Add decryptionKey to a snapshot

alrod · alrod · commit a51bfece1e4e · 2019-03-21T20:46:25.000-07:00
diff --git a/src/WebJobs.Script.WebHost/Properties/Resources.Designer.cs b/src/WebJobs.Script.WebHost/Properties/Resources.Designer.cs
diff --git a/src/WebJobs.Script.WebHost/Properties/Resources.resx b/src/WebJobs.Script.WebHost/Properties/Resources.resx
@@ -280,10 +280,10 @@
     <value>Master key {0}</value>
   </data>
   <data name="TraceNonDecryptedFunctionSecretRefresh" xml:space="preserve">
-    <value>Non-decryptable function ('{0}') secrets detected. Refreshing secrets.</value>
+    <value>Non-decryptable function ('{0}') secrets detected. Refreshing secrets. Exception: {1}.</value>
   </data>
   <data name="TraceNonDecryptedHostSecretRefresh" xml:space="preserve">
-    <value>Non-decryptable host secrets detected. Refreshing secrets.</value>
+    <value>Non-decryptable host secrets detected. Refreshing secrets. Exception: {0}.</value>
   </data>
   <data name="TraceSecretDeleted" xml:space="preserve">
     <value>{0} secret '{1}' deleted.</value>
diff --git a/src/WebJobs.Script.WebHost/Security/KeyManagement/ScriptSecrets.cs b/src/WebJobs.Script.WebHost/Security/KeyManagement/ScriptSecrets.cs
@@ -2,12 +2,8 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
-using System.Collections;
 using System.Collections.Generic;
-using System.Globalization;
 using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 using Microsoft.Azure.WebJobs.Script.Config;
 using Newtonsoft.Json;
 
@@ -37,6 +33,9 @@ protected ScriptSecrets()
         [JsonProperty(PropertyName = "source")]
         public string Source { get; set; }
 
+        [JsonProperty(PropertyName = "decryptionKeyId")]
+        public string DecryptionKeyId { get; set; }
+
         protected abstract ICollection<Key> GetKeys(string keyScope);
 
         public abstract ScriptSecrets Refresh(IKeyValueConverterFactory factory);
diff --git a/src/WebJobs.Script.WebHost/Security/KeyManagement/SecretManager.cs b/src/WebJobs.Script.WebHost/Security/KeyManagement/SecretManager.cs
@@ -8,6 +8,7 @@
 using System.IO;
 using System.Linq;
 using System.Security.Cryptography;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Azure.KeyVault.Models;
@@ -98,9 +99,10 @@ public async virtual Task<HostSecretsInfo> GetHostSecretsAsync()
                             // so we read the secrets running them through the appropriate readers
                             hostSecrets = ReadHostSecrets(hostSecrets);
                         }
-                        catch (CryptographicException)
+                        catch (CryptographicException ex)
                         {
-                            _logger?.LogDebug(Resources.TraceNonDecryptedHostSecretRefresh);
+                            string message = string.Format(Resources.TraceNonDecryptedHostSecretRefresh, ex);
+                            _logger?.LogDebug(message);
                             await PersistSecretsAsync(hostSecrets, null, true);
                             hostSecrets = GenerateHostSecrets(hostSecrets);
                             await RefreshSecretsAsync(hostSecrets);
@@ -162,9 +164,9 @@ public async virtual Task<IDictionary<string, string>> GetFunctionSecretsAsync(s
                         // Read all secrets, which will run the keys through the appropriate readers
                         secrets.Keys = secrets.Keys.Select(k => _keyValueConverterFactory.ReadKey(k)).ToList();
                     }
-                    catch (CryptographicException)
+                    catch (CryptographicException ex)
                     {
-                        string message = string.Format(Resources.TraceNonDecryptedFunctionSecretRefresh, functionName);
+                        string message = string.Format(Resources.TraceNonDecryptedFunctionSecretRefresh, functionName, ex);
                         _logger?.LogDebug(message);
                         await PersistSecretsAsync(secrets, functionName, true);
                         secrets = GenerateFunctionSecrets(secrets);
@@ -451,6 +453,14 @@ private async Task PersistSecretsAsync<T>(T secrets, string keyScope = null, boo
             ScriptSecretsType secretsType = secrets.SecretsType;
             if (isNonDecryptable)
             {
+                string decryptionKey = SystemEnvironment.Instance.GetEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey);
+                if (!string.IsNullOrEmpty(decryptionKey))
+                {
+                    SHA256Managed hash = new SHA256Managed();
+                    byte[] hashBytes = hash.ComputeHash(Encoding.UTF8.GetBytes(decryptionKey));
+                    secrets.DecryptionKeyId = Convert.ToBase64String(hashBytes);
+                }
+
                 string[] secretBackups = await _repository.GetSecretSnapshots(secrets.SecretsType, keyScope);
 
                 if (secretBackups.Length >= ScriptConstants.MaximumSecretBackupCount)
diff --git a/test/WebJobs.Script.Tests/Security/SecretManagerTests.cs b/test/WebJobs.Script.Tests/Security/SecretManagerTests.cs
@@ -507,12 +507,15 @@ public async Task GetHostSecrets_WhenNonDecryptedHostSecrets_SavesAndRefreshes()
         [Fact]
         public async Task GetFunctiontSecrets_WhenNonDecryptedSecrets_SavesAndRefreshes()
         {
-            using (var directory = new TempDirectory())
+            string key = TestHelpers.GenerateKeyHexString();
+            using (new TestScopedEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, key))
             {
-                string functionName = "testfunction";
-                string expectedTraceMessage = string.Format(Resources.TraceNonDecryptedFunctionSecretRefresh, functionName);
-                string functionSecretsJson =
-                     @"{
+                using (var directory = new TempDirectory())
+                {
+                    string functionName = "testfunction";
+                    string expectedTraceMessage = string.Format(Resources.TraceNonDecryptedFunctionSecretRefresh, functionName, string.Empty);
+                    string functionSecretsJson =
+                         @"{
     'keys': [
         {
             'name': 'Key1',
@@ -526,21 +529,27 @@ public async Task GetFunctiontSecrets_WhenNonDecryptedSecrets_SavesAndRefreshes(
         }
     ]
 }";
-                File.WriteAllText(Path.Combine(directory.Path, functionName + ".json"), functionSecretsJson);
-                Mock<IKeyValueConverterFactory> mockValueConverterFactory = GetConverterFactoryMock(true, false);
-                IDictionary<string, string> functionSecrets;
-                ISecretsRepository repository = new FileSystemSecretsRepository(directory.Path);
+                    File.WriteAllText(Path.Combine(directory.Path, functionName + ".json"), functionSecretsJson);
+                    Mock<IKeyValueConverterFactory> mockValueConverterFactory = GetConverterFactoryMock(true, false);
+                    IDictionary<string, string> functionSecrets;
+                    ISecretsRepository repository = new FileSystemSecretsRepository(directory.Path);
 
-                using (var secretManager = new SecretManager(repository, mockValueConverterFactory.Object, null, new TestMetricsLogger()))
-                {
-                    functionSecrets = await secretManager.GetFunctionSecretsAsync(functionName);
-                }
+                    using (var secretManager = new SecretManager(repository, mockValueConverterFactory.Object, null, new TestMetricsLogger()))
+                    {
+                            functionSecrets = await secretManager.GetFunctionSecretsAsync(functionName);
+                    }
 
-                Assert.NotNull(functionSecrets);
-                Assert.NotEqual(functionSecrets["Key1"], "cryptoError");
-                var result = JsonConvert.DeserializeObject<FunctionSecrets>(File.ReadAllText(Path.Combine(directory.Path, functionName + ".json")));
-                Assert.Equal(result.GetFunctionKey("Key1", functionName).Value, "!" + functionSecrets["Key1"]);
-                Assert.Equal(1, Directory.GetFiles(directory.Path, $"{functionName}.{ScriptConstants.Snapshot}*").Length);
+                    Assert.NotNull(functionSecrets);
+                    Assert.NotEqual(functionSecrets["Key1"], "cryptoError");
+                    var result = JsonConvert.DeserializeObject<FunctionSecrets>(File.ReadAllText(Path.Combine(directory.Path, functionName + ".json")));
+                    Assert.Equal(result.GetFunctionKey("Key1", functionName).Value, "!" + functionSecrets["Key1"]);
+                    Assert.Equal(1, Directory.GetFiles(directory.Path, $"{functionName}.{ScriptConstants.Snapshot}*").Length);
+
+                    result = JsonConvert.DeserializeObject<FunctionSecrets>(File.ReadAllText(Path.Combine(directory.Path, functionName + ".json")));
+                    string snapShotFileName = Directory.GetFiles(directory.Path, $"{functionName}.{ScriptConstants.Snapshot}*")[0];
+                    result = JsonConvert.DeserializeObject<FunctionSecrets>(File.ReadAllText(Path.Combine(directory.Path, snapShotFileName)));
+                    Assert.NotEqual(result.DecryptionKeyId, key);
+                }
             }
         }
 
@@ -780,7 +789,6 @@ public async Task GetFunctiontSecrets_AddsMetrics()
             using (var directory = new TempDirectory())
             {
                 string functionName = "testfunction";
-                string expectedTraceMessage = string.Format(Resources.TraceNonDecryptedFunctionSecretRefresh, functionName);
                 string functionSecretsJson =
                      @"{
     'keys': [
