SWT token cleanup (#11148)

Author: mathewc

src/WebJobs.Script.WebHost/Management/FunctionsSyncManager.cs

@@ -729,7 +729,7 @@ internal HttpRequestMessage BuildSetTriggersRequest()
         }
 
         // This function will call POST https://{app}.azurewebsites.net/operation/settriggers with the content
-        // of triggers. It'll verify app ownership using a SWT token valid for 5 minutes. It should be plenty.
+        // of triggers. It'll verify app ownership using a site token valid for 5 minutes. It should be plenty.
         private async Task<(bool Success, string ErrorMessage)> SetTriggersAsync(string content)
         {
             // sanitize the content before logging
@@ -747,12 +747,6 @@ internal HttpRequestMessage BuildSetTriggersRequest()
                 request.Headers.Add("User-Agent", ScriptConstants.FunctionsUserAgent);
                 request.Content = new StringContent(content, Encoding.UTF8, "application/json");
 
-                if (_hostingConfigOptions.Value.SwtIssuerEnabled)
-                {
-                    string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
-                    request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
-                }
-
                 string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
                 request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
 

src/WebJobs.Script.WebHost/Metrics/LinuxContainerMetricsPublisher.cs

@@ -292,12 +292,6 @@ private HttpRequestMessage BuildRequest<TContent>(HttpMethod method, string path
             request.Headers.Add(HostNameHeader, _hostNameProvider.Value);
             request.Headers.Add(StampNameHeader, _stampName);
 
-            if (_hostingConfigOptions.CurrentValue.SwtIssuerEnabled)
-            {
-                string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
-                request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
-            }
-
             string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
             request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
 

src/WebJobs.Script.WebHost/Security/SimpleWebTokenHelper.cs renamed to src/WebJobs.Script.WebHost/Security/EncryptionHelper.cs

@@ -6,22 +6,11 @@
 using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
-using Microsoft.AspNetCore.Authentication;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Security
 {
-    public static class SimpleWebTokenHelper
+    public static class EncryptionHelper
     {
-        /// <summary>
-        /// A SWT or a Simple Web Token is a token that's made of key=value pairs separated
-        /// by &. We only specify expiration in ticks from now (exp={ticks})
-        /// The SWT is then returned as an encrypted string.
-        /// </summary>
-        /// <param name="validUntil">Datetime for when the token should expire.</param>
-        /// <param name="key">Optional key to encrypt the token with.</param>
-        /// <returns>a SWT signed by this app.</returns>
-        public static string CreateToken(DateTime validUntil, byte[] key = null) => Encrypt($"exp={validUntil.Ticks}", key);
-
         internal static string Encrypt(string value, byte[] key = null, IEnvironment environment = null, bool includesSignature = false)
         {
             key = key ?? SecretsUtility.GetEncryptionKey(environment);
@@ -51,7 +40,7 @@ internal static string Encrypt(string value, byte[] key = null, IEnvironment env
                     }
                     else
                     {
-                        // return {iv}.{swt}.{sha236(key)}
+                        // return {iv}.{content}.{sha236(key)}
                         return string.Format("{0}.{1}.{2}", iv, Convert.ToBase64String(cipherStream.ToArray()), GetSHA256Base64String(aes.Key));
                     }
                 }
@@ -105,33 +94,6 @@ public static string Decrypt(string value, IEnvironment environment = null)
             return Decrypt(key, value);
         }
 
-        public static bool TryValidateToken(string token, ISystemClock systemClock)
-        {
-            try
-            {
-                return ValidateToken(token, systemClock);
-            }
-            catch
-            {
-                return false;
-            }
-        }
-
-        public static bool ValidateToken(string token, ISystemClock systemClock, IEnvironment environment = null)
-        {
-            var data = Decrypt(token, environment);
-
-            var parsedToken = data
-                // token = key1=value1;key2=value2
-                .Split(';', StringSplitOptions.RemoveEmptyEntries)
-                 // ["key1=value1", "key2=value2"]
-                 .Select(v => v.Split('=', StringSplitOptions.RemoveEmptyEntries))
-                 // [["key1", "value1"], ["key2", "value2"]]
-                 .ToDictionary(k => k[0], v => v[1]);
-
-            return parsedToken.ContainsKey("exp") && systemClock.UtcNow.UtcDateTime < new DateTime(long.Parse(parsedToken["exp"]));
-        }
-
         private static string GetSHA256Base64String(byte[] key)
         {
             using (var sha256 = SHA256.Create())

src/WebJobs.Script.WebHost/StartupContextProvider.cs

@@ -113,7 +113,7 @@ private StartupContext GetStartupContextOrNull()
                     // Dont' want to block on this file operation, so we kick it off in the background.
                     Task.Run(() => File.Delete(contextPath));
 
-                    string decryptedContent = SimpleWebTokenHelper.Decrypt(content, environment: _environment);
+                    string decryptedContent = EncryptionHelper.Decrypt(content, environment: _environment);
                     var context = JsonConvert.DeserializeObject<StartupContext>(decryptedContent);
 
                     return context;
@@ -139,7 +139,7 @@ private StartupContext GetStartupContextOrNull()
         /// <returns>The decrypted assignment context</returns>
         public virtual HostAssignmentContext SetContext(EncryptedHostAssignmentContext encryptedContext)
         {
-            string decryptedContext = SimpleWebTokenHelper.Decrypt(encryptedContext.EncryptedContext, environment: _environment);
+            string decryptedContext = EncryptionHelper.Decrypt(encryptedContext.EncryptedContext, environment: _environment);
             var hostAssignmentContext = JsonConvert.DeserializeObject<HostAssignmentContext>(decryptedContext);
 
             // Don't update StartupContext for warmup requests

src/WebJobs.Script/Config/FunctionsHostingConfigOptions.cs

@@ -62,22 +62,6 @@ internal bool ShutdownWebhostWorkerChannelsOnHostShutdown
             }
         }
 
-        /// <summary>
-        /// Gets or sets a value indicating whether SWT tokens should be sent on outgoing requests.
-        /// </summary>
-        internal bool SwtIssuerEnabled
-        {
-            get
-            {
-                return GetFeatureAsBooleanOrDefault(ScriptConstants.HostingConfigSwtIssuerEnabled, true);
-            }
-
-            set
-            {
-                _features[ScriptConstants.HostingConfigSwtIssuerEnabled] = value ? "1" : "0";
-            }
-        }
-
         /// <summary>
         /// Gets or sets a string delimited by '|' that contains a list of admin APIs that are allowed to
         /// be invoked internally by platform components.

src/WebJobs.Script/ScriptConstants.cs

@@ -108,7 +108,6 @@ public static class ScriptConstants
         public const string AntaresLogIdHeaderName = "X-ARR-LOG-ID";
         public const string AntaresScaleOutHeaderName = "X-FUNCTION-SCALEOUT";
         public const string AntaresColdStartHeaderName = "X-MS-COLDSTART";
-        public const string SiteRestrictedTokenHeaderName = "x-ms-site-restricted-token";
         public const string SiteTokenHeaderName = "x-ms-site-token";
         public const string EasyAuthIdentityHeader = "x-ms-client-principal";
         public const string AntaresPlatformInternal = "x-ms-platform-internal";
@@ -145,7 +144,6 @@ public static class ScriptConstants
         public const string HostingConfigDisableLinuxAppServiceDetailedExecutionEvents = "DisableLinuxExecutionDetails";
         public const string HostingConfigDisableLinuxAppServiceExecutionEventLogBackoff = "DisableLinuxLogBackoff";
         public const string FeatureFlagEnableLegacyDurableVersionCheck = "EnableLegacyDurableVersionCheck";
-        public const string HostingConfigSwtIssuerEnabled = "SwtIssuerEnabled";
         public const string HostingConfigInternalAuthApisAllowList = "InternalAuthApisAllowList";
         public const string HostingConfigDotNetInProcDisabled = "DotNetInProcDisabled";
 

test/WebJobs.Script.Tests.Integration/ContainerManagement/AtlasContainerInitializationHostedServiceTests.cs

@@ -194,7 +194,7 @@ private static string GetEncryptedHostAssignmentContext(HostAssignmentContext ho
             using (var env = new TestScopedEnvironmentVariable(WebSiteAuthEncryptionKey, containerEncryptionKey))
             {
                 var serializeObject = JsonConvert.SerializeObject(hostAssignmentContext);
-                return SimpleWebTokenHelper.Encrypt(serializeObject);
+                return EncryptionHelper.Encrypt(serializeObject);
             }
         }
 

test/WebJobs.Script.Tests.Integration/ContainerManagement/LegionContainerInitializationHostedServiceTests.cs

@@ -170,7 +170,7 @@ private static string GetEncryptedHostAssignmentContext(HostAssignmentContext ho
             using (var env = new TestScopedEnvironmentVariable(WebSiteAuthEncryptionKey, containerEncryptionKey))
             {
                 var serializeObject = JsonConvert.SerializeObject(hostAssignmentContext);
-                return SimpleWebTokenHelper.Encrypt(serializeObject);
+                return EncryptionHelper.Encrypt(serializeObject);
             }
         }
 

test/WebJobs.Script.Tests.Integration/Host/StandbyManager/StandbyManagerE2ETests_Linux.cs

@@ -283,7 +283,7 @@ private static EncryptedHostAssignmentContext CreateEncryptedContext(HostAssignm
         {
             string json = JsonConvert.SerializeObject(context);
             var encryptionKey = Convert.FromBase64String(key);
-            string encrypted = SimpleWebTokenHelper.Encrypt(json, encryptionKey);
+            string encrypted = EncryptionHelper.Encrypt(json, encryptionKey);
 
             return new EncryptedHostAssignmentContext { EncryptedContext = encrypted };
         }

test/WebJobs.Script.Tests.Integration/Management/FunctionsSyncManagerTests.cs

@@ -391,13 +391,11 @@ public void ArmCacheEnabled_VerifyDefault()
         }
 
         [Theory]
-        [InlineData(true, true)]
-        [InlineData(false, true)]
-        [InlineData(true, false)]
-        public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled, bool swtIssuerEnabled)
+        [InlineData(true)]
+        [InlineData(false)]
+        public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled)
         {
             _mockEnvironment.Setup(p => p.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteArmCacheEnabled)).Returns(cacheEnabled ? "1" : "0");
-            _hostingConfigOptions.SwtIssuerEnabled = swtIssuerEnabled;
 
             using (var env = new TestScopedEnvironmentVariable(_vars))
             {
@@ -413,16 +411,6 @@ public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled, bool s
                 // verify expected headers
                 Assert.Equal(ScriptConstants.FunctionsUserAgent, _mockHttpHandler.LastRequest.Headers.UserAgent.ToString());
                 Assert.True(_mockHttpHandler.LastRequest.Headers.Contains(ScriptConstants.AntaresLogIdHeaderName));
-
-                if (swtIssuerEnabled)
-                {
-                    Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteRestrictedTokenHeaderName));
-                }
-                else
-                {
-                    Assert.False(_mockHttpHandler.LastRequest.Headers.Contains(ScriptConstants.SiteRestrictedTokenHeaderName));
-                }
-
                 Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteTokenHeaderName));
 
                 if (cacheEnabled)