Removing obsolete auth policy (#11335)

Author: mathewc

src/WebJobs.Script.WebHost/Controllers/HostController.cs

@@ -68,7 +68,7 @@ public HostController(IOptions<ScriptApplicationHostOptions> applicationHostOpti
 
         [HttpGet]
         [Route("admin/host/status")]
-        [Authorize(Policy = PolicyNames.AdminAuthLevelOrInternal)]
+        [Authorize(Policy = PolicyNames.AdminAuthLevel)]
         [TypeFilter(typeof(EnableDebugModeFilter))]
         public async Task<IActionResult> GetHostStatus([FromServices] IScriptHostManager scriptHostManager, [FromServices] IHostIdProvider hostIdProvider, [FromServices] IServiceProvider serviceProvider = null)
         {
@@ -120,7 +120,7 @@ public async Task<IActionResult> GetHostStatus([FromServices] IScriptHostManager
         /// </summary>
         [HttpGet]
         [Route("admin/host/processes")]
-        [Authorize(Policy = PolicyNames.AdminAuthLevelOrInternal)]
+        [Authorize(Policy = PolicyNames.AdminAuthLevel)]
         public async Task<IActionResult> GetWorkerProcesses([FromServices] IScriptHostManager scriptHostManager)
         {
             if (!Utility.TryGetHostService(scriptHostManager, out IWebHostRpcWorkerChannelManager webHostLanguageWorkerChannelManager))
@@ -186,7 +186,7 @@ public async Task<IActionResult> GetWorkerProcesses([FromServices] IScriptHostMa
 
         [HttpPost]
         [Route("admin/host/drain")]
-        [Authorize(Policy = PolicyNames.AdminAuthLevelOrInternal)]
+        [Authorize(Policy = PolicyNames.AdminAuthLevel)]
         public async Task<IActionResult> Drain([FromServices] IScriptHostManager scriptHostManager, CancellationToken cancellation)
         {
             _logger.LogDebug("Received request to drain the host");
@@ -224,7 +224,7 @@ public async Task<IActionResult> Drain([FromServices] IScriptHostManager scriptH
 
         [HttpGet]
         [Route("admin/host/drain/status")]
-        [Authorize(Policy = PolicyNames.AdminAuthLevelOrInternal)]
+        [Authorize(Policy = PolicyNames.AdminAuthLevel)]
         public IActionResult DrainStatus([FromServices] IScriptHostManager scriptHostManager)
         {
             if (Utility.TryGetHostService(scriptHostManager, out IFunctionActivityStatusProvider functionActivityStatusProvider) &&
@@ -258,7 +258,7 @@ public IActionResult DrainStatus([FromServices] IScriptHostManager scriptHostMan
 
         [HttpPost]
         [Route("admin/host/resume")]
-        [Authorize(Policy = PolicyNames.AdminAuthLevelOrInternal)]
+        [Authorize(Policy = PolicyNames.AdminAuthLevel)]
         public async Task<IActionResult> Resume([FromServices] IScriptHostManager scriptHostManager, CancellationToken cancellation)
         {
             try
@@ -326,7 +326,7 @@ public async Task<IActionResult> Ping([FromServices] IScriptHostManager scriptHo
 
         [HttpPost]
         [Route("admin/host/scale/status")]
-        [Authorize(Policy = PolicyNames.AdminAuthLevelOrInternal)]
+        [Authorize(Policy = PolicyNames.AdminAuthLevel)]
         [ResponseCache(NoStore = true, Location = ResponseCacheLocation.None)]
         [RequiresRunningHost]
         public async Task<IActionResult> GetScaleStatus([FromBody] ScaleStatusContext context, [FromServices] IScriptHostManager scriptHostManager)
@@ -355,7 +355,7 @@ public async Task<IActionResult> GetScaleStatus([FromBody] ScaleStatusContext co
 
         [HttpPost]
         [Route("admin/host/log")]
-        [Authorize(Policy = PolicyNames.AdminAuthLevelOrInternal)]
+        [Authorize(Policy = PolicyNames.AdminAuthLevel)]
         public IActionResult Log([FromBody] IEnumerable<HostLogEntry> logEntries)
         {
             if (logEntries == null)
@@ -406,7 +406,7 @@ public IActionResult LaunchDebugger()
 
         [HttpPost]
         [Route("admin/host/synctriggers")]
-        [Authorize(Policy = PolicyNames.AdminAuthLevelOrInternal)]
+        [Authorize(Policy = PolicyNames.AdminAuthLevel)]
         [RequiresRunningHost]
         public async Task<IActionResult> SyncTriggers()
         {
@@ -513,7 +513,7 @@ public async Task<IActionResult> ExtensionWebHookHandler(string extensionName, C
 
         [HttpGet]
         [Route("admin/host/config")]
-        [Authorize(Policy = PolicyNames.AdminAuthLevelOrInternal)]
+        [Authorize(Policy = PolicyNames.AdminAuthLevel)]
         [RequiresRunningHost]
         public IActionResult GetConfig([FromServices] IScriptHostManager scriptHostManager)
         {

src/WebJobs.Script.WebHost/Middleware/VirtualFileSystemMiddleware.cs

@@ -104,7 +104,7 @@ private async Task<bool> AuthenticateAndAuthorize(HttpContext context)
             var authorizationPolicyProvider = context.RequestServices.GetRequiredService<IAuthorizationPolicyProvider>();
             var policyEvaluator = context.RequestServices.GetRequiredService<IPolicyEvaluator>();
 
-            if (!AuthorizationOptionsExtensions.CheckPlatformInternal(context, allowAppServiceInternal: false))
+            if (!AuthorizationOptionsExtensions.EnforceAdminIsolation(context, allowAppServiceInternal: false))
             {
                 return false;
             }

src/WebJobs.Script.WebHost/Security/Authorization/Policies/AuthorizationOptionsExtensions.cs

@@ -8,7 +8,6 @@
 using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Azure.WebJobs.Script.Extensions;
 using Microsoft.Azure.WebJobs.Script.WebHost.Authentication;
-using Microsoft.Azure.WebJobs.Script.WebHost.Extensions;
 using Microsoft.Extensions.DependencyInjection;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Security.Authorization.Policies
@@ -25,7 +24,7 @@ public static void AddScriptPolicies(this AuthorizationOptions options)
                 {
                     if (c.Resource is AuthorizationFilterContext filterContext)
                     {
-                        if (!CheckPlatformInternal(filterContext.HttpContext, allowAppServiceInternal: false))
+                        if (!EnforceAdminIsolation(filterContext.HttpContext, allowAppServiceInternal: true))
                         {
                             return false;
                         }
@@ -41,47 +40,13 @@ public static void AddScriptPolicies(this AuthorizationOptions options)
                 p.AddRequirements(new AuthLevelRequirement(AuthorizationLevel.System));
             });
 
-            options.AddPolicy(PolicyNames.AdminAuthLevelOrInternal, p =>
-            {
-                p.AddScriptAuthenticationSchemes();
-                p.RequireAssertion(async c =>
-                {
-                    if (c.Resource is AuthorizationFilterContext filterContext)
-                    {
-                        if (!CheckPlatformInternal(filterContext.HttpContext, allowAppServiceInternal: true))
-                        {
-                            return false;
-                        }
-
-                        if (filterContext.HttpContext.Request.IsAppServiceInternalRequest() &&
-                            filterContext.HttpContext.Request.IsInternalAuthAllowed())
-                        {
-                            return true;
-                        }
-
-                        var authorizationService = filterContext.HttpContext.RequestServices.GetRequiredService<IAuthorizationService>();
-                        AuthorizationResult result = await authorizationService.AuthorizeAsync(c.User, PolicyNames.AdminAuthLevel);
-
-                        return result.Succeeded;
-                    }
-
-                    return false;
-                });
-            });
-
             options.AddPolicy(PolicyNames.SystemKeyAuthLevel, p =>
             {
                 p.AddScriptAuthenticationSchemes();
                 p.RequireAssertion(c =>
                 {
                     if (c.Resource is AuthorizationFilterContext filterContext)
                     {
-                        if (filterContext.HttpContext.Request.IsAppServiceInternalRequest() &&
-                            filterContext.HttpContext.Request.IsInternalAuthAllowed())
-                        {
-                            return true;
-                        }
-
                         string keyName = null;
                         object keyNameObject = filterContext.RouteData.Values["extensionName"];
                         if (keyNameObject != null)
@@ -114,9 +79,14 @@ private static void AddScriptAuthenticationSchemes(this AuthorizationPolicyBuild
             builder.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
         }
 
-        internal static bool CheckPlatformInternal(HttpContext httpContext, bool allowAppServiceInternal)
+        /// <summary>
+        /// When AdminIsolation is enabled, performs platform internal request verification on the specified HTTP context.
+        /// </summary>
+        /// <param name="httpContext">The <see cref="HttpContext"/> to check.</param>
+        /// <param name="allowAppServiceInternal">True if App Service internal requests should also be allowed; otherwise, false.</param>
+        /// <returns>True if the request passes isolation checks, false otherwise.</returns>
+        internal static bool EnforceAdminIsolation(HttpContext httpContext, bool allowAppServiceInternal)
         {
-            // when AdminIsolation is enabled, verify the request is platform internal
             var environment = httpContext.RequestServices.GetRequiredService<IEnvironment>();
             if (environment.IsAdminIsolationEnabled() &&
                 !(httpContext.Request.IsPlatformInternalRequest(environment) || (allowAppServiceInternal && httpContext.Request.IsAppServiceInternalRequest())))

src/WebJobs.Script.WebHost/Security/Authorization/Policies/PolicyNames.cs

@@ -11,7 +11,6 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost.Security.Authorization.Policies
     public static class PolicyNames
     {
         public const string AdminAuthLevel = "AuthLevelAdmin";
-        public const string AdminAuthLevelOrInternal = "InternalAuthLevelAdmin";
         public const string SystemAuthLevel = "AuthLevelSystem";
         public const string FunctionAuthLevel = "AuthLevelFunction";
         public const string SystemKeyAuthLevel = "AuthLevelSystemKey";

src/WebJobs.Script/Config/FunctionsHostingConfigOptions.cs

@@ -3,16 +3,13 @@
 
 using System;
 using System.Collections.Generic;
-using System.Linq;
-using Microsoft.AspNetCore.Http;
 using Microsoft.Azure.WebJobs.Script.Workers.Rpc;
 
 namespace Microsoft.Azure.WebJobs.Script.Config
 {
     public class FunctionsHostingConfigOptions
     {
         private readonly Dictionary<string, string> _features;
-        private PathString[] _allowedInternalAuthApis;
 
         public FunctionsHostingConfigOptions()
         {
@@ -78,24 +75,6 @@ internal bool SwtIssuerEnabled
             }
         }
 
-        /// <summary>
-        /// Gets or sets a string delimited by '|' that contains a list of admin APIs that are allowed to
-        /// be invoked internally by platform components.
-        /// </summary>
-        internal string InternalAuthApisAllowList
-        {
-            get
-            {
-                return GetFeature(ScriptConstants.HostingConfigInternalAuthApisAllowList);
-            }
-
-            set
-            {
-                _allowedInternalAuthApis = null;
-                _features[ScriptConstants.HostingConfigInternalAuthApisAllowList] = value;
-            }
-        }
-
         /// <summary>
         /// Gets a string delimited by '|' that contains the name of the apps with worker indexing disabled.
         /// </summary>
@@ -243,32 +222,5 @@ internal bool GetFeatureAsBooleanOrDefault(string name, bool defaultValue)
             }
             return defaultValue;
         }
-
-        internal bool CheckInternalAuthAllowList(HttpRequest httpRequest)
-        {
-            if (InternalAuthApisAllowList != null && _allowedInternalAuthApis == null)
-            {
-                // initialize our cached allow list on demand
-                _allowedInternalAuthApis = InternalAuthApisAllowList.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries).Select(p => new PathString(p)).ToArray();
-            }
-
-            if (_allowedInternalAuthApis != null)
-            {
-                // An allow list is configured, so we ensure that the current request
-                // matches any of the allowed APIs.
-                foreach (PathString ps in _allowedInternalAuthApis)
-                {
-                    if (httpRequest.Path.StartsWithSegments(ps, StringComparison.OrdinalIgnoreCase))
-                    {
-                        return true;
-                    }
-                }
-
-                return false;
-            }
-
-            // no allow list configured
-            return true;
-        }
     }
 }

src/WebJobs.Script/Extensions/HttpRequestExtensions.cs

@@ -13,9 +13,7 @@
 using Microsoft.AspNetCore.Http.Extensions;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Azure.WebJobs.Extensions.Http;
-using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
@@ -104,13 +102,6 @@ public static bool IsPlatformInternalRequest(this HttpRequest request, IEnvironm
             return string.Compare(value, "true", StringComparison.OrdinalIgnoreCase) == 0;
         }
 
-        public static bool IsInternalAuthAllowed(this HttpRequest httpRequest)
-        {
-            // Check to see if the specific API is allowed based on any configured allow list
-            var options = httpRequest.HttpContext.RequestServices.GetService<IOptions<FunctionsHostingConfigOptions>>().Value;
-            return options.CheckInternalAuthAllowList(httpRequest);
-        }
-
         private static IEnvironment GetEnvironment(HttpRequest request, IEnvironment environment = null)
         {
             return environment ?? request.HttpContext.RequestServices?.GetService<IEnvironment>() ?? SystemEnvironment.Instance;

src/WebJobs.Script/ScriptConstants.cs

@@ -143,7 +143,6 @@ public static class ScriptConstants
         public const string HostingConfigDisableLinuxAppServiceExecutionEventLogBackoff = "DisableLinuxLogBackoff";
         public const string FeatureFlagEnableLegacyDurableVersionCheck = "EnableLegacyDurableVersionCheck";
         public const string HostingConfigSwtIssuerEnabled = "SwtIssuerEnabled";
-        public const string HostingConfigInternalAuthApisAllowList = "InternalAuthApisAllowList";
 
         public const string SiteAzureFunctionsUriFormat = "https://{0}.azurewebsites.net/azurefunctions";
         public const string ScmSiteUriFormat = "https://{0}.scm.azurewebsites.net";

test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/SamplesEndToEndTests_CSharp.cs

@@ -246,7 +246,7 @@ public async Task ExtensionWebHook_Succeeds()
         [InlineData("admin/host/extensionBundle/v1/templates", true, true, false, true, false, HttpStatusCode.Unauthorized)]
         [InlineData("admin/host/extensionBundle/v1/templates", true, true, true, false, true, HttpStatusCode.NotFound)]
         [InlineData("admin/host/extensionBundle/v1/templates", true, false, false, false, true, HttpStatusCode.NotFound)]
-        [InlineData("admin/host/extensionBundle/v1/templates", true, true, false, true, true, HttpStatusCode.Forbidden)]
+        [InlineData("admin/host/extensionBundle/v1/templates", true, true, false, true, true, HttpStatusCode.NotFound)]
         [InlineData("admin/vfs/host.json", true, true, true, false, true, HttpStatusCode.OK)]
         [InlineData("admin/vfs/host.json", true, true, false, false, true, HttpStatusCode.Unauthorized)]
         [InlineData("admin/vfs/host.json", true, true, true, false, false, HttpStatusCode.Unauthorized)]
@@ -476,46 +476,21 @@ public async Task ArmExtensionsResourceFilter_GetNonSecretResource_Succeeds()
         }
 
         [Fact]
-        public async Task SyncTriggers_InternalAuth_Succeeds()
+        public async Task SyncTriggers_AdminTokenProvided_Succeeds()
         {
             using (var httpClient = _fixture.Host.CreateHttpClient())
             {
                 string uri = "admin/host/synctriggers";
+                string token = _fixture.Host.GenerateAdminJwtToken(issuer: ScriptConstants.AppServiceCoreUri);
                 HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, uri);
+                request.Headers.Add(ScriptConstants.SiteTokenHeaderName, token);
                 HttpResponseMessage response = await httpClient.SendAsync(request);
                 Assert.Equal(HttpStatusCode.OK, response.StatusCode);
             }
         }
 
-        [Theory]
-        [InlineData("", HttpStatusCode.Unauthorized)]
-        [InlineData("|", HttpStatusCode.Unauthorized)]
-        [InlineData("/admin/host/foo|/admin/host/bar", HttpStatusCode.Unauthorized)]
-        [InlineData("/admin/host/status|/admin/host/synctriggers", HttpStatusCode.OK)]
-        public async Task SyncTriggers_InternalAuth_AllowListSpecified_ReturnsExpectedResult(string allowList, HttpStatusCode expected)
-        {
-            var options = _fixture.Host.WebHostServices.GetService<IOptions<FunctionsHostingConfigOptions>>().Value;
-
-            try
-            {
-                options.InternalAuthApisAllowList = allowList;
-
-                using (var httpClient = _fixture.Host.CreateHttpClient())
-                {
-                    string uri = "admin/host/synctriggers";
-                    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, uri);
-                    HttpResponseMessage response = await httpClient.SendAsync(request);
-                    Assert.Equal(expected, response.StatusCode);
-                }
-            }
-            finally
-            {
-                options.InternalAuthApisAllowList = null;
-            }
-        }
-
         [Fact]
-        public async Task SyncTriggers_ExternalUnauthorized_ReturnsUnauthorized()
+        public async Task SyncTriggers_NoAuthentication_ReturnsUnauthorized()
         {
             string uri = "admin/host/synctriggers";
             HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, uri);
@@ -524,7 +499,7 @@ public async Task SyncTriggers_ExternalUnauthorized_ReturnsUnauthorized()
         }
 
         [Fact]
-        public async Task SyncTriggers_AdminLevel_Succeeds()
+        public async Task SyncTriggers_MasterKeyProvided_Succeeds()
         {
             string uri = "admin/host/synctriggers";
             HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, uri);
@@ -543,23 +518,6 @@ public async Task HostLog_Anonymous_Fails()
             Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
         }
 
-        [Fact]
-        public async Task HostLog_PlatformInternal_Succeeds()
-        {
-            var environment = _fixture.Host.JobHostServices.GetService<IEnvironment>();
-            Assert.True(environment.IsAppService());
-
-            using (var httpClient = _fixture.Host.CreateHttpClient())
-            {
-                // no x-arr-log-id header makes this request platform internal
-                var request = new HttpRequestMessage(HttpMethod.Post, "admin/host/log");
-                request.Content = new StringContent("[]");
-                request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
-                var response = await httpClient.SendAsync(request);
-                Assert.Equal(HttpStatusCode.OK, response.StatusCode);
-            }
-        }
-
         [Fact]
         public async Task HostLog_AdminLevel_Succeeds()
         {