Configuration based whitelisting of /admin API internal auth (#10487)

Author: mathewc

src/WebJobs.Script.WebHost/Security/Authorization/Policies/AuthorizationOptionsExtensions.cs

@@ -8,6 +8,7 @@
 using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Azure.WebJobs.Script.Extensions;
 using Microsoft.Azure.WebJobs.Script.WebHost.Authentication;
+using Microsoft.Azure.WebJobs.Script.WebHost.Extensions;
 using Microsoft.Extensions.DependencyInjection;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Security.Authorization.Policies
@@ -52,7 +53,8 @@ public static void AddScriptPolicies(this AuthorizationOptions options)
                             return false;
                         }
 
-                        if (filterContext.HttpContext.Request.IsAppServiceInternalRequest())
+                        if (filterContext.HttpContext.Request.IsAppServiceInternalRequest() &&
+                            filterContext.HttpContext.Request.IsInternalAuthAllowed())
                         {
                             return true;
                         }
@@ -74,7 +76,8 @@ public static void AddScriptPolicies(this AuthorizationOptions options)
                 {
                     if (c.Resource is AuthorizationFilterContext filterContext)
                     {
-                        if (filterContext.HttpContext.Request.IsAppServiceInternalRequest())
+                        if (filterContext.HttpContext.Request.IsAppServiceInternalRequest() &&
+                            filterContext.HttpContext.Request.IsInternalAuthAllowed())
                         {
                             return true;
                         }

src/WebJobs.Script/Config/FunctionsHostingConfigOptions.cs

@@ -3,13 +3,16 @@
 
 using System;
 using System.Collections.Generic;
+using System.Linq;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Azure.WebJobs.Script.Workers.Rpc;
 
 namespace Microsoft.Azure.WebJobs.Script.Config
 {
     public class FunctionsHostingConfigOptions
     {
         private readonly Dictionary<string, string> _features;
+        private PathString[] _allowedInternalAuthApis;
 
         public FunctionsHostingConfigOptions()
         {
@@ -91,6 +94,24 @@ internal bool SwtIssuerEnabled
             }
         }
 
+        /// <summary>
+        /// Gets or sets a string delimited by '|' that contains a list of admin APIs that are allowed to
+        /// be invoked internally by platform components.
+        /// </summary>
+        internal string InternalAuthApisAllowList
+        {
+            get
+            {
+                return GetFeature(ScriptConstants.HostingConfigInternalAuthApisAllowList);
+            }
+
+            set
+            {
+                _allowedInternalAuthApis = null;
+                _features[ScriptConstants.HostingConfigInternalAuthApisAllowList] = value;
+            }
+        }
+
         /// <summary>
         /// Gets a string delimited by '|' that contains the name of the apps with worker indexing disabled.
         /// </summary>
@@ -242,8 +263,34 @@ internal bool GetFeatureAsBooleanOrDefault(string name, bool defaultValue)
             {
                 return parsedInt != 0;
             }
-
             return defaultValue;
         }
+
+        internal bool CheckInternalAuthAllowList(HttpRequest httpRequest)
+        {
+            if (InternalAuthApisAllowList != null && _allowedInternalAuthApis == null)
+            {
+                // initialize our cached allow list on demand
+                _allowedInternalAuthApis = InternalAuthApisAllowList.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries).Select(p => new PathString(p)).ToArray();
+            }
+
+            if (_allowedInternalAuthApis != null)
+            {
+                // An allow list is configured, so we ensure that the current request
+                // matches any of the allowed APIs.
+                foreach (PathString ps in _allowedInternalAuthApis)
+                {
+                    if (httpRequest.Path.StartsWithSegments(ps, StringComparison.OrdinalIgnoreCase))
+                    {
+                        return true;
+                    }
+                }
+
+                return false;
+            }
+
+            // no allow list configured
+            return true;
+        }
     }
 }

src/WebJobs.Script/Extensions/HttpRequestExtensions.cs

@@ -13,7 +13,9 @@
 using Microsoft.AspNetCore.Http.Extensions;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
@@ -102,6 +104,13 @@ public static bool IsPlatformInternalRequest(this HttpRequest request, IEnvironm
             return string.Compare(value, "true", StringComparison.OrdinalIgnoreCase) == 0;
         }
 
+        public static bool IsInternalAuthAllowed(this HttpRequest httpRequest)
+        {
+            // Check to see if the specific API is allowed based on any configured allow list
+            var options = httpRequest.HttpContext.RequestServices.GetService<IOptions<FunctionsHostingConfigOptions>>().Value;
+            return options.CheckInternalAuthAllowList(httpRequest);
+        }
+
         private static IEnvironment GetEnvironment(HttpRequest request, IEnvironment environment = null)
         {
             return environment ?? request.HttpContext.RequestServices?.GetService<IEnvironment>() ?? SystemEnvironment.Instance;

src/WebJobs.Script/ScriptConstants.cs

@@ -143,6 +143,7 @@ public static class ScriptConstants
         public const string FeatureFlagEnableLegacyDurableVersionCheck = "EnableLegacyDurableVersionCheck";
         public const string HostingConfigSwtAuthenticationEnabled = "SwtAuthenticationEnabled";
         public const string HostingConfigSwtIssuerEnabled = "SwtIssuerEnabled";
+        public const string HostingConfigInternalAuthApisAllowList = "InternalAuthApisAllowList";
 
         public const string SiteAzureFunctionsUriFormat = "https://{0}.azurewebsites.net/azurefunctions";
         public const string ScmSiteUriFormat = "https://{0}.scm.azurewebsites.net";

test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/SamplesEndToEndTests_CSharp.cs

@@ -522,6 +522,33 @@ public async Task SyncTriggers_InternalAuth_Succeeds()
             }
         }
 
+        [Theory]
+        [InlineData("", HttpStatusCode.Unauthorized)]
+        [InlineData("|", HttpStatusCode.Unauthorized)]
+        [InlineData("/admin/host/foo|/admin/host/bar", HttpStatusCode.Unauthorized)]
+        [InlineData("/admin/host/status|/admin/host/synctriggers", HttpStatusCode.OK)]
+        public async Task SyncTriggers_InternalAuth_AllowListSpecified_ReturnsExpectedResult(string allowList, HttpStatusCode expected)
+        {
+            var options = _fixture.Host.WebHostServices.GetService<IOptions<FunctionsHostingConfigOptions>>().Value;
+
+            try
+            {
+                options.InternalAuthApisAllowList = allowList;
+
+                using (var httpClient = _fixture.Host.CreateHttpClient())
+                {
+                    string uri = "admin/host/synctriggers";
+                    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, uri);
+                    HttpResponseMessage response = await httpClient.SendAsync(request);
+                    Assert.Equal(expected, response.StatusCode);
+                }
+            }
+            finally
+            {
+                options.InternalAuthApisAllowList = null;
+            }
+        }
+
         [Fact]
         public async Task SyncTriggers_ExternalUnauthorized_ReturnsUnauthorized()
         {

test/WebJobs.Script.Tests/Configuration/FunctionsHostingConfigOptionsTest.cs

@@ -139,7 +139,10 @@ public void Property_Validation()
                 (nameof(FunctionsHostingConfigOptions.ThrowOnMissingFunctionsWorkerRuntime), "THROW_ON_MISSING_FUNCTIONS_WORKER_RUNTIME=1", true),
                 (nameof(FunctionsHostingConfigOptions.WorkerIndexingDisabledApps), "WORKER_INDEXING_DISABLED_APPS=teststring", "teststring"),
                 (nameof(FunctionsHostingConfigOptions.WorkerIndexingEnabled), "WORKER_INDEXING_ENABLED=1", true),
-                (nameof(FunctionsHostingConfigOptions.WorkerRuntimeStrictValidationEnabled), "WORKER_RUNTIME_STRICT_VALIDATION_ENABLED=1", true)
+                (nameof(FunctionsHostingConfigOptions.WorkerRuntimeStrictValidationEnabled), "WORKER_RUNTIME_STRICT_VALIDATION_ENABLED=1", true),
+
+                (nameof(FunctionsHostingConfigOptions.InternalAuthApisAllowList), "InternalAuthApisAllowList=|", "|"),
+                (nameof(FunctionsHostingConfigOptions.InternalAuthApisAllowList), "InternalAuthApisAllowList=/admin/host/foo|/admin/host/bar", "/admin/host/foo|/admin/host/bar")
             };
 
             // use reflection to ensure that we have a test that uses every value exposed on FunctionsHostingConfigOptions
@@ -281,6 +284,20 @@ public void SwtIssuerEnabled_ReturnsExpectedValue()
             Assert.False(options.SwtIssuerEnabled);
         }
 
+        [Fact]
+        public void InternalAuthApisAllowList_ReturnsExpectedValue()
+        {
+            FunctionsHostingConfigOptions options = new FunctionsHostingConfigOptions();
+
+            Assert.Null(options.InternalAuthApisAllowList);
+
+            options.InternalAuthApisAllowList = string.Empty;
+            Assert.Equal(string.Empty, options.InternalAuthApisAllowList);
+
+            options.InternalAuthApisAllowList = "/admin/host/synctriggers|/admin/host/status";
+            Assert.Equal("/admin/host/synctriggers|/admin/host/status", options.InternalAuthApisAllowList);
+        }
+
         internal static IHostBuilder GetScriptHostBuilder(string fileName, string fileContent)
         {
             if (!string.IsNullOrEmpty(fileContent))

test/WebJobs.Script.Tests/Extensions/HttpRequestExtensionsTest.cs

@@ -10,8 +10,10 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.WebUtilities;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.Extensions;
 using Microsoft.Azure.WebJobs.Script.Tests.HttpWorker;
+using Microsoft.Extensions.Options;
 using Microsoft.WebJobs.Script.Tests;
 using Moq;
 using Xunit;
@@ -68,6 +70,36 @@ public void IsPlatformInternalRequest_ReturnsExpectedResult()
             }
         }
 
+        [Theory]
+        [InlineData("/admin/host/drain", null, true)] // no allow list
+        [InlineData("/admin/host/drain", "", false)] // empty allow list
+        [InlineData("/admin/host/drain", "|", false)] // empty allow list
+        [InlineData("/admin/host/drain", "/admin/host/foo|/admin/host/bar", false)] // target not in allow list
+        [InlineData("/admin/host/synctriggers", "/admin/host/status|/admin/host/synctriggers", true)] // target in allow list
+        [InlineData("/runtime/webhooks/foo/", "/admin/host/status|/admin/host/synctriggers|/runtime/webhooks", true)] // target in allow list
+        [InlineData("/runtime/webhooks/foo/bar?foo=1&bar=2", "/admin/host/status|/admin/host/synctriggers|/runtime/webhooks", true)] // target in allow list
+        [InlineData("/runtime/webhooks/foo/bar/", "/admin/host/status|/admin/host/synctriggers|/runtime/webhooks", true)] // target in allow list
+        [InlineData("/runtime/webhooks/foo/bar/", "/admin/host/status|/admin/host/synctriggers", false)] // target not in allow list
+        public void IsInternalAuthAllowed_ReturnsExpectedResult(string targetPath, string allowList, bool expected)
+        {
+            var options = new FunctionsHostingConfigOptions();
+
+            if (allowList != null)
+            {
+                options.InternalAuthApisAllowList = allowList;
+            }
+
+            var request = HttpTestHelpers.CreateHttpRequest("GET", $"http://host{targetPath}");
+
+            var environment = SystemEnvironment.Instance;
+            var servicesMock = new Mock<IServiceProvider>();
+            servicesMock.Setup(s => s.GetService(typeof(IEnvironment))).Returns(environment);
+            servicesMock.Setup(s => s.GetService(typeof(IOptions<FunctionsHostingConfigOptions>))).Returns(new OptionsWrapper<FunctionsHostingConfigOptions>(options));
+            request.HttpContext.RequestServices = servicesMock.Object;
+
+            Assert.Equal(expected, request.IsInternalAuthAllowed());
+        }
+
         [Fact]
         public void IsAppServiceInternalRequest_ReturnsExpectedResult()
         {