Adding runtime site name to valid JWT audiences (slot scenarios) (#10187)

Author: mathewc

src/WebJobs.Script.WebHost/Filters/JwtAuthenticationAttribute.cs

@@ -46,24 +46,7 @@ public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationTok
                 var signingKeys = SecretsUtility.GetTokenIssuerSigningKeys();
                 if (signingKeys.Length > 0)
                 {
-                    var validationParameters = new TokenValidationParameters()
-                    {
-                        IssuerSigningKeys = signingKeys,
-                        AudienceValidator = AudienceValidator,
-                        IssuerValidator = IssuerValidator,
-                        ValidAudiences = new string[]
-                        {
-                            string.Format(SiteAzureFunctionsUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
-                            string.Format(SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
-                        },
-                        ValidIssuers = new string[]
-                        {
-                            AppServiceCoreUri,
-                            string.Format(ScmSiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
-                            string.Format(SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
-                        }
-                    };
-
+                    var validationParameters = CreateTokenValidationParameters(signingKeys);
                     if (JwtGenerator.IsTokenValid(token, validationParameters))
                     {
                         context.Request.SetAuthorizationLevel(AuthorizationLevel.Admin);
@@ -76,6 +59,40 @@ public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationTok
 
         public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken) => Task.CompletedTask;
 
+        internal static TokenValidationParameters CreateTokenValidationParameters(SymmetricSecurityKey[] signingKeys)
+        {
+            string siteName = ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName);
+            string runtimeSiteName = ScriptSettingsManager.Instance.GetSetting(AzureWebsiteRuntimeSiteName);
+            var audiences = new List<string>
+            {
+                string.Format(SiteAzureFunctionsUriFormat, siteName),
+                string.Format(SiteUriFormat, siteName)
+            };
+
+            if (!string.IsNullOrEmpty(runtimeSiteName) && !string.Equals(siteName, runtimeSiteName, StringComparison.OrdinalIgnoreCase))
+            {
+                // on a non-production slot, the runtime site name will differ from the site name
+                // we allow both for audience
+                audiences.Add(string.Format(SiteUriFormat, runtimeSiteName));
+            }
+
+            var validationParameters = new TokenValidationParameters()
+            {
+                IssuerSigningKeys = signingKeys,
+                AudienceValidator = AudienceValidator,
+                IssuerValidator = IssuerValidator,
+                ValidAudiences = audiences,
+                ValidIssuers = new string[]
+                {
+                    AppServiceCoreUri,
+                    string.Format(ScmSiteUriFormat, siteName),
+                    string.Format(SiteUriFormat, siteName)
+                }
+            };
+
+            return validationParameters;
+        }
+
         private static string IssuerValidator(string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
         {
             if (!validationParameters.ValidIssuers.Any(p => string.Equals(issuer, p, StringComparison.OrdinalIgnoreCase)))

src/WebJobs.Script/EnvironmentSettingNames.cs

@@ -31,6 +31,7 @@ public static class EnvironmentSettingNames
         public const string CoreToolsEnvironment = "FUNCTIONS_CORETOOLS_ENVIRONMENT";
         public const string AzureWebsiteArmCacheEnabled = "WEBSITE_FUNCTIONS_ARMCACHE_ENABLED";
         public const string TestDataCapEnabled = "WEBSITE_FUNCTIONS_TESTDATA_CAP_ENABLED";
+        public const string AzureWebsiteRuntimeSiteName = "WEBSITE_DEPLOYMENT_ID";
 
         /// <summary>
         /// Environment variable dynamically set by the platform when it is safe to

test/WebJobs.Script.Tests/Filters/JwtAuthenticationAttributeTests.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
 using System.Net;
 using System.Net.Http;
 using System.Net.Http.Headers;
@@ -14,6 +15,7 @@
 using System.Web.Http.Filters;
 using Microsoft.Azure.Web.DataProtection;
 using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.WebHost;
 using Microsoft.Azure.WebJobs.Script.WebHost.Filters;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
@@ -109,6 +111,44 @@ public async Task AuthenticateAsync_WithValidToken_Base64Encoding_SetsAdminAutho
             await AuthenticateAsync(token, ScriptConstants.SiteTokenHeaderName, AuthorizationLevel.Admin);
         }
 
+        [Theory]
+        [InlineData("testsite", "testsite")]
+        [InlineData("testsite", "testsite__5bb5")]
+        [InlineData("testsite", null)]
+        [InlineData("testsite", "")]
+        public void CreateTokenValidationParameters_NonProductionSlot_HasExpectedAudiences(string siteName, string runtimeSiteName)
+        {
+            string azFuncAudience = string.Format(ScriptConstants.SiteAzureFunctionsUriFormat, siteName);
+            string siteAudience = string.Format(ScriptConstants.SiteUriFormat, siteName);
+            string runtimeSiteAudience = string.Format(ScriptConstants.SiteUriFormat, runtimeSiteName);
+
+            var testEnv = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+            {
+                { EnvironmentSettingNames.AzureWebsiteName, siteName },
+                { EnvironmentSettingNames.AzureWebsiteRuntimeSiteName, runtimeSiteName }
+            };
+
+            using (new TestScopedSettings(ScriptSettingsManager.Instance, testEnv))
+            {
+                var signingKeys = SecretsUtility.GetTokenIssuerSigningKeys();
+                var tokenValidationParameters = JwtAuthenticationAttribute.CreateTokenValidationParameters(signingKeys);
+                var audiences = tokenValidationParameters.ValidAudiences.ToArray();
+
+                Assert.Equal(audiences[0], azFuncAudience);
+                Assert.Equal(audiences[1], siteAudience);
+
+                if (string.Compare(siteName, runtimeSiteName, StringComparison.OrdinalIgnoreCase) == 0)
+                {
+                    Assert.Equal(2, audiences.Length);
+                }
+                else if (!string.IsNullOrEmpty(runtimeSiteName))
+                {
+                    Assert.Equal(3, audiences.Length);
+                    Assert.Equal(audiences[2], runtimeSiteAudience);
+                }
+            }
+        }
+
         public async Task AuthenticateAsync(string token, string headerName, AuthorizationLevel expectedLevel)
         {
             var controllerContext = new HttpControllerContext()