Add resource filter for ARM Extension API requests

Author: mathewc

src/WebJobs.Script.WebHost/Controllers/KeysController.cs

@@ -20,6 +20,7 @@
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Controllers
 {
     [Authorize(Policy = PolicyNames.AdminAuthLevel)]
+    [ResourceContainsSecrets]
     public class KeysController : Controller
     {
         private const string MasterKeyName = "_master";

src/WebJobs.Script.WebHost/Filters/ArmExtensionResourceFilter.cs

@@ -0,0 +1,53 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc.Controllers;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Azure.WebJobs.Script.Extensions;
+using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Filters
+{
+    /// <summary>
+    /// Resource filter used to ensure secrets aren't returned for GET requests made via the Functions ARM extension
+    /// API (hostruntime), unless properly authorized.
+    /// </summary>
+    /// <remarks>
+    /// All our first class ARM APIs handle RBAC naturally. For the hostruntime bridge, the runtime collaborates
+    /// based on request details coming from ARM/Geo.
+    /// </remarks>
+    public sealed class ArmExtensionResourceFilter : IAsyncResourceFilter
+    {
+        public async Task OnResourceExecutionAsync(ResourceExecutingContext context, ResourceExecutionDelegate next)
+        {
+            // We only want to apply this filter for GET extension ARM requests that were forwarded directly to us via
+            // hostruntime bridge, not hostruntime requests initiated internally by the geomaster. The latter requests
+            // won't have the x-ms-arm-request-tracking-id header.
+            var request = context.HttpContext.Request;
+            bool isArmExtensionRequest = request.HasHeader(ScriptConstants.AntaresARMRequestTrackingIdHeader) &&
+                request.HasHeader(ScriptConstants.AntaresARMExtensionsRouteHeader);
+
+            if (isArmExtensionRequest && string.Equals(request.Method, "GET", StringComparison.OrdinalIgnoreCase))
+            {
+                // requests made by owner/co-admin are not filtered
+                if (!request.HasHeaderValue(ScriptConstants.AntaresClientAuthorizationSourceHeader, "legacy"))
+                {
+                    var controllerActionDescriptor = context.ActionDescriptor as ControllerActionDescriptor;
+                    if (controllerActionDescriptor != null && controllerActionDescriptor.MethodInfo != null &&
+                        Utility.GetHierarchicalAttributeOrNull<ResourceContainsSecretsAttribute>(controllerActionDescriptor.MethodInfo) != null)
+                    {
+                        // if the resource returned by the action contains secrets, fail the request
+                        context.HttpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                        await context.HttpContext.Response.WriteAsync(Resources.UnauthorizedArmExtensionResourceRequest);
+                        return;
+                    }
+                }
+            }
+
+            await next();
+        }
+    }
+}

src/WebJobs.Script.WebHost/Properties/Resources.Designer.cs

@@ -294,4 +294,7 @@
   <data name="TraceStaleHostSecretRefresh" xml:space="preserve">
     <value>Stale host secrets detected. Refreshing secrets.</value>
   </data>
+  <data name="UnauthorizedArmExtensionResourceRequest" xml:space="preserve">
+    <value>GET requests for this resource via the hostruntime extensions API are not authorized. Please use an alternate first class ARM API.</value>
+  </data>
 </root>

src/WebJobs.Script.WebHost/Properties/Resources.resx

@@ -0,0 +1,16 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    /// <summary>
+    /// Attribute applied to actions to indicate whether the resource returned by an action
+    /// contains secrets.
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+    public class ResourceContainsSecretsAttribute : Attribute
+    {
+    }
+}

src/WebJobs.Script.WebHost/ResourceContainsSecretsAttribute.cs

@@ -13,6 +13,7 @@
 using Microsoft.Azure.WebJobs.Script.WebHost.ContainerManagement;
 using Microsoft.Azure.WebJobs.Script.WebHost.DependencyInjection;
 using Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics;
+using Microsoft.Azure.WebJobs.Script.WebHost.Filters;
 using Microsoft.Azure.WebJobs.Script.WebHost.Management;
 using Microsoft.Azure.WebJobs.Script.WebHost.Metrics;
 using Microsoft.Azure.WebJobs.Script.WebHost.Middleware;
@@ -65,8 +66,11 @@ public static void AddWebJobsScriptHost(this IServiceCollection services, IConfi
         {
             services.AddHttpContextAccessor();
             services.AddWebJobsScriptHostRouting();
-            services.AddMvc()
-                .AddXmlDataContractSerializerFormatters();
+            services.AddMvc(options =>
+            {
+                options.Filters.Add(new ArmExtensionResourceFilter());
+            })
+            .AddXmlDataContractSerializerFormatters();
 
             // Standby services
             services.AddStandbyServices();

src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs

@@ -37,6 +37,16 @@ public static string GetRequestId(this HttpRequest request)
             return request.GetRequestPropertyOrDefault<string>(ScriptConstants.AzureFunctionsRequestIdKey);
         }
 
+        public static bool HasHeader(this HttpRequest request, string headerName)
+        {
+            return !string.IsNullOrEmpty(request.GetHeaderValueOrDefault(headerName));
+        }
+
+        public static bool HasHeaderValue(this HttpRequest request, string headerName, string value)
+        {
+            return string.Equals(request.GetHeaderValueOrDefault(headerName), value, StringComparison.OrdinalIgnoreCase);
+        }
+
         public static string GetHeaderValueOrDefault(this HttpRequest request, string headerName)
         {
             StringValues values;

src/WebJobs.Script/Extensions/HttpRequestExtensions.cs

@@ -83,6 +83,9 @@ public static class ScriptConstants
 
         public const string FunctionsUserAgent = "AzureFunctionsRuntime";
         public const string AntaresDefaultHostNameHeader = "WAS-DEFAULT-HOSTNAME";
+        public const string AntaresARMRequestTrackingIdHeader = "x-ms-arm-request-tracking-id";
+        public const string AntaresARMExtensionsRouteHeader = "X-MS-VIA-EXTENSIONS-ROUTE";
+        public const string AntaresClientAuthorizationSourceHeader = "X-MS-CLIENT-AUTHORIZATION-SOURCE";
         public const string AntaresLogIdHeaderName = "X-ARR-LOG-ID";
         public const string AntaresScaleOutHeaderName = "X-FUNCTION-SCALEOUT";
         public const string AntaresColdStartHeaderName = "X-MS-COLDSTART";

src/WebJobs.Script/ScriptConstants.cs

@@ -44,6 +44,39 @@ public static class Utility
 
         private static List<string> dotNetLanguages = new List<string>() { DotNetScriptTypes.CSharp, DotNetScriptTypes.DotNetAssembly };
 
+        /// <summary>
+        /// Walk from the method up to the containing type, looking for an instance
+        /// of the specified attribute type, returning it if found.
+        /// </summary>
+        /// <param name="method">The method to check.</param>
+        internal static T GetHierarchicalAttributeOrNull<T>(MethodInfo method) where T : Attribute
+        {
+            return (T)GetHierarchicalAttributeOrNull(method, typeof(T));
+        }
+
+        /// <summary>
+        /// Walk from the method up to the containing type, looking for an instance
+        /// of the specified attribute type, returning it if found.
+        /// </summary>
+        /// <param name="method">The method to check.</param>
+        /// <param name="type">The attribute type to look for.</param>
+        internal static Attribute GetHierarchicalAttributeOrNull(MethodInfo method, Type type)
+        {
+            var attribute = method.GetCustomAttribute(type);
+            if (attribute != null)
+            {
+                return attribute;
+            }
+
+            attribute = method.DeclaringType.GetCustomAttribute(type);
+            if (attribute != null)
+            {
+                return attribute;
+            }
+
+            return null;
+        }
+
         internal static async Task InvokeWithRetriesAsync(Action action, int maxRetries, TimeSpan retryInterval)
         {
             await InvokeWithRetriesAsync(() =>

src/WebJobs.Script/Utility.cs

@@ -70,6 +70,8 @@ protected EndToEndTestFixture(string rootPath, string testId, string functionsWo
 
         public TestEventGenerator EventGenerator { get; private set; } = new TestEventGenerator();
 
+        public string MasterKey { get; private set; }
+
         protected virtual ExtensionPackageReference[] GetExtensionsToInstall()
         {
             return null;
@@ -130,6 +132,8 @@ public async Task InitializeAsync()
             TableClient = storageAccount.CreateCloudTableClient();
 
             await CreateTestStorageEntities();
+
+            MasterKey = await Host.GetMasterKeyAsync();
         }
 
         public virtual void ConfigureScriptHost(IWebJobsBuilder webJobsBuilder)