Adding Authorization to AdminController (now requires master key header)

Author: mathewc

sample/WebHook-Generic/function.json

@@ -3,7 +3,7 @@
     "input": [
       {
         "type": "httpTrigger",
-        "webHookReceiver": "genericJson"
+        "webHookType": "genericJson"
       }
     ],
     "output": [

sample/WebHook-GitHub/function.json

@@ -3,7 +3,7 @@
     "input": [
       {
         "type": "httpTrigger",
-        "webHookReceiver": "github"
+        "webHookType": "github"
       }
     ],
     "output": [

src/WebJobs.Script.WebHost/App_Data/secrets/HttpTrigger.json

@@ -0,0 +1,3 @@
+{
+  "key": "hyexydhln844f2mb7hgsup2yf8dowlb0885mbiq1"
+}

src/WebJobs.Script.WebHost/App_Data/secrets/WebHook-Generic.json

@@ -1,3 +1,3 @@
 {
-  "webHookReceiverKey": "1388a6b0d05eca2237f10e4a4641260b0a08f3a5"
+  "key": "1388a6b0d05eca2237f10e4a4641260b0a08f3a5"
 }

src/WebJobs.Script.WebHost/App_Data/secrets/host.json

@@ -0,0 +1,4 @@
+{
+  "masterKey": "t8laajal0a1ajkgzoqlfv5gxr4ebhqozebw4qzdy",
+  "functionKey": "zlnu496ve212kk1p84ncrtdvmtpembduqp25ajjc"
+}

src/WebJobs.Script.WebHost/Controllers/AdminController.cs

@@ -6,6 +6,7 @@
 using System.Web.Http;
 using Microsoft.Azure.WebJobs.Script;
 using Microsoft.Azure.WebJobs.Script.Description;
+using WebJobs.Script.WebHost.Filters;
 using WebJobs.Script.WebHost.Models;
 
 namespace WebJobs.Script.WebHost.Controllers
@@ -14,6 +15,7 @@ namespace WebJobs.Script.WebHost.Controllers
     /// Controller responsible for handling all administrative requests, for
     /// example enqueueing function invocations, etc.
     /// </summary>
+    [AuthorizationLevel(AuthorizationLevel.Admin)]
     public class AdminController : ApiController
     {
         private readonly WebScriptHostManager _scriptHostManager;
@@ -27,9 +29,6 @@ public AdminController(WebScriptHostManager scriptHostManager)
         [Route("admin/functions/{name}")]
         public HttpResponseMessage Invoke(string name, [FromBody] FunctionInvocation invocation)
         {
-            // TODO: This entire controller will need to be locked down once the
-            // admin auth model is in place
-
             if (invocation == null)
             {
                 return new HttpResponseMessage(HttpStatusCode.BadRequest);

src/WebJobs.Script.WebHost/Controllers/FunctionsController.cs

@@ -7,6 +7,7 @@
 using System.Web.Http;
 using System.Web.Http.Controllers;
 using Microsoft.Azure.WebJobs.Script.Description;
+using WebJobs.Script.WebHost.Filters;
 using WebJobs.Script.WebHost.WebHooks;
 
 namespace WebJobs.Script.WebHost.Controllers
@@ -36,9 +37,17 @@ public override async Task<HttpResponseMessage> ExecuteAsync(HttpControllerConte
                 return new HttpResponseMessage(HttpStatusCode.NotFound);
             }
 
-            HttpResponseMessage response = null;
+            // Authorize the request
+            SecretManager secretManager = (SecretManager)controllerContext.Configuration.DependencyResolver.GetService(typeof(SecretManager));
             HttpBindingMetadata httpFunctionMetadata = (HttpBindingMetadata)function.Metadata.InputBindings.FirstOrDefault(p => p.Type == BindingType.HttpTrigger);
-            if (!string.IsNullOrEmpty(httpFunctionMetadata.WebHookReceiver))
+            bool isWebHook = !string.IsNullOrEmpty(httpFunctionMetadata.WebHookType);
+            if (!isWebHook && !AuthorizationLevelAttribute.IsAuthorized(request, httpFunctionMetadata.AuthLevel, secretManager, functionName: function.Name))
+            {
+                return new HttpResponseMessage(HttpStatusCode.Unauthorized);
+            }
+
+            HttpResponseMessage response = null;
+            if (isWebHook)
             {
                 // This is a WebHook request so define a delegate for the user function.
                 // The WebHook Receiver pipeline will first validate the request fully

src/WebJobs.Script.WebHost/Filters/AuthorizationLevelAttribute.cs

@@ -0,0 +1,125 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Net.Http;
+using System.Runtime.CompilerServices;
+using System.Web.Http.Controllers;
+using System.Web.Http.Filters;
+using Microsoft.Azure.WebJobs.Script;
+
+namespace WebJobs.Script.WebHost.Filters
+{
+    public class AuthorizationLevelAttribute : AuthorizationFilterAttribute
+    {
+        public const string MasterKeyHeaderName = "x-functions-key";
+
+        public AuthorizationLevelAttribute(AuthorizationLevel level)
+        {
+            Level = level;
+        }
+
+        public AuthorizationLevel Level { get; private set; }
+
+        public override void OnAuthorization(HttpActionContext actionContext)
+        {
+            SecretManager secretManager = (SecretManager)actionContext.ControllerContext.Configuration.DependencyResolver.GetService(typeof(SecretManager));
+
+            if (!IsAuthorized(actionContext.Request, Level, secretManager))
+            {
+                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
+            }
+        }
+
+        public static bool IsAuthorized(HttpRequestMessage request, AuthorizationLevel level, SecretManager secretManager, string functionName = null)
+        {
+            if (level == AuthorizationLevel.Anonymous)
+            {
+                return true;
+            }
+
+            AuthorizationLevel requestLevel = GetAuthorizationLevel(request, secretManager, functionName);
+            return requestLevel >= level;
+        }
+
+        private static AuthorizationLevel GetAuthorizationLevel(HttpRequestMessage request, SecretManager secretManager, string functionName = null)
+        {
+            // TODO: Add support for validating "EasyAuth" headers
+
+            // first see if a key value is specified via headers or query string
+            IEnumerable<string> values;
+            string keyValue = null;
+            if (request.Headers.TryGetValues(MasterKeyHeaderName, out values))
+            {
+                keyValue = values.FirstOrDefault();
+            }
+            else
+            {
+                var queryParameters = request.GetQueryNameValuePairs().ToDictionary(p => p.Key, p => p.Value, StringComparer.OrdinalIgnoreCase);
+                queryParameters.TryGetValue("key", out keyValue);
+            }
+
+            if (!string.IsNullOrEmpty(keyValue))
+            {
+                // see if the key specified is the master key
+                HostSecrets hostSecrets = secretManager.GetHostSecrets();
+                if (!string.IsNullOrEmpty(hostSecrets.MasterKey) &&
+                    SecretEqual(keyValue, hostSecrets.MasterKey))
+                {
+                    return AuthorizationLevel.Admin;
+                }
+
+                // see if the key specified matches the host function key
+                if (!string.IsNullOrEmpty(hostSecrets.FunctionKey) &&
+                    SecretEqual(keyValue, hostSecrets.FunctionKey))
+                {
+                    return AuthorizationLevel.Function;
+                }
+
+                // if there is a function specific key specified try to match against that
+                if (functionName != null)
+                {
+                    FunctionSecrets functionSecrets = secretManager.GetFunctionSecrets(functionName);
+                    if (functionSecrets != null &&
+                        !string.IsNullOrEmpty(functionSecrets.Key) &&
+                        SecretEqual(keyValue, functionSecrets.Key))
+                    {
+                        return AuthorizationLevel.Function;
+                    }
+                }
+            }
+
+            return AuthorizationLevel.Anonymous;
+        }
+
+        /// <summary>
+        /// Provides a time consistent comparison of two secrets in the form of two strings.
+        /// This prevents security attacks that attempt to determine key values based on response
+        /// times.
+        /// </summary>
+        /// <param name="inputA">The first secret to compare.</param>
+        /// <param name="inputB">The second secret to compare.</param>
+        /// <returns>Returns <c>true</c> if the two secrets are equal, <c>false</c> otherwise.</returns>
+        [MethodImpl(MethodImplOptions.NoOptimization)]
+        private static bool SecretEqual(string inputA, string inputB)
+        {
+            if (ReferenceEquals(inputA, inputB))
+            {
+                return true;
+            }
+
+            if (inputA == null || inputB == null || inputA.Length != inputB.Length)
+            {
+                return false;
+            }
+
+            bool areSame = true;
+            for (int i = 0; i < inputA.Length; i++)
+            {
+                areSame &= inputA[i] == inputB[i];
+            }
+
+            return areSame;
+        }
+    }
+}

src/WebJobs.Script.WebHost/FunctionSecrets.cs

@@ -2,6 +2,6 @@
 {
     public class FunctionSecrets
     {
-        public string WebHookReceiverKey { get; set; }
+        public string Key { get; set; }
     }
 }

src/WebJobs.Script.WebHost/HostSecrets.cs

@@ -0,0 +1,8 @@
+namespace WebJobs.Script.WebHost
+{
+    public class HostSecrets
+    {
+        public string MasterKey { get; set; }
+        public string FunctionKey { get; set; }
+    }
+}