AAD account checks on packages for safety reports (#9360)

drewgillies · web-flow · commit 3f692c3ca34a · 2023-02-07T06:33:41.000+10:00
diff --git a/src/AccountDeleter/EmptyFeatureFlagService.cs b/src/AccountDeleter/EmptyFeatureFlagService.cs
@@ -276,6 +276,11 @@ public bool IsShowReportAbuseSafetyChangesEnabled()
             throw new NotImplementedException();
         }
 
+        public bool IsAllowAadContentSafetyReportsEnabled()
+        {
+            throw new NotImplementedException();
+        }
+
         public bool IsTyposquattingEnabled()
         {
             throw new NotImplementedException();
diff --git a/src/GitHubVulnerabilities2Db/Fakes/FakeFeatureFlagService.cs b/src/GitHubVulnerabilities2Db/Fakes/FakeFeatureFlagService.cs
@@ -215,6 +215,11 @@ public bool IsShowReportAbuseSafetyChangesEnabled()
             throw new NotImplementedException();
         }
 
+        public bool IsAllowAadContentSafetyReportsEnabled()
+        {
+            throw new NotImplementedException();
+        }
+
         public bool IsPackageDependentsEnabled(User user)
         {
             throw new NotImplementedException();
diff --git a/src/NuGetGallery.Core/CredentialTypes.cs b/src/NuGetGallery.Core/CredentialTypes.cs
@@ -104,6 +104,7 @@ public static bool IsApiKey(string type)
         {
             return type?.StartsWith(ApiKey.Prefix, StringComparison.OrdinalIgnoreCase) ?? false;
         }
+
         public static bool IsMicrosoftAccount(string type)
         {
             return type?.Equals(External.MicrosoftAccount, StringComparison.OrdinalIgnoreCase) ?? false;
diff --git a/src/NuGetGallery.Services/Configuration/FeatureFlagService.cs b/src/NuGetGallery.Services/Configuration/FeatureFlagService.cs
@@ -52,6 +52,7 @@ public class FeatureFlagService : IFeatureFlagService
         private const string ImageAllowlistFlightName = GalleryPrefix + "ImageAllowlist";
         private const string DisplayBannerFlightName = GalleryPrefix + "Banner";
         private const string ShowReportAbuseSafetyChanges = GalleryPrefix + "ShowReportAbuseSafetyChanges";
+        private const string AllowAadContentSafetyReports = GalleryPrefix + "AllowAadContentSafetyReports";
         private const string DisplayTargetFrameworkFeatureName = GalleryPrefix + "DisplayTargetFramework";
         private const string ComputeTargetFrameworkFeatureName = GalleryPrefix + "ComputeTargetFramework";
         private const string RecentPackagesNoIndexFeatureName = GalleryPrefix + "RecentPackagesNoIndex";
@@ -333,6 +334,11 @@ public bool IsShowReportAbuseSafetyChangesEnabled()
             return _client.IsEnabled(ShowReportAbuseSafetyChanges, defaultValue: false);
         }
 
+        public bool IsAllowAadContentSafetyReportsEnabled()
+        {
+            return _client.IsEnabled(AllowAadContentSafetyReports, defaultValue: false);
+        }
+
         public bool IsMarkdigMdRenderingEnabled()
         {
             return _client.IsEnabled(MarkdigMdRenderingFlightName, defaultValue: false);
diff --git a/src/NuGetGallery.Services/Configuration/IFeatureFlagService.cs b/src/NuGetGallery.Services/Configuration/IFeatureFlagService.cs
@@ -258,6 +258,11 @@ public interface IFeatureFlagService
         /// </summary>
         bool IsShowReportAbuseSafetyChangesEnabled();
 
+        /// <summary>
+        /// Whether online safety categories are available to content owned by at least one AAD-authenticated account
+        /// </summary>
+        bool IsAllowAadContentSafetyReportsEnabled();
+
         /// <summary>
         /// Whether rendering Markdown content to HTML using Markdig is enabled
         /// </summary>
diff --git a/src/NuGetGallery/Controllers/PackagesController.cs b/src/NuGetGallery/Controllers/PackagesController.cs
@@ -1385,6 +1385,7 @@ public virtual ActionResult ReportAbuse(string id, string version)
             var model = new ReportAbuseViewModel
             {
                 ReasonChoices = _featureFlagService.IsShowReportAbuseSafetyChangesEnabled()
+                    && (_featureFlagService.IsAllowAadContentSafetyReportsEnabled() || PackageHasNoAadOwners(package))
                     ? ReportAbuseWithSafetyReasons
                     : ReportAbuseReasons,
                 PackageId = id,
@@ -2857,6 +2858,38 @@ await _auditingService.SaveAuditRecordAsync(
             }
         }
 
+        private static bool PackageHasNoAadOwners(Package package)
+        {
+            var owners = package?.PackageRegistration?.Owners;
+            if (owners == null || !owners.Any()) {
+                return true;
+            }
+
+            // First check direct owner credentials
+            if (owners.Any(o => o.Credentials.GetAzureActiveDirectoryCredential() != null))
+            {
+                return false;
+            }
+
+            // Check all members of organization owners
+            var orgOwners = owners.Where(o => o is Organization).Select(o => o as Organization);
+            foreach (var orgOwner in orgOwners)
+            {
+                if (orgOwner.Members == null)
+                {
+                    continue;
+                }
+
+                if (orgOwner.Members.Any(m => m.Member?.Credentials != null &&
+                      m.Member.Credentials.GetAzureActiveDirectoryCredential() != null))
+                {
+                    return false;
+                }
+            }
+
+            return true;
+        }
+
         private async Task DeleteUploadedFileForUser(User currentUser, Stream uploadedFileStream)
         {
             try
diff --git a/src/VerifyMicrosoftPackage/Fakes/FakeFeatureFlagService.cs b/src/VerifyMicrosoftPackage/Fakes/FakeFeatureFlagService.cs
@@ -103,6 +103,8 @@ public class FakeFeatureFlagService : IFeatureFlagService
 
         public bool IsShowReportAbuseSafetyChangesEnabled() => throw new NotImplementedException();
 
+        public bool IsAllowAadContentSafetyReportsEnabled() => throw new NotImplementedException();
+
         public bool IsMarkdigMdRenderingEnabled() => throw new NotImplementedException();
 
         public bool IsMarkdigMdSyntaxHighlightEnabled() => throw new NotImplementedException();
diff --git a/tests/NuGetGallery.Facts/Controllers/PackagesControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/PackagesControllerFacts.cs

Original file line number	Diff line number	Diff line change
`@@ -276,6 +276,11 @@ public bool IsShowReportAbuseSafetyChangesEnabled()`
`276`	`276`	`throw new NotImplementedException();`
`277`	`277`	`}`
`278`	`278`
	`279`	`+ public bool IsAllowAadContentSafetyReportsEnabled()`
	`280`	`+ {`
	`281`	`+ throw new NotImplementedException();`
	`282`	`+ }`
	`283`	`+`
`279`	`284`	`public bool IsTyposquattingEnabled()`
`280`	`285`	`{`
`281`	`286`	`throw new NotImplementedException();`
Original file line number	Diff line number	Diff line change
`@@ -215,6 +215,11 @@ public bool IsShowReportAbuseSafetyChangesEnabled()`
`215`	`215`	`throw new NotImplementedException();`
`216`	`216`	`}`
`217`	`217`
	`218`	`+ public bool IsAllowAadContentSafetyReportsEnabled()`
	`219`	`+ {`
	`220`	`+ throw new NotImplementedException();`
	`221`	`+ }`
	`222`	`+`
`218`	`223`	`public bool IsPackageDependentsEnabled(User user)`
`219`	`224`	`{`
`220`	`225`	`throw new NotImplementedException();`
Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,7 @@ public static bool IsApiKey(string type)`
`104`	`104`	`{`
`105`	`105`	`return type?.StartsWith(ApiKey.Prefix, StringComparison.OrdinalIgnoreCase) ?? false;`
`106`	`106`	`}`
	`107`	`+`
`107`	`108`	`public static bool IsMicrosoftAccount(string type)`
`108`	`109`	`{`
`109`	`110`	`return type?.Equals(External.MicrosoftAccount, StringComparison.OrdinalIgnoreCase) ?? false;`