Serialize Function key generation (#7106) (#7124)

Author: mathewc

src/WebJobs.Script.WebHost/Security/KeyManagement/SecretManager.cs

@@ -31,6 +31,7 @@ public class SecretManager : IDisposable, ISecretManager
         private ConcurrentDictionary<string, (string, AuthorizationLevel)> _authorizationCache = new ConcurrentDictionary<string, (string, AuthorizationLevel)>(StringComparer.OrdinalIgnoreCase);
         private HostSecretsInfo _hostSecrets;
         private SemaphoreSlim _hostSecretsLock = new SemaphoreSlim(1, 1);
+        private ConcurrentDictionary<string, SemaphoreSlim> _functionSecretsLocks = new ConcurrentDictionary<string, SemaphoreSlim>(StringComparer.OrdinalIgnoreCase);
         private IMetricsLogger _metricsLogger;
         private string _repositoryClassName;
         private DateTime _lastCacheResetTime;
@@ -149,41 +150,51 @@ public async virtual Task<IDictionary<string, string>> GetFunctionSecretsAsync(s
             {
                 using (_metricsLogger.LatencyEvent(GetMetricEventName(MetricEventNames.SecretManagerGetFunctionSecrets), functionName))
                 {
-                    _logger.LogDebug($"Loading secrets for function '{functionName}'");
+                    var functionSecretsLock = GetFunctionSecretsLock(functionName);
+                    await functionSecretsLock.WaitAsync();
 
-                    FunctionSecrets secrets = await LoadFunctionSecretsAsync(functionName);
-                    if (secrets == null)
+                    try
                     {
-                        // no secrets exist for this function so generate them
-                        string message = string.Format(Resources.TraceFunctionSecretGeneration, functionName);
-                        _logger.LogDebug(message);
-                        secrets = GenerateFunctionSecrets();
+                        _logger.LogDebug($"Loading secrets for function '{functionName}'");
 
-                        await PersistSecretsAsync(secrets, functionName);
-                    }
+                        FunctionSecrets secrets = await LoadFunctionSecretsAsync(functionName);
+                        if (secrets == null)
+                        {
+                            // no secrets exist for this function so generate them
+                            string message = string.Format(Resources.TraceFunctionSecretGeneration, functionName);
+                            _logger.LogDebug(message);
+                            secrets = GenerateFunctionSecrets();
 
-                    try
-                    {
-                        // Read all secrets, which will run the keys through the appropriate readers
-                        secrets.Keys = secrets.Keys.Select(k => _keyValueConverterFactory.ReadKey(k)).ToList();
-                    }
-                    catch (CryptographicException ex)
-                    {
-                        string message = string.Format(Resources.TraceNonDecryptedFunctionSecretRefresh, functionName, ex);
-                        _logger.LogDebug(message);
-                        await PersistSecretsAsync(secrets, functionName, true);
-                        secrets = GenerateFunctionSecrets(secrets);
-                        await RefreshSecretsAsync(secrets, functionName);
-                    }
+                            await PersistSecretsAsync(secrets, functionName);
+                        }
 
-                    if (secrets.HasStaleKeys)
+                        try
+                        {
+                            // Read all secrets, which will run the keys through the appropriate readers
+                            secrets.Keys = secrets.Keys.Select(k => _keyValueConverterFactory.ReadKey(k)).ToList();
+                        }
+                        catch (CryptographicException ex)
+                        {
+                            string message = string.Format(Resources.TraceNonDecryptedFunctionSecretRefresh, functionName, ex);
+                            _logger.LogDebug(message);
+                            await PersistSecretsAsync(secrets, functionName, true);
+                            secrets = GenerateFunctionSecrets(secrets);
+                            await RefreshSecretsAsync(secrets, functionName);
+                        }
+
+                        if (secrets.HasStaleKeys)
+                        {
+                            _logger.LogDebug(string.Format(Resources.TraceStaleFunctionSecretRefresh, functionName));
+                            await RefreshSecretsAsync(secrets, functionName);
+                        }
+
+                        var result = secrets.Keys.ToDictionary(s => s.Name, s => s.Value);
+                        functionSecrets = _functionSecrets.AddOrUpdate(functionName, result, (n, r) => result);
+                    }
+                    finally
                     {
-                        _logger.LogDebug(string.Format(Resources.TraceStaleFunctionSecretRefresh, functionName));
-                        await RefreshSecretsAsync(secrets, functionName);
+                        functionSecretsLock.Release();
                     }
-
-                    var result = secrets.Keys.ToDictionary(s => s.Name, s => s.Value);
-                    functionSecrets = _functionSecrets.AddOrUpdate(functionName, result, (n, r) => result);
                 }
             }
 
@@ -727,5 +738,12 @@ private string GetEncryptionKeysHashes()
 
             return result;
         }
+
+        private SemaphoreSlim GetFunctionSecretsLock(string functionName)
+        {
+            // We're only serializing access to secrets per-function, not across all functions,
+            // so we need to ensure we're using a single shared lock per-function.
+            return _functionSecretsLocks.GetOrAdd(functionName, k => new SemaphoreSlim(1, 1));
+        }
     }
 }

test/WebJobs.Script.Tests/Security/SecretManagerTests.cs

@@ -2,10 +2,12 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
+using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Security.Cryptography;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Azure.WebJobs.Logging;
@@ -14,6 +16,7 @@
 using Microsoft.Azure.WebJobs.Script.WebHost.Models;
 using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
 using Microsoft.Azure.WebJobs.Script.WebHost.Security;
+using Microsoft.Azure.WebJobs.Script.WebHost.Storage;
 using Microsoft.Extensions.Logging;
 using Microsoft.WebJobs.Script.Tests;
 using Moq;
@@ -337,6 +340,55 @@ public async Task GetHostSecrets_UpdatesStaleSecrets()
             }
         }
 
+        [Fact]
+        public async Task GetFunctionSecretsAsync_SecretGenerationIsSerialized()
+        {
+            var mockValueConverterFactory = GetConverterFactoryMock(false, false);
+            var metricsLogger = new TestMetricsLogger();
+            var testRepository = new TestSecretsRepository(true);
+            string testFunctionName = $"TestFunction";
+
+            using (var secretManager = new SecretManager(testRepository, mockValueConverterFactory.Object, _logger, metricsLogger, _hostNameProvider, _startupContextProvider))
+            {
+                var tasks = new List<Task<IDictionary<string, string>>>();
+                for (int i = 0; i < 10; i++)
+                {
+                    tasks.Add(secretManager.GetFunctionSecretsAsync(testFunctionName));
+                }
+
+                await Task.WhenAll(tasks);
+
+                // verify all calls return the same result
+                Assert.Equal(1, testRepository.FunctionSecrets.Count);
+                var functionSecrets = (FunctionSecrets)testRepository.FunctionSecrets[testFunctionName];
+                string defaultKeyValue = functionSecrets.Keys.Where(p => p.Name == "default").Single().Value;
+                Assert.True(tasks.Select(p => p.Result).All(t => t["default"] == defaultKeyValue));
+            }
+        }
+
+        [Fact]
+        public async Task GetHostSecretsAsync_SecretGenerationIsSerialized()
+        {
+            var mockValueConverterFactory = GetConverterFactoryMock(false, false);
+            var metricsLogger = new TestMetricsLogger();
+            var testRepository = new TestSecretsRepository(true);
+
+            using (var secretManager = new SecretManager(testRepository, mockValueConverterFactory.Object, _logger, metricsLogger, _hostNameProvider, _startupContextProvider))
+            {
+                var tasks = new List<Task<HostSecretsInfo>>();
+                for (int i = 0; i < 10; i++)
+                {
+                    tasks.Add(secretManager.GetHostSecretsAsync());
+                }
+
+                await Task.WhenAll(tasks);
+
+                // verify all calls return the same result
+                var masterKey = tasks.First().Result.MasterKey;
+                Assert.True(tasks.Select(p => p.Result).All(q => q.MasterKey == masterKey));
+            }
+        }
+
         [Fact]
         public async Task GetHostSecrets_WhenNoHostSecretFileExists_GeneratesSecretsAndPersistsFiles()
         {
@@ -1124,5 +1176,84 @@ private void CreateTestSecrets(string path)
             File.WriteAllText(Path.Combine(path, ScriptConstants.HostMetadataFileName), hostSecrets);
             File.WriteAllText(Path.Combine(path, "testfunction.json"), functionSecrets);
         }
+
+        private class TestSecretsRepository : ISecretsRepository
+        {
+            private int _writeCount = 0;
+            private Random _rand = new Random();
+            private bool _enforceSerialWrites = false;
+
+            public TestSecretsRepository(bool enforceSerialWrites)
+            {
+                _enforceSerialWrites = enforceSerialWrites;
+            }
+
+            public event EventHandler<SecretsChangedEventArgs> SecretsChanged;
+
+            public ConcurrentDictionary<string, ScriptSecrets> FunctionSecrets { get; } = new ConcurrentDictionary<string, ScriptSecrets>(StringComparer.OrdinalIgnoreCase);
+
+            public ScriptSecrets HostSecrets { get; private set; }
+
+            public bool IsEncryptionSupported => throw new NotImplementedException();
+
+            public Task<string[]> GetSecretSnapshots(ScriptSecretsType type, string functionName)
+            {
+                return Task.FromResult(new string[0]);
+            }
+
+            public Task PurgeOldSecretsAsync(IList<string> currentFunctions, ILogger logger)
+            {
+                return Task.CompletedTask;
+            }
+
+            public Task<ScriptSecrets> ReadAsync(ScriptSecretsType type, string functionName)
+            {
+                ScriptSecrets secrets = null;
+
+                if (type == ScriptSecretsType.Function)
+                {
+                    FunctionSecrets.TryGetValue(functionName, out secrets);
+                }
+                else
+                {
+                    secrets = HostSecrets;
+                }
+
+                return Task.FromResult(secrets);
+            }
+
+            public async Task WriteAsync(ScriptSecretsType type, string functionName, ScriptSecrets secrets)
+            {
+                if (_enforceSerialWrites && _writeCount > 1)
+                {
+                    throw new Exception("Concurrent writes detected!");
+                }
+
+                Interlocked.Increment(ref _writeCount);
+
+                await Task.Delay(_rand.Next(100, 300));
+
+                if (type == ScriptSecretsType.Function)
+                {
+                    FunctionSecrets[functionName] = secrets;
+                }
+                else
+                {
+                    HostSecrets = secrets;
+                }
+
+                Interlocked.Decrement(ref _writeCount);
+
+                if (SecretsChanged != null)
+                {
+                    SecretsChanged(this, new SecretsChangedEventArgs { SecretsType = type, Name = functionName });
+                }
+            }
+
+            public Task WriteSnapshotAsync(ScriptSecretsType type, string functionName, ScriptSecrets secrets)
+            {
+                return Task.CompletedTask;
+            }
+        }
     }
 }