profile support and remove auto-auth to azure

Author: TylerLeonhardt

examples/PSCoreApp/Profile.ps1

@@ -0,0 +1,20 @@
+# This script will be run on every COLD START of the Function App
+# You can define helper functions, run commands, or specify environment variables
+# NOTE: any variables defined that are not environment variables will get reset after the first execution
+
+# Example usecases for a Profile.ps1:
+
+# Authenticating with Azure PowerShell using MSI
+# $tokenAuthURI = $env:MSI_ENDPOINT + "?resource=https://management.azure.com&api-version=2017-09-01"
+# $tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
+# Connect-AzAccount -AccessToken $tokenResponse.access_token -AccountId $env:WEBSITE_SITE_NAME
+
+# Enabling legacy AzureRm alias in Azure PowerShell
+# Enable-AzureRmAlias
+
+# Defining a function that you can refernce in any of your PowerShell functions:
+# function Get-MyData {
+#     @{
+#         Foo = 5
+#     }
+# }

src/PowerShell/PowerShellManager.cs

@@ -17,12 +17,19 @@
 
 namespace Microsoft.Azure.Functions.PowerShellWorker.PowerShell
 {
+    using System.Linq;
     using System.Management.Automation;
+    using System.Text;
 
     internal class PowerShellManager
     {
         private readonly ILogger _logger;
         private readonly PowerShell _pwsh;
+        private const string PROFILE_FILENAME = "Profile.ps1";
+
+        // The path to the FunctionApp root. This is set at the first FunctionLoad message
+        //and used for determining the path to the 'Profile.ps1' and 'Modules' folder.
+        internal string FunctionAppRootLocation { get; set; }
 
         internal PowerShellManager(ILogger logger)
         {
@@ -48,69 +55,54 @@ internal PowerShellManager(ILogger logger)
             _pwsh.Streams.Warning.DataAdding += streamHandler.WarningDataAdding;
         }
 
-        internal void AuthenticateToAzure()
+        internal void InvokeProfile()
         {
-            // Check if Az.Profile is available
-            Collection<PSModuleInfo> azProfile = _pwsh.AddCommand("Get-Module")
-                .AddParameter("ListAvailable")
-                .AddParameter("Name", "Az.Profile")
-                .InvokeAndClearCommands<PSModuleInfo>();
-
-            if (azProfile.Count == 0)
+            IEnumerable<string> profiles = Directory.EnumerateFiles(FunctionAppRootLocation, PROFILE_FILENAME);
+            if (profiles.Count() == 0)
             {
-                _logger.Log(LogLevel.Trace, "Required module to automatically authenticate with Azure `Az.Profile` was not found in the PSModulePath.");
+                _logger.Log(LogLevel.Trace, $"No 'Profile.ps1' found at: {FunctionAppRootLocation}");
                 return;
             }
 
-            // Try to authenticate to Azure using MSI
-            string msiSecret = Environment.GetEnvironmentVariable("MSI_SECRET");
-            string msiEndpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT");
-            string accountId = Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME");
-
-            if (!string.IsNullOrEmpty(msiSecret) &&
-                !string.IsNullOrEmpty(msiEndpoint) &&
-                !string.IsNullOrEmpty(accountId))
+            var dotSourced = new StringBuilder(". ").Append(QuoteEscapeString(profiles.First()));
+            _pwsh.AddScript(dotSourced.ToString()).InvokeAndClearCommands();
+            
+            if (_pwsh.HadErrors)
             {
-                // NOTE: There is a limitation in Azure PowerShell that prevents us from using the parameter set:
-                // Connect-AzAccount -MSI or Connect-AzAccount -Identity
-                // see this GitHub issue https://github.com/Azure/azure-powershell/issues/7876
-                // As a workaround, we can all an API endpoint on the MSI_ENDPOINT to get an AccessToken and use that to authenticate
-                Collection<PSObject> response = _pwsh.AddCommand("Microsoft.PowerShell.Utility\\Invoke-RestMethod")
-                    .AddParameter("Method", "Get")
-                    .AddParameter("Headers", new Hashtable {{ "Secret", msiSecret }})
-                    .AddParameter("Uri", $"{msiEndpoint}?resource=https://management.azure.com&api-version=2017-09-01")
-                    .InvokeAndClearCommands<PSObject>();
+                var logMessage = $"Invoking the Profile had errors. See logs for details. Profile location: {FunctionAppRootLocation}";
+                _logger.Log(LogLevel.Error, logMessage, isUserLog: true);
+                throw new InvalidOperationException(logMessage);
+            }
+        }
 
-                if(_pwsh.HadErrors) 
-                {
-                    _logger.Log(LogLevel.Warning, "Failed to Authenticate to Azure via MSI. Check the logs for the errors generated.");
-                }
-                else
+        /// <summary>
+        /// Wrap a string in quotes to make it safe to use in scripts.
+        /// </summary>
+        /// <param name="path">The path to wrap in quotes.</param>
+        /// <returns>The given path wrapped in quotes appropriately.</returns>
+        private static StringBuilder QuoteEscapeString(string path)
+        {
+            var sb = new StringBuilder(path.Length + 2); // Length of string plus two quotes
+            sb.Append('\'');
+            if (!path.Contains('\''))
+            {
+                sb.Append(path);
+            }
+            else
+            {
+                foreach (char c in path)
                 {
-                    // We have successfully authenticated to Azure so we can return out.
-                    using (ExecutionTimer.Start(_logger, "Authentication to Azure"))
+                    if (c == '\'')
                     {
-                        _pwsh.AddCommand("Az.Profile\\Connect-AzAccount")
-                            .AddParameter("AccessToken", response[0].Properties["access_token"].Value)
-                            .AddParameter("AccountId", accountId)
-                            .InvokeAndClearCommands();
-
-                        if(_pwsh.HadErrors)
-                        {
-                            _logger.Log(LogLevel.Warning, "Failed to Authenticate to Azure. Check the logs for the errors generated.");
-                        }
-                        else
-                        {
-                            // We've successfully authenticated to Azure so we can return
-                            return;
-                        }
+                        sb.Append("''");
+                        continue;
                     }
+
+                    sb.Append(c);
                 }
             }
-            else
-            {
-                _logger.Log(LogLevel.Trace, "Skip authentication to Azure via MSI. Environment variables for authenticating to Azure are not present.");
-            }
+            sb.Append('\'');
+            return sb;
         }
 
         internal void InitializeRunspace()

src/RequestProcessor.cs

@@ -23,9 +23,10 @@ internal class RequestProcessor
         private readonly MessagingStream _msgStream;
         private readonly PowerShellManager _powerShellManager;
 
-        // used to determine if we have already added the Function App's 'Modules'
-        // folder to the PSModulePath
-        private bool _prependedPath;
+        // This is somewhat of a workaround for the fact that the WorkerInitialize message does
+        // not contain the file path of the Function App. Instead, we use this bool during the
+        // FunctionLoad message to initialize the Function App since we have the path.
+        private bool _initializedFunctionApp;
 
         internal RequestProcessor(MessagingStream msgStream)
         {
@@ -106,17 +107,19 @@ internal StreamingMessage ProcessFunctionLoadRequest(StreamingMessage request)
 
                 // if we haven't yet, add the well-known Function App module path to the PSModulePath
                 // The location of this module path is in a folder called "Modules" in the root of the Function App.
-                if (!_prependedPath)
+                if (!_initializedFunctionApp)
                 {
-                    string functionAppModulesPath = Path.GetFullPath(
-                        Path.Combine(functionLoadRequest.Metadata.Directory, "..", "Modules"));
-                    _powerShellManager.PrependToPSModulePath(functionAppModulesPath);
+                    string functionAppRoot = Path.GetFullPath(Path.Combine(functionLoadRequest.Metadata.Directory, ".."));
+                    _powerShellManager.FunctionAppRootLocation = functionAppRoot;
+
+                    // Prepend the Function App's 'Modules' folder to the PSModulePath
+                    _powerShellManager.PrependToPSModulePath(Path.Combine(functionAppRoot, "Modules"));
 
                     // Since this is the first time we know where the location of the FunctionApp is,
-                    // we can attempt to authenticate to Azure at this time.
-                    _powerShellManager.AuthenticateToAzure();
+                    // we can attempt to execute the Profile.
+                    _powerShellManager.InvokeProfile();
 
-                    _prependedPath = true;
+                    _initializedFunctionApp = true;
                 }
             }
             catch (Exception e)