Defaulting SwtAuthenticationEnabled to False (#10197)

mathewc · web-flow · commit f7930b02062d · 2024-05-30T16:48:45.000-07:00
diff --git a/CustomDictionary.xml b/CustomDictionary.xml
@@ -77,7 +77,8 @@
       <Word>EventHub</Word>
       <Word>Non</Word>
       <Word>Decryptable</Word>
-	</Recognized>
+      <Word>Swt</Word>
+    </Recognized>
     <Deprecated/>
     <Compound>
       <Term CompoundAlternate="CancellationToken">cancellationToken</Term>
diff --git a/src/WebJobs.Script.WebHost/Filters/AuthorizationLevelAttribute.cs b/src/WebJobs.Script.WebHost/Filters/AuthorizationLevelAttribute.cs
@@ -12,6 +12,7 @@
 using System.Web.Http.Controllers;
 using System.Web.Http.Filters;
 using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Filters
@@ -55,7 +56,11 @@ public async override Task OnAuthorizationAsync(HttpActionContext actionContext,
             // If the request has not yet been authenticated, authenticate it
             if (requestAuthorizationLevel == AuthorizationLevel.Anonymous)
             {
-                string armToken = GetArmTokenHeader(actionContext);
+                string armToken = null;
+                if (FeatureFlags.IsEnabled(ScriptConstants.FeatureFlagSwtAuthenticationEnabled))
+                {
+                    armToken = GetArmTokenHeader(actionContext);
+                }
 
                 if (armToken != null)
                 {
diff --git a/src/WebJobs.Script/Config/FeatureFlags.cs b/src/WebJobs.Script/Config/FeatureFlags.cs
@@ -14,7 +14,7 @@ public static class FeatureFlags
     {
         public static bool IsEnabled(string name)
         {
-            string featureFlags = Environment.GetEnvironmentVariable("AzureWebJobsFeatureFlags");
+            string featureFlags = Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsFeatureFlags);
             if (!string.IsNullOrEmpty(featureFlags))
             {
                 string[] flags = featureFlags.Split(',');
diff --git a/src/WebJobs.Script/EnvironmentSettingNames.cs b/src/WebJobs.Script/EnvironmentSettingNames.cs
@@ -32,6 +32,7 @@ public static class EnvironmentSettingNames
         public const string AzureWebsiteArmCacheEnabled = "WEBSITE_FUNCTIONS_ARMCACHE_ENABLED";
         public const string TestDataCapEnabled = "WEBSITE_FUNCTIONS_TESTDATA_CAP_ENABLED";
         public const string AzureWebsiteRuntimeSiteName = "WEBSITE_DEPLOYMENT_ID";
+        public const string AzureWebJobsFeatureFlags = "AzureWebJobsFeatureFlags";
 
         /// <summary>
         /// Environment variable dynamically set by the platform when it is safe to
diff --git a/src/WebJobs.Script/ScriptConstants.cs b/src/WebJobs.Script/ScriptConstants.cs
@@ -83,6 +83,7 @@ public static class ScriptConstants
 
         public const string FeatureFlagDisableShadowCopy = "DisableShadowCopy";
         public const string FeatureFlagsEnableDynamicExtensionLoading = "EnableDynamicExtensionLoading";
+        public const string FeatureFlagSwtAuthenticationEnabled = "SwtAuthenticationEnabled";
 
         public const string SiteAzureFunctionsUriFormat = "https://{0}.azurewebsites.net/azurefunctions";
         public const string ScmSiteUriFormat = "https://{0}.scm.azurewebsites.net";
diff --git a/test/WebJobs.Script.Tests/Filters/AuthorizationLevelAttributeTests.cs b/test/WebJobs.Script.Tests/Filters/AuthorizationLevelAttributeTests.cs
@@ -396,9 +396,13 @@ public async Task OnAuthorization_WithNamedKeyHeader_Succeeds()
             Assert.Null(actionContext.Response);
         }
 
-        [Fact]
-        public async Task OnAuthorization_Arm_Success_SetsAdminAuthLevel()
+        [Theory]
+        [InlineData(true)]
+        [InlineData(false)]
+        public async Task OnAuthorization_Arm_SetsAdminAuthLevel_WhenSwtAuthenticationEnabled(bool swtAuthenticationEnabled)
         {
+            string featureFlags = swtAuthenticationEnabled ? "Foo,SwtAuthenticationEnabled,Bar" : "Foo,Bar";
+
             byte[] key = GenerateKeyBytes();
             string keyString = GenerateKeyHexString(key);
             string token = CreateSimpleWebToken(DateTime.UtcNow.AddMinutes(5), key);
@@ -411,12 +415,22 @@ public async Task OnAuthorization_Arm_Success_SetsAdminAuthLevel()
             actionContext.ControllerContext.Request = request;
 
             using (new TestScopedEnvironmentVariable(EnvironmentSettingNames.WebsiteAuthEncryptionKey, keyString))
+            using (new TestScopedEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsFeatureFlags, featureFlags))
             {
                 await attribute.OnAuthorizationAsync(actionContext, CancellationToken.None);
             }
 
-            Assert.Null(actionContext.Response);
-            Assert.Equal(AuthorizationLevel.Admin, actionContext.Request.GetAuthorizationLevel());
+            AuthorizationLevel authorizationLevel = actionContext.Request.GetAuthorizationLevel();
+            if (swtAuthenticationEnabled)
+            {
+                Assert.Null(actionContext.Response);
+                Assert.Equal(AuthorizationLevel.Admin, authorizationLevel);
+            }
+            else
+            {
+                Assert.Equal(HttpStatusCode.Unauthorized, actionContext.Response.StatusCode);
+                Assert.Equal(AuthorizationLevel.Anonymous, authorizationLevel);
+            }
         }
 
         [Fact]

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ public static class FeatureFlags`
`14`	`14`	`{`
`15`	`15`	`public static bool IsEnabled(string name)`
`16`	`16`	`{`
`17`		`- string featureFlags = Environment.GetEnvironmentVariable("AzureWebJobsFeatureFlags");`
	`17`	`+ string featureFlags = Environment.GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsFeatureFlags);`
`18`	`18`	`if (!string.IsNullOrEmpty(featureFlags))`
`19`	`19`	`{`
`20`	`20`	`string[] flags = featureFlags.Split(',');`