Add support for additional key encodings and audience/issuers (#9186)

Author: mathewc

src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs

@@ -3,6 +3,7 @@
 
 using System.Linq;
 using System.Security.Claims;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
@@ -73,21 +74,26 @@ public static AuthenticationBuilder AddScriptJwtBearer(this AuthenticationBuilde
         private static TokenValidationParameters CreateTokenValidationParameters()
         {
             var result = new TokenValidationParameters();
-            if (SecretsUtility.TryGetEncryptionKey(out byte[] key))
+            if (SecretsUtility.TryGetEncryptionKey(out string key))
             {
-                // TODO: Once ScriptSettingsManager is gone, Audience and Issuer shouold be pulled from configuration.
-                result.IssuerSigningKey = new SymmetricSecurityKey(key);
+                // TODO: Once ScriptSettingsManager is gone, Audience and Issuer should be pulled from configuration.
+                result.IssuerSigningKeys = new SecurityKey[]
+                {
+                    new SymmetricSecurityKey(key.ToKeyBytes()),
+                    new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key))
+                };
                 result.ValidateAudience = true;
                 result.ValidateIssuer = true;
                 result.ValidAudiences = new string[]
                 {
-                    string.Format(AdminJwtValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
-                    AdminJwtAppServiceIssuer
+                    string.Format(AdminJwtSiteFunctionsValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                    string.Format(AdminJwtSiteValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
                 };
                 result.ValidIssuers = new string[]
                 {
-                    string.Format(AdminJwtValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
-                    AdminJwtAppServiceIssuer
+                    AdminJwtAppServiceIssuer,
+                    string.Format(AdminJwtScmValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                    string.Format(AdminJwtSiteValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
                 };
             }
 

src/WebJobs.Script.WebHost/Security/SecretsUtility.cs

@@ -19,16 +19,15 @@ public static string GetNonDecryptableName(string secretsPath)
             return secretsPath + $".{ScriptConstants.Snapshot}.{timeStamp}.json";
         }
 
-        public static bool TryGetEncryptionKey(out byte[] key, IEnvironment environment = null)
+        public static bool TryGetEncryptionKey(out string key, IEnvironment environment = null)
         {
             environment = environment ?? SystemEnvironment.Instance;
 
             if (environment.IsKubernetesManagedHosting())
             {
-                var podEncryptionKey = environment.GetEnvironmentVariable(EnvironmentSettingNames.PodEncryptionKey);
-                if (!string.IsNullOrEmpty(podEncryptionKey))
+                key = environment.GetEnvironmentVariable(EnvironmentSettingNames.PodEncryptionKey);
+                if (!string.IsNullOrEmpty(key))
                 {
-                    key = Convert.FromBase64String(podEncryptionKey);
                     return true;
                 }
             }
@@ -42,19 +41,18 @@ public static bool TryGetEncryptionKey(out byte[] key, IEnvironment environment
             }
 
             // Fall back to using DataProtection APIs to get the key
-            string defaultKey = Util.GetDefaultKeyValue();
-            if (!string.IsNullOrEmpty(defaultKey))
+            key = Util.GetDefaultKeyValue();
+            if (!string.IsNullOrEmpty(key))
             {
-                key = defaultKey.ToKeyBytes();
                 return true;
             }
 
             return false;
         }
 
-        public static byte[] GetEncryptionKey(IEnvironment environment = null)
+        public static string GetEncryptionKeyValue(IEnvironment environment = null)
         {
-            if (TryGetEncryptionKey(out byte[] key, environment))
+            if (TryGetEncryptionKey(out string key, environment))
             {
                 return key;
             }
@@ -64,6 +62,12 @@ public static byte[] GetEncryptionKey(IEnvironment environment = null)
             }
         }
 
+        public static byte[] GetEncryptionKey(IEnvironment environment = null)
+        {
+            string key = GetEncryptionKeyValue(environment);
+            return key.ToKeyBytes();
+        }
+
         public static byte[] ToKeyBytes(this string hexOrBase64)
         {
             // only support 32 bytes (256 bits) key length
@@ -78,18 +82,10 @@ public static byte[] ToKeyBytes(this string hexOrBase64)
             return Convert.FromBase64String(hexOrBase64);
         }
 
-        private static bool TryGetEncryptionKey(IEnvironment environment, string keyName, out byte[] encryptionKey)
+        private static bool TryGetEncryptionKey(IEnvironment environment, string keyName, out string encryptionKey)
         {
-            encryptionKey = null;
-            var hexOrBase64 = environment.GetEnvironmentVariable(keyName);
-            if (string.IsNullOrEmpty(hexOrBase64))
-            {
-                return false;
-            }
-
-            encryptionKey = hexOrBase64.ToKeyBytes();
-
-            return true;
+            encryptionKey = environment.GetEnvironmentVariable(keyName);
+            return !string.IsNullOrEmpty(encryptionKey);
         }
     }
 }

src/WebJobs.Script/ScriptConstants.cs

@@ -128,8 +128,10 @@ public static class ScriptConstants
         public const string HostingConfigDisableLinuxAppServiceDetailedExecutionEvents = "DisableLinuxExecutionDetails";
         public const string HostingConfigDisableLinuxAppServiceExecutionEventLogBackoff = "DisableLinuxLogBackoff";
 
-        public const string AdminJwtValidAudienceFormat = "https://{0}.azurewebsites.net/azurefunctions";
-        public const string AdminJwtValidIssuerFormat = "https://{0}.scm.azurewebsites.net";
+        public const string AdminJwtSiteFunctionsValidAudienceFormat = "https://{0}.azurewebsites.net/azurefunctions";
+        public const string AdminJwtSiteValidAudienceFormat = "https://{0}.azurewebsites.net";
+        public const string AdminJwtScmValidIssuerFormat = "https://{0}.scm.azurewebsites.net";
+        public const string AdminJwtSiteValidIssuerFormat = "https://{0}.azurewebsites.net";
         public const string AdminJwtAppServiceIssuer = "https://appservice.core.azurewebsites.net";
 
         public const string AzureFunctionsSystemDirectoryName = ".azurefunctions";

test/WebJobs.Script.Tests.Integration/TestFunctionHost.cs

@@ -409,14 +409,14 @@ public async Task<HostStatus> GetHostStatusAsync()
             return await response.Content.ReadAsAsync<HostStatus>();
         }
 
-        public string GenerateAdminJwtToken(string audience = null, string issuer = null)
+        public string GenerateAdminJwtToken(string audience = null, string issuer = null, byte[] key = null)
         {
             var tokenHandler = new JwtSecurityTokenHandler();
-            byte[] key = SecretsUtility.GetEncryptionKey();
+            key = key ?? SecretsUtility.GetEncryptionKey();
             var tokenDescriptor = new SecurityTokenDescriptor
             {
-                Audience = audience ?? string.Format(ScriptConstants.AdminJwtValidAudienceFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName)),
-                Issuer = issuer ?? string.Format(ScriptConstants.AdminJwtValidIssuerFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName)),
+                Audience = audience ?? string.Format(ScriptConstants.AdminJwtSiteFunctionsValidAudienceFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName)),
+                Issuer = issuer ?? string.Format(ScriptConstants.AdminJwtScmValidIssuerFormat, Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteName)),
                 Expires = DateTime.UtcNow.AddHours(1),
                 SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
             };

test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/JwtTokenAuthTests.cs

@@ -6,6 +6,7 @@
 using System.Net;
 using System.Net.Http;
 using System.Net.Http.Headers;
+using System.Text;
 using System.Threading.Tasks;
 using Microsoft.Azure.WebJobs.Script.WebHost;
 using Microsoft.Azure.WebJobs.Script.WebHost.Management;
@@ -30,10 +31,18 @@ public JwtTokenAuthTests(TestFixture fixture)
 
         [Theory]
         [InlineData(nameof(HttpRequestHeader.Authorization))]
-        [InlineData(nameof(HttpRequestHeader.Authorization), ScriptConstants.AdminJwtAppServiceIssuer, ScriptConstants.AdminJwtAppServiceIssuer)]
+        [InlineData(nameof(HttpRequestHeader.Authorization), "https://appservice.core.azurewebsites.net", "https://testsite.azurewebsites.net")]
+        [InlineData(nameof(HttpRequestHeader.Authorization), "https://appservice.core.azurewebsites.net", "https://testsite.azurewebsites.net/azurefunctions")]
+        [InlineData(nameof(HttpRequestHeader.Authorization), "https://testsite.scm.azurewebsites.net", "https://testsite.azurewebsites.net")]
+        [InlineData(nameof(HttpRequestHeader.Authorization), "https://testsite.scm.azurewebsites.net", "https://testsite.azurewebsites.net/azurefunctions")]
+        [InlineData(nameof(HttpRequestHeader.Authorization), "https://testsite.azurewebsites.net", "https://testsite.azurewebsites.net")]
         [InlineData(ScriptConstants.SiteTokenHeaderName)]
-        [InlineData(ScriptConstants.SiteTokenHeaderName, ScriptConstants.AdminJwtAppServiceIssuer, ScriptConstants.AdminJwtAppServiceIssuer)]
-        public async Task InvokeAdminApi_ValidToken_Succeeds(string headerName, string audience = null, string issuer = null)
+        [InlineData(ScriptConstants.SiteTokenHeaderName, "https://appservice.core.azurewebsites.net", "https://testsite.azurewebsites.net")]
+        [InlineData(ScriptConstants.SiteTokenHeaderName, "https://appservice.core.azurewebsites.net", "https://testsite.azurewebsites.net/azurefunctions")]
+        [InlineData(ScriptConstants.SiteTokenHeaderName, "https://testsite.scm.azurewebsites.net", "https://testsite.azurewebsites.net")]
+        [InlineData(ScriptConstants.SiteTokenHeaderName, "https://testsite.scm.azurewebsites.net", "https://testsite.azurewebsites.net/azurefunctions")]
+        [InlineData(ScriptConstants.SiteTokenHeaderName, "https://testsite.azurewebsites.net", "https://testsite.azurewebsites.net")]
+        public async Task InvokeAdminApi_ValidToken_Succeeds(string headerName, string issuer = null, string audience = null)
         {
             HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "admin/host/status");
             string token = _fixture.Host.GenerateAdminJwtToken(audience, issuer);
@@ -72,6 +81,18 @@ public async Task InvokeAdminApi_InvalidToken_Fails(string headerName)
             Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
         }
 
+        [Fact]
+        public async Task InvokeAdminApi_ValidToken_UTF8Encoding_Succeeds()
+        {
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "admin/host/status");
+            string key = SecretsUtility.GetEncryptionKeyValue();
+            string token = _fixture.Host.GenerateAdminJwtToken(key: Encoding.UTF8.GetBytes(key));
+            request.Headers.Add(ScriptConstants.SiteTokenHeaderName, token);
+
+            var response = await _fixture.Host.HttpClient.SendAsync(request);
+            response.EnsureSuccessStatusCode();
+        }
+
         public class TestFixture : EndToEndTestFixture
         {
             private TestScopedEnvironmentVariable _scopedEnvironment;

test/WebJobs.Script.Tests/Helpers/SecretsUtilityTest.cs

@@ -0,0 +1,25 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Azure.WebJobs.Script.WebHost;
+using Xunit;
+
+namespace Microsoft.Azure.WebJobs.Script.Tests.Helpers
+{
+    public class SecretsUtilityTest
+    {
+        [Fact]
+        public void ToKeyBytes_ReturnsExpectedValue()
+        {
+            byte[] keyBytes = TestHelpers.GenerateKeyBytes();
+
+            string hexKey = TestHelpers.GenerateKeyHexString(keyBytes);
+            string base64Key = Convert.ToBase64String(keyBytes);
+
+            Assert.Equal(keyBytes, SecretsUtility.ToKeyBytes(hexKey));
+            Assert.Equal(keyBytes, SecretsUtility.ToKeyBytes(base64Key));
+            Assert.Equal(keyBytes, Convert.FromBase64String(base64Key));
+        }
+    }
+}

test/WebJobs.Script.Tests/Helpers/SimpleWebTokenTests.cs

@@ -2,7 +2,6 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
-using System.Security.Cryptography;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 using Xunit;