3.21.1 hotfix (#9794)

* 3.21.1

---------

Co-authored-by: Tony Choi <[email protected]>

* Bump minor version to 1

* Adding additional WebJobs assemblies to deps validation exclusion (#9795) (#9796)

---------

Co-authored-by: Fabio Cavalcante <[email protected]>
Co-authored-by: Tony Choi <[email protected]>
Co-authored-by: Tony Choi <[email protected]>
Co-authored-by: jzaballos <[email protected]>

Author: 5 people

build/common.props

@@ -5,7 +5,7 @@
     <LangVersion>latest</LangVersion>
     <MajorVersion>3</MajorVersion>
     <MinorVersion>21</MinorVersion>
-    <PatchVersion>0</PatchVersion>
+    <PatchVersion>1</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <Version Condition=" '$(BuildNumber)' != '' ">$(VersionPrefix)-$(BuildNumber)</Version>
     <Version Condition=" '$(Version)' == '' ">$(VersionPrefix)</Version>

src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs

@@ -80,7 +80,25 @@ public static AuthenticationBuilder AddScriptJwtBearer(this AuthenticationBuilde
                             }
                         });
 
-        private static TokenValidationParameters CreateTokenValidationParameters()
+        private static string[] GetValidAudiences()
+        {
+            if (SystemEnvironment.Instance.IsPlaceholderModeEnabled()
+                && SystemEnvironment.Instance.IsLinuxConsumptionOnAtlas())
+            {
+                return new string[]
+                {
+                    ScriptSettingsManager.Instance.GetSetting(ContainerName)
+                };
+            }
+
+            return new string[]
+            {
+                string.Format(SiteAzureFunctionsUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                string.Format(SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+            };
+        }
+
+        public static TokenValidationParameters CreateTokenValidationParameters()
         {
             var signingKeys = SecretsUtility.GetTokenIssuerSigningKeys();
             var result = new TokenValidationParameters();
@@ -89,11 +107,7 @@ private static TokenValidationParameters CreateTokenValidationParameters()
                 result.IssuerSigningKeys = signingKeys;
                 result.AudienceValidator = AudienceValidator;
                 result.IssuerValidator = IssuerValidator;
-                result.ValidAudiences = new string[]
-                {
-                    string.Format(SiteAzureFunctionsUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
-                    string.Format(SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
-                };
+                result.ValidAudiences = GetValidAudiences();
                 result.ValidIssuers = new string[]
                 {
                     AppServiceCoreUri,

src/WebJobs.Script.WebHost/Security/SimpleWebTokenHelper.cs

@@ -15,14 +15,14 @@ public static class SimpleWebTokenHelper
         /// <summary>
         /// A SWT or a Simple Web Token is a token that's made of key=value pairs separated
         /// by &. We only specify expiration in ticks from now (exp={ticks})
-        /// The SWT is then returned as an encrypted string
+        /// The SWT is then returned as an encrypted string.
         /// </summary>
-        /// <param name="validUntil">Datetime for when the token should expire</param>
-        /// <param name="key">Optional key to encrypt the token with</param>
-        /// <returns>a SWT signed by this app</returns>
+        /// <param name="validUntil">Datetime for when the token should expire.</param>
+        /// <param name="key">Optional key to encrypt the token with.</param>
+        /// <returns>a SWT signed by this app.</returns>
         public static string CreateToken(DateTime validUntil, byte[] key = null) => Encrypt($"exp={validUntil.Ticks}", key);
 
-        internal static string Encrypt(string value, byte[] key = null, IEnvironment environment = null)
+        internal static string Encrypt(string value, byte[] key = null, IEnvironment environment = null, bool includesSignature = false)
         {
             key = key ?? SecretsUtility.GetEncryptionKey(environment);
 
@@ -43,23 +43,31 @@ internal static string Encrypt(string value, byte[] key = null, IEnvironment env
                         cryptoStream.FlushFinalBlock();
                     }
 
-                    // return {iv}.{swt}.{sha236(key)}
-                    return string.Format("{0}.{1}.{2}", iv, Convert.ToBase64String(cipherStream.ToArray()), GetSHA256Base64String(aes.Key));
+                    if (includesSignature)
+                    {
+                        return $"{Convert.ToBase64String(aes.IV)}.{Convert.ToBase64String(cipherStream.ToArray())}.{GetSHA256Base64String(aes.Key)}.{Convert.ToBase64String(ComputeHMACSHA256(aes.Key, input))}";
+                    }
+                    else
+                    {
+                        // return {iv}.{swt}.{sha236(key)}
+                        return string.Format("{0}.{1}.{2}", iv, Convert.ToBase64String(cipherStream.ToArray()), GetSHA256Base64String(aes.Key));
+                    }
                 }
             }
         }
 
         public static string Decrypt(byte[] encryptionKey, string value)
         {
             var parts = value.Split(new[] { '.' }, StringSplitOptions.RemoveEmptyEntries);
-            if (parts.Length != 2 && parts.Length != 3)
+            if (parts.Length != 2 && parts.Length != 3 && parts.Length != 4)
             {
                 throw new InvalidOperationException("Malformed token.");
             }
 
             var iv = Convert.FromBase64String(parts[0]);
             var data = Convert.FromBase64String(parts[1]);
             var base64KeyHash = parts.Length == 3 ? parts[2] : null;
+            var signature = parts.Length == 4 ? Convert.FromBase64String(parts[3]) : null;
 
             if (!string.IsNullOrEmpty(base64KeyHash) && !string.Equals(GetSHA256Base64String(encryptionKey), base64KeyHash))
             {
@@ -76,11 +84,25 @@ public static string Decrypt(byte[] encryptionKey, string value)
                         binaryWriter.Write(data, 0, data.Length);
                     }
 
-                    return Encoding.UTF8.GetString(ms.ToArray());
+                    var input = ms.ToArray();
+                    if (signature != null && !signature.SequenceEqual(ComputeHMACSHA256(encryptionKey, input)))
+                    {
+                        throw new InvalidOperationException("Signature mismatches!");
+                    }
+
+                    return Encoding.UTF8.GetString(input);
                 }
             }
         }
 
+        private static byte[] ComputeHMACSHA256(byte[] key, byte[] input)
+        {
+            using (var hmacSha256 = new HMACSHA256(key))
+            {
+                return hmacSha256.ComputeHash(input);
+            }
+        }
+
         public static string Decrypt(string value, IEnvironment environment = null)
         {
             byte[] key = SecretsUtility.GetEncryptionKey(environment);

src/WebJobs.Script/Extensions/HttpRequestExtensions.cs

@@ -86,9 +86,9 @@ public static bool IsAppServiceInternalRequest(this HttpRequest request, IEnviro
             }
 
             // this header will *always* be present on requests originating externally (i.e. going
-            // through the Anatares front end). For requests originating internally it will NOT be
+            // through the Antares front end). For requests originating internally it will NOT be
             // present.
-            return !request.Headers.Keys.Contains(ScriptConstants.AntaresLogIdHeaderName);
+            return !request.Headers.ContainsKey(ScriptConstants.AntaresLogIdHeaderName);
         }
 
         public static bool IsPlatformInternalRequest(this HttpRequest request, IEnvironment environment = null)

test/WebJobs.Script.Tests/DependencyTests.cs

@@ -20,6 +20,8 @@ public class DependencyTests
         {
             "Microsoft.Azure.WebJobs.Script.WebHost.dll",
             "Microsoft.Azure.WebJobs.dll",
+            "Microsoft.Azure.WebJobs.Script.dll",
+            "Microsoft.Azure.WebJobs.Script.Grpc.dll",
             "Microsoft.Azure.WebJobs.Host.dll",
             "Microsoft.Azure.WebJobs.Logging.ApplicationInsights.dll",
             "Microsoft.Azure.WebJobs.Script.Abstractions.dll",

test/WebJobs.Script.Tests/Extensions/ScriptJwtBearerExtensionsTests.cs

@@ -0,0 +1,71 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.Azure.WebJobs.Script.Config;
+using Microsoft.Extensions.DependencyInjection;
+using Xunit;
+using static Microsoft.Azure.WebJobs.Script.EnvironmentSettingNames;
+
+namespace Microsoft.Azure.WebJobs.Script.Tests.Extensions
+{
+    public class ScriptJwtBearerExtensionsTests
+    {
+        [Theory]
+        [InlineData(true, true)]
+        [InlineData(true, false)]
+        [InlineData(false, true)]
+        [InlineData(false, false)]
+        public void CreateTokenValidationParameters_HasExpectedAudience(bool isPlaceholderModeEnabled, bool isLinuxConsumptionOnAtlas)
+        {
+            var containerName = "RandomContainerName";
+            var siteName = "RandomSiteName";
+            ScriptSettingsManager.Instance.SetSetting(AzureWebsiteName, siteName);
+
+            var expectedWithSiteName = new string[]
+            {
+                string.Format(ScriptConstants.SiteAzureFunctionsUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                string.Format(ScriptConstants.SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+            };
+            var expectedWithContainerName = new string[]
+            {
+                containerName
+            };
+
+            var testData = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+
+            if (isPlaceholderModeEnabled)
+            {
+                testData[AzureWebsitePlaceholderMode] = "1";
+            }
+
+            if (isLinuxConsumptionOnAtlas)
+            {
+                testData[AzureWebsiteInstanceId] = string.Empty;
+                testData[ContainerName] = containerName;
+            }
+
+            testData[ContainerEncryptionKey] = Convert.ToBase64String(TestHelpers.GenerateKeyBytes());
+            using (new TestScopedEnvironmentVariable(testData))
+            {
+                var tokenValidationParameters = ScriptJwtBearerExtensions.CreateTokenValidationParameters();
+                var audiences = tokenValidationParameters.ValidAudiences.ToList();
+
+                if (isPlaceholderModeEnabled &&
+                    isLinuxConsumptionOnAtlas)
+                {
+                    Assert.Equal(audiences.Count, expectedWithContainerName.Length);
+                    Assert.Equal(audiences[0], expectedWithContainerName[0]);
+                }
+                else
+                {
+                    Assert.Equal(audiences.Count, expectedWithSiteName.Length);
+                    Assert.True(audiences.Contains(expectedWithSiteName[0]));
+                    Assert.True(audiences.Contains(expectedWithSiteName[1]));
+                }
+            }
+        }
+    }
+}

test/WebJobs.Script.Tests/Helpers/SimpleWebTokenTests.cs

@@ -2,9 +2,12 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
-using System.Security.Cryptography;
+using System.Collections.Generic;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.Azure.WebJobs.Script.WebHost;
+using Microsoft.Azure.WebJobs.Script.WebHost.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
+using Newtonsoft.Json;
 using Xunit;
 
 namespace Microsoft.Azure.WebJobs.Script.Tests.Helpers
@@ -86,11 +89,63 @@ public void Validate_Token_Uses_Website_Encryption_Key_If_Container_Encryption_K
             Assert.True(SimpleWebTokenHelper.TryValidateToken(token, new SystemClock()));
         }
 
+        [Fact]
+        public void Validate_Token_Checks_Signature_If_Signature_Is_Available()
+        {
+            var websiteAuthEncryptionKey = TestHelpers.GenerateKeyBytes();
+            var websiteAuthEncryptionStringKey = TestHelpers.GenerateKeyHexString(websiteAuthEncryptionKey);
+
+            var timeStamp = DateTime.UtcNow.AddHours(1);
+
+            Environment.SetEnvironmentVariable(EnvironmentSettingNames.ContainerEncryptionKey, string.Empty);
+            Environment.SetEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, websiteAuthEncryptionStringKey);
+
+            var token = SimpleWebTokenHelper.Encrypt($"exp={timeStamp.Ticks}", websiteAuthEncryptionKey, includesSignature: true);
+
+            Assert.True(SimpleWebTokenHelper.TryValidateToken(token, new SystemClock()));
+        }
+
+        [Fact]
+        public void Encrypt_And_Decrypt_Context_With_Signature()
+        {
+            var websiteAuthEncryptionKey = TestHelpers.GenerateKeyBytes();
+            var websiteAuthEncryptionStringKey = TestHelpers.GenerateKeyHexString(websiteAuthEncryptionKey);
+            var hostContext = GetHostAssignmentContext();
+            var hostContextJson = JsonConvert.SerializeObject(hostContext);
+
+            Environment.SetEnvironmentVariable(EnvironmentSettingNames.ContainerEncryptionKey, string.Empty);
+            Environment.SetEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, websiteAuthEncryptionStringKey);
+
+            var encryptedHostContextWithSignature = SimpleWebTokenHelper.Encrypt(hostContextJson, websiteAuthEncryptionKey, includesSignature: true);
+
+            var decryptedHostContextJson = SimpleWebTokenHelper.Decrypt(websiteAuthEncryptionKey, encryptedHostContextWithSignature);
+
+            Assert.Equal(hostContextJson, decryptedHostContextJson);
+        }
+
         public void Dispose()
         {
             // Clean up
             Environment.SetEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, string.Empty);
             Environment.SetEnvironmentVariable(EnvironmentSettingNames.ContainerEncryptionKey, string.Empty);
         }
+
+        private static HostAssignmentContext GetHostAssignmentContext()
+        {
+            var hostAssignmentContext = new HostAssignmentContext();
+            hostAssignmentContext.SiteId = 1;
+            hostAssignmentContext.SiteName = "sitename";
+            hostAssignmentContext.LastModifiedTime = DateTime.UtcNow.Add(TimeSpan.FromMinutes(new Random().Next()));
+            hostAssignmentContext.Environment = new Dictionary<string, string>();
+            hostAssignmentContext.MSIContext = new MSIContext();
+            hostAssignmentContext.EncryptedTokenServiceSpecializationPayload = "payload";
+            hostAssignmentContext.TokenServiceApiEndpoint = "endpoints";
+            hostAssignmentContext.CorsSettings = new CorsSettings();
+            hostAssignmentContext.EasyAuthSettings = new EasyAuthSettings();
+            hostAssignmentContext.Secrets = new FunctionAppSecrets();
+            hostAssignmentContext.IsWarmupRequest = false;
+
+            return hostAssignmentContext;
+        }
     }
 }