Changes to flow the TraceWriter into the SecretManager

Author: fabiocav

src/WebJobs.Script.WebHost/App_Start/AutofacBootstrap.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using Autofac;
+using Microsoft.Azure.WebJobs.Host;
 using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.WebHost.WebHooks;
 
@@ -13,16 +14,15 @@ internal static void Initialize(ScriptSettingsManager settingsManager, Container
         {
             builder.RegisterInstance(settingsManager);
 
-            // register the resolver so that it is disposed when the container
-            // is disposed
-            var webHostResolver = new WebHostResolver(settingsManager);
-            builder.RegisterInstance(webHostResolver);
+            builder.RegisterType<WebHostResolver>().SingleInstance();
 
             // these services are externally owned by the WebHostResolver, and will be disposed
             // when the resolver is disposed
-            builder.Register<ISecretManager>(ct => webHostResolver.GetSecretManager(settings)).ExternallyOwned();
-            builder.Register<WebScriptHostManager>(ct => webHostResolver.GetWebScriptHostManager(settings)).ExternallyOwned();
-            builder.Register<WebHookReceiverManager>(ct => webHostResolver.GetWebHookReceiverManager(settings)).ExternallyOwned();
+            builder.RegisterType<DefaultSecretManagerFactory>().As<ISecretManagerFactory>().SingleInstance();
+            builder.Register<TraceWriter>(ct => ct.ResolveOptional<WebScriptHostManager>()?.Instance?.TraceWriter ?? NullTraceWriter.Instance).ExternallyOwned();
+            builder.Register<ISecretManager>(ct => ct.Resolve<WebHostResolver>().GetSecretManager(settings)).ExternallyOwned();
+            builder.Register<WebScriptHostManager>(ct => ct.Resolve<WebHostResolver>().GetWebScriptHostManager(settings)).ExternallyOwned();
+            builder.Register<WebHookReceiverManager>(ct => ct.Resolve<WebHostResolver>().GetWebHookReceiverManager(settings)).ExternallyOwned();
         }
     }
 }

src/WebJobs.Script.WebHost/App_Start/WebHostResolver.cs

@@ -16,21 +16,21 @@ public sealed class WebHostResolver : IDisposable
     {
         private static object _syncLock = new object();
 
+        private readonly ISecretManagerFactory _secretManagerFactory;
         private ScriptHostConfiguration _standbyScriptHostConfig;
         private WebScriptHostManager _standbyHostManager;
-        private ISecretManager _standbySecretManager;
         private WebHookReceiverManager _standbyReceiverManager;
 
         private ScriptHostConfiguration _activeScriptHostConfig;
         private WebScriptHostManager _activeHostManager;
-        private ISecretManager _activeSecretManager;
         private WebHookReceiverManager _activeReceiverManager;
 
         private static ScriptSettingsManager _settingsManager;
 
-        public WebHostResolver(ScriptSettingsManager settingsManager)
+        public WebHostResolver(ScriptSettingsManager settingsManager, ISecretManagerFactory secretManagerFactory)
         {
             _settingsManager = settingsManager;
+            _secretManagerFactory = secretManagerFactory;
         }
 
         public ScriptHostConfiguration GetScriptHostConfiguration(WebHostSettings settings)
@@ -50,17 +50,7 @@ public ScriptHostConfiguration GetScriptHostConfiguration(WebHostSettings settin
 
         public ISecretManager GetSecretManager(WebHostSettings settings)
         {
-            if (_activeSecretManager != null)
-            {
-                return _activeSecretManager;
-            }
-
-            lock (_syncLock)
-            {
-                EnsureInitialized(settings);
-
-                return _activeSecretManager ?? _standbySecretManager;
-            }
+            return GetWebScriptHostManager(settings).SecretManager;
         }
 
         public WebScriptHostManager GetWebScriptHostManager(WebHostSettings settings)
@@ -109,16 +99,14 @@ private void EnsureInitialized(WebHostSettings settings)
                     }
 
                     _activeScriptHostConfig = GetScriptHostConfiguration(settings.ScriptPath, settings.LogPath);
-                    _activeSecretManager = GetSecretManager(_settingsManager, settings.SecretsPath);
-                    _activeReceiverManager = new WebHookReceiverManager(_activeSecretManager);
-                    _activeHostManager = new WebScriptHostManager(_activeScriptHostConfig, _activeSecretManager, _settingsManager, settings);
 
-                    (_standbySecretManager as IDisposable)?.Dispose();
+                    _activeHostManager = new WebScriptHostManager(_activeScriptHostConfig, _secretManagerFactory, _settingsManager, settings);
+                    _activeReceiverManager = new WebHookReceiverManager(_activeHostManager.SecretManager);
+
                     _standbyHostManager?.Dispose();
                     _standbyReceiverManager?.Dispose();
 
                     _standbyScriptHostConfig = null;
-                    _standbySecretManager = null;
                     _standbyHostManager = null;
                     _standbyReceiverManager = null;
                     _settingsManager.Reset();
@@ -129,9 +117,9 @@ private void EnsureInitialized(WebHostSettings settings)
                 if (_standbyHostManager == null)
                 {
                     _standbyScriptHostConfig = GetScriptHostConfiguration(settings.ScriptPath, settings.LogPath);
-                    _standbySecretManager = GetSecretManager(_settingsManager, settings.SecretsPath);
-                    _standbyReceiverManager = new WebHookReceiverManager(_standbySecretManager);
-                    _standbyHostManager = new WebScriptHostManager(_standbyScriptHostConfig, _standbySecretManager, _settingsManager, settings);
+
+                    _standbyHostManager = new WebScriptHostManager(_standbyScriptHostConfig, _secretManagerFactory, _settingsManager, settings);
+                    _standbyReceiverManager = new WebHookReceiverManager(_standbyHostManager.SecretManager);
                 }
             }
         }
@@ -224,15 +212,11 @@ private static void InitializeFileSystem(string scriptPath)
             }
         }
 
-        private static ISecretManager GetSecretManager(ScriptSettingsManager settingsManager, string secretsPath) => new SecretManager(settingsManager, secretsPath);
-
         public void Dispose()
         {
-            (_standbySecretManager as IDisposable)?.Dispose();
             _standbyHostManager?.Dispose();
             _standbyReceiverManager?.Dispose();
 
-            (_activeSecretManager as IDisposable)?.Dispose();
             _activeHostManager?.Dispose();
             _activeReceiverManager?.Dispose();
         }

src/WebJobs.Script.WebHost/Controllers/KeysController.cs

@@ -3,11 +3,14 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.Linq;
 using System.Net;
 using System.Web.Http;
+using Microsoft.Azure.WebJobs.Host;
 using Microsoft.Azure.WebJobs.Script.WebHost.Filters;
 using Microsoft.Azure.WebJobs.Script.WebHost.Models;
+using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Controllers
 {
@@ -18,11 +21,13 @@ public class KeysController : ApiController
 
         private readonly WebScriptHostManager _scriptHostManager;
         private readonly ISecretManager _secretManager;
+        private readonly TraceWriter _traceWriter;
 
-        public KeysController(WebScriptHostManager scriptHostManager, ISecretManager secretManager)
+        public KeysController(WebScriptHostManager scriptHostManager, ISecretManager secretManager, TraceWriter traceWriter)
         {
             _scriptHostManager = scriptHostManager;
             _secretManager = secretManager;
+            _traceWriter = traceWriter.WithSource($"{ScriptConstants.TraceSourceSecretManagement}.Api");
         }
 
         [HttpGet]
@@ -110,6 +115,8 @@ private IHttpActionResult AddOrUpdateFunctionSecret(string keyName, string value
                 operationResult = _secretManager.AddOrUpdateFunctionSecret(keyName, value, functionName);
             }
 
+            _traceWriter.VerboseFormat(Resources.TraceKeysApiSecretChange, keyName, functionName ?? "host", operationResult.Result);
+
             switch (operationResult.Result)
             {
                 case OperationResult.Created:
@@ -146,6 +153,8 @@ private IHttpActionResult DeleteFunctionSecret(string keyName, string functionNa
                 return NotFound();
             }
 
+            _traceWriter.VerboseFormat(Resources.TraceKeysApiSecretChange, keyName, functionName ?? "host", "Deleted");
+
             return StatusCode(HttpStatusCode.NoContent);
         }
     }

src/WebJobs.Script.WebHost/GlobalSuppressions.cs

@@ -77,4 +77,9 @@
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Performance", "CA1810:InitializeReferenceTypeStaticFieldsInline", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Models.ApiModelUtility.#.cctor()")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.WebHostResolver.#GetSecretManager(Microsoft.Azure.WebJobs.Script.Settings.ScriptSettingsManager,System.String)")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.WebHostResolver.#GetSecretManager(Microsoft.Azure.WebJobs.Script.Config.ScriptSettingsManager,System.String)")]
-[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2213:DisposableFieldsShouldBeDisposed", MessageId = "_fileWatcher", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.SecretManager.#Dispose(System.Boolean)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2213:DisposableFieldsShouldBeDisposed", MessageId = "_fileWatcher", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.SecretManager.#Dispose(System.Boolean)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.DefaultSecretManagerFactory.#Create(Microsoft.Azure.WebJobs.Script.Config.ScriptSettingsManager,Microsoft.Azure.WebJobs.Host.TraceWriter,System.String)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2214:DoNotCallOverridableMethodsInConstructors", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.SecretManager.#.ctor(System.String,Microsoft.Azure.WebJobs.Script.WebHost.IKeyValueConverterFactory,Microsoft.Azure.WebJobs.Host.TraceWriter,System.Boolean)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2213:DisposableFieldsShouldBeDisposed", MessageId = "_httpRoutes", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.WebScriptHostManager.#Dispose(System.Boolean)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2213:DisposableFieldsShouldBeDisposed", MessageId = "_metricsLogger", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.WebScriptHostManager.#Dispose(System.Boolean)")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2213:DisposableFieldsShouldBeDisposed", MessageId = "_httpConfiguration", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.WebHooks.WebHookReceiverManager.#Dispose(System.Boolean)")]

src/WebJobs.Script.WebHost/Properties/Resources.Designer.cs

@@ -259,4 +259,28 @@
     ]
 }</value>
   </data>
+  <data name="TraceAddOrUpdateFunctionSecret" xml:space="preserve">
+    <value>{0} secret '{1}' for '{2}' {3}.</value>
+  </data>
+  <data name="TraceFunctionSecretGeneration" xml:space="preserve">
+    <value>Function ('{0}') secrets do not exist. Generating secrets.</value>
+  </data>
+  <data name="TraceHostSecretGeneration" xml:space="preserve">
+    <value>Host secrets do not exist. Generating secrets.</value>
+  </data>
+  <data name="TraceKeysApiSecretChange" xml:space="preserve">
+    <value>Secret '{0}' for '{1}' {2}.</value>
+  </data>
+  <data name="TraceMasterKeyCreatedOrUpdated" xml:space="preserve">
+    <value>Master key {0}</value>
+  </data>
+  <data name="TraceSecretDeleted" xml:space="preserve">
+    <value>{0} secret '{1}' deleted.</value>
+  </data>
+  <data name="TraceStaleFunctionSecretRefresh" xml:space="preserve">
+    <value>Stale function ('{0}') secrets detected. Refreshing secrets.</value>
+  </data>
+  <data name="TraceStaleHostSecretRefresh" xml:space="preserve">
+    <value>Stale host secrets detected. Refreshing secrets.</value>
+  </data>
 </root>

src/WebJobs.Script.WebHost/Properties/Resources.resx

@@ -0,0 +1,19 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Azure.WebJobs.Host;
+using Microsoft.Azure.WebJobs.Script.Config;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    public sealed class DefaultSecretManagerFactory : ISecretManagerFactory
+    {
+        public ISecretManager Create(ScriptSettingsManager settingsManager, TraceWriter traceWriter, string secretsPath)
+            => new SecretManager(settingsManager, secretsPath, traceWriter);
+    }
+}

src/WebJobs.Script.WebHost/Security/DefaultSecretManagerFactory.cs

@@ -0,0 +1,14 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Azure.WebJobs.Host;
+using Microsoft.Azure.WebJobs.Script.Config;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    public interface ISecretManagerFactory
+    {
+        ISecretManager Create(ScriptSettingsManager settingsManager, TraceWriter traceWriter, string secretsPath);
+    }
+}