Merge pull request #110 from PerfectThymeTech/marvinbuss/bugfix_header_auth

Bugfix Header Auth Health Endpoint

Author: marvinbuss

code/function/fastapp/core/config.py

@@ -21,6 +21,7 @@ class Settings(BaseSettings):
     WEBSITE_AUTH_ENCRYPTION_KEY: str = Field(
         default="", alias="WEBSITE_AUTH_ENCRYPTION_KEY"
     )
+    WEBSITE_OS_TYPE: str = Field(default="test", alias="WEBSITE_OS_TYPE")
     MY_SECRET_CONFIG: str = Field(default="", alias="MY_SECRET_CONFIG")
 
 

code/function/fastapp/health/validate_request.py

@@ -4,24 +4,28 @@
 
 from fastapi import Header, HTTPException
 from fastapp.core.config import settings
+from fastapp.utils import setup_logging
+
+logger = setup_logging(__name__)
 
 
 async def verify_health_auth_header(
-    x_ms_auth_internal_token: Annotated[str, Header()]
+    x_ms_auth_internal_token: Annotated[str | None, Header()] = None
 ) -> bool:
     """Returns true if SHA256 of header_value matches WEBSITE_AUTH_ENCRYPTION_KEY.
+    This only works on Windows-based app services. Therefore, this feature is turned off for other OS types.
     Documentation: https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check?tabs=python#authentication-and-security
 
     x_ms_auth_internal_token: Value of the x-ms-auth-internal-token header.
     RETURNS (bool): Specifies whether the header matches.
     """
-    website_auth_encryption_key = settings.WEBSITE_AUTH_ENCRYPTION_KEY
-    hash = base64.b64encode(
-        sha256(website_auth_encryption_key.encode("utf-8")).digest()
-    ).decode("utf-8")
-    if hash != x_ms_auth_internal_token:
-        raise HTTPException(
-            status_code=400, detail="x-ms-auth-internal-token is invalid"
-        )
-    else:
-        return True
+    if settings.WEBSITE_OS_TYPE.lower() == "windows":
+        website_auth_encryption_key = settings.WEBSITE_AUTH_ENCRYPTION_KEY
+        hash = base64.b64encode(
+            sha256(website_auth_encryption_key.encode("utf-8")).digest()
+        ).decode("utf-8")
+        if hash != x_ms_auth_internal_token:
+            raise HTTPException(
+                status_code=400, detail="x-ms-auth-internal-token is invalid"
+            )
+    return True

code/infra/function.tf

@@ -121,6 +121,10 @@ resource "azapi_resource" "function" {
             name  = "WEBSITE_CONTENTOVERVNET"
             value = "1"
           },
+          {
+            name  = "WEBSITE_OS_TYPE"
+            value = azurerm_service_plan.service_plan.os_type
+          },
           {
             name  = "WEBSITE_RUN_FROM_PACKAGE"
             value = "0"

code/infra/logging.tf

@@ -16,32 +16,32 @@ resource "azurerm_application_insights" "application_insights" {
   workspace_id                          = azurerm_log_analytics_workspace.log_analytics_workspace.id
 }
 
-data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_application_insights" {
-  resource_id = azurerm_application_insights.application_insights.id
-}
-
-resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_application_insights" {
-  name                       = "logAnalytics"
-  target_resource_id         = azurerm_application_insights.application_insights.id
-  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
-
-  dynamic "enabled_log" {
-    iterator = entry
-    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.log_category_groups
-    content {
-      category_group = entry.value
-    }
-  }
-
-  dynamic "metric" {
-    iterator = entry
-    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.metrics
-    content {
-      category = entry.value
-      enabled  = true
-    }
-  }
-}
+# data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_application_insights" { # Disable to avoid duplicate logs in Application Insights
+#   resource_id = azurerm_application_insights.application_insights.id
+# }
+
+# resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_application_insights" {
+#   name                       = "logAnalytics"
+#   target_resource_id         = azurerm_application_insights.application_insights.id
+#   log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
+
+#   dynamic "enabled_log" {
+#     iterator = entry
+#     for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.log_category_groups
+#     content {
+#       category_group = entry.value
+#     }
+#   }
+
+#   dynamic "metric" {
+#     iterator = entry
+#     for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.metrics
+#     content {
+#       category = entry.value
+#       enabled  = true
+#     }
+#   }
+# }
 
 resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
   name                = "${local.prefix}-log001"

code/infra/storage.tf

@@ -34,6 +34,10 @@ resource "azurerm_storage_account" "storage" {
     default_action             = "Deny"
     ip_rules                   = []
     virtual_network_subnet_ids = []
+    private_link_access {
+      endpoint_resource_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/providers/Microsoft.Security/datascanners/storageDataScanner"
+      endpoint_tenant_id   = data.azurerm_client_config.current.tenant_id
+    }
   }
   nfsv3_enabled                 = false
   public_network_access_enabled = false