[Port V2]: Adding additional logs for secrets regen. Fixes #4879

alrod · alrod · commit af163837baeb · 2019-09-30T12:49:36.000-07:00
diff --git a/src/WebJobs.Script.WebHost/Security/ScriptSecrets.cs b/src/WebJobs.Script.WebHost/Security/ScriptSecrets.cs
@@ -36,6 +36,9 @@ protected ScriptSecrets()
         [JsonProperty(PropertyName = "source")]
         public string Source { get; set; }
 
+        [JsonProperty(PropertyName = "decryptionKeyId")]
+        public string DecryptionKeyId { get; set; }
+
         protected abstract ICollection<Key> GetKeys(string keyScope);
 
         public abstract ScriptSecrets Refresh(IKeyValueConverterFactory factory);
diff --git a/src/WebJobs.Script.WebHost/Security/SecretManager.cs b/src/WebJobs.Script.WebHost/Security/SecretManager.cs
@@ -8,12 +8,14 @@
 using System.IO;
 using System.Linq;
 using System.Security.Cryptography;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Azure.WebJobs.Host;
 using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
 using Microsoft.Extensions.Logging;
+using DataProtectionCostants = Microsoft.Azure.Web.DataProtection.Constants;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost
 {
@@ -466,7 +468,6 @@ private async Task PersistSecretsAsync<T>(T secrets, string keyScope = null, boo
             }
 
             ScriptSecretsType secretsType = secrets.SecretsType;
-            string secretsContent = ScriptSecretSerializer.SerializeSecrets<T>(secrets);
             if (isNonDecryptable)
             {
                 string[] secretBackups = await _repository.GetSecretSnapshots(secrets.SecretsType, keyScope);
@@ -479,11 +480,18 @@ private async Task PersistSecretsAsync<T>(T secrets, string keyScope = null, boo
                     _logger?.LogInformation(message);
                     throw new InvalidOperationException(message);
                 }
-                await _repository.WriteSnapshotAsync(secretsType, keyScope, secretsContent);
+                await _repository.WriteSnapshotAsync(secretsType, keyScope, ScriptSecretSerializer.SerializeSecrets<T>(secrets));
             }
             else
             {
-                await _repository.WriteAsync(secretsType, keyScope, secretsContent);
+                // We want to store encryption keys hashes to investigate sudden regenerations
+                string hashes = GetEncryptionKeysHashes();
+                secrets.DecryptionKeyId = hashes;
+                string message = $"Encription keys hashes: {hashes}";
+                _traceWriter.Info(message);
+                _logger?.LogInformation(message);
+
+                await _repository.WriteAsync(secretsType, keyScope, ScriptSecretSerializer.SerializeSecrets<T>(secrets));
             }
         }
 
@@ -580,5 +588,31 @@ public async Task PurgeOldSecretsAsync(string rootScriptPath, TraceWriter traceW
 
             await _repository.PurgeOldSecretsAsync(currentFunctions, traceWriter, logger);
         }
+
+        private static string GetEncryptionKeysHashes()
+        {
+            string result = string.Empty;
+            string azureWebsiteLocalEncryptionKey = Environment.GetEnvironmentVariable(DataProtectionCostants.AzureWebsiteLocalEncryptionKey) ?? string.Empty;
+            using (SHA256Managed hash = new SHA256Managed())
+            {
+
+                if (!string.IsNullOrEmpty(azureWebsiteLocalEncryptionKey))
+                {
+                    byte[] hashBytes = hash.ComputeHash(Encoding.UTF8.GetBytes(azureWebsiteLocalEncryptionKey));
+                    string azureWebsiteLocalEncryptionKeyHash = Convert.ToBase64String(hashBytes);
+                    result += $"{DataProtectionCostants.AzureWebsiteLocalEncryptionKey}={azureWebsiteLocalEncryptionKeyHash};";
+                }
+
+                string azureWebsiteEnvironmentMachineKey = Environment.GetEnvironmentVariable(DataProtectionCostants.AzureWebsiteEnvironmentMachineKey) ?? string.Empty;
+                if (!string.IsNullOrEmpty(azureWebsiteEnvironmentMachineKey))
+                {
+                    byte[] hashBytes = hash.ComputeHash(Encoding.UTF8.GetBytes(azureWebsiteEnvironmentMachineKey));
+                    string azureWebsiteEnvironmentMachineKeyHash = Convert.ToBase64String(hashBytes);
+                    result += $"{DataProtectionCostants.AzureWebsiteEnvironmentMachineKey}={azureWebsiteEnvironmentMachineKeyHash};";
+                }
+
+                return result;
+            }
+        }
     }
 }
