Allowing Admin authenticated requests to bypass WebHook auth pipeline

Author: mathewc

sample/HttpTrigger-CSharp/run.csx

@@ -1,6 +1,4 @@
-#r "System.Web.Http"
-
-using System;
+using System;
 using System.Linq;
 using System.Net;
 using System.Net.Http;

src/WebJobs.Script.WebHost/App_Start/AutofacBootstrap.cs

@@ -1,10 +1,8 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
-using System;
 using System.Configuration;
-using System.IO;
-using System.Web;
+using System.Threading.Tasks;
 using System.Web.Configuration;
 using System.Web.Hosting;
 using Autofac;
@@ -15,32 +13,12 @@ namespace WebJobs.Script.WebHost.App_Start
 {
     public static class AutofacBootstrap
     {
-        internal static void Initialize(ContainerBuilder builder)
+        internal static void Initialize(ContainerBuilder builder, WebHostSettings settings)
         {
-            string logFilePath;
-            string scriptRootPath;
-            string secretsPath;
-            string home = Environment.GetEnvironmentVariable("HOME");
-            bool isLocal = string.IsNullOrEmpty(home);
-            if (isLocal)
-            {
-                // we're running locally
-                scriptRootPath = Path.Combine(HostingEnvironment.ApplicationPhysicalPath, @"..\..\sample");
-                logFilePath = Path.Combine(Path.GetTempPath(), @"Functions");
-                secretsPath = HttpContext.Current.Server.MapPath("~/App_Data/Secrets");
-            }
-            else
-            {
-                // we're running in Azure
-                scriptRootPath = Path.Combine(home, @"site\wwwroot");
-                logFilePath = Path.Combine(home, @"LogFiles\Application\Functions");
-                secretsPath = Path.Combine(home, @"data\Functions\secrets");
-            }
-
             ScriptHostConfiguration scriptHostConfig = new ScriptHostConfiguration()
             {
-                RootScriptPath = scriptRootPath,
-                RootLogPath = logFilePath,
+                RootScriptPath = settings.ScriptPath,
+                RootLogPath = settings.LogPath,
                 FileLoggingEnabled = true
             };
 
@@ -55,15 +33,22 @@ internal static void Initialize(ContainerBuilder builder)
             WebScriptHostManager scriptHostManager = new WebScriptHostManager(scriptHostConfig);
             builder.RegisterInstance<WebScriptHostManager>(scriptHostManager);
 
-            SecretManager secretManager = new SecretManager(secretsPath);
+            SecretManager secretManager = new SecretManager(settings.SecretsPath);
             // Make sure that host secrets get created on startup if they don't exist
             secretManager.GetHostSecrets();
             builder.RegisterInstance<SecretManager>(secretManager);
 
             WebHookReceiverManager webHookReceiverManager = new WebHookReceiverManager(secretManager);
             builder.RegisterInstance<WebHookReceiverManager>(webHookReceiverManager);
 
-            HostingEnvironment.QueueBackgroundWorkItem((ct) => scriptHostManager.RunAndBlock(ct));
+            if (!settings.IsSelfHost)
+            {
+                HostingEnvironment.QueueBackgroundWorkItem((ct) => scriptHostManager.RunAndBlock(ct));
+            }
+            else
+            {
+                Task.Run(() => scriptHostManager.RunAndBlock());
+            }
         }
     }
 }

src/WebJobs.Script.WebHost/App_Start/WebApiConfig.cs

@@ -2,6 +2,9 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
+using System.IO;
+using System.Web;
+using System.Web.Hosting;
 using System.Web.Http;
 using Autofac;
 using Autofac.Integration.WebApi;
@@ -14,19 +17,28 @@ namespace WebJobs.Script.WebHost
     public static class WebApiConfig
     {
         public static void Register(HttpConfiguration config)
+        {
+            Register(config, GetDefaultSettings());
+        }
+
+        public static void Register(HttpConfiguration config, WebHostSettings settings = null)
         {
             if (config == null)
             {
                 throw new ArgumentNullException("config");
             }
+            if (settings == null)
+            {
+                throw new ArgumentNullException("settings");
+            }
 
             var builder = new ContainerBuilder();
             builder.RegisterApiControllers(typeof(FunctionsController).Assembly);
-            AutofacBootstrap.Initialize(builder);
+            AutofacBootstrap.Initialize(builder, settings);
             var container = builder.Build();
-            GlobalConfiguration.Configuration.DependencyResolver = new AutofacWebApiDependencyResolver(container);
+            config.DependencyResolver = new AutofacWebApiDependencyResolver(container);
 
-            config.MessageHandlers.Add(new EnsureHostRunningHandler()); 
+            config.MessageHandlers.Add(new EnsureHostRunningHandler(config)); 
 
             // Web API configuration and services
 
@@ -59,5 +71,28 @@ public static void Register(HttpConfiguration config)
             config.InitializeReceiveGitHubWebHooks();
             config.InitializeReceiveSalesforceWebHooks();
         }
+
+        private static WebHostSettings GetDefaultSettings()
+        {
+            WebHostSettings settings = new WebHostSettings();
+
+            string home = Environment.GetEnvironmentVariable("HOME");
+            bool isLocal = string.IsNullOrEmpty(home);
+            if (isLocal)
+            {
+                settings.ScriptPath = Path.Combine(HostingEnvironment.ApplicationPhysicalPath, @"..\..\sample");
+                settings.LogPath = Path.Combine(Path.GetTempPath(), @"Functions");
+                settings.SecretsPath = HttpContext.Current.Server.MapPath("~/App_Data/Secrets");
+            }
+            else
+            {
+                // we're running in Azure
+                settings.ScriptPath = Path.Combine(home, @"site\wwwroot");
+                settings.LogPath = Path.Combine(home, @"LogFiles\Application\Functions");
+                settings.SecretsPath = Path.Combine(home, @"data\Functions\secrets");
+            }
+
+            return settings;
+        }
     }
 }

src/WebJobs.Script.WebHost/App_Start/WebHostSettings.cs

@@ -0,0 +1,13 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+namespace WebJobs.Script.WebHost
+{
+    public class WebHostSettings
+    {
+        public bool IsSelfHost { get; set; }
+        public string ScriptPath { get; set; }
+        public string LogPath { get; set; }
+        public string SecretsPath { get; set; }
+    }
+}

src/WebJobs.Script.WebHost/Controllers/FunctionsController.cs

@@ -9,6 +9,7 @@
 using System.Threading.Tasks;
 using System.Web.Http;
 using System.Web.Http.Controllers;
+using Microsoft.Azure.WebJobs.Script;
 using Microsoft.Azure.WebJobs.Script.Description;
 using WebJobs.Script.WebHost.Filters;
 using WebJobs.Script.WebHost.WebHooks;
@@ -40,29 +41,41 @@ public override async Task<HttpResponseMessage> ExecuteAsync(HttpControllerConte
                 return new HttpResponseMessage(HttpStatusCode.NotFound);
             }
 
-            // Authorize the request
+            // Determine the authorization level of the request
             SecretManager secretManager = (SecretManager)controllerContext.Configuration.DependencyResolver.GetService(typeof(SecretManager));
+            AuthorizationLevel authorizationLevel = AuthorizationLevelAttribute.GetAuthorizationLevel(request, secretManager, functionName: function.Name);
+
+            // Dispatch the request
             HttpTriggerBindingMetadata httpFunctionMetadata = (HttpTriggerBindingMetadata)function.Metadata.InputBindings.FirstOrDefault(p => p.Type == BindingType.HttpTrigger);
             bool isWebHook = !string.IsNullOrEmpty(httpFunctionMetadata.WebHookType);
-            if (!isWebHook && !AuthorizationLevelAttribute.IsAuthorized(request, httpFunctionMetadata.AuthLevel, secretManager, functionName: function.Name))
-            {
-                return new HttpResponseMessage(HttpStatusCode.Unauthorized);
-            }
-
             HttpResponseMessage response = null;
             if (isWebHook)
             {
-                // This is a WebHook request so define a delegate for the user function.
-                // The WebHook Receiver pipeline will first validate the request fully
-                // then invoke this callback.
-                Func<HttpRequestMessage, Task<HttpResponseMessage>> invokeFunction = async (req) =>
+                if (authorizationLevel == AuthorizationLevel.Admin)
+                {
+                    // Admin level requests bypass the WebHook auth pipeline
+                    response = await _scriptHostManager.HandleRequestAsync(function, request, cancellationToken);
+                }
+                else
                 {
-                    return await _scriptHostManager.HandleRequestAsync(function, req, cancellationToken);
-                };
-                response = await _webHookReceiverManager.HandleRequestAsync(function, request, invokeFunction);
+                    // This is a WebHook request so define a delegate for the user function.
+                    // The WebHook Receiver pipeline will first validate the request fully
+                    // then invoke this callback.
+                    Func<HttpRequestMessage, Task<HttpResponseMessage>> invokeFunction = async (req) =>
+                    {
+                        return await _scriptHostManager.HandleRequestAsync(function, req, cancellationToken);
+                    };
+                    response = await _webHookReceiverManager.HandleRequestAsync(function, request, invokeFunction);
+                }
             }
             else
             {
+                // Authorize
+                if (authorizationLevel < httpFunctionMetadata.AuthLevel)
+                {
+                    return new HttpResponseMessage(HttpStatusCode.Unauthorized);
+                }
+
                 // Validate the HttpMethod
                 // Note that for WebHook requests, WebHook receiver does its own validation
                 if (httpFunctionMetadata.Methods != null && !httpFunctionMetadata.Methods.Contains(request.Method))

src/WebJobs.Script.WebHost/GlobalSuppressions.cs

@@ -16,9 +16,14 @@ public class EnsureHostRunningHandler : DelegatingHandler
         private readonly int _hostRunningPollIntervalMs = 500;
         private WebScriptHostManager _scriptHostManager;
 
-        public EnsureHostRunningHandler()
+        public EnsureHostRunningHandler(HttpConfiguration config)
         {
-            _scriptHostManager = (WebScriptHostManager)GlobalConfiguration.Configuration.DependencyResolver.GetService(typeof(WebScriptHostManager));
+            if (config == null)
+            {
+                throw new ArgumentNullException("config");
+            }
+
+            _scriptHostManager = (WebScriptHostManager)config.DependencyResolver.GetService(typeof(WebScriptHostManager));
         }
 
         protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)

src/WebJobs.Script.WebHost/Handlers/EnsureHostRunningHandler.cs

@@ -233,6 +233,7 @@
   <ItemGroup>
     <Compile Include="App_Start\AutofacBootstrap.cs" />
     <Compile Include="App_Start\WebApiConfig.cs" />
+    <Compile Include="App_Start\WebHostSettings.cs" />
     <Compile Include="Controllers\AdminController.cs" />
     <Compile Include="Controllers\FunctionsController.cs" />
     <Compile Include="Controllers\HomeController.cs" />

src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj

@@ -0,0 +1,98 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using System.Net;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Threading.Tasks;
+using System.Web.Http;
+using WebJobs.Script.WebHost;
+using Xunit;
+
+namespace WebJobs.Script.Tests
+{
+    public class SamplesEndToEndTests : IClassFixture<SamplesEndToEndTests.TestFixture>
+    {
+        private TestFixture _fixture;
+
+        public SamplesEndToEndTests(TestFixture fixture)
+        {
+            _fixture = fixture;
+        }
+
+        [Fact]
+        public async Task Home_Get_Succeeds()
+        {
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, string.Empty);
+
+            HttpResponseMessage response = await this._fixture.Client.SendAsync(request);
+            Assert.Equal(HttpStatusCode.NoContent, response.StatusCode);
+        }
+
+        [Fact]
+        public async Task HttpTrigger_Get_Succeeds()
+        {
+            string uri = "api/httptrigger?code=hyexydhln844f2mb7hgsup2yf8dowlb0885mbiq1&name=Mathew";
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, uri);
+
+            HttpResponseMessage response = await this._fixture.Client.SendAsync(request);
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            string body = await response.Content.ReadAsStringAsync();
+            Assert.Equal("Hello Mathew", body);
+        }
+
+        [Fact]
+        public async Task GenericWebHook_Post_Succeeds()
+        {
+            string uri = "api/webhook-generic?code=1388a6b0d05eca2237f10e4a4641260b0a08f3a5";
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, uri);
+            request.Content = new StringContent("{ 'a': 'Foobar' }");
+            request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
+
+            HttpResponseMessage response = await this._fixture.Client.SendAsync(request);
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            string body = await response.Content.ReadAsStringAsync();
+            Assert.Equal("WebHook processed successfully! Foobar", body);
+        }
+
+        [Fact]
+        public async Task GenericWebHook_Post_AdminKey_Succeeds()
+        {
+            // Verify that sending the admin key bypasses WebHook auth
+            string uri = "api/webhook-generic?code=t8laajal0a1ajkgzoqlfv5gxr4ebhqozebw4qzdy";
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, uri);
+            request.Content = new StringContent("{ 'a': 'Foobar' }");
+            request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
+
+            HttpResponseMessage response = await this._fixture.Client.SendAsync(request);
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            string body = await response.Content.ReadAsStringAsync();
+            Assert.Equal("WebHook processed successfully! Foobar", body);
+        }
+
+        public class TestFixture
+        {
+            public TestFixture()
+            {
+                HttpConfiguration config = new HttpConfiguration();
+
+                WebHostSettings settings = new WebHostSettings
+                {
+                    IsSelfHost = true,
+                    ScriptPath = Path.Combine(Environment.CurrentDirectory, @"..\..\..\..\sample"),
+                    LogPath = Path.Combine(Path.GetTempPath(), @"Functions"),
+                    SecretsPath = Path.Combine(Environment.CurrentDirectory, @"..\..\..\..\src\WebJobs.Script.WebHost\App_Data\Secrets")
+                };
+                WebApiConfig.Register(config, settings);
+
+                HttpServer server = new HttpServer(config);
+                this.Client = new HttpClient(server);
+                this.Client.BaseAddress = new Uri("https://localhost/");
+            }
+
+            public HttpClient Client { get; set; }
+        }
+    }
+}

test/WebJobs.Script.Tests/SamplesEndToEndTests.cs

@@ -183,6 +183,7 @@
     <Compile Include="FileTraceWriterTests.cs" />
     <Compile Include="FSharpEndToEndTests.cs" />
     <Compile Include="FunctionGeneratorTests.cs" />
+    <Compile Include="SamplesEndToEndTests.cs" />
     <Compile Include="PhpEndToEndTests.cs" />
     <Compile Include="PowershellEndToEndTests.cs" />
     <Compile Include="PythonEndToEndTests.cs" />