Migrate secrets if storage type is blob

Author: alrod

src/WebJobs.Script.WebHost/Security/KeyManagement/BlobStorageSecretsMigrationRepository.cs

@@ -0,0 +1,144 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using Microsoft.WindowsAzure.Storage.Blob;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    public class BlobStorageSecretsMigrationRepository : ISecretsRepository, IDisposable
+    {
+        private readonly string _secretSentinelDirectoryPath;
+        private readonly string _accountConnectionString;
+        private readonly string _siteSlotName;
+        private readonly ILogger _logger;
+        private readonly Lazy<Task<BlobStorageSecretsRepository>> _blobStorageSecretsRepositoryTask;
+
+        public BlobStorageSecretsMigrationRepository(string secretSentinelDirectoryPath, string accountConnectionString, string siteSlotName, ILogger logger)
+        {
+            _secretSentinelDirectoryPath = secretSentinelDirectoryPath;
+            _accountConnectionString = accountConnectionString;
+            _siteSlotName = siteSlotName;
+            _logger = logger;
+
+            _blobStorageSecretsRepositoryTask = new Lazy<Task<BlobStorageSecretsRepository>>(BlobStorageSecretsRepositoryFactory);
+        }
+
+        public event EventHandler<SecretsChangedEventArgs> SecretsChanged;
+
+        private BlobStorageSecretsRepository BlobStorageSecretsRepository => _blobStorageSecretsRepositoryTask.Value.Result;
+
+        private void BlobStorageSecretsMigrationRepository_SecretsChanged(object sender, SecretsChangedEventArgs e)
+        {
+            SecretsChanged?.Invoke(this, e);
+        }
+
+        private async Task<BlobStorageSecretsRepository> BlobStorageSecretsRepositoryFactory()
+        {
+            BlobStorageSecretsRepository blobStorageSecretsRepository = new BlobStorageSecretsRepository(_secretSentinelDirectoryPath, _accountConnectionString, _siteSlotName);
+            blobStorageSecretsRepository.SecretsChanged += BlobStorageSecretsMigrationRepository_SecretsChanged;
+            try
+            {
+                await CopyKeysFromFileSystemToBlobStorage(blobStorageSecretsRepository);
+            }
+            catch (Exception ex)
+            {
+                _logger?.LogTrace("{0}", ex.ToString());
+            }
+            return blobStorageSecretsRepository;
+        }
+
+        public async Task<string> ReadAsync(ScriptSecretsType type, string functionName)
+        {
+            return await BlobStorageSecretsRepository.ReadAsync(type, functionName);
+        }
+
+        public async Task WriteAsync(ScriptSecretsType type, string functionName, string secretsContent)
+        {
+            await BlobStorageSecretsRepository.WriteAsync(type, functionName, secretsContent);
+        }
+
+        public async Task WriteSnapshotAsync(ScriptSecretsType type, string functionName, string secretsContent)
+        {
+            await BlobStorageSecretsRepository.WriteSnapshotAsync(type, functionName, secretsContent);
+        }
+
+        public async Task PurgeOldSecretsAsync(IList<string> currentFunctions, ILogger logger)
+        {
+            await BlobStorageSecretsRepository.PurgeOldSecretsAsync(currentFunctions, logger);
+        }
+
+        public async Task<string[]> GetSecretSnapshots(ScriptSecretsType type, string functionName)
+        {
+            return await BlobStorageSecretsRepository.GetSecretSnapshots(type, functionName);
+        }
+
+        public void Dispose()
+        {
+            BlobStorageSecretsRepository.Dispose();
+        }
+
+        private async Task CopyKeysFromFileSystemToBlobStorage(BlobStorageSecretsRepository blobStorageSecretsRepository)
+        {
+            string migrateSentinelPath = Path.Combine(blobStorageSecretsRepository.SecretsSentinelFilePath, "migrate-sentinel.json");
+            if (File.Exists(migrateSentinelPath))
+            {
+                // Migration is already done
+                _logger?.LogTrace("Sentinel file is detected.");
+                return;
+            }
+
+            try
+            {
+                using (var stream = new FileStream(migrateSentinelPath, FileMode.CreateNew))
+                using (var writer = new StreamWriter(stream))
+                {
+                    //write file
+                    _logger?.LogTrace("Sentinel file created.");
+                }
+            }
+            catch (IOException)
+            {
+                _logger?.LogTrace("Sentinel file is already created by another instance.");
+                return;
+            }
+
+            string[] files = Directory.GetFiles(blobStorageSecretsRepository.SecretsSentinelFilePath.Replace("Sentinels", string.Empty));
+            if (await blobStorageSecretsRepository.BlobContainer.ExistsAsync())
+            {
+                BlobResultSegment resultSegment = await blobStorageSecretsRepository.BlobContainer.ListBlobsSegmentedAsync(blobStorageSecretsRepository.SecretsBlobPath + "/", null);
+
+                // Check for conflicts
+                if (resultSegment.Results.ToArray().Length > 0)
+                {
+                    _logger?.LogTrace("Conflict detected. Secrets container is not empty.");
+                    return;
+                }
+            }
+            else
+            {
+                await blobStorageSecretsRepository.BlobContainer.CreateIfNotExistsAsync();
+            }
+
+            if (files.Length > 0)
+            {
+                List<Task> copyTasks = new List<Task>();
+                foreach (string file in files)
+                {
+                    string blobName = Path.GetFileName(file);
+                    CloudBlockBlob cloudBlockBlob = blobStorageSecretsRepository.BlobContainer.GetBlockBlobReference(blobStorageSecretsRepository.SecretsBlobPath + "/" + blobName);
+                    Task copyTask = cloudBlockBlob.UploadFromFileAsync(file);
+                    copyTasks.Add(copyTask);
+                    _logger?.LogTrace("'{0}' was migrated.", cloudBlockBlob.StorageUri.PrimaryUri.AbsoluteUri.ToString());
+                }
+                await Task.WhenAll(copyTasks);
+            }
+            _logger?.LogTrace("Finished successfully.");
+        }
+    }
+}

src/WebJobs.Script.WebHost/Security/KeyManagement/BlobStorageSecretsRepository.cs

@@ -67,6 +67,30 @@ public BlobStorageSecretsRepository(string secretSentinelDirectoryPath, string a
 
         public event EventHandler<SecretsChangedEventArgs> SecretsChanged;
 
+        public CloudBlobContainer BlobContainer
+        {
+            get
+            {
+                return _blobContainer;
+            }
+        }
+
+        public string SecretsSentinelFilePath
+        {
+            get
+            {
+                return _secretsSentinelFilePath;
+            }
+        }
+
+        public string SecretsBlobPath
+        {
+            get
+            {
+                return _secretsBlobPath;
+            }
+        }
+
         private string GetSecretsBlobPath(ScriptSecretsType secretsType, string functionName = null)
         {
             return secretsType == ScriptSecretsType.Host

src/WebJobs.Script.WebHost/Security/KeyManagement/DefaultSecretsRepositoryFactory.cs

@@ -8,19 +8,20 @@
 using System.Web;
 using Microsoft.Azure.WebJobs.Host;
 using Microsoft.Azure.WebJobs.Script.Config;
+using Microsoft.Extensions.Logging;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost
 {
     public sealed class DefaultSecretsRepositoryFactory : ISecretsRepositoryFactory
     {
-        public ISecretsRepository Create(ScriptSettingsManager settingsManager, WebHostSettings webHostSettings, ScriptHostConfiguration config)
+        public ISecretsRepository Create(ScriptSettingsManager settingsManager, WebHostSettings webHostSettings, ScriptHostConfiguration config, ILogger logger)
         {
             string secretStorageType = settingsManager.GetSetting(EnvironmentSettingNames.AzureWebJobsSecretStorageType);
             string storageString = AmbientConnectionStringProvider.Instance.GetConnectionString(ConnectionStringNames.Storage);
             if (secretStorageType != null && secretStorageType.Equals("Blob", StringComparison.OrdinalIgnoreCase) && storageString != null)
             {
                 string siteSlotName = settingsManager.AzureWebsiteUniqueSlotName ?? config.HostConfig.HostId;
-                return new BlobStorageSecretsRepository(Path.Combine(webHostSettings.SecretsPath, "Sentinels"), storageString, siteSlotName);
+                return new BlobStorageSecretsMigrationRepository(Path.Combine(webHostSettings.SecretsPath, "Sentinels"), storageString, siteSlotName, logger);
             }
             else
             {

src/WebJobs.Script.WebHost/Security/KeyManagement/ISecretsRepositoryFactory.cs

@@ -3,11 +3,12 @@
 
 using System;
 using Microsoft.Azure.WebJobs.Script.Config;
+using Microsoft.Extensions.Logging;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost
 {
     public interface ISecretsRepositoryFactory
     {
-        ISecretsRepository Create(ScriptSettingsManager settingsManager, WebHostSettings webHostSettings, ScriptHostConfiguration config);
+        ISecretsRepository Create(ScriptSettingsManager settingsManager, WebHostSettings webHostSettings, ScriptHostConfiguration config, ILogger logger);
     }
 }

src/WebJobs.Script.WebHost/WebScriptHostManager.cs

@@ -75,7 +75,7 @@ public WebScriptHostManager(ScriptHostConfiguration config,
             config.IsSelfHost = webHostSettings.IsSelfHost;
 
             secretsRepositoryFactory = secretsRepositoryFactory ?? new DefaultSecretsRepositoryFactory();
-            var secretsRepository = secretsRepositoryFactory.Create(settingsManager, webHostSettings, config);
+            ISecretsRepository secretsRepository = secretsRepositoryFactory.Create(settingsManager, webHostSettings, config, loggerFactory.CreateLogger(ScriptConstants.LogCategoryMigration));
             _secretManager = secretManagerFactory.Create(settingsManager, loggerFactory.CreateLogger(ScriptConstants.LogCategoryHostGeneral), secretsRepository);
             eventGenerator = eventGenerator ?? new EtwEventGenerator();
 

src/WebJobs.Script/ScriptConstants.cs

@@ -48,6 +48,7 @@ public static class ScriptConstants
         public const string LogCategoryHost = "Host";
         public const string LogCategoryFunction = "Function";
         public const string LogCategoryWorker = "Worker";
+        public const string LogCategoryMigration = "Host.Migration";
         public const string ConsoleLoggingMode = "consoleLoggingMode";
 
         // Define all system parameters we inject with a prefix to avoid collisions

test/WebJobs.Script.Tests.Integration/Host/SecretsRepositoryMigrationTests.cs

@@ -0,0 +1,136 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using Microsoft.Azure.WebJobs.Script.Config;
+using Microsoft.Azure.WebJobs.Script.WebHost;
+using Microsoft.Extensions.Logging;
+using Microsoft.WebJobs.Script.Tests;
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using WebJobs.Script.Tests;
+using Xunit;
+using static Microsoft.Azure.WebJobs.Script.Tests.SecretsRepositoryTests;
+
+namespace Microsoft.Azure.WebJobs.Script.Tests.Integration.Host
+{
+    public class SecretsRepositoryMigrationTests : IClassFixture<SecretsRepositoryMigrationTests.Fixture>
+    {
+        private readonly SecretsRepositoryMigrationTests.Fixture _fixture;
+        private readonly ScriptSettingsManager _settingsManager;
+
+        public SecretsRepositoryMigrationTests(SecretsRepositoryMigrationTests.Fixture fixture)
+        {
+            _fixture = fixture;
+            _settingsManager = ScriptSettingsManager.Instance;
+        }
+
+        [Fact]
+        public async Task SecretMigrate_Successful()
+        {
+            using (var directory = new TempDirectory())
+            {
+                try
+                {
+
+                    await _fixture.TestInitialize(SecretsRepositoryType.FileSystem, directory.Path);
+                    var loggerProvider = new TestLoggerProvider();
+
+                    var fileRepo = _fixture.GetFileSystemSecretsRepository();
+                    string hostContent = Guid.NewGuid().ToString();
+                    string functionContent = Guid.NewGuid().ToString();
+                    await fileRepo.WriteAsync(ScriptSecretsType.Host, "host", hostContent);
+                    await fileRepo.WriteAsync(ScriptSecretsType.Function, "test1", functionContent);
+
+                    _settingsManager.SetSetting(EnvironmentSettingNames.AzureWebsiteSlotName, "Production");
+                    _settingsManager.SetSetting(EnvironmentSettingNames.AzureWebsiteName, "test-app");
+
+                    var blobRepoMigration = _fixture.GetBlobStorageSecretsMigrationRepository(loggerProvider.CreateLogger(ScriptConstants.LogCategoryMigration));
+
+                    await blobRepoMigration.ReadAsync(ScriptSecretsType.Host, "host");
+                    var logs = loggerProvider.GetAllLogMessages().ToArray();
+                    Assert.Contains(logs[logs.Length - 1].FormattedMessage, "Finished successfully.");
+                    string hostContentFromBlob = await blobRepoMigration.ReadAsync(ScriptSecretsType.Host, "");
+                    Assert.Contains(hostContent, hostContentFromBlob);
+                    string hostContentFromFunction = await blobRepoMigration.ReadAsync(ScriptSecretsType.Function, "test1");
+                    Assert.Contains(functionContent, hostContentFromFunction);
+
+                    var blobRepoMigration2 = _fixture.GetBlobStorageSecretsMigrationRepository(loggerProvider.CreateLogger(""));
+                    await blobRepoMigration2.ReadAsync(ScriptSecretsType.Host, "host");
+                    logs = loggerProvider.GetAllLogMessages().ToArray();
+                    Assert.Contains(logs[logs.Length - 1].FormattedMessage, "Sentinel file is detected.");
+                }
+                finally
+                {
+                    _settingsManager.SetSetting(EnvironmentSettingNames.AzureWebsiteSlotName, null);
+                    _settingsManager.SetSetting(EnvironmentSettingNames.AzureWebsiteName, null);
+                }
+            }
+        }
+
+        [Fact]
+        public async Task SecretMigrate_Conflict()
+        {
+            using (var directory = new TempDirectory())
+            {
+                try
+                {
+                    await _fixture.TestInitialize(SecretsRepositoryType.FileSystem, directory.Path);
+                    var loggerProvider = new TestLoggerProvider();
+
+                    var fileRepo = _fixture.GetFileSystemSecretsRepository();
+                    string hostContent = Guid.NewGuid().ToString();
+                    string functionContent = Guid.NewGuid().ToString();
+                    await fileRepo.WriteAsync(ScriptSecretsType.Host, "host", hostContent);
+                    await fileRepo.WriteAsync(ScriptSecretsType.Function, "test1", functionContent);
+
+                    _settingsManager.SetSetting(EnvironmentSettingNames.AzureWebsiteSlotName, "Production");
+                    _settingsManager.SetSetting(EnvironmentSettingNames.AzureWebsiteName, "test-app");
+
+                    var blobRepo = _fixture.GetBlobStorageRepository();
+                    await blobRepo.WriteAsync(ScriptSecretsType.Host, "host", hostContent);
+                    await blobRepo.WriteAsync(ScriptSecretsType.Function, "test1", functionContent);
+
+
+                    var blobRepoMigration = _fixture.GetBlobStorageSecretsMigrationRepository(loggerProvider.CreateLogger(ScriptConstants.LogCategoryMigration));
+                    await blobRepoMigration.ReadAsync(ScriptSecretsType.Host, "host");
+
+                    var logs = loggerProvider.GetAllLogMessages().ToArray();
+                    Assert.Contains("Conflict detected", loggerProvider.GetAllLogMessages().ToList().Last().FormattedMessage);
+                }
+                finally
+                {
+                    _settingsManager.SetSetting(EnvironmentSettingNames.AzureWebsiteSlotName, null);
+                    _settingsManager.SetSetting(EnvironmentSettingNames.AzureWebsiteName, null);
+                    
+                }
+            }
+        }
+
+        public class Fixture : SecretsRepositoryTests.Fixture
+        {
+            public Fixture() : base()
+            {
+            }
+
+            public ISecretsRepository GetFileSystemSecretsRepository()
+            {
+                return new FileSystemSecretsRepository(SecretsDirectory);
+            }
+
+            public ISecretsRepository GetBlobStorageRepository()
+            {
+                return new BlobStorageSecretsRepository(Path.Combine(SecretsDirectory, "Sentinels"), BlobConnectionString, TestSiteName);
+            }
+
+            public BlobStorageSecretsMigrationRepository GetBlobStorageSecretsMigrationRepository(ILogger logger)
+            {
+                var repo = new BlobStorageSecretsMigrationRepository(Path.Combine(SecretsDirectory, "Sentinels"), BlobConnectionString, TestSiteName, logger);
+                return repo;
+            }
+        }
+    }
+}