Refactoring AuthorizationLevelAttribute to split system level authorization with named keys

Author: fabiocav

src/WebJobs.Script.WebHost/Filters/AuthorizationLevelAttribute.cs

@@ -14,20 +14,18 @@
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Filters
 {
-    public sealed class AuthorizationLevelAttribute : AuthorizationFilterAttribute
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
+    public class AuthorizationLevelAttribute : AuthorizationFilterAttribute
     {
         public const string FunctionsKeyHeaderName = "x-functions-key";
 
-        public AuthorizationLevelAttribute(AuthorizationLevel level, string keyName = null)
+        public AuthorizationLevelAttribute(AuthorizationLevel level)
         {
             Level = level;
-            KeyName = keyName;
         }
 
         public AuthorizationLevel Level { get; }
 
-        public string KeyName { get; }
-
         public async override Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
         {
             if (actionContext == null)
@@ -39,7 +37,7 @@ public async override Task OnAuthorizationAsync(HttpActionContext actionContext,
             // as a request property
             var secretManager = actionContext.ControllerContext.Configuration.DependencyResolver.GetService<ISecretManager>();
             var settings = actionContext.ControllerContext.Configuration.DependencyResolver.GetService<WebHostSettings>();
-            var requestAuthorizationLevel = await GetAuthorizationLevelAsync(actionContext.Request, secretManager, keyName: KeyName);
+            var requestAuthorizationLevel = await GetAuthorizationLevelAsync(actionContext.Request, secretManager, EvaluateKeyMatch);
             actionContext.Request.Properties[ScriptConstants.AzureFunctionsHttpRequestAuthorizationLevel] = requestAuthorizationLevel;
 
             if (settings.IsAuthDisabled || 
@@ -55,7 +53,15 @@ public async override Task OnAuthorizationAsync(HttpActionContext actionContext,
             }
         }
 
-        internal static async Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRequestMessage request, ISecretManager secretManager, string functionName = null, string keyName = null)
+        protected virtual bool EvaluateKeyMatch(IDictionary<string, string> secrets, string keyValue) => HasMatchingKey(secrets, keyValue);
+
+        internal static Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRequestMessage request, ISecretManager secretManager, string functionName = null)
+        {
+            return GetAuthorizationLevelAsync(request, secretManager, HasMatchingKey, functionName);
+        }
+
+        internal static async Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRequestMessage request, ISecretManager secretManager,
+            Func<IDictionary<string, string>, string, bool> matchEvaluator, string functionName = null)
         {
             // first see if a key value is specified via headers or query string (header takes precedence)
             IEnumerable<string> values;
@@ -80,13 +86,13 @@ internal static async Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRe
                     return AuthorizationLevel.Admin;
                 }
 
-                if (HasMatchingKey(hostSecrets.SystemKeys, keyValue, keyName))
+                if (matchEvaluator(hostSecrets.SystemKeys, keyValue))
                 {
                     return AuthorizationLevel.System;
                 }
 
                 // see if the key specified matches the host function key
-                if (HasMatchingKey(hostSecrets.FunctionKeys, keyValue, keyName))
+                if (matchEvaluator(hostSecrets.FunctionKeys, keyValue))
                 {
                     return AuthorizationLevel.Function;
                 }
@@ -95,7 +101,7 @@ internal static async Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRe
                 if (functionName != null)
                 {
                     IDictionary<string, string> functionSecrets = await secretManager.GetFunctionSecretsAsync(functionName);
-                    if (HasMatchingKey(functionSecrets, keyValue, keyName))
+                    if (matchEvaluator(functionSecrets, keyValue))
                     {
                         return AuthorizationLevel.Function;
                     }
@@ -105,9 +111,8 @@ internal static async Task<AuthorizationLevel> GetAuthorizationLevelAsync(HttpRe
             return AuthorizationLevel.Anonymous;
         }
 
-        private static bool HasMatchingKey(IDictionary<string, string> secrets, string keyValue, string keyName)
-            => secrets != null &&
-            secrets.Any(kvp => (keyName == null || string.Equals(kvp.Key, keyName, StringComparison.OrdinalIgnoreCase)) && Key.SecretValueEquals(kvp.Value, keyValue));
+        private static bool HasMatchingKey(IDictionary<string, string> secrets, string keyValue) 
+            => secrets != null && secrets.Values.Any(s => Key.SecretValueEquals(s, keyValue));
 
         internal static bool SkipAuthorization(HttpActionContext actionContext)
         {

src/WebJobs.Script.WebHost/Filters/SystemAuthorizationLevelAttribute.cs

@@ -0,0 +1,28 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Filters
+{
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
+    public sealed class SystemAuthorizationLevelAttribute : AuthorizationLevelAttribute
+    {
+        public SystemAuthorizationLevelAttribute(string keyName) 
+            : base(AuthorizationLevel.System)
+        {
+            KeyName = keyName;
+        }
+
+        public string KeyName { get; }
+
+        protected override bool EvaluateKeyMatch(IDictionary<string, string> secrets, string keyValue)
+            => EvaluateKeyMatch(secrets, keyValue, KeyName);
+            
+        internal static bool EvaluateKeyMatch(IDictionary<string, string> secrets, string keyValue, string keyName)
+            => secrets != null && 
+            secrets.Any(kvp => (keyName == null || string.Equals(kvp.Key, keyName, StringComparison.OrdinalIgnoreCase)) && Key.SecretValueEquals(kvp.Value, keyValue));
+    }
+}

src/WebJobs.Script.WebHost/GlobalSuppressions.cs

@@ -91,4 +91,5 @@
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Performance", "CA1822:MarkMembersAsStatic", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Controllers.AdminController.#Ping()")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.HostSecretsInfo.#SystemKeys")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1721:PropertyNamesShouldNotMatchGetMethods", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.FunctionSecrets.#Keys")]
-[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.HostSecrets.#SystemKeys")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.HostSecrets.#SystemKeys")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Performance", "CA1813:AvoidUnsealedAttributes", Scope = "type", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Filters.AuthorizationLevelAttribute")]

src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj

@@ -418,6 +418,7 @@
     <Compile Include="Diagnostics\WebHostMetricsLogger.cs" />
     <Compile Include="Extensions\DependencyResolverExtensions.cs" />
     <Compile Include="Filters\AuthorizationLevelAttribute.cs" />
+    <Compile Include="Filters\SystemAuthorizationLevelAttribute.cs" />
     <Compile Include="Formatting\PlaintextMediaTypeFormatter.cs" />
     <Compile Include="Global.asax.cs">
       <DependentUpon>Global.asax</DependentUpon>