Honor secure Functions host URIs in Java worker

[larohra]

Summary

JavaWorkerClient always builds ManagedChannelBuilder.forAddress(...).usePlaintext(), so the Java worker ignores the already-parsed --functions-uri and can never join a secure host/worker gRPC channel.

Findings

• Fix necessary: Yes. Today the worker guarantees plaintext and blocks any host-side TLS rollout, leaving any non-local transport exposed to MITM tampering.
• Historical context: Plaintext dates back to the early 2018 same-machine child-process design. In 2023 the worker added prefixed startup args, including functions-uri, plus fallback to legacy args, but JavaWorkerClient was not updated; this looks like an old assumption that became a gap once URI-based startup existed.
• TLS behavior clarification: The fix should honor TLS, not ignore it. When functions-uri uses https, the worker should build a TLS gRPC channel and fail if handshake, certificate, or hostname validation fails. Only http URIs, or legacy startup that supplies just host+port, should continue to use plaintext.
• Regression / breaking change: No new CLI or protocol contract. Existing http and legacy host+port launches keep their current behavior. The only observable behavior change is that a previously ignored or misconfigured https endpoint will stop connecting insecurely and instead fail closed.
• Customer contract: No new flags are required. Trust still comes from the JVM trust configuration already available via existing Java options, so hosts using private CAs do not need a new worker-specific switch.
• Testing today: mvn test currently passes (63 tests, 0 failures/errors/skips). Repo CI also runs build plus emulated, docker, and end-to-end matrices, but there is no direct secure gRPC transport coverage.

Plan

1. Expose the parsed functions-uri through IApplication in a compatibility-safe way.
2. Make JavaWorkerClient choose transport from the URI scheme: https => TLS with no plaintext downgrade, http or legacy host+port => plaintext.
3. Add focused plaintext/TLS transport tests and rerun mvn test.

[larohra]

@copilot address the comments

[Copilot]

@copilot address the comments

Done in 0c9d360 and 5a9ed39. I addressed both review threads, ran targeted tests and full mvn test, and pushed the updates.

[larohra]

@copilot apply changes based on this feedback

[Copilot]

Implemented in f7e6bc4. I updated GrpcTransportTest to scope azure.functions.worker.java.skip.testing with an AutoCloseable (SkipTestingScope) so each test restores the original property value and avoids cross-test leakage. No UI changes were made in this PR, so there is no UI screenshot to provide.

[larohra]

@copilot this is the feedback - These tests set the global system property azure.functions.worker.java.skip.testing but never restore/clear it. Since surefire runs tests in the same JVM by default, this can leak into other tests and make the suite order-dependent. Consider capturing the original value and restoring it in a finally block (or via a small AutoCloseable/JUnit extension similar to TrustStoreScope).

Can you address it please

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/Azure/azure-functions-java-worker/pulls/comments/3228705589
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[larohra]

@copilot can you address these comments - Azure#872 (comment) and Azure#872 (comment)

[Copilot]

@copilot can you address these comments - Azure#872 (comment) and Azure#872 (comment)...

I can’t access those two Azure PR discussion links from this environment right now. Please paste the exact comment text (or screenshots) for discussion_r3245098945 and discussion_r3245102893, and I’ll apply the fixes immediately.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/Azure/azure-functions-java-worker/pulls/comments/3245098945
  • Triggering command: /usr/bin/curl curl -sS REDACTED (http block)
  • Triggering command: /usr/bin/curl curl -i -sS REDACTED (http block)
• https://api.github.com/repos/Azure/azure-functions-java-worker/pulls/comments/3245102893
  • Triggering command: /usr/bin/curl curl -i -sS REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[larohra]

@copilot address these comments

[Copilot]

@copilot address these comments

Addressed in dd4c111.