Adding HostingConfig for SWT token handling (#9700)

Author: mathewc

src/WebJobs.Script.WebHost/Management/FunctionsSyncManager.cs

@@ -15,14 +15,11 @@
 using Microsoft.Azure.WebJobs.Host.Executors;
 using Microsoft.Azure.WebJobs.Host.Storage;
 using Microsoft.Azure.WebJobs.Script.Config;
-using Microsoft.Azure.WebJobs.Script.DependencyInjection;
 using Microsoft.Azure.WebJobs.Script.Description;
 using Microsoft.Azure.WebJobs.Script.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost.Extensions;
 using Microsoft.Azure.WebJobs.Script.WebHost.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
-using Microsoft.Extensions.Configuration;
-using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Newtonsoft.Json;
@@ -58,30 +55,30 @@ public class FunctionsSyncManager : IFunctionsSyncManager, IDisposable
         private readonly ILogger _logger;
         private readonly HttpClient _httpClient;
         private readonly ISecretManagerProvider _secretManagerProvider;
-        private readonly IConfiguration _configuration;
         private readonly IHostIdProvider _hostIdProvider;
         private readonly IScriptWebHostEnvironment _webHostEnvironment;
         private readonly IEnvironment _environment;
         private readonly HostNameProvider _hostNameProvider;
         private readonly IFunctionMetadataManager _functionMetadataManager;
         private readonly SemaphoreSlim _syncSemaphore = new SemaphoreSlim(1, 1);
         private readonly IAzureBlobStorageProvider _azureBlobStorageProvider;
+        private readonly IOptions<FunctionsHostingConfigOptions> _hostingConfigOptions;
 
         private BlobClient _hashBlobClient;
 
-        public FunctionsSyncManager(IConfiguration configuration, IHostIdProvider hostIdProvider, IOptionsMonitor<ScriptApplicationHostOptions> applicationHostOptions, ILogger<FunctionsSyncManager> logger, IHttpClientFactory httpClientFactory, ISecretManagerProvider secretManagerProvider, IScriptWebHostEnvironment webHostEnvironment, IEnvironment environment, HostNameProvider hostNameProvider, IFunctionMetadataManager functionMetadataManager, IAzureBlobStorageProvider azureBlobStorageProvider)
+        public FunctionsSyncManager(IHostIdProvider hostIdProvider, IOptionsMonitor<ScriptApplicationHostOptions> applicationHostOptions, ILogger<FunctionsSyncManager> logger, IHttpClientFactory httpClientFactory, ISecretManagerProvider secretManagerProvider, IScriptWebHostEnvironment webHostEnvironment, IEnvironment environment, HostNameProvider hostNameProvider, IFunctionMetadataManager functionMetadataManager, IAzureBlobStorageProvider azureBlobStorageProvider, IOptions<FunctionsHostingConfigOptions> functionsHostingConfigOptions)
         {
             _applicationHostOptions = applicationHostOptions;
             _logger = logger;
             _httpClient = httpClientFactory.CreateClient();
             _secretManagerProvider = secretManagerProvider;
-            _configuration = configuration;
             _hostIdProvider = hostIdProvider;
             _webHostEnvironment = webHostEnvironment;
             _environment = environment;
             _hostNameProvider = hostNameProvider;
             _functionMetadataManager = functionMetadataManager;
             _azureBlobStorageProvider = azureBlobStorageProvider;
+            _hostingConfigOptions = functionsHostingConfigOptions;
         }
 
         internal bool ArmCacheEnabled
@@ -726,9 +723,6 @@ internal HttpRequestMessage BuildSetTriggersRequest()
         // of triggers. It'll verify app ownership using a SWT token valid for 5 minutes. It should be plenty.
         private async Task<(bool Success, string ErrorMessage)> SetTriggersAsync(string content)
         {
-            string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
-            string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
-
             string sanitizedContentString = content;
             if (ArmCacheEnabled)
             {
@@ -746,10 +740,17 @@ internal HttpRequestMessage BuildSetTriggersRequest()
                 var requestId = Guid.NewGuid().ToString();
                 request.Headers.Add(ScriptConstants.AntaresLogIdHeaderName, requestId);
                 request.Headers.Add("User-Agent", ScriptConstants.FunctionsUserAgent);
-                request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
-                request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
                 request.Content = new StringContent(content, Encoding.UTF8, "application/json");
 
+                if (_hostingConfigOptions.Value.SwtIssuerEnabled)
+                {
+                    string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+                    request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
+                }
+
+                string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+                request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
+
                 if (_environment.IsManagedAppEnvironment())
                 {
                     request.Headers.Add("K8SE-APP-NAME", _environment.GetEnvironmentVariable("CONTAINER_APP_NAME"));

src/WebJobs.Script.WebHost/Metrics/LinuxContainerMetricsPublisher.cs

@@ -11,6 +11,7 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.WebHost.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 using Microsoft.Extensions.Logging;
@@ -38,6 +39,7 @@ public class LinuxContainerMetricsPublisher : IMetricsPublisher
         private readonly IDisposable _standbyOptionsOnChangeSubscription;
         private readonly string _requestUri;
         private readonly IEnvironment _environment;
+        private readonly IOptions<FunctionsHostingConfigOptions> _hostingConfigOptions;
 
         // Buffer for all memory activities for this container.
         private BlockingCollection<MemoryActivity> _memoryActivities;
@@ -63,14 +65,15 @@ public class LinuxContainerMetricsPublisher : IMetricsPublisher
         private string _stampName;
         private bool _initialized = false;
 
-        public LinuxContainerMetricsPublisher(IEnvironment environment, IOptionsMonitor<StandbyOptions> standbyOptions, ILogger<LinuxContainerMetricsPublisher> logger, HostNameProvider hostNameProvider, HttpClient httpClient = null)
+        public LinuxContainerMetricsPublisher(IEnvironment environment, IOptionsMonitor<StandbyOptions> standbyOptions, ILogger<LinuxContainerMetricsPublisher> logger, HostNameProvider hostNameProvider, IOptions<FunctionsHostingConfigOptions> functionsHostingConfigOptions, HttpClient httpClient = null)
         {
             _standbyOptions = standbyOptions ?? throw new ArgumentNullException(nameof(standbyOptions));
             _environment = environment ?? throw new ArgumentNullException(nameof(environment));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
             _hostNameProvider = hostNameProvider ?? throw new ArgumentNullException(nameof(hostNameProvider));
             _memoryActivities = new BlockingCollection<MemoryActivity>(new ConcurrentQueue<MemoryActivity>(), boundedCapacity: _maxBufferSize);
             _functionActivities = new BlockingCollection<FunctionActivity>(new ConcurrentQueue<FunctionActivity>(), boundedCapacity: _maxBufferSize);
+            _hostingConfigOptions = functionsHostingConfigOptions;
 
             _currentMemoryActivities = new ConcurrentQueue<MemoryActivity>();
             _currentFunctionActivities = new ConcurrentQueue<FunctionActivity>();
@@ -284,16 +287,20 @@ private HttpRequestMessage BuildRequest<TContent>(HttpMethod method, string path
                 Content = new ObjectContent<TContent>(content, new JsonMediaTypeFormatter())
             };
 
-            string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
-            string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
-
             // add the required authentication headers
             request.Headers.Add(ContainerNameHeader, _containerName);
             request.Headers.Add(HostNameHeader, _hostNameProvider.Value);
-            request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
-            request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
             request.Headers.Add(StampNameHeader, _stampName);
 
+            if (_hostingConfigOptions.Value.SwtIssuerEnabled)
+            {
+                string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+                request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
+            }
+
+            string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+            request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
+
             return request;
         }
 

src/WebJobs.Script.WebHost/Security/Authentication/Arm/ArmAuthenticationHandler.cs

@@ -9,6 +9,7 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
@@ -18,11 +19,13 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost.Security.Authentication
     public class ArmAuthenticationHandler : AuthenticationHandler<ArmAuthenticationOptions>
     {
         private readonly ILogger _logger;
+        private readonly IOptions<FunctionsHostingConfigOptions> _hostingConfigOptions;
 
-        public ArmAuthenticationHandler(IOptionsMonitor<ArmAuthenticationOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
+        public ArmAuthenticationHandler(IOptionsMonitor<ArmAuthenticationOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IOptions<FunctionsHostingConfigOptions> functionsHostingConfigOptions)
             : base(options, logger, encoder, clock)
         {
             _logger = logger.CreateLogger<ArmAuthenticationHandler>();
+            _hostingConfigOptions = functionsHostingConfigOptions;
         }
 
         protected override Task<AuthenticateResult> HandleAuthenticateAsync()
@@ -35,7 +38,7 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
         private AuthenticateResult HandleAuthenticate()
         {
             string token = null;
-            if (!Context.Request.Headers.TryGetValue(ScriptConstants.SiteRestrictedTokenHeaderName, out StringValues values))
+            if (!_hostingConfigOptions.Value.SwtAuthenticationEnabled || !Context.Request.Headers.TryGetValue(ScriptConstants.SiteRestrictedTokenHeaderName, out StringValues values))
             {
                 return AuthenticateResult.NoResult();
             }

src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs

@@ -277,7 +277,8 @@ private static void AddLinuxContainerServices(this IServiceCollection services)
                     var logger = s.GetService<ILogger<LinuxContainerMetricsPublisher>>();
                     var standbyOptions = s.GetService<IOptionsMonitor<StandbyOptions>>();
                     var hostNameProvider = s.GetService<HostNameProvider>();
-                    return new LinuxContainerMetricsPublisher(environment, standbyOptions, logger, hostNameProvider);
+                    var hostingConfigOptions = s.GetService<IOptions<FunctionsHostingConfigOptions>>();
+                    return new LinuxContainerMetricsPublisher(environment, standbyOptions, logger, hostNameProvider, hostingConfigOptions);
                 }
 
                 return NullMetricsPublisher.Instance;

src/WebJobs.Script/Config/FunctionsHostingConfigOptions.cs

@@ -43,6 +43,38 @@ public bool WorkerIndexingEnabled
             }
         }
 
+        /// <summary>
+        /// Gets or sets a value indicating whether SWT tokens should be accepted.
+        /// </summary>
+        public bool SwtAuthenticationEnabled
+        {
+            get
+            {
+                return GetFeatureOrDefault(ScriptConstants.HostingConfigSwtAuthenticationEnabled, "1") == "1";
+            }
+
+            set
+            {
+                _features[ScriptConstants.HostingConfigSwtAuthenticationEnabled] = value ? "1" : "0";
+            }
+        }
+
+        /// <summary>
+        /// Gets or sets a value indicating whether SWT tokens should be sent on outgoing requests.
+        /// </summary>
+        public bool SwtIssuerEnabled
+        {
+            get
+            {
+                return GetFeatureOrDefault(ScriptConstants.HostingConfigSwtIssuerEnabled, "1") == "1";
+            }
+
+            set
+            {
+                _features[ScriptConstants.HostingConfigSwtIssuerEnabled] = value ? "1" : "0";
+            }
+        }
+
         /// <summary>
         /// Gets a string delimited by '|' that contains the name of the apps with worker indexing disabled.
         /// </summary>
@@ -105,5 +137,16 @@ public string GetFeature(string name)
             }
             return null;
         }
+
+        /// <summary>
+        /// Gets a feature by name, returning the specified default value if not found.
+        /// </summary>
+        /// <param name="name">Feature name.</param>
+        /// <param name="defaultValue">The default value to use.</param>
+        /// <returns>String value from hostig configuration.</returns>
+        public string GetFeatureOrDefault(string name, string defaultValue)
+        {
+            return GetFeature(name) ?? defaultValue;
+        }
     }
 }

src/WebJobs.Script/Config/FunctionsHostingConfigSource.cs

@@ -29,7 +29,7 @@ public FunctionsHostingConfigSource(IEnvironment environment)
         /// Builds the <see cref="FunctionsHostingConfigSource"/> for this source.
         /// </summary>
         /// <param name="builder">The <see cref="IConfigurationBuilder"/>.</param>
-        /// <returns>A <see cref="FunctionsHostingConfigProvider"/></returns>
+        /// <returns>A <see cref="FunctionsHostingConfigProvider"/>.</returns>
         public override IConfigurationProvider Build(IConfigurationBuilder builder)
         {
             Path = _path;

src/WebJobs.Script/ScriptConstants.cs

@@ -131,6 +131,8 @@ public static class ScriptConstants
         public const string HostingConfigDisableLinuxAppServiceDetailedExecutionEvents = "DisableLinuxExecutionDetails";
         public const string HostingConfigDisableLinuxAppServiceExecutionEventLogBackoff = "DisableLinuxLogBackoff";
         public const string FeatureFlagEnableLegacyDurableVersionCheck = "EnableLegacyDurableVersionCheck";
+        public const string HostingConfigSwtAuthenticationEnabled = "SwtAuthenticationEnabled";
+        public const string HostingConfigSwtIssuerEnabled = "SwtIssuerEnabled";
 
         public const string SiteAzureFunctionsUriFormat = "https://{0}.azurewebsites.net/azurefunctions";
         public const string ScmSiteUriFormat = "https://{0}.scm.azurewebsites.net";

test/WebJobs.Script.Tests.Integration/Management/FunctionsSyncManagerTests.cs

@@ -49,6 +49,7 @@ public class FunctionsSyncManagerTests : IDisposable
         private readonly Mock<ISecretManagerProvider> _secretManagerProviderMock;
         private readonly Mock<ISecretManager> _secretManagerMock;
         private readonly TestScriptHostService _scriptHostManager; // To refresh underlying IConfiguration for IAzureBlobStorageProvider
+        private readonly FunctionsHostingConfigOptions _hostingConfigOptions;
         private string _function1;
         private bool _emptyContent;
         private bool _secretsEnabled;
@@ -152,7 +153,10 @@ public FunctionsSyncManagerTests()
             _scriptHostManager = new TestScriptHostService(configuration);
             var azureBlobStorageProvider = TestHelpers.GetAzureBlobStorageProvider(configuration, scriptHostManager: _scriptHostManager);
 
-            _functionsSyncManager = new FunctionsSyncManager(configuration, hostIdProviderMock.Object, optionsMonitor, loggerFactory.CreateLogger<FunctionsSyncManager>(), httpClientFactory, _secretManagerProviderMock.Object, _mockWebHostEnvironment.Object, _mockEnvironment.Object, _hostNameProvider, functionMetadataManager, azureBlobStorageProvider);
+            _hostingConfigOptions = new FunctionsHostingConfigOptions();
+            var hostingConfigOptionsWrapper = new OptionsWrapper<FunctionsHostingConfigOptions>(_hostingConfigOptions);
+
+            _functionsSyncManager = new FunctionsSyncManager(hostIdProviderMock.Object, optionsMonitor, loggerFactory.CreateLogger<FunctionsSyncManager>(), httpClientFactory, _secretManagerProviderMock.Object, _mockWebHostEnvironment.Object, _mockEnvironment.Object, _hostNameProvider, functionMetadataManager, azureBlobStorageProvider, hostingConfigOptionsWrapper);
         }
 
         private string GetExpectedTriggersPayload(string postedConnection = DefaultTestConnection, string postedTaskHub = DefaultTestTaskHub, string durableVersion = "V2")
@@ -242,11 +246,13 @@ public void ArmCacheEnabled_VerifyDefault()
         }
 
         [Theory]
-        [InlineData(true)]
-        [InlineData(false)]
-        public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled)
+        [InlineData(true, true)]
+        [InlineData(false, true)]
+        [InlineData(true, false)]
+        public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled, bool swtIssuerEnabled)
         {
             _mockEnvironment.Setup(p => p.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteArmCacheEnabled)).Returns(cacheEnabled ? "1" : "0");
+            _hostingConfigOptions.SwtIssuerEnabled = swtIssuerEnabled;
 
             using (var env = new TestScopedEnvironmentVariable(_vars))
             {
@@ -262,7 +268,16 @@ public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled)
                 // verify expected headers
                 Assert.Equal(ScriptConstants.FunctionsUserAgent, _mockHttpHandler.LastRequest.Headers.UserAgent.ToString());
                 Assert.True(_mockHttpHandler.LastRequest.Headers.Contains(ScriptConstants.AntaresLogIdHeaderName));
-                Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteRestrictedTokenHeaderName));
+
+                if (swtIssuerEnabled)
+                {
+                    Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteRestrictedTokenHeaderName));
+                }
+                else
+                {
+                    Assert.False(_mockHttpHandler.LastRequest.Headers.Contains(ScriptConstants.SiteRestrictedTokenHeaderName));
+                }
+                
                 Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteTokenHeaderName));
 
                 if (cacheEnabled)