Merge pull request #6 from dark-loop/security

Adding built-in auth to extension methods to address #5. This should enable setting up authentication at startup and not breaking access to functions in Azure portal as described in Azure/azure-functions-host#6959

Author: artmasa

.build/release.props

@@ -2,19 +2,21 @@
 
     <PropertyGroup>
         <Authors>Arturo Martinez</Authors>
+		<Company>DarkLoop</Company>
         <PackageId>DarkLoop.Azure.Functions.Authorize</PackageId>
         <IsPreview>true</IsPreview>
         <AssemblyVersion>3.0.0.0</AssemblyVersion>
-        <Version>3.0.12</Version>
+        <Version>3.1.0</Version>
         <FileVersion>$(Version).0</FileVersion>
         <RepositoryUrl>https://github.com/dark-loop/functions-authorize</RepositoryUrl>
         <License>https://github.com/dark-loop/functions-authorize/blob/master/LICENSE</License>
         <RepositoryType>Git</RepositoryType>
-        <PackageTags>AuthorizeAttribute, Authorize, Azure Functions</PackageTags>
+        <PackageTags>AuthorizeAttribute, Authorize, Azure Functions, Azure, Bearer, JWT</PackageTags>
         <PackageIconUrl>https://en.gravatar.com/userimage/22176525/45f25acea686a783e5b2ca172d72db71.png</PackageIconUrl>
         <SignAssembly>true</SignAssembly>
         <AssemblyOriginatorKeyFile>dl-sftwr-sn-key.snk</AssemblyOriginatorKeyFile>
         <IsPackable>true</IsPackable>
+		<Description>Azure Functions V3 authentication extensions to enable authentication and authorization on a per function basis.</Description>
     </PropertyGroup>
 
     <PropertyGroup>

sample/DarkLoop.Azure.Functions.Authorize.SampleFunctions/DarkLoop.Azure.Functions.Authorize.SampleFunctions.csproj

@@ -5,7 +5,7 @@
     <UserSecretsId>51dc0b9d-8e74-45ec-aebc-1d3d6934faf5</UserSecretsId>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="3.1.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="3.1.18" />
     <PackageReference Include="Microsoft.AspNetCore.Authorization.Policy" Version="2.2.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="3.1.0" />
     <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="3.0.12" />

sample/DarkLoop.Azure.Functions.Authorize.SampleFunctions/Function1.cs

@@ -1,9 +1,13 @@
 using System.IO;
+using System.Reflection;
+using System.Text;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Azure.WebJobs;
 using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
 
@@ -17,19 +21,17 @@ public static async Task<IActionResult> Run(
             [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
             ILogger log)
         {
-            log.LogInformation("C# HTTP trigger function processed a request.");
+            var provider = req.HttpContext.RequestServices;
+            var schProvider = provider.GetService<IAuthenticationSchemeProvider>();
 
-            string name = req.Query["name"];
+            var sb = new StringBuilder();
+            foreach (var scheme in await schProvider.GetAllSchemesAsync())
+                sb.AppendLine($"{scheme.Name} -> {scheme.HandlerType}");
 
-            string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
-            dynamic data = JsonConvert.DeserializeObject(requestBody);
-            name = name ?? data?.name;
+            sb.AppendLine();
+            sb.AppendLine(Assembly.GetEntryAssembly().FullName);
 
-            string responseMessage = string.IsNullOrEmpty(name)
-                ? "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response."
-                : $"Hello, {name}. This HTTP triggered function executed successfully.";
-
-            return new OkObjectResult(responseMessage);
+            return new OkObjectResult(sb.ToString());
         }
     }
 }

sample/DarkLoop.Azure.Functions.Authorize.SampleFunctions/Startup.cs

@@ -18,8 +18,8 @@ class Startup : FunctionsStartup
 
         public override void Configure(IFunctionsHostBuilder builder)
         {
-            builder
-                .AddAuthentication(options=>
+            builder.Services
+                .AddFunctionsAuthentication(options =>
                 {
                     options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                     options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
@@ -34,10 +34,12 @@ public override void Configure(IFunctionsHostBuilder builder)
                     {
                         OnAuthenticationFailed = async x =>
                         {
+                            var body = "Unauthorized request";
                             var response = x.Response;
                             response.ContentType = "text/plain";
-                            response.ContentLength = 5;
-                            await response.WriteAsync("No go");
+                            response.ContentLength = body.Length;
+                            response.StatusCode = 401;
+                            await response.WriteAsync(body);
                             await response.Body.FlushAsync();
                         },
                         OnChallenge = async x =>
@@ -51,9 +53,9 @@ public override void Configure(IFunctionsHostBuilder builder)
                             //await response.Body.FlushAsync();
                         }
                     };
-                });
+                }, true);
 
-            builder.AddAuthorization();
+            builder.Services.AddFunctionsAuthorization();
         }
 
         public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)

src/DarkLoop.Azure.Functions.Authorize/Constants.cs

@@ -8,5 +8,6 @@ internal class Constants
     {
         internal const string AuthInvokedKey = "__WebJobAuthInvoked";
         internal const string WebJobsAuthScheme = "WebJobsAuthLevel";
+        internal const string ArmTokenAuthScheme = "ArmToken";
     }
 }

src/DarkLoop.Azure.Functions.Authorize/Filters/FunctionsAuthorizeFilter.cs

@@ -13,6 +13,11 @@ namespace DarkLoop.Azure.Functions.Authorize.Filters
 {
     internal class FunctionsAuthorizeFilter : IFunctionsAuthorizeFilter
     {
+        private static readonly IEnumerable<string> __dismissedSchemes = 
+            AuthHelper.EnableAuth ? 
+                new[] { Constants.WebJobsAuthScheme } :
+                new[] { Constants.WebJobsAuthScheme, Constants.ArmTokenAuthScheme };  
+
         public IEnumerable<IAuthorizeData> AuthorizeData { get; }
 
         public IAuthenticationSchemeProvider SchemeProvider { get; }
@@ -39,7 +44,7 @@ private void IntegrateSchemes()
             var schemes = this.SchemeProvider.GetAllSchemesAsync().GetAwaiter().GetResult();
             var strSchemes = string.Join(',',
                 from scheme in schemes
-                where scheme.Name != Constants.WebJobsAuthScheme
+                where !__dismissedSchemes.Contains(scheme.Name)
                 select scheme.Name);
 
             foreach (var data in this.AuthorizeData)

src/DarkLoop.Azure.Functions.Authorize/FunctionAuthorizeAttribute.cs

@@ -11,6 +11,9 @@
 
 namespace DarkLoop.Azure.Functions.Authorize
 {
+    /// <summary>
+    /// Represents authorization logic that needs to be applied to a function.
+    /// </summary>
     [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
     [Obsolete("This class is dependent on Azure Functions preview features.")]
     public class FunctionAuthorizeAttribute : FunctionInvocationFilterAttribute, IFunctionInvocationFilter, IAuthorizeData
@@ -22,10 +25,19 @@ public FunctionAuthorizeAttribute(string policy)
             this.Policy = policy;
         }
 
+        /// <summary>
+        /// Gets or sets the name of the authorization policy to apply to function.
+        /// </summary>
         public string? Policy { get; set; }
 
+        /// <summary>
+        /// Gets or sets a comma separated list of roles that are required to execute function.
+        /// </summary>
         public string? Roles { get; set; }
 
+        /// <summary>
+        /// Gets or sets a comma separated list of authentication schemes that are required to apply the authorization logic.
+        /// </summary>
         public string? AuthenticationSchemes { get; set; }
 
         async Task IFunctionInvocationFilter.OnExecutingAsync(FunctionExecutingContext executingContext, CancellationToken cancellationToken)

src/DarkLoop.Azure.Functions.Authorize/FunctionsAuthExtension.cs

@@ -8,7 +8,7 @@ class FunctionsAuthExtension : IExtensionConfigProvider
     {
         public void Initialize(ExtensionConfigContext context)
         {
-
+            
         }
     }
 }

src/DarkLoop.Azure.Functions.Authorize/Security/AuthHelper.cs

@@ -0,0 +1,58 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.DependencyInjection;
+using System;
+using System.Linq.Expressions;
+using System.Reflection;
+
+namespace DarkLoop.Azure.Functions.Authorize.Security
+{
+    internal class AuthHelper
+    {
+        protected static Assembly ScriptWebHostAssembly = Assembly.Load("Microsoft.Azure.WebJobs.Script.WebHost");
+        protected static Type WebHostSvcCollectionExtType =
+            ScriptWebHostAssembly.GetType("Microsoft.Azure.WebJobs.Script.WebHost.WebHostServiceCollectionExtensions");
+        private static Type JwtSecurityExtsType = 
+            ScriptWebHostAssembly.GetType("Microsoft.Extensions.DependencyInjection.ScriptJwtBearerExtensions");
+        private static Func<AuthenticationBuilder, AuthenticationBuilder> __func = BuildFunc();
+        private static Func<IServiceCollection, IServiceCollection> __authorizationFunc = BuildAuthorizationFunc();
+
+        internal static bool EnableAuth { get; private set; }
+
+        static AuthHelper()
+        {
+            var entry = Assembly.GetEntryAssembly();
+            var fullName = entry.FullName;
+            var name = fullName.Substring(0, fullName.IndexOf(','));
+            EnableAuth = name.Equals("Microsoft.Azure.WebJobs.Script.WebHost", StringComparison.OrdinalIgnoreCase);
+        }
+
+        private static Func<AuthenticationBuilder, AuthenticationBuilder> BuildFunc()
+        {
+            var builder = Expression.Parameter(typeof(AuthenticationBuilder), "builder");
+            var method = Expression.Call(JwtSecurityExtsType, "AddScriptJwtBearer", Type.EmptyTypes, builder);
+            var lambda = Expression.Lambda<Func<AuthenticationBuilder, AuthenticationBuilder>>(method, builder);
+
+            return lambda.Compile();
+        }
+
+        private static Func<IServiceCollection, IServiceCollection> BuildAuthorizationFunc()
+        {
+            var services = Expression.Parameter(typeof(IServiceCollection), "services");
+            var method = Expression.Call(WebHostSvcCollectionExtType, "AddWebJobsScriptHostAuthorization", Type.EmptyTypes, services);
+            var lambda = Expression.Lambda<Func<IServiceCollection, IServiceCollection>>(method, services);
+
+            return lambda.Compile();
+        }
+
+        internal static IServiceCollection AddFunctionsBuiltInAuthorization(IServiceCollection services)
+        {
+            return __authorizationFunc(services);
+        }
+
+        internal static FunctionsAuthenticationBuilder AddScriptJwtBearer(FunctionsAuthenticationBuilder builder)
+        {
+            __func(builder);
+            return builder;
+        }
+    }
+}

src/DarkLoop.Azure.Functions.Authorize/Security/AuthenticationExtensions.cs

@@ -1,92 +1,81 @@
 using System;
-using System.Security.Claims;
-using System.Text;
-using System.Threading.Tasks;
-using DarkLoop.Azure.Functions.Authorize;
+using DarkLoop.Azure.Functions.Authorize.Security;
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Azure.Functions.Extensions.DependencyInjection;
-using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Extensions.Options;
-using Microsoft.IdentityModel.Tokens;
 
 namespace Microsoft.Extensions.DependencyInjection
 {
     public static class AuthenticationExtensions
     {
-        private const string AuthLevelClaimType = "http://schemas.microsoft.com/2017/07/functions/claims/authlevel";
+        /// <summary>
+        /// Adds Functions built-in authentication.
+        /// </summary>
+        public static FunctionsAuthenticationBuilder AddFunctionsAuthentication(this IServiceCollection services)
+        {
+            if (services is null) throw new ArgumentNullException(nameof(services));
+
+            return services.AddFunctionsAuthentication(delegate { });
+        }
 
-        public static AuthenticationBuilder AddAuthentication(this IFunctionsHostBuilder builder)
+        /// <summary>
+        /// Configures authentication for the Azure Functions app. It will setup Functions built-in authentication.
+        /// </summary>
+        /// <param name="builder">The <see cref="IFunctionsHostBuilder"/> for the current application.</param>
+        /// <returns>A <see cref="FunctionsAuthenticationBuilder"/> instance to configure authentication schemes.</returns>
+        public static FunctionsAuthenticationBuilder AddAuthentication(this IFunctionsHostBuilder builder)
         {
-            if (builder == null)
-            {
-                throw new ArgumentNullException(nameof(builder));
-            }
+            if (builder is null) throw new ArgumentNullException(nameof(builder));
 
-            return builder.AddAuthentication(null);
+            return builder.Services.AddFunctionsAuthentication(delegate { });
         }
 
-        public static AuthenticationBuilder AddAuthentication(
+        /// <summary>
+        /// Configures authentication for the Azure Functions app. It will setup Functions built-in authentication.
+        /// </summary>
+        /// <param name="builder">The <see cref="IFunctionsHostBuilder"/> for the current application.</param>
+        /// <param name="configure">The <see cref="AuthenticationOptions"/> configuration logic.</param>
+        /// <returns>A <see cref="FunctionsAuthenticationBuilder"/> instance to configure authentication schemes.</returns>
+        /// <exception cref="ArgumentNullException">When builder is null.</exception>
+        public static FunctionsAuthenticationBuilder AddAuthentication(
             this IFunctionsHostBuilder builder, Action<AuthenticationOptions>? configure)
         {
-            if (builder == null)
+            if (builder is null) throw new ArgumentNullException(nameof(builder));
+
+            return builder.Services.AddFunctionsAuthentication(configure);
+        }
+
+        /// <summary>
+        /// Configures authentication for the Azure Functions app. It will setup Functions built-in authentication.
+        /// </summary>
+        /// <param name="configure">The <see cref="AuthenticationOptions"/> configuration logic.</param>
+        public static FunctionsAuthenticationBuilder AddFunctionsAuthentication(
+            this IServiceCollection services, Action<AuthenticationOptions>? configure)
+        {
+            var authBuilder = new FunctionsAuthenticationBuilder(services);
+
+            if (AuthHelper.EnableAuth)
             {
-                throw new ArgumentNullException(nameof(builder));
+                EnabledAuthHelper.AddBuiltInFunctionsAuthentication(services);
             }
-
+            else
+            {
+                services.AddAuthentication();
+                AuthHelper.AddScriptJwtBearer(authBuilder);
+                DisabledAuthHelper.AddScriptAuthLevel(authBuilder);
+                DisabledAuthHelper.AddArmToken(authBuilder);
+            }
+            
             if (configure != null)
             {
-                builder.Services.AddSingleton<IConfigureOptions<AuthenticationOptions>>(provider =>
+                services.AddSingleton<IConfigureOptions<AuthenticationOptions>>(provider =>
                     new ConfigureOptions<AuthenticationOptions>(options =>
                     {
                         configure(options);
                     }));
             }
 
-            return builder.Services
-                .AddAuthentication()
-                .AddScriptFunctionsJwtBearer();
-        }
-
-        private static AuthenticationBuilder AddScriptFunctionsJwtBearer(this AuthenticationBuilder builder)
-        {
-            return builder.AddJwtBearer(Constants.WebJobsAuthScheme, options =>
-            {
-                options.Events = new JwtBearerEvents
-                {
-                    OnMessageReceived = c =>
-                    {
-                        options.TokenValidationParameters = CreateTokenValidationParameters();
-                        return Task.CompletedTask;
-                    },
-
-                    OnTokenValidated = c =>
-                    {
-                        c.Principal.AddIdentity(new ClaimsIdentity(new Claim[] { new Claim(AuthLevelClaimType, AuthorizationLevel.Admin.ToString()) }));
-                        c.Success();
-                        return Task.CompletedTask;
-                    }
-                };
-
-                options.TokenValidationParameters = CreateTokenValidationParameters();
-            });
-
-            TokenValidationParameters CreateTokenValidationParameters()
-            {
-                var defaultKey = "2d3a0617-f369-492c-ab7a-f21ec1631376";
-                var result = new TokenValidationParameters();
-
-                if (defaultKey != null)
-                {
-                    result.IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(defaultKey));
-                    result.ValidateAudience = true;
-                    result.ValidateIssuer = true;
-                    result.ValidAudience = string.Format("https://{0}.azurewebsites.net/azurefunctions", "func");
-                    result.ValidIssuer = string.Format("https://{0}.scm.azurewebsites.net", "func");
-                }
-
-                return result;
-            }
+            return authBuilder;
         }
     }
 }