Added logging capabilities for all secrets repos. Implemented logging for blob storage repo.

Author: gzuber

src/WebJobs.Script.WebHost/Diagnostics/Extensions/ScriptHostServiceSecurityExtension.cs

@@ -0,0 +1,35 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics.Extensions
+{
+    public static class ScriptHostServiceSecurityExtension
+    {
+        // EventId range is 600-699
+
+        private static readonly Action<ILogger, string, string, Exception> _blobStorageSecretRepoError =
+            LoggerMessage.Define<string, string>(
+                LogLevel.Error,
+                new EventId(600, nameof(BlobStorageSecretRepoError)),
+                "There was an error performing a {operation} operation on the Blob Storage Secret Repository. Please ensure the '{appSettingName}' connection string is valid.");
+
+        private static readonly Action<ILogger, string, string, Exception> _blobStorageSecretSasRepoError =
+            LoggerMessage.Define<string, string>(
+                LogLevel.Error,
+                new EventId(601, nameof(BlobStorageSecretSasRepoError)),
+                "There was an error performing a {operation} operation on the Blob Storage Secret Repository. Please ensure the '{appSettingName}' SAS URL has Read, Write, and List permissions.");
+
+        public static void BlobStorageSecretRepoError(this ILogger logger, string operation, string appSettingName)
+        {
+            _blobStorageSecretRepoError(logger, operation, appSettingName, null);
+        }
+
+        public static void BlobStorageSecretSasRepoError(this ILogger logger, string operation, string appSettingName)
+        {
+            _blobStorageSecretSasRepoError(logger, operation, appSettingName, null);
+        }
+    }
+}

src/WebJobs.Script.WebHost/Security/KeyManagement/BaseSecretsRepository.cs

@@ -35,8 +35,15 @@ public BaseSecretsRepository(string secretsSentinelFilePath)
             _sentinelFileWatcher.Changed += OnChanged;
         }
 
+        public BaseSecretsRepository(string secretsSentinelFilePath, ILogger logger) : this(secretsSentinelFilePath)
+        {
+            Logger = logger;
+        }
+
         public event EventHandler<SecretsChangedEventArgs> SecretsChanged;
 
+        protected ILogger Logger { get; }
+
         public abstract bool IsEncryptionSupported { get; }
 
         protected string GetSecretsSentinelFilePath(ScriptSecretsType secretsType, string functionName = null)

src/WebJobs.Script.WebHost/Security/KeyManagement/BlobStorageSasSecretsRepository.cs

@@ -2,6 +2,9 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
+using Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics.Extensions;
+using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
+using Microsoft.Extensions.Logging;
 using Microsoft.WindowsAzure.Storage.Blob;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost
@@ -12,12 +15,23 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost
     public sealed class BlobStorageSasSecretsRepository : BlobStorageSecretsRepository
     {
         public BlobStorageSasSecretsRepository(string secretSentinelDirectoryPath, string containerSasUri, string siteSlotName)
-            : base(secretSentinelDirectoryPath, containerSasUri, siteSlotName)
-        { }
+            : this(secretSentinelDirectoryPath, containerSasUri, siteSlotName, null)
+        {
+        }
+
+        public BlobStorageSasSecretsRepository(string secretSentinelDirectoryPath, string containerSasUri, string siteSlotName, ILogger logger)
+            : base(secretSentinelDirectoryPath, containerSasUri, siteSlotName, logger)
+        {
+        }
 
         protected override CloudBlobContainer CreateBlobContainer(string containerSasUri)
         {
             return new CloudBlobContainer(new Uri(containerSasUri));
         }
+
+        protected override void LogErrorMessage(string operation)
+        {
+            Logger?.BlobStorageSecretSasRepoError(operation, EnvironmentSettingNames.AzureWebJobsSecretStorageSas);
+        }
     }
 }

src/WebJobs.Script.WebHost/Security/KeyManagement/BlobStorageSecretsRepository.cs

@@ -8,6 +8,8 @@
 using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.Azure.WebJobs.Script.IO;
+using Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics.Extensions;
+using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
 using Microsoft.Extensions.Logging;
 using Microsoft.WindowsAzure.Storage;
 using Microsoft.WindowsAzure.Storage.Blob;
@@ -25,7 +27,13 @@ public class BlobStorageSecretsRepository : BaseSecretsRepository
         private readonly string _secretsContainerName = "azure-webjobs-secrets";
         private readonly string _accountConnectionString;
 
-        public BlobStorageSecretsRepository(string secretSentinelDirectoryPath, string accountConnectionString, string siteSlotName) : base(secretSentinelDirectoryPath)
+        public BlobStorageSecretsRepository(string secretSentinelDirectoryPath, string accountConnectionString, string siteSlotName)
+            : this(secretSentinelDirectoryPath, accountConnectionString, siteSlotName, null)
+        {
+        }
+
+        public BlobStorageSecretsRepository(string secretSentinelDirectoryPath, string accountConnectionString, string siteSlotName, ILogger logger)
+            : base(secretSentinelDirectoryPath, logger)
         {
             if (secretSentinelDirectoryPath == null)
             {
@@ -71,11 +79,18 @@ public override async Task<ScriptSecrets> ReadAsync(ScriptSecretsType type, stri
         {
             string secretsContent = null;
             string blobPath = GetSecretsBlobPath(type, functionName);
-            CloudBlockBlob secretBlob = _blobContainer.GetBlockBlobReference(blobPath);
-
-            if (await secretBlob.ExistsAsync())
+            try
+            {
+                CloudBlockBlob secretBlob = _blobContainer.GetBlockBlobReference(blobPath);
+                if (await secretBlob.ExistsAsync())
+                {
+                    secretsContent = await secretBlob.DownloadTextAsync();
+                }
+            }
+            catch (Exception e)
             {
-                secretsContent = await secretBlob.DownloadTextAsync();
+                LogErrorMessage("read");
+                throw e;
             }
 
             return string.IsNullOrEmpty(secretsContent) ? null : ScriptSecretSerializer.DeserializeSecrets(type, secretsContent);
@@ -89,7 +104,15 @@ public override async Task WriteAsync(ScriptSecretsType type, string functionNam
             }
 
             string blobPath = GetSecretsBlobPath(type, functionName);
-            await WriteToBlobAsync(blobPath, ScriptSecretSerializer.SerializeSecrets(secrets));
+            try
+            {
+                await WriteToBlobAsync(blobPath, ScriptSecretSerializer.SerializeSecrets(secrets));
+            }
+            catch (Exception e)
+            {
+                LogErrorMessage("write");
+                throw e;
+            }
 
             string filePath = GetSecretsSentinelFilePath(type, functionName);
             await FileUtility.WriteAsync(filePath, DateTime.UtcNow.ToString());
@@ -104,7 +127,16 @@ public override async Task WriteSnapshotAsync(ScriptSecretsType type, string fun
 
             string blobPath = GetSecretsBlobPath(type, functionName);
             blobPath = SecretsUtility.GetNonDecryptableName(blobPath);
-            await WriteToBlobAsync(blobPath, ScriptSecretSerializer.SerializeSecrets(secrets));
+
+            try
+            {
+                await WriteToBlobAsync(blobPath, ScriptSecretSerializer.SerializeSecrets(secrets));
+            }
+            catch (Exception e)
+            {
+                LogErrorMessage("write");
+                throw e;
+            }
         }
 
         public override async Task PurgeOldSecretsAsync(IList<string> currentFunctions, ILogger logger)
@@ -118,7 +150,16 @@ public override async Task<string[]> GetSecretSnapshots(ScriptSecretsType type,
             // Prefix is secret blob path without extension
             string prefix = Path.GetFileNameWithoutExtension(GetSecretsBlobPath(type, functionName)) + $".{ScriptConstants.Snapshot}";
 
-            BlobResultSegment segmentResult = await _blobContainer.ListBlobsSegmentedAsync(string.Format("{0}/{1}", _secretsBlobPath, prefix.ToLowerInvariant()), null);
+            BlobResultSegment segmentResult;
+            try
+            {
+                segmentResult = await _blobContainer.ListBlobsSegmentedAsync(string.Format("{0}/{1}", _secretsBlobPath, prefix.ToLowerInvariant()), null);
+            }
+            catch (Exception e)
+            {
+                LogErrorMessage("list");
+                throw e;
+            }
             return segmentResult.Results.Select(x => x.Uri.ToString()).ToArray();
         }
 
@@ -137,5 +178,10 @@ private async Task WriteToBlobAsync(string blobPath, string secretsContent)
                 await writer.WriteAsync(secretsContent);
             }
         }
+
+        protected virtual void LogErrorMessage(string operation)
+        {
+            Logger?.BlobStorageSecretRepoError(operation, "AzureWebJobsStorage");
+        }
     }
 }

src/WebJobs.Script.WebHost/Security/KeyManagement/DefaultSecretManagerProvider.cs

@@ -15,8 +15,7 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost
     public sealed class DefaultSecretManagerProvider : ISecretManagerProvider
     {
         private const string FileStorage = "Files";
-        private const string BlobStorage = "Blob";
-        private readonly ILogger _logger;
+        private readonly ILoggerFactory _loggerFactory;
         private readonly IMetricsLogger _metricsLogger;
         private readonly IOptionsMonitor<ScriptApplicationHostOptions> _options;
         private readonly IHostIdProvider _hostIdProvider;
@@ -39,7 +38,7 @@ public DefaultSecretManagerProvider(IOptionsMonitor<ScriptApplicationHostOptions
             _environment = environment ?? throw new ArgumentNullException(nameof(environment));
             _hostNameProvider = hostNameProvider ?? throw new ArgumentNullException(nameof(hostNameProvider));
 
-            _logger = loggerFactory.CreateLogger(ScriptConstants.LogCategoryHostGeneral);
+            _loggerFactory = loggerFactory;
             _metricsLogger = metricsLogger ?? throw new ArgumentNullException(nameof(metricsLogger));
             _secretManagerLazy = new Lazy<ISecretManager>(Create);
 
@@ -51,7 +50,7 @@ public DefaultSecretManagerProvider(IOptionsMonitor<ScriptApplicationHostOptions
 
         private void ResetSecretManager() => Interlocked.Exchange(ref _secretManagerLazy, new Lazy<ISecretManager>(Create));
 
-        private ISecretManager Create() => new SecretManager(CreateSecretsRepository(), _logger, _metricsLogger, _hostNameProvider);
+        private ISecretManager Create() => new SecretManager(CreateSecretsRepository(), _loggerFactory.CreateLogger<SecretManager>(), _metricsLogger, _hostNameProvider);
 
         internal ISecretsRepository CreateSecretsRepository()
         {
@@ -75,12 +74,12 @@ internal ISecretsRepository CreateSecretsRepository()
             else if (secretStorageSas != null)
             {
                 string siteSlotName = _environment.GetAzureWebsiteUniqueSlotName() ?? _hostIdProvider.GetHostIdAsync(CancellationToken.None).GetAwaiter().GetResult();
-                return new BlobStorageSasSecretsRepository(Path.Combine(_options.CurrentValue.SecretsPath, "Sentinels"), secretStorageSas, siteSlotName);
+                return new BlobStorageSasSecretsRepository(Path.Combine(_options.CurrentValue.SecretsPath, "Sentinels"), secretStorageSas, siteSlotName, _loggerFactory.CreateLogger<BlobStorageSasSecretsRepository>());
             }
             else if (storageString != null)
             {
                 string siteSlotName = _environment.GetAzureWebsiteUniqueSlotName() ?? _hostIdProvider.GetHostIdAsync(CancellationToken.None).GetAwaiter().GetResult();
-                return new BlobStorageSecretsRepository(Path.Combine(_options.CurrentValue.SecretsPath, "Sentinels"), storageString, siteSlotName);
+                return new BlobStorageSecretsRepository(Path.Combine(_options.CurrentValue.SecretsPath, "Sentinels"), storageString, siteSlotName, _loggerFactory.CreateLogger<BlobStorageSecretsRepository>());
             }
             else
             {