Implementation of system level keys

Author: fabiocav

src/WebJobs.Script.WebHost/App_Data/secrets/host.json

@@ -10,6 +10,12 @@
       "value": "zlnu496ve212kk1p84ncrtdvmtpembduqp25ajjc",
       "encrypted": false
     }
+  ],
+  "systemKeys": [
+    {
+      "name": "samplesystemkey",
+      "value": "bcnu496ve212kk1p84ncrtdvmtpembduqp25aghe",
+      "encrypted": false
+    }
   ]
-
-}
+}

src/WebJobs.Script.WebHost/Controllers/KeysController.cs

@@ -20,6 +20,7 @@ public class KeysController : ApiController
     {
         private const string MasterKeyName = "_master";
 
+        private static readonly Lazy<Dictionary<string, string>> EmptyKeys = new Lazy<Dictionary<string, string>>(() => new Dictionary<string, string>());
         private readonly WebScriptHostManager _scriptHostManager;
         private readonly ISecretManager _secretManager;
         private readonly TraceWriter _traceWriter;
@@ -45,39 +46,54 @@ public async Task<IHttpActionResult> Get(string name)
         }
 
         [HttpGet]
-        [Route("admin/host/keys")]
+        [Route("admin/host/{keys:regex(^(keys|functionkeys|systemkeys)$)}")]
         public async Task<IHttpActionResult> Get()
         {
-            var hostSecrets = await _secretManager.GetHostSecretsAsync();
-            return GetKeysResult(hostSecrets.FunctionKeys);
+            string hostKeyScope = GetHostKeyScopeForRequest();
+
+            Dictionary<string, string> keys = await GetHostSecretsByScope(hostKeyScope);
+            return GetKeysResult(keys);
         }
 
         [HttpPost]
         [Route("admin/functions/{name}/keys/{keyName}")]
-        public Task<IHttpActionResult> Post(string name, string keyName) => AddOrUpdateFunctionSecretAsync(keyName, null, name);
+        public Task<IHttpActionResult> Post(string name, string keyName) => AddOrUpdateSecretAsync(keyName, null, name, ScriptSecretsType.Function);
 
         [HttpPost]
-        [Route("admin/host/keys/{keyName}")]
-        public Task<IHttpActionResult> Post(string keyName) => AddOrUpdateFunctionSecretAsync(keyName, null);
+        [Route("admin/host/{keys:regex(^(keys|functionkeys|systemkeys)$)}/{keyName}")]
+        public Task<IHttpActionResult> Post(string keyName) => AddOrUpdateSecretAsync(keyName, null, GetHostKeyScopeForRequest(), ScriptSecretsType.Host);
 
         [HttpPut]
         [Route("admin/functions/{name}/keys/{keyName}")]
-        public Task<IHttpActionResult> Put(string name, string keyName, Key key) => PutKeyAsync(keyName, key, name);
+        public Task<IHttpActionResult> Put(string name, string keyName, Key key) => PutKeyAsync(keyName, key, name, ScriptSecretsType.Function);
 
         [HttpPut]
-        [Route("admin/host/keys/{keyName}")]
-        public Task<IHttpActionResult> Put(string keyName, Key key) => PutKeyAsync(keyName, key);
+        [Route("admin/host/{keys:regex(^(keys|functionkeys|systemkeys)$)}/{keyName}")]
+        public Task<IHttpActionResult> Put(string keyName, Key key) => PutKeyAsync(keyName, key, GetHostKeyScopeForRequest(), ScriptSecretsType.Host);
 
         [HttpDelete]
         [Route("admin/functions/{name}/keys/{keyName}")]
-        public Task<IHttpActionResult> Delete(string name, string keyName) => DeleteFunctionSecretAsync(keyName, name);
+        public Task<IHttpActionResult> Delete(string name, string keyName) => DeleteFunctionSecretAsync(keyName, name, ScriptSecretsType.Function);
 
         [HttpDelete]
-        [Route("admin/host/keys/{keyName}")]
-        public Task<IHttpActionResult> Delete(string keyName) => DeleteFunctionSecretAsync(keyName);
+        [Route("admin/host/{keys:regex(^(keys|functionkeys|systemkeys)$)}/{keyName}")]
+        public Task<IHttpActionResult> Delete(string keyName) => DeleteFunctionSecretAsync(keyName, GetHostKeyScopeForRequest(), ScriptSecretsType.Host);
+
+        private string GetHostKeyScopeForRequest()
+        {
+            string keyScope = ControllerContext.RouteData.Values.GetValueOrDefault<string>("keys");
+
+            if (string.Equals(keyScope, "keys", StringComparison.OrdinalIgnoreCase))
+            {
+                keyScope = HostKeyScopes.FunctionKeys;
+            }
+
+            return keyScope;
+        }
 
         private IHttpActionResult GetKeysResult(IDictionary<string, string> keys)
         {
+            keys = keys ?? EmptyKeys.Value;
             var keysContent = new
             {
                 keys = keys.Select(k => new { name = k.Key, value = k.Value })
@@ -88,35 +104,34 @@ private IHttpActionResult GetKeysResult(IDictionary<string, string> keys)
             return Ok(keyResponse);
         }
 
-        private async Task<IHttpActionResult> PutKeyAsync(string keyName, Key key, string functionName = null)
+        private async Task<IHttpActionResult> PutKeyAsync(string keyName, Key key, string keyScope, ScriptSecretsType secretsType)
         {
             if (key?.Value == null)
             {
                 return BadRequest("Invalid key value");
             }
 
-            return await AddOrUpdateFunctionSecretAsync(keyName, key.Value, functionName);
+            return await AddOrUpdateSecretAsync(keyName, key.Value, keyScope, secretsType);
         }
 
-        private async Task<IHttpActionResult> AddOrUpdateFunctionSecretAsync(string keyName, string value, string functionName = null)
+        private async Task<IHttpActionResult> AddOrUpdateSecretAsync(string keyName, string value, string keyScope, ScriptSecretsType secretsType)
         {
-            if (functionName != null &&
-                !_scriptHostManager.Instance.IsFunction(functionName))
+            if (secretsType == ScriptSecretsType.Function && keyScope != null && !_scriptHostManager.Instance.IsFunction(keyScope))
             {
                 return NotFound();
             }
 
             KeyOperationResult operationResult;
-            if (functionName == null && string.Equals(keyName, MasterKeyName, StringComparison.OrdinalIgnoreCase))
+            if (secretsType == ScriptSecretsType.Host && string.Equals(keyName, MasterKeyName, StringComparison.OrdinalIgnoreCase))
             {
                 operationResult = await _secretManager.SetMasterKeyAsync(value);
             }
             else
             {
-                operationResult = await _secretManager.AddOrUpdateFunctionSecretAsync(keyName, value, functionName);
+                operationResult = await _secretManager.AddOrUpdateFunctionSecretAsync(keyName, value, keyScope, secretsType);
             }
 
-            _traceWriter.VerboseFormat(Resources.TraceKeysApiSecretChange, keyName, functionName ?? "host", operationResult.Result);
+            _traceWriter.VerboseFormat(Resources.TraceKeysApiSecretChange, keyName, keyScope ?? "host", operationResult.Result);
 
             switch (operationResult.Result)
             {
@@ -139,22 +154,38 @@ private async Task<IHttpActionResult> AddOrUpdateFunctionSecretAsync(string keyN
             }
         }
 
-        private async Task<IHttpActionResult> DeleteFunctionSecretAsync(string keyName, string functionName = null)
+        private async Task<Dictionary<string, string>> GetHostSecretsByScope(string secretsScope)
+        {
+            var hostSecrets = await _secretManager.GetHostSecretsAsync();
+
+            if (string.Equals(secretsScope, HostKeyScopes.FunctionKeys, StringComparison.OrdinalIgnoreCase))
+            {
+                return hostSecrets.FunctionKeys;
+            } 
+            else if (string.Equals(secretsScope, HostKeyScopes.SystemKeys, StringComparison.OrdinalIgnoreCase))
+            {
+                return hostSecrets.SystemKeys;
+            }
+            
+            return null;
+        }
+
+        private async Task<IHttpActionResult> DeleteFunctionSecretAsync(string keyName, string keyScope, ScriptSecretsType secretsType)
         {
             if (keyName == null || keyName.StartsWith("_"))
             {
                 // System keys cannot be deleted.
                 return BadRequest("Invalid key name.");
             }
 
-            if ((functionName != null && !_scriptHostManager.Instance.IsFunction(functionName)) ||
-                !await _secretManager.DeleteSecretAsync(keyName, functionName))
+            if ((secretsType == ScriptSecretsType.Function && !_scriptHostManager.Instance.IsFunction(keyScope)) ||
+                !await _secretManager.DeleteSecretAsync(keyName, keyScope, secretsType))
             {
                 // Either the function or the key were not found
                 return NotFound();
             }
 
-            _traceWriter.VerboseFormat(Resources.TraceKeysApiSecretChange, keyName, functionName ?? "host", "Deleted");
+            _traceWriter.VerboseFormat(Resources.TraceKeysApiSecretChange, keyName, keyScope ?? "host", "Deleted");
 
             return StatusCode(HttpStatusCode.NoContent);
         }

src/WebJobs.Script.WebHost/Filters/AuthorizationLevelAttribute.cs

@@ -18,13 +18,16 @@ public sealed class AuthorizationLevelAttribute : AuthorizationFilterAttribute
     {
         public const string FunctionsKeyHeaderName = "x-functions-key";
 
-        public AuthorizationLevelAttribute(AuthorizationLevel level)
+        public AuthorizationLevelAttribute(AuthorizationLevel level, string keyName = null)
         {
             Level = level;
+            KeyName = keyName;
         }
 
         public AuthorizationLevel Level { get; }
 
+        public string KeyName { get; }
+
         public async override Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
         {
             if (actionContext == null)
@@ -36,7 +39,7 @@ public async override Task OnAuthorizationAsync(HttpActionContext actionContext,
             // as a request property
             var secretManager = actionContext.ControllerContext.Configuration.DependencyResolver.GetService<ISecretManager>();
             var settings = actionContext.ControllerContext.Configuration.DependencyResolver.GetService<WebHostSettings>();
-            var requestAuthorizationLevel = await GetAuthorizationLevelAsync(actionContext.Request, secretManager);
+            var requestAuthorizationLevel = await GetAuthorizationLevelAsync(actionContext.Request, secretManager, keyName: KeyName);
             actionContext.Request.Properties[ScriptConstants.AzureFunctionsHttpRequestAuthorizationLevel] = requestAuthorizationLevel;
 
             if (settings.IsAuthDisabled || 
@@ -52,7 +55,7 @@ public async override Task OnAuthorizationAsync(HttpActionContext actionContext,
             }
         }
 
-        internal static async Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRequestMessage request, ISecretManager secretManager, string functionName = null)
+        internal static async Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRequestMessage request, ISecretManager secretManager, string functionName = null, string keyName = null)
         {
             // first see if a key value is specified via headers or query string (header takes precedence)
             IEnumerable<string> values;
@@ -77,9 +80,13 @@ internal static async Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRe
                     return AuthorizationLevel.Admin;
                 }
 
+                if (HasMatchingKey(hostSecrets.SystemKeys, keyValue, keyName))
+                {
+                    return AuthorizationLevel.System;
+                }
+
                 // see if the key specified matches the host function key
-                if (hostSecrets.FunctionKeys != null &&
-                    hostSecrets.FunctionKeys.Any(k => Key.SecretValueEquals(keyValue, k.Value)))
+                if (HasMatchingKey(hostSecrets.FunctionKeys, keyValue, keyName))
                 {
                     return AuthorizationLevel.Function;
                 }
@@ -88,8 +95,7 @@ internal static async Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRe
                 if (functionName != null)
                 {
                     IDictionary<string, string> functionSecrets = await secretManager.GetFunctionSecretsAsync(functionName);
-                    if (functionSecrets != null &&
-                        functionSecrets.Values.Any(s => Key.SecretValueEquals(keyValue, s)))
+                    if (HasMatchingKey(functionSecrets, keyValue, keyName))
                     {
                         return AuthorizationLevel.Function;
                     }
@@ -99,6 +105,10 @@ internal static async Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRe
             return AuthorizationLevel.Anonymous;
         }
 
+        private static bool HasMatchingKey(IDictionary<string, string> secrets, string keyValue, string keyName)
+            => secrets != null &&
+            secrets.Any(kvp => (keyName == null || string.Equals(kvp.Key, keyName, StringComparison.OrdinalIgnoreCase)) && Key.SecretValueEquals(kvp.Value, keyValue));
+
         internal static bool SkipAuthorization(HttpActionContext actionContext)
         {
             return actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Count > 0

src/WebJobs.Script.WebHost/GlobalSuppressions.cs

@@ -89,3 +89,6 @@
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Performance", "CA1822:MarkMembersAsStatic", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics.MetricsEventManager.#BeginEvent(System.String,System.String)")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics.SystemMetricEvent.#DebugValue")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Performance", "CA1822:MarkMembersAsStatic", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Controllers.AdminController.#Ping()")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.HostSecretsInfo.#SystemKeys")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1721:PropertyNamesShouldNotMatchGetMethods", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.FunctionSecrets.#Keys")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.HostSecrets.#SystemKeys")]

src/WebJobs.Script.WebHost/Security/FunctionSecrets.cs

@@ -26,12 +26,11 @@ public FunctionSecrets(IList<Key> keys)
         [JsonIgnore]
         public override bool HasStaleKeys => Keys?.Any(k => k.IsStale) ?? false;
 
-        [JsonIgnore]
-        protected override ICollection<Key> InnerFunctionKeys => Keys;
-
         [JsonIgnore]
         public override ScriptSecretsType SecretsType => ScriptSecretsType.Function;
 
+        protected override ICollection<Key> GetKeys(string keyScope) => Keys;
+
         public override ScriptSecrets Refresh(IKeyValueConverterFactory factory)
         {
             var keys = Keys.Select(k => factory.GetValueWriter(k).WriteValue(k)).ToList();

src/WebJobs.Script.WebHost/Security/HostKeyScopes.cs

@@ -0,0 +1,17 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    public static class HostKeyScopes
+    {
+        public const string FunctionKeys = "functionkeys";
+
+        public const string SystemKeys = "systemkeys";
+    }
+}

src/WebJobs.Script.WebHost/Security/HostSecrets.cs

@@ -15,21 +15,37 @@ public class HostSecrets : ScriptSecrets
         [JsonProperty(PropertyName = "functionKeys")]
         public IList<Key> FunctionKeys { get; set; }
 
-        [JsonIgnore]
-        public override bool HasStaleKeys => (MasterKey?.IsStale ?? false) || (FunctionKeys?.Any(k => k.IsStale) ?? false);
+        [JsonProperty(PropertyName = "systemKeys")]
+        public IList<Key> SystemKeys { get; set; }
 
         [JsonIgnore]
-        protected override ICollection<Key> InnerFunctionKeys => FunctionKeys;
+        public override bool HasStaleKeys => (MasterKey?.IsStale ?? false)
+            || (FunctionKeys?.Any(k => k.IsStale) ?? false) || (SystemKeys?.Any(k => k.IsStale) ?? false);
 
         [JsonIgnore]
         public override ScriptSecretsType SecretsType => ScriptSecretsType.Host;
 
+        protected override ICollection<Key> GetKeys(string keyScope)
+        {
+            if (string.Equals(keyScope, HostKeyScopes.FunctionKeys, System.StringComparison.OrdinalIgnoreCase))
+            {
+                return FunctionKeys;
+            }
+            else if (string.Equals(keyScope, HostKeyScopes.SystemKeys, System.StringComparison.OrdinalIgnoreCase))
+            {
+                return SystemKeys;
+            }
+
+            return null;
+        }
+
         public override ScriptSecrets Refresh(IKeyValueConverterFactory factory)
         {
             var secrets = new HostSecrets
             {
                 MasterKey = factory.WriteKey(MasterKey),
-                FunctionKeys = FunctionKeys.Select(k => factory.WriteKey(k)).ToList()
+                FunctionKeys = FunctionKeys.Select(k => factory.WriteKey(k)).ToList(),
+                SystemKeys = SystemKeys.Select(k => factory.WriteKey(k)).ToList()
             };
 
             return secrets;

src/WebJobs.Script.WebHost/Security/HostSecretsInfo.cs

@@ -10,5 +10,7 @@ public class HostSecretsInfo
         public string MasterKey { get; set; }
 
         public Dictionary<string, string> FunctionKeys { get; set; }
+
+        public Dictionary<string, string> SystemKeys { get; set; }
     }
 }

src/WebJobs.Script.WebHost/Security/ISecretManager.cs

@@ -13,9 +13,11 @@ public interface ISecretManager
         /// Deletes a function secret.
         /// </summary>
         /// <param name="secretName">The name of the secret to be deleted.</param>
-        /// <param name="functionName">The function name, in case of a function level secret; <see cref="null"/> if this is a host level function secret.</param>
+        /// <param name="keyScope">The target scope for the key. In case of a function level secrets, this will be the name of the function,
+        /// for host level secrets, this will identify the host secret type.</param>
+        /// <param name="secretsType">The target secrets type.</param>
         /// <returns>True if the secret was successfully deleted; otherwise, false.</returns>
-        Task<bool> DeleteSecretAsync(string secretName, string functionName = null);
+        Task<bool> DeleteSecretAsync(string secretName, string keyScope, ScriptSecretsType secretsType);
 
         /// <summary>
         /// Retrieves function secrets.
@@ -37,9 +39,11 @@ public interface ISecretManager
         /// </summary>
         /// <param name="secretName">The name of the secret to be created or updated.</param>
         /// <param name="secret">The secret value.</param>
-        /// <param name="functionName">The optional function name. If not provided, the function secret will be created at the host level.</param>
+        /// <param name="keyScope">The target scope for the key. For function level secrets, this will be the name of the function,
+        /// for host level secrets, this will identify the host secret type.</param>
+        /// <param name="secretsType">The target secrets type.</param>
         /// <returns>A <see cref="Task"/> that completes when the operation is finished.</returns>
-        Task<KeyOperationResult> AddOrUpdateFunctionSecretAsync(string secretName, string secret, string functionName = null);
+        Task<KeyOperationResult> AddOrUpdateFunctionSecretAsync(string secretName, string secret, string keyScope, ScriptSecretsType secretsType);
 
         /// <summary>
         /// Updates the host master key.