Allow deleting non-reserved-system-keys that start with underscore (#6492)

Author: pragnagopa

src/WebJobs.Script.WebHost/Controllers/KeysController.cs

@@ -249,12 +249,17 @@ private async Task<Dictionary<string, string>> GetHostSecretsByScope(string secr
 
         private async Task<IActionResult> DeleteFunctionSecretAsync(string keyName, string keyScope, ScriptSecretsType secretsType)
         {
-            if (keyName == null || keyName.StartsWith("_"))
+            if (keyName == null)
             {
-                // System keys cannot be deleted.
                 return BadRequest("Invalid key name.");
             }
 
+            if (IsBuiltInSystemKeyName(keyName))
+            {
+                // System keys cannot be deleted.
+                return BadRequest("Cannot delete System Key.");
+            }
+
             if ((secretsType == ScriptSecretsType.Function && keyScope != null && !IsFunction(keyScope)) ||
                 !await _secretManagerProvider.Current.DeleteSecretAsync(keyName, keyScope, secretsType))
             {
@@ -269,6 +274,15 @@ private async Task<IActionResult> DeleteFunctionSecretAsync(string keyName, stri
             return StatusCode(StatusCodes.Status204NoContent);
         }
 
+        internal bool IsBuiltInSystemKeyName(string keyName)
+        {
+            if (keyName.Equals(MasterKeyName, StringComparison.OrdinalIgnoreCase))
+            {
+                return true;
+            }
+            return false;
+        }
+
         private bool IsFunction(string functionName)
         {
             string json = null;

test/WebJobs.Script.Tests/Controllers/Admin/KeysControllerTests.cs

@@ -137,15 +137,29 @@ public async Task PutKey_Succeeds()
             _functionsSyncManagerMock.Verify(p => p.TrySyncTriggersAsync(false), Times.Once);
         }
 
-        [Fact]
-        public async Task DeleteKey_Succeeds()
+        [Theory]
+        [InlineData("key1", false)]
+        [InlineData("_key1", false)]
+        [InlineData("_master", true)]
+        [InlineData("_MASter", true)]
+        public async Task DeleteKey_Tests(string keyName, bool invalidKey)
         {
-            _secretsManagerMock.Setup(p => p.DeleteSecretAsync("key2", "TestFunction1", ScriptSecretsType.Function)).ReturnsAsync(true);
+            _secretsManagerMock.Setup(p => p.DeleteSecretAsync(keyName, "TestFunction1", ScriptSecretsType.Function)).ReturnsAsync(true);
 
-            var result = (StatusCodeResult)(await _testController.Delete("TestFunction1", "key2"));
-            Assert.Equal(StatusCodes.Status204NoContent, result.StatusCode);
+            if (invalidKey)
+            {
+                var result = (BadRequestObjectResult)(await _testController.Delete("TestFunction1", keyName));
+                Assert.Equal("Cannot delete System Key.", result.Value);
 
-            _functionsSyncManagerMock.Verify(p => p.TrySyncTriggersAsync(false), Times.Once);
+                _functionsSyncManagerMock.Verify(p => p.TrySyncTriggersAsync(false), Times.Never);
+            }
+            else
+            {
+                var result = (StatusCodeResult)(await _testController.Delete("TestFunction1", keyName));
+                Assert.Equal(StatusCodes.Status204NoContent, result.StatusCode);
+
+                _functionsSyncManagerMock.Verify(p => p.TrySyncTriggersAsync(false), Times.Once);
+            }
         }
 
         [Fact]
@@ -168,15 +182,6 @@ public async Task DeleteKey_NotAKey_ReturnsNotFound()
             _functionsSyncManagerMock.Verify(p => p.TrySyncTriggersAsync(false), Times.Never);
         }
 
-        [Fact]
-        public async Task DeleteKey_InvalidKeyName_ReturnsBadRequest()
-        {
-            var result = (BadRequestObjectResult)(await _testController.Delete("TestFunction1", "_test"));
-            Assert.Equal("Invalid key name.", result.Value);
-
-            _functionsSyncManagerMock.Verify(p => p.TrySyncTriggersAsync(false), Times.Never);
-        }
-
         protected virtual void Dispose(bool disposing)
         {
             if (disposing)