Merge pull request #5479 from Azure/dev

Merging dev to master

Author: mhoeger

build/python.props

@@ -1,5 +1,5 @@
 <Project>
   <ItemGroup>
-    <PackageReference Include="Microsoft.Azure.Functions.PythonWorker" Version="1.0.201911015" />
+    <PackageReference Include="Microsoft.Azure.Functions.PythonWorker" Version="1.0.201912137" />
   </ItemGroup>
-</Project>
+</Project>

src/WebJobs.Script.Grpc/generate_protos.bat

@@ -34,7 +34,7 @@ setlocal
 @rem enter Script.Rpc directory
 cd /d %~dp0
 
-set NUGET_PATH=%UserProfile%\.nuget\packages
+set NUGET_PATH="%UserProfile%\.nuget\packages"
 set GRPC_TOOLS_PATH=%NUGET_PATH%\grpc.tools\1.20.1\tools\windows_x86
 set PROTO_PATH=.\azure-functions-language-worker-protobuf\src\proto
 set PROTO=.\azure-functions-language-worker-protobuf\src\proto\FunctionRpc.proto

src/WebJobs.Script.WebHost/Controllers/KeysController.cs

@@ -20,6 +20,7 @@
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Controllers
 {
     [Authorize(Policy = PolicyNames.AdminAuthLevel)]
+    [ResourceContainsSecrets]
     public class KeysController : Controller
     {
         private const string MasterKeyName = "_master";

src/WebJobs.Script.WebHost/Diagnostics/LinuxContainerEventGenerator.cs

@@ -38,7 +38,7 @@ public LinuxContainerEventGenerator(IEnvironment environment, Action<string> wri
 
         public static string DetailsEventRegex { get; } = $"{ScriptConstants.LinuxFunctionDetailsEventStreamName} (?<AppName>[^,]*),(?<FunctionName>[^,]*),\\\\\"(?<InputBindings>.*)\\\\\",\\\\\"(?<OutputBindings>.*)\\\\\",(?<ScriptType>[^,]*),(?<IsDisabled>[0|1])";
 
-        public static string AzureMonitorEventRegex { get; } = $"{ScriptConstants.LinuxAzureMonitorEventStreamName} (?<Level>[0-6]),(?<ResourceId>[^,]*),(?<OperationName>[^,]*),(?<Category>[^,]*),(?<RegionName>[^,]*),(?<Properties>[^,]*),(?<ContainerName>[^,\"]*),(?<TenantId>[^,\"]*),(?<EventTimestamp>[^,]+)";
+        public static string AzureMonitorEventRegex { get; } = $"{ScriptConstants.LinuxAzureMonitorEventStreamName} (?<Level>[0-6]),(?<ResourceId>[^,]*),(?<OperationName>[^,]*),(?<Category>[^,]*),(?<RegionName>[^,]*),\"(?<Properties>[^,]*)\",(?<ContainerName>[^,\"]*),(?<TenantId>[^,\"]*),(?<EventTimestamp>[^,]+)";
 
         private string StampName
         {
@@ -104,7 +104,7 @@ private void ConsoleWriter(string evt)
 
         public override void LogAzureMonitorDiagnosticLogEvent(LogLevel level, string resourceId, string operationName, string category, string regionName, string properties)
         {
-            _writeEvent($"{ScriptConstants.LinuxAzureMonitorEventStreamName} {(int)ToEventLevel(level)},{resourceId},{operationName},{category},{regionName},{properties},{_containerName},{TenantId}, {DateTime.UtcNow.ToString()}");
+            _writeEvent($"{ScriptConstants.LinuxAzureMonitorEventStreamName} {(int)ToEventLevel(level)},{resourceId},{operationName},{category},{regionName},{NormalizeString(properties)},{_containerName},{TenantId},{DateTime.UtcNow.ToString()}");
         }
     }
 }

src/WebJobs.Script.WebHost/Filters/ArmExtensionResourceFilter.cs

@@ -0,0 +1,53 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc.Controllers;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Azure.WebJobs.Script.Extensions;
+using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Filters
+{
+    /// <summary>
+    /// Resource filter used to ensure secrets aren't returned for GET requests made via the Functions ARM extension
+    /// API (hostruntime), unless properly authorized.
+    /// </summary>
+    /// <remarks>
+    /// All our first class ARM APIs handle RBAC naturally. For the hostruntime bridge, the runtime collaborates
+    /// based on request details coming from ARM/Geo.
+    /// </remarks>
+    public sealed class ArmExtensionResourceFilter : IAsyncResourceFilter
+    {
+        public async Task OnResourceExecutionAsync(ResourceExecutingContext context, ResourceExecutionDelegate next)
+        {
+            // We only want to apply this filter for GET extension ARM requests that were forwarded directly to us via
+            // hostruntime bridge, not hostruntime requests initiated internally by the geomaster. The latter requests
+            // won't have the x-ms-arm-request-tracking-id header.
+            var request = context.HttpContext.Request;
+            bool isArmExtensionRequest = request.HasHeader(ScriptConstants.AntaresARMRequestTrackingIdHeader) &&
+                request.HasHeader(ScriptConstants.AntaresARMExtensionsRouteHeader);
+
+            if (isArmExtensionRequest && string.Equals(request.Method, "GET", StringComparison.OrdinalIgnoreCase))
+            {
+                // requests made by owner/co-admin are not filtered
+                if (!request.HasHeaderValue(ScriptConstants.AntaresClientAuthorizationSourceHeader, "legacy"))
+                {
+                    var controllerActionDescriptor = context.ActionDescriptor as ControllerActionDescriptor;
+                    if (controllerActionDescriptor != null && controllerActionDescriptor.MethodInfo != null &&
+                        Utility.GetHierarchicalAttributeOrNull<ResourceContainsSecretsAttribute>(controllerActionDescriptor.MethodInfo) != null)
+                    {
+                        // if the resource returned by the action contains secrets, fail the request
+                        context.HttpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                        await context.HttpContext.Response.WriteAsync(Resources.UnauthorizedArmExtensionResourceRequest);
+                        return;
+                    }
+                }
+            }
+
+            await next();
+        }
+    }
+}

src/WebJobs.Script.WebHost/Metrics/LinuxContainerMetricsPublisher.cs

@@ -229,10 +229,17 @@ private async Task PublishActivity<T>(ConcurrentQueue<T> currentActivities, Bloc
 
         internal async Task SendRequest<T>(ConcurrentQueue<T> activitiesToPublish, string publishPath)
         {
-            var request = BuildRequest(HttpMethod.Post, publishPath, activitiesToPublish.ToArray());
-            _logger.LogDebug($"Publishing {activitiesToPublish.Count()} activities to {publishPath}.");
-            HttpResponseMessage response = await _httpClient.SendAsync(request);
-            response.EnsureSuccessStatusCode();
+            try
+            {
+                var request = BuildRequest(HttpMethod.Post, publishPath, activitiesToPublish.ToArray());
+
+                HttpResponseMessage response = await _httpClient.SendAsync(request);
+                response.EnsureSuccessStatusCode();
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, $"Failed to publish status to {publishPath}");
+            }
         }
 
         public void Initialize()

src/WebJobs.Script.WebHost/Middleware/AppServiceHeaderFixupMiddleware.cs

@@ -1,18 +1,18 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
+using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
-using Microsoft.Azure.WebJobs.Script.Extensions;
 using Microsoft.Extensions.Primitives;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Middleware
 {
     public class AppServiceHeaderFixupMiddleware
     {
-        private const string DisguisedHostHeader = "DISGUISED-HOST";
-        private const string HostHeader = "HOST";
-        private const string ForwardedProtocolHeader = "X-Forwarded-Proto";
+        internal const string DisguisedHostHeader = "DISGUISED-HOST";
+        internal const string HostHeader = "HOST";
+        internal const string ForwardedProtocolHeader = "X-Forwarded-Proto";
         private readonly RequestDelegate _next;
 
         public AppServiceHeaderFixupMiddleware(RequestDelegate next)
@@ -29,7 +29,11 @@ public async Task Invoke(HttpContext httpContext)
 
             if (httpContext.Request.Headers.TryGetValue(ForwardedProtocolHeader, out value))
             {
-                httpContext.Request.Scheme = value;
+                string scheme = value.FirstOrDefault();
+                if (!string.IsNullOrEmpty(scheme))
+                {
+                    httpContext.Request.Scheme = scheme;
+                }
             }
 
             await _next(httpContext);

src/WebJobs.Script.WebHost/Properties/Resources.Designer.cs

@@ -294,4 +294,7 @@
   <data name="TraceStaleHostSecretRefresh" xml:space="preserve">
     <value>Stale host secrets detected. Refreshing secrets.</value>
   </data>
+  <data name="UnauthorizedArmExtensionResourceRequest" xml:space="preserve">
+    <value>GET requests for this resource via the hostruntime extensions API are not authorized. Please use an alternate first class ARM API.</value>
+  </data>
 </root>

src/WebJobs.Script.WebHost/Properties/Resources.resx

@@ -0,0 +1,16 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    /// <summary>
+    /// Attribute applied to actions to indicate whether the resource returned by an action
+    /// contains secrets.
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+    public class ResourceContainsSecretsAttribute : Attribute
+    {
+    }
+}