KeyVaultSecretsRepository will now page through all secrets in Key Vault.

gzuber · gzuber · commit 497bd1999803 · 2020-09-30T13:05:15.000-07:00
diff --git a/release_notes.md b/release_notes.md
@@ -28,6 +28,7 @@
         - Issue [#6574](https://github.com/Azure/azure-functions-host/issues/6574)
             - Metadata / Input binding data of type DateTime will not be serialzed as string
     If you are using these properties, please ensure your app is able to detect and handle the new schema.
+- Fixes [#6031](https://github.com/Azure/azure-functions-host/issues/6031), an issue where having a large number of secrets in a Key Vault Secrets Repository would cause Function and Host secrets to regenerate constantly. These secrets should no longer regenerate due to this error.
 
 **Release sprint:** Sprint 84
 [ [bugs](https://github.com/Azure/azure-functions-host/issues?q=is%3Aissue+milestone%3A%22Functions+Sprint+84%22+label%3Abug+is%3Aclosed) | [features](https://github.com/Azure/azure-functions-host/issues?q=is%3Aissue+milestone%3A%22Functions+Sprint+84%22+label%3Afeature+is%3Aclosed) ]
diff --git a/src/WebJobs.Script.WebHost/Security/KeyManagement/KeyVaultSecretsRepository.cs b/src/WebJobs.Script.WebHost/Security/KeyManagement/KeyVaultSecretsRepository.cs
@@ -68,17 +68,23 @@ public override async Task WriteAsync(ScriptSecretsType type, string functionNam
             Dictionary<string, string> dictionary = GetDictionaryFromScriptSecrets(secrets, functionName);
 
             // Delete existing keys
-            string prefix = (type == ScriptSecretsType.Host) ? HostPrefix : FunctionPrefix + Normalize(functionName);
+            List<IEnumerable<SecretItem>> secretsPages = await GetKeyVaultSecretsPagesAsync(_keyVaultClient.Value, GetVaultBaseUrl());
             List<Task> deleteTasks = new List<Task>();
-            foreach (SecretItem item in await _keyVaultClient.Value.GetSecretsAsync(GetVaultBaseUrl()))
+            string prefix = (type == ScriptSecretsType.Host) ? HostPrefix : FunctionPrefix + Normalize(functionName);
+
+            foreach (SecretItem item in FindSecrets(secretsPages, x => x.Identifier.Name.StartsWith(prefix)))
             {
-                // Delete only keys which are no longer exist in passed secrets
-                if (item.Identifier.Name.StartsWith(prefix) && !dictionary.Keys.Contains(item.Identifier.Name))
+                // Delete only keys which no longer exist in passed-in secrets
+                if (!dictionary.Keys.Contains(item.Identifier.Name))
                 {
                     deleteTasks.Add(_keyVaultClient.Value.DeleteSecretAsync(GetVaultBaseUrl(), item.Identifier.Name));
                 }
             }
-            await Task.WhenAll(deleteTasks);
+
+            if (deleteTasks.Any())
+            {
+                await Task.WhenAll(deleteTasks);
+            }
 
             // Set new secrets
             List<Task> setTasks = new List<Task>();
@@ -112,28 +118,28 @@ public override Task<string[]> GetSecretSnapshots(ScriptSecretsType type, string
 
         private async Task<ScriptSecrets> ReadHostSecrets()
         {
-            IPage<SecretItem> secretItems = await _keyVaultClient.Value.GetSecretsAsync(GetVaultBaseUrl());
+            List<IEnumerable<SecretItem>> secretsPages = await GetKeyVaultSecretsPagesAsync(_keyVaultClient.Value, GetVaultBaseUrl());
             List<Task<SecretBundle>> tasks = new List<Task<SecretBundle>>();
 
             // Add master key task
-            SecretItem masterItem = secretItems.FirstOrDefault(x => x.Identifier.Name.StartsWith(MasterKey));
-            if (masterItem != null)
+            List<SecretItem> masterItems = FindSecrets(secretsPages, x => x.Identifier.Name.StartsWith(MasterKey));
+            if (masterItems.Count > 0)
             {
-                tasks.Add(_keyVaultClient.Value.GetSecretAsync(GetVaultBaseUrl(), masterItem.Identifier.Name));
+                tasks.Add(_keyVaultClient.Value.GetSecretAsync(GetVaultBaseUrl(), masterItems[0].Identifier.Name));
             }
             else
             {
                 return null;
             }
 
             // Add functionKey tasks
-            foreach (SecretItem item in secretItems.Where(x => x.Identifier.Name.StartsWith(FunctionKeyPrefix)))
+            foreach (SecretItem item in FindSecrets(secretsPages, x => x.Identifier.Name.StartsWith(FunctionKeyPrefix)))
             {
                 tasks.Add(_keyVaultClient.Value.GetSecretAsync(GetVaultBaseUrl(), item.Identifier.Name));
             }
 
             // Add systemKey tasks
-            foreach (SecretItem item in secretItems.Where(x => x.Identifier.Name.StartsWith(SystemKeyPrefix)))
+            foreach (SecretItem item in FindSecrets(secretsPages, x => x.Identifier.Name.StartsWith(SystemKeyPrefix)))
             {
                 tasks.Add(_keyVaultClient.Value.GetSecretAsync(GetVaultBaseUrl(), item.Identifier.Name));
             }
@@ -168,13 +174,15 @@ private async Task<ScriptSecrets> ReadHostSecrets()
 
         private async Task<ScriptSecrets> ReadFunctionSecrets(string functionName)
         {
-            IPage<SecretItem> secretItems = await _keyVaultClient.Value.GetSecretsAsync(GetVaultBaseUrl());
+            List<IEnumerable<SecretItem>> secretsPages = await GetKeyVaultSecretsPagesAsync(_keyVaultClient.Value, GetVaultBaseUrl());
             List<Task<SecretBundle>> tasks = new List<Task<SecretBundle>>();
             string prefix = $"{FunctionPrefix}{Normalize(functionName)}--";
-            foreach (SecretItem item in secretItems.Where(x => x.Identifier.Name.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)))
+
+            foreach (SecretItem item in FindSecrets(secretsPages, x => x.Identifier.Name.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)))
             {
                 tasks.Add(_keyVaultClient.Value.GetSecretAsync(GetVaultBaseUrl(), item.Identifier.Name));
             }
+
             if (!tasks.Any())
             {
                 return null;
@@ -195,6 +203,40 @@ private async Task<ScriptSecrets> ReadFunctionSecrets(string functionName)
             return functionSecrets;
         }
 
+        public static async Task<List<IEnumerable<SecretItem>>> GetKeyVaultSecretsPagesAsync(KeyVaultClient keyVaultClient, string keyVaultBaseUrl)
+        {
+            IPage<SecretItem> secretItems = await keyVaultClient.GetSecretsAsync(keyVaultBaseUrl);
+            List<IEnumerable<SecretItem>> secretsPages = new List<IEnumerable<SecretItem>>() { secretItems };
+
+            while (!string.IsNullOrEmpty(secretItems.NextPageLink))
+            {
+                secretItems = await keyVaultClient.GetSecretsNextAsync(secretItems.NextPageLink);
+                secretsPages.Add(secretItems);
+            }
+
+            return secretsPages;
+        }
+
+        public static List<SecretItem> FindSecrets(List<IEnumerable<SecretItem>> secretsPages, Func<SecretItem, bool> comparison = null)
+        {
+            // if no comparison is provided, every item is a match
+            if (comparison == null)
+            {
+                comparison = x => true;
+            }
+
+            var secretItems = new List<SecretItem>();
+            foreach (IEnumerable<SecretItem> secretsPage in secretsPages)
+            {
+                foreach (SecretItem secretItem in secretsPage.Where(x => comparison(x)))
+                {
+                    secretItems.Add(secretItem);
+                }
+            }
+
+            return secretItems;
+        }
+
         private string GetVaultBaseUrl()
         {
             return $"https://{_vaultName}.vault.azure.net";
diff --git a/test/WebJobs.Script.Tests.Integration/Host/SecretsRepositoryTests.cs b/test/WebJobs.Script.Tests.Integration/Host/SecretsRepositoryTests.cs
@@ -16,6 +16,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Rest.Azure;
 using Microsoft.WebJobs.Script.Tests;
 using WebJobs.Script.Tests;
 using Xunit;
@@ -134,6 +135,78 @@ public async Task ReadAsync_ReadsExpectedFile(SecretsRepositoryType repositoryTy
             }
         }
 
+        [Theory] // Only for Key Vault to test paging over large number of secrets
+        [InlineData(SecretsRepositoryType.KeyVault, ScriptSecretsType.Host)]
+        [InlineData(SecretsRepositoryType.KeyVault, ScriptSecretsType.Function)]
+        public async Task ReadAsync_ReadsExpectedKeyVaultPages(SecretsRepositoryType repositoryType, ScriptSecretsType secretsType)
+        {
+            using (var directory = new TempDirectory())
+            {
+                await _fixture.TestInitialize(repositoryType, directory.Path);
+                ScriptSecrets testSecrets = null;
+                int keyCount = 35;
+
+                List<Key> functionKeys = new List<Key>();
+                for (int i = 0; i < keyCount; ++i)
+                {
+                    functionKeys.Add(new Key(KeyName + Guid.NewGuid().ToString(), "test" + i.ToString()));
+                }
+
+                if (secretsType == ScriptSecretsType.Host)
+                {
+                    testSecrets = new HostSecrets()
+                    {
+                        MasterKey = new Key("master", "test"),
+                        FunctionKeys = functionKeys,
+                        SystemKeys = new List<Key>() { new Key(KeyName, "test") }
+                    };
+                }
+                else
+                {
+                    testSecrets = new FunctionSecrets()
+                    {
+                        Keys = functionKeys
+                    };
+                }
+                string testFunctionName = secretsType == ScriptSecretsType.Host ? "host" : functionName;
+
+                await _fixture.WriteSecret(testFunctionName, testSecrets);
+
+                var target = _fixture.GetNewSecretRepository();
+
+                ScriptSecrets secretsContent = await target.ReadAsync(secretsType, testFunctionName);
+
+                if (secretsType == ScriptSecretsType.Host)
+                {
+                    Assert.Equal((secretsContent as HostSecrets).MasterKey.Name, "master");
+                    Assert.Equal((secretsContent as HostSecrets).MasterKey.Value, "test");
+
+                    Assert.Equal((secretsContent as HostSecrets).FunctionKeys.Count, functionKeys.Count);
+                    foreach (Key originalKey in functionKeys)
+                    {
+                        var matchingKeys = (secretsContent as HostSecrets).FunctionKeys.Where(x => string.Equals(x.Name, originalKey.Name));
+                        Assert.Equal(matchingKeys.Count(), 1);
+                        Assert.Equal(matchingKeys.First().Value, originalKey.Value);
+                    }
+
+                    Assert.Equal((secretsContent as HostSecrets).SystemKeys[0].Name, KeyName);
+                    Assert.Equal((secretsContent as HostSecrets).SystemKeys[0].Value, "test");
+                }
+                else
+                {
+                    Assert.Equal((secretsContent as FunctionSecrets).Keys.Count, functionKeys.Count);
+                    foreach (Key originalKey in functionKeys)
+                    {
+                        var matchingKeys = (secretsContent as FunctionSecrets).Keys.Where(x => string.Equals(x.Name, originalKey.Name));
+                        Assert.Equal(matchingKeys.Count(), 1);
+                        Assert.Equal(matchingKeys.First().Value, originalKey.Value);
+                    }
+                }
+
+            }
+        }
+
+
         [Theory]
         [InlineData(SecretsRepositoryType.BlobStorage, ScriptSecretsType.Host)]
         [InlineData(SecretsRepositoryType.BlobStorage, ScriptSecretsType.Function)]
@@ -565,9 +638,13 @@ private async Task ClearAllBlobSecrets()
 
             private async Task ClearAllKeyVaultSecrets()
             {
-                foreach (SecretItem item in await KeyVaultClient.GetSecretsAsync(GetKeyVaultBaseUrl()))
+                var secretsPages = await KeyVaultSecretsRepository.GetKeyVaultSecretsPagesAsync(KeyVaultClient, GetKeyVaultBaseUrl());
+                foreach (IPage<SecretItem> secretsPage in secretsPages)
                 {
-                    await KeyVaultClient.DeleteSecretAsync(GetKeyVaultBaseUrl(), item.Identifier.Name);
+                    foreach (SecretItem item in secretsPage)
+                    {
+                        await KeyVaultClient.DeleteSecretAsync(GetKeyVaultBaseUrl(), item.Identifier.Name);
+                    }
                 }
             }
         }
diff --git a/test/WebJobs.Script.Tests/Security/KeyVaultSecretsRepositoryTests.cs b/test/WebJobs.Script.Tests/Security/KeyVaultSecretsRepositoryTests.cs
@@ -1,8 +1,13 @@
 ﻿// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
+using System;
 using System.Collections.Generic;
+using System.Linq;
+using Autofac.Core.Lifetime;
+using Microsoft.Azure.KeyVault.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost;
+using Microsoft.Rest.Azure;
 using Xunit;
 
 namespace Microsoft.Azure.WebJobs.Script.Tests
@@ -53,5 +58,50 @@ public void FunctionKeys(string functionName, string secretName)
 
             Assert.True(dictionary[$"function--{KeyVaultSecretsRepository.Normalize(functionName)}--{KeyVaultSecretsRepository.Normalize(secretName)}"] == "test");
         }
+
+        [Theory]
+        [MemberData(nameof(FindSecretsDataProvider.TestCases), MemberType = typeof(FindSecretsDataProvider))]
+        public void FindSecrets(Func<SecretItem, bool> comparison, List<string> expectedMatches)
+        {
+            List<IEnumerable<SecretItem>> secretsPages = new List<IEnumerable<SecretItem>>()
+            {
+                new List<SecretItem>()
+                {
+                    new SecretItem("https://testkeyvault.vault.azure.net/secrets/Atlanta"),
+                    new SecretItem("https://testkeyvault.vault.azure.net/secrets/Seattle"),
+                    new SecretItem("https://testkeyvault.vault.azure.net/secrets/NewYork"),
+                    new SecretItem("https://testkeyvault.vault.azure.net/secrets/Chicago")
+                },
+                new List<SecretItem>()
+                {
+                    new SecretItem("https://testkeyvault.vault.azure.net/secrets/Portland"),
+                    new SecretItem("https://testkeyvault.vault.azure.net/secrets/Austin"),
+                    new SecretItem("https://testkeyvault.vault.azure.net/secrets/SanDiego"),
+                    new SecretItem("https://testkeyvault.vault.azure.net/secrets/LosAngeles")
+                }
+            };
+
+            var matches = KeyVaultSecretsRepository.FindSecrets(secretsPages, comparison);
+
+            Assert.Equal(expectedMatches.Count, matches.Count);
+            foreach (string name in expectedMatches)
+            {
+                var matchingNames = matches.Where(x => x.Identifier.Name == name);
+                Assert.Equal(matchingNames.Count(), 1);
+                Assert.Equal(matchingNames.First().Identifier.Name, name);
+            }
+        }
+
+        public class FindSecretsDataProvider
+        {
+            public static IEnumerable<object[]> TestCases
+            {
+                get
+                {
+                    yield return new object[] { (Func<SecretItem, bool>)(x => x.Identifier.Name.StartsWith("S")), new List<string>() { "Seattle", "SanDiego" } };
+                    yield return new object[] { (Func<SecretItem, bool>)(x => x.Identifier.Name.EndsWith("o")), new List<string>() { "Chicago", "SanDiego" } };
+                }
+            }
+        }
     }
 }
