys = new Dictionary<string, string>();
+            hostSecrets.FunctionKeys = new Dictionary<string, string>();
+            mockSecretManager.Setup(p => p.GetHostSecretsAsync()).ReturnsAsync(hostSecrets);
+            var mockSecretManagerProvider = new Mock<ISecretManagerProvider>(MockBehavior.Strict);
+            mockSecretManagerProvider.Setup(p => p.Current).Returns(mockSecretManager.Object);
+            var loggerProvider = new TestLoggerProvider();
+            var loggerFactory = new LoggerFactory();
+            loggerFactory.AddProvider(loggerProvider);
+            var testEnvironment = new TestEnvironment();
+            testEnvironment.SetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteHostName, TestHostName);
+            var hostNameProvider = new HostNameProvider(testEnvironment);
+            return new DefaultScriptWebHookProvider(mockSecretManagerProvider.Object, hostNameProvider);
+        }
+
         [Extension("My Test Extension", configurationSection: "TestExtension")]
         private class TestExtensionConfigProvider : IExtensionConfigProvider, IAsyncConverter<HttpRequestMessage, HttpResponseMessage>
         {