Adding HIS Enforcement feature flags and metrics logging (#9872)

Author: mathewc

src/WebJobs.Script.WebHost/Controllers/KeysController.cs

@@ -23,8 +23,6 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost.Controllers
     [ResourceContainsSecrets]
     public class KeysController : Controller
     {
-        private const string MasterKeyName = "_master";
-
         private static readonly Lazy<Dictionary<string, string>> EmptyKeys = new Lazy<Dictionary<string, string>>(() => new Dictionary<string, string>());
         private readonly ISecretManagerProvider _secretManagerProvider;
         private readonly ILogger _logger;
@@ -187,7 +185,7 @@ private async Task<IActionResult> AddOrUpdateSecretAsync(string keyName, string
             }
 
             KeyOperationResult operationResult;
-            if (secretsType == ScriptSecretsType.Host && string.Equals(keyName, MasterKeyName, StringComparison.OrdinalIgnoreCase))
+            if (secretsType == ScriptSecretsType.Host && string.Equals(keyName, ScriptConstants.MasterKeyName, StringComparison.OrdinalIgnoreCase))
             {
                 operationResult = await _secretManagerProvider.Current.SetMasterKeyAsync(value);
             }
@@ -216,6 +214,8 @@ private async Task<IActionResult> AddOrUpdateSecretAsync(string keyName, string
                     return NotFound();
                 case OperationResult.Conflict:
                     return StatusCode(StatusCodes.Status409Conflict);
+                case OperationResult.BadRequest:
+                    return StatusCode(StatusCodes.Status400BadRequest);
                 default:
                     return StatusCode(StatusCodes.Status500InternalServerError);
             }
@@ -237,7 +237,7 @@ private async Task<Dictionary<string, string>> GetHostSecretsByScope(string secr
                 {
                     keys = new Dictionary<string, string>(keys)
                     {
-                        { MasterKeyName, hostSecrets.MasterKey }
+                        { ScriptConstants.MasterKeyName, hostSecrets.MasterKey }
                     };
                 }
 
@@ -276,7 +276,7 @@ private async Task<IActionResult> DeleteFunctionSecretAsync(string keyName, stri
 
         internal bool IsBuiltInSystemKeyName(string keyName)
         {
-            if (keyName.Equals(MasterKeyName, StringComparison.OrdinalIgnoreCase))
+            if (keyName.Equals(ScriptConstants.MasterKeyName, StringComparison.OrdinalIgnoreCase))
             {
                 return true;
             }

src/WebJobs.Script.WebHost/Diagnostics/Extensions/ScriptHostServiceLoggerExtension.cs

@@ -333,7 +333,7 @@ public static void ScriptHostServiceRestartCanceledByRuntime(this ILogger logger
         public static void LogHostInitializationSettings(this ILogger logger, string originalFunctionWorkerRuntime, string functionWorkerRuntime,
             string originalFunctionWorkerRuntimeVersion, string functionsWorkerRuntimeVersion, string functionExtensionVersion, string hostDirectory,
             bool inStandbyMode, bool hasBeenSpecialized, bool usePlaceholderDotNetIsolated, string websiteSku, string featureFlags,
-            IDictionary<string, string> hostingConfig)
+            IDictionary<string, string> hostingConfig, string hisMode)
         {
             // This is a dump of values for telemetry right now, but eventually we will refactor this
             // into a proper Options object
@@ -350,7 +350,8 @@ public static void LogHostInitializationSettings(this ILogger logger, string ori
                 UsePlaceholderDotNetIsolated = usePlaceholderDotNetIsolated,
                 WebSiteSku = websiteSku,
                 FeatureFlags = featureFlags,
-                HostingConfig = hostingConfig
+                HostingConfig = hostingConfig,
+                HISMode = hisMode
             };
 
             var options = new JsonSerializerOptions { WriteIndented = true };

src/WebJobs.Script.WebHost/OperationResult.cs

@@ -10,6 +10,7 @@ public enum OperationResult
         Created,
         Updated,
         NotFound,
-        Conflict
+        Conflict,
+        BadRequest
     }
 }

src/WebJobs.Script.WebHost/Properties/Resources.Designer.cs

@@ -283,6 +283,9 @@
   <data name="HostSpecializationTrace" xml:space="preserve">
     <value>Starting host specialization</value>
   </data>
+  <data name="NonHISSecret" xml:space="preserve">
+    <value>A non highly-identifiable secret has been loaded by the application: (KeyType:{0}, KeyName:{1}, FunctionName:{2}).</value>
+  </data>
   <data name="TraceAddOrUpdateFunctionSecret" xml:space="preserve">
     <value>{0} secret '{1}' for '{2}' {3}.</value>
   </data>

src/WebJobs.Script.WebHost/Properties/Resources.resx

@@ -11,14 +11,13 @@
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
-using DryIoc;
-using Microsoft.Azure.Web.DataProtection;
 using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.Diagnostics;
 using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
-using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
+using static Microsoft.Azure.WebJobs.Script.WebHost.Models.FunctionAppSecrets;
 using DataProtectionConstants = Microsoft.Azure.Web.DataProtection.Constants;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost
@@ -30,6 +29,9 @@ public class SecretManager : IDisposable, ISecretManager
         private readonly ISecretsRepository _repository;
         private readonly HostNameProvider _hostNameProvider;
         private readonly StartupContextProvider _startupContextProvider;
+        private readonly Lazy<bool> _strictHISFeatureEnabled = new Lazy<bool>(() => FeatureFlags.IsEnabled(ScriptConstants.FeatureFlagStrictHISModeEnabled));
+        private readonly Lazy<bool> _strictHISWarnFeatureEnabled = new Lazy<bool>(() => FeatureFlags.IsEnabled(ScriptConstants.FeatureFlagStrictHISModeWarn));
+        private readonly HashSet<string> _invalidNonHISKeys = new HashSet<string>();
         private ConcurrentDictionary<string, IDictionary<string, string>> _functionSecrets;
         private ConcurrentDictionary<string, (string, AuthorizationLevel)> _authorizationCache = new ConcurrentDictionary<string, (string, AuthorizationLevel)>(StringComparer.OrdinalIgnoreCase);
         private HostSecretsInfo _hostSecrets;
@@ -137,11 +139,17 @@ public async virtual Task<HostSecretsInfo> GetHostSecretsAsync()
                             await RefreshSecretsAsync(hostSecrets);
                         }
 
+                        // before caching  any secrets, validate them
+                        string masterKeyValue = hostSecrets.MasterKey.Value;
+                        var functionKeys = hostSecrets.FunctionKeys.ToDictionary(p => p.Name, p => p.Value);
+                        var systemKeys = hostSecrets.SystemKeys.ToDictionary(p => p.Name, p => p.Value);
+                        ValidateHostSecrets(masterKeyValue, functionKeys, systemKeys);
+
                         _hostSecrets = new HostSecretsInfo
                         {
-                            MasterKey = hostSecrets.MasterKey.Value,
-                            FunctionKeys = hostSecrets.FunctionKeys.ToDictionary(s => s.Name, s => s.Value),
-                            SystemKeys = hostSecrets.SystemKeys.ToDictionary(s => s.Name, s => s.Value)
+                            MasterKey = masterKeyValue,
+                            FunctionKeys = functionKeys,
+                            SystemKeys = systemKeys
                         };
                     }
                     finally
@@ -219,7 +227,10 @@ public async virtual Task<IDictionary<string, string>> GetFunctionSecretsAsync(s
                             await RefreshSecretsAsync(secrets, functionName);
                         }
 
+                        // before caching any secrets, validate them
                         var result = secrets.Keys.ToDictionary(s => s.Name, s => s.Value);
+                        ValidateSecrets(result, SecretGenerator.FunctionKeySeed, functionName);
+
                         functionSecrets = _functionSecrets.AddOrUpdate(functionName, result, (n, r) => result);
                     }
                     finally
@@ -290,6 +301,15 @@ public async Task<KeyOperationResult> SetMasterKeyAsync(string value = null)
                 }
                 else
                 {
+                    if (_strictHISFeatureEnabled.Value)
+                    {
+                        // if an explicit value has been provided and strict HIS mode is enabled, validate the secret
+                        if (!SecretGenerator.TryValidateSecret(value, SecretGenerator.MasterKeySeed))
+                        {
+                            return new KeyOperationResult(value, OperationResult.BadRequest);
+                        }
+                    }
+
                     // Use the provided secret
                     masterKey = value;
                     result = OperationResult.Updated;
@@ -329,11 +349,57 @@ public async Task<bool> DeleteSecretAsync(string secretName, string keyScope, Sc
             }
         }
 
+        internal static ulong GetKeySeed(ScriptSecretsType secretsType, string keyScope)
+        {
+            if (secretsType == ScriptSecretsType.Function)
+            {
+                return SecretGenerator.FunctionKeySeed;
+            }
+            else if (secretsType == ScriptSecretsType.Host)
+            {
+                if (string.Equals(keyScope, HostKeyScopes.FunctionKeys, StringComparison.OrdinalIgnoreCase))
+                {
+                    return SecretGenerator.FunctionKeySeed;
+                }
+                else if (string.Equals(keyScope, HostKeyScopes.SystemKeys, StringComparison.OrdinalIgnoreCase))
+                {
+                    return SecretGenerator.SystemKeySeed;
+                }
+            }
+
+            return 0;
+        }
+
+        public static string GetKeyType(ulong seed)
+        {
+            switch (seed)
+            {
+                case SecretGenerator.MasterKeySeed:
+                    return "Master";
+                case SecretGenerator.SystemKeySeed:
+                    return "System";
+                case SecretGenerator.FunctionKeySeed:
+                    return "Function";
+                default:
+                    return "Unknown";
+            }
+        }
+
         private async Task<KeyOperationResult> AddOrUpdateSecretAsync(ScriptSecretsType secretsType, string keyScope,
             string secretName, string secret, Func<ScriptSecrets> secretsFactory)
         {
             OperationResult result = OperationResult.NotFound;
 
+            if (!string.IsNullOrEmpty(secret) && _strictHISFeatureEnabled.Value)
+            {
+                // if an explicit value has been provided and strict HIS mode is enabled, validate the secret
+                ulong seed = GetKeySeed(secretsType, keyScope);
+                if (seed > 0 && !SecretGenerator.TryValidateSecret(secret, seed))
+                {
+                    return new KeyOperationResult(secret, OperationResult.BadRequest);
+                }
+            }
+
             secret ??= SecretGenerator.GenerateFunctionKeyValue();
 
             await ModifyFunctionSecretsAsync(secretsType, keyScope, secrets =>
@@ -400,8 +466,7 @@ private async Task ModifyFunctionSecretsAsync(ScriptSecretsType secretsType, str
             }
         }
 
-        private Task<FunctionSecrets> LoadFunctionSecretsAsync(string functionName)
-            => LoadSecretsAsync<FunctionSecrets>(functionName);
+        private Task<FunctionSecrets> LoadFunctionSecretsAsync(string functionName) => LoadSecretsAsync<FunctionSecrets>(functionName);
 
         private async Task<T> LoadSecretsAsync<T>(string keyScope = null) where T : ScriptSecrets
         {
@@ -419,6 +484,22 @@ private async Task<ScriptSecrets> LoadSecretsAsync(ScriptSecretsType type, strin
 
         public async Task<(string KeyName, AuthorizationLevel Level)> GetAuthorizationLevelOrNullAsync(string keyValue, string functionName = null)
         {
+            // local helper function to get auth level and also enforce HIS validation
+            async Task<(string KeyName, AuthorizationLevel Level)> GetAuthorizationLevelAndValidateAsync(string keyValue, string functionName)
+            {
+                var result = await GetAuthorizationLevelAsync(this, keyValue, functionName);
+
+                if (result.Level != AuthorizationLevel.Anonymous &&
+                    _strictHISFeatureEnabled.Value && _invalidNonHISKeys.Contains(keyValue))
+                {
+                    // HIS strict mode is enabled and the matched key is invalid
+                    // Such keys cannot grant access.
+                    return (null, AuthorizationLevel.Anonymous);
+                }
+
+                return result;
+            }
+
             if (keyValue != null)
             {
                 string cacheKey = $"{keyValue}{functionName}";
@@ -432,7 +513,7 @@ private async Task<ScriptSecrets> LoadSecretsAsync(ScriptSecretsType type, strin
                 // cause the secrets to be loaded into cache - we want to know if they were cached BEFORE this check.
                 bool secretsCached = _hostSecrets != null || _functionSecrets.Any();
 
-                var result = await GetAuthorizationLevelAsync(this, keyValue, functionName);
+                var result = await GetAuthorizationLevelAndValidateAsync(keyValue, functionName);
                 if (result.Level != AuthorizationLevel.Anonymous)
                 {
                     // key match
@@ -448,9 +529,10 @@ private async Task<ScriptSecrets> LoadSecretsAsync(ScriptSecretsType type, strin
                     {
                         _hostSecrets = null;
                         _functionSecrets.Clear();
+                        _invalidNonHISKeys.Clear();
                         _lastCacheResetTime = DateTime.UtcNow;
 
-                        return await GetAuthorizationLevelAsync(this, keyValue, functionName);
+                        return await GetAuthorizationLevelAndValidateAsync(keyValue, functionName);
                     }
                 }
             }
@@ -514,6 +596,47 @@ private static ScriptSecretsType GetSecretsType<T>() where T : ScriptSecrets
                 : ScriptSecretsType.Function;
         }
 
+        private void ValidateHostSecrets(string masterKey, IDictionary<string, string> functionKeys, IDictionary<string, string> systemKeys)
+        {
+            ValidateSecret(ScriptConstants.MasterKeyName, masterKey, SecretGenerator.MasterKeySeed);
+            ValidateSecrets(functionKeys, SecretGenerator.FunctionKeySeed);
+            ValidateSecrets(systemKeys, SecretGenerator.SystemKeySeed);
+        }
+
+        private void ValidateSecret(string keyName, string keyValue, ulong seed, string functionName = null)
+        {
+            if (SecretGenerator.TryValidateSecret(keyValue, seed))
+            {
+                _metricsLogger.LogEvent(MetricEventNames.IdentifiableSecretLoaded, functionName);
+            }
+            else
+            {
+                _metricsLogger.LogEvent(MetricEventNames.NonIdentifiableSecretLoaded, functionName);
+
+                if (_strictHISFeatureEnabled.Value || _strictHISWarnFeatureEnabled.Value)
+                {
+                    // if either HIS mode is enabled log the appropriate diagnostic event
+                    // and track the secret as invalid
+                    string message = string.Format(Resources.NonHISSecret, GetKeyType(seed), keyName, functionName);
+                    LogLevel level = _strictHISFeatureEnabled.Value ? LogLevel.Error : LogLevel.Warning;
+                    _logger.LogDiagnosticEvent(level, 0, DiagnosticEventConstants.NonHISSecretLoaded, message, DiagnosticEventConstants.NonHISSecretLoadedHelpLink, exception: null);
+
+                    _invalidNonHISKeys.Add(keyValue);
+                }
+            }
+        }
+
+        private void ValidateSecrets(IDictionary<string, string> keys, ulong seed, string functionName = null)
+        {
+            if (keys != null)
+            {
+                foreach (var key in keys)
+                {
+                    ValidateSecret(key.Key, key.Value, seed, functionName);
+                }
+            }
+        }
+
         private HostSecrets GenerateHostSecrets()
         {
             return new HostSecrets
@@ -661,6 +784,7 @@ private void ClearCacheOnChange(ScriptSecretsType secretsType, string functionNa
             // clear the cached secrets if they exist
             // they'll be reloaded on demand next time
             _authorizationCache.Clear();
+
             if (secretsType == ScriptSecretsType.Host && _hostSecrets != null)
             {
                 _logger.LogInformation("Host keys change detected. Clearing cache.");
@@ -686,6 +810,7 @@ public void ClearCache()
             _authorizationCache.Clear();
             _hostSecrets = null;
             _functionSecrets.Clear();
+            _invalidNonHISKeys.Clear();
         }
 
         private async Task<string> AnalyzeSnapshots(string[] secretBackups)
@@ -745,11 +870,26 @@ private string GetFunctionName(string keyScope, ScriptSecretsType secretsType)
         private void InitializeCache()
         {
             var cachedFunctionSecrets = _startupContextProvider.GetFunctionSecretsOrNull();
-            _functionSecrets = cachedFunctionSecrets != null ?
-                new ConcurrentDictionary<string, IDictionary<string, string>>(cachedFunctionSecrets, StringComparer.OrdinalIgnoreCase) :
-                new ConcurrentDictionary<string, IDictionary<string, string>>(StringComparer.OrdinalIgnoreCase);
+            if (cachedFunctionSecrets != null)
+            {
+                foreach (var functionKeys in cachedFunctionSecrets)
+                {
+                    ValidateSecrets(functionKeys.Value, SecretGenerator.FunctionKeySeed, functionKeys.Key);
+                }
 
-            _hostSecrets = _startupContextProvider.GetHostSecretsOrNull();
+                _functionSecrets = new ConcurrentDictionary<string, IDictionary<string, string>>(cachedFunctionSecrets, StringComparer.OrdinalIgnoreCase);
+            }
+            else
+            {
+                _functionSecrets = new ConcurrentDictionary<string, IDictionary<string, string>>(StringComparer.OrdinalIgnoreCase);
+            }
+
+            var hostSecrets = _startupContextProvider.GetHostSecretsOrNull();
+            if (hostSecrets != null)
+            {
+                ValidateHostSecrets(hostSecrets.MasterKey, hostSecrets.FunctionKeys, hostSecrets.SystemKeys);
+                _hostSecrets = hostSecrets;
+            }
         }
 
         private string GetEncryptionKeysHashes()