porting ARM Auth functionality

brettsam · brettsam · commit 2942e616bdfa · 2019-01-11T13:50:27.000-08:00
diff --git a/src/WebJobs.Script.WebHost/Filters/AuthorizationLevelAttribute.cs b/src/WebJobs.Script.WebHost/Filters/AuthorizationLevelAttribute.cs
@@ -20,6 +20,7 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost.Filters
     public class AuthorizationLevelAttribute : AuthorizationFilterAttribute
     {
         public const string FunctionsKeyHeaderName = "x-functions-key";
+        public const string ArmTokenHeaderName = "x-ms-site-restricted-token";
 
         public AuthorizationLevelAttribute(AuthorizationLevel level)
         {
@@ -48,20 +49,33 @@ public async override Task OnAuthorizationAsync(HttpActionContext actionContext,
                 throw new ArgumentNullException("actionContext");
             }
 
+            var request = actionContext.Request;
+
             AuthorizationLevel requestAuthorizationLevel = actionContext.Request.GetAuthorizationLevel();
 
             // If the request has not yet been authenticated, authenticate it
-            var request = actionContext.Request;
             if (requestAuthorizationLevel == AuthorizationLevel.Anonymous)
             {
-                // determine the authorization level for the function and set it
-                // as a request property
-                var secretManager = actionContext.ControllerContext.Configuration.DependencyResolver.GetService<ISecretManager>();
-
-                var result = await GetAuthorizationResultAsync(request, secretManager, EvaluateKeyMatch, KeyName);
-                requestAuthorizationLevel = result.AuthorizationLevel;
-                request.SetAuthorizationLevel(result.AuthorizationLevel);
-                request.SetProperty(ScriptConstants.AzureFunctionsHttpRequestKeyNameKey, result.KeyName);
+                string armToken = GetArmTokenHeader(actionContext);
+
+                if (armToken != null)
+                {
+                    if (SimpleWebTokenHelper.TryValidateToken(armToken, DateTime.UtcNow))
+                    {
+                        request.SetAuthorizationLevel(AuthorizationLevel.Admin);
+                    }
+                }
+                else
+                {
+                    // determine the authorization level for the function and set it
+                    // as a request property
+                    var secretManager = actionContext.ControllerContext.Configuration.DependencyResolver.GetService<ISecretManager>();
+
+                    var result = await GetAuthorizationResultAsync(request, secretManager, EvaluateKeyMatch, KeyName);
+                    requestAuthorizationLevel = result.AuthorizationLevel;
+                    request.SetAuthorizationLevel(result.AuthorizationLevel);
+                    request.SetProperty(ScriptConstants.AzureFunctionsHttpRequestKeyNameKey, result.KeyName);
+                }
             }
 
             if (request.IsAuthDisabled() ||
@@ -78,6 +92,16 @@ public async override Task OnAuthorizationAsync(HttpActionContext actionContext,
             }
         }
 
+        internal static string GetArmTokenHeader(HttpActionContext actionContext)
+        {
+            if (actionContext.Request.Headers.TryGetValues(ArmTokenHeaderName, out IEnumerable<string> values))
+            {
+                return values.First();
+            }
+
+            return null;
+        }
+
         protected virtual string EvaluateKeyMatch(IDictionary<string, string> secrets, string keyName, string keyValue) => GetKeyMatchOrNull(secrets, keyName, keyValue);
 
         internal static Task<KeyAuthorizationResult> GetAuthorizationResultAsync(HttpRequestMessage request, ISecretManager secretManager, string keyName = null, string functionName = null)
diff --git a/src/WebJobs.Script.WebHost/GlobalSuppressions.cs b/src/WebJobs.Script.WebHost/GlobalSuppressions.cs
@@ -114,4 +114,6 @@
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.WebHostResolver.#CreateDefaultLoggerFactory(Microsoft.Azure.WebJobs.Script.WebHost.WebHostSettings)")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Performance", "CA1822:MarkMembersAsStatic", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics.FunctionsSystemLogsEventSource.#SetActivityId(System.String)")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Controllers.AdminController.#Ping()")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2202:Do not dispose objects multiple times", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Security.SimpleWebTokenHelper.#Decrypt(System.Byte[],System.String)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Security.SimpleWebTokenHelper.#Decrypt(System.Byte[],System.String)")]
 
diff --git a/src/WebJobs.Script.WebHost/Security/SimpleWebTokenHelper.cs b/src/WebJobs.Script.WebHost/Security/SimpleWebTokenHelper.cs
@@ -0,0 +1,109 @@
+﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Security
+{
+    internal static class SimpleWebTokenHelper
+    {
+        public static string Decrypt(byte[] encryptionKey, string value)
+        {
+            var parts = value.Split(new[] { '.' }, StringSplitOptions.RemoveEmptyEntries);
+            if (parts.Length != 2 && parts.Length != 3)
+            {
+                throw new InvalidOperationException("Malformed token.");
+            }
+
+            var iv = Convert.FromBase64String(parts[0]);
+            var data = Convert.FromBase64String(parts[1]);
+            var base64KeyHash = parts.Length == 3 ? parts[2] : null;
+
+            if (!string.IsNullOrEmpty(base64KeyHash) && !string.Equals(GetSHA256Base64String(encryptionKey), base64KeyHash))
+            {
+                throw new InvalidOperationException(string.Format("Key with hash {0} does not exist.", base64KeyHash));
+            }
+
+            using (var aes = new AesManaged { Key = encryptionKey })
+            {
+                using (var ms = new MemoryStream())
+                {
+                    using (var cs = new CryptoStream(ms, aes.CreateDecryptor(aes.Key, iv), CryptoStreamMode.Write))
+                    using (var binaryWriter = new BinaryWriter(cs))
+                    {
+                        binaryWriter.Write(data, 0, data.Length);
+                    }
+
+                    return Encoding.UTF8.GetString(ms.ToArray());
+                }
+            }
+        }
+
+        public static bool TryValidateToken(string token, DateTime dateTime)
+        {
+            try
+            {
+                return ValidateToken(token, dateTime);
+            }
+            catch
+            {
+                return false;
+            }
+        }
+
+        public static bool ValidateToken(string token, DateTime dateTime)
+        {
+            // Use WebSiteAuthEncryptionKey if available.
+            byte[] key = GetEncryptionKey(EnvironmentSettingNames.WebsiteAuthEncryptionKey);
+
+            var data = Decrypt(key, token);
+
+            var parsedToken = data
+                // token = key1=value1;key2=value2
+                .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
+                 // ["key1=value1", "key2=value2"]
+                 .Select(v => v.Split(new[] { '=' }, StringSplitOptions.RemoveEmptyEntries))
+                 // [["key1", "value1"], ["key2", "value2"]]
+                 .ToDictionary(k => k[0], v => v[1]);
+
+            return parsedToken.ContainsKey("exp") && dateTime < new DateTime(long.Parse(parsedToken["exp"]));
+        }
+
+        private static string GetSHA256Base64String(byte[] key)
+        {
+            using (var sha256 = new SHA256Managed())
+            {
+                return Convert.ToBase64String(sha256.ComputeHash(key));
+            }
+        }
+
+        internal static byte[] GetEncryptionKey(string keyName)
+        {
+            var hexOrBase64 = Environment.GetEnvironmentVariable(keyName);
+            if (string.IsNullOrEmpty(hexOrBase64))
+            {
+                throw new InvalidOperationException($"No {keyName} defined in the environment");
+            }
+
+            return hexOrBase64.ToKeyBytes();
+        }
+
+        public static byte[] ToKeyBytes(this string hexOrBase64)
+        {
+            // only support 32 bytes (256 bits) key length
+            if (hexOrBase64.Length == 64)
+            {
+                return Enumerable.Range(0, hexOrBase64.Length)
+                    .Where(x => x % 2 == 0)
+                    .Select(x => Convert.ToByte(hexOrBase64.Substring(x, 2), 16))
+                    .ToArray();
+            }
+
+            return Convert.FromBase64String(hexOrBase64);
+        }
+    }
+}
diff --git a/src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj b/src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj
@@ -509,6 +509,7 @@
     <Compile Include="Filters\EnableDebugModeAttribute.cs" />
     <Compile Include="Filters\RequiresRunningHostAttribute.cs" />
     <Compile Include="Security\SecretsUtility.cs" />
+    <Compile Include="Security\SimpleWebTokenHelper.cs" />
     <Compile Include="StandbyManager.cs" />
     <Compile Include="Controllers\AdminController.cs" />
     <Compile Include="Controllers\FunctionsController.cs" />
diff --git a/src/WebJobs.Script/EnvironmentSettingNames.cs b/src/WebJobs.Script/EnvironmentSettingNames.cs
@@ -25,6 +25,7 @@ public static class EnvironmentSettingNames
         public const string AppInsightsInstrumentationKey = "APPINSIGHTS_INSTRUMENTATIONKEY";
         public const string ProxySiteExtensionEnabledKey = "ROUTING_EXTENSION_VERSION";
         public const string FunctionsExtensionVersion = "FUNCTIONS_EXTENSION_VERSION";
+        public const string WebsiteAuthEncryptionKey = "WEBSITE_AUTH_ENCRYPTION_KEY";
 
         /// <summary>
         /// Environment variable dynamically set by the platform when it is safe to
diff --git a/test/WebJobs.Script.Tests/Filters/AuthorizationLevelAttributeTests.cs b/test/WebJobs.Script.Tests/Filters/AuthorizationLevelAttributeTests.cs
@@ -3,9 +3,12 @@
 
 using System;
 using System.Collections.Generic;
+using System.IO;
 using System.Net;
 using System.Net.Http;
 using System.Reflection;
+using System.Security.Cryptography;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using System.Web.Http;
@@ -14,6 +17,7 @@
 using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Azure.WebJobs.Script.WebHost;
 using Microsoft.Azure.WebJobs.Script.WebHost.Filters;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 using Microsoft.WebJobs.Script.Tests;
 using Moq;
 using Xunit;
@@ -391,6 +395,76 @@ public async Task OnAuthorization_WithNamedKeyHeader_Succeeds()
             Assert.Null(actionContext.Response);
         }
 
+        [Fact]
+        public async Task OnAuthorization_Arm_Success_SetsAdminAuthLevel()
+        {
+            byte[] key = GenerateKeyBytes();
+            string keyString = GenerateKeyHexString(key);
+            string token = CreateSimpleWebToken(DateTime.UtcNow.AddMinutes(5), key);
+
+            var attribute = new AuthorizationLevelAttribute(AuthorizationLevel.Admin);
+
+            HttpRequestMessage request = new HttpRequestMessage();
+            request.Headers.Add(AuthorizationLevelAttribute.ArmTokenHeaderName, token);
+            var actionContext = CreateActionContext(typeof(TestController).GetMethod(nameof(TestController.Get)), HttpConfig);
+            actionContext.ControllerContext.Request = request;
+
+            using (new TestScopedEnvironmentVariable(EnvironmentSettingNames.WebsiteAuthEncryptionKey, keyString))
+            {
+                await attribute.OnAuthorizationAsync(actionContext, CancellationToken.None);
+            }
+
+            Assert.Null(actionContext.Response);
+            Assert.Equal(AuthorizationLevel.Admin, actionContext.Request.GetAuthorizationLevel());
+        }
+
+        [Fact]
+        public async Task OnAuthorization_Arm_Expired_ReturnsUnauthorized()
+        {
+            byte[] key = GenerateKeyBytes();
+            string keyString = GenerateKeyHexString(key);
+            string token = CreateSimpleWebToken(DateTime.UtcNow.AddMinutes(-5), key);
+
+            var attribute = new AuthorizationLevelAttribute(AuthorizationLevel.Admin);
+
+            HttpRequestMessage request = new HttpRequestMessage();
+            request.Headers.Add(AuthorizationLevelAttribute.ArmTokenHeaderName, token);
+            var actionContext = CreateActionContext(typeof(TestController).GetMethod(nameof(TestController.Get)), HttpConfig);
+            actionContext.ControllerContext.Request = request;
+
+            using (new TestScopedEnvironmentVariable(EnvironmentSettingNames.WebsiteAuthEncryptionKey, keyString))
+            {
+                await attribute.OnAuthorizationAsync(actionContext, CancellationToken.None);
+            }
+
+            Assert.Equal(HttpStatusCode.Unauthorized, actionContext.Response.StatusCode);
+            Assert.Equal(AuthorizationLevel.Anonymous, actionContext.Request.GetAuthorizationLevel());
+        }
+
+        [Fact]
+        public async Task OnAuthorization_Arm_Invalid_ReturnsUnauthorized()
+        {
+            byte[] key = GenerateKeyBytes();
+            string keyString = GenerateKeyHexString(key);
+            string token = CreateSimpleWebToken(DateTime.UtcNow.AddMinutes(5), key);
+            token = token.Substring(0, token.Length - 5);
+
+            var attribute = new AuthorizationLevelAttribute(AuthorizationLevel.Admin);
+
+            HttpRequestMessage request = new HttpRequestMessage();
+            request.Headers.Add(AuthorizationLevelAttribute.ArmTokenHeaderName, token);
+            var actionContext = CreateActionContext(typeof(TestController).GetMethod(nameof(TestController.Get)), HttpConfig);
+            actionContext.ControllerContext.Request = request;
+
+            using (new TestScopedEnvironmentVariable(EnvironmentSettingNames.WebsiteAuthEncryptionKey, keyString))
+            {
+                await attribute.OnAuthorizationAsync(actionContext, CancellationToken.None);
+            }
+
+            Assert.Equal(HttpStatusCode.Unauthorized, actionContext.Response.StatusCode);
+            Assert.Equal(AuthorizationLevel.Anonymous, actionContext.Request.GetAuthorizationLevel());
+        }
+
         protected static HttpActionContext CreateActionContext(MethodInfo action, System.Web.Http.HttpConfiguration config = null)
         {
             config = config ?? new System.Web.Http.HttpConfiguration();
@@ -406,6 +480,60 @@ protected static HttpActionContext CreateActionContext(MethodInfo action, System
             return actionContext;
         }
 
+        public static byte[] GenerateKeyBytes()
+        {
+            using (var aes = new AesManaged())
+            {
+                aes.GenerateKey();
+                return aes.Key;
+            }
+        }
+
+        public static string GenerateKeyHexString(byte[] key = null)
+        {
+            return BitConverter.ToString(key ?? GenerateKeyBytes()).Replace("-", string.Empty);
+        }
+
+        private static string CreateSimpleWebToken(DateTime validUntil, byte[] key = null) => EncryptSimpleWebToken($"exp={validUntil.Ticks}", key);
+
+        private static string EncryptSimpleWebToken(string value, byte[] key = null)
+        {
+            if (key == null)
+            {
+                key = SimpleWebTokenHelper.GetEncryptionKey(EnvironmentSettingNames.WebsiteAuthEncryptionKey);
+            }
+
+            using (var aes = new AesManaged { Key = key })
+            {
+                // IV is always generated for the key every time
+                aes.GenerateIV();
+                var input = Encoding.UTF8.GetBytes(value);
+                var iv = Convert.ToBase64String(aes.IV);
+
+                using (var encrypter = aes.CreateEncryptor(aes.Key, aes.IV))
+                using (var cipherStream = new MemoryStream())
+                {
+                    using (var cryptoStream = new CryptoStream(cipherStream, encrypter, CryptoStreamMode.Write))
+                    using (var binaryWriter = new BinaryWriter(cryptoStream))
+                    {
+                        binaryWriter.Write(input);
+                        cryptoStream.FlushFinalBlock();
+                    }
+
+                    // return {iv}.{swt}.{sha236(key)}
+                    return string.Format("{0}.{1}.{2}", iv, Convert.ToBase64String(cipherStream.ToArray()), GetSHA256Base64String(aes.Key));
+                }
+            }
+        }
+
+        private static string GetSHA256Base64String(byte[] key)
+        {
+            using (var sha256 = new SHA256Managed())
+            {
+                return Convert.ToBase64String(sha256.ComputeHash(key));
+            }
+        }
+
         public class TestController : ApiController
         {
             public void Get()
