Refactor the build method of ServiceManager to remove internal dependency (Azure#32603)

# The core changes
* In `ServiceManagerStore.cs`, refactor the build method of `ServiceManager` to remove internal dependency. The original implementation builds the `ServiceManager` from a `ServiceCollection` directly, and inject `IConfigureOptions<ServiceManagerOptions>` and `IOptionsChangeTokenSource<ServiceManagerOptions>` to support hot reload. Without internal depdencies, we have to use the `ServiceManagerBuilder` to support hot-reload. The only way of `ServiceManagerBuilder` to support hot-reload is to inject a `IConfiguration` object which provides a change token. However, the SDK and function extensions have different ways to parse configuration, for example, SDK lacks the functionality to parse identity-based connection from configuration. Therefore, we have to pass the actual configuration action via `ServiceManagerBuilder.WithOptions`, and injects an `IConfiguration` object to provide change token. To avoid errors thrown by SDK when it parses the configuration, we wraps the real `IConfiguration` object to make it looks like empty configuration but provides the true change token.
* Remove the internal access of `AccessKey` and also fix the problem that access keys used in signature validation are not hot-reloadable. Without internal access, we have to pass the configuration again to get the access keys.

Author: Y-Sindo

sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService/src/Config/EmptyConfiguration.cs

@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.SignalR.Management;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Primitives;
+
+namespace Microsoft.Azure.WebJobs.Extensions.SignalRService
+{
+    /// <summary>
+    /// This configuration does nothing but provides a reload token from a real <see cref="IConfiguration"/> object.
+    /// It aims to trigger a configuration reload of <see cref="ServiceHubContext"/> when the real configuration changes. As the <see cref="ServiceManagerBuilder"/> doesn't provide an API to inject an <see cref="IOptionsChangeTokenSource{ServiceManagerOptions}"/> and it has a different way to read configuration with function extensions, we have to inject an empty configuration via <see cref="ServiceManagerBuilder.WithConfiguration(IConfiguration)"/> to provide a reload token and does actual configuration parsing via <see cref="ServiceManagerBuilder.WithOptions(Action{ServiceManagerOptions})"/>.
+    /// </summary>
+    internal class EmptyConfiguration : IConfiguration
+    {
+        private static readonly IConfiguration EmptyImpl = new ConfigurationBuilder().AddInMemoryCollection().Build();
+        private readonly IConfiguration _configuration;
+
+        public EmptyConfiguration(IConfiguration configuration)
+        {
+            _configuration = configuration;
+        }
+
+        public string this[string key] { get => null; set { } }
+
+        public IEnumerable<IConfigurationSection> GetChildren() => Array.Empty<IConfigurationSection>();
+
+        public IChangeToken GetReloadToken() => _configuration.GetReloadToken();
+
+        public IConfigurationSection GetSection(string key) => EmptyImpl.GetSection(key);
+    }
+}

sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService/src/Config/IInternalServiceHubContextStore.cs

@@ -3,14 +3,14 @@
 
 using System;
 using System.Threading.Tasks;
-using Microsoft.Azure.SignalR;
 using Microsoft.Azure.SignalR.Management;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.Azure.WebJobs.Extensions.SignalRService
 {
     internal interface IInternalServiceHubContextStore : IServiceHubContextStore, IAsyncDisposable, IDisposable
     {
-        AccessKey[] AccessKeys { get; }
+        IOptionsMonitor<SignatureValidationOptions> SignatureValidationOptions { get; }
 
         ValueTask<ServiceHubContext<T>> GetAsync<T>(string hubName) where T : class;
     }

sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService/src/Config/OptionsSetup.cs

@@ -7,72 +7,66 @@
 using Microsoft.Azure.SignalR.Management;
 using Microsoft.Extensions.Azure;
 using Microsoft.Extensions.Configuration;
-using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
 
 namespace Microsoft.Azure.WebJobs.Extensions.SignalRService
 {
-    internal class OptionsSetup : IConfigureOptions<ServiceManagerOptions>, IOptionsChangeTokenSource<ServiceManagerOptions>
+    internal class OptionsSetup
     {
         private readonly IConfiguration _configuration;
-        private readonly AzureComponentFactory _azureComponentFactory;
-        private readonly string _connectionStringKey;
+        private readonly Action<ServiceManagerOptions> _configureServiceManagerOptions;
 
-        public OptionsSetup(IConfiguration configuration, AzureComponentFactory azureComponentFactory, string connectionStringKey)
+        public OptionsSetup(IConfiguration configuration, AzureComponentFactory azureComponentFactory, string connectionStringKey, SignalROptions optionsFromCode)
         {
             if (string.IsNullOrWhiteSpace(connectionStringKey))
             {
                 throw new ArgumentException($"'{nameof(connectionStringKey)}' cannot be null or whitespace", nameof(connectionStringKey));
             }
 
             _configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
-            _azureComponentFactory = azureComponentFactory;
-            _connectionStringKey = connectionStringKey;
-        }
-
-        public string Name => Options.DefaultName;
-
-        public void Configure(ServiceManagerOptions options)
-        {
-            if (_configuration.TryGetJsonObjectSerializer(out var serializer))
+            _configureServiceManagerOptions = options =>
             {
-                options.UseJsonObjectSerializer(serializer);
-            }
+                // Apply options from code.
+                options.ServiceEndpoints = optionsFromCode.ServiceEndpoints?.ToArray();
+                options.ServiceTransportType = optionsFromCode.ServiceTransportType;
+                options.UseJsonObjectSerializer(optionsFromCode.JsonObjectSerializer);
 
-            if (_configuration.GetConnectionString(_connectionStringKey) != null || _configuration[_connectionStringKey] != null)
-            {
-                options.ConnectionString = _configuration.GetConnectionString(_connectionStringKey) ?? _configuration[_connectionStringKey];
-            }
+                // Apply options from configuration
+                if (_configuration.TryGetJsonObjectSerializer(out var serializer))
+                {
+                    options.UseJsonObjectSerializer(serializer);
+                }
+                if (_configuration.GetConnectionString(connectionStringKey) != null || _configuration[connectionStringKey] != null)
+                {
+                    options.ConnectionString = _configuration.GetConnectionString(connectionStringKey) ?? _configuration[connectionStringKey];
+                }
+                var endpoints = _configuration.GetSection(Constants.AzureSignalREndpoints).GetEndpoints(azureComponentFactory);
 
-            var endpoints = _configuration.GetSection(Constants.AzureSignalREndpoints).GetEndpoints(_azureComponentFactory);
-
-            // when the configuration is in the style: AzureSignalRConnectionString:serviceUri = https://xxx.service.signalr.net , we see the endpoint as unnamed.
-            if (options.ConnectionString == null && _configuration.GetSection(_connectionStringKey).TryGetEndpointFromIdentity(_azureComponentFactory, out var endpoint, isNamed: false))
-            {
-                endpoints = endpoints.Append(endpoint);
-            }
-            if (endpoints.Any())
-            {
-                options.ServiceEndpoints = endpoints.ToArray();
-            }
-            var serviceTransportTypeStr = _configuration[Constants.ServiceTransportTypeName];
-            if (Enum.TryParse<ServiceTransportType>(serviceTransportTypeStr, out var transport))
-            {
-                options.ServiceTransportType = transport;
-            }
-            else if (!string.IsNullOrWhiteSpace(serviceTransportTypeStr))
-            {
-                throw new InvalidOperationException($"Invalid service transport type: {serviceTransportTypeStr}.");
-            }
-            //make connection more stable
-            options.ConnectionCount = 3;
-            options.ProductInfo = GetProductInfo();
+                // when the configuration is in the style: AzureSignalRConnectionString:serviceUri = https://xxx.service.signalr.net , we see the endpoint as unnamed.
+                if (options.ConnectionString == null && _configuration.GetSection(connectionStringKey).TryGetEndpointFromIdentity(azureComponentFactory, out var endpoint, isNamed: false))
+                {
+                    endpoints = endpoints.Append(endpoint);
+                }
+                if (endpoints.Any())
+                {
+                    options.ServiceEndpoints = endpoints.ToArray();
+                }
+                var serviceTransportTypeStr = _configuration[Constants.ServiceTransportTypeName];
+                if (Enum.TryParse<ServiceTransportType>(serviceTransportTypeStr, out var transport))
+                {
+                    options.ServiceTransportType = transport;
+                }
+                else if (!string.IsNullOrWhiteSpace(serviceTransportTypeStr))
+                {
+                    throw new InvalidOperationException($"Invalid service transport type: {serviceTransportTypeStr}.");
+                }
+                //make connection more stable
+                options.ConnectionCount = 3;
+                options.ProductInfo = GetProductInfo();
+            };
         }
 
-        public IChangeToken GetChangeToken()
-        {
-            return _configuration.GetReloadToken();
-        }
+        public Action<ServiceManagerOptions> Configure => _configureServiceManagerOptions;
 
         private string GetProductInfo()
         {

sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService/src/Config/ServiceHubContextStore.cs

@@ -3,28 +3,27 @@
 
 using System;
 using System.Collections.Concurrent;
-using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.Azure.SignalR;
 using Microsoft.Azure.SignalR.Management;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.Azure.WebJobs.Extensions.SignalRService
 {
     internal sealed class ServiceHubContextStore : IInternalServiceHubContextStore
     {
         private readonly ConcurrentDictionary<string, (Lazy<Task<IServiceHubContext>> Lazy, IServiceHubContext Value)> _store = new(StringComparer.OrdinalIgnoreCase);
         private readonly ConcurrentDictionary<string, Lazy<Task<object>>> _stronglyTypedStore = new(StringComparer.OrdinalIgnoreCase);
-        private readonly IServiceEndpointManager _endpointManager;
         private readonly ServiceManager _serviceManager;
 
-        public AccessKey[] AccessKeys => _endpointManager.Endpoints.Keys.Select(endpoint => endpoint.AccessKey).ToArray();
-
         public IServiceManager ServiceManager => _serviceManager as IServiceManager;
 
-        public ServiceHubContextStore(IServiceEndpointManager endpointManager, ServiceManager serviceManager)
+        public IOptionsMonitor<SignatureValidationOptions> SignatureValidationOptions { get; }
+
+        public ServiceHubContextStore(IOptionsMonitor<SignatureValidationOptions> signatureValidationOptions, ServiceManager serviceManager)
         {
+            SignatureValidationOptions = signatureValidationOptions;
             _serviceManager = serviceManager;
-            _endpointManager = endpointManager;
         }
 
         public async ValueTask<ServiceHubContext<T>> GetAsync<T>(string hubName) where T : class

sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService/src/Config/ServiceManagerStore.cs

@@ -3,8 +3,6 @@
 
 using System;
 using System.Collections.Concurrent;
-using System.Collections.Generic;
-using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.Azure.SignalR;
 using Microsoft.Azure.SignalR.Management;
@@ -51,25 +49,23 @@ public IInternalServiceHubContextStore GetByConfigurationKey(string connectionSt
 
         private IInternalServiceHubContextStore CreateHubContextStore(string connectionStringKey)
         {
-            var services = new ServiceCollection()
-                .Configure<ServiceManagerOptions>(o =>
-                {
-                    o.ServiceTransportType = _options.ServiceTransportType;
-                    o.ServiceEndpoints = _options.ServiceEndpoints?.ToArray();
-                    o.UseJsonObjectSerializer(_options.JsonObjectSerializer);
-                })
-                .SetupOptions<ServiceManagerOptions, OptionsSetup>(new OptionsSetup(_configuration, _azureComponentFactory, connectionStringKey))
-                .AddSignalRServiceManager()
-                .AddSingleton(sp => (ServiceManager)sp.GetService<IServiceManager>())
-                .AddSingleton(_loggerFactory)
-                .AddSingleton<IInternalServiceHubContextStore, ServiceHubContextStore>();
-            if (_router != null)
-            {
-                services.AddSingleton(_router);
-            }
-            services.AddSingleton(services.ToList() as IReadOnlyCollection<ServiceDescriptor>);
-            return services.BuildServiceProvider()
-               .GetRequiredService<IInternalServiceHubContextStore>();
+            var serviceManagerOptionsSetup = new OptionsSetup(_configuration, _azureComponentFactory, connectionStringKey, _options);
+            var serviceManger = new ServiceManagerBuilder()
+                // Does the actual configuration
+                .WithOptions(serviceManagerOptionsSetup.Configure)
+                .WithLoggerFactory(_loggerFactory)
+                .WithRouter(_router ?? new EndpointRouterDecorator())
+                // Serves as a reload token provider only
+                .WithConfiguration(new EmptyConfiguration(_configuration))
+                .BuildServiceManager();
+            return new ServiceCollection()
+                .AddSingleton(serviceManger)
+                .AddOptions()
+                .AddSingleton<IConfigureOptions<SignatureValidationOptions>>(new SignatureValidationOptionsSetup(serviceManagerOptionsSetup.Configure))
+                .AddSingleton<IOptionsChangeTokenSource<SignatureValidationOptions>>(new ConfigurationChangeTokenSource<SignatureValidationOptions>(_configuration))
+                .AddSingleton<ServiceHubContextStore>()
+                .BuildServiceProvider()
+                .GetRequiredService<ServiceHubContextStore>();
         }
 
         public async ValueTask DisposeAsync()

sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService/src/Config/SignatureValidationOptions.cs

@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.WebJobs.Extensions.SignalRService
+{
+    internal class SignatureValidationOptions
+    {
+        public List<string> AccessKeys { get; } = new List<string>();
+        public bool RequireValidation { get; set; } = true;
+    }
+}

sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService/src/Config/SignatureValidationOptionsSetup.cs

@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.Azure.SignalR;
+using Microsoft.Azure.SignalR.Management;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Primitives;
+
+namespace Microsoft.Azure.WebJobs.Extensions.SignalRService
+{
+    internal class SignatureValidationOptionsSetup : IConfigureOptions<SignatureValidationOptions>
+    {
+        private static readonly char[] PropertySeparator = { ';' };
+        private static readonly char[] KeyValueSeparator = { '=' };
+        private const string AccessKeyProperty = "AccessKey";
+
+        private readonly Action<ServiceManagerOptions> _configureServiceManagerOptions;
+
+        public SignatureValidationOptionsSetup(Action<ServiceManagerOptions> configureServiceManagerOptions)
+        {
+            _configureServiceManagerOptions = configureServiceManagerOptions;
+        }
+
+        /// <remarks>
+        /// We can't get the <see cref="ServiceManagerOptions"/> from <see cref="ServiceManager"/>, therefore we have to reuse the configuration action to build the options again.
+        /// </remarks>
+        public void Configure(SignatureValidationOptions options)
+        {
+            var serviceManagerOptions = new ServiceManagerOptions();
+            _configureServiceManagerOptions(serviceManagerOptions);
+            IEnumerable<ServiceEndpoint> endpoints = serviceManagerOptions.ServiceEndpoints ?? Array.Empty<ServiceEndpoint>();
+            if (serviceManagerOptions.ConnectionString != null)
+            {
+                endpoints = endpoints.Append(new ServiceEndpoint(serviceManagerOptions.ConnectionString));
+            }
+            foreach (var endpoint in endpoints)
+            {
+                if (endpoint.ConnectionString != null && TryGetAccessKey(endpoint.ConnectionString, out var accessKey))
+                {
+                    options.AccessKeys.Add(accessKey);
+                }
+                else
+                {
+                    // Once there is one connection string without access key, the validation is not required. Currently we don't have mechanism to validate identity-based connection.
+                    options.RequireValidation = false;
+                    // Validation isn't required therefore no need to continue to get the access keys.
+                    return;
+                }
+            }
+        }
+
+        private static bool TryGetAccessKey(string connectionString, out string accesskey)
+        {
+            foreach (var property in connectionString.Split(PropertySeparator, StringSplitOptions.RemoveEmptyEntries))
+            {
+                var kvp = property.Split(KeyValueSeparator, 2);
+                if (kvp.Length != 2)
+                {
+                    continue;
+                }
+                if (kvp[0].Trim().Equals(AccessKeyProperty, StringComparison.OrdinalIgnoreCase))
+                {
+                    accesskey = kvp[1].Trim();
+                    return true;
+                }
+            }
+            accesskey = null;
+            return false;
+        }
+    }
+}

sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService/src/TriggerBindings/Executor/ExecutionContext.cs

@@ -1,15 +1,14 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using Microsoft.Azure.SignalR;
 using Microsoft.Azure.WebJobs.Host.Executors;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.Azure.WebJobs.Extensions.SignalRService
 {
     internal class ExecutionContext
     {
         public ITriggeredFunctionExecutor Executor { get; set; }
-
-        public AccessKey[] AccessKeys { get; set; }
+        public IOptionsMonitor<SignatureValidationOptions> SignatureValidationOptions { get; set; }
     }
 }

sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService/src/TriggerBindings/Executor/SignalRMethodExecutor.cs

@@ -26,7 +26,7 @@ protected SignalRMethodExecutor(IRequestResolver resolver, ExecutionContext exec
         protected Task<FunctionResult> ExecuteWithAuthAsync(HttpRequestMessage request, ExecutionContext executor,
             InvocationContext context, TaskCompletionSource<object> tcs = null)
         {
-            if (!Resolver.ValidateSignature(request, executor.AccessKeys))
+            if (!Resolver.ValidateSignature(request, executor.SignatureValidationOptions))
             {
                 throw new SignalRTriggerAuthorizeFailedException();
             }

sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService/src/TriggerBindings/Resolver/IRequestResolver.cs

@@ -5,16 +5,16 @@
 using System.Threading.Tasks;
 
 using Microsoft.AspNetCore.SignalR.Protocol;
-using Microsoft.Azure.SignalR;
 using Microsoft.Azure.SignalR.Serverless.Protocols;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.Azure.WebJobs.Extensions.SignalRService
 {
     internal interface IRequestResolver
     {
         bool ValidateContentType(HttpRequestMessage request);
 
-        bool ValidateSignature(HttpRequestMessage request, AccessKey[] accessKeys);
+        bool ValidateSignature(HttpRequestMessage request, IOptionsMonitor<SignatureValidationOptions> signatureValidationOptions);
 
         bool TryGetInvocationContext(HttpRequestMessage request, out InvocationContext context);