[Messaging Clients] Shared Access Credential Fix (Azure#19872)

The focus of these changes is to enhance the shared access credential to
eliminate a benign race condition and properly handle a concurrent update.

Author: jsquire

sdk/eventhub/Azure.Messaging.EventHubs.Shared/src/Authorization/SharedAccessCredential.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Runtime.CompilerServices;
 using System.Threading;
 using System.Threading.Tasks;
 using Azure.Core;
@@ -129,17 +130,17 @@ public override AccessToken GetToken(TokenRequestContext requestContext,
                 if ((!string.Equals(signature.SharedAccessKeyName, name, StringComparison.Ordinal))
                     || (!string.Equals(signature.SharedAccessKey, key, StringComparison.Ordinal)))
                 {
-                    signature = new SharedAccessSignature(signature.Resource, name, key);
-                    Volatile.Write(ref _sharedAccessSignature, signature);
+                    var updatedSignature = new SharedAccessSignature(signature.Resource, name, key);
+                    signature = SafeUpdateSharedAccessSignature(signature, updatedSignature);
                 }
             }
 
             // If the key-based signature is approaching expiration, extend it.
 
             if  (signature.SignatureExpiration <= DateTimeOffset.UtcNow.Add(SignatureRefreshBuffer))
             {
-                signature = signature.CloneWithNewExpiration(SignatureExtensionDuration);
-                Volatile.Write(ref _sharedAccessSignature, signature);
+                var updatedSignature = signature.CloneWithNewExpiration(SignatureExtensionDuration);
+                signature = SafeUpdateSharedAccessSignature(signature, updatedSignature);
             }
 
             return new AccessToken(signature.Value, signature.SignatureExpiration);
@@ -157,5 +158,32 @@ public override AccessToken GetToken(TokenRequestContext requestContext,
         ///
         public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext,
                                                              CancellationToken cancellationToken) => new ValueTask<AccessToken>(GetToken(requestContext, cancellationToken));
+
+        /// <summary>
+        ///   Attempts to update the current shared access signature reference of the credential while respecting concurrent updates.
+        /// </summary>
+        ///
+        /// <param name="cachedSignature">The cached signature that had been previously read.  If this value is not the current <c>_sharedAccessSignature</c>, the update will not be performed.</param>
+        /// <param name="updatedSignature">The signature that was locally updated and intended to replace the <paramref name="cachedSignature"/>.</param>
+        ///
+        /// <returns>The current value of the <see cref="SharedAccessSignature" /> of the credential, after the attempted update.  This will be the <paramref name="updatedSignature"/> if the update was performed.</returns>
+        ///
+        /// <remarks>
+        ///   The class field "_sharedAccessSignature" may be mutated when calling this method.
+        /// </remarks>
+        ///
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        private SharedAccessSignature SafeUpdateSharedAccessSignature(SharedAccessSignature cachedSignature,
+                                                                      SharedAccessSignature updatedSignature)
+        {
+            var signature = Interlocked.CompareExchange(ref _sharedAccessSignature, updatedSignature, cachedSignature);
+
+            // If the cached signature doesn't match the active one then the signature was not replaced because it had
+            // already been updated by another caller; assume that active signature is correct and should be used.
+
+            return ReferenceEquals(signature, cachedSignature)
+                ? updatedSignature
+                : signature;
+        }
     }
 }

sdk/eventhub/Azure.Messaging.EventHubs.Shared/tests/Authorization/SharedAccessCredentialTests.cs

@@ -189,7 +189,7 @@ public void GetTokenExtendsAnExpiredTokenWhenCreatedWithTheSharedKey()
             var signature = new SharedAccessSignature("hub-name", "keyName", "key", value, DateTimeOffset.UtcNow.Subtract(TimeSpan.FromHours(2)));
             var credential = new SharedAccessCredential(signature);
 
-            var expectedExpiration = DateTimeOffset.Now.Add(GetSignatureExtensionDuration());
+            var expectedExpiration = DateTimeOffset.UtcNow.Add(GetSignatureExtensionDuration());
             Assert.That(credential.GetToken(new TokenRequestContext(), default).ExpiresOn, Is.EqualTo(expectedExpiration).Within(TimeSpan.FromMinutes(1)));
         }
 
@@ -206,7 +206,7 @@ public void GetTokenExtendsATokenCloseToExpiringWhenCreatedWithTheSharedKey()
             var signature = new SharedAccessSignature("hub-name", "keyName", "key", value, tokenExpiration);
             var credential = new SharedAccessCredential(signature);
 
-            var expectedExpiration = DateTimeOffset.Now.Add(GetSignatureExtensionDuration());
+            var expectedExpiration = DateTimeOffset.UtcNow.Add(GetSignatureExtensionDuration());
             Assert.That(credential.GetToken(new TokenRequestContext(), default).ExpiresOn, Is.EqualTo(expectedExpiration).Within(TimeSpan.FromMinutes(1)));
         }
 

sdk/servicebus/Azure.Messaging.ServiceBus/src/Authorization/SharedAccessCredential.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Runtime.CompilerServices;
 using System.Threading;
 using System.Threading.Tasks;
 using Azure.Core;
@@ -73,8 +74,7 @@ public SharedAccessCredential(AzureSasCredential sourceCredential)
         /// <param name="sourceCredential">The <see cref="AzureNamedKeyCredential"/> to base signatures on.</param>
         /// <param name="signatureResource">The fully-qualified identifier for the resource to which this credential is intended to serve as authorization for.  This is also known as the "token audience" in some contexts.</param>
         ///
-        public SharedAccessCredential(AzureNamedKeyCredential sourceCredential,
-                                      string signatureResource)
+        public SharedAccessCredential(AzureNamedKeyCredential sourceCredential, string signatureResource)
         {
             Argument.AssertNotNull(sourceCredential, nameof(sourceCredential));
             Argument.AssertNotNullOrEmpty(signatureResource, nameof(signatureResource));
@@ -96,8 +96,7 @@ public SharedAccessCredential(AzureNamedKeyCredential sourceCredential,
         ///
         /// <returns>The token representing the shared access signature for this credential.</returns>
         ///
-        public override AccessToken GetToken(TokenRequestContext requestContext,
-                                             CancellationToken cancellationToken)
+        public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
         {
             var signature = Volatile.Read(ref _sharedAccessSignature);
 
@@ -129,17 +128,17 @@ public override AccessToken GetToken(TokenRequestContext requestContext,
                 if ((!string.Equals(signature.SharedAccessKeyName, name, StringComparison.Ordinal))
                     || (!string.Equals(signature.SharedAccessKey, key, StringComparison.Ordinal)))
                 {
-                    signature = new SharedAccessSignature(signature.Resource, name, key);
-                    Volatile.Write(ref _sharedAccessSignature, signature);
+                    var updatedSignature = new SharedAccessSignature(signature.Resource, name, key);
+                    signature = SafeUpdateSharedAccessSignature(signature, updatedSignature);
                 }
             }
 
             // If the key-based signature is approaching expiration, extend it.
 
             if  (signature.SignatureExpiration <= DateTimeOffset.UtcNow.Add(SignatureRefreshBuffer))
             {
-                signature = signature.CloneWithNewExpiration(SignatureExtensionDuration);
-                Volatile.Write(ref _sharedAccessSignature, signature);
+                var updatedSignature = signature.CloneWithNewExpiration(SignatureExtensionDuration);
+                signature = SafeUpdateSharedAccessSignature(signature, updatedSignature);
             }
 
             return new AccessToken(signature.Value, signature.SignatureExpiration);
@@ -155,7 +154,33 @@ public override AccessToken GetToken(TokenRequestContext requestContext,
         ///
         /// <returns>The token representing the shared access signature for this credential.</returns>
         ///
-        public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext,
-                                                             CancellationToken cancellationToken) => new ValueTask<AccessToken>(GetToken(requestContext, cancellationToken));
+        public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) =>
+            new ValueTask<AccessToken>(GetToken(requestContext, cancellationToken));
+
+        /// <summary>
+        ///   Attempts to update the current shared access signature reference of the credential while respecting concurrent updates.
+        /// </summary>
+        ///
+        /// <param name="cachedSignature">The cached signature that had been previously read.  If this value is not the current <c>_sharedAccessSignature</c>, the update will not be performed.</param>
+        /// <param name="updatedSignature">The signature that was locally updated and intended to replace the <paramref name="cachedSignature"/>.</param>
+        ///
+        /// <returns>The current value of the <see cref="SharedAccessSignature" /> of the credential, after the attempted update.  This will be the <paramref name="updatedSignature"/> if the update was performed.</returns>
+        ///
+        /// <remarks>
+        ///   The class field "_sharedAccessSignature" may be mutated when calling this method.
+        /// </remarks>
+        ///
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        private SharedAccessSignature SafeUpdateSharedAccessSignature(SharedAccessSignature cachedSignature, SharedAccessSignature updatedSignature)
+        {
+            var signature = Interlocked.CompareExchange(ref _sharedAccessSignature, updatedSignature, cachedSignature);
+
+            // If the cached signature doesn't match the active one then the signature was not replaced because it had
+            // already been updated by another caller; assume that active signature is correct and should be used.
+
+            return ReferenceEquals(signature, cachedSignature)
+                ? updatedSignature
+                : signature;
+        }
     }
 }

sdk/servicebus/Azure.Messaging.ServiceBus/tests/Authorization/SharedAccessCredentialTests.cs

@@ -189,7 +189,7 @@ public void GetTokenExtendsAnExpiredTokenWhenCreatedWithTheSharedKey()
             var signature = new SharedAccessSignature("hub-name", "keyName", "key", value, DateTimeOffset.UtcNow.Subtract(TimeSpan.FromHours(2)));
             var credential = new SharedAccessCredential(signature);
 
-            var expectedExpiration = DateTimeOffset.Now.Add(GetSignatureExtensionDuration());
+            var expectedExpiration = DateTimeOffset.UtcNow.Add(GetSignatureExtensionDuration());
             Assert.That(credential.GetToken(new TokenRequestContext(), default).ExpiresOn, Is.EqualTo(expectedExpiration).Within(TimeSpan.FromMinutes(1)));
         }
 
@@ -206,7 +206,7 @@ public void GetTokenExtendsATokenCloseToExpiringWhenCreatedWithTheSharedKey()
             var signature = new SharedAccessSignature("hub-name", "keyName", "key", value, tokenExpiration);
             var credential = new SharedAccessCredential(signature);
 
-            var expectedExpiration = DateTimeOffset.Now.Add(GetSignatureExtensionDuration());
+            var expectedExpiration = DateTimeOffset.UtcNow.Add(GetSignatureExtensionDuration());
             Assert.That(credential.GetToken(new TokenRequestContext(), default).ExpiresOn, Is.EqualTo(expectedExpiration).Within(TimeSpan.FromMinutes(1)));
         }