Added feature to use SAS uri for secret storage and supporting tests.

Author: gzuber

src/WebJobs.Script.WebHost/GlobalSuppressions.cs

@@ -125,4 +125,9 @@
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.WebScriptHostManager.#.ctor(Microsoft.Azure.WebJobs.Script.ScriptHostConfiguration,Microsoft.Azure.WebJobs.Script.WebHost.ISecretManagerFactory,Microsoft.Azure.WebJobs.Script.Eventing.IScriptEventManager,Microsoft.Azure.WebJobs.Script.Config.ScriptSettingsManager,Microsoft.Azure.WebJobs.Script.WebHost.WebHostSettings,Microsoft.Extensions.Logging.ILoggerFactory,Microsoft.Azure.WebJobs.Script.IScriptHostFactory,Microsoft.Azure.WebJobs.Script.WebHost.ISecretsRepositoryFactory,Microsoft.Azure.WebJobs.Script.Scale.HostPerformanceManager,System.Int32,System.Int32)")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2213:DisposableFieldsShouldBeDisposed", MessageId = "_syncTimer", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.WebScriptHostManager.#Dispose(System.Boolean)")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA1801:ReviewUnusedParameters", MessageId = "config", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Extensions.FunctionMetadataExtensions.#GetTestData(System.String,Microsoft.Azure.WebJobs.Script.ScriptHostConfiguration)")]
-[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2214:DoNotCallOverridableMethodsInConstructors", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.SecretManager.#.ctor(Microsoft.Azure.WebJobs.Script.WebHost.ISecretsRepository,Microsoft.Azure.WebJobs.Script.WebHost.IKeyValueConverterFactory,Microsoft.Azure.WebJobs.Host.TraceWriter,System.Boolean)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2214:DoNotCallOverridableMethodsInConstructors", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.SecretManager.#.ctor(Microsoft.Azure.WebJobs.Script.WebHost.ISecretsRepository,Microsoft.Azure.WebJobs.Script.WebHost.IKeyValueConverterFactory,Microsoft.Azure.WebJobs.Host.TraceWriter,System.Boolean)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Sas", Scope = "type", Target = "Microsoft.Azure.WebJobs.Script.WebHost.BlobStorageSasSecretsRepository")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Sas", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.BlobStorageSasSecretsRepository.#.ctor(System.String,System.String,System.String)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings", MessageId = "1#", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.BlobStorageSasSecretsRepository.#.ctor(System.String,System.String,System.String)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2214:DoNotCallOverridableMethodsInConstructors", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.BlobStorageSecretsRepository.#.ctor(System.String,System.String,System.String)")]
+

src/WebJobs.Script.WebHost/Security/BlobStorageSasSecretsRepository.cs

@@ -0,0 +1,23 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.WindowsAzure.Storage.Blob;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    /// <summary>
+    /// An <see cref="BlobStorageSecretsRepository"/> implementation that uses a SAS connection string to connect to the Azure blob storage backing store.
+    /// </summary>
+    public sealed class BlobStorageSasSecretsRepository : BlobStorageSecretsRepository
+    {
+        public BlobStorageSasSecretsRepository(string secretSentinelDirectoryPath, string containerSasUri, string siteSlotName)
+            : base(secretSentinelDirectoryPath, containerSasUri, siteSlotName)
+        { }
+
+        protected override CloudBlobContainer CreateBlobContainer(string containerSasUri)
+        {
+            return new CloudBlobContainer(new Uri(containerSasUri));
+        }
+    }
+}

src/WebJobs.Script.WebHost/Security/BlobStorageSecretsRepository.cs

@@ -18,7 +18,7 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost
     /// <summary>
     /// An <see cref="ISecretsRepository"/> implementation that uses Azure blob storage as the backing store.
     /// </summary>
-    public sealed class BlobStorageSecretsRepository : ISecretsRepository, IDisposable
+    public class BlobStorageSecretsRepository : ISecretsRepository, IDisposable
     {
         private readonly string _secretsSentinelFilePath;
         private readonly string _secretsBlobPath;
@@ -57,15 +57,21 @@ public BlobStorageSecretsRepository(string secretSentinelDirectoryPath, string a
             _hostSecretsBlobPath = string.Format("{0}/{1}", _secretsBlobPath, ScriptConstants.HostMetadataFileName);
 
             _accountConnectionString = accountConnectionString;
-            CloudStorageAccount account = CloudStorageAccount.Parse(_accountConnectionString);
-            CloudBlobClient client = account.CreateCloudBlobClient();
-
-            _blobContainer = client.GetContainerReference(_secretsContainerName);
-            _blobContainer.CreateIfNotExists();
+            _blobContainer = CreateBlobContainer(_accountConnectionString);
         }
 
         public event EventHandler<SecretsChangedEventArgs> SecretsChanged;
 
+        protected virtual CloudBlobContainer CreateBlobContainer(string connectionString)
+        {
+            CloudStorageAccount account = CloudStorageAccount.Parse(connectionString);
+            CloudBlobClient client = account.CreateCloudBlobClient();
+            CloudBlobContainer blobContainer = client.GetContainerReference(_secretsContainerName);
+            blobContainer.CreateIfNotExists();
+
+            return blobContainer;
+        }
+
         private string GetSecretsBlobPath(ScriptSecretsType secretsType, string functionName = null)
         {
             return secretsType == ScriptSecretsType.Host
@@ -182,6 +188,7 @@ private void Dispose(bool disposing)
         public void Dispose()
         {
             Dispose(true);
+            GC.SuppressFinalize(this);
         }
     }
 }

src/WebJobs.Script.WebHost/Security/DefaultSecretsRepositoryFactory.cs

@@ -17,7 +17,13 @@ public ISecretsRepository Create(ScriptSettingsManager settingsManager, WebHostS
         {
             string secretStorageType = settingsManager.GetSetting(EnvironmentSettingNames.AzureWebJobsSecretStorageType);
             string storageString = AmbientConnectionStringProvider.Instance.GetConnectionString(ConnectionStringNames.Storage);
-            if (secretStorageType != null && secretStorageType.Equals("Blob", StringComparison.OrdinalIgnoreCase) && storageString != null)
+            string secretStorageSas = settingsManager.GetSetting(EnvironmentSettingNames.AzureWebJobsSecretStorageSas);
+            if (secretStorageType != null && secretStorageType.Equals("Blob", StringComparison.OrdinalIgnoreCase) && secretStorageSas != null)
+            {
+                string siteSlotName = settingsManager.AzureWebsiteUniqueSlotName ?? config.HostConfig.HostId;
+                return new BlobStorageSasSecretsRepository(Path.Combine(webHostSettings.SecretsPath, "Sentinels"), secretStorageSas, siteSlotName);
+            }
+            else if (secretStorageType != null && secretStorageType.Equals("Blob", StringComparison.OrdinalIgnoreCase) && storageString != null)
             {
                 string siteSlotName = settingsManager.AzureWebsiteUniqueSlotName ?? config.HostConfig.HostId;
                 return new BlobStorageSecretsRepository(Path.Combine(webHostSettings.SecretsPath, "Sentinels"), storageString, siteSlotName);

src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj

@@ -559,6 +559,7 @@
     <Compile Include="FunctionRequestInvoker.cs" />
     <Compile Include="ProxyFunctionExecutor.cs" />
     <Compile Include="Security\BlobStorageSecretsRepository.cs" />
+    <Compile Include="Security\BlobStorageSasSecretsRepository.cs" />
     <Compile Include="Security\DefaultSecretManagerFactory.cs" />
     <Compile Include="Security\DefaultSecretsRepositoryFactory.cs" />
     <Compile Include="Security\FileSystemSecretsRepository.cs" />

src/WebJobs.Script/EnvironmentSettingNames.cs

@@ -22,6 +22,7 @@ public static class EnvironmentSettingNames
         public const string AzureWebJobsExtensionsPath = "AzureWebJobs_ExtensionsPath";
         public const string AzureWebsiteAppCountersName = "WEBSITE_COUNTERS_APP";
         public const string AzureWebJobsSecretStorageType = "AzureWebJobsSecretStorageType";
+        public const string AzureWebJobsSecretStorageSas = "AzureWebJobsSecretStorageSas";
         public const string AppInsightsInstrumentationKey = "APPINSIGHTS_INSTRUMENTATIONKEY";
         public const string ProxySiteExtensionEnabledKey = "ROUTING_EXTENSION_VERSION";
         public const string FunctionsExtensionVersion = "FUNCTIONS_EXTENSION_VERSION";

src/WebJobs.Script/GlobalSuppressions.cs

@@ -245,4 +245,5 @@
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.FileTraceWriter.#.ctor(System.String,System.Diagnostics.TraceLevel,Microsoft.Azure.WebJobs.Script.Diagnostics.LogType)")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.ScriptHost.#ConfigureLogging()")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Dir", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.Scale.ApplicationPerformanceCounters.#RemoteDirMonitorLimit")]
-[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Dir", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.Scale.ApplicationPerformanceCounters.#RemoteDirMonitors")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Dir", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.Scale.ApplicationPerformanceCounters.#RemoteDirMonitors")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Sas", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.EnvironmentSettingNames.#AzureWebJobsSecretStorageSas")]

test/WebJobs.Script.Tests.Integration/Host/SecretsRepositoryTests.cs

@@ -29,7 +29,8 @@ public SecretsRepositoryTests(SecretsRepositoryTests.Fixture fixture)
         public enum SecretsRepositoryType
         {
             FileSystem,
-            BlobStorage
+            BlobStorage,
+            BlobStorageSas
         }
 
         [Fact]
@@ -38,10 +39,12 @@ public void FileSystemRepo_Constructor_CreatesSecretPathIfNotExists()
             Constructor_CreatesSecretPathIfNotExists(SecretsRepositoryType.FileSystem);
         }
 
-        [Fact]
-        public void BlobStorageRepo_Constructor_CreatesSecretPathIfNotExists()
+        [Theory]
+        [InlineData(SecretsRepositoryType.BlobStorage)]
+        [InlineData(SecretsRepositoryType.BlobStorageSas)]
+        public void BlobStorageRepo_Constructor_CreatesSecretPathIfNotExists(SecretsRepositoryType repositoryType)
         {
-            Constructor_CreatesSecretPathIfNotExists(SecretsRepositoryType.BlobStorage);
+            Constructor_CreatesSecretPathIfNotExists(repositoryType);
         }
 
         private void Constructor_CreatesSecretPathIfNotExists(SecretsRepositoryType repositoryType)
@@ -67,11 +70,13 @@ private void Constructor_CreatesSecretPathIfNotExists(SecretsRepositoryType repo
         }
 
         [Theory]
-        [InlineData(ScriptSecretsType.Host)]
-        [InlineData(ScriptSecretsType.Function)]
-        public async Task BlobStorageRepo_ReadAsync_ReadsExpectedFile(ScriptSecretsType secretsType)
+        [InlineData(SecretsRepositoryType.BlobStorage, ScriptSecretsType.Host)]
+        [InlineData(SecretsRepositoryType.BlobStorage, ScriptSecretsType.Function)]
+        [InlineData(SecretsRepositoryType.BlobStorageSas, ScriptSecretsType.Host)]
+        [InlineData(SecretsRepositoryType.BlobStorageSas, ScriptSecretsType.Function)]
+        public async Task BlobStorageRepo_ReadAsync_ReadsExpectedFile(SecretsRepositoryType repositoryType, ScriptSecretsType secretsType)
         {
-            await ReadAsync_ReadsExpectedFile(SecretsRepositoryType.BlobStorage, secretsType);
+            await ReadAsync_ReadsExpectedFile(repositoryType, secretsType);
         }
 
         [Theory]
@@ -101,11 +106,13 @@ private async Task ReadAsync_ReadsExpectedFile(SecretsRepositoryType repositoryT
         }
 
         [Theory]
-        [InlineData(ScriptSecretsType.Host)]
-        [InlineData(ScriptSecretsType.Function)]
-        public async Task BlobStorageRepo_WriteAsync_CreatesExpectedFile(ScriptSecretsType secretsType)
+        [InlineData(SecretsRepositoryType.BlobStorage, ScriptSecretsType.Host)]
+        [InlineData(SecretsRepositoryType.BlobStorage, ScriptSecretsType.Function)]
+        [InlineData(SecretsRepositoryType.BlobStorageSas, ScriptSecretsType.Host)]
+        [InlineData(SecretsRepositoryType.BlobStorageSas, ScriptSecretsType.Function)]
+        public async Task BlobStorageRepo_WriteAsync_CreatesExpectedFile(SecretsRepositoryType repositoryType, ScriptSecretsType secretsType)
         {
-            await WriteAsync_CreatesExpectedFile(SecretsRepositoryType.BlobStorage, secretsType);
+            await WriteAsync_CreatesExpectedFile(repositoryType, secretsType);
         }
 
         [Theory]
@@ -129,7 +136,7 @@ private async Task WriteAsync_CreatesExpectedFile(SecretsRepositoryType reposito
 
                 string filePath = Path.Combine(directory.Path, $"{testFunctionName ?? "host"}.json");
 
-                if (repositoryType == SecretsRepositoryType.BlobStorage)
+                if (repositoryType == SecretsRepositoryType.BlobStorage || repositoryType == SecretsRepositoryType.BlobStorageSas)
                 {
                     Assert.True(_fixture.MarkerFileExists(testFunctionName ?? "host"));
                 }
@@ -143,10 +150,12 @@ public async Task FileSystemRepo_WriteAsync_ChangeNotificationUpdatesExistingSec
             await WriteAsync_ChangeNotificationUpdatesExistingSecret(SecretsRepositoryType.FileSystem);
         }
 
-        [Fact]
-        public async Task BlobStorageRepo_WriteAsync_ChangeNotificationUpdatesExistingSecret()
+        [Theory]
+        [InlineData(SecretsRepositoryType.BlobStorage)]
+        [InlineData(SecretsRepositoryType.BlobStorageSas)]
+        public async Task BlobStorageRepo_WriteAsync_ChangeNotificationUpdatesExistingSecret(SecretsRepositoryType repositoryType)
         {
-            await WriteAsync_ChangeNotificationUpdatesExistingSecret(SecretsRepositoryType.BlobStorage);
+            await WriteAsync_ChangeNotificationUpdatesExistingSecret(repositoryType);
         }
 
         private async Task WriteAsync_ChangeNotificationUpdatesExistingSecret(SecretsRepositoryType repositoryType)
@@ -202,6 +211,8 @@ public async Task FileSystemRepo_PurgeOldSecrets_RemovesOldAndKeepsCurrentSecret
         [InlineData(SecretsRepositoryType.FileSystem, ScriptSecretsType.Function)]
         [InlineData(SecretsRepositoryType.BlobStorage, ScriptSecretsType.Host)]
         [InlineData(SecretsRepositoryType.BlobStorage, ScriptSecretsType.Function)]
+        [InlineData(SecretsRepositoryType.BlobStorageSas, ScriptSecretsType.Host)]
+        [InlineData(SecretsRepositoryType.BlobStorageSas, ScriptSecretsType.Function)]
         public async Task GetSecretSnapshots_ReturnsExpected(SecretsRepositoryType repositoryType, ScriptSecretsType secretsType)
         {
             using (var directory = new TempDirectory())
@@ -229,7 +240,6 @@ public Fixture()
             {
                 TestSiteName = "TestSiteName";
                 BlobConnectionString = AmbientConnectionStringProvider.Instance.GetConnectionString(ConnectionStringNames.Storage);
-                BlobContainer = CloudStorageAccount.Parse(BlobConnectionString).CreateCloudBlobClient().GetContainerReference("azure-webjobs-secrets");
             }
 
             public string TestSiteName { get; private set; }
@@ -238,6 +248,8 @@ public Fixture()
 
             public string BlobConnectionString { get; private set; }
 
+            public Uri BlobSasConnectionUri { get; private set; }
+
             public CloudBlobContainer BlobContainer { get; private set; }
 
             public SecretsRepositoryType RepositoryType { get; private set; }
@@ -251,6 +263,16 @@ public void TestInitialize(SecretsRepositoryType repositoryType, string secretsD
                     TestSiteName = testSiteName;
                 }
 
+                if (RepositoryType == SecretsRepositoryType.BlobStorageSas)
+                {
+                    BlobSasConnectionUri = TestHelpers.CreateBlobContainerSas(BlobConnectionString, "azure-webjobs-secrets-sas");
+                    BlobContainer = new CloudBlobContainer(BlobSasConnectionUri);
+                }
+                else
+                {
+                    BlobContainer = CloudStorageAccount.Parse(BlobConnectionString).CreateCloudBlobClient().GetContainerReference("azure-webjobs-secrets");
+                }
+
                 ClearAllBlobSecrets();
                 ClearAllFileSecrets();
             }
@@ -261,6 +283,10 @@ public ISecretsRepository GetNewSecretRepository()
                 {
                     return new BlobStorageSecretsRepository(SecretsDirectory, BlobConnectionString, TestSiteName);
                 }
+                else if (RepositoryType == SecretsRepositoryType.BlobStorageSas)
+                {
+                    return new BlobStorageSasSecretsRepository(SecretsDirectory, BlobSasConnectionUri.ToString(), TestSiteName);
+                }
                 return new FileSystemSecretsRepository(SecretsDirectory);
             }
 
@@ -299,6 +325,7 @@ public void WriteSecret(string functionNameOrHost, string fileText)
                         WriteSecretsToFile(functionNameOrHost, fileText);
                         break;
                     case SecretsRepositoryType.BlobStorage:
+                    case SecretsRepositoryType.BlobStorageSas:
                         WriteSecretsBlobAndUpdateSentinelFile(functionNameOrHost, fileText);
                         break;
                     default:
@@ -336,6 +363,7 @@ public string GetSecretText(string functionNameOrHost)
                         secretText = File.ReadAllText(SecretsFileOrSentinelPath(functionNameOrHost));
                         break;
                     case SecretsRepositoryType.BlobStorage:
+                    case SecretsRepositoryType.BlobStorageSas:
                         secretText = GetSecretBlobText(functionNameOrHost);
                         break;
                     default:
@@ -374,7 +402,13 @@ private void ClearAllFileSecrets()
 
             private void ClearAllBlobSecrets()
             {
-                BlobContainer.CreateIfNotExists();
+                // A sas connection requires the container to already exist, it
+                // doesn't have permission to create it
+                if (RepositoryType != SecretsRepositoryType.BlobStorageSas)
+                {
+                    BlobContainer.CreateIfNotExists();
+                }
+
                 var blobs = BlobContainer.ListBlobs(prefix: TestSiteName.ToLowerInvariant(), useFlatBlobListing: true);
                 foreach (IListBlobItem blob in blobs)
                 {