Geometric key size progression during snapshotting. Fixes #3034.

Author: alrod

src/WebJobs.Script.WebHost/Security/KeyManagement/SecretManager.cs

@@ -93,6 +93,7 @@ public async virtual Task<HostSecretsInfo> GetHostSecretsAsync()
                     {
                         _logger?.LogDebug(Resources.TraceNonDecryptedHostSecretRefresh);
                         await PersistSecretsAsync(hostSecrets, null, true);
+                        hostSecrets = GenerateHostSecrets(hostSecrets);
                         await RefreshSecretsAsync(hostSecrets);
                     }
 
@@ -139,13 +140,7 @@ public async virtual Task<IDictionary<string, string>> GetFunctionSecretsAsync(s
                     // no secrets exist for this function so generate them
                     string message = string.Format(Resources.TraceFunctionSecretGeneration, functionName);
                     _logger.LogDebug(message);
-                    secrets = new FunctionSecrets
-                    {
-                        Keys = new List<Key>
-                        {
-                            GenerateKey(ScriptConstants.DefaultFunctionKeyName)
-                        }
-                    };
+                    secrets = GenerateFunctionSecrets();
 
                     await PersistSecretsAsync(secrets, functionName);
                 }
@@ -160,6 +155,7 @@ public async virtual Task<IDictionary<string, string>> GetFunctionSecretsAsync(s
                     string message = string.Format(Resources.TraceNonDecryptedFunctionSecretRefresh, functionName);
                     _logger?.LogDebug(message);
                     await PersistSecretsAsync(secrets, functionName, true);
+                    secrets = GenerateFunctionSecrets(secrets);
                     await RefreshSecretsAsync(secrets, functionName);
                 }
 
@@ -378,13 +374,53 @@ private HostSecrets GenerateHostSecrets()
             {
                 MasterKey = GenerateKey(ScriptConstants.DefaultMasterKeyName),
                 FunctionKeys = new List<Key>
+            {
+                GenerateKey(ScriptConstants.DefaultFunctionKeyName)
+            },
+                SystemKeys = new List<Key>()
+            };
+        }
+
+        private HostSecrets GenerateHostSecrets(HostSecrets secrets)
+        {
+            if (secrets.MasterKey.IsEncrypted)
+            {
+                secrets.MasterKey.Value = GenerateSecret();
+            }
+            secrets.SystemKeys = RegenerateList(secrets.SystemKeys);
+            secrets.FunctionKeys = RegenerateList(secrets.FunctionKeys);
+            return secrets;
+        }
+
+        private FunctionSecrets GenerateFunctionSecrets()
+        {
+            return new FunctionSecrets
+            {
+                Keys = new List<Key>
                 {
                     GenerateKey(ScriptConstants.DefaultFunctionKeyName)
-                },
-                SystemKeys = new List<Key>()
+                }
             };
         }
 
+        private FunctionSecrets GenerateFunctionSecrets(FunctionSecrets secrets)
+        {
+            secrets.Keys = RegenerateList(secrets.Keys);
+            return secrets;
+        }
+
+        private IList<Key> RegenerateList(IList<Key> list)
+        {
+            return list.Select(k =>
+            {
+                if (k.IsEncrypted)
+                {
+                    k.Value = GenerateSecret();
+                }
+                return k;
+            }).ToList();
+        }
+
         private Task RefreshSecretsAsync<T>(T secrets, string keyScope = null) where T : ScriptSecrets
         {
             var refreshedSecrets = secrets.Refresh(_keyValueConverterFactory);

test/WebJobs.Script.Tests/Security/SecretManagerTests.cs

@@ -496,9 +496,9 @@ public async Task GetHostSecrets_WhenNonDecryptedHostSecrets_SavesAndRefreshes()
                 }
 
                 Assert.NotNull(hostSecrets);
-                Assert.Equal(hostSecrets.MasterKey, "cryptoError");
+                Assert.NotEqual(hostSecrets.MasterKey, "cryptoError");
                 var result = JsonConvert.DeserializeObject<HostSecrets>(File.ReadAllText(Path.Combine(directory.Path, ScriptConstants.HostMetadataFileName)));
-                Assert.Equal(result.MasterKey.Value, "!cryptoError");
+                Assert.Equal(result.MasterKey.Value, "!" + hostSecrets.MasterKey);
                 Assert.Equal(1, Directory.GetFiles(directory.Path, $"host.{ScriptConstants.Snapshot}*").Length);
             }
         }
@@ -536,9 +536,9 @@ public async Task GetFunctiontSecrets_WhenNonDecryptedSecrets_SavesAndRefreshes(
                 }
 
                 Assert.NotNull(functionSecrets);
-                Assert.Equal(functionSecrets["Key1"], "cryptoError");
+                Assert.NotEqual(functionSecrets["Key1"], "cryptoError");
                 var result = JsonConvert.DeserializeObject<FunctionSecrets>(File.ReadAllText(Path.Combine(directory.Path, functionName + ".json")));
-                Assert.Equal(result.GetFunctionKey("Key1", functionName).Value, "!cryptoError");
+                Assert.Equal(result.GetFunctionKey("Key1", functionName).Value, "!" + functionSecrets["Key1"]);
                 Assert.Equal(1, Directory.GetFiles(directory.Path, $"{functionName}.{ScriptConstants.Snapshot}*").Length);
             }
         }
@@ -755,7 +755,10 @@ private Mock<IKeyValueConverterFactory> GetConverterFactoryMock(bool simulateWri
 
             var mockValueWriter = new Mock<IKeyValueWriter>();
             mockValueWriter.Setup(r => r.WriteValue(It.IsAny<Key>()))
-                .Returns<Key>(k => new Key(k.Name, simulateWriteConversion ? "!" + k.Value : k.Value) { IsEncrypted = simulateWriteConversion });
+                .Returns<Key>(k =>
+                {
+                    return new Key(k.Name, simulateWriteConversion ? "!" + k.Value : k.Value) { IsEncrypted = simulateWriteConversion };
+                });
 
             var mockValueConverterFactory = new Mock<IKeyValueConverterFactory>();
             mockValueConverterFactory.Setup(f => f.GetValueReader(It.IsAny<Key>()))