Implementation of the ArmAuthenticationHandler.

Enhancements to authorization handler to support multile AuthLevel type
claims.

Author: fabiocav

src/WebJobs.Script.WebHost/Management/WebFunctionsManager.cs

@@ -15,6 +15,7 @@
 using Microsoft.Azure.WebJobs.Script.Management.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost.Extensions;
 using Microsoft.Azure.WebJobs.Script.WebHost.Helpers;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;

src/WebJobs.Script.WebHost/Models/EncryptedHostAssignmentContext.cs

@@ -2,7 +2,7 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
-using Microsoft.Azure.WebJobs.Script.WebHost.Helpers;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 using Newtonsoft.Json;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Models

src/WebJobs.Script.WebHost/Security/Authentication/Arm/ArmAuthenticationDefaults.cs

@@ -0,0 +1,15 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Security
+{
+    public static class ArmAuthenticationDefaults
+    {
+        public const string AuthenticationScheme = "ArmToken";
+    }
+}

src/WebJobs.Script.WebHost/Security/Authentication/Arm/ArmAuthenticationExtensions.cs

@@ -0,0 +1,19 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security.Authentication;
+
+namespace Microsoft.Extensions.DependencyInjection
+{
+    public static class ArmAuthenticationExtensions
+    {
+        public static AuthenticationBuilder AddArmToken(this AuthenticationBuilder builder)
+            => builder.AddScheme<ArmAuthenticationOptions, ArmAuthenticationHandler>(ArmAuthenticationDefaults.AuthenticationScheme, _ => { });
+    }
+}

src/WebJobs.Script.WebHost/Security/Authentication/Arm/ArmAuthenticationHandler.cs

@@ -0,0 +1,69 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Primitives;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Security.Authentication
+{
+    public class ArmAuthenticationHandler : AuthenticationHandler<ArmAuthenticationOptions>
+    {
+        internal const string ArmTokenHeaderName = "x-ms-site-restricted-token";
+
+        private readonly ILogger _logger;
+
+        public ArmAuthenticationHandler(IOptionsMonitor<ArmAuthenticationOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
+            : base(options, logger, encoder, clock)
+        {
+            _logger = logger.CreateLogger<ArmAuthenticationHandler>();
+        }
+
+        protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            AuthenticateResult result = HandleAuthenticate();
+
+            return Task.FromResult(result);
+        }
+
+        private AuthenticateResult HandleAuthenticate()
+        {
+            string token = null;
+            if (!Context.Request.Headers.TryGetValue(ArmTokenHeaderName, out StringValues values))
+            {
+                return AuthenticateResult.NoResult();
+            }
+
+            token = values.First();
+
+            try
+            {
+                if (!SimpleWebTokenHelper.ValidateToken(token, Clock))
+                {
+                    return AuthenticateResult.Fail("Token validation failed.");
+                }
+
+                var claims = new List<Claim>
+                {
+                    new Claim(SecurityConstants.AuthLevelClaimType, AuthorizationLevel.Admin.ToString())
+                };
+
+                var identity = new ClaimsIdentity(claims, ArmAuthenticationDefaults.AuthenticationScheme);
+                return AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name));
+            }
+            catch (Exception exc)
+            {
+                _logger.LogError(exc, "ARM authentication token validation failed.");
+                return AuthenticateResult.Fail(exc);
+            }
+        }
+    }
+}

src/WebJobs.Script.WebHost/Security/Authentication/Arm/ArmAuthenticationOptions.cs

@@ -0,0 +1,15 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Security.Authentication
+{
+    public class ArmAuthenticationOptions : AuthenticationSchemeOptions
+    {
+    }
+}