Allow Internal Auth for SyncTriggers

Author: mathewc

src/WebJobs.Script.WebHost/Controllers/AdminController.cs

@@ -106,10 +106,7 @@ public FunctionStatus GetFunctionStatus(string name)
         [EnableDebugMode]
         public IHttpActionResult GetHostStatus()
         {
-            var authorizationLevel = Request.GetAuthorizationLevel();
-            if (Request.IsAuthDisabled() ||
-                authorizationLevel == AuthorizationLevel.Admin ||
-                Request.IsAntaresInternalRequest())
+            if (Request.IsAuthDisabled() || Request.IsAdminOrInternalRequest())
             {
                 var status = new HostStatus
                 {
@@ -159,10 +156,7 @@ public IHttpActionResult Log(IEnumerable<HostLogEntry> logEntries)
                 return BadRequest("An array of log entry objects is expected.");
             }
 
-            var authorizationLevel = Request.GetAuthorizationLevel();
-            if (Request.IsAuthDisabled() ||
-                authorizationLevel == AuthorizationLevel.Admin ||
-                Request.IsAntaresInternalRequest())
+            if (Request.IsAuthDisabled() || Request.IsAdminOrInternalRequest())
             {
                 foreach (var logEntry in logEntries)
                 {
@@ -212,18 +206,26 @@ public HttpResponseMessage LaunchDebugger()
 
         [HttpPost]
         [Route("admin/host/synctriggers")]
+        [AllowAnonymous]
         public async Task<HttpResponseMessage> SyncTriggers()
         {
-            var result = await _functionsSyncManager.TrySyncTriggersAsync();
-
-            // Return a dummy body to make it valid in ARM template action evaluation
-            var statusCode = result.Success ? HttpStatusCode.OK : HttpStatusCode.InternalServerError;
-            var responseContent = new JObject
+            if (Request.IsAuthDisabled() || Request.IsAdminOrInternalRequest())
             {
-                { "status", result.Success ? "success" : result.Error }
-            };
+                var result = await _functionsSyncManager.TrySyncTriggersAsync();
+
+                // Return a dummy body to make it valid in ARM template action evaluation
+                var statusCode = result.Success ? HttpStatusCode.OK : HttpStatusCode.InternalServerError;
+                var responseContent = new JObject
+                {
+                    { "status", result.Success ? "success" : result.Error }
+                };
 
-            return Request.CreateResponse(statusCode, responseContent);
+                return Request.CreateResponse(statusCode, responseContent);
+            }
+            else
+            {
+                return Request.CreateResponse(HttpStatusCode.Unauthorized);
+            }
         }
 
         [Route("admin/extensions/{name}/{*extra}")]

src/WebJobs.Script/Extensions/HttpRequestMessageExtensions.cs

@@ -73,6 +73,12 @@ public static bool IsAntaresInternalRequest(this HttpRequestMessage request)
             return !request.Headers.Contains(ScriptConstants.AntaresLogIdHeaderName);
         }
 
+        public static bool IsAdminOrInternalRequest(this HttpRequestMessage request)
+        {
+            var authorizationLevel = request.GetAuthorizationLevel();
+            return authorizationLevel == AuthorizationLevel.Admin || request.IsAntaresInternalRequest();
+        }
+
         public static bool IsAuthDisabled(this HttpRequestMessage request)
         {
             return request.GetRequestPropertyOrDefault<bool>(ScriptConstants.AzureFunctionsHttpRequestAuthorizationDisabledKey);

test/WebJobs.Script.Tests.Integration/SamplesEndToEndTests.cs

@@ -14,18 +14,21 @@
 using System.Threading.Tasks;
 using System.Web.Http;
 using System.Xml.Linq;
+using Autofac;
 using Microsoft.Azure.WebJobs.Host;
 using Microsoft.Azure.WebJobs.Script.Config;
 using Microsoft.Azure.WebJobs.Script.Tests.Properties;
 using Microsoft.Azure.WebJobs.Script.WebHost;
 using Microsoft.Azure.WebJobs.Script.WebHost.Filters;
+using Microsoft.Azure.WebJobs.Script.WebHost.Management;
 using Microsoft.Azure.WebJobs.Script.WebHost.Models;
 using Microsoft.ServiceBus;
 using Microsoft.ServiceBus.Messaging;
 using Microsoft.WindowsAzure.Storage;
 using Microsoft.WindowsAzure.Storage.Blob;
 using Microsoft.WindowsAzure.Storage.Queue;
 using Microsoft.WindowsAzure.Storage.Table;
+using Moq;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using Xunit;
@@ -37,6 +40,7 @@ namespace Microsoft.Azure.WebJobs.Script.Tests
     public class SamplesEndToEndTests : IClassFixture<SamplesEndToEndTests.TestFixture>
     {
         internal const string MasterKey = "t8laajal0a1ajkgzoqlfv5gxr4ebhqozebw4qzdy";
+        private const string TestInstanceId = "a03948aa41d0c354ce659d273031a12c9b5755727cb9f66c1b4792a0cd3c5998";
 
         private readonly ScriptSettingsManager _settingsManager;
         private TestFixture _fixture;
@@ -226,6 +230,37 @@ public async Task Home_Get_InAzureEnvironment_AsInternalRequest_ReturnsNoContent
             }
         }
 
+        [Fact]
+        public async Task SyncTriggers_AdminAuth_Succeeds()
+        {
+            string uri = "admin/host/synctriggers";
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, uri);
+            request.Headers.Add(AuthorizationLevelAttribute.FunctionsKeyHeaderName, MasterKey);
+            HttpResponseMessage response = await this._fixture.HttpClient.SendAsync(request);
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        }
+
+        [Fact]
+        public async Task SyncTriggers_InternalAuth_Succeeds()
+        {
+            using (new TestScopedSettings(_settingsManager, EnvironmentSettingNames.AzureWebsiteInstanceId, "testinstance"))
+            {
+                string uri = "admin/host/synctriggers";
+                HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, uri);
+                HttpResponseMessage response = await this._fixture.HttpClient.SendAsync(request);
+                Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            }
+        }
+
+        [Fact]
+        public async Task SyncTriggers_ExternalUnauthorized_ReturnsUnauthorized()
+        {
+            string uri = "admin/host/synctriggers";
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, uri);
+            HttpResponseMessage response = await this._fixture.HttpClient.SendAsync(request);
+            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+        }
+
         [Fact]
         public async Task HttpTrigger_CSharp_Poco_Post_Succeeds()
         {
@@ -1178,7 +1213,12 @@ public TestFixture()
                     SecretsPath = Path.Combine(Environment.CurrentDirectory, @"..\..\..\..\src\WebJobs.Script.WebHost\App_Data\Secrets"),
                     TraceWriter = _traceWriter
                 };
-                WebApiConfig.Register(_config, _settingsManager, HostSettings);
+                WebApiConfig.Register(_config, _settingsManager, HostSettings, (builder, settings) =>
+                {
+                    var syncManagerMock = new Mock<IFunctionsSyncManager>(MockBehavior.Strict);
+                    syncManagerMock.Setup(p => p.TrySyncTriggersAsync(It.IsAny<bool>())).ReturnsAsync(new SyncTriggersResult { Success = true });
+                    builder.Register<IFunctionsSyncManager>(_ => syncManagerMock.Object);
+                });
 
                 HttpServer = new HttpServer(_config);
                 HttpClient = new HttpClient(HttpServer);