Exemplo n.º 1
0
        public void DecryptEncryptedKeyTests()
        {
            // get a key pair <unencrypted, encrypted>
            Tuple <string, string>[] keyPairs = SecurityUtility.GenerateSecretStringsKeyPair(1);
            string unencryptedKey             = keyPairs[0].Item1;
            string encryptedKey = keyPairs[0].Item2;

            Assert.Equal(unencryptedKey, SecurityUtility.DecryptSecretString(encryptedKey));
            // try to decrypte an invalid encryptedkey will throw an error
            string malformattedKey = encryptedKey.Substring(1);
            var    exception       = Assert.Throws <FormatException>(() => SecurityUtility.DecryptSecretString(malformattedKey));

            // map CryptographicException to FormatException so that HTTP return 400 instead of 500
            Assert.Equal($"unable to decrypt {malformattedKey}, the key is either invalid or malformed", exception.Message);
            Assert.Equal <Type>(typeof(CryptographicException), exception.InnerException.GetType());
        }
Exemplo n.º 2
0
        private async Task <T> GetKeyObjectFromFile <T>(string name, IKeyJsonOps <T> keyOp)
        {
            var secretStorageType = System.Environment.GetEnvironmentVariable(Constants.AzureWebJobsSecretStorageType);

            if (!string.IsNullOrEmpty(secretStorageType) &&
                secretStorageType.Equals("Blob", StringComparison.OrdinalIgnoreCase))
            {
                throw new InvalidOperationException("Runtime keys are stored on blob storage. This API doesn't support this configuration.");
            }

            string keyPath = GetFunctionSecretsFilePath(name);
            string key     = null;

            if (!FileSystemHelpers.FileExists(keyPath) || FileSystemHelpers.FileInfoFromFileName(keyPath).Length == 0)
            {
                FileSystemHelpers.EnsureDirectory(Path.GetDirectoryName(keyPath));
                try
                {
                    using (var fileStream = FileSystemHelpers.OpenFile(keyPath, FileMode.Create, FileAccess.Write, FileShare.None))
                    // getting the lock early (instead of acquire the lock at "new StreamWriter(fileStream)")
                    // so no redundant work is being done (generate secrets)
                    {
                        string jsonContent = keyOp.GenerateKeyJson(SecurityUtility.GenerateSecretStringsKeyPair(keyOp.NumberOfKeysInDefaultFormat), FunctionSiteExtensionVersion, out key);
                        using (var sw = new StringWriter())
                            using (var sr = new System.IO.StringReader(jsonContent))
                            {
                                // write json to memory
                                // since JsonConvert has no method to format a json string
                                new JsonTextWriter(sw)
                                {
                                    Formatting = Formatting.Indented
                                }.WriteToken(new JsonTextReader(sr));
                                using (var streamWriter = new StreamWriter(fileStream))
                                {
                                    await streamWriter.WriteAsync(sw.ToString());

                                    await streamWriter.FlushAsync();
                                }
                            }
                    }
                    return(keyOp.GenerateKeyObject(key, name));
                }
                catch (IOException)
                {
                    // failed to open file => function runtime has the handler
                    // fallback to read key files
                }
            }

            string jsonStr = null;
            int    timeOut = 5;

            while (true)
            {
                try
                {
                    jsonStr = await FileSystemHelpers.ReadAllTextFromFileAsync(keyPath);

                    break;
                }
                catch (Exception)
                {
                    if (timeOut == 0)
                    {
                        throw new TimeoutException($"Fail to read {keyPath}, the file is being held by another process");
                    }
                    timeOut--;
                    await Task.Delay(250);
                }
            }

            bool isEncrypted;

            key = keyOp.GetKeyValueFromJson(jsonStr, out isEncrypted);
            if (isEncrypted)
            {
                key = SecurityUtility.DecryptSecretString(key);
            }
            return(keyOp.GenerateKeyObject(key, name));
        }
Exemplo n.º 3
0
        private async Task <T> GetKeyObjectFromFile <T>(string name, IKeyJsonOps <T> keyOp)
        {
            string keyPath = GetFunctionSecretsFilePath(name);
            string key     = null;

            if (!FileSystemHelpers.FileExists(keyPath))
            {
                FileSystemHelpers.EnsureDirectory(Path.GetDirectoryName(keyPath));
                try
                {
                    using (var fileStream = FileSystemHelpers.OpenFile(keyPath, FileMode.CreateNew, FileAccess.Write, FileShare.None))
                    // will fail if file exists, prevent reading prematurely
                    // getting the lock early so no redundant work is being done
                    {
                        string jsonContent = keyOp.GenerateKeyJson(SecurityUtility.GenerateSecretStringsKeyPair(keyOp.NumberOfKeysInDefaultFormat), FunctionSiteExtensionVersion, out key);
                        using (var sw = new StringWriter())
                            using (var sr = new System.IO.StringReader(jsonContent))
                            {
                                new JsonTextWriter(sw)
                                {
                                    Formatting = Formatting.Indented
                                }.WriteToken(new JsonTextReader(sr));
                                // if lock acquire lock return false, I wait until write finishes and read keyPath
                                using (var streamWriter = new StreamWriter(fileStream))
                                {
                                    await streamWriter.WriteAsync(sw.ToString());

                                    await streamWriter.FlushAsync();
                                }
                            }
                    }
                    return(keyOp.GenerateKeyObject(key, name));
                }
                catch (IOException)
                {
                    // don't throw exception if the file already existed
                    // fallback to read key files
                }
            }

            string jsonStr = null;
            int    timeOut = 5;

            while (true)
            {
                try
                {
                    jsonStr = await FileSystemHelpers.ReadAllTextFromFileAsync(keyPath);

                    break;
                }
                catch (Exception)
                {
                    if (timeOut == 0)
                    {
                        throw new TimeoutException($"Fail to read {keyPath}, the file is being held by another process");
                    }
                    timeOut--;
                    await Task.Delay(250);
                }
            }

            bool isEncrypted;

            key = keyOp.GetKeyValueFromJson(jsonStr, out isEncrypted);
            if (isEncrypted)
            {
                key = SecurityUtility.DecryptSecretString(key);
            }
            return(keyOp.GenerateKeyObject(key, name));
        }