Adding HostingConfig for SWT token handling (#9704)

Author: mathewc

src/WebJobs.Script.WebHost/Management/FunctionsSyncManager.cs

@@ -13,12 +13,12 @@
 using System.Threading.Tasks;
 using Azure.Storage.Blobs;
 using Microsoft.Azure.WebJobs.Host.Executors;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.Description;
 using Microsoft.Azure.WebJobs.Script.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost.Extensions;
 using Microsoft.Azure.WebJobs.Script.WebHost.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
-using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Newtonsoft.Json;
@@ -54,30 +54,30 @@ public class FunctionsSyncManager : IFunctionsSyncManager, IDisposable
         private readonly ILogger _logger;
         private readonly HttpClient _httpClient;
         private readonly ISecretManagerProvider _secretManagerProvider;
-        private readonly IConfiguration _configuration;
         private readonly IHostIdProvider _hostIdProvider;
         private readonly IScriptWebHostEnvironment _webHostEnvironment;
         private readonly IEnvironment _environment;
         private readonly HostNameProvider _hostNameProvider;
         private readonly IFunctionMetadataManager _functionMetadataManager;
         private readonly SemaphoreSlim _syncSemaphore = new SemaphoreSlim(1, 1);
         private readonly IAzureStorageProvider _azureStorageProvider;
+        private readonly IOptions<FunctionsHostingConfigOptions> _hostingConfigOptions;
 
         private BlobClient _hashBlobClient;
 
-        public FunctionsSyncManager(IConfiguration configuration, IHostIdProvider hostIdProvider, IOptionsMonitor<ScriptApplicationHostOptions> applicationHostOptions, ILogger<FunctionsSyncManager> logger, HttpClient httpClient, ISecretManagerProvider secretManagerProvider, IScriptWebHostEnvironment webHostEnvironment, IEnvironment environment, HostNameProvider hostNameProvider, IFunctionMetadataManager functionMetadataManager, IAzureStorageProvider azureStorageProvider)
+        public FunctionsSyncManager(IHostIdProvider hostIdProvider, IOptionsMonitor<ScriptApplicationHostOptions> applicationHostOptions, ILogger<FunctionsSyncManager> logger, HttpClient httpClient, ISecretManagerProvider secretManagerProvider, IScriptWebHostEnvironment webHostEnvironment, IEnvironment environment, HostNameProvider hostNameProvider, IFunctionMetadataManager functionMetadataManager, IAzureStorageProvider azureStorageProvider, IOptions<FunctionsHostingConfigOptions> functionsHostingConfigOptions)
         {
             _applicationHostOptions = applicationHostOptions;
             _logger = logger;
             _httpClient = httpClient;
             _secretManagerProvider = secretManagerProvider;
-            _configuration = configuration;
             _hostIdProvider = hostIdProvider;
             _webHostEnvironment = webHostEnvironment;
             _environment = environment;
             _hostNameProvider = hostNameProvider;
             _functionMetadataManager = functionMetadataManager;
             _azureStorageProvider = azureStorageProvider;
+            _hostingConfigOptions = functionsHostingConfigOptions;
         }
 
         internal bool ArmCacheEnabled
@@ -688,9 +688,6 @@ internal HttpRequestMessage BuildSetTriggersRequest()
         // of triggers. It'll verify app ownership using a SWT token valid for 5 minutes. It should be plenty.
         private async Task<(bool, string)> SetTriggersAsync(string content)
         {
-            string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
-            string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
-
             string sanitizedContentString = content;
             if (ArmCacheEnabled)
             {
@@ -708,10 +705,17 @@ internal HttpRequestMessage BuildSetTriggersRequest()
                 var requestId = Guid.NewGuid().ToString();
                 request.Headers.Add(ScriptConstants.AntaresLogIdHeaderName, requestId);
                 request.Headers.Add("User-Agent", ScriptConstants.FunctionsUserAgent);
-                request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
-                request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
                 request.Content = new StringContent(content, Encoding.UTF8, "application/json");
 
+                if (_hostingConfigOptions.Value.SwtIssuerEnabled)
+                {
+                    string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+                    request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
+                }
+
+                string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+                request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
+
                 if (_environment.IsKubernetesManagedHosting())
                 {
                     request.Headers.Add(ScriptConstants.KubernetesManagedAppName, _environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName));

src/WebJobs.Script.WebHost/Metrics/LinuxContainerMetricsPublisher.cs

@@ -11,6 +11,7 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.WebHost.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 using Microsoft.Extensions.Logging;
@@ -38,6 +39,7 @@ public class LinuxContainerMetricsPublisher : IMetricsPublisher
         private readonly IDisposable _standbyOptionsOnChangeSubscription;
         private readonly string _requestUri;
         private readonly IEnvironment _environment;
+        private readonly IOptions<FunctionsHostingConfigOptions> _hostingConfigOptions;
 
         // Buffer for all memory activities for this container.
         private BlockingCollection<MemoryActivity> _memoryActivities;
@@ -63,14 +65,15 @@ public class LinuxContainerMetricsPublisher : IMetricsPublisher
         private string _stampName;
         private bool _initialized = false;
 
-        public LinuxContainerMetricsPublisher(IEnvironment environment, IOptionsMonitor<StandbyOptions> standbyOptions, ILogger<LinuxContainerMetricsPublisher> logger, HostNameProvider hostNameProvider, HttpClient httpClient = null)
+        public LinuxContainerMetricsPublisher(IEnvironment environment, IOptionsMonitor<StandbyOptions> standbyOptions, ILogger<LinuxContainerMetricsPublisher> logger, HostNameProvider hostNameProvider, IOptions<FunctionsHostingConfigOptions> functionsHostingConfigOptions, HttpClient httpClient = null)
         {
             _standbyOptions = standbyOptions ?? throw new ArgumentNullException(nameof(standbyOptions));
             _environment = environment ?? throw new ArgumentNullException(nameof(environment));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
             _hostNameProvider = hostNameProvider ?? throw new ArgumentNullException(nameof(hostNameProvider));
             _memoryActivities = new BlockingCollection<MemoryActivity>(new ConcurrentQueue<MemoryActivity>(), boundedCapacity: _maxBufferSize);
             _functionActivities = new BlockingCollection<FunctionActivity>(new ConcurrentQueue<FunctionActivity>(), boundedCapacity: _maxBufferSize);
+            _hostingConfigOptions = functionsHostingConfigOptions;
 
             _currentMemoryActivities = new ConcurrentQueue<MemoryActivity>();
             _currentFunctionActivities = new ConcurrentQueue<FunctionActivity>();
@@ -284,16 +287,20 @@ private HttpRequestMessage BuildRequest<TContent>(HttpMethod method, string path
                 Content = new ObjectContent<TContent>(content, new JsonMediaTypeFormatter())
             };
 
-            string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
-            string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
-
             // add the required authentication headers
             request.Headers.Add(ContainerNameHeader, _containerName);
             request.Headers.Add(HostNameHeader, _hostNameProvider.Value);
-            request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
-            request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
             request.Headers.Add(StampNameHeader, _stampName);
 
+            if (_hostingConfigOptions.Value.SwtIssuerEnabled)
+            {
+                string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+                request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
+            }
+
+            string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+            request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
+
             return request;
         }
     }

src/WebJobs.Script.WebHost/Security/Authentication/Arm/ArmAuthenticationHandler.cs

@@ -9,6 +9,7 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
@@ -18,11 +19,13 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost.Security.Authentication
     public class ArmAuthenticationHandler : AuthenticationHandler<ArmAuthenticationOptions>
     {
         private readonly ILogger _logger;
+        private readonly IOptions<FunctionsHostingConfigOptions> _hostingConfigOptions;
 
-        public ArmAuthenticationHandler(IOptionsMonitor<ArmAuthenticationOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
+        public ArmAuthenticationHandler(IOptionsMonitor<ArmAuthenticationOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IOptions<FunctionsHostingConfigOptions> functionsHostingConfigOptions)
             : base(options, logger, encoder, clock)
         {
             _logger = logger.CreateLogger<ArmAuthenticationHandler>();
+            _hostingConfigOptions = functionsHostingConfigOptions;
         }
 
         protected override Task<AuthenticateResult> HandleAuthenticateAsync()
@@ -35,7 +38,7 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
         private AuthenticateResult HandleAuthenticate()
         {
             string token = null;
-            if (!Context.Request.Headers.TryGetValue(ScriptConstants.SiteRestrictedTokenHeaderName, out StringValues values))
+            if (!_hostingConfigOptions.Value.SwtAuthenticationEnabled || !Context.Request.Headers.TryGetValue(ScriptConstants.SiteRestrictedTokenHeaderName, out StringValues values))
             {
                 return AuthenticateResult.NoResult();
             }

src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs

@@ -12,6 +12,7 @@
 using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Azure.WebJobs.Script;
 using Microsoft.Azure.WebJobs.Script.Config;
+using Microsoft.Azure.WebJobs.Script.Extensions;
 using Microsoft.Azure.WebJobs.Script.WebHost;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security.Authentication;
 using Microsoft.Extensions.Logging;
@@ -132,6 +133,11 @@ private static bool AudienceValidator(IEnumerable<string> audiences, SecurityTok
 
         private static void LogAuthenticationFailure(AuthenticationFailedContext context)
         {
+            if (!context.Request.IsAdminRequest())
+            {
+                return;
+            }
+
             var loggerFactory = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>();
             var logger = loggerFactory.CreateLogger(ScriptConstants.LogCategoryHostAuthentication);
 
@@ -149,7 +155,7 @@ private static void LogAuthenticationFailure(AuthenticationFailedContext context
                     break;
             }
 
-            logger.LogError(context.Exception, message);
+            logger.LogDebug(context.Exception, message);
         }
     }
 }

src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs

@@ -243,7 +243,8 @@ private static void AddLinuxContainerServices(this IServiceCollection services)
                     var logger = s.GetService<ILogger<LinuxContainerMetricsPublisher>>();
                     var standbyOptions = s.GetService<IOptionsMonitor<StandbyOptions>>();
                     var hostNameProvider = s.GetService<HostNameProvider>();
-                    return new LinuxContainerMetricsPublisher(environment, standbyOptions, logger, hostNameProvider);
+                    var hostingConfigOptions = s.GetService<IOptions<FunctionsHostingConfigOptions>>();
+                    return new LinuxContainerMetricsPublisher(environment, standbyOptions, logger, hostNameProvider, hostingConfigOptions);
                 }
 
                 return NullMetricsPublisher.Instance;

src/WebJobs.Script/Config/FunctionsHostingConfigOptions.cs

@@ -53,6 +53,38 @@ public string MaximumSupportedBundleV4Version
             }
         }
 
+        /// <summary>
+        /// Gets or sets a value indicating whether SWT tokens should be accepted.
+        /// </summary>
+        public bool SwtAuthenticationEnabled
+        {
+            get
+            {
+                return GetFeatureOrDefault(ScriptConstants.HostingConfigSwtAuthenticationEnabled, "1") == "1";
+            }
+
+            set
+            {
+                _features[ScriptConstants.HostingConfigSwtAuthenticationEnabled] = value ? "1" : "0";
+            }
+        }
+
+        /// <summary>
+        /// Gets or sets a value indicating whether SWT tokens should be sent on outgoing requests.
+        /// </summary>
+        public bool SwtIssuerEnabled
+        {
+            get
+            {
+                return GetFeatureOrDefault(ScriptConstants.HostingConfigSwtIssuerEnabled, "1") == "1";
+            }
+
+            set
+            {
+                _features[ScriptConstants.HostingConfigSwtIssuerEnabled] = value ? "1" : "0";
+            }
+        }
+
         /// <summary>
         /// Gets feature by name.
         /// </summary>
@@ -66,5 +98,16 @@ public string GetFeature(string name)
             }
             return null;
         }
+
+        /// <summary>
+        /// Gets a feature by name, returning the specified default value if not found.
+        /// </summary>
+        /// <param name="name">Feature name.</param>
+        /// <param name="defaultValue">The default value to use.</param>
+        /// <returns>String value from hostig configuration.</returns>
+        public string GetFeatureOrDefault(string name, string defaultValue)
+        {
+            return GetFeature(name) ?? defaultValue;
+        }
     }
 }

src/WebJobs.Script/ScriptConstants.cs

@@ -124,6 +124,8 @@ public static class ScriptConstants
         public const string FeatureFlagDisableWorkerIndexing = "DisableWorkerIndexing";
         public const string FeatureFlagEnableMultiLanguageWorker = "EnableMultiLanguageWorker";
         public const string FeatureFlagEnableLinuxEPExecutionCount = "EnableLinuxFEC";
+        public const string HostingConfigSwtAuthenticationEnabled = "SwtAuthenticationEnabled";
+        public const string HostingConfigSwtIssuerEnabled = "SwtIssuerEnabled";
 
         public const string SiteAzureFunctionsUriFormat = "https://{0}.azurewebsites.net/azurefunctions";
         public const string ScmSiteUriFormat = "https://{0}.scm.azurewebsites.net";

test/WebJobs.Script.Tests.Integration/Management/FunctionsSyncManagerTests.cs

@@ -47,6 +47,7 @@ public class FunctionsSyncManagerTests : IDisposable
         private readonly HostNameProvider _hostNameProvider;
         private readonly Mock<ISecretManagerProvider> _secretManagerProviderMock;
         private readonly Mock<ISecretManager> _secretManagerMock;
+        private readonly FunctionsHostingConfigOptions _hostingConfigOptions;
         private string _function1;
         private bool _emptyContent;
         private bool _secretsEnabled;
@@ -141,7 +142,10 @@ public FunctionsSyncManagerTests()
             var functionMetadataManager = TestFunctionMetadataManager.GetFunctionMetadataManager(new OptionsWrapper<ScriptJobHostOptions>(jobHostOptions), functionMetadataProvider, null, new OptionsWrapper<HttpWorkerOptions>(new HttpWorkerOptions()), loggerFactory, new OptionsWrapper<LanguageWorkerOptions>(CreateLanguageWorkerConfigSettings()));
             var azureStorageProvider = TestHelpers.GetAzureStorageProvider(configuration);
 
-            _functionsSyncManager = new FunctionsSyncManager(configuration, hostIdProviderMock.Object, optionsMonitor, loggerFactory.CreateLogger<FunctionsSyncManager>(), httpClient, _secretManagerProviderMock.Object, _mockWebHostEnvironment.Object, _mockEnvironment.Object, _hostNameProvider, functionMetadataManager, azureStorageProvider);
+            _hostingConfigOptions = new FunctionsHostingConfigOptions();
+            var hostingConfigOptionsWrapper = new OptionsWrapper<FunctionsHostingConfigOptions>(_hostingConfigOptions);
+
+            _functionsSyncManager = new FunctionsSyncManager(hostIdProviderMock.Object, optionsMonitor, loggerFactory.CreateLogger<FunctionsSyncManager>(), httpClient, _secretManagerProviderMock.Object, _mockWebHostEnvironment.Object, _mockEnvironment.Object, _hostNameProvider, functionMetadataManager, azureStorageProvider, hostingConfigOptionsWrapper);
         }
 
         private string GetExpectedSyncTriggersPayload(string postedConnection = DefaultTestConnection, string postedTaskHub = DefaultTestTaskHub, string durableVersion = "V2")
@@ -214,11 +218,13 @@ public void ArmCacheEnabled_VerifyDefault()
         }
 
         [Theory]
-        [InlineData(true)]
-        [InlineData(false)]
-        public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled)
+        [InlineData(true, true)]
+        [InlineData(false, true)]
+        [InlineData(true, false)]
+        public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled, bool swtIssuerEnabled)
         {
             _mockEnvironment.Setup(p => p.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteArmCacheEnabled)).Returns(cacheEnabled ? "1" : "0");
+            _hostingConfigOptions.SwtIssuerEnabled = swtIssuerEnabled;
 
             using (var env = new TestScopedEnvironmentVariable(_vars))
             {
@@ -234,7 +240,16 @@ public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled)
                 // verify expected headers
                 Assert.Equal(ScriptConstants.FunctionsUserAgent, _mockHttpHandler.LastRequest.Headers.UserAgent.ToString());
                 Assert.True(_mockHttpHandler.LastRequest.Headers.Contains(ScriptConstants.AntaresLogIdHeaderName));
-                Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteRestrictedTokenHeaderName));
+
+                if (swtIssuerEnabled)
+                {
+                    Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteRestrictedTokenHeaderName));
+                }
+                else
+                {
+                    Assert.False(_mockHttpHandler.LastRequest.Headers.Contains(ScriptConstants.SiteRestrictedTokenHeaderName));
+                }
+
                 Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteTokenHeaderName));
 
                 if (cacheEnabled)