Use auth to decrypt signature and use container name for audience for… (#9348)

Tonewall · Tony Choi · web-flow · commit 6ca3775826cf · 2023-06-27T10:34:23.000-07:00
* Use auth to decrypt signature and use container name for audience for cv1

* Adding unit tests

* Unit test resetting container name

* clean up

* Encrypt and decrypt with signature test

---------

Co-authored-by: Tony Choi &lt;tonychoi@microsoft.com&gt;
diff --git a/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs b/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs
@@ -73,13 +73,22 @@ public static AuthenticationBuilder AddScriptJwtBearer(this AuthenticationBuilde
 
         private static string[] GetValidAudiences()
         {
-            if (SystemEnvironment.Instance.IsPlaceholderModeEnabled() &&
-                SystemEnvironment.Instance.IsFlexConsumptionSku())
+            if (SystemEnvironment.Instance.IsPlaceholderModeEnabled())
             {
-                return new string[]
+                if (SystemEnvironment.Instance.IsFlexConsumptionSku())
                 {
-                    ScriptSettingsManager.Instance.GetSetting(WebsitePodName)
-                };
+                    return new string[]
+                    {
+                        ScriptSettingsManager.Instance.GetSetting(WebsitePodName)
+                    };
+                }
+                else if (SystemEnvironment.Instance.IsLinuxConsumptionOnAtlas())
+                {
+                    return new string[]
+                    {
+                        ScriptSettingsManager.Instance.GetSetting(ContainerName)
+                    };
+                }
             }
 
             return new string[]
diff --git a/src/WebJobs.Script.WebHost/Security/SimpleWebTokenHelper.cs b/src/WebJobs.Script.WebHost/Security/SimpleWebTokenHelper.cs
@@ -15,14 +15,14 @@ public static class SimpleWebTokenHelper
         /// <summary>
         /// A SWT or a Simple Web Token is a token that's made of key=value pairs separated
         /// by &. We only specify expiration in ticks from now (exp={ticks})
-        /// The SWT is then returned as an encrypted string
+        /// The SWT is then returned as an encrypted string.
         /// </summary>
-        /// <param name="validUntil">Datetime for when the token should expire</param>
-        /// <param name="key">Optional key to encrypt the token with</param>
-        /// <returns>a SWT signed by this app</returns>
+        /// <param name="validUntil">Datetime for when the token should expire.</param>
+        /// <param name="key">Optional key to encrypt the token with.</param>
+        /// <returns>a SWT signed by this app.</returns>
         public static string CreateToken(DateTime validUntil, byte[] key = null) => Encrypt($"exp={validUntil.Ticks}", key);
 
-        internal static string Encrypt(string value, byte[] key = null, IEnvironment environment = null)
+        internal static string Encrypt(string value, byte[] key = null, IEnvironment environment = null, bool includesSignature = false)
         {
             key = key ?? SecretsUtility.GetEncryptionKey(environment);
 
@@ -45,23 +45,31 @@ internal static string Encrypt(string value, byte[] key = null, IEnvironment env
                         cryptoStream.FlushFinalBlock();
                     }
 
-                    // return {iv}.{swt}.{sha236(key)}
-                    return string.Format("{0}.{1}.{2}", iv, Convert.ToBase64String(cipherStream.ToArray()), GetSHA256Base64String(aes.Key));
+                    if (includesSignature)
+                    {
+                        return $"{Convert.ToBase64String(aes.IV)}.{Convert.ToBase64String(cipherStream.ToArray())}.{GetSHA256Base64String(aes.Key)}.{Convert.ToBase64String(ComputeHMACSHA256(aes.Key, input))}";
+                    }
+                    else
+                    {
+                        // return {iv}.{swt}.{sha236(key)}
+                        return string.Format("{0}.{1}.{2}", iv, Convert.ToBase64String(cipherStream.ToArray()), GetSHA256Base64String(aes.Key));
+                    }
                 }
             }
         }
 
         public static string Decrypt(byte[] encryptionKey, string value)
         {
             var parts = value.Split(new[] { '.' }, StringSplitOptions.RemoveEmptyEntries);
-            if (parts.Length != 2 && parts.Length != 3)
+            if (parts.Length != 2 && parts.Length != 3 && parts.Length != 4)
             {
                 throw new InvalidOperationException("Malformed token.");
             }
 
             var iv = Convert.FromBase64String(parts[0]);
             var data = Convert.FromBase64String(parts[1]);
             var base64KeyHash = parts.Length == 3 ? parts[2] : null;
+            var signature = parts.Length == 4 ? Convert.FromBase64String(parts[3]) : null;
 
             if (!string.IsNullOrEmpty(base64KeyHash) && !string.Equals(GetSHA256Base64String(encryptionKey), base64KeyHash))
             {
@@ -80,7 +88,13 @@ public static string Decrypt(byte[] encryptionKey, string value)
                         binaryWriter.Write(data, 0, data.Length);
                     }
 
-                    return Encoding.UTF8.GetString(ms.ToArray());
+                    var input = ms.ToArray();
+                    if (signature != null && !signature.SequenceEqual(ComputeHMACSHA256(encryptionKey, input)))
+                    {
+                        throw new InvalidOperationException("Signature mismatches!");
+                    }
+
+                    return Encoding.UTF8.GetString(input);
                 }
             }
         }
@@ -125,5 +139,13 @@ private static string GetSHA256Base64String(byte[] key)
                 return Convert.ToBase64String(sha256.ComputeHash(key));
             }
         }
+
+        private static byte[] ComputeHMACSHA256(byte[] key, byte[] input)
+        {
+            using (var hmacSha256 = new HMACSHA256(key))
+            {
+                return hmacSha256.ComputeHash(input);
+            }
+        }
     }
 }
diff --git a/src/WebJobs.Script/Config/ScriptSettingsManager.cs b/src/WebJobs.Script/Config/ScriptSettingsManager.cs
@@ -31,7 +31,7 @@ public static ScriptSettingsManager Instance
         }
 
         /// <summary>
-        /// Gets a value indicating whether we are running in App Service
+        /// Gets a value indicating whether we are running in App Service.
         /// </summary>
         public virtual bool IsAppServiceEnvironment => !string.IsNullOrEmpty(GetSetting(EnvironmentSettingNames.AzureWebsiteInstanceId));
 
diff --git a/test/WebJobs.Script.Tests/Extensions/ScriptJwtBearerExtensionsTests.cs b/test/WebJobs.Script.Tests/Extensions/ScriptJwtBearerExtensionsTests.cs
@@ -6,6 +6,7 @@
 using System.Linq;
 using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Extensions.DependencyInjection;
+using NuGet.Configuration;
 using Xunit;
 using static Microsoft.Azure.WebJobs.Script.EnvironmentSettingNames;
 
@@ -21,9 +22,11 @@ public class ScriptJwtBearerExtensionsTests
         public void CreateTokenValidationParameters_HasExpectedAudience(bool isPlaceholderModeEnabled, bool isLinuxConsumptionOnLegion)
         {
             var podName = "RandomPodName";
+            var containerName = "RandomContainerName";
             var siteName = "RandomSiteName";
             ScriptSettingsManager.Instance.SetSetting(AzureWebsiteName, siteName);
             ScriptSettingsManager.Instance.SetSetting(WebsitePodName, podName);
+            ScriptSettingsManager.Instance.SetSetting(ContainerName, string.Empty);
 
             var expectedWithSiteName = new string[]
             {
@@ -34,6 +37,7 @@ public void CreateTokenValidationParameters_HasExpectedAudience(bool isPlacehold
             {
                 ScriptSettingsManager.Instance.GetSetting(WebsitePodName)
             };
+            var expectedWithContainerName = new string[] { };
 
             var testData = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
 
@@ -48,6 +52,16 @@ public void CreateTokenValidationParameters_HasExpectedAudience(bool isPlacehold
                 testData[WebsitePodName] = podName;
                 testData[LegionServiceHost] = "1";
             }
+            else
+            {
+                ScriptSettingsManager.Instance.SetSetting(ContainerName, containerName);
+                expectedWithContainerName = new string[]
+                {
+                    ScriptSettingsManager.Instance.GetSetting(ContainerName)
+                };
+                testData[AzureWebsiteInstanceId] = string.Empty;
+                testData[ContainerName] = containerName;
+            }
 
             testData[ContainerEncryptionKey] = Convert.ToBase64String(TestHelpers.GenerateKeyBytes());
             using (new TestScopedEnvironmentVariable(testData))
@@ -61,6 +75,11 @@ public void CreateTokenValidationParameters_HasExpectedAudience(bool isPlacehold
                     Assert.Equal(audiences.Count, expectedWithPodName.Length);
                     Assert.Equal(audiences[0], expectedWithPodName[0]);
                 }
+                else if (isPlaceholderModeEnabled)
+                {
+                    Assert.Equal(audiences.Count, expectedWithContainerName.Length);
+                    Assert.Equal(audiences[0], expectedWithContainerName[0]);
+                }
                 else
                 {
                     Assert.Equal(audiences.Count, expectedWithSiteName.Length);
diff --git a/test/WebJobs.Script.Tests/Helpers/SimpleWebTokenTests.cs b/test/WebJobs.Script.Tests/Helpers/SimpleWebTokenTests.cs
@@ -2,8 +2,12 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
+using System.Collections.Generic;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.Azure.WebJobs.Script.WebHost;
+using Microsoft.Azure.WebJobs.Script.WebHost.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
+using Newtonsoft.Json;
 using Xunit;
 
 namespace Microsoft.Azure.WebJobs.Script.Tests.Helpers
@@ -89,11 +93,63 @@ public void Validate_Token_Uses_Website_Encryption_Key_If_Container_Encryption_K
             Assert.True(SimpleWebTokenHelper.TryValidateToken(token, new SystemClock()));
         }
 
+        [Fact]
+        public void Validate_Token_Checks_Signature_If_Signature_Is_Available()
+        {
+            var websiteAuthEncryptionKey = TestHelpers.GenerateKeyBytes();
+            var websiteAuthEncryptionStringKey = TestHelpers.GenerateKeyHexString(websiteAuthEncryptionKey);
+
+            var timeStamp = DateTime.UtcNow.AddHours(1);
+
+            Environment.SetEnvironmentVariable(EnvironmentSettingNames.ContainerEncryptionKey, string.Empty);
+            Environment.SetEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, websiteAuthEncryptionStringKey);
+
+            var token = SimpleWebTokenHelper.Encrypt($"exp={timeStamp.Ticks}", websiteAuthEncryptionKey, includesSignature: true);
+
+            Assert.True(SimpleWebTokenHelper.TryValidateToken(token, new SystemClock()));
+        }
+
+        [Fact]
+        public void Encrypt_And_Decrypt_Context_With_Signature()
+        {
+            var websiteAuthEncryptionKey = TestHelpers.GenerateKeyBytes();
+            var websiteAuthEncryptionStringKey = TestHelpers.GenerateKeyHexString(websiteAuthEncryptionKey);
+            var hostContext = GetHostAssignmentContext();
+            var hostContextJson = JsonConvert.SerializeObject(hostContext);
+
+            Environment.SetEnvironmentVariable(EnvironmentSettingNames.ContainerEncryptionKey, string.Empty);
+            Environment.SetEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, websiteAuthEncryptionStringKey);
+
+            var encryptedHostContextWithSignature = SimpleWebTokenHelper.Encrypt(hostContextJson, websiteAuthEncryptionKey, includesSignature: true);
+
+            var decryptedHostContextJson = SimpleWebTokenHelper.Decrypt(websiteAuthEncryptionKey, encryptedHostContextWithSignature);
+
+            Assert.Equal(hostContextJson, decryptedHostContextJson);
+        }
+
         public void Dispose()
         {
             // Clean up
             Environment.SetEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, string.Empty);
             Environment.SetEnvironmentVariable(EnvironmentSettingNames.ContainerEncryptionKey, string.Empty);
         }
+
+        private static HostAssignmentContext GetHostAssignmentContext()
+        {
+            var hostAssignmentContext = new HostAssignmentContext();
+            hostAssignmentContext.SiteId = 1;
+            hostAssignmentContext.SiteName = "sitename";
+            hostAssignmentContext.LastModifiedTime = DateTime.UtcNow.Add(TimeSpan.FromMinutes(new Random().Next()));
+            hostAssignmentContext.Environment = new Dictionary<string, string>();
+            hostAssignmentContext.MSIContext = new MSIContext();
+            hostAssignmentContext.EncryptedTokenServiceSpecializationPayload = "payload";
+            hostAssignmentContext.TokenServiceApiEndpoint = "endpoints";
+            hostAssignmentContext.CorsSettings = new CorsSettings();
+            hostAssignmentContext.EasyAuthSettings = new EasyAuthSettings();
+            hostAssignmentContext.Secrets = new FunctionAppSecrets();
+            hostAssignmentContext.IsWarmupRequest = false;
+
+            return hostAssignmentContext;
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -15,14 +15,14 @@ public static class SimpleWebTokenHelper`
`15`	`15`	`/// <summary>`
`16`	`16`	`/// A SWT or a Simple Web Token is a token that's made of key=value pairs separated`
`17`	`17`	`/// by &. We only specify expiration in ticks from now (exp={ticks})`
`18`		`- /// The SWT is then returned as an encrypted string`
	`18`	`+ /// The SWT is then returned as an encrypted string.`
`19`	`19`	`/// </summary>`
`20`		`- /// <param name="validUntil">Datetime for when the token should expire</param>`
`21`		`- /// <param name="key">Optional key to encrypt the token with</param>`
`22`		`- /// <returns>a SWT signed by this app</returns>`
	`20`	`+ /// <param name="validUntil">Datetime for when the token should expire.</param>`
	`21`	`+ /// <param name="key">Optional key to encrypt the token with.</param>`
	`22`	`+ /// <returns>a SWT signed by this app.</returns>`
`23`	`23`	`public static string CreateToken(DateTime validUntil, byte[] key = null) => Encrypt($"exp={validUntil.Ticks}", key);`
`24`	`24`
`25`		`- internal static string Encrypt(string value, byte[] key = null, IEnvironment environment = null)`
	`25`	`+ internal static string Encrypt(string value, byte[] key = null, IEnvironment environment = null, bool includesSignature = false)`
`26`	`26`	`{`
`27`	`27`	`key = key ?? SecretsUtility.GetEncryptionKey(environment);`
`28`	`28`
`@@ -45,23 +45,31 @@ internal static string Encrypt(string value, byte[] key = null, IEnvironment env`
`45`	`45`	`cryptoStream.FlushFinalBlock();`
`46`	`46`	`}`
`47`	`47`
`48`		`- // return {iv}.{swt}.{sha236(key)}`
`49`		`- return string.Format("{0}.{1}.{2}", iv, Convert.ToBase64String(cipherStream.ToArray()), GetSHA256Base64String(aes.Key));`
	`48`	`+ if (includesSignature)`
	`49`	`+ {`
	`50`	`+ return $"{Convert.ToBase64String(aes.IV)}.{Convert.ToBase64String(cipherStream.ToArray())}.{GetSHA256Base64String(aes.Key)}.{Convert.ToBase64String(ComputeHMACSHA256(aes.Key, input))}";`
	`51`	`+ }`
	`52`	`+ else`
	`53`	`+ {`
	`54`	`+ // return {iv}.{swt}.{sha236(key)}`
	`55`	`+ return string.Format("{0}.{1}.{2}", iv, Convert.ToBase64String(cipherStream.ToArray()), GetSHA256Base64String(aes.Key));`
	`56`	`+ }`
`50`	`57`	`}`
`51`	`58`	`}`
`52`	`59`	`}`
`53`	`60`
`54`	`61`	`public static string Decrypt(byte[] encryptionKey, string value)`
`55`	`62`	`{`
`56`	`63`	`var parts = value.Split(new[] { '.' }, StringSplitOptions.RemoveEmptyEntries);`
`57`		`- if (parts.Length != 2 && parts.Length != 3)`
	`64`	`+ if (parts.Length != 2 && parts.Length != 3 && parts.Length != 4)`
`58`	`65`	`{`
`59`	`66`	`throw new InvalidOperationException("Malformed token.");`
`60`	`67`	`}`
`61`	`68`
`62`	`69`	`var iv = Convert.FromBase64String(parts[0]);`
`63`	`70`	`var data = Convert.FromBase64String(parts[1]);`
`64`	`71`	`var base64KeyHash = parts.Length == 3 ? parts[2] : null;`
	`72`	`+ var signature = parts.Length == 4 ? Convert.FromBase64String(parts[3]) : null;`
`65`	`73`
`66`	`74`	`if (!string.IsNullOrEmpty(base64KeyHash) && !string.Equals(GetSHA256Base64String(encryptionKey), base64KeyHash))`
`67`	`75`	`{`
`@@ -80,7 +88,13 @@ public static string Decrypt(byte[] encryptionKey, string value)`
`80`	`88`	`binaryWriter.Write(data, 0, data.Length);`
`81`	`89`	`}`
`82`	`90`
`83`		`- return Encoding.UTF8.GetString(ms.ToArray());`
	`91`	`+ var input = ms.ToArray();`
	`92`	`+ if (signature != null && !signature.SequenceEqual(ComputeHMACSHA256(encryptionKey, input)))`
	`93`	`+ {`
	`94`	`+ throw new InvalidOperationException("Signature mismatches!");`
	`95`	`+ }`
	`96`	`+`
	`97`	`+ return Encoding.UTF8.GetString(input);`
`84`	`98`	`}`
`85`	`99`	`}`
`86`	`100`	`}`
`@@ -125,5 +139,13 @@ private static string GetSHA256Base64String(byte[] key)`
`125`	`139`	`return Convert.ToBase64String(sha256.ComputeHash(key));`
`126`	`140`	`}`
`127`	`141`	`}`
	`142`	`+`
	`143`	`+ private static byte[] ComputeHMACSHA256(byte[] key, byte[] input)`
	`144`	`+ {`
	`145`	`+ using (var hmacSha256 = new HMACSHA256(key))`
	`146`	`+ {`
	`147`	`+ return hmacSha256.ComputeHash(input);`
	`148`	`+ }`
	`149`	`+ }`
`128`	`150`	`}`
`129`	`151`	`}`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ public static ScriptSettingsManager Instance`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`/// <summary>`
`34`		`- /// Gets a value indicating whether we are running in App Service`
	`34`	`+ /// Gets a value indicating whether we are running in App Service.`
`35`	`35`	`/// </summary>`
`36`	`36`	`public virtual bool IsAppServiceEnvironment => !string.IsNullOrEmpty(GetSetting(EnvironmentSettingNames.AzureWebsiteInstanceId));`
`37`	`37`