feat: add config az func secret store extension (#333)

* feat: add config az func secret store extension

* pr-fix: use net6.0 az func

* pr-fix: use correct docker file

* pr-fix: use correct file paths in docker file

* pr-fix: update with token replacement in app settings

* pr-fix: correct az func routes

* pr-add: az func docker test to release build

Author: stijnmoreels

build/ci-build.yml

@@ -104,20 +104,14 @@ stages:
             inputs:
               artifact: 'Build'
               path: '$(Build.SourcesDirectory)'
-          - task: UseDotNet@2
-            displayName: 'Import .NET Core SDK ($(DotNet.Sdk.VersionBC))'
-            inputs:
-              packageType: 'sdk'
-              version: '$(DotNet.Sdk.VersionBC)'
           - template: 'templates/download-hashicorp-vault.yml'
             parameters:
               targetFolder: '$(Build.SourcesDirectory)'
               version: $(HashiCorp.Vault.Version)
               vaultBinVariableName: 'Arcus.HashiCorp.VaultBin'
-          - template: test/run-integration-tests.yml@templates
+          - template: templates/run-integration-tests.yml
             parameters:
-              dotnetSdkVersion: '$(DotNet.Sdk.Version)'
-              projectName: '$(Project).Tests.Integration'
+              dockerProjectName: '$(Project).Tests.Runtimes.AzureFunctions'
 
   - stage: ReleaseToMyget
     displayName: 'Release to MyGet'

build/nuget-release.yml

@@ -90,20 +90,14 @@ stages:
             inputs:
               artifact: 'Build'
               path: '$(Build.SourcesDirectory)'
-          - task: UseDotNet@2
-            displayName: 'Import .NET Core SDK ($(DotNet.Sdk.VersionBC))'
-            inputs:
-              packageType: 'sdk'
-              version: '$(DotNet.Sdk.VersionBC)'
           - template: 'templates/download-hashicorp-vault.yml'
             parameters:
               targetFolder: '$(Build.SourcesDirectory)'
               version: $(HashiCorp.Vault.Version)
               vaultBinVariableName: 'Arcus.HashiCorp.VaultBin'
-          - template: test/run-integration-tests.yml@templates
+          - template: templates/run-integration-tests.yml
             parameters:
-              dotnetSdkVersion: '$(DotNet.Sdk.Version)'
-              projectName: '$(Project).Tests.Integration'
+              dockerProjectName: '$(Project).Tests.Runtimes.AzureFunctions'
 
   - stage: Release
     displayName: 'Release to NuGet.org'

build/templates/run-integration-tests.yml

@@ -0,0 +1,42 @@
+parameters:
+  dockerProjectName: ''
+
+steps:
+  - bash: |
+      if [ -z "$PROJECT_NAME" ]; then
+        echo "##vso[task.logissue type=error;]Missing template parameter \"dockerProjectName\""
+        echo "##vso[task.complete result=Failed;]"
+      fi
+    env:
+      PROJECT_NAME: ${{ parameters.dockerProjectName }}
+  - task: UseDotNet@2
+    displayName: 'Import .NET Core SDK ($(DotNet.Sdk.VersionBC))'
+    inputs:
+      packageType: 'sdk'
+      version: '$(DotNet.Sdk.VersionBC)'
+  - task: Docker@1
+    displayName: 'Build Docker image from ${{ parameters.dockerProjectName }}'
+    inputs:
+      dockerFile: src/${{ parameters.dockerProjectName }}/Dockerfile
+      imageName: '${{ parameters.dockerProjectName }}:$(Build.BuildId)'
+      useDefaultContext: false
+      buildContext: src
+  - task: Docker@1
+    displayName: 'Run new  project Docker image from ${{ parameters.dockerProjectName }}'
+    inputs:
+      command: 'Run an image'
+      imageName: '${{ parameters.dockerProjectName }}:$(Build.BuildId)'
+      containerName: '${{ parameters.dockerProjectName }}'
+      ports: '$(Arcus.AzureFunctions.HttpPort):80'
+  - template: test/run-integration-tests.yml@templates
+    parameters:
+      dotnetSdkVersion: '$(DotNet.Sdk.Version)'
+      projectName: '$(Project).Tests.Integration'
+  - task: Bash@3
+    inputs:
+      targetType: 'inline'
+      script: |
+        docker logs ${{ parameters.dockerProjectName }}
+      failOnStderr: true
+    displayName: Show ${{ parameters.dockerProjectName }} logs
+    condition: always()

build/variables/test.yml

@@ -1,2 +1,3 @@
 variables:
   HashiCorp.Vault.Version: 1.5.0
+  Arcus.AzureFunctions.HttpPort: "5000"

docs/preview/features/secret-store/azure-functions.md

@@ -28,8 +28,7 @@ namespace MyHttpAzureFunction
     {
         public override void Configure(IFunctionsHostBuilder builder)
         {
-            IConfiguration config = builder.GetContext().Configuration;
-            builder.ConfigureSecretStore(stores =>
+            builder.ConfigureSecretStore((FunctionsHostBuilderContext context, IConfiguration config, SecretStoreBuilder stores) =>
             {
                 var keyVaultName = config["KeyVault_Name"];
                 stores.AddEnvironmentVariables()

src/Arcus.Security.AzureFunctions/Extensions/IFunctionHostBuilderExtensions.cs

@@ -1,6 +1,7 @@
 using System;
 using Arcus.Security.Core;
 using GuardNet;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 
@@ -27,5 +28,23 @@ public static IFunctionsHostBuilder ConfigureSecretStore(this IFunctionsHostBuil
             functionsHostBuilder.Services.AddSecretStore(configureSecretStores);
             return functionsHostBuilder;
         }
+
+        /// <summary>
+        /// Configure an <see cref="ISecretProvider"/> in the application with a given set of stores configured in the given <paramref name="configureSecretStores"/>.
+        /// </summary>
+        /// <param name="functionsHostBuilder">The builder to append the secret store configuration to.</param>
+        /// <param name="configureSecretStores">The customization of the different target secret store sources to include in the final <see cref="ISecretProvider"/>.</param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="functionsHostBuilder"/> or <paramref name="configureSecretStores"/> is <c>null</c>.</exception>
+        public static IFunctionsHostBuilder ConfigureSecretStore(
+            this IFunctionsHostBuilder functionsHostBuilder,
+            Action<FunctionsHostBuilderContext, IConfiguration, SecretStoreBuilder> configureSecretStores)
+        {
+            Guard.NotNull(functionsHostBuilder, nameof(functionsHostBuilder), "Requires a functions host builder to add the secret store");
+            Guard.NotNull(configureSecretStores, nameof(configureSecretStores), "Requires a function to configure the secret store with potential secret providers");
+
+            FunctionsHostBuilderContext context = functionsHostBuilder.GetContext();
+            functionsHostBuilder.Services.AddSecretStore(stores => configureSecretStores(context, context.Configuration, stores));
+            return functionsHostBuilder;
+        }
     }
 }

src/Arcus.Security.Tests.Integration/AzureFunctions/SecretStoreBuilderTests.cs

@@ -0,0 +1,46 @@
+using System.Net.Http;
+using System.Threading.Tasks;
+using Arcus.Security.Tests.Integration.Fixture;
+using Arcus.Testing.Logging;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Arcus.Security.Tests.Integration.AzureFunctions
+{
+    [Collection("Azure Functions")]
+    public class SecretStoreBuilderTests
+    {
+        private readonly string _defaultRoute;
+        private readonly ILogger _logger;
+
+        private static readonly HttpClient HttpClient = new HttpClient();
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SecretStoreBuilderTests" /> class.
+        /// </summary>
+        public SecretStoreBuilderTests(ITestOutputHelper outputWriter)
+        {
+            var config = TestConfig.Create();
+            var httpPort = config.GetValue<int>("Arcus:AzureFunctions:HttpPort");
+            _defaultRoute = $"http://localhost:{httpPort}/api/order";
+            
+            _logger = new XunitTestLogger(outputWriter);
+        }
+
+        [Fact]
+        public async Task ConfigureSecretStore_WithConfiguration_ReturnsConfigurationSecret()
+        {
+            // Act
+            _logger.LogInformation("GET -> '{Uri}'", _defaultRoute);
+            using (HttpResponseMessage response = await HttpClient.GetAsync(_defaultRoute))
+            {
+                // Assert
+                _logger.LogInformation("{StatusCode} <- {Uri}", response.StatusCode, _defaultRoute);
+                string contents = await response.Content.ReadAsStringAsync();
+                Assert.Equal("TestSecret", contents);
+            }
+        }
+    }
+}

src/Arcus.Security.Tests.Integration/appsettings.json

@@ -22,7 +22,10 @@
       "VaultBin": "#{Arcus.HashiCorp.VaultBin}#"
     },
     "ApplicationInsights": {
-      "InstrumentationKey": "#{Arcus.ApplicationInsights.InstrumentationKey}#" 
+      "InstrumentationKey": "#{Arcus.ApplicationInsights.InstrumentationKey}#"
+    },
+    "AzureFunctions": {
+      "HttpPort": "#{Arcus.AzureFunctions.HttpPort}#"
     } 
   }
 }