[Storage] [WebJobs] LogScan to properly use the target BlobServiceClient when specified (#53464)

* WIP - builds - Added target blobserviceclient to IBlobListenerStrategy.RegisterAsync; Added catch for possible permissions failure to default to primary

* Minor cleanup

* Remove unused method

* PR feedback - change back strategy to take in 1 blob client; Only log when target account does not have permissions

* Remove unnecessary changes

* Change Register Shared BLob Listener to use primary client for receipts and target client for the strategy

* Removed SAS off Uri from being logged; Added another Authorization error code

* WIP - adding unit tests

* Add test to ensure the correct client is being passed to strategy and executor

* cleanup of unnecessary setup

* Update Changelog

* PR comments

* PR Comment part 2

Author: amnguye

sdk/storage/Microsoft.Azure.WebJobs.Extensions.Storage.Blobs/CHANGELOG.md

@@ -7,6 +7,7 @@
 ### Breaking Changes
 
 ### Bugs Fixed
+- Bug fix ensuring that BlobTrigger log scan targets the correct storage account in multi-account scenarios.
 
 ### Other Changes
 

sdk/storage/Microsoft.Azure.WebJobs.Extensions.Storage.Blobs/src/Listeners/BlobListenerFactory.cs

@@ -107,8 +107,13 @@ public async Task<IListener> CreateAsync(CancellationToken cancellationToken)
                     new SharedBlobListenerFactory(hostId, _hostBlobServiceClient, _exceptionHandler, _blobWrittenWatcherSetter, _loggerFactory.CreateLogger<BlobListener>()));
 
                 // Register the blob container we wish to monitor with the shared blob listener.
-                await RegisterWithSharedBlobListenerAsync(hostId, sharedBlobListener, primaryBlobClient,
-                    blobTriggerQueueWriter, cancellationToken).ConfigureAwait(false);
+                await RegisterWithSharedBlobListenerAsync(
+                    hostId,
+                    sharedBlobListener,
+                    primaryBlobClient,
+                    targetBlobClient,
+                    blobTriggerQueueWriter,
+                    cancellationToken).ConfigureAwait(false);
             }
 
             // Create a "bridge" listener that will monitor the blob
@@ -165,14 +170,24 @@ await RegisterWithSharedBlobListenerAsync(hostId, sharedBlobListener, primaryBlo
         private async Task RegisterWithSharedBlobListenerAsync(
             string hostId,
             SharedBlobListener sharedBlobListener,
-            BlobServiceClient blobClient,
+            BlobServiceClient primaryBlobClient,
+            BlobServiceClient targetBlobClient,
             BlobTriggerQueueWriter blobTriggerQueueWriter,
             CancellationToken cancellationToken)
         {
-            BlobTriggerExecutor triggerExecutor = new BlobTriggerExecutor(hostId, _functionDescriptor, _input, new BlobReceiptManager(blobClient),
-                blobTriggerQueueWriter, _loggerFactory.CreateLogger<BlobListener>());
-
-            await sharedBlobListener.RegisterAsync(blobClient, _container, triggerExecutor, cancellationToken).ConfigureAwait(false);
+            BlobTriggerExecutor triggerExecutor = new BlobTriggerExecutor(
+                hostId,
+                _functionDescriptor,
+                _input,
+                new BlobReceiptManager(primaryBlobClient),
+                blobTriggerQueueWriter,
+                _loggerFactory.CreateLogger<BlobListener>());
+
+            await sharedBlobListener.RegisterAsync(
+                targetBlobClient,
+                _container,
+                triggerExecutor,
+                cancellationToken).ConfigureAwait(false);
         }
 
         private void RegisterWithSharedBlobQueueListenerAsync(

sdk/storage/Microsoft.Azure.WebJobs.Extensions.Storage.Blobs/src/Listeners/PollLogsStrategy.Logger.cs

@@ -16,8 +16,15 @@ private class Logger
                LoggerMessage.Define<string, string, int>(LogLevel.Debug, new EventId(300, nameof(ScanBlobLogs)),
                    "Log scan for recent blob updates in container '{containerName}' with PollId '{pollId}' found {blobCount} blobs.");
 
+            private static readonly Action<ILogger<BlobListener>, string, Exception> _loggingNotEnabledOnTargetAccount =
+               LoggerMessage.Define<string>(LogLevel.Warning, new EventId(400, nameof(LoggingNotEnabledOnTargetAccount)),
+                   "Storage Analytics Logs are not enabled on the target blob storage account: '{targetAccountName}'. See aka.ms/AAywxhb");
+
             public static void ScanBlobLogs(ILogger<BlobListener> logger, string containerName, string pollId, int blobCount) =>
                 _scanBlobLogs(logger, containerName, pollId, blobCount, null);
+
+            public static void LoggingNotEnabledOnTargetAccount(ILogger<BlobListener> logger, string targetAccountName) =>
+                _loggingNotEnabledOnTargetAccount(logger, targetAccountName, null);
         }
     }
 }

sdk/storage/Microsoft.Azure.WebJobs.Extensions.Storage.Blobs/src/Listeners/PollLogsStrategy.cs

@@ -49,7 +49,10 @@ public PollLogsStrategy(IWebJobsExceptionHandler exceptionHandler, ILogger<BlobL
             _exceptionHandler = exceptionHandler ?? throw new ArgumentNullException(nameof(exceptionHandler));
         }
 
-        public async Task RegisterAsync(BlobServiceClient blobServiceClient, BlobContainerClient container, ITriggerExecutor<BlobTriggerExecutorContext> triggerExecutor,
+        public async Task RegisterAsync(
+            BlobServiceClient blobServiceClient,
+            BlobContainerClient container,
+            ITriggerExecutor<BlobTriggerExecutorContext> triggerExecutor,
             CancellationToken cancellationToken)
         {
             ThrowIfDisposed();
@@ -78,8 +81,18 @@ public async Task RegisterAsync(BlobServiceClient blobServiceClient, BlobContain
 
             if (!_logListeners.ContainsKey(blobServiceClient))
             {
-                BlobLogListener logListener = await BlobLogListener.CreateAsync(blobServiceClient, _logger, cancellationToken).ConfigureAwait(false);
-                _logListeners.Add(blobServiceClient, logListener);
+                try
+                {
+                    BlobLogListener logListener = await BlobLogListener.CreateAsync(blobServiceClient, _logger, cancellationToken).ConfigureAwait(false);
+                    _logListeners.Add(blobServiceClient, logListener);
+                }
+                catch (RequestFailedException ex) when (ex.ErrorCode == BlobErrorCode.AuthorizationPermissionMismatch ||
+                                                        ex.ErrorCode == BlobErrorCode.InsufficientAccountPermissions ||
+                                                        ex.ErrorCode == BlobErrorCode.AuthorizationFailure)
+                {
+                    // Log which account we couldn't enable logging on due to permissions.
+                    Logger.LoggingNotEnabledOnTargetAccount(_logger, blobServiceClient.AccountName);
+                }
             }
         }
 

sdk/storage/Microsoft.Azure.WebJobs.Extensions.Storage.Blobs/src/Listeners/SharedBlobListener.cs

@@ -39,6 +39,15 @@ public SharedBlobListener(string hostId, BlobServiceClient blobServiceClient,
             _timer = new TaskSeriesTimer(_strategy, exceptionHandler, initialWait: Task.Delay(0));
         }
 
+        // This constructor is used for injecting custom strategy in unit tests.
+        internal SharedBlobListener(IBlobListenerStrategy strategy, IWebJobsExceptionHandler exceptionHandler)
+        {
+            _strategy = strategy ?? throw new ArgumentNullException(nameof(strategy));
+
+            // Start the first iteration immediately.
+            _timer = new TaskSeriesTimer(_strategy, exceptionHandler, initialWait: Task.Delay(0));
+        }
+
         public IBlobWrittenWatcher BlobWritterWatcher
         {
             get { return _strategy; }

sdk/storage/Microsoft.Azure.WebJobs.Extensions.Storage.Blobs/tests/Listeners/BlobListenerFactoryTests.cs

@@ -0,0 +1,148 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Reflection;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure;
+using Azure.Storage.Blobs;
+using Azure.Storage.Blobs.Models;
+using Azure.Storage.Queues;
+using Microsoft.Azure.WebJobs.Extensions.Storage.Blobs.Listeners;
+using Microsoft.Azure.WebJobs.Extensions.Storage.Common;
+using Microsoft.Azure.WebJobs.Extensions.Storage.Common.Listeners;
+using Microsoft.Azure.WebJobs.Host;
+using Microsoft.Azure.WebJobs.Host.Executors;
+using Microsoft.Azure.WebJobs.Host.Listeners;
+using Microsoft.Azure.WebJobs.Host.Protocols;
+using Microsoft.Azure.WebJobs.Host.Scale;
+using Microsoft.Azure.WebJobs.Host.Timers;
+using Microsoft.Extensions.Logging;
+using Moq;
+using NUnit.Framework;
+using NUnit.Framework.Internal;
+
+namespace Microsoft.Azure.WebJobs.Extensions.Storage.Blobs.Tests.Listeners
+{
+    public class BlobListenerFactoryTests
+    {
+        [Test]
+        public async Task CreateAsync_RegisterWithSharedBlobListenerAsync_UsesTargetBlobClient()
+        {
+            // Arrange
+            // Storage account and container names
+            string accountName1 = "fakeaccount1";
+            string accountName2 = "fakeaccount2";
+            string containerName1 = "fakecontainer1";
+            string containerName2 = "fakecontainer2";
+
+            // Mock BlobContainerClients
+            var containerClient1 = new Mock<BlobContainerClient>(new Uri($"https://{accountName1}.blob.core.windows.net/{containerName1}"), null);
+            containerClient1.Setup(x => x.Uri).Returns(new Uri($"https://{accountName1}.blob.core.windows.net/{containerName1}"));
+            containerClient1.Setup(x => x.Name).Returns(containerName1);
+            containerClient1.Setup(x => x.AccountName).Returns(accountName1);
+
+            var containerClient2 = new Mock<BlobContainerClient>(new Uri($"https://{accountName1}.blob.core.windows.net/{containerName2}"), null);
+            containerClient2.Setup(x => x.Uri).Returns(new Uri($"https://{accountName1}.blob.core.windows.net/{containerName2}"));
+            containerClient2.Setup(x => x.Name).Returns(containerName2);
+            containerClient2.Setup(x => x.AccountName).Returns(accountName2);
+
+            var hostNamesContainerClient = new Mock<BlobContainerClient>(new Uri($"https://{accountName1}.blob.core.windows.net/{HostContainerNames.Hosts}"), null);
+            hostNamesContainerClient.Setup(x => x.Uri).Returns(new Uri($"https://{accountName1}.blob.core.windows.net/{HostContainerNames.Hosts}"));
+            hostNamesContainerClient.Setup(x => x.Name).Returns(HostContainerNames.Hosts);
+            hostNamesContainerClient.Setup(x => x.AccountName).Returns(accountName1);
+
+            // Mock BlobServiceClients
+            var primaryClient = new Mock<BlobServiceClient>(new Uri($"https://{accountName1}.blob.core.windows.net/"), null);
+            primaryClient.Setup(x => x.Uri).Returns(new Uri($"https://{accountName1}.blob.core.windows.net/"));
+            primaryClient.Setup(x => x.AccountName).Returns(accountName1);
+            primaryClient.Setup(x => x.GetBlobContainerClient(containerName1)).Returns(containerClient1.Object);
+            primaryClient.Setup(x => x.GetBlobContainerClient(containerName2)).Returns(containerClient2.Object);
+            primaryClient.Setup(x => x.GetBlobContainerClient(HostContainerNames.Hosts)).Returns(hostNamesContainerClient.Object);
+            primaryClient.Setup(x => x.GetPropertiesAsync(It.IsAny<CancellationToken>())).ReturnsAsync(Response.FromValue(new BlobServiceProperties(), null));
+
+            var targetClient = new Mock<BlobServiceClient>(new Uri($"https://{accountName2}.blob.core.windows.net/"), null);
+            targetClient.Setup(x => x.Uri).Returns(new Uri($"https://{accountName2}.blob.core.windows.net/"));
+            targetClient.Setup(x => x.AccountName).Returns(accountName2);
+            targetClient.Setup(x => x.GetPropertiesAsync(It.IsAny<CancellationToken>())).ReturnsAsync(Response.FromValue(new BlobServiceProperties(), null));
+
+            // Other dependencies
+            var loggerFactory = new LoggerFactory();
+            var logger = loggerFactory.CreateLogger<BlobListener>();
+            var hostIdProvider = new Mock<IHostIdProvider>();
+            var blobsOptions = new BlobsOptions();
+            var exceptionHandler = new Mock<IWebJobsExceptionHandler>();
+            var blobWrittenWatcherSetter = new Mock<IContextSetter<IBlobWrittenWatcher>>();
+            var hostQueueServiceClient = new QueueServiceClient(new Uri($"https://{accountName1}.queue.core.windows.net/"));
+            var dataQueueServiceClient = new QueueServiceClient(new Uri($"https://{accountName2}.queue.core.windows.net/"));
+            var queueServiceClientProvider = new FakeQueueServiceClientProvider(hostQueueServiceClient);
+            var sharedQueueWatcher = new SharedQueueWatcher();
+            var blobTriggerQueueWriterFactory = new BlobTriggerQueueWriterFactory(
+                hostIdProvider.Object,
+                queueServiceClientProvider,
+                sharedQueueWatcher);
+            var executor = new Mock<ITriggeredFunctionExecutor>();
+            var input = new Mock<IBlobPathSource>();
+            var singletonManager = new Mock<IHostSingletonManager>();
+            var concurrencyManager = new Mock<ConcurrencyManager>();
+            var drainModeManager = new Mock<IDrainModeManager>();
+            var functionDescriptor = new FunctionDescriptor { Id = "id", ShortName = "shortname" };
+
+            // Setup SharedContextProvider and Test Strategy
+            var sharedContextProvider = new Mock<ISharedContextProvider>();
+            var testStrategy = new TestBlobListenerStrategy();
+            var sharedBlobListener = new SharedBlobListener(testStrategy, exceptionHandler.Object);
+            sharedContextProvider.Setup(x => x.GetOrCreateInstance(It.IsAny<SharedBlobListenerFactory>()))
+                .Returns(sharedBlobListener);
+
+            // Setup SharedBlobQueueListener
+            var sharedBlobQueueListener = new SharedBlobQueueListener(
+                new Mock<IListener>().Object,
+                new BlobQueueTriggerExecutor(BlobTriggerSource.LogsAndContainerScan,
+                new Mock<IBlobWrittenWatcher>().Object, logger));
+            sharedContextProvider.Setup(s => s.GetOrCreateInstance<SharedBlobQueueListener>(It.IsAny<SharedBlobQueueListenerFactory>()))
+                .Returns(sharedBlobQueueListener);
+
+            // Create the factory
+            var factory = new BlobListenerFactory(
+                hostIdProvider.Object,
+                blobsOptions,
+                exceptionHandler.Object,
+                blobWrittenWatcherSetter.Object,
+                blobTriggerQueueWriterFactory,
+                sharedContextProvider.Object,
+                loggerFactory,
+                functionDescriptor,
+                primaryClient.Object,
+                hostQueueServiceClient,
+                targetClient.Object,
+                dataQueueServiceClient,
+                containerClient1.Object,
+                input.Object,
+                BlobTriggerSource.LogsAndContainerScan,
+                executor.Object,
+                singletonManager.Object,
+                concurrencyManager.Object,
+                drainModeManager.Object
+            );
+
+            // Act
+            await factory.CreateAsync(CancellationToken.None);
+
+            // Assert
+            // 1. The strategy should have registered the target client and container
+            Assert.AreEqual(targetClient.Object, testStrategy.TargetServiceClient, "TargetServiceClient should be the target client.");
+            Assert.AreEqual(containerClient1.Object, testStrategy.ContainerClient, "ContainerClient should be the primary container.");
+
+            // 2. The BlobTriggerExecutor should use a BlobReceiptManager with the primary client
+            var receiptManagerField = typeof(BlobTriggerExecutor).GetField("_receiptManager", BindingFlags.NonPublic | BindingFlags.Instance);
+            var receiptManager = receiptManagerField.GetValue(testStrategy.Executor);
+            var blobContainerClientField = typeof(BlobReceiptManager).GetField("_blobContainerClient", BindingFlags.NonPublic | BindingFlags.Instance);
+            var resultPrimaryClient = blobContainerClientField.GetValue(receiptManager);
+
+            // The BlobReceiptManager should use the hostNamesContainerClient (from the primary client)
+            Assert.AreEqual(hostNamesContainerClient.Object, resultPrimaryClient, "BlobReceiptManager should use the primary container client.");
+        }
+    }
+}

sdk/storage/Microsoft.Azure.WebJobs.Extensions.Storage.Blobs/tests/Listeners/ScanBlobScanLogHybridPollingStrategyTests.cs

@@ -318,6 +318,58 @@ public async Task RegisterAsync_InitializesWithScanInfoManager()
             RunExecuterWithExpectedBlobs(expectedNames, product, executor);
         }
 
+        [Test]
+        public async Task RegisterAsync_HandlesPermissionErrors()
+        {
+            List<BlobErrorCode> permissionErrors = new List<BlobErrorCode>
+            {
+                BlobErrorCode.AuthorizationPermissionMismatch,
+                BlobErrorCode.InsufficientAccountPermissions,
+                BlobErrorCode.AuthorizationFailure
+            };
+
+            LambdaBlobTriggerExecutor executor = new LambdaBlobTriggerExecutor();
+            string accountName = "fakeaccount";
+            foreach (BlobErrorCode errorCode in permissionErrors)
+            {
+                Uri uri = new Uri($"https://{accountName}.blob.core.windows.net/");
+                Mock<BlobServiceClient> mockServiceClient = new Mock<BlobServiceClient>(uri, null);
+
+                TestBlobScanInfoManager scanInfoManager = new TestBlobScanInfoManager();
+                IBlobListenerStrategy product = new ScanBlobScanLogHybridPollingStrategy(scanInfoManager, _exceptionHandler, _logger);
+
+                // Setup GetPropertiesAsync to succeed
+                mockServiceClient.Setup(x => x.Uri).Returns(uri);
+                mockServiceClient.Setup(x => x.AccountName).Returns(accountName);
+                mockServiceClient.Setup(x => x.GetBlobContainerClient("fakecontainer")).Returns(_blobContainerMock.Object);
+                mockServiceClient.Setup(x => x.GetBlobContainerClient("fakecontainer2")).Returns(_secondBlobContainerMock.Object);
+                mockServiceClient.Setup(x => x.GetBlobContainerClient("$logs")).Returns(_logsContainerMock.Object);
+                mockServiceClient
+                    .Setup(x => x.GetPropertiesAsync(It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(Response.FromValue(_serviceProperties, default));
+
+                // Setup SetPropertiesAsync to throw a RequestFailedException with your error code
+                mockServiceClient
+                    .Setup(x => x.SetPropertiesAsync(
+                        It.IsAny<BlobServiceProperties>(),
+                        It.IsAny<CancellationToken>()))
+                    .ThrowsAsync(new RequestFailedException(status: 403, message: "This request is not authorized to perform this operation using this permission.", errorCode: errorCode.ToString(), default));
+
+                // Create a few blobs.
+                for (int i = 0; i < 5; i++)
+                {
+                    CreateBlobAndUploadToContainer(_blobContainerMock, _blobItems);
+                }
+
+                await scanInfoManager.UpdateLatestScanAsync(AccountName, ContainerName, DateTime.UtcNow);
+                await product.RegisterAsync(mockServiceClient.Object, _blobContainerMock.Object, executor, CancellationToken.None);
+
+                var logMessages = _loggerProvider.GetAllLogMessages();
+                Assert.IsTrue(logMessages.Any(m => m.EventId.Name == "LoggingNotEnabledOnTargetAccount"
+                    || m.FormattedMessage.Contains("LoggingNotEnabledOnTargetAccount")));
+            }
+        }
+
         [Test]
         public async Task ExecuteAsync_UpdatesScanInfoManager()
         {