Allow site auth JWT tokens to be passed via x-ms-site-token header (#9175)

Author: mathewc

src/WebJobs.Script.WebHost/Management/FunctionsSyncManager.cs

@@ -707,7 +707,7 @@ internal HttpRequestMessage BuildSetTriggersRequest()
                 var requestId = Guid.NewGuid().ToString();
                 request.Headers.Add(ScriptConstants.AntaresLogIdHeaderName, requestId);
                 request.Headers.Add("User-Agent", ScriptConstants.FunctionsUserAgent);
-                request.Headers.Add(ScriptConstants.SiteTokenHeaderName, token);
+                request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, token);
                 request.Content = new StringContent(content, Encoding.UTF8, "application/json");
 
                 if (_environment.IsKubernetesManagedHosting())

src/WebJobs.Script.WebHost/Metrics/LinuxContainerMetricsPublisher.cs

@@ -289,7 +289,7 @@ private HttpRequestMessage BuildRequest<TContent>(HttpMethod method, string path
             // add the required authentication headers
             request.Headers.Add(ContainerNameHeader, _containerName);
             request.Headers.Add(HostNameHeader, _hostNameProvider.Value);
-            request.Headers.Add(ScriptConstants.SiteTokenHeaderName, token);
+            request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, token);
             request.Headers.Add(StampNameHeader, _stampName);
 
             return request;

src/WebJobs.Script.WebHost/Security/Authentication/Arm/ArmAuthenticationHandler.cs

@@ -35,7 +35,7 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
         private AuthenticateResult HandleAuthenticate()
         {
             string token = null;
-            if (!Context.Request.Headers.TryGetValue(ScriptConstants.SiteTokenHeaderName, out StringValues values))
+            if (!Context.Request.Headers.TryGetValue(ScriptConstants.SiteRestrictedTokenHeaderName, out StringValues values))
             {
                 return AuthenticateResult.NoResult();
             }

src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs

@@ -1,19 +1,19 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
-using System;
+using System.Linq;
 using System.Security.Claims;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
-using Microsoft.Azure.Web.DataProtection;
 using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Azure.WebJobs.Script;
 using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.WebHost;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security.Authentication;
+using Microsoft.Extensions.Primitives;
 using Microsoft.IdentityModel.Tokens;
 using static Microsoft.Azure.WebJobs.Script.EnvironmentSettingNames;
 using static Microsoft.Azure.WebJobs.Script.ScriptConstants;
@@ -31,8 +31,16 @@ public static AuthenticationBuilder AddScriptJwtBearer(this AuthenticationBuilde
                             {
                                 OnMessageReceived = c =>
                                 {
+                                    // By default, tokens are passed via the standard Authorization Bearer header. However we also support
+                                    // passing tokens via the x-ms-site-token header.
+                                    if (c.Request.Headers.TryGetValue(ScriptConstants.SiteTokenHeaderName, out StringValues values))
+                                    {
+                                        // the token we set here will be the one used - Authorization header won't be checked.
+                                        c.Token = values.FirstOrDefault();
+                                    }
+
                                     // Temporary: Tactical fix to address specialization issues. This should likely be moved to a token validator
-                                    // TODO: DI (FACAVAL) This will be fixed once the permanent fix is in plance
+                                    // TODO: DI (FACAVAL) This will be fixed once the permanent fix is in place
                                     if (_specialized == 0 && !SystemEnvironment.Instance.IsPlaceholderModeEnabled() && Interlocked.CompareExchange(ref _specialized, 1, 0) == 0)
                                     {
                                         o.TokenValidationParameters = CreateTokenValidationParameters();
@@ -55,7 +63,7 @@ public static AuthenticationBuilder AddScriptJwtBearer(this AuthenticationBuilde
 
                             o.TokenValidationParameters = CreateTokenValidationParameters();
 
-                            // TODO: DI (FACAVAL) Remove this once th work above is completed.
+                            // TODO: DI (FACAVAL) Remove this once the work above is completed.
                             if (!SystemEnvironment.Instance.IsPlaceholderModeEnabled())
                             {
                                 // We're not in standby mode, so flag as specialized
@@ -65,17 +73,28 @@ public static AuthenticationBuilder AddScriptJwtBearer(this AuthenticationBuilde
 
         private static TokenValidationParameters CreateTokenValidationParameters()
         {
-            string defaultKey = Util.GetDefaultKeyValue();
-
             var result = new TokenValidationParameters();
-            if (defaultKey != null)
+            if (SecretsUtility.TryGetEncryptionKey(out string key))
             {
-                // TODO: Once ScriptSettingsManager is gone, Audience and Issuer shouold be pulled from configuration.
-                result.IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(defaultKey));
+                // TODO: Once ScriptSettingsManager is gone, Audience and Issuer should be pulled from configuration.
+                result.IssuerSigningKeys = new SecurityKey[]
+                {
+                    new SymmetricSecurityKey(key.ToKeyBytes()),
+                    new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key))
+                };
                 result.ValidateAudience = true;
                 result.ValidateIssuer = true;
-                result.ValidAudience = string.Format(AdminJwtValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName));
-                result.ValidIssuer = string.Format(AdminJwtValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName));
+                result.ValidAudiences = new string[]
+                {
+                    string.Format(AdminJwtSiteFunctionsValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                    string.Format(AdminJwtSiteValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+                };
+                result.ValidIssuers = new string[]
+                {
+                    AdminJwtAppServiceIssuer,
+                    string.Format(AdminJwtScmValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                    string.Format(AdminJwtSiteValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+                };
             }
 
             return result;

src/WebJobs.Script.WebHost/Security/SecretsUtility.cs

@@ -2,11 +2,12 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
-using System.IO;
+using System.Linq;
+using Microsoft.Azure.Web.DataProtection;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost
 {
-    internal class SecretsUtility
+    internal static class SecretsUtility
     {
         public static string GetNonDecryptableName(string secretsPath)
         {
@@ -17,5 +18,74 @@ public static string GetNonDecryptableName(string secretsPath)
             }
             return secretsPath + $".{ScriptConstants.Snapshot}.{timeStamp}.json";
         }
+
+        public static bool TryGetEncryptionKey(out string key, IEnvironment environment = null)
+        {
+            environment = environment ?? SystemEnvironment.Instance;
+
+            if (environment.IsKubernetesManagedHosting())
+            {
+                key = environment.GetEnvironmentVariable(EnvironmentSettingNames.PodEncryptionKey);
+                if (!string.IsNullOrEmpty(key))
+                {
+                    return true;
+                }
+            }
+
+            // Use WebSiteAuthEncryptionKey if available else fall back to ContainerEncryptionKey.
+            // Until the container is specialized to a specific site WebSiteAuthEncryptionKey will not be available.
+            if (TryGetEncryptionKey(environment, EnvironmentSettingNames.WebSiteAuthEncryptionKey, out key) ||
+                TryGetEncryptionKey(environment, EnvironmentSettingNames.ContainerEncryptionKey, out key))
+            {
+                return true;
+            }
+
+            // Fall back to using DataProtection APIs to get the key
+            key = Util.GetDefaultKeyValue();
+            if (!string.IsNullOrEmpty(key))
+            {
+                return true;
+            }
+
+            return false;
+        }
+
+        public static string GetEncryptionKeyValue(IEnvironment environment = null)
+        {
+            if (TryGetEncryptionKey(out string key, environment))
+            {
+                return key;
+            }
+            else
+            {
+                throw new InvalidOperationException($"No encryption key defined in the environment.");
+            }
+        }
+
+        public static byte[] GetEncryptionKey(IEnvironment environment = null)
+        {
+            string key = GetEncryptionKeyValue(environment);
+            return key.ToKeyBytes();
+        }
+
+        public static byte[] ToKeyBytes(this string hexOrBase64)
+        {
+            // only support 32 bytes (256 bits) key length
+            if (hexOrBase64.Length == 64)
+            {
+                return Enumerable.Range(0, hexOrBase64.Length)
+                    .Where(x => x % 2 == 0)
+                    .Select(x => Convert.ToByte(hexOrBase64.Substring(x, 2), 16))
+                    .ToArray();
+            }
+
+            return Convert.FromBase64String(hexOrBase64);
+        }
+
+        private static bool TryGetEncryptionKey(IEnvironment environment, string keyName, out string encryptionKey)
+        {
+            encryptionKey = environment.GetEnvironmentVariable(keyName);
+            return !string.IsNullOrEmpty(encryptionKey);
+        }
     }
 }

src/WebJobs.Script.WebHost/Security/SimpleWebTokenHelper.cs

@@ -24,10 +24,7 @@ public static class SimpleWebTokenHelper
 
         internal static string Encrypt(string value, byte[] key = null, IEnvironment environment = null)
         {
-            if (key == null)
-            {
-                TryGetEncryptionKey(environment, EnvironmentSettingNames.WebSiteAuthEncryptionKey, out key);
-            }
+            key = key ?? SecretsUtility.GetEncryptionKey(environment);
 
             using (var aes = new AesManaged { Key = key })
             {
@@ -86,19 +83,7 @@ public static string Decrypt(byte[] encryptionKey, string value)
 
         public static string Decrypt(string value, IEnvironment environment = null)
         {
-            if ((environment != null) && environment.IsKubernetesManagedHosting())
-            {
-                var encryptionKey = GetPodEncryptionKey(environment);
-                return Decrypt(encryptionKey, value);
-            }
-            // Use WebSiteAuthEncryptionKey if available else fallback to ContainerEncryptionKey.
-            // Until the container is specialized to a specific site WebSiteAuthEncryptionKey will not be available.
-            byte[] key;
-            if (!TryGetEncryptionKey(environment, EnvironmentSettingNames.WebSiteAuthEncryptionKey, out key, false))
-            {
-                TryGetEncryptionKey(environment, EnvironmentSettingNames.ContainerEncryptionKey, out key);
-            }
-
+            byte[] key = SecretsUtility.GetEncryptionKey(environment);
             return Decrypt(key, value);
         }
 
@@ -136,50 +121,5 @@ private static string GetSHA256Base64String(byte[] key)
                 return Convert.ToBase64String(sha256.ComputeHash(key));
             }
         }
-
-        private static bool TryGetEncryptionKey(IEnvironment environment, string keyName, out byte[] encryptionKey, bool throwIfFailed = true)
-        {
-            environment = environment ?? SystemEnvironment.Instance;
-
-            encryptionKey = null;
-            var hexOrBase64 = environment.GetEnvironmentVariable(keyName);
-            if (string.IsNullOrEmpty(hexOrBase64))
-            {
-                if (throwIfFailed)
-                {
-                    throw new InvalidOperationException($"No {keyName} defined in the environment");
-                }
-
-                return false;
-            }
-
-            encryptionKey = hexOrBase64.ToKeyBytes();
-
-            return true;
-        }
-
-        private static byte[] GetPodEncryptionKey(IEnvironment environment)
-        {
-            var podEncryptionKey = environment.GetEnvironmentVariable(EnvironmentSettingNames.PodEncryptionKey);
-            if (string.IsNullOrEmpty(podEncryptionKey))
-            {
-                throw new Exception("Pod encryption key is empty.");
-            }
-            return Convert.FromBase64String(podEncryptionKey);
-        }
-
-        public static byte[] ToKeyBytes(this string hexOrBase64)
-        {
-            // only support 32 bytes (256 bits) key length
-            if (hexOrBase64.Length == 64)
-            {
-                return Enumerable.Range(0, hexOrBase64.Length)
-                    .Where(x => x % 2 == 0)
-                    .Select(x => Convert.ToByte(hexOrBase64.Substring(x, 2), 16))
-                    .ToArray();
-            }
-
-            return Convert.FromBase64String(hexOrBase64);
-        }
     }
 }

src/WebJobs.Script/ScriptConstants.cs

@@ -95,7 +95,8 @@ public static class ScriptConstants
         public const string AntaresLogIdHeaderName = "X-ARR-LOG-ID";
         public const string AntaresScaleOutHeaderName = "X-FUNCTION-SCALEOUT";
         public const string AntaresColdStartHeaderName = "X-MS-COLDSTART";
-        public const string SiteTokenHeaderName = "x-ms-site-restricted-token";
+        public const string SiteTokenHeaderName = "x-ms-site-token";
+        public const string SiteRestrictedTokenHeaderName = "x-ms-site-restricted-token";
         public const string EasyAuthIdentityHeader = "x-ms-client-principal";
         public const string AntaresPlatformInternal = "x-ms-platform-internal";
         public const string AzureVersionHeader = "x-ms-version";
@@ -123,8 +124,11 @@ public static class ScriptConstants
         public const string FeatureFlagEnableMultiLanguageWorker = "EnableMultiLanguageWorker";
         public const string FeatureFlagEnableLinuxEPExecutionCount = "EnableLinuxFEC";
 
-        public const string AdminJwtValidAudienceFormat = "https://{0}.azurewebsites.net/azurefunctions";
-        public const string AdminJwtValidIssuerFormat = "https://{0}.scm.azurewebsites.net";
+        public const string AdminJwtSiteFunctionsValidAudienceFormat = "https://{0}.azurewebsites.net/azurefunctions";
+        public const string AdminJwtSiteValidAudienceFormat = "https://{0}.azurewebsites.net";
+        public const string AdminJwtScmValidIssuerFormat = "https://{0}.scm.azurewebsites.net";
+        public const string AdminJwtSiteValidIssuerFormat = "https://{0}.azurewebsites.net";
+        public const string AdminJwtAppServiceIssuer = "https://appservice.core.azurewebsites.net";
 
         public const string AzureFunctionsSystemDirectoryName = ".azurefunctions";
         public const string HttpMethodConstraintName = "httpMethod";

test/WebJobs.Script.Tests.Integration/Management/KubernetesPodControllerTests.cs

@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
+using System;
 using System.Collections.Generic;
 using System.Net;
 using System.Net.Http;
@@ -138,10 +139,11 @@ public async Task Assignment_Fails_Without_Encryption_Key()
             environment.SetEnvironmentVariable(EnvironmentSettingNames.KubernetesServiceHost, "http://localhost:80");
             environment.SetEnvironmentVariable(EnvironmentSettingNames.PodNamespace, "k8se-apps");
 
-            var ex = await Assert.ThrowsAsync<System.Exception>(async () =>
+            var ex = await Assert.ThrowsAsync<InvalidOperationException>(async () =>
             {
                 await (podController.Assign(encryptedHostAssignmentContext));
             });
+            Assert.Equal("No encryption key defined in the environment.", ex.Message);
             Assert.Null(startupContextProvider.Context);
         }
 

test/WebJobs.Script.Tests.Integration/TestFunctionHost.cs

@@ -15,7 +15,6 @@
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.TestHost;
-using Microsoft.Azure.Web.DataProtection;
 using Microsoft.Azure.WebJobs.Host.Executors;
 using Microsoft.Azure.WebJobs.Script.ExtensionBundle;
 using Microsoft.Azure.WebJobs.Script.Models;
@@ -404,15 +403,14 @@ public async Task<HostStatus> GetHostStatusAsync()
             return await response.Content.ReadAsAsync<HostStatus>();
         }
 
-        public string GenerateAdminJwtToken()
+        public string GenerateAdminJwtToken(string audience = null, string issuer = null, byte[] key = null)
         {
             var tokenHandler = new JwtSecurityTokenHandler();
-            string defaultKey = Util.GetDefaultKeyValue();
-            var key = Encoding.ASCII.GetBytes(defaultKey);
+            key = key ?? SecretsUtility.GetEncryptionKey();
             var tokenDescriptor = new SecurityTokenDescriptor
             {
-                Audience = string.Format(ScriptConstants.AdminJwtValidAudienceFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName)),
-                Issuer = string.Format(ScriptConstants.AdminJwtValidIssuerFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName)),
+                Audience = audience ?? string.Format(ScriptConstants.AdminJwtSiteFunctionsValidAudienceFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName)),
+                Issuer = issuer ?? string.Format(ScriptConstants.AdminJwtScmValidIssuerFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName)),
                 Expires = DateTime.UtcNow.AddHours(1),
                 SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
             };