[OIDC] Add IFederatedCredentialValidator for additional token validation (#10306)

Author: joelverhagen

Directory.Packages.props

@@ -63,6 +63,7 @@
     <PackageVersion Include="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" Version="3.6.0" />
     <PackageVersion Include="Microsoft.Data.Services.Client" Version="5.8.4" />
     <PackageVersion Include="Microsoft.Data.Services" Version="5.8.4" />
+    <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" />
     <PackageVersion Include="Microsoft.Extensions.CommandLineUtils" Version="1.1.1" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.2" />

src/NuGetGallery.Core/Authentication/FederatedCredentialValidation.cs

@@ -0,0 +1,45 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+#nullable enable
+
+namespace NuGetGallery.Services.Authentication
+{
+    public enum FederatedCredentialValidationType
+    {
+        /// <summary>
+        /// The federated credential validation resulted in the request being unauthorized. A user visible error may be provided.
+        /// This result will take precedence over other results. This may be due to a bad credential format or another failure reason.
+        /// </summary>
+        Unauthorized = 1,
+
+        /// <summary>
+        /// The validator is not applicable to the given input. If no other validator is available, the token should be considered invalid.
+        /// </summary>
+        NotApplicable = 2,
+
+        /// <summary>
+        /// The token is valid. This will take precedence over other <see cref="NotApplicable"/> results.
+        /// </summary>
+        Valid = 3,
+    }
+
+    public class FederatedCredentialValidation
+    {
+        private static readonly FederatedCredentialValidation ValidInstance = new(FederatedCredentialValidationType.Valid, userError: null);
+        private static readonly FederatedCredentialValidation NotApplicableInstance = new(FederatedCredentialValidationType.NotApplicable, userError: null);
+
+        private FederatedCredentialValidation(FederatedCredentialValidationType type, string? userError)
+        {
+            Type = type;
+            UserError = userError;
+        }
+
+        public FederatedCredentialValidationType Type { get; }
+        public string? UserError { get; }
+
+        public static FederatedCredentialValidation Unauthorized(string? userError) => new(FederatedCredentialValidationType.Unauthorized, userError);
+        public static FederatedCredentialValidation NotApplicable() => NotApplicableInstance;
+        public static FederatedCredentialValidation Valid() => ValidInstance;
+    }
+}

src/NuGetGallery.Core/Authentication/IFederatedCredentialValidator.cs

@@ -0,0 +1,31 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+#nullable enable
+
+using System.Collections.Generic;
+using System.Collections.Specialized;
+using System.Security.Claims;
+using System.Threading.Tasks;
+
+namespace NuGetGallery.Services.Authentication
+{
+    /// <summary>
+    /// A validator for federated credentials, in addition to any built-in validations.
+    /// </summary>
+    public interface IFederatedCredentialValidator
+    {
+        /// <summary>
+        /// Validate the request headers of a given federated credential type.
+        /// </summary>
+        /// <param name="requestHeaders">The request headers containing the federated credential.</param>
+        /// <param name="issuer">The detected issuer type.</param>
+        /// <param name="unvalidatedClaims">
+        /// The claims provided by the federated credential.
+        /// It is the responsiblity of this method to validate claims before using them.</param>
+        Task<FederatedCredentialValidation> ValidateAsync(
+            NameValueCollection requestHeaders,
+            FederatedCredentialIssuerType issuer,
+            IEnumerable<Claim>? unvalidatedClaims);
+    }
+}

src/NuGetGallery.Core/NuGetGallery.Core.csproj

@@ -44,6 +44,7 @@
     <PackageReference Include="Azure.Identity" />
     <PackageReference Include="Azure.Storage.Blobs" />
     <PackageReference Include="EntityFramework" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
     <PackageReference Include="NuGet.Packaging" />
     <PackageReference Include="System.Formats.Asn1" />
   </ItemGroup>

src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialPolicyEvaluator.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Collections.Specialized;
 using System.Linq;
 using System.Text.Json;
 using System.Threading.Tasks;
@@ -19,40 +20,53 @@ namespace NuGetGallery.Services.Authentication
 {
     public interface IFederatedCredentialPolicyEvaluator
     {
-        Task<EvaluatedFederatedCredentialPolicies> GetMatchingPolicyAsync(IReadOnlyCollection<FederatedCredentialPolicy> policies, string bearerToken);
+        Task<EvaluatedFederatedCredentialPolicies> GetMatchingPolicyAsync(
+            IReadOnlyCollection<FederatedCredentialPolicy> policies,
+            string bearerToken,
+            NameValueCollection requestHeaders);
     }
 
     public class FederatedCredentialPolicyEvaluator : IFederatedCredentialPolicyEvaluator
     {
         private readonly IEntraIdTokenValidator _entraIdTokenValidator;
+        private readonly IReadOnlyList<IFederatedCredentialValidator> _additionalValidators;
         private readonly IAuditingService _auditingService;
         private readonly IDateTimeProvider _dateTimeProvider;
         private readonly ILogger<FederatedCredentialPolicyEvaluator> _logger;
 
         public FederatedCredentialPolicyEvaluator(
             IEntraIdTokenValidator entraIdTokenValidator,
+            IReadOnlyList<IFederatedCredentialValidator> additionalValidators,
             IAuditingService auditingService,
             IDateTimeProvider dateTimeProvider,
             ILogger<FederatedCredentialPolicyEvaluator> logger)
         {
             _entraIdTokenValidator = entraIdTokenValidator ?? throw new ArgumentNullException(nameof(entraIdTokenValidator));
+            _additionalValidators = additionalValidators ?? throw new ArgumentNullException(nameof(additionalValidators));
             _auditingService = auditingService ?? throw new ArgumentNullException(nameof(auditingService));
             _dateTimeProvider = dateTimeProvider ?? throw new ArgumentNullException(nameof(dateTimeProvider));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
         }
 
-        public async Task<EvaluatedFederatedCredentialPolicies> GetMatchingPolicyAsync(IReadOnlyCollection<FederatedCredentialPolicy> policies, string bearerToken)
+        public async Task<EvaluatedFederatedCredentialPolicies> GetMatchingPolicyAsync(
+            IReadOnlyCollection<FederatedCredentialPolicy> policies,
+            string bearerToken,
+            NameValueCollection requestHeaders)
         {
             // perform basic validations not specific to any federated credential policy
             // the error message is user-facing and should not leak sensitive information
             var (userError, jwtInfo) = await ValidateJwtByIssuer(bearerToken);
 
+            // Whether or not we have detected a problem already, pass the information to all additional validators.
+            // This allows custom logic to execute but will not override any initial failed validation result.
+            userError = await ExecuteAdditionalValidatorsAsync(requestHeaders, userError, jwtInfo);
+
             var externalCredentialAudit = jwtInfo.CreateAuditRecord();
             await AuditExternalCredentialAsync(externalCredentialAudit);
 
             if (userError is not null)
             {
-                _logger.LogInformation("The bearer token could not be validated. Reason: {UserError}", userError);
+                _logger.LogInformation("The bearer token failed validation. Reason: {UserError}", userError);
                 return EvaluatedFederatedCredentialPolicies.BadToken(userError);
             }
 
@@ -81,6 +95,53 @@ public async Task<EvaluatedFederatedCredentialPolicies> GetMatchingPolicyAsync(I
             return EvaluatedFederatedCredentialPolicies.NoMatchingPolicy(results);
         }
 
+        private async Task<string?> ExecuteAdditionalValidatorsAsync(NameValueCollection requestHeaders, string? userError, JwtInfo jwtInfo)
+        {
+            bool hasUnauthorized = false;
+            foreach (var validator in _additionalValidators)
+            {
+                var result = await validator.ValidateAsync(requestHeaders, jwtInfo.IssuerType, jwtInfo.Jwt?.Claims);
+                switch (result.Type)
+                {
+                    case FederatedCredentialValidationType.Unauthorized:
+                        // prefer the first user error, which will be the built-in user error if the bearer token is already rejected
+                        userError ??= result.UserError;
+                        hasUnauthorized = true;
+                        if (jwtInfo.IsValid)
+                        {
+                            _logger.LogWarning(
+                                "With issuer type {IssuerType}, the additional validator {Type} rejected the request, but the base validation accepted the bearer token. " +
+                                "Additional validator user message: {UserError}",
+                                jwtInfo.IssuerType,
+                                validator.GetType().FullName,
+                                result.UserError ?? "(none)");
+                        }
+                        break;
+                    case FederatedCredentialValidationType.Valid:
+                        if (!jwtInfo.IsValid)
+                        {
+                            _logger.LogWarning(
+                                "With issuer type {IssuerType}, the additional validator {Type} accepted the request, but the base validation rejected the bearer token.",
+                                jwtInfo.IssuerType,
+                                validator.GetType().FullName);
+                        }
+                        break;
+                    case FederatedCredentialValidationType.NotApplicable:
+                        break;
+                    default:
+                        throw new NotImplementedException("Unsupported validation type:" + result.Type);
+                }
+            }
+
+            if (hasUnauthorized)
+            {
+                userError ??= "The request could not be authenticated.";
+                jwtInfo.IsValid = false;
+            }
+
+            return userError;
+        }
+
         private async Task AuditPolicyComparisonAsync(ExternalSecurityTokenAuditRecord externalCredentialAudit, FederatedCredentialPolicy policy, bool success)
         {
             await _auditingService.SaveAuditRecordAsync(FederatedCredentialPolicyAuditRecord.Compare(

src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialService.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Collections.Specialized;
 using System.Data;
 using System.Text.Json;
 using System.Threading.Tasks;
@@ -22,8 +23,9 @@ public interface IFederatedCredentialService
         /// </summary>
         /// <param name="username">The username of the user account that owns the federated credential policy.</param>
         /// <param name="bearerToken">The bearer token to use for federated credential evaluation.</param>
+        /// <param name="requestHeaders">The HTTP headers used for the request. This provides full context needed for additional request validation.</param>
         /// <returns>The result, successful if <see cref="GenerateApiKeyResult.Type"/> is <see cref="GenerateApiKeyResultType.Created"/>.</returns>
-        Task<GenerateApiKeyResult> GenerateApiKeyAsync(string username, string bearerToken);
+        Task<GenerateApiKeyResult> GenerateApiKeyAsync(string username, string bearerToken, NameValueCollection requestHeaders);
 
         /// <summary>
         /// Adds a new federated credential policy for an Entra ID service principal. The policy will be owned by the user account
@@ -138,7 +140,7 @@ public async Task DeletePolicyAsync(FederatedCredentialPolicy policy)
             await _auditingService.SaveAuditRecordAsync(auditRecord);
         }
 
-        public async Task<GenerateApiKeyResult> GenerateApiKeyAsync(string username, string bearerToken)
+        public async Task<GenerateApiKeyResult> GenerateApiKeyAsync(string username, string bearerToken, NameValueCollection requestHeaders)
         {
             var currentUser = _userService.FindByUsername(username, includeDeleted: false);
             if (currentUser is null)
@@ -147,7 +149,7 @@ public async Task<GenerateApiKeyResult> GenerateApiKeyAsync(string username, str
             }
 
             var policies = _repository.GetPoliciesCreatedByUser(currentUser.Key);
-            var policyEvaluation = await _evaluator.GetMatchingPolicyAsync(policies, bearerToken);
+            var policyEvaluation = await _evaluator.GetMatchingPolicyAsync(policies, bearerToken, requestHeaders);
             switch (policyEvaluation.Type)
             {
                 case EvaluatedFederatedCredentialPoliciesType.BadToken:

src/NuGetGallery/App_Start/DefaultDependenciesModule.cs

@@ -586,6 +586,18 @@ private static void ConfigureFederatedCredentials(ContainerBuilder builder, Conf
                 .As<IEntraIdTokenValidator>()
                 .InstancePerLifetimeScope();
 
+            builder
+                .Register(c =>
+                {
+                    var configurationFactory = c.Resolve<IConfigurationFactory>();
+                    return GetAddInServices<IFederatedCredentialValidator>(sp =>
+                    {
+                        sp.ComposeExportedValue(configurationFactory);
+                    }).ToList();
+                })
+                .As<IReadOnlyList<IFederatedCredentialValidator>>() // a singleton, materialized list
+                .SingleInstance();
+
             builder
                 .RegisterType<FederatedCredentialPolicyEvaluator>()
                 .As<IFederatedCredentialPolicyEvaluator>()

src/NuGetGallery/Web.config

@@ -532,6 +532,14 @@
   </system.diagnostics>
   <runtime>
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
+      <dependentAssembly>
+        <assemblyIdentity name="Microsoft.Extensions.Caching.Memory" publicKeyToken="ADB9793829DDAE60" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-8.0.0.1" newVersion="8.0.0.1"/>
+      </dependentAssembly>
+      <dependentAssembly>
+        <assemblyIdentity name="Microsoft.Extensions.Caching.Abstractions" publicKeyToken="ADB9793829DDAE60" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0"/>
+      </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="WebGrease" publicKeyToken="31BF3856AD364E35" culture="neutral"/>
         <bindingRedirect oldVersion="0.0.0.0-1.6.5135.21930" newVersion="1.6.5135.21930"/>