Including admin JWT on outbound platform calls (#9199)

Author: mathewc

src/WebJobs.Script.WebHost/Filters/AuthorizationLevelAttribute.cs

@@ -20,7 +20,6 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost.Filters
     public class AuthorizationLevelAttribute : AuthorizationFilterAttribute
     {
         public const string FunctionsKeyHeaderName = "x-functions-key";
-        public const string ArmTokenHeaderName = "x-ms-site-restricted-token";
 
         public AuthorizationLevelAttribute(AuthorizationLevel level)
         {
@@ -94,7 +93,7 @@ public async override Task OnAuthorizationAsync(HttpActionContext actionContext,
 
         internal static string GetArmTokenHeader(HttpActionContext actionContext)
         {
-            if (actionContext.Request.Headers.TryGetValues(ArmTokenHeaderName, out IEnumerable<string> values))
+            if (actionContext.Request.Headers.TryGetValues(ScriptConstants.SiteRestrictedTokenHeaderName, out IEnumerable<string> values))
             {
                 return values.First();
             }

src/WebJobs.Script.WebHost/Filters/JwtAuthenticationAttribute.cs

@@ -57,14 +57,14 @@ public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationTok
                         ValidateIssuer = true,
                         ValidAudiences = new string[]
                         {
-                            string.Format(AdminJwtSiteFunctionsValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
-                            string.Format(AdminJwtSiteValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+                            string.Format(SiteAzureFunctionsUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                            string.Format(SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
                         },
                         ValidIssuers = new string[]
                         {
-                            AdminJwtAppServiceIssuer,
-                            string.Format(AdminJwtScmValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
-                            string.Format(AdminJwtSiteValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+                            AppServiceCoreUri,
+                            string.Format(ScmSiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                            string.Format(SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
                         }
                     };
 

src/WebJobs.Script.WebHost/Management/FunctionsSyncManager.cs

@@ -420,7 +420,8 @@ internal static HttpRequestMessage BuildSetTriggersRequest()
         // of triggers. It'll verify app ownership using a SWT token valid for 5 minutes. It should be plenty.
         private async Task<(bool, string)> SetTriggersAsync(string content)
         {
-            var token = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+            string swtToken = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
+            string jwtToken = JwtTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(5));
 
             string sanitizedContentString = content;
             if (ArmCacheEnabled)
@@ -439,7 +440,8 @@ internal static HttpRequestMessage BuildSetTriggersRequest()
                 var requestId = Guid.NewGuid().ToString();
                 request.Headers.Add(ScriptConstants.AntaresLogIdHeaderName, requestId);
                 request.Headers.Add("User-Agent", ScriptConstants.FunctionsUserAgent);
-                request.Headers.Add("x-ms-site-restricted-token", token);
+                request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, swtToken);
+                request.Headers.Add(ScriptConstants.SiteTokenHeaderName, jwtToken);
                 request.Content = new StringContent(content, Encoding.UTF8, "application/json");
 
                 string message = $"Making SyncTriggers request (RequestId={requestId}, Uri={request.RequestUri.ToString()}, Content={sanitizedContentString}).";

src/WebJobs.Script.WebHost/Security/JwtTokenHelper.cs

@@ -0,0 +1,30 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.IdentityModel.Tokens.Jwt;
+using Microsoft.Azure.WebJobs.Script.Config;
+using Microsoft.IdentityModel.Tokens;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Security
+{
+    internal static class JwtTokenHelper
+    {
+        public static string CreateToken(DateTime validUntil, string audience = null, string issuer = null, byte[] key = null)
+        {
+            var tokenHandler = new JwtSecurityTokenHandler();
+            key = key ?? SecretsUtility.GetEncryptionKey();
+            var tokenDescriptor = new SecurityTokenDescriptor
+            {
+                Audience = audience ?? ScriptConstants.AppServiceCoreUri,
+                Issuer = issuer ?? string.Format(ScriptConstants.SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(EnvironmentSettingNames.AzureWebsiteName)),
+                Expires = validUntil,
+                SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
+            };
+            var token = tokenHandler.CreateToken(tokenDescriptor);
+            string tokenValue = tokenHandler.WriteToken(token);
+
+            return tokenValue;
+        }
+    }
+}

src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj

@@ -519,6 +519,7 @@
     <Compile Include="Management\WebFunctionsManager.cs" />
     <Compile Include="Models\FunctionMetadataResponse.cs" />
     <Compile Include="ResourceContainsSecretsAttribute.cs" />
+    <Compile Include="Security\JwtTokenHelper.cs" />
     <Compile Include="Security\SecretsUtility.cs" />
     <Compile Include="Security\SimpleWebTokenHelper.cs" />
     <Compile Include="StandbyManager.cs" />

src/WebJobs.Script/GlobalSuppressions.cs

@@ -250,3 +250,4 @@
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1709:IdentifiersShouldBeCasedCorrectly", MessageId = "ARM", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.ScriptConstants.#AntaresARMRequestTrackingIdHeader")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1709:IdentifiersShouldBeCasedCorrectly", MessageId = "ARM", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.ScriptConstants.#AntaresARMExtensionsRouteHeader")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Scm", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.ScriptConstants.#AdminJwtScmValidIssuerFormat")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Scm", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.ScriptConstants.#ScmSiteUriFormat")]

src/WebJobs.Script/ScriptConstants.cs

@@ -65,6 +65,7 @@ public static class ScriptConstants
         public const string ColdStartEventName = "ColdStart";
         public const string ShutdownRecoveryEventName = "ShutdownRecovery";
 
+        public const string SiteRestrictedTokenHeaderName = "x-ms-site-restricted-token";
         public const string SiteTokenHeaderName = "x-ms-site-token";
         public const string AntaresARMRequestTrackingIdHeader = "x-ms-arm-request-tracking-id";
         public const string AntaresARMExtensionsRouteHeader = "X-MS-VIA-EXTENSIONS-ROUTE";
@@ -83,11 +84,10 @@ public static class ScriptConstants
         public const string FeatureFlagDisableShadowCopy = "DisableShadowCopy";
         public const string FeatureFlagsEnableDynamicExtensionLoading = "EnableDynamicExtensionLoading";
 
-        public const string AdminJwtSiteFunctionsValidAudienceFormat = "https://{0}.azurewebsites.net/azurefunctions";
-        public const string AdminJwtSiteValidAudienceFormat = "https://{0}.azurewebsites.net";
-        public const string AdminJwtScmValidIssuerFormat = "https://{0}.scm.azurewebsites.net";
-        public const string AdminJwtSiteValidIssuerFormat = "https://{0}.azurewebsites.net";
-        public const string AdminJwtAppServiceIssuer = "https://appservice.core.azurewebsites.net";
+        public const string SiteAzureFunctionsUriFormat = "https://{0}.azurewebsites.net/azurefunctions";
+        public const string ScmSiteUriFormat = "https://{0}.scm.azurewebsites.net";
+        public const string SiteUriFormat = "https://{0}.azurewebsites.net";
+        public const string AppServiceCoreUri = "https://appservice.core.azurewebsites.net";
 
         public const string SwaggerFileName = "swagger.json";
         public const string AzureFunctionsSystemDirectoryName = ".azurefunctions";

test/WebJobs.Script.Tests/Filters/AuthorizationLevelAttributeTests.cs

@@ -406,7 +406,7 @@ public async Task OnAuthorization_Arm_Success_SetsAdminAuthLevel()
             var attribute = new AuthorizationLevelAttribute(AuthorizationLevel.Admin);
 
             HttpRequestMessage request = new HttpRequestMessage();
-            request.Headers.Add(AuthorizationLevelAttribute.ArmTokenHeaderName, token);
+            request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, token);
             var actionContext = CreateActionContext(typeof(TestController).GetMethod(nameof(TestController.Get)), HttpConfig);
             actionContext.ControllerContext.Request = request;
 
@@ -429,7 +429,7 @@ public async Task OnAuthorization_Arm_Expired_ReturnsUnauthorized()
             var attribute = new AuthorizationLevelAttribute(AuthorizationLevel.Admin);
 
             HttpRequestMessage request = new HttpRequestMessage();
-            request.Headers.Add(AuthorizationLevelAttribute.ArmTokenHeaderName, token);
+            request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, token);
             var actionContext = CreateActionContext(typeof(TestController).GetMethod(nameof(TestController.Get)), HttpConfig);
             actionContext.ControllerContext.Request = request;
 
@@ -453,7 +453,7 @@ public async Task OnAuthorization_Arm_Invalid_ReturnsUnauthorized()
             var attribute = new AuthorizationLevelAttribute(AuthorizationLevel.Admin);
 
             HttpRequestMessage request = new HttpRequestMessage();
-            request.Headers.Add(AuthorizationLevelAttribute.ArmTokenHeaderName, token);
+            request.Headers.Add(ScriptConstants.SiteRestrictedTokenHeaderName, token);
             var actionContext = CreateActionContext(typeof(TestController).GetMethod(nameof(TestController.Get)), HttpConfig);
             actionContext.ControllerContext.Request = request;
 

test/WebJobs.Script.Tests/Filters/JwtAuthenticationAttributeTests.cs

@@ -54,8 +54,8 @@ public JwtAuthenticationAttributeTests()
         [InlineData(ScriptConstants.SiteTokenHeaderName, "https://testsite.azurewebsites.net", "https://testsite.azurewebsites.net")]
         public async Task AuthenticateAsync_WithValidToken_SetsAdminAuthorizationLevel(string headerName, string issuer = null, string audience = null)
         {
-            issuer = issuer ?? string.Format(AdminJwtScmValidIssuerFormat, Instance.GetSetting(AzureWebsiteName));
-            audience = audience ?? string.Format(AdminJwtSiteFunctionsValidAudienceFormat, Instance.GetSetting(AzureWebsiteName));
+            issuer = issuer ?? string.Format(ScmSiteUriFormat, Instance.GetSetting(AzureWebsiteName));
+            audience = audience ?? string.Format(SiteAzureFunctionsUriFormat, Instance.GetSetting(AzureWebsiteName));
 
             string token = JwtGenerator.GenerateToken(issuer, audience, expires: DateTime.UtcNow.AddMinutes(10));
 
@@ -68,8 +68,8 @@ public async Task AuthenticateAsync_WithValidToken_SetsAdminAuthorizationLevel(s
         [InlineData(10, null, "invalid")]
         public async Task AuthenticateAsync_InvalidToken_DoesNotSetAuthorizationLevel(int expiry, string issuer = null, string audience = null)
         {
-            issuer = issuer ?? string.Format(AdminJwtScmValidIssuerFormat, Instance.GetSetting(AzureWebsiteName));
-            audience = audience ?? string.Format(AdminJwtSiteFunctionsValidAudienceFormat, Instance.GetSetting(AzureWebsiteName));
+            issuer = issuer ?? string.Format(ScmSiteUriFormat, Instance.GetSetting(AzureWebsiteName));
+            audience = audience ?? string.Format(SiteAzureFunctionsUriFormat, Instance.GetSetting(AzureWebsiteName));
 
             string token = JwtGenerator.GenerateToken(issuer, audience, expires: DateTime.UtcNow.AddMinutes(expiry), notBefore: DateTime.UtcNow.AddHours(-1));
 
@@ -79,8 +79,8 @@ public async Task AuthenticateAsync_InvalidToken_DoesNotSetAuthorizationLevel(in
         [Fact]
         public async Task AuthenticateAsync_WithValidToken_Base64Encoding_SetsAdminAuthorizationLevel()
         {
-            string issuer = string.Format(AdminJwtScmValidIssuerFormat, Instance.GetSetting(AzureWebsiteName));
-            string audience = string.Format(AdminJwtSiteFunctionsValidAudienceFormat, Instance.GetSetting(AzureWebsiteName));
+            string issuer = string.Format(ScmSiteUriFormat, Instance.GetSetting(AzureWebsiteName));
+            string audience = string.Format(SiteUriFormat, Instance.GetSetting(AzureWebsiteName));
 
             string key = SecretsUtility.GetEncryptionKeyValue();
             var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(key.ToKeyBytes()), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256");

test/WebJobs.Script.Tests/Management/FunctionsSyncManagerTests.cs

@@ -238,6 +238,8 @@ public async Task TrySyncTriggers_PostsExpectedContent(bool cacheEnabled)
                 // verify expected headers
                 Assert.Equal(ScriptConstants.FunctionsUserAgent, _mockHttpHandler.LastRequest.Headers.UserAgent.ToString());
                 Assert.True(_mockHttpHandler.LastRequest.Headers.Contains(ScriptConstants.AntaresLogIdHeaderName));
+                Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteRestrictedTokenHeaderName));
+                Assert.NotEmpty(_mockHttpHandler.LastRequest.Headers.GetValues(ScriptConstants.SiteTokenHeaderName));
 
                 if (cacheEnabled)
                 {