Adding runtime site name to valid JWT audiences (slot scenarios). (#1…

…0186)
Azure · May 30, 2024 · f3c64e7 · f3c64e7
1 parent 23e71b5
commit f3c64e7
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 4 deletions.
diff --git a/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs b/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs
@@ -86,7 +86,7 @@ public static AuthenticationBuilder AddScriptJwtBearer(this AuthenticationBuilde
  }
  });
 
- private static string[] GetValidAudiences()
+ private static IEnumerable<string> GetValidAudiences()
  {
  if (SystemEnvironment.Instance.IsPlaceholderModeEnabled()
  && SystemEnvironment.Instance.IsLinuxConsumptionOnAtlas())
@@ -97,11 +97,22 @@ private static string[] GetValidAudiences()
  };
  }
 
- return new string[]
+ string siteName = ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName);
+ string runtimeSiteName = ScriptSettingsManager.Instance.GetSetting(AzureWebsiteRuntimeSiteName);
+ var audiences = new List<string>
  {
- string.Format(SiteAzureFunctionsUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName)),
- string.Format(SiteUriFormat, ScriptSettingsManager.Instance.GetSetting(AzureWebsiteName))
+ string.Format(SiteAzureFunctionsUriFormat, siteName),
+ string.Format(SiteUriFormat, siteName)
  };
+
+ if (!string.IsNullOrEmpty(runtimeSiteName) && !string.Equals(siteName, runtimeSiteName, StringComparison.OrdinalIgnoreCase))
+ {
+ // on a non-production slot, the runtime site name will differ from the site name
+ // we allow both for audience
+ audiences.Add(string.Format(SiteUriFormat, runtimeSiteName));
+ }
+
+ return audiences;
  }
 
  public static TokenValidationParameters CreateTokenValidationParameters()

diff --git a/test/WebJobs.Script.Tests/Extensions/ScriptJwtBearerExtensionsTests.cs b/test/WebJobs.Script.Tests/Extensions/ScriptJwtBearerExtensionsTests.cs
@@ -67,5 +67,43 @@ public void CreateTokenValidationParameters_HasExpectedAudience(bool isPlacehold
  }
  }
  }
+
+ [Theory]
+ [InlineData("testsite", "testsite")]
+ [InlineData("testsite", "testsite__5bb5")]
+ [InlineData("testsite", null)]
+ [InlineData("testsite", "")]
+ public void CreateTokenValidationParameters_NonProductionSlot_HasExpectedAudiences(string siteName, string runtimeSiteName)
+ {
+ string azFuncAudience = string.Format(ScriptConstants.SiteAzureFunctionsUriFormat, siteName);
+ string siteAudience = string.Format(ScriptConstants.SiteUriFormat, siteName);
+ string runtimeSiteAudience = string.Format(ScriptConstants.SiteUriFormat, runtimeSiteName);
+
+ var testEnv = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+ {
+ { EnvironmentSettingNames.AzureWebsiteName, siteName },
+ { EnvironmentSettingNames.AzureWebsiteRuntimeSiteName, runtimeSiteName },
+ { ContainerEncryptionKey, Convert.ToBase64String(TestHelpers.GenerateKeyBytes()) }
+ };
+
+ using (new TestScopedSettings(ScriptSettingsManager.Instance, testEnv))
+ {
+ var tokenValidationParameters = ScriptJwtBearerExtensions.CreateTokenValidationParameters();
+ var audiences = tokenValidationParameters.ValidAudiences.ToArray();
+
+ Assert.Equal(audiences[0], azFuncAudience);
+ Assert.Equal(audiences[1], siteAudience);
+
+ if (string.Compare(siteName, runtimeSiteName, StringComparison.OrdinalIgnoreCase) == 0)
+ {
+ Assert.Equal(2, audiences.Length);
+ }
+ else if (!string.IsNullOrEmpty(runtimeSiteName))
+ {
+ Assert.Equal(3, audiences.Length);
+ Assert.Equal(audiences[2], runtimeSiteAudience);
+ }
+ }
+ }
  }
 }