4.28.1 hotfix (#9703)

* Adjusting token auth failure logging (#9701)

* 4.28.1 - increase patch version

---------

Co-authored-by: Mathew Charles <[email protected]>
Co-authored-by: azfuncgh <[email protected]>

Author: 3 people

build/common.props

@@ -5,7 +5,7 @@
     <LangVersion>latest</LangVersion>
     <MajorVersion>4</MajorVersion>
     <MinorVersion>28</MinorVersion>
-    <PatchVersion>0</PatchVersion>
+    <PatchVersion>1</PatchVersion>
     <BuildNumber Condition="'$(BuildNumber)' == '' ">0</BuildNumber>
     <PreviewVersion></PreviewVersion>
 

src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs

@@ -12,6 +12,7 @@
 using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Azure.WebJobs.Script;
 using Microsoft.Azure.WebJobs.Script.Config;
+using Microsoft.Azure.WebJobs.Script.Extensions;
 using Microsoft.Azure.WebJobs.Script.WebHost;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security.Authentication;
 using Microsoft.Extensions.Logging;
@@ -155,6 +156,11 @@ private static bool AudienceValidator(IEnumerable<string> audiences, SecurityTok
 
         private static void LogAuthenticationFailure(AuthenticationFailedContext context)
         {
+            if (!context.Request.IsAdminRequest())
+            {
+                return;
+            }
+
             var loggerFactory = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>();
             var logger = loggerFactory.CreateLogger(ScriptConstants.LogCategoryHostAuthentication);
 
@@ -172,7 +178,7 @@ private static void LogAuthenticationFailure(AuthenticationFailedContext context
                     break;
             }
 
-            logger.LogError(context.Exception, message);
+            logger.LogDebug(context.Exception, message);
         }
     }
 }

test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/JwtTokenAuthTests.cs

@@ -14,6 +14,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
+using Newtonsoft.Json;
 using Xunit;
 
 namespace Microsoft.Azure.WebJobs.Script.Tests.Integration.WebHostEndToEnd
@@ -84,7 +85,7 @@ public async Task InvokeAdminApi_InvalidAudience_Fails(string headerName)
             var response = await _fixture.Host.HttpClient.SendAsync(request);
             Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
 
-            var validationError = _fixture.Host.GetScriptHostLogMessages().Single(p => p.Level == LogLevel.Error);
+            var validationError = _fixture.Host.GetScriptHostLogMessages().Single(p => p.Level == LogLevel.Debug);
             Assert.Equal(ScriptConstants.LogCategoryHostAuthentication, validationError.Category);
             Assert.Equal("Token audience validation failed for audience 'invalid'.", validationError.FormattedMessage);
             Assert.True(validationError.Exception.Message.StartsWith("IDX10231: Audience validation failed."));
@@ -112,7 +113,7 @@ public async Task InvokeAdminApi_InvalidIssuer_Fails(string headerName)
             var response = await _fixture.Host.HttpClient.SendAsync(request);
             Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
 
-            var validationError = _fixture.Host.GetScriptHostLogMessages().Single(p => p.Level == LogLevel.Error);
+            var validationError = _fixture.Host.GetScriptHostLogMessages().Single(p => p.Level == LogLevel.Debug);
             Assert.Equal(ScriptConstants.LogCategoryHostAuthentication, validationError.Category);
             Assert.Equal("Token issuer validation failed for issuer 'invalid'.", validationError.FormattedMessage);
             Assert.Equal("IDX10205: Issuer validation failed.", validationError.Exception.Message);
@@ -142,7 +143,7 @@ public async Task InvokeAdminApi_InvalidSignature_Fails(string headerName)
             var response = await _fixture.Host.HttpClient.SendAsync(request);
             Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
 
-            var validationError = _fixture.Host.GetScriptHostLogMessages().Single(p => p.Level == LogLevel.Error);
+            var validationError = _fixture.Host.GetScriptHostLogMessages().Single(p => p.Level == LogLevel.Debug);
             Assert.Equal(ScriptConstants.LogCategoryHostAuthentication, validationError.Category);
             Assert.Equal("Token validation failed.", validationError.FormattedMessage);
             Assert.True(validationError.Exception.Message.StartsWith("IDX10503: Signature validation failed."));
@@ -160,6 +161,22 @@ public async Task InvokeAdminApi_ValidToken_UTF8Encoding_Succeeds()
             response.EnsureSuccessStatusCode();
         }
 
+        [Fact]
+        public async Task InvokeNonAdminApi_InvalidToken_DoesNotLogTokenAuthFailure()
+        {
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, $"api/HttpTrigger-Scenarios?code=test");
+            request.Content = new StringContent(JsonConvert.SerializeObject(new { scenario = "staticWebApp" }));
+            string key = SecretsUtility.GetEncryptionKeyValue();
+            string token = _fixture.Host.GenerateAdminJwtToken(issuer: "invalid");
+            request.Headers.Add(ScriptConstants.SiteTokenHeaderName, token);
+
+            var response = await _fixture.Host.HttpClient.SendAsync(request);
+            response.EnsureSuccessStatusCode();
+
+            var validationErrors = _fixture.Host.GetScriptHostLogMessages().Where(p => p.Category == ScriptConstants.LogCategoryHostAuthentication).ToArray();
+            Assert.Empty(validationErrors);
+        }
+
         public class TestFixture : EndToEndTestFixture
         {
             private TestScopedEnvironmentVariable _scopedEnvironment;