unmanaged node prototype

Author: chkeita

src/ApiService/ApiService/Functions/AgentRegistration.cs

@@ -1,5 +1,4 @@
-using System.Web;
-using Azure.Storage.Sas;
+using Azure.Storage.Sas;
 using Microsoft.Azure.Functions.Worker;
 using Microsoft.Azure.Functions.Worker.Http;
 
@@ -31,17 +30,13 @@ public Async.Task<HttpResponseData> Run(
             });
 
     private async Async.Task<HttpResponseData> Get(HttpRequestData req) {
-        var uri = HttpUtility.ParseQueryString(req.Url.Query);
-        var rawMachineId = uri["machine_id"];
-        if (rawMachineId is null || !Guid.TryParse(rawMachineId, out var machineId)) {
-            return await _context.RequestHandling.NotOk(
-                req,
-                new Error(
-                    ErrorCode.INVALID_REQUEST,
-                    new string[] { "'machine_id' query parameter must be provided" }),
-                "agent registration");
+        var request = await RequestHandling.ParseUri<AgentRegistrationGet>(req);
+        if (!request.IsOk) {
+            return await _context.RequestHandling.NotOk(req, request.ErrorV, "agent registration");
         }
 
+        var machineId = request.OkV.MachineId;
+
         var agentNode = await _context.NodeOperations.GetByMachineId(machineId);
         if (agentNode is null) {
             return await _context.RequestHandling.NotOk(
@@ -82,32 +77,18 @@ private async Async.Task<AgentRegistrationResponse> CreateRegistrationResponse(S
             WorkQueue: workQueue);
     }
 
+    // todo: add agent registration post
     private async Async.Task<HttpResponseData> Post(HttpRequestData req) {
-        var uri = HttpUtility.ParseQueryString(req.Url.Query);
-        var rawMachineId = uri["machine_id"];
-        if (rawMachineId is null || !Guid.TryParse(rawMachineId, out var machineId)) {
-            return await _context.RequestHandling.NotOk(
-                req,
-                new Error(
-                    ErrorCode.INVALID_REQUEST,
-                    new string[] { "'machine_id' query parameter must be provided" }),
-                "agent registration");
-        }
-
-        var rawPoolName = uri["pool_name"];
-        if (rawPoolName is null || !PoolName.TryParse(rawPoolName, out var poolName)) {
-            return await _context.RequestHandling.NotOk(
-                req,
-                new Error(
-                    ErrorCode.INVALID_REQUEST,
-                    new string[] { "'pool_name' query parameter must be provided" }),
-                "agent registration");
+        var request = await RequestHandling.ParseUri<AgentRegistrationPost>(req);
+        if (!request.IsOk) {
+            return await _context.RequestHandling.NotOk(req, request.ErrorV, "agent registration");
         }
 
-        var rawScalesetId = uri["scaleset_id"];
-        var scalesetId = rawScalesetId is null ? (Guid?)null : Guid.Parse(rawScalesetId);
-
-        var version = uri["version"] ?? "1.0.0";
+        var machineId = request.OkV.MachineId;
+        var poolName = request.OkV.PoolName;
+        var scalesetId = request.OkV.ScalesetId;
+        var version = request.OkV.Version;
+        var os = request.OkV.Os;
 
         _log.Info($"registration request: machine_id: {machineId} pool_name: {poolName} scaleset_id: {scalesetId} version: {version}");
         var poolResult = await _context.PoolOperations.GetByName(poolName);
@@ -127,12 +108,23 @@ private async Async.Task<HttpResponseData> Post(HttpRequestData req) {
             await _context.NodeOperations.Delete(existingNode);
         }
 
+        if (os != null && pool.Os != os) {
+            return await _context.RequestHandling.NotOk(
+                req,
+                new Error(
+                    Code: ErrorCode.INVALID_REQUEST,
+                    Errors: new[] { $"OS mismatch: pool '{poolName}' is configured for '{pool.Os}', but agent is running '{os}'" }),
+                "agent registration");
+        }
+
         var node = new Service.Node(
             PoolName: poolName,
             PoolId: pool.PoolId,
             MachineId: machineId,
             ScalesetId: scalesetId,
-            Version: version);
+            Version: version,
+            Os: os ?? pool.Os
+            );
 
         await _context.NodeOperations.Replace(node);
 

src/ApiService/ApiService/Functions/GetPoolConfig.cs

@@ -0,0 +1,58 @@
+using System.Net;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.Azure.Functions.Worker;
+using Microsoft.Azure.Functions.Worker.Http;
+
+namespace Microsoft.OneFuzz.Service.Functions;
+
+public class GetPoolConfig {
+    private readonly ILogTracer _log;
+    private readonly IEndpointAuthorization _auth;
+    private readonly IOnefuzzContext _context;
+
+    public GetPoolConfig(ILogTracer log, IEndpointAuthorization auth, IOnefuzzContext context) {
+        _log = log;
+        _auth = auth;
+        _context = context;
+    }
+
+    [Function("GetPoolConfig")]
+    public Async.Task<HttpResponseData> Run([HttpTrigger(AuthorizationLevel.Anonymous, "GET", Route = "pool/getconfig")] HttpRequestData req, ClaimsPrincipal principal)
+        => _auth.CallIfUser(req, r => r.Method switch {
+            "GET" => Get(r),
+            var m => throw new InvalidOperationException("Unsupported HTTP method {m}"),
+        });
+
+    private async Task<HttpResponseData> Get(HttpRequestData req) {
+        var request = await RequestHandling.ParseRequest<PoolSearch>(req);
+        if (!request.IsOk) {
+            return await _context.RequestHandling.NotOk(req, request.ErrorV, "pool get config");
+        }
+
+        var search = request.OkV;
+        OneFuzzResult<Service.Pool> poolResult;
+        if (search.PoolId is Guid poolId) {
+            poolResult = await _context.PoolOperations.GetById(poolId);
+        } else if (search.Name is PoolName name) {
+            poolResult = await _context.PoolOperations.GetByName(name);
+        } else {
+            return await _context.RequestHandling.NotOk(req, new Error(ErrorCode.INVALID_REQUEST, new[] { "missing pool name or id" }), "pool get config");
+        }
+
+        if (!poolResult.IsOk) {
+            return await _context.RequestHandling.NotOk(req, poolResult.ErrorV, context: search.ToString());
+        }
+
+        if (!poolResult.OkV.Managed) {
+            return await _context.RequestHandling.NotOk(req, new Error(ErrorCode.INVALID_REQUEST, new[] { "Pool is a managed pool" }), context: search.ToString());
+        }
+        var poolConfig = await _context.Extensions.CreatePoolConfig(poolResult.OkV);
+
+        var response = req.CreateResponse(HttpStatusCode.OK);
+        await response.WriteAsJsonAsync(poolConfig);
+        return response;
+    }
+
+
+}

src/ApiService/ApiService/OneFuzzTypes/Model.cs

@@ -96,6 +96,7 @@ public record Node
     DateTimeOffset? Heartbeat = null,
     DateTimeOffset? InitializedAt = null,
     NodeState State = NodeState.Init,
+    Os? Os = null,
 
     Guid? ScalesetId = null,
     bool ReimageRequested = false,
@@ -162,7 +163,11 @@ public sealed override string ToString() {
     }
 };
 
-public record UserInfo(Guid? ApplicationId, Guid? ObjectId, String? Upn);
+public record UserInfo(Guid? ApplicationId, Guid? ObjectId, String? Upn, List<string> Roles) {
+    public static UserInfo Create() {
+        return new UserInfo(null, null, null, new List<string>());
+    }
+}
 
 public record TaskDetails(
     TaskType Type,

src/ApiService/ApiService/OneFuzzTypes/Requests.cs

@@ -252,3 +252,17 @@ public record WebhookUpdate(
     string? SecretToken,
     WebhookMessageFormat? MessageFormat
 );
+
+
+public record AgentRegistrationGet(
+    Guid MachineId
+);
+
+
+public record AgentRegistrationPost(
+    PoolName PoolName,
+    Guid? ScalesetId,
+    Guid MachineId,
+    string Version,
+    Os? Os
+);

src/ApiService/ApiService/OneFuzzTypes/Responses.cs

@@ -103,6 +103,7 @@ public record PoolGetResult(
     AgentConfig? Config,
     List<WorkSetSummary>? WorkQueue,
     List<ScalesetSummary>? ScalesetSummary
+//List<Node>? UnmanagedNodes
 ) : BaseResponse();
 
 public record ScalesetResponse(

src/ApiService/ApiService/UserCredentials.cs

@@ -1,4 +1,5 @@
-using System.Net.Http.Headers;
+using System.IdentityModel.Tokens.Jwt;
+using System.Net.Http.Headers;
 using System.Threading.Tasks;
 using Microsoft.Azure.Functions.Worker.Http;
 using Microsoft.IdentityModel.Tokens;
@@ -15,10 +16,12 @@ public interface IUserCredentials {
 public class UserCredentials : IUserCredentials {
     ILogTracer _log;
     IConfigOperations _instanceConfig;
+    private JwtSecurityTokenHandler _tokenHandler;
 
     public UserCredentials(ILogTracer log, IConfigOperations instanceConfig) {
         _log = log;
         _instanceConfig = instanceConfig;
+        _tokenHandler = new JwtSecurityTokenHandler();
     }
 
     public string? GetBearerToken(HttpRequestData req) {
@@ -57,6 +60,8 @@ from t in r.AllowedAadTenants
     }
 
     public virtual async Task<OneFuzzResult<UserInfo>> ParseJwtToken(HttpRequestData req) {
+
+
         var authToken = GetAuthToken(req);
         if (authToken is null) {
             return OneFuzzResult<UserInfo>.Error(ErrorCode.INVALID_REQUEST, new[] { "unable to find authorization token" });
@@ -65,22 +70,24 @@ public virtual async Task<OneFuzzResult<UserInfo>> ParseJwtToken(HttpRequestData
             var allowedTenants = await GetAllowedTenants();
             if (allowedTenants.IsOk) {
                 if (allowedTenants.OkV is not null && allowedTenants.OkV.Contains(token.Issuer)) {
-                    Guid? applicationId = (
-                            from t in token.Claims
-                            where t.Type == "appId"
-                            select (Guid.Parse(t.Value))).FirstOrDefault();
-
-                    Guid? objectId = (
-                            from t in token.Claims
-                            where t.Type == "oid"
-                            select (Guid.Parse(t.Value))).FirstOrDefault();
-
-                    string? upn = (
-                            from t in token.Claims
-                            where t.Type == "upn"
-                            select t.Value).FirstOrDefault();
+                    var userInfo =
+                        token.Payload.Claims.Aggregate(UserInfo.Create(), (acc, claim) => {
+                            switch (claim.Type) {
+                                case "oid":
+                                    return acc with { ObjectId = Guid.Parse(claim.Value) };
+                                case "appId":
+                                    return acc with { ApplicationId = Guid.Parse(claim.Value) };
+                                case "upn":
+                                    return acc with { Upn = claim.Value };
+                                case "roles":
+                                    acc.Roles.Add(claim.Value);
+                                    return acc;
+                                default:
+                                    return acc;
+                            }
+                        });
 
-                    return OneFuzzResult<UserInfo>.Ok(new(applicationId, objectId, upn));
+                    return OneFuzzResult<UserInfo>.Ok(userInfo);
                 } else {
                     _log.Error($"issuer not from allowed tenant: {token.Issuer} - {allowedTenants}");
                     return OneFuzzResult<UserInfo>.Error(ErrorCode.INVALID_REQUEST, new[] { "unauthorized AAD issuer" });

src/ApiService/ApiService/onefuzzlib/EndpointAuthorization.cs

@@ -5,6 +5,7 @@
 namespace Microsoft.OneFuzz.Service;
 
 public interface IEndpointAuthorization {
+
     Async.Task<HttpResponseData> CallIfAgent(
         HttpRequestData req,
         Func<HttpRequestData, Async.Task<HttpResponseData>> method)
@@ -183,6 +184,9 @@ private GroupMembershipChecker CreateGroupMembershipChecker(InstanceConfig confi
     }
 
     public async Async.Task<bool> IsAgent(UserInfo tokenData) {
+        // todo: handle unmanaged node here
+        // check if the request is comming from a geristered app with apprile agent
+
         if (tokenData.ObjectId != null) {
             var scalesets = _context.ScalesetOperations.GetByObjectId(tokenData.ObjectId.Value);
             if (await scalesets.AnyAsync()) {
@@ -202,6 +206,10 @@ public async Async.Task<bool> IsAgent(UserInfo tokenData) {
             return true;
         }
 
+        // if (tokenData.Roles.Contains("unmanagedNode")) {
+        //     return true;
+        // }
+
         return false;
     }
 }

src/ApiService/ApiService/onefuzzlib/Extension.cs

@@ -12,6 +12,9 @@ public interface IExtensions {
     Async.Task<IList<VirtualMachineScaleSetExtensionData>> FuzzExtensions(Pool pool, Scaleset scaleset);
 
     Async.Task<Dictionary<string, VirtualMachineExtensionData>> ReproExtensions(AzureLocation region, Os reproOs, Guid reproId, ReproConfig reproConfig, Container? setupContainer);
+
+    Async.Task<Uri?> BuildPoolConfig(Pool pool);
+    Task<AgentConfig> CreatePoolConfig(Pool pool);
     Task<IList<VMExtensionWrapper>> ProxyManagerExtensions(string region, Guid proxyId);
 }
 
@@ -211,6 +214,14 @@ public static VMExtensionWrapper GenevaExtension(AzureLocation region) {
 
 
     public async Async.Task<Uri?> BuildPoolConfig(Pool pool) {
+        var config = await CreatePoolConfig(pool);
+
+        var fileName = $"{pool.Name}/config.json";
+        await _context.Containers.SaveBlob(new Container("vm-scripts"), fileName, (JsonSerializer.Serialize(config, EntityConverter.GetJsonSerializerOptions())), StorageType.Config);
+        return await ConfigUrl(new Container("vm-scripts"), fileName, false);
+    }
+
+    public async Task<AgentConfig> CreatePoolConfig(Pool pool) {
         var instanceId = await _context.Containers.GetInstanceId();
 
         var queueSas = await _context.Queue.GetQueueSas("node-heartbeat", StorageType.Config, QueueSasPermissions.Add);
@@ -223,11 +234,8 @@ public static VMExtensionWrapper GenevaExtension(AzureLocation region) {
             MicrosoftTelemetryKey: _context.ServiceConfiguration.OneFuzzTelemetry,
             MultiTenantDomain: _context.ServiceConfiguration.MultiTenantDomain,
             InstanceId: instanceId
-            );
-
-        var fileName = $"{pool.Name}/config.json";
-        await _context.Containers.SaveBlob(new Container("vm-scripts"), fileName, (JsonSerializer.Serialize(config, EntityConverter.GetJsonSerializerOptions())), StorageType.Config);
-        return await ConfigUrl(new Container("vm-scripts"), fileName, false);
+        );
+        return config;
     }
 
 

src/ApiService/IntegrationTests/JobsTests.cs

@@ -157,7 +157,7 @@ public async Async.Task Post_CreatesJob_AndContainer() {
         var func = new Jobs(auth, Context);
 
         // need user credentials to put into the job object
-        var userInfo = new UserInfo(Guid.NewGuid(), Guid.NewGuid(), "upn");
+        var userInfo = new UserInfo(Guid.NewGuid(), Guid.NewGuid(), "upn", new List<string>());
         Context.UserCredentials = new TestUserCredentials(Logger, Context.ConfigOperations, OneFuzzResult.Ok(userInfo));
 
         var result = await func.Run(TestHttpRequestData.FromJson("POST", _config));

src/ApiService/IntegrationTests/NodeTests.cs

@@ -161,7 +161,7 @@ await Context.InsertAll(
         var auth = new TestEndpointAuthorization(RequestType.User, Logger, Context);
 
         // override the found user credentials
-        var userInfo = new UserInfo(ApplicationId: Guid.NewGuid(), ObjectId: Guid.NewGuid(), "upn");
+        var userInfo = new UserInfo(ApplicationId: Guid.NewGuid(), ObjectId: Guid.NewGuid(), "upn", new List<string>());
         Context.UserCredentials = new TestUserCredentials(Logger, Context.ConfigOperations, OneFuzzResult<UserInfo>.Ok(userInfo));
 
         var req = new NodeGet(MachineId: _machineId);
@@ -189,7 +189,7 @@ await Context.InsertAll(
         var auth = new TestEndpointAuthorization(RequestType.User, Logger, Context);
 
         // override the found user credentials
-        var userInfo = new UserInfo(ApplicationId: Guid.NewGuid(), ObjectId: Guid.NewGuid(), "upn");
+        var userInfo = new UserInfo(ApplicationId: Guid.NewGuid(), ObjectId: Guid.NewGuid(), "upn", new List<string>());
         Context.UserCredentials = new TestUserCredentials(Logger, Context.ConfigOperations, OneFuzzResult<UserInfo>.Ok(userInfo));
 
         var req = new NodeGet(MachineId: _machineId);
@@ -219,7 +219,7 @@ await Context.InsertAll(
         var auth = new TestEndpointAuthorization(RequestType.User, Logger, Context);
 
         // override the found user credentials
-        var userInfo = new UserInfo(ApplicationId: Guid.NewGuid(), ObjectId: userObjectId, "upn");
+        var userInfo = new UserInfo(ApplicationId: Guid.NewGuid(), ObjectId: userObjectId, "upn", new List<string>());
         Context.UserCredentials = new TestUserCredentials(Logger, Context.ConfigOperations, OneFuzzResult<UserInfo>.Ok(userInfo));
 
         var req = new NodeGet(MachineId: _machineId);
@@ -250,7 +250,7 @@ await Context.InsertAll(
         var auth = new TestEndpointAuthorization(RequestType.User, Logger, Context);
 
         // override the found user credentials
-        var userInfo = new UserInfo(ApplicationId: Guid.NewGuid(), ObjectId: userObjectId, "upn");
+        var userInfo = new UserInfo(ApplicationId: Guid.NewGuid(), ObjectId: userObjectId, "upn", new List<string>());
         Context.UserCredentials = new TestUserCredentials(Logger, Context.ConfigOperations, OneFuzzResult<UserInfo>.Ok(userInfo));
 
         var req = new NodeGet(MachineId: _machineId);
@@ -279,7 +279,7 @@ await Context.InsertAll(
         var auth = new TestEndpointAuthorization(RequestType.User, Logger, Context);
 
         // override the found user credentials
-        var userInfo = new UserInfo(ApplicationId: Guid.NewGuid(), ObjectId: Guid.NewGuid(), "upn");
+        var userInfo = new UserInfo(ApplicationId: Guid.NewGuid(), ObjectId: Guid.NewGuid(), "upn", new List<string>());
         Context.UserCredentials = new TestUserCredentials(Logger, Context.ConfigOperations, OneFuzzResult<UserInfo>.Ok(userInfo));
 
         // all of these operations use NodeGet