Use protected configuration provider instead of reflection (#8098)

Address https://github.com/NuGet/Engineering/issues/3206

Author: joelverhagen

…tGallery/App_Start/SessionPersistence.cs …alleryMachineKeyConfigurationProvider.cssrc/NuGetGallery/App_Start/SessionPersistence.cs renamed to src/NuGetGallery/App_Start/GalleryMachineKeyConfigurationProvider.cs src/NuGetGallery/App_Start/SessionPersistence.cs renamed to src/NuGetGallery/App_Start/GalleryMachineKeyConfigurationProvider.cs

@@ -1,45 +1,46 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.Configuration;
-using System.Reflection;
-using System.Web.Configuration;
+using System.Web.Mvc;
+using System.Xml;
 using NuGetGallery.Configuration;
 
 namespace NuGetGallery
 {
-    public static class SessionPersistence
+    public class GalleryMachineKeyConfigurationProvider : ProtectedConfigurationProvider
     {
-        public static void Setup(IGalleryConfigurationService config)
+        public override XmlNode Decrypt(XmlNode encryptedNode)
         {
+            var xmlDoc = new XmlDocument();
+            xmlDoc.XmlResolver = null;
+            xmlDoc.AppendChild(xmlDoc.CreateElement(string.Empty, "machineKey", string.Empty));
+
             // The machine keys are used for encrypting/decrypting cookies used by ASP.NET, these are usually set by IIS in 'Auto' mode. 
             // During a deployment to Azure cloud service the same machine key values are set on all the instances of a given cloud service,
             // thereby providing session persistence across different instances in the same deployment slot. However, across different slots(staging vs production)
             // these session keys are different. Thereby causing the loss of session upon a slot swap. Manually setting these values on role start ensures same
             // keys are used by all the instances across all the slots of a Azure cloud service. See more analysis here: https://github.com/NuGet/Engineering/issues/1329
+            var config = DependencyResolver.Current.GetService<IGalleryConfigurationService>();
             if (config.Current.EnableMachineKeyConfiguration
                 && !string.IsNullOrWhiteSpace(config.Current.MachineKeyDecryption)
                 && !string.IsNullOrWhiteSpace(config.Current.MachineKeyDecryptionKey)
                 && !string.IsNullOrWhiteSpace(config.Current.MachineKeyValidationAlgorithm)
                 && !string.IsNullOrWhiteSpace(config.Current.MachineKeyValidationKey))
             {
-                var mksType = typeof(MachineKeySection);
-                var mksSection = ConfigurationManager.GetSection("system.web/machineKey") as MachineKeySection;
-                var resetMethod = mksType.GetMethod("Reset", BindingFlags.NonPublic | BindingFlags.Instance);
-
-                var machineKeyConfig = new MachineKeySection();
-                machineKeyConfig.ApplicationName = mksSection.ApplicationName;
-                machineKeyConfig.CompatibilityMode = mksSection.CompatibilityMode;
-                machineKeyConfig.DataProtectorType = mksSection.DataProtectorType;
-                machineKeyConfig.Validation = mksSection.Validation;
+                xmlDoc.DocumentElement.SetAttribute("decryptionKey", config.Current.MachineKeyDecryptionKey);
+                xmlDoc.DocumentElement.SetAttribute("decryption", config.Current.MachineKeyDecryption);
+                xmlDoc.DocumentElement.SetAttribute("validationKey", config.Current.MachineKeyValidationKey);
+                xmlDoc.DocumentElement.SetAttribute("validation", config.Current.MachineKeyValidationAlgorithm);
+            }
 
-                machineKeyConfig.DecryptionKey = config.Current.MachineKeyDecryptionKey;
-                machineKeyConfig.Decryption = config.Current.MachineKeyDecryption;
-                machineKeyConfig.ValidationKey = config.Current.MachineKeyValidationKey;
-                machineKeyConfig.ValidationAlgorithm = config.Current.MachineKeyValidationAlgorithm;
+            return xmlDoc.DocumentElement;
+        }
 
-                resetMethod.Invoke(mksSection, new object[] { machineKeyConfig });
-            }
+        public override XmlNode Encrypt(XmlNode node)
+        {
+            throw new NotImplementedException();
         }
     }
-}
+}

src/NuGetGallery/App_Start/OwinStartup.cs

@@ -64,8 +64,6 @@ public static void Configuration(IAppBuilder app)
             var config = dependencyResolver.GetService<IGalleryConfigurationService>();
             var auth = dependencyResolver.GetService<AuthenticationService>();
 
-            // Configure machine key for session persistence across slots
-            SessionPersistence.Setup(config);
             // Refresh the content for the ContentObjectService to guarantee it has loaded the latest configuration on startup.
             var contentObjectService = dependencyResolver.GetService<IContentObjectService>();
             HostingEnvironment.QueueBackgroundWorkItem(async token =>

src/NuGetGallery/NuGetGallery.csproj

@@ -125,12 +125,12 @@
   </ItemGroup>
   <ItemGroup>
     <Compile Include="ActionName.cs" />
+    <Compile Include="App_Start\GalleryMachineKeyConfigurationProvider.cs" />
     <Compile Include="App_Start\LatestVersionRouteConstraint.cs" />
     <Compile Include="App_Start\NuGetODataV2FeedConfig.cs" />
     <Compile Include="App_Start\NuGetODataV1FeedConfig.cs" />
     <Compile Include="App_Start\NuGetODataConfig.cs" />
     <Compile Include="App_Start\StorageDependent.cs" />
-    <Compile Include="App_Start\SessionPersistence.cs" />
     <Compile Include="App_Start\WebApiConfig.cs" />
     <Compile Include="App_Start\AutofacConfig.cs" />
     <Compile Include="Areas\Admin\Controllers\ApiKeysController.cs" />

src/NuGetGallery/Web.config

@@ -18,6 +18,11 @@
     <section name="dataCacheClients" type="Microsoft.ApplicationServer.Caching.DataCacheClientsSection, Microsoft.ApplicationServer.Caching.Core" allowLocation="true" allowDefinition="Everywhere"/>
     <!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
   </configSections>
+  <configProtectedData>
+    <providers>
+      <add name="GalleryMachineKeyConfigurationProvider" type="NuGetGallery.GalleryMachineKeyConfigurationProvider, NuGetGallery"/>
+    </providers>
+  </configProtectedData>
   <appSettings>
     <!-- If you're running in Azure, we suggest you set these in your .cscfg file. -->
     <!-- ******************* -->
@@ -354,6 +359,9 @@
       <error statusCode="500" redirect="~/App_500.aspx"/>
     </customErrors>
     <sessionState mode="Off"/>
+    <machineKey configProtectionProvider="GalleryMachineKeyConfigurationProvider">
+      <EncryptedData />
+    </machineKey>
   </system.web>
   <system.webServer>
     <tracing>