Reset cached secrets on SyncTriggers (#7698) (#7947)

Author: mathewc

src/WebJobs.Script.WebHost/Management/FunctionsSyncManager.cs

@@ -183,6 +183,31 @@ private void PrepareSyncTriggers()
             _secretManagerProvider.Current.ClearCache();
         }
 
+        /// <summary>
+        /// SyncTriggers is performed whenever deployments or other changes are made to the application.
+        /// There are some operations we want to perform whenever this happens.
+        /// </summary>
+        private void PrepareSyncTriggers()
+        {
+            // We clear cache to ensure that secrets are reloaded. This is important because secrets are part
+            // of the StartupContext payload (see StartupContextProvider) and that payload comes from the
+            // SyncTriggers operation. So there's a chicken and egg situation here. Consider the following scenario:
+            //   - app is using blob storage for keys
+            //   - a SyncTriggers operation has happened previously and the StartupContext has key info
+            //   - app instances initialize keys from StartupContext (keys aren't loaded from storage)
+            //   - user updates the app to use a new storage account
+            //   - a SyncTriggers operation is performed
+            //   - the app initializes from StartupContext, and **previous old key info is loaded**
+            //   - the SyncTriggers operation uses this old key info, so trigger cache is never updated with new key info
+            //   - Portal/ARM APIs will continue to show old key info.
+            // By clearing cache, we ensure that this host instance reloads keys when they're requested, and the SyncTriggers
+            // operation will contain current keys.
+            if (_secretManagerProvider.SecretsEnabled)
+            {
+                _secretManagerProvider.Current.ClearCache();
+            }
+        }
+
         internal static bool IsSyncTriggersEnvironment(IScriptWebHostEnvironment webHostEnvironment, IEnvironment environment)
         {
             if (environment.IsCoreTools())
@@ -339,45 +364,48 @@ public async Task<SyncTriggersPayload> GetSyncTriggersPayload()
                 }
             }
 
-            // Add functions secrets to the payload
-            // Only secret types we own/control can we cache directly
-            // Encryption is handled by Antares before storage
-            var secretsStorageType = _environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsSecretStorageType);
-            if (string.IsNullOrEmpty(secretsStorageType) ||
-                string.Compare(secretsStorageType, "files", StringComparison.OrdinalIgnoreCase) == 0 ||
-                string.Compare(secretsStorageType, "blob", StringComparison.OrdinalIgnoreCase) == 0)
+            if (_secretManagerProvider.SecretsEnabled)
             {
-                var functionAppSecrets = new FunctionAppSecrets();
-
-                // add host secrets
-                var hostSecretsInfo = await _secretManagerProvider.Current.GetHostSecretsAsync();
-                functionAppSecrets.Host = new FunctionAppSecrets.HostSecrets
+                // Add functions secrets to the payload
+                // Only secret types we own/control can we cache directly
+                // Encryption is handled by Antares before storage
+                var secretsStorageType = _environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsSecretStorageType);
+                if (string.IsNullOrEmpty(secretsStorageType) ||
+                    string.Compare(secretsStorageType, "files", StringComparison.OrdinalIgnoreCase) == 0 ||
+                    string.Compare(secretsStorageType, "blob", StringComparison.OrdinalIgnoreCase) == 0)
                 {
-                    Master = hostSecretsInfo.MasterKey,
-                    Function = hostSecretsInfo.FunctionKeys,
-                    System = hostSecretsInfo.SystemKeys
-                };
+                    var functionAppSecrets = new FunctionAppSecrets();
 
-                // add function secrets
-                var httpFunctions = functionsMetadata.Where(p => !p.IsProxy() && p.InputBindings.Any(q => q.IsTrigger && string.Compare(q.Type, "httptrigger", StringComparison.OrdinalIgnoreCase) == 0)).Select(p => p.Name).ToArray();
-                functionAppSecrets.Function = new FunctionAppSecrets.FunctionSecrets[httpFunctions.Length];
-                for (int i = 0; i < httpFunctions.Length; i++)
-                {
-                    var currFunctionName = httpFunctions[i];
-                    var currSecrets = await _secretManagerProvider.Current.GetFunctionSecretsAsync(currFunctionName);
-                    functionAppSecrets.Function[i] = new FunctionAppSecrets.FunctionSecrets
+                    // add host secrets
+                    var hostSecretsInfo = await _secretManagerProvider.Current.GetHostSecretsAsync();
+                    functionAppSecrets.Host = new FunctionAppSecrets.HostSecrets
                     {
-                        Name = currFunctionName,
-                        Secrets = currSecrets
+                        Master = hostSecretsInfo.MasterKey,
+                        Function = hostSecretsInfo.FunctionKeys,
+                        System = hostSecretsInfo.SystemKeys
                     };
-                }
 
-                result.Add("secrets", JObject.FromObject(functionAppSecrets));
-            }
-            else
-            {
-                // TODO: handle other external key storage types
-                // like KeyVault when the feature comes online
+                    // add function secrets
+                    var httpFunctions = functionsMetadata.Where(p => !p.IsProxy() && p.InputBindings.Any(q => q.IsTrigger && string.Compare(q.Type, "httptrigger", StringComparison.OrdinalIgnoreCase) == 0)).Select(p => p.Name).ToArray();
+                    functionAppSecrets.Function = new FunctionAppSecrets.FunctionSecrets[httpFunctions.Length];
+                    for (int i = 0; i < httpFunctions.Length; i++)
+                    {
+                        var currFunctionName = httpFunctions[i];
+                        var currSecrets = await _secretManagerProvider.Current.GetFunctionSecretsAsync(currFunctionName);
+                        functionAppSecrets.Function[i] = new FunctionAppSecrets.FunctionSecrets
+                        {
+                            Name = currFunctionName,
+                            Secrets = currSecrets
+                        };
+                    }
+
+                    result.Add("secrets", JObject.FromObject(functionAppSecrets));
+                }
+                else
+                {
+                    // TODO: handle other external key storage types
+                    // like KeyVault when the feature comes online
+                }
             }
 
             string json = JsonConvert.SerializeObject(result);

src/WebJobs.Script.WebHost/Security/KeyManagement/DefaultSecretManagerProvider.cs

@@ -26,6 +26,7 @@ public sealed class DefaultSecretManagerProvider : ISecretManagerProvider
         private readonly StartupContextProvider _startupContextProvider;
         private readonly IAzureStorageProvider _azureStorageProvider;
         private Lazy<ISecretManager> _secretManagerLazy;
+        private Lazy<bool> _secretsEnabledLazy;
 
         public DefaultSecretManagerProvider(IOptionsMonitor<ScriptApplicationHostOptions> options, IHostIdProvider hostIdProvider,
             IConfiguration configuration, IEnvironment environment, ILoggerFactory loggerFactory, IMetricsLogger metricsLogger, HostNameProvider hostNameProvider, StartupContextProvider startupContextProvider, IAzureStorageProvider azureStorageProvider)
@@ -45,74 +46,146 @@ public DefaultSecretManagerProvider(IOptionsMonitor<ScriptApplicationHostOptions
             _loggerFactory = loggerFactory;
             _metricsLogger = metricsLogger ?? throw new ArgumentNullException(nameof(metricsLogger));
             _secretManagerLazy = new Lazy<ISecretManager>(Create);
+            _secretsEnabledLazy = new Lazy<bool>(GetSecretsEnabled);
 
             // When these options change (due to specialization), we need to reset the secret manager.
             options.OnChange(_ => ResetSecretManager());
 
             _azureStorageProvider = azureStorageProvider;
         }
 
+        public bool SecretsEnabled
+        {
+            get
+            {
+                if (_secretManagerLazy.IsValueCreated)
+                {
+                    return true;
+                }
+                return _secretsEnabledLazy.Value;
+            }
+        }
+
         public ISecretManager Current => _secretManagerLazy.Value;
 
-        private void ResetSecretManager() => Interlocked.Exchange(ref _secretManagerLazy, new Lazy<ISecretManager>(Create));
+        private void ResetSecretManager()
+        {
+            Interlocked.Exchange(ref _secretsEnabledLazy, new Lazy<bool>(GetSecretsEnabled));
+            Interlocked.Exchange(ref _secretManagerLazy, new Lazy<ISecretManager>(Create));
+        }
 
         private ISecretManager Create() => new SecretManager(CreateSecretsRepository(), _loggerFactory.CreateLogger<SecretManager>(), _metricsLogger, _hostNameProvider, _startupContextProvider);
 
         internal ISecretsRepository CreateSecretsRepository()
         {
-            ISecretsRepository repository;
+            ISecretsRepository repository = null;
+
+            if (TryGetSecretsRepositoryType(out Type repositoryType))
+            {
+                if (repositoryType == typeof(FileSystemSecretsRepository))
+                {
+                    repository = new FileSystemSecretsRepository(_options.CurrentValue.SecretsPath, _loggerFactory.CreateLogger<FileSystemSecretsRepository>(), _environment);
+                }
+                else if (repositoryType == typeof(KeyVaultSecretsRepository))
+                {
+                    string azureWebJobsSecretStorageKeyVaultName = Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsSecretStorageKeyVaultName);
+                    string azureWebJobsSecretStorageKeyVaultConnectionString = Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsSecretStorageKeyVaultConnectionString);
+
+                    repository = new KeyVaultSecretsRepository(Path.Combine(_options.CurrentValue.SecretsPath, "Sentinels"),
+                                                               azureWebJobsSecretStorageKeyVaultName,
+                                                               azureWebJobsSecretStorageKeyVaultConnectionString,
+                                                               _loggerFactory.CreateLogger<KeyVaultSecretsRepository>(),
+                                                               _environment);
+                }
+                else if (repositoryType == typeof(KubernetesSecretsRepository))
+                {
+                    repository = new KubernetesSecretsRepository(_environment, new SimpleKubernetesClient(_environment, _loggerFactory.CreateLogger<SimpleKubernetesClient>()));
+                }
+                else if (repositoryType == typeof(BlobStorageSasSecretsRepository))
+                {
+                    string secretStorageSas = _environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsSecretStorageSas);
+                    string siteSlotName = _environment.GetAzureWebsiteUniqueSlotName() ?? _hostIdProvider.GetHostIdAsync(CancellationToken.None).GetAwaiter().GetResult();
+                    repository = new BlobStorageSasSecretsRepository(Path.Combine(_options.CurrentValue.SecretsPath, "Sentinels"),
+                                                                     secretStorageSas,
+                                                                     siteSlotName,
+                                                                     _loggerFactory.CreateLogger<BlobStorageSasSecretsRepository>(),
+                                                                     _environment,
+                                                                     _azureStorageProvider);
+                }
+                else if (repositoryType == typeof(BlobStorageSecretsRepository))
+                {
+                    string siteSlotName = _environment.GetAzureWebsiteUniqueSlotName() ?? _hostIdProvider.GetHostIdAsync(CancellationToken.None).GetAwaiter().GetResult();
+                    repository = new BlobStorageSecretsRepository(Path.Combine(_options.CurrentValue.SecretsPath, "Sentinels"),
+                                                                  ConnectionStringNames.Storage,
+                                                                  siteSlotName,
+                                                                  _loggerFactory.CreateLogger<BlobStorageSecretsRepository>(),
+                                                                  _environment,
+                                                                  _azureStorageProvider);
+                }
+            }
+
+            if (repository == null)
+            {
+                throw new InvalidOperationException($"Secret initialization from Blob storage failed due to missing both an Azure Storage connection string and a SAS connection uri. " +
+                    $"For Blob Storage, please provide at least one of these. If you intend to use files for secrets, add an App Setting key '{EnvironmentSettingNames.AzureWebJobsSecretStorageType}' with value '{FileStorage}'.");
+            }
+
+            ILogger logger = _loggerFactory.CreateLogger<DefaultSecretManagerProvider>();
+            logger.LogInformation("Resolved secret storage provider {provider}", repository.Name);
 
+            return repository;
+        }
+
+        /// <summary>
+        /// Determines the repository Type to use based on configured settings.
+        /// </summary>
+        /// <remarks>
+        /// For scenarios where the app isn't configured for key storage (e.g. no AzureWebJobsSecretStorageType explicitly configured,
+        /// no storage connection string for default blob storage, etc.). Note that it's still possible for the creation of the repository
+        /// to fail due to invalid values. This method just does preliminary config checks to determine the Type.
+        /// </remarks>
+        /// <param name="repositoryType">The repository Type or null.</param>
+        /// <returns>True if a Type was determined, false otherwise.</returns>
+        internal bool TryGetSecretsRepositoryType(out Type repositoryType)
+        {
             string secretStorageType = Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsSecretStorageType);
             string secretStorageSas = _environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsSecretStorageSas);
 
             if (secretStorageType != null && secretStorageType.Equals(FileStorage, StringComparison.OrdinalIgnoreCase))
             {
-                repository = new FileSystemSecretsRepository(_options.CurrentValue.SecretsPath, _loggerFactory.CreateLogger<FileSystemSecretsRepository>(), _environment);
+                repositoryType = typeof(FileSystemSecretsRepository);
+                return true;
             }
             else if (secretStorageType != null && secretStorageType.Equals("keyvault", StringComparison.OrdinalIgnoreCase))
             {
-                string azureWebJobsSecretStorageKeyVaultName = Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsSecretStorageKeyVaultName);
-                string azureWebJobsSecretStorageKeyVaultConnectionString = Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsSecretStorageKeyVaultConnectionString);
-
-                repository = new KeyVaultSecretsRepository(Path.Combine(_options.CurrentValue.SecretsPath, "Sentinels"),
-                                                           azureWebJobsSecretStorageKeyVaultName,
-                                                           azureWebJobsSecretStorageKeyVaultConnectionString,
-                                                           _loggerFactory.CreateLogger<KeyVaultSecretsRepository>(),
-                                                           _environment);
+                repositoryType = typeof(KeyVaultSecretsRepository);
+                return true;
             }
             else if (secretStorageType != null && secretStorageType.Equals("kubernetes", StringComparison.OrdinalIgnoreCase))
             {
-                repository = new KubernetesSecretsRepository(_environment, new SimpleKubernetesClient(_environment, _loggerFactory.CreateLogger<SimpleKubernetesClient>()));
+                repositoryType = typeof(KubernetesSecretsRepository);
+                return true;
             }
             else if (secretStorageSas != null)
             {
-                string siteSlotName = _environment.GetAzureWebsiteUniqueSlotName() ?? _hostIdProvider.GetHostIdAsync(CancellationToken.None).GetAwaiter().GetResult();
-                repository = new BlobStorageSasSecretsRepository(Path.Combine(_options.CurrentValue.SecretsPath, "Sentinels"),
-                                                                 secretStorageSas,
-                                                                 siteSlotName,
-                                                                 _loggerFactory.CreateLogger<BlobStorageSasSecretsRepository>(),
-                                                                 _environment,
-                                                                 _azureStorageProvider);
+                repositoryType = typeof(BlobStorageSasSecretsRepository);
+                return true;
             }
             else if (_azureStorageProvider.ConnectionExists(ConnectionStringNames.Storage))
             {
-                string siteSlotName = _environment.GetAzureWebsiteUniqueSlotName() ?? _hostIdProvider.GetHostIdAsync(CancellationToken.None).GetAwaiter().GetResult();
-                repository = new BlobStorageSecretsRepository(Path.Combine(_options.CurrentValue.SecretsPath, "Sentinels"),
-                                                              ConnectionStringNames.Storage,
-                                                              siteSlotName,
-                                                              _loggerFactory.CreateLogger<BlobStorageSecretsRepository>(),
-                                                              _environment,
-                                                              _azureStorageProvider);
+                repositoryType = typeof(BlobStorageSecretsRepository);
+                return true;
             }
             else
             {
-                throw new InvalidOperationException($"Secret initialization from Blob storage failed due to missing both an Azure Storage connection string and a SAS connection uri. " +
-                    $"For Blob Storage, please provide at least one of these. If you intend to use files for secrets, add an App Setting key '{EnvironmentSettingNames.AzureWebJobsSecretStorageType}' with value '{FileStorage}'.");
+                repositoryType = null;
+                return false;
             }
+        }
 
-            ILogger logger = _loggerFactory.CreateLogger<DefaultSecretManagerProvider>();
-            logger.LogInformation("Resolved secret storage provider {provider}", repository.Name);
-            return repository;
+        internal bool GetSecretsEnabled()
+        {
+            return TryGetSecretsRepositoryType(out _);
         }
     }
 }

src/WebJobs.Script.WebHost/Security/KeyManagement/ISecretManagerProvider.cs

@@ -5,6 +5,14 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost
 {
     public interface ISecretManagerProvider
     {
+        /// <summary>
+        /// Gets a value indicating whether we're configured to use secrets.
+        /// </summary>
+        bool SecretsEnabled { get; }
+
+        /// <summary>
+        /// Gets or creates the <see cref="ISecretManager"./>
+        /// </summary>
         ISecretManager Current { get; }
     }
 }