Including admin JWT on outbound platform calls (#9198)

Author: mathewc

src/WebJobs.Script.WebHost/Management/FunctionsSyncManager.cs

@@ -688,7 +688,8 @@ internal HttpRequestMessage BuildSetTriggersRequest()
         // of triggers. It'll verify app ownership using a SWT token valid for 5 minutes. It should be plenty.
         private async Task<(bool, string)> SetTriggersAsync(string content)
         {
-            var token = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+            string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+            string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
 
             string sanitizedContentString = content;
             if (ArmCacheEnabled)
@@ -707,7 +708,8 @@ internal HttpRequestMessage BuildSetTriggersRequest()
                 var requestId = Guid.NewGuid().ToString();
                 request.Headers.Add(ScriptConstants.AntaresLogIdHeaderName, requestId);
                 request.Headers.Add("User-Agent", ScriptConstants.FunctionsUserAgent);
-                request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, token);
+                request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
+                request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
                 request.Content = new StringContent(content, Encoding.UTF8, "application/json");
 
                 if (_environment.IsKubernetesManagedHosting())

src/WebJobs.Script.WebHost/Metrics/LinuxContainerMetricsPublisher.cs

@@ -284,12 +284,14 @@ private HttpRequestMessage BuildRequest<TContent>(HttpMethod method, string path
                 Content = new ObjectContent<TContent>(content, new JsonMediaTypeFormatter())
             };
 
-            var token = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+            string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+            string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
 
             // add the required authentication headers
             request.Headers.Add(ContainerNameHeader, _containerName);
             request.Headers.Add(HostNameHeader, _hostNameProvider.Value);
-            request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, token);
+            request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
+            request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
             request.Headers.Add(StampNameHeader, _stampName);
 
             return request;

src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs

@@ -86,14 +86,14 @@ private static TokenValidationParameters CreateTokenValidationParameters()
                 result.ValidateIssuer = true;
                 result.ValidAudiences = new string[]
                 {
-                    string.Format(AdminJwtSiteFunctionsValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
-                    string.Format(AdminJwtSiteValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+                    string.Format(SiteAzureFunctionsUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                    string.Format(SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
                 };
                 result.ValidIssuers = new string[]
                 {
-                    AdminJwtAppServiceIssuer,
-                    string.Format(AdminJwtScmValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
-                    string.Format(AdminJwtSiteValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+                    AppServiceCoreUri,
+                    string.Format(ScmSiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                    string.Format(SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
                 };
             }
 

src/WebJobs.Script.WebHost/Security/JwtTokenHelper.cs

@@ -0,0 +1,30 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.IdentityModel.Tokens.Jwt;
+using Microsoft.Azure.WebJobs.Script.Config;
+using Microsoft.IdentityModel.Tokens;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Security
+{
+    internal static class JwtTokenHelper
+    {
+        public static string CreateToken(DateTime validUntil, string audience = null, string issuer = null, byte[] key = null)
+        {
+            var tokenHandler = new JwtSecurityTokenHandler();
+            key = key ?? SecretsUtility.GetEncryptionKey();
+            var tokenDescriptor = new SecurityTokenDescriptor
+            {
+                Audience = audience ?? ScriptConstants.AppServiceCoreUri,
+                Issuer = issuer ?? string.Format(ScriptConstants.SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(EnvironmentSettingNames.AzureWebsiteName)),
+                Expires = validUntil,
+                SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
+            };
+            var token = tokenHandler.CreateToken(tokenDescriptor);
+            string tokenValue = tokenHandler.WriteToken(token);
+
+            return tokenValue;
+        }
+    }
+}

src/WebJobs.Script/ScriptConstants.cs

@@ -124,11 +124,10 @@ public static class ScriptConstants
         public const string FeatureFlagEnableMultiLanguageWorker = "EnableMultiLanguageWorker";
         public const string FeatureFlagEnableLinuxEPExecutionCount = "EnableLinuxFEC";
 
-        public const string AdminJwtSiteFunctionsValidAudienceFormat = "https://{0}.azurewebsites.net/azurefunctions";
-        public const string AdminJwtSiteValidAudienceFormat = "https://{0}.azurewebsites.net";
-        public const string AdminJwtScmValidIssuerFormat = "https://{0}.scm.azurewebsites.net";
-        public const string AdminJwtSiteValidIssuerFormat = "https://{0}.azurewebsites.net";
-        public const string AdminJwtAppServiceIssuer = "https://appservice.core.azurewebsites.net";
+        public const string SiteAzureFunctionsUriFormat = "https://{0}.azurewebsites.net/azurefunctions";
+        public const string ScmSiteUriFormat = "https://{0}.scm.azurewebsites.net";
+        public const string SiteUriFormat = "https://{0}.azurewebsites.net";
+        public const string AppServiceCoreUri = "https://appservice.core.azurewebsites.net";
 
         public const string AzureFunctionsSystemDirectoryName = ".azurefunctions";
         public const string HttpMethodConstraintName = "httpMethod";

test/WebJobs.Script.Tests.Integration/Management/FunctionsSyncManagerTests.cs

@@ -234,6 +234,8 @@ public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled)
                 // verify expected headers
                 Assert.Equal(ScriptConstants.FunctionsUserAgent, _mockHttpHandler.LastRequest.Headers.UserAgent.ToString());
                 Assert.True(_mockHttpHandler.LastRequest.Headers.Contains(ScriptConstants.AntaresLogIdHeaderName));
+                Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteRestrictedTokenHeaderName));
+                Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteTokenHeaderName));
 
                 if (cacheEnabled)
                 {

test/WebJobs.Script.Tests.Integration/TestFunctionHost.cs

@@ -23,6 +23,7 @@
 using Microsoft.Azure.WebJobs.Script.WebHost.DependencyInjection;
 using Microsoft.Azure.WebJobs.Script.WebHost.Middleware;
 using Microsoft.Azure.WebJobs.Script.WebHost.Models;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 using Microsoft.Azure.WebJobs.Script.Workers.Http;
 using Microsoft.Azure.WebJobs.Script.Workers.Rpc;
 using Microsoft.Extensions.Configuration;
@@ -405,19 +406,10 @@ public async Task<HostStatus> GetHostStatusAsync()
 
         public string GenerateAdminJwtToken(string audience = null, string issuer = null, byte[] key = null)
         {
-            var tokenHandler = new JwtSecurityTokenHandler();
-            key = key ?? SecretsUtility.GetEncryptionKey();
-            var tokenDescriptor = new SecurityTokenDescriptor
-            {
-                Audience = audience ?? string.Format(ScriptConstants.AdminJwtSiteFunctionsValidAudienceFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName)),
-                Issuer = issuer ?? string.Format(ScriptConstants.AdminJwtScmValidIssuerFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName)),
-                Expires = DateTime.UtcNow.AddHours(1),
-                SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
-            };
-            var token = tokenHandler.CreateToken(tokenDescriptor);
-            string tokenHeaderValue = tokenHandler.WriteToken(token);
+            audience = audience ?? string.Format(ScriptConstants.SiteAzureFunctionsUriFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName));
+            issuer = issuer ?? string.Format(ScriptConstants.ScmSiteUriFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName));
 
-            return tokenHeaderValue;
+            return JwtTokenHelper.CreateToken(DateTime.UtcNow.AddHours(1), audience, issuer, key);
         }
 
         public void Dispose()

test/WebJobs.Script.Tests/Metrics/LinuxContainerMetricsPublisherTests.cs

@@ -93,6 +93,7 @@ private void ValidateRequest(HttpRequestMessage request)
             Assert.Equal(request.Headers.GetValues(LinuxContainerMetricsPublisher.HostNameHeader).Single(), _testHostName);
             Assert.Equal(request.Headers.GetValues(LinuxContainerMetricsPublisher.StampNameHeader).Single(), _testStampName);
             Assert.NotEmpty(request.Headers.GetValues(ScriptConstants.SiteRestrictedTokenHeaderName));
+            Assert.NotEmpty(request.Headers.GetValues(ScriptConstants.SiteTokenHeaderName));
 
             Assert.Equal(request.RequestUri.Host, _testIpAddress);