Allow site auth JWT tokens to be passed via x-ms-site-token header (#9176)

Author: mathewc

src/WebJobs.Script.WebHost/Filters/JwtAuthenticationAttribute.cs

@@ -2,15 +2,17 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Net.Http.Headers;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using System.Web.Http.Filters;
 using Microsoft.Azure.Web.DataProtection;
 using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.IdentityModel.Tokens;
-using static Microsoft.Azure.WebJobs.Script.Config.ScriptSettingsManager;
 using static Microsoft.Azure.WebJobs.Script.EnvironmentSettingNames;
 using static Microsoft.Azure.WebJobs.Script.ScriptConstants;
 
@@ -23,23 +25,50 @@ public sealed class JwtAuthenticationAttribute : Attribute, IAuthenticationFilte
 
         public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
         {
-            AuthenticationHeaderValue authorization = context.Request.Headers.Authorization;
+            // By default, tokens are passed via the standard Authorization Bearer header. However we also support
+            // passing tokens via the x-ms-site-token header.
+            string token = null;
+            if (context.Request.Headers.TryGetValues(ScriptConstants.SiteTokenHeaderName, out IEnumerable<string> values))
+            {
+                token = values.FirstOrDefault();
+            }
+            else
+            {
+                // check the standard Authorization header
+                AuthenticationHeaderValue authorization = context.Request.Headers.Authorization;
+                if (authorization != null && string.Equals(authorization.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
+                {
+                    token = authorization.Parameter;
+                }
+            }
 
-            if (authorization != null && string.Equals(authorization.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
+            if (!string.IsNullOrEmpty(token))
             {
-                string defaultKey = Util.GetDefaultKeyValue();
-                if (defaultKey != null)
+                if (SecretsUtility.TryGetEncryptionKey(out string key))
                 {
                     var validationParameters = new TokenValidationParameters()
                     {
-                        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(defaultKey)),
+                        IssuerSigningKeys = new SecurityKey[]
+                        {
+                            new SymmetricSecurityKey(key.ToKeyBytes()),
+                            new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key))
+                        },
                         ValidateAudience = true,
                         ValidateIssuer = true,
-                        ValidAudience = string.Format(AdminJwtValidAudienceFormat, Instance.GetSetting(AzureWebsiteName)),
-                        ValidIssuer = string.Format(AdminJwtValidIssuerFormat, Instance.GetSetting(AzureWebsiteName))
+                        ValidAudiences = new string[]
+                        {
+                            string.Format(AdminJwtSiteFunctionsValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                            string.Format(AdminJwtSiteValidAudienceFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+                        },
+                        ValidIssuers = new string[]
+                        {
+                            AdminJwtAppServiceIssuer,
+                            string.Format(AdminJwtScmValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
+                            string.Format(AdminJwtSiteValidIssuerFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+                        }
                     };
 
-                    if (JwtGenerator.IsTokenValid(authorization.Parameter, validationParameters))
+                    if (JwtGenerator.IsTokenValid(token, validationParameters))
                     {
                         context.Request.SetAuthorizationLevel(AuthorizationLevel.Admin);
                     }

src/WebJobs.Script.WebHost/Security/SecretsUtility.cs

@@ -2,11 +2,12 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
-using System.IO;
+using System.Linq;
+using Microsoft.Azure.Web.DataProtection;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost
 {
-    internal class SecretsUtility
+    internal static class SecretsUtility
     {
         public static string GetNonDecryptableName(string secretsPath)
         {
@@ -17,5 +18,60 @@ public static string GetNonDecryptableName(string secretsPath)
             }
             return secretsPath + $".{ScriptConstants.Snapshot}.{timeStamp}.json";
         }
+
+        public static bool TryGetEncryptionKey(out string key)
+        {
+            if (TryGetEncryptionKey(EnvironmentSettingNames.WebsiteAuthEncryptionKey, out key))
+            {
+                return true;
+            }
+
+            // Fall back to using DataProtection APIs to get the key
+            key = Util.GetDefaultKeyValue();
+            if (!string.IsNullOrEmpty(key))
+            {
+                return true;
+            }
+
+            return false;
+        }
+
+        public static string GetEncryptionKeyValue()
+        {
+            if (TryGetEncryptionKey(out string key))
+            {
+                return key;
+            }
+            else
+            {
+                throw new InvalidOperationException($"No encryption key defined in the environment.");
+            }
+        }
+
+        public static byte[] GetEncryptionKey()
+        {
+            string key = GetEncryptionKeyValue();
+            return key.ToKeyBytes();
+        }
+
+        public static bool TryGetEncryptionKey(string keyName, out string encryptionKey)
+        {
+            encryptionKey = Environment.GetEnvironmentVariable(keyName);
+            return !string.IsNullOrEmpty(encryptionKey);
+        }
+
+        public static byte[] ToKeyBytes(this string hexOrBase64)
+        {
+            // only support 32 bytes (256 bits) key length
+            if (hexOrBase64.Length == 64)
+            {
+                return Enumerable.Range(0, hexOrBase64.Length)
+                    .Where(x => x % 2 == 0)
+                    .Select(x => Convert.ToByte(hexOrBase64.Substring(x, 2), 16))
+                    .ToArray();
+            }
+
+            return Convert.FromBase64String(hexOrBase64);
+        }
     }
 }

src/WebJobs.Script.WebHost/Security/SimpleWebTokenHelper.cs

@@ -23,10 +23,7 @@ internal static class SimpleWebTokenHelper
 
         internal static string Encrypt(string value, byte[] key = null)
         {
-            if (key == null)
-            {
-                TryGetEncryptionKey(EnvironmentSettingNames.WebsiteAuthEncryptionKey, out key);
-            }
+            key = key ?? SecretsUtility.GetEncryptionKey();
 
             using (var aes = new AesManaged { Key = key })
             {
@@ -97,8 +94,7 @@ public static bool TryValidateToken(string token, DateTime dateTime)
 
         public static bool ValidateToken(string token, DateTime dateTime)
         {
-            // Use WebSiteAuthEncryptionKey if available.
-            TryGetEncryptionKey(EnvironmentSettingNames.WebsiteAuthEncryptionKey, out byte[] key);
+            byte[] key = SecretsUtility.GetEncryptionKey();
 
             var data = Decrypt(key, token);
 
@@ -120,38 +116,5 @@ private static string GetSHA256Base64String(byte[] key)
                 return Convert.ToBase64String(sha256.ComputeHash(key));
             }
         }
-
-        public static bool TryGetEncryptionKey(string keyName, out byte[] encryptionKey, bool throwIfFailed = true)
-        {
-            encryptionKey = null;
-            var hexOrBase64 = Environment.GetEnvironmentVariable(keyName);
-            if (string.IsNullOrEmpty(hexOrBase64))
-            {
-                if (throwIfFailed)
-                {
-                    throw new InvalidOperationException($"No {keyName} defined in the environment");
-                }
-
-                return false;
-            }
-
-            encryptionKey = hexOrBase64.ToKeyBytes();
-
-            return true;
-        }
-
-        public static byte[] ToKeyBytes(this string hexOrBase64)
-        {
-            // only support 32 bytes (256 bits) key length
-            if (hexOrBase64.Length == 64)
-            {
-                return Enumerable.Range(0, hexOrBase64.Length)
-                    .Where(x => x % 2 == 0)
-                    .Select(x => Convert.ToByte(hexOrBase64.Substring(x, 2), 16))
-                    .ToArray();
-            }
-
-            return Convert.FromBase64String(hexOrBase64);
-        }
     }
 }

src/WebJobs.Script/GlobalSuppressions.cs

@@ -248,4 +248,5 @@
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Dir", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.Scale.ApplicationPerformanceCounters.#RemoteDirMonitors")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Sas", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.EnvironmentSettingNames.#AzureWebJobsSecretStorageSas")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1709:IdentifiersShouldBeCasedCorrectly", MessageId = "ARM", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.ScriptConstants.#AntaresARMRequestTrackingIdHeader")]
-[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1709:IdentifiersShouldBeCasedCorrectly", MessageId = "ARM", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.ScriptConstants.#AntaresARMExtensionsRouteHeader")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1709:IdentifiersShouldBeCasedCorrectly", MessageId = "ARM", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.ScriptConstants.#AntaresARMExtensionsRouteHeader")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Scm", Scope = "member", Target = "Microsoft.Azure.WebJobs.Script.ScriptConstants.#AdminJwtScmValidIssuerFormat")]

src/WebJobs.Script/ScriptConstants.cs

@@ -65,6 +65,7 @@ public static class ScriptConstants
         public const string ColdStartEventName = "ColdStart";
         public const string ShutdownRecoveryEventName = "ShutdownRecovery";
 
+        public const string SiteTokenHeaderName = "x-ms-site-token";
         public const string AntaresARMRequestTrackingIdHeader = "x-ms-arm-request-tracking-id";
         public const string AntaresARMExtensionsRouteHeader = "X-MS-VIA-EXTENSIONS-ROUTE";
         public const string AntaresClientAuthorizationSourceHeader = "X-MS-CLIENT-AUTHORIZATION-SOURCE";
@@ -82,8 +83,11 @@ public static class ScriptConstants
         public const string FeatureFlagDisableShadowCopy = "DisableShadowCopy";
         public const string FeatureFlagsEnableDynamicExtensionLoading = "EnableDynamicExtensionLoading";
 
-        public const string AdminJwtValidAudienceFormat = "https://{0}.azurewebsites.net/azurefunctions";
-        public const string AdminJwtValidIssuerFormat = "https://{0}.scm.azurewebsites.net";
+        public const string AdminJwtSiteFunctionsValidAudienceFormat = "https://{0}.azurewebsites.net/azurefunctions";
+        public const string AdminJwtSiteValidAudienceFormat = "https://{0}.azurewebsites.net";
+        public const string AdminJwtScmValidIssuerFormat = "https://{0}.scm.azurewebsites.net";
+        public const string AdminJwtSiteValidIssuerFormat = "https://{0}.azurewebsites.net";
+        public const string AdminJwtAppServiceIssuer = "https://appservice.core.azurewebsites.net";
 
         public const string SwaggerFileName = "swagger.json";
         public const string AzureFunctionsSystemDirectoryName = ".azurefunctions";

test/WebJobs.Script.Tests/Filters/AuthorizationLevelAttributeTests.cs

@@ -8,6 +8,7 @@
 using System.Net.Http;
 using System.Reflection;
 using System.Security.Cryptography;
+using System.ServiceModel.Channels;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
@@ -498,10 +499,7 @@ public static string GenerateKeyHexString(byte[] key = null)
 
         private static string EncryptSimpleWebToken(string value, byte[] key = null)
         {
-            if (key == null)
-            {
-                SimpleWebTokenHelper.TryGetEncryptionKey(EnvironmentSettingNames.WebsiteAuthEncryptionKey, out key);
-            }
+            key = key ?? SecretsUtility.GetEncryptionKey();
 
             using (var aes = new AesManaged { Key = key })
             {