Adding support for admin API isolation (#8462)

Author: mathewc

WebJobs.Script.sln

@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 16
-VisualStudioVersion = 16.0.29409.12
+# Visual Studio Version 17
+VisualStudioVersion = 17.2.32505.173
 MinimumVisualStudioVersion = 15.0.0.0
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{16351B76-87CA-4A8C-80A1-3DD83A0C4AA6}"
 EndProject
@@ -304,8 +304,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Python", "Python", "{0AE3CE
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "HttpTrigger", "HttpTrigger", "{BA45A727-34B7-484F-9B93-B1755AF09A2A}"
 	ProjectSection(SolutionItems) = preProject
-		sample\Python\HttpTrigger\__init__.py = sample\Python\HttpTrigger\__init__.py
 		sample\Python\HttpTrigger\function.json = sample\Python\HttpTrigger\function.json
+		sample\Python\HttpTrigger\__init__.py = sample\Python\HttpTrigger\__init__.py
 	EndProjectSection
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WebJobs.Script.Abstractions", "src\WebJobs.Script.Abstractions\WebJobs.Script.Abstractions.csproj", "{9A522D9D-2D86-4572-B7D1-ECBFBFAF312C}"
@@ -360,12 +360,13 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "HttpTrigger-LongRun", "Http
 		sample\NodeDrain\HttpTrigger-LongRun\index.js = sample\NodeDrain\HttpTrigger-LongRun\index.js
 	EndProjectSection
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "HttpTrigger-AdminLevel", "HttpTrigger-AdminLevel", "{7FDE25BC-43C0-4902-AB9B-8B09123716BA}"
+	ProjectSection(SolutionItems) = preProject
+		sample\CSharp\HttpTrigger-AdminLevel\function.json = sample\CSharp\HttpTrigger-AdminLevel\function.json
+		sample\CSharp\HttpTrigger-AdminLevel\run.csx = sample\CSharp\HttpTrigger-AdminLevel\run.csx
+	EndProjectSection
+EndProject
 Global
-	GlobalSection(SharedMSBuildProjectFiles) = preSolution
-		test\WebJobs.Script.Tests.Shared\WebJobs.Script.Tests.Shared.projitems*{35c9ccb7-d8b6-4161-bb0d-bcfa7c6dcffb}*SharedItemsImports = 13
-		test\WebJobs.Script.Tests.Shared\WebJobs.Script.Tests.Shared.projitems*{3ba93614-3a4a-49b0-bfbc-7831e2c02bb7}*SharedItemsImports = 5
-		test\WebJobs.Script.Tests.Shared\WebJobs.Script.Tests.Shared.projitems*{edddaed1-0e37-4ed7-a595-63f686dee90a}*SharedItemsImports = 5
-	EndGlobalSection
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
 		Release|Any CPU = Release|Any CPU
@@ -471,8 +472,14 @@ Global
 		{09D16953-A048-4E6B-B366-1E0D7E5EF86E} = {AFB0F5F7-A612-4F4A-94DD-8B69CABF7970}
 		{6FE94892-4E58-403D-BA32-4A35C0EE1E46} = {FF9C0818-30D3-437A-A62D-7A61CA44F459}
 		{1EE80AFE-8B64-4670-9462-3DEA692D4457} = {6FE94892-4E58-403D-BA32-4A35C0EE1E46}
+		{7FDE25BC-43C0-4902-AB9B-8B09123716BA} = {34506711-9D66-41EF-BBA1-9A9DC1140209}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {85400884-5FFD-4C27-A571-58CB3C8CAAC5}
 	EndGlobalSection
+	GlobalSection(SharedMSBuildProjectFiles) = preSolution
+		test\WebJobs.Script.Tests.Shared\WebJobs.Script.Tests.Shared.projitems*{35c9ccb7-d8b6-4161-bb0d-bcfa7c6dcffb}*SharedItemsImports = 13
+		test\WebJobs.Script.Tests.Shared\WebJobs.Script.Tests.Shared.projitems*{3ba93614-3a4a-49b0-bfbc-7831e2c02bb7}*SharedItemsImports = 5
+		test\WebJobs.Script.Tests.Shared\WebJobs.Script.Tests.Shared.projitems*{edddaed1-0e37-4ed7-a595-63f686dee90a}*SharedItemsImports = 5
+	EndGlobalSection
 EndGlobal

sample/CSharp/HttpTrigger-AdminLevel/function.json

@@ -0,0 +1,16 @@
+{
+  "bindings": [
+    {
+      "type": "httpTrigger",
+      "name": "req",
+      "direction": "in",
+      "methods": [ "get" ],
+      "authLevel": "admin"
+    },
+    {
+      "type": "http",
+      "name": "$return",
+      "direction": "out"
+    }
+  ]
+}

sample/CSharp/HttpTrigger-AdminLevel/run.csx

@@ -0,0 +1,15 @@
+using System.Net;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Primitives;
+
+public static IActionResult Run(HttpRequest req, TraceWriter log)
+{
+    log.Info("C# HTTP trigger function processed a request.");
+
+    if (req.Query.TryGetValue("name", out StringValues value))
+    {
+        return new OkObjectResult($"Hello {value.ToString()}");
+    }
+
+    return new BadRequestObjectResult("Please pass a name on the query string or in the request body");
+}

src/WebJobs.Script.WebHost/Middleware/VirtualFileSystemMiddleware.cs

@@ -103,6 +103,11 @@ private async Task<bool> AuthenticateAndAuthorize(HttpContext context)
             var authorizationPolicyProvider = context.RequestServices.GetRequiredService<IAuthorizationPolicyProvider>();
             var policyEvaluator = context.RequestServices.GetRequiredService<IPolicyEvaluator>();
 
+            if (!AuthorizationOptionsExtensions.CheckPlatformInternal(context, allowAppServiceInternal: false))
+            {
+                return false;
+            }
+
             var policy = await authorizationPolicyProvider.GetPolicyAsync(PolicyNames.AdminAuthLevel);
             var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);
 

src/WebJobs.Script.WebHost/Security/Authorization/Policies/AuthorizationOptionsExtensions.cs

@@ -22,6 +22,18 @@ public static void AddScriptPolicies(this AuthorizationOptions options)
             {
                 p.AddScriptAuthenticationSchemes();
                 p.AddRequirements(new AuthLevelRequirement(AuthorizationLevel.Admin));
+                p.RequireAssertion(c =>
+                {
+                    if (c.Resource is AuthorizationFilterContext filterContext)
+                    {
+                        if (!CheckPlatformInternal(filterContext.HttpContext, allowAppServiceInternal: false))
+                        {
+                            return false;
+                        }
+                    }
+
+                    return true;
+                });
             });
 
             options.AddPolicy(PolicyNames.SystemAuthLevel, p =>
@@ -37,6 +49,11 @@ public static void AddScriptPolicies(this AuthorizationOptions options)
                 {
                     if (c.Resource is AuthorizationFilterContext filterContext)
                     {
+                        if (!CheckPlatformInternal(filterContext.HttpContext, allowAppServiceInternal: true))
+                        {
+                            return false;
+                        }
+
                         if (filterContext.HttpContext.Request.IsAppServiceInternalRequest())
                         {
                             return true;
@@ -96,5 +113,20 @@ private static void AddScriptAuthenticationSchemes(this AuthorizationPolicyBuild
             builder.AuthenticationSchemes.Add(AuthLevelAuthenticationDefaults.AuthenticationScheme);
             builder.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
         }
+
+        internal static bool CheckPlatformInternal(HttpContext httpContext, bool allowAppServiceInternal)
+        {
+            // when AdminIsolation is enabled, verify the request is platform internal
+            var environment = httpContext.RequestServices.GetRequiredService<IEnvironment>();
+            if (environment.IsAdminIsolationEnabled() &&
+                !(httpContext.Request.IsPlatformInternalRequest(environment) || (allowAppServiceInternal && httpContext.Request.IsAppServiceInternalRequest())))
+            {
+                // request must either be granted PlatformInternal by FrontEnd, or must be an internal
+                // request that has bypassed FrontEnd
+                return false;
+            }
+
+            return true;
+        }
     }
 }

src/WebJobs.Script/Environment/EnvironmentExtensions.cs

@@ -45,6 +45,11 @@ public static bool IsRuntimeScaleMonitoringEnabled(this IEnvironment environment
             return environment.GetEnvironmentVariable(FunctionsRuntimeScaleMonitoringEnabled) == "1";
         }
 
+        public static bool IsAdminIsolationEnabled(this IEnvironment environment)
+        {
+            return environment.GetEnvironmentVariable(FunctionsAdminIsolationEnabled) == "1";
+        }
+
         public static bool IsEasyAuthEnabled(this IEnvironment environment)
         {
             bool.TryParse(environment.GetEnvironmentVariable(EasyAuthEnabled), out bool isEasyAuthEnabled);

src/WebJobs.Script/Environment/EnvironmentSettingNames.cs

@@ -52,6 +52,7 @@ public static class EnvironmentSettingNames
         public const string AzureFilesContentShare = "WEBSITE_CONTENTSHARE";
         public const string AzureWebsiteRuntimeSiteName = "WEBSITE_DEPLOYMENT_ID";
         public const string FunctionsRuntimeScaleMonitoringEnabled = "FUNCTIONS_RUNTIME_SCALE_MONITORING_ENABLED";
+        public const string FunctionsAdminIsolationEnabled = "FUNCTIONS_ADMIN_ISOLATION_ENABLED";
         public const string AzureWebsiteStartupContextCache = "WEBSITE_FUNCTIONS_STARTUPCONTEXT_CACHE";
         public const string AzureWebJobsFeatureFlags = "AzureWebJobsFeatureFlags";
         public const string CloudName = "WEBSITE_CLOUD_NAME";

src/WebJobs.Script/Extensions/HttpRequestExtensions.cs

@@ -13,6 +13,7 @@
 using Microsoft.AspNetCore.Http.Extensions;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Primitives;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
@@ -78,7 +79,7 @@ public static TValue GetItemOrDefault<TValue>(this HttpRequest request, string k
 
         public static bool IsAppServiceInternalRequest(this HttpRequest request, IEnvironment environment = null)
         {
-            environment = environment ?? SystemEnvironment.Instance;
+            environment = GetEnvironment(request, environment);
             if (!environment.IsAppService())
             {
                 return false;
@@ -90,6 +91,24 @@ public static bool IsAppServiceInternalRequest(this HttpRequest request, IEnviro
             return !request.Headers.Keys.Contains(ScriptConstants.AntaresLogIdHeaderName);
         }
 
+        public static bool IsPlatformInternalRequest(this HttpRequest request, IEnvironment environment = null)
+        {
+            environment = GetEnvironment(request, environment);
+            if (!environment.IsAppService())
+            {
+                return false;
+            }
+
+            var header = request.Headers[ScriptConstants.AntaresPlatformInternal];
+            string value = header.FirstOrDefault();
+            return string.Compare(value, "true", StringComparison.OrdinalIgnoreCase) == 0;
+        }
+
+        private static IEnvironment GetEnvironment(HttpRequest request, IEnvironment environment = null)
+        {
+            return environment ?? request.HttpContext.RequestServices?.GetService<IEnvironment>() ?? SystemEnvironment.Instance;
+        }
+
         public static bool IsColdStart(this HttpRequest request)
         {
             return !string.IsNullOrEmpty(request.GetHeaderValueOrDefault(ScriptConstants.AntaresColdStartHeaderName));

src/WebJobs.Script/ScriptConstants.cs

@@ -97,6 +97,7 @@ public static class ScriptConstants
         public const string AntaresColdStartHeaderName = "X-MS-COLDSTART";
         public const string SiteTokenHeaderName = "x-ms-site-restricted-token";
         public const string EasyAuthIdentityHeader = "x-ms-client-principal";
+        public const string AntaresPlatformInternal = "x-ms-platform-internal";
         public const string AzureVersionHeader = "x-ms-version";
         public const string XIdentityHeader = "X-IDENTITY-HEADER";
         public const string DynamicSku = "Dynamic";

test/WebJobs.Script.Tests.Integration/TestFunctionHost.cs

@@ -168,6 +168,14 @@ public TestFunctionHost(string scriptPath, string logPath,
             HttpClient = _testServer.CreateClient();
             HttpClient.Timeout = TimeSpan.FromMinutes(5);
 
+            var environment = _testServer.Services.GetService<IEnvironment>();
+            if (environment.IsAppService())
+            {
+                // host is configured to simulate an AppService environment
+                // all normal requests will go through the Antares FrontEnd and receive this header
+                HttpClient.DefaultRequestHeaders.Add(ScriptConstants.AntaresLogIdHeaderName, "xyz");
+            }
+
             var manager = _testServer.Host.Services.GetService<IScriptHostManager>();
             _hostService = manager as WebJobsScriptHostService;
 
@@ -205,6 +213,17 @@ public TestFunctionHost(string scriptPath, string logPath,
 
         public HttpClient HttpClient { get; private set; }
 
+        /// <summary>
+        /// Create a new HttpClient without default test configuration.
+        /// </summary>
+        public HttpClient CreateHttpClient()
+        {
+            var httpClient = _testServer.CreateClient();
+            httpClient.Timeout = TimeSpan.FromMinutes(5);
+
+            return httpClient;
+        }
+
         public async Task<string> GetMasterKeyAsync()
         {
             if (!SecretManagerProvider.SecretsEnabled)