Adding support for admin API isolation (#8457)

Author: mathewc

sample/CSharp/HttpTrigger-AdminLevel/function.json

@@ -0,0 +1,16 @@
+{
+  "bindings": [
+    {
+      "type": "httpTrigger",
+      "name": "req",
+      "direction": "in",
+      "methods": [ "get" ],
+      "authLevel": "admin"
+    },
+    {
+      "type": "http",
+      "name": "$return",
+      "direction": "out"
+    }
+  ]
+}

sample/CSharp/HttpTrigger-AdminLevel/run.csx

@@ -0,0 +1,15 @@
+using System.Net;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Primitives;
+
+public static IActionResult Run(HttpRequest req, TraceWriter log)
+{
+    log.Info("C# HTTP trigger function processed a request.");
+
+    if (req.Query.TryGetValue("name", out StringValues value))
+    {
+        return new OkObjectResult($"Hello {value.ToString()}");
+    }
+
+    return new BadRequestObjectResult("Please pass a name on the query string or in the request body");
+}

src/WebJobs.Script.WebHost/Middleware/VirtualFileSystemMiddleware.cs

@@ -104,6 +104,11 @@ private async Task<bool> AuthenticateAndAuthorize(HttpContext context)
             var authorizationPolicyProvider = context.RequestServices.GetRequiredService<IAuthorizationPolicyProvider>();
             var policyEvaluator = context.RequestServices.GetRequiredService<IPolicyEvaluator>();
 
+            if (!AuthorizationOptionsExtensions.CheckPlatformInternal(context, allowAppServiceInternal: false))
+            {
+                return false;
+            }
+
             var policy = await authorizationPolicyProvider.GetPolicyAsync(PolicyNames.AdminAuthLevel);
             var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);
 

src/WebJobs.Script.WebHost/Security/Authorization/Policies/AuthorizationOptionsExtensions.cs

@@ -1,12 +1,10 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
-using System.Collections.Generic;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Filters;
-using Microsoft.AspNetCore.Routing;
 using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Azure.WebJobs.Script.Extensions;
 using Microsoft.Azure.WebJobs.Script.WebHost.Authentication;
@@ -22,6 +20,18 @@ public static void AddScriptPolicies(this AuthorizationOptions options)
             {
                 p.AddScriptAuthenticationSchemes();
                 p.AddRequirements(new AuthLevelRequirement(AuthorizationLevel.Admin));
+                p.RequireAssertion(c =>
+                {
+                    if (c.Resource is AuthorizationFilterContext filterContext)
+                    {
+                        if (!CheckPlatformInternal(filterContext.HttpContext, allowAppServiceInternal: false))
+                        {
+                            return false;
+                        }
+                    }
+
+                    return true;
+                });
             });
 
             options.AddPolicy(PolicyNames.SystemAuthLevel, p =>
@@ -37,6 +47,11 @@ public static void AddScriptPolicies(this AuthorizationOptions options)
                 {
                     if (c.Resource is AuthorizationFilterContext filterContext)
                     {
+                        if (!CheckPlatformInternal(filterContext.HttpContext, allowAppServiceInternal: true))
+                        {
+                            return false;
+                        }
+
                         if (filterContext.HttpContext.Request.IsAppServiceInternalRequest())
                         {
                             return true;
@@ -96,5 +111,20 @@ private static void AddScriptAuthenticationSchemes(this AuthorizationPolicyBuild
             builder.AuthenticationSchemes.Add(AuthLevelAuthenticationDefaults.AuthenticationScheme);
             builder.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
         }
+
+        internal static bool CheckPlatformInternal(HttpContext httpContext, bool allowAppServiceInternal)
+        {
+            // when AdminIsolation is enabled, verify the request is platform internal
+            var environment = httpContext.RequestServices.GetRequiredService<IEnvironment>();
+            if (environment.IsAdminIsolationEnabled() &&
+                !(httpContext.Request.IsPlatformInternalRequest(environment) || (allowAppServiceInternal && httpContext.Request.IsAppServiceInternalRequest())))
+            {
+                // request must either be granted PlatformInternal by FrontEnd, or must be an internal
+                // request that has bypassed FrontEnd
+                return false;
+            }
+
+            return true;
+        }
     }
 }

src/WebJobs.Script/Environment/EnvironmentExtensions.cs

@@ -46,6 +46,11 @@ public static bool IsRuntimeScaleMonitoringEnabled(this IEnvironment environment
             return environment.GetEnvironmentVariable(FunctionsRuntimeScaleMonitoringEnabled) == "1";
         }
 
+        public static bool IsAdminIsolationEnabled(this IEnvironment environment)
+        {
+            return environment.GetEnvironmentVariable(FunctionsAdminIsolationEnabled) == "1";
+        }
+
         public static bool IsEasyAuthEnabled(this IEnvironment environment)
         {
             bool.TryParse(environment.GetEnvironmentVariable(EasyAuthEnabled), out bool isEasyAuthEnabled);

src/WebJobs.Script/Environment/EnvironmentSettingNames.cs

@@ -56,6 +56,7 @@ public static class EnvironmentSettingNames
         public const string AzureFilesContentShare = "WEBSITE_CONTENTSHARE";
         public const string AzureWebsiteRuntimeSiteName = "WEBSITE_DEPLOYMENT_ID";
         public const string FunctionsRuntimeScaleMonitoringEnabled = "FUNCTIONS_RUNTIME_SCALE_MONITORING_ENABLED";
+        public const string FunctionsAdminIsolationEnabled = "FUNCTIONS_ADMIN_ISOLATION_ENABLED";
         public const string AzureWebsiteStartupContextCache = "WEBSITE_FUNCTIONS_STARTUPCONTEXT_CACHE";
         public const string AzureWebJobsFeatureFlags = "AzureWebJobsFeatureFlags";
         public const string CloudName = "WEBSITE_CLOUD_NAME";

src/WebJobs.Script/Extensions/HttpRequestExtensions.cs

@@ -13,6 +13,8 @@
 using Microsoft.AspNetCore.Http.Extensions;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Primitives;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
@@ -76,7 +78,7 @@ public static TValue GetItemOrDefault<TValue>(this HttpRequest request, string k
 
         public static bool IsAppServiceInternalRequest(this HttpRequest request, IEnvironment environment = null)
         {
-            environment = environment ?? SystemEnvironment.Instance;
+            environment = GetEnvironment(request, environment);
             if (!environment.IsAppService())
             {
                 return false;
@@ -88,6 +90,24 @@ public static bool IsAppServiceInternalRequest(this HttpRequest request, IEnviro
             return !request.Headers.Keys.Contains(ScriptConstants.AntaresLogIdHeaderName);
         }
 
+        public static bool IsPlatformInternalRequest(this HttpRequest request, IEnvironment environment = null)
+        {
+            environment = GetEnvironment(request, environment);
+            if (!environment.IsAppService())
+            {
+                return false;
+            }
+
+            var header = request.Headers[ScriptConstants.AntaresPlatformInternal];
+            string value = header.FirstOrDefault();
+            return string.Compare(value, "true", StringComparison.OrdinalIgnoreCase) == 0;
+        }
+
+        private static IEnvironment GetEnvironment(HttpRequest request, IEnvironment environment = null)
+        {
+            return environment ?? request.HttpContext.RequestServices?.GetService<IEnvironment>() ?? SystemEnvironment.Instance;
+        }
+
         public static bool IsColdStart(this HttpRequest request)
         {
             return !string.IsNullOrEmpty(request.GetHeaderValueOrDefault(ScriptConstants.AntaresColdStartHeaderName));

src/WebJobs.Script/ScriptConstants.cs

@@ -94,6 +94,7 @@ public static class ScriptConstants
         public const string AntaresColdStartHeaderName = "X-MS-COLDSTART";
         public const string SiteTokenHeaderName = "x-ms-site-restricted-token";
         public const string EasyAuthIdentityHeader = "x-ms-client-principal";
+        public const string AntaresPlatformInternal = "x-ms-platform-internal";
         public const string AzureVersionHeader = "x-ms-version";
         public const string XIdentityHeader = "X-IDENTITY-HEADER";
         public const string DynamicSku = "Dynamic";

test/WebJobs.Script.Tests.Integration/TestFunctionHost.cs

@@ -171,6 +171,14 @@ public TestFunctionHost(string scriptPath, string logPath,
             HttpClient = _testServer.CreateClient();
             HttpClient.Timeout = TimeSpan.FromMinutes(5);
 
+            var environment = _testServer.Services.GetService<IEnvironment>();
+            if (environment.IsAppService())
+            {
+                // host is configured to simulate an AppService environment
+                // all normal requests will go through the Antares FrontEnd and receive this header
+                HttpClient.DefaultRequestHeaders.Add(ScriptConstants.AntaresLogIdHeaderName, "xyz");
+            }
+
             var manager = _testServer.Host.Services.GetService<IScriptHostManager>();
             _hostService = manager as WebJobsScriptHostService;
 
@@ -208,6 +216,17 @@ public TestFunctionHost(string scriptPath, string logPath,
 
         public HttpClient HttpClient { get; private set; }
 
+        /// <summary>
+        /// Create a new HttpClient without default test configuration.
+        /// </summary>
+        public HttpClient CreateHttpClient()
+        {
+            var httpClient = _testServer.CreateClient();
+            httpClient.Timeout = TimeSpan.FromMinutes(5);
+
+            return httpClient;
+        }
+
         public async Task<string> GetMasterKeyAsync()
         {
             if (!SecretManagerProvider.SecretsEnabled)

test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/EndToEndTestFixture.cs

@@ -14,6 +14,7 @@
 using Microsoft.Azure.WebJobs.Script.Diagnostics;
 using Microsoft.Azure.WebJobs.Script.ExtensionBundle;
 using Microsoft.Azure.WebJobs.Script.Models;
+using Microsoft.Azure.WebJobs.Script.WebHost.Authentication;
 using Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics;
 using Microsoft.Azure.WebJobs.Script.WebHost.Management;
 using Microsoft.Azure.WebJobs.Script.Workers.Rpc;
@@ -318,6 +319,12 @@ public void AssertScriptHostErrors()
             Assert.True(errors.Count > 0);
         }
 
+        public async Task AddMasterKey(HttpRequestMessage request)
+        {
+            var masterKey = await Host.GetMasterKeyAsync();
+            request.Headers.Add(AuthenticationLevelHandler.FunctionsKeyHeaderName, masterKey);
+        }
+
         private class TestExtensionBundleManager : IExtensionBundleManager
         {
             public Task<string> GetExtensionBundleBinPathAsync() => Task.FromResult<string>(null);