Allow for disabling authorization and removing host config when using custom JWT on Bearer (#26)

* Adding support to disable authorize attribute effect on HTTP functions

Author: artmasa

.build/release.props

@@ -6,17 +6,17 @@
         <PackageId>DarkLoop.Azure.Functions.Authorize</PackageId>
         <IsPreview>false</IsPreview>
         <AssemblyVersion>3.0.0.0</AssemblyVersion>
-        <Version>3.1.2</Version>
+        <Version>3.1.3</Version>
         <FileVersion>$(Version).0</FileVersion>
         <RepositoryUrl>https://github.com/dark-loop/functions-authorize</RepositoryUrl>
         <License>https://github.com/dark-loop/functions-authorize/blob/master/LICENSE</License>
         <RepositoryType>Git</RepositoryType>
-        <PackageTags>AuthorizeAttribute, Authorize, Azure Functions, Azure, Bearer, JWT</PackageTags>
+        <PackageTags>AuthorizeAttribute, Authorize, Azure Functions, Azure, Bearer, JWT, Policy based authorization</PackageTags>
         <PackageIconUrl>https://en.gravatar.com/userimage/22176525/45f25acea686a783e5b2ca172d72db71.png</PackageIconUrl>
         <SignAssembly>true</SignAssembly>
         <AssemblyOriginatorKeyFile>dl-sftwr-sn-key.snk</AssemblyOriginatorKeyFile>
         <IsPackable>true</IsPackable>
-		<Description>Azure Functions V3 authentication extensions to enable authentication and authorization on a per function basis.</Description>
+		<Description>Azure Functions V3 authentication extensions to enable authentication and authorization on a per function basis based on ASPNET Core frameworks.</Description>
 		<PackageReadmeFile>README.md</PackageReadmeFile>
     </PropertyGroup>
 

README.md

@@ -89,3 +89,57 @@ public class Functions
 
 ### Builds
 ![master build status](https://dev.azure.com/darkloop/DarkLoop%20Core%20Library/_apis/build/status/Open%20Source/Functions%20Authorize%20-%20Pack?branchName=master)
+
+## Change log
+Adding change log starting with version 3.1.3
+
+### 3.1.3
+- #### Support for disabling `FunctionAuthorize` effect at the application level.
+  Adding support for disabling the effect of `[FunctionAuthorize]` attribute at the application level.  
+  This is useful when wanting to disable authorization for a specific environment, such as local development.
+
+  When configuring services, you can now configure `FunctionsAuthorizationOptions`.
+  ```c#
+  builder.Services.Configure<FunctionsAuthorizationOptions>(options => 
+      options.DisableAuthorization = Configuration.GetValue<bool>("AuthOptions:DisableAuthorization"));
+  ```
+
+  Optionally you can bind it to configuration to rely on providers like User Secrets or Azure App Configuration to disable and re-enable without having to restart your application:
+  ```c#
+  builder.Services.Configure<FunctionsAuthorizationOptions>(
+      Configuration.GetSection("FunctionsAuthorization"));
+  ```
+
+  For function apps targeting .NET 7 or greater, you can also use `AuthorizationBuilder` to set this value:
+  ```c#
+  builder.Services
+      .AddAuthorizationBuilder()
+      .DisableAuthorization(Configuration.GetValue<bool>("AuthOptions:DisableAuthorization"));
+  ```
+
+  It's always recommended to encapsulate this logic within checks for environments to ensure that if the configuration setting is unintentionally moved to a non-desired environment, it would not affect security of our HTTP triggered functions. This change adds a helper method to identify if you are running the function app in the local environment:
+  ```c#
+  if (builder.IsLocalAuthorizationContext())
+  {
+      builder.Services.Configure<FunctionsAuthorizationOptions>(
+          options => options.AuthorizationDisabled = true);
+  }
+  ```
+
+  If you want to output warnings emitted by the library remember to set the log level to `Warning` or lower for `Darkloop` category in your `host.json` file:
+
+  ```json
+  {
+    "logging": {
+      "logLevel": {
+        "DarkLoop": "Warning"
+      }
+    }
+  }
+  ```
+  
+  Thanks to [BenjaminWang1031](https://github.com/BenjaminWang1031) for the suggestion to add this functionality.
+
+- #### Remove Functions bult-in JwtBearer configuration by default
+  Azure Functions recently [added configuration](https://github.com/Azure/azure-functions-host/pull/9678) for issuer and audience validation for the default authentication flows, not the one supported by this package through `FunctionAuthorizeAttribute`, which interferes with token validation when using our own Bearer scheme token configuration.
+  In prior versions, this package has functionality to clear Functions built-in configuration, but it was not enabled by default when using `AddJwtBearer(Action<JwtBearerOptions> configure, bool removeBuiltInConfig = false)`. Since the use of this package is commonly used for custom JWT token, the default value of `removeBuiltInConfig` is now `true`.

sample/Darkloop.Azure.Functions.Authorize.SampleFunctions.V4/Darkloop.Azure.Functions.Authorize.SampleFunctions.V4.csproj

@@ -6,7 +6,7 @@
 	</PropertyGroup>
 	<ItemGroup>
 		<PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" />
-		<PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="5.0.0" />
+		<PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="6.0.1" />
 		<PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.0.1" />
 	</ItemGroup>
 	<ItemGroup>

sample/Darkloop.Azure.Functions.Authorize.SampleFunctions.V4/Startup.cs

@@ -1,9 +1,12 @@
 using DarkLoop.Azure.Functions.Authorize.SampleFunctions.V4;
+using DarkLoop.Azure.Functions.Authorize.Security;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Azure.Functions.Extensions.DependencyInjection;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using System;
 using System.Collections.Generic;
 using System.Text;
@@ -56,11 +59,20 @@ public override void Configure(IFunctionsHostBuilder builder)
                 }, true);
 
             builder.Services.AddFunctionsAuthorization();
+
+            // If you want to disable authorization for all functions
+            // decorated with FunctionAuthorizeAttribute you can add the following configuration.
+            // If you bind it to configuration, you can modify the setting remotely using
+            // Azure App Configuration or other configuration providers without the need to restart app.
+            if (builder.IsLocalAuthorizationContext())
+            {
+                builder.Services.Configure<FunctionsAuthorizationOptions>(Configuration.GetSection("AuthOptions"));
+            }
         }
 
         public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
         {
-            builder.ConfigurationBuilder.AddUserSecrets<Startup>();
+            builder.ConfigurationBuilder.AddUserSecrets<Startup>(false, reloadOnChange: true);
 
             Configuration = builder.ConfigurationBuilder.Build();
 

sample/Darkloop.Azure.Functions.Authorize.SampleFunctions.V4/host.json

@@ -1,11 +1,14 @@
 {
     "version": "2.0",
     "logging": {
-        "applicationInsights": {
-            "samplingSettings": {
-                "isEnabled": true,
-                "excludedTypes": "Request"
-            }
+      "applicationInsights": {
+        "samplingSettings": {
+          "isEnabled": true,
+          "excludedTypes": "Request"
         }
+      },
+      "logLevel": {
+        "Darkloop": "Information"
+      }
     }
 }

src/DarkLoop.Azure.Functions.Authorize/DarkLoop.Azure.Functions.Authorize.csproj

@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
     <PropertyGroup>
-        <TargetFramework>netstandard2.1</TargetFramework>
+        <TargetFrameworks>netstandard2.1;net7.0</TargetFrameworks>
         <Version>0.0.1-preview</Version>
         <Company>DarkLoop</Company>
         <Copyright>DarkLoop - All rights reserved</Copyright>
@@ -25,7 +25,7 @@
       <None Include="..\..\.editorconfig" Link=".editorconfig" />
     </ItemGroup>
 
-    <ItemGroup>
+    <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.1'">
         <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="2.2.0" />
         <PackageReference Include="Microsoft.AspNetCore.Authorization" Version="3.0.3" />
         <PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" />
@@ -36,6 +36,17 @@
             </IncludeAssets>
         </PackageReference>
     </ItemGroup>
+  <ItemGroup Condition="'$(TargetFramework)' == 'net7.0'">
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="7.0.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authorization" Version="7.0.0" />
+    <PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" />
+    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Http" Version="3.0.2" />
+    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="3.0.12">
+      <IncludeAssets>
+        <IsPackable>true</IsPackable>
+      </IncludeAssets>
+    </PackageReference>
+  </ItemGroup>
     <ItemGroup>
         <None Update="local.settings.json">
             <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

src/DarkLoop.Azure.Functions.Authorize/Filters/FunctionAuthorizationFilterIndex.cs

@@ -2,25 +2,28 @@
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Reflection;
+using DarkLoop.Azure.Functions.Authorize.Security;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.Azure.WebJobs;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
 
 namespace DarkLoop.Azure.Functions.Authorize.Filters
 {
     class FunctionAuthorizationFilterIndex : IFunctionsAuthorizationFilterIndex
     {
         private readonly ConcurrentDictionary<string, IFunctionsAuthorizeFilter> _index =
             new ConcurrentDictionary<string, IFunctionsAuthorizeFilter>();
-        private readonly IAuthorizationPolicyProvider _policyProvider;
-        private readonly IAuthenticationSchemeProvider _schemeProvider;
+
+        private readonly IServiceProvider _serviceProvider;
+        private readonly ObjectFactory _filterFactory;
 
         public FunctionAuthorizationFilterIndex(
-            IAuthenticationSchemeProvider schemeProvider,
-            IAuthorizationPolicyProvider policyProvider)
+            IServiceProvider serviceProvider)
         {
-            _schemeProvider = schemeProvider;
-            _policyProvider = policyProvider;
+            _serviceProvider = serviceProvider;
+            _filterFactory = ActivatorUtilities.CreateFactory(typeof(FunctionsAuthorizeFilter), new[] { typeof(IEnumerable<IAuthorizeData>) });
         }
 
         public void AddAuthorizationFilter(MethodInfo functionMethod, FunctionNameAttribute nameAttribute, IEnumerable<IAuthorizeData> authorizeData)
@@ -29,15 +32,15 @@ public void AddAuthorizationFilter(MethodInfo functionMethod, FunctionNameAttrib
             if (authorizeData is null) throw new ArgumentNullException(nameof(authorizeData));
 
             var name = this.GetFunctionName(functionMethod, nameAttribute);
-            var filter = new FunctionsAuthorizeFilter(_schemeProvider, _policyProvider, authorizeData);
+            var filter = _filterFactory.Invoke(_serviceProvider, new[] { authorizeData }) as FunctionsAuthorizeFilter;
 
-            if (!this._index.TryAdd(name, filter))
+            if (!this._index.TryAdd(name, filter!))
             {
                 throw new InvalidOperationException($"An authorization filter for function {name} has already been processed. Make sure function names are unique within your Functions App.");
             }
         }
 
-        public IFunctionsAuthorizeFilter GetAuthorizationFilter(string functionName)
+        public IFunctionsAuthorizeFilter? GetAuthorizationFilter(string functionName)
         {
             _index.TryGetValue(functionName, out var stored);
 
@@ -48,12 +51,14 @@ private string GetFunctionName(MethodInfo method, FunctionNameAttribute nameAttr
         {
             if (nameAttribute is null)
             {
-                return $"{method.DeclaringType.Name}.{method.Name}";
+                return $"{method.DeclaringType!.Name}.{method.Name}";
             }
             else
             {
                 return nameAttribute.Name;
             }
         }
+
+
     }
 }

src/DarkLoop.Azure.Functions.Authorize/Filters/FunctionsAuthorizeFilter.cs

@@ -6,8 +6,11 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Authorization.Policy;
+using Microsoft.AspNetCore.Http.Extensions;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 
 namespace DarkLoop.Azure.Functions.Authorize.Filters
 {
@@ -18,6 +21,9 @@ internal class FunctionsAuthorizeFilter : IFunctionsAuthorizeFilter
                 new[] { Constants.WebJobsAuthScheme } :
                 new[] { Constants.WebJobsAuthScheme, Constants.ArmTokenAuthScheme };  
 
+        private readonly IOptionsMonitor<FunctionsAuthorizationOptions> _authOptionsMonitor;
+        private readonly ILogger<FunctionsAuthorizeFilter> _logger;
+
         public IEnumerable<IAuthorizeData> AuthorizeData { get; }
 
         public IAuthenticationSchemeProvider SchemeProvider { get; }
@@ -29,8 +35,12 @@ internal class FunctionsAuthorizeFilter : IFunctionsAuthorizeFilter
         public FunctionsAuthorizeFilter(
             IAuthenticationSchemeProvider schemeProvider,
             IAuthorizationPolicyProvider policyProvider,
-            IEnumerable<IAuthorizeData> authorizeData)
+            IEnumerable<IAuthorizeData> authorizeData,
+            IOptionsMonitor<FunctionsAuthorizationOptions> authorizationOptions,
+            ILogger<FunctionsAuthorizeFilter> logger)
         {
+            this._authOptionsMonitor = authorizationOptions;
+            this._logger = logger;
             this.SchemeProvider = schemeProvider;
             this.PolicyProvider = policyProvider;
             this.AuthorizeData = authorizeData;
@@ -59,6 +69,14 @@ from scheme in schemes
 
         public async Task AuthorizeAsync(FunctionAuthorizationContext context)
         {
+            if (this._authOptionsMonitor.CurrentValue.AuthorizationDisabled)
+            {
+                _logger.LogWarning(
+                    $"Authorization through FunctionAuthorizeAttribute is disabled at the application level. Skipping authorization for {context.HttpContext.Request.GetDisplayUrl()}.");
+
+                return;
+            }
+
             if (context is null) throw new ArgumentNullException(nameof(context));
 
             if (context.HttpContext.Items.ContainsKey(Constants.AuthInvokedKey))
@@ -92,7 +110,7 @@ private Task<AuthorizationPolicy> ComputePolicyAsync()
                 throw new InvalidOperationException("Policy cannot be created.");
             }
 
-            return AuthorizationPolicy.CombineAsync(this.PolicyProvider, this.AuthorizeData);
+            return AuthorizationPolicy.CombineAsync(this.PolicyProvider, this.AuthorizeData)!;
         }
     }
 }

src/DarkLoop.Azure.Functions.Authorize/Filters/IFunctionsAuthorizationFilterIndex.cs

@@ -7,7 +7,7 @@ namespace DarkLoop.Azure.Functions.Authorize.Filters
 {
     interface IFunctionsAuthorizationFilterIndex
     {
-        IFunctionsAuthorizeFilter GetAuthorizationFilter(string functionName);
+        IFunctionsAuthorizeFilter? GetAuthorizationFilter(string functionName);
 
         void AddAuthorizationFilter(MethodInfo functionMethod, FunctionNameAttribute nameAttribute, IEnumerable<IAuthorizeData> authorizeData);
     }

src/DarkLoop.Azure.Functions.Authorize/FunctionsHosBuilderExtensions.cs

@@ -0,0 +1,24 @@
+using DarkLoop.Azure.Functions.Authorize.Security;
+using Microsoft.Azure.Functions.Extensions.DependencyInjection;
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Microsoft.Azure.Functions.Extensions.DependencyInjection
+{
+    /// <summary>
+    /// Extension methods for <see cref="IFunctionsHostBuilder"/>.
+    /// </summary>
+    public static class FunctionsHostBuilderExtensions
+    {
+        /// <summary>
+        /// Returns a value indicating whether the current environment is local development.
+        /// </summary>
+        /// <param name="builder">The current builder.</param>
+        /// <returns></returns>
+        public static bool IsLocalAuthorizationContext(this IFunctionsHostBuilder builder)
+        {
+            return AuthHelper.IsLocalDevelopment;
+        }
+    }
+}