Fixing cache issue (#6561)

mathewc · ankitkumarr · commit 4451672463e8 · 2020-08-27T15:34:39.000-07:00
diff --git a/src/WebJobs.Script.WebHost/Security/KeyManagement/SecretManager.cs b/src/WebJobs.Script.WebHost/Security/KeyManagement/SecretManager.cs
@@ -385,7 +385,8 @@ private async Task<ScriptSecrets> LoadSecretsAsync(ScriptSecretsType type, strin
         {
             if (keyValue != null)
             {
-                if (_authorizationCache.TryGetValue(keyValue, out (string, AuthorizationLevel) value))
+                string cacheKey = $"{keyValue}{functionName}";
+                if (_authorizationCache.TryGetValue(cacheKey, out (string, AuthorizationLevel) value))
                 {
                     // we've already authorized this key value so return the cached result
                     return value;
@@ -399,7 +400,7 @@ private async Task<ScriptSecrets> LoadSecretsAsync(ScriptSecretsType type, strin
                 if (result.Item2 != AuthorizationLevel.Anonymous)
                 {
                     // key match
-                    _authorizationCache[keyValue] = result;
+                    _authorizationCache[cacheKey] = result;
                     return result;
                 }
                 else
diff --git a/test/WebJobs.Script.Tests/Security/SecretManagerTests.cs b/test/WebJobs.Script.Tests/Security/SecretManagerTests.cs
@@ -7,6 +7,7 @@
 using System.Linq;
 using System.Security.Cryptography;
 using System.Threading.Tasks;
+using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Azure.WebJobs.Logging;
 using Microsoft.Azure.WebJobs.Script.Diagnostics;
 using Microsoft.Azure.WebJobs.Script.WebHost;
@@ -63,8 +64,8 @@ public async Task CachedSecrets_UsedWhenPresent()
                     var functionSecrets = await secretManager.GetFunctionSecretsAsync("function1", true);
 
                     Assert.Equal(4, functionSecrets.Count);
-                    Assert.Equal("function1value", functionSecrets["test-function-1"]);
-                    Assert.Equal("function2value", functionSecrets["test-function-2"]);
+                    Assert.Equal("function1value1", functionSecrets["test-function1-1"]);
+                    Assert.Equal("function1value2", functionSecrets["test-function1-2"]);
                     Assert.Equal("hostfunction1value", functionSecrets["test-host-function-1"]);
                     Assert.Equal("hostfunction2value", functionSecrets["test-host-function-2"]);
 
@@ -87,6 +88,46 @@ public async Task CachedSecrets_UsedWhenPresent()
             }
         }
 
+        [Theory]
+        [InlineData("function1value1", "test-function1-1", "function1", AuthorizationLevel.Function)]
+        [InlineData("function1value2", "test-function1-2", "function1", AuthorizationLevel.Function)]
+        [InlineData("function2value1", "test-function2-1", "function2", AuthorizationLevel.Function)]
+        [InlineData("function2value2", "test-function2-2", "function2", AuthorizationLevel.Function)]
+        [InlineData("function2value1", null, "function1", AuthorizationLevel.Anonymous)]
+        [InlineData("function1value1", null, "function2", AuthorizationLevel.Anonymous)]
+        [InlineData("invalid", null, "function1", AuthorizationLevel.Anonymous)]
+        [InlineData("invalid", null, "function2", AuthorizationLevel.Anonymous)]
+        [InlineData("hostfunction1value", "test-host-function-1", "function1", AuthorizationLevel.Function)]
+        [InlineData("hostfunction2value", "test-host-function-2", "function1", AuthorizationLevel.Function)]
+        [InlineData("hostfunction1value", "test-host-function-1", "function2", AuthorizationLevel.Function)]
+        [InlineData("hostfunction2value", "test-host-function-2", "function2", AuthorizationLevel.Function)]
+        [InlineData("test-master-key", "master", "function1", AuthorizationLevel.Admin)]
+        [InlineData("test-master-key", "master", "function2", AuthorizationLevel.Admin)]
+        [InlineData("test-master-key", "master", null, AuthorizationLevel.Admin)]
+        [InlineData("system1value", "test-system-1", null, AuthorizationLevel.System)]
+        [InlineData("system2value", "test-system-2", null, AuthorizationLevel.System)]
+        public async Task GetAuthorizationLevelOrNullAsync_ReturnsExpectedResult(string keyValue, string expectedKeyName, string functionName, AuthorizationLevel expectedLevel)
+        {
+            using (var directory = new TempDirectory())
+            {
+                string startupContextPath = Path.Combine(directory.Path, Guid.NewGuid().ToString());
+                _testEnvironment.SetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteStartupContextCache, startupContextPath);
+                _testEnvironment.SetEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, TestEncryptionKey);
+
+                WriteStartContextCache(startupContextPath);
+
+                using (var secretManager = CreateSecretManager(directory.Path))
+                {
+                    for (int i = 0; i < 3; i++)
+                    {
+                        (string, AuthorizationLevel) result = await secretManager.GetAuthorizationLevelOrNullAsync(keyValue, functionName);
+                        Assert.Equal(result.Item2, expectedLevel);
+                        Assert.Equal(result.Item1, expectedKeyName);
+                    }
+                }
+            }
+        }
+
         private FunctionAppSecrets WriteStartContextCache(string path)
         {
             var secrets = new FunctionAppSecrets();
@@ -111,17 +152,17 @@ private FunctionAppSecrets WriteStartContextCache(string path)
                     Name = "function1",
                     Secrets = new Dictionary<string, string>
                     {
-                        { "test-function-1", "function1value" },
-                        { "test-function-2", "function2value" }
+                        { "test-function1-1", "function1value1" },
+                        { "test-function1-2", "function1value2" }
                     }
                 },
                 new FunctionAppSecrets.FunctionSecrets
                 {
                     Name = "function2",
                     Secrets = new Dictionary<string, string>
                     {
-                        { "test-function-1", "function1value" },
-                        { "test-function-2", "function2value" }
+                        { "test-function2-1", "function2value1" },
+                        { "test-function2-2", "function2value2" }
                     }
                 }
             };

Original file line number	Diff line number	Diff line change
`@@ -385,7 +385,8 @@ private async Task<ScriptSecrets> LoadSecretsAsync(ScriptSecretsType type, strin`
`385`	`385`	`{`
`386`	`386`	`if (keyValue != null)`
`387`	`387`	`{`
`388`		`- if (_authorizationCache.TryGetValue(keyValue, out (string, AuthorizationLevel) value))`
	`388`	`+ string cacheKey = $"{keyValue}{functionName}";`
	`389`	`+ if (_authorizationCache.TryGetValue(cacheKey, out (string, AuthorizationLevel) value))`
`389`	`390`	`{`
`390`	`391`	`// we've already authorized this key value so return the cached result`
`391`	`392`	`return value;`
`@@ -399,7 +400,7 @@ private async Task<ScriptSecrets> LoadSecretsAsync(ScriptSecretsType type, strin`
`399`	`400`	`if (result.Item2 != AuthorizationLevel.Anonymous)`
`400`	`401`	`{`
`401`	`402`	`// key match`
`402`		`- _authorizationCache[keyValue] = result;`
	`403`	`+ _authorizationCache[cacheKey] = result;`
`403`	`404`	`return result;`
`404`	`405`	`}`
`405`	`406`	`else`