Enabling saving secrets to blob instead of file storage

Author: krolson

src/WebJobs.Script.WebHost/GlobalSuppressions.cs

@@ -100,4 +100,5 @@
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Controllers.ExceptionProcessingHandler.#Handle(System.Web.Http.ExceptionHandling.ExceptionHandlerContext)")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Performance", "CA1813:AvoidUnsealedAttributes", Scope = "type", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Filters.AuthorizationLevelAttribute")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Models.Swagger.HttpOperationInfo.#InputParameters")]
-[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Models.Swagger.SwaggerDocument.#ApiEndpoints")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.Models.Swagger.SwaggerDocument.#ApiEndpoints")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.WebHost.DefaultSecretsRepositoryFactory.#Create(Microsoft.Azure.WebJobs.Script.Config.ScriptSettingsManager,Microsoft.Azure.WebJobs.Script.WebHost.WebHostSettings,Microsoft.Azure.WebJobs.Script.ScriptHostConfiguration)")]

src/WebJobs.Script.WebHost/Security/BlobStorageSecretsRepository.cs

@@ -0,0 +1,157 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.IO;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.Azure.WebJobs.Host;
+//using Microsoft.Azure.WebJobs.Script.Config;
+using Microsoft.Azure.WebJobs.Script.IO;
+using Microsoft.WindowsAzure.Storage;
+using Microsoft.WindowsAzure.Storage.Blob;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    /// <summary>
+    /// An <see cref="ISecretsRepository"/> implementation that uses Azure blob storage as the backing store.
+    /// </summary>
+    public sealed class BlobStorageSecretsRepository : ISecretsRepository, IDisposable
+    {
+        private readonly string _secretsSentinelFilePath;
+        private readonly string _secretsBlobPath;
+        private readonly string _hostSecretsSentinelFilePath;
+        private readonly string _hostSecretsBlobPath;
+        private readonly AutoRecoveringFileSystemWatcher _sentinelFileWatcher;
+        private readonly CloudBlobContainer _blobContainer;
+        private readonly string _secretsContainerName = "azure-webjobs-secrets";
+        private readonly string _accountConnectionString;
+        private bool _disposed = false;        
+
+        public BlobStorageSecretsRepository(string secretSentinelDirectoryPath, string accountConnectionString, string siteHostName)
+        {
+            if (secretSentinelDirectoryPath == null)
+            {
+                throw new ArgumentNullException(nameof(secretSentinelDirectoryPath));
+            }
+            if (accountConnectionString == null)
+            {
+                throw new ArgumentNullException(nameof(accountConnectionString));
+            }
+
+            _secretsSentinelFilePath = secretSentinelDirectoryPath;
+            _hostSecretsSentinelFilePath = Path.Combine(_secretsSentinelFilePath, ScriptConstants.HostMetadataFileName);            
+
+            Directory.CreateDirectory(_secretsSentinelFilePath);
+
+            _sentinelFileWatcher = new AutoRecoveringFileSystemWatcher(_secretsSentinelFilePath, "*.json");
+            _sentinelFileWatcher.Changed += OnChanged;
+
+            _secretsBlobPath = siteHostName.ToLowerInvariant(); 
+            _hostSecretsBlobPath = string.Format("{0}/{1}", _secretsBlobPath, ScriptConstants.HostMetadataFileName);
+
+            _accountConnectionString = accountConnectionString;
+            CloudStorageAccount account = CloudStorageAccount.Parse(_accountConnectionString);
+            CloudBlobClient client = account.CreateCloudBlobClient();
+
+            _blobContainer = client.GetContainerReference(_secretsContainerName);
+            _blobContainer.CreateIfNotExists();                  
+        }
+
+        public event EventHandler<SecretsChangedEventArgs> SecretsChanged;
+
+        private string GetSecretsBlobPath(ScriptSecretsType secretsType, string functionName = null)
+        {
+            return secretsType == ScriptSecretsType.Host
+                ? _hostSecretsBlobPath
+                : string.Format("{0}/{1}", _secretsBlobPath, GetSecretFileName(functionName));
+        }
+
+        private string GetSecretsSentinelFilePath(ScriptSecretsType secretsType, string functionName = null)
+        {
+            return secretsType == ScriptSecretsType.Host
+                ? _hostSecretsSentinelFilePath
+                : Path.Combine(_secretsSentinelFilePath, GetSecretFileName(functionName));
+        }
+
+        private static string GetSecretFileName(string functionName)
+        {
+            return string.Format(CultureInfo.InvariantCulture, "{0}.json", functionName.ToLowerInvariant());            
+        }
+
+        private void OnChanged(object sender, FileSystemEventArgs e)
+        {
+            var changeHandler = SecretsChanged;
+            if (changeHandler != null)
+            {
+                var args = new SecretsChangedEventArgs { SecretsType = ScriptSecretsType.Host };
+
+                if (string.Compare(Path.GetFileName(e.FullPath), ScriptConstants.HostMetadataFileName, StringComparison.OrdinalIgnoreCase) != 0)
+                {
+                    args.SecretsType = ScriptSecretsType.Function;
+                    args.Name = Path.GetFileNameWithoutExtension(e.FullPath).ToLowerInvariant();
+                }
+
+                changeHandler(this, args);
+            }
+        }
+
+        public async Task<string> ReadAsync(ScriptSecretsType type, string functionName)
+        {
+            string secretsContent = null;
+            string blobPath = GetSecretsBlobPath(type, functionName);
+            CloudBlockBlob secretBlob = _blobContainer.GetBlockBlobReference(blobPath);
+                        
+            if (await secretBlob.ExistsAsync())
+            {                
+                secretsContent = await secretBlob.DownloadTextAsync();
+            }
+
+            return secretsContent;
+        }
+
+        public async Task WriteAsync(ScriptSecretsType type, string functionName, string secretsContent)
+        {
+            if (secretsContent == null)
+            {
+                throw new ArgumentNullException(nameof(secretsContent));
+            }
+            
+            string blobPath = GetSecretsBlobPath(type, functionName);            
+            CloudBlockBlob secretBlob = _blobContainer.GetBlockBlobReference(blobPath);            
+            using (StreamWriter writer = new StreamWriter(await secretBlob.OpenWriteAsync()))
+            {                
+                await writer.WriteAsync(secretsContent);
+            }           
+
+            string filePath = GetSecretsSentinelFilePath(type, functionName);            
+            await FileUtility.WriteAsync(filePath, DateTime.UtcNow.ToString());
+        }
+
+        public async Task PurgeOldSecretsAsync(IList<string> currentFunctions, TraceWriter traceWriter)
+        {
+            // no-op - allow stale secrets to remain
+            await Task.Yield();
+        }
+
+        private void Dispose(bool disposing)
+        {
+            if (!_disposed)
+            {
+                if (disposing)
+                {
+                    _sentinelFileWatcher.Dispose();                    
+                }
+
+                _disposed = true;
+            }
+        }
+
+        public void Dispose()
+        {
+            Dispose(true);
+        }
+    }
+}

src/WebJobs.Script.WebHost/Security/DefaultSecretsRepositoryFactory.cs

@@ -0,0 +1,31 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Web;
+using Microsoft.Azure.WebJobs.Host;
+using Microsoft.Azure.WebJobs.Script.Config;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    public sealed class DefaultSecretsRepositoryFactory : ISecretsRepositoryFactory
+    {        
+        public ISecretsRepository Create(ScriptSettingsManager settingsManager, WebHostSettings webHostSettings, ScriptHostConfiguration config)
+        {            
+            string secretStorageType = settingsManager.GetSetting(EnvironmentSettingNames.AzureWebJobsSecretStorageType);
+            string storageString = AmbientConnectionStringProvider.Instance.GetConnectionString(ConnectionStringNames.Storage);
+            if (secretStorageType != null && secretStorageType.Equals("Blob", StringComparison.OrdinalIgnoreCase) && storageString != null)
+            {                
+                string siteHostId = settingsManager.AzureWebsiteDefaultSubdomain ?? config.HostConfig.HostId;
+                return new BlobStorageSecretsRepository(Path.Combine(webHostSettings.SecretsPath, "Sentinels"), storageString, siteHostId);
+            }
+            else
+            {
+                return new FileSystemSecretsRepository(webHostSettings.SecretsPath);
+            }            
+        }
+    }
+}

src/WebJobs.Script.WebHost/Security/ISecretRepositoryFactory.cs

@@ -0,0 +1,14 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Azure.WebJobs.Host;
+using Microsoft.Azure.WebJobs.Script.Config;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    public interface ISecretsRepositoryFactory
+    {
+        ISecretsRepository Create(ScriptSettingsManager settingsManager, WebHostSettings webHostSettings, ScriptHostConfiguration config);
+    }
+}

src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj

@@ -429,7 +429,9 @@
       <DesignTime>True</DesignTime>
       <DependentUpon>Resources.resx</DependentUpon>
     </Compile>
+    <Compile Include="Security\BlobStorageSecretsRepository.cs" />
     <Compile Include="Security\DefaultSecretManagerFactory.cs" />
+    <Compile Include="Security\DefaultSecretsRepositoryFactory.cs" />
     <Compile Include="Security\FileSystemSecretsRepository.cs" />
     <Compile Include="Security\FunctionSecrets.cs" />
     <Compile Include="Security\DataProtectionKeyValueConverter.cs" />
@@ -438,6 +440,7 @@
     <Compile Include="Security\IKeyValueWriter.cs" />
     <Compile Include="Security\ISecretManager.cs" />
     <Compile Include="Security\ISecretManagerFactory.cs" />
+    <Compile Include="Security\ISecretRepositoryFactory.cs" />
     <Compile Include="Security\ISecretsRepository.cs" />
     <Compile Include="Security\KeyOperationResult.cs" />
     <Compile Include="Security\ScriptSecretsType.cs" />

src/WebJobs.Script.WebHost/WebScriptHostManager.cs

@@ -43,7 +43,7 @@ public class WebScriptHostManager : ScriptHostManager
         private IDictionary<IHttpRoute, FunctionDescriptor> _httpFunctions;
         private HttpRouteCollection _httpRoutes;
 
-        public WebScriptHostManager(ScriptHostConfiguration config, ISecretManagerFactory secretManagerFactory, ScriptSettingsManager settingsManager, WebHostSettings webHostSettings, IScriptHostFactory scriptHostFactory = null)
+        public WebScriptHostManager(ScriptHostConfiguration config, ISecretManagerFactory secretManagerFactory, ScriptSettingsManager settingsManager, WebHostSettings webHostSettings, IScriptHostFactory scriptHostFactory = null, ISecretsRepositoryFactory secretsRepositoryFactory = null)
             : base(config, settingsManager, scriptHostFactory)
         {
             _config = config;
@@ -63,10 +63,17 @@ public WebScriptHostManager(ScriptHostConfiguration config, ISecretManagerFactor
             }
 
             config.IsSelfHost = webHostSettings.IsSelfHost;
-
-            _secretManager = secretManagerFactory.Create(settingsManager, config.TraceWriter, new FileSystemSecretsRepository(webHostSettings.SecretsPath));
+            
             _performanceManager = new HostPerformanceManager(settingsManager);
             _swaggerDocumentManager = new SwaggerDocumentManager(config);
+
+            var secretsRepository = secretsRepositoryFactory.Create(settingsManager, webHostSettings, config);
+            _secretManager = secretManagerFactory.Create(settingsManager, config.TraceWriter, secretsRepository);       
+        }
+        
+        public WebScriptHostManager(ScriptHostConfiguration config, ISecretManagerFactory secretManagerFactory, ScriptSettingsManager settingsManager, WebHostSettings webHostSettings, IScriptHostFactory scriptHostFactory)
+            : this(config, secretManagerFactory, settingsManager, webHostSettings, scriptHostFactory, new DefaultSecretsRepositoryFactory())
+        {
         }
 
         public WebScriptHostManager(ScriptHostConfiguration config, ISecretManagerFactory secretManagerFactory, ScriptSettingsManager settingsManager, WebHostSettings webHostSettings)

src/WebJobs.Script/EnvironmentSettingNames.cs

@@ -19,5 +19,6 @@ public static class EnvironmentSettingNames
         public const string CompilationReleaseMode = "AzureWebJobsDotNetReleaseCompilation";
         public const string AzureWebJobsDisableHomepage = "AzureWebJobsDisableHomepage";
         public const string AzureWebsiteAppCountersName = "WEBSITE_COUNTERS_APP";
+        public const string AzureWebJobsSecretStorageType = "AzureWebJobsSecretStorageType";         
     }
 }

test/WebJobs.Script.Tests.Integration/Host/WebScriptHostManagerTests.cs

@@ -27,12 +27,12 @@ public class WebScriptHostManagerTests : IClassFixture<WebScriptHostManagerTests
     {
         private readonly ScriptSettingsManager _settingsManager;
         private readonly TempDirectory _secretsDirectory = new TempDirectory();
-        private Fixture _fixture;
+        private WebScriptHostManagerTests.Fixture _fixture;
 
         // Some tests need their own manager that differs from the fixture.
         private WebScriptHostManager _manager;
 
-        public WebScriptHostManagerTests(Fixture fixture)
+        public WebScriptHostManagerTests(WebScriptHostManagerTests.Fixture fixture)
         {
             _fixture = fixture;
             _settingsManager = ScriptSettingsManager.Instance;
@@ -109,10 +109,11 @@ public async Task EmptyHost_StartsSuccessfully()
                 RootLogPath = logDir,
                 FileLoggingMode = FileLoggingMode.Always
             };
-            ISecretsRepository repository = new FileSystemSecretsRepository(secretsDir);
+            string connectionString = AmbientConnectionStringProvider.Instance.GetConnectionString(ConnectionStringNames.Storage);
+            ISecretsRepository repository = new BlobStorageSecretsRepository(secretsDir, connectionString, "EmptyHost_StartsSuccessfully");
             ISecretManager secretManager = new SecretManager(_settingsManager, repository, NullTraceWriter.Instance);
             WebHostSettings webHostSettings = new WebHostSettings();
-            webHostSettings.SecretsPath = _secretsDirectory.Path;
+            webHostSettings.SecretsPath = _secretsDirectory.Path;            
 
             ScriptHostManager hostManager = new WebScriptHostManager(config, new TestSecretManagerFactory(secretManager), _settingsManager, webHostSettings);
 
@@ -149,8 +150,8 @@ public async Task MultipleHostRestarts()
                 RootScriptPath = functionTestDir,
                 FileLoggingMode = FileLoggingMode.Always,
             };
-
-            ISecretsRepository repository = new FileSystemSecretsRepository(secretsDir);
+            
+            ISecretsRepository repository = new FileSystemSecretsRepository(_secretsDirectory.Path);
             SecretManager secretManager = new SecretManager(_settingsManager, repository, NullTraceWriter.Instance);
             WebHostSettings webHostSettings = new WebHostSettings();
             webHostSettings.SecretsPath = _secretsDirectory.Path;
@@ -331,11 +332,11 @@ public Fixture()
                     RootLogPath = logRoot,
                     FileLoggingMode = FileLoggingMode.Always
                 };
-
+                
                 ISecretsRepository repository = new FileSystemSecretsRepository(SecretsPath);
                 ISecretManager secretManager = new SecretManager(_settingsManager, repository, NullTraceWriter.Instance);
                 WebHostSettings webHostSettings = new WebHostSettings();
-                webHostSettings.SecretsPath = _secretsDirectory.Path;
+                webHostSettings.SecretsPath = SecretsPath; 
 
                 var hostConfig = config.HostConfig;
                 var testEventGenerator = new TestSystemEventGenerator();
@@ -360,7 +361,7 @@ public Fixture()
                     "Info WebJobs.Indexing Found the following functions:",
                     "Info The next 5 occurrences of the schedule will be:",
                     "Info WebJobs.Host Job host started",
-                    "Error The following 1 functions are in error:"
+                    "Error The following 1 functions are in error:" 
                 };
                 foreach (string pattern in expectedPatterns)
                 {