Proxies redirecting to local function will return 401 if local function is not anonymou

#3489

Author: safihamid

src/WebJobs.Script.WebHost/Middleware/FunctionInvocationMiddleware.cs

@@ -186,16 +186,23 @@ private void PopulateRouteData(HttpContext context)
 
         private async Task<bool> AuthenticateAndAuthorizeAsync(HttpContext context, FunctionDescriptor descriptor)
         {
-            var policyEvaluator = context.RequestServices.GetRequiredService<IPolicyEvaluator>();
-            AuthorizationPolicy policy = AuthUtility.CreateFunctionPolicy();
+            if (!descriptor.Metadata.IsProxy)
+            {
+                var policyEvaluator = context.RequestServices.GetRequiredService<IPolicyEvaluator>();
+                AuthorizationPolicy policy = AuthUtility.CreateFunctionPolicy();
 
-            // Authenticate the request
-            var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);
+                // Authenticate the request
+                var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);
 
-            // Authorize using the function policy and resource
-            var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, descriptor);
+                // Authorize using the function policy and resource
+                var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, descriptor);
 
-            return authorizeResult.Succeeded;
+                return authorizeResult.Succeeded;
+            }
+            else
+            {
+                return true;
+            }
         }
 
         internal static void SetRequestId(HttpRequest request)

test/WebJobs.Script.Tests.Integration/TestScripts/Proxies/PingAuth/function.json

@@ -0,0 +1,16 @@
+{
+    "bindings": [
+        {
+            "authLevel": "function",
+            "name": "req",
+            "type": "httpTrigger",
+            "direction": "in"
+        },
+        {
+            "name": "$return",
+            "type": "http",
+            "direction": "out"
+        }
+    ],
+    "disabled": false
+}

test/WebJobs.Script.Tests.Integration/TestScripts/Proxies/PingAuth/run.csx

@@ -0,0 +1 @@
+public static string Run(HttpRequestMessage req) => "Pong";

test/WebJobs.Script.Tests.Integration/TestScripts/Proxies/proxies.json

@@ -49,6 +49,18 @@
         "backend.request.headers.accept": "text/plain"
       }
     },
+    "LocalFunctionCallWithAuth": {
+      "matchCondition": {
+        "methods": [
+          "GET"
+        ],
+        "route": "/myhttptriggerauth"
+      },
+      "backendUri": "https://localhost/api/PingAuth",
+      "requestOverrides": {
+        "backend.request.headers.accept": "text/plain"
+      }
+    },
     "LongRoute": {
       "matchCondition": {
         "route": "/test123412341234123412341234123412341234123412341234123412341234123412341234123421341234123423141234123412341234123412341234123412341234123412341234123412341234123412341234123412341234213423141234123412341234123412341234123412341234123412341234123412341234123412341234123412341234"

test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/ProxyEndToEndTests.cs

@@ -18,6 +18,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
+using Moq;
 using Xunit;
 
 namespace Microsoft.Azure.WebJobs.Script.Tests
@@ -43,7 +44,7 @@ public async Task ListFunctions_Proxies_Succeeds()
             var response = await _fixture.HttpClient.SendAsync(request);
             var metadata = (await response.Content.ReadAsAsync<IEnumerable<FunctionMetadataResponse>>()).ToArray();
 
-            Assert.Equal(18, metadata.Length);
+            Assert.Equal(20, metadata.Length);
             var function = metadata.Single(p => p.Name == "PingRoute");
             Assert.Equal("https://localhost/myroute/mysubroute", function.InvokeUrlTemplate.AbsoluteUri);
 
@@ -60,7 +61,7 @@ public async Task ListFunctions_Proxies_Succeeds()
             response = await _fixture.HttpClient.SendAsync(request);
             metadata = (await response.Content.ReadAsAsync<IEnumerable<FunctionMetadataResponse>>()).ToArray();
             Assert.False(metadata.Any(p => p.IsProxy));
-            Assert.Equal(2, metadata.Length);
+            Assert.Equal(3, metadata.Length);
         }
 
         [Fact]
@@ -109,6 +110,18 @@ public async Task LocalFunctionCall()
             Assert.Equal("Pong", content);
         }
 
+        [Fact]
+        public async Task LocalFunctionCallWithAuth()
+        {
+            string functionKey = await _fixture.GetFunctionSecretAsync("PingAuth");
+
+            HttpResponseMessage response = await _fixture.HttpClient.GetAsync($"myhttptriggerauth?code={functionKey}");
+
+            string content = await response.Content.ReadAsStringAsync();
+            Assert.Equal("200", response.StatusCode.ToString("D"));
+            Assert.Equal("Pong", content);
+        }
+
         [Fact]
         public async Task LocalFunctionInfiniteRedirectTest()
         {
@@ -341,6 +354,13 @@ public TestFixture()
                 TestHelpers.WaitForWebHost(HttpClient);
             }
 
+            public async Task<string> GetFunctionSecretAsync(string functionName)
+            {
+                var secretManager = _testServer.Host.Services.GetService<ISecretManagerProvider>().Current;
+                var secrets = await secretManager.GetFunctionSecretsAsync(functionName);
+                return secrets.First().Value;
+            }
+
             public ScriptApplicationHostOptions HostOptions { get; private set; }
 
             public HttpClient HttpClient { get; set; }

test/WebJobs.Script.Tests.Shared/TestSecretManager.cs

@@ -26,8 +26,8 @@ public virtual Task<IDictionary<string, string>> GetFunctionSecretsAsync(string
         {
             return Task.FromResult<IDictionary<string, string>>(new Dictionary<string, string>
             {
-                { "Key1", "Value1" },
-                { "Key2", "Value2" },
+                { "Key1", $"{functionName}1".ToLowerInvariant() },
+                { "Key2", $"{functionName}2".ToLowerInvariant() },
             });
         }
 

test/WebJobs.Script.Tests/ProxyMetadataManagerTests.cs

@@ -48,7 +48,7 @@ public void ProxyMetadata_WhenProxyFileChanges_IsRefreshed()
 
                 Assert.NotSame(proxyMetadata1, proxyMetadata3);
 
-                Assert.Equal(16, proxyMetadata3.Functions.Length);
+                Assert.Equal(17, proxyMetadata3.Functions.Length);
             }
         }
     }