Audit the AddCredential action after we commit to the DB (#9324)

joelverhagen · web-flow · commit 3f92a094e1cb · 2022-12-12T10:40:17.000-08:00
Resolve NuGet/Engineering#4660
diff --git a/src/NuGetGallery.Services/Authentication/AuthenticationService.cs b/src/NuGetGallery.Services/Authentication/AuthenticationService.cs
@@ -473,6 +473,9 @@ public virtual async Task ReplaceCredential(User user, Credential credential)
         {
             await ReplaceCredentialInternal(user, credential);
             await Entities.SaveChangesAsync();
+
+            await Auditing.SaveAuditRecordAsync(new UserAuditRecord(
+                user, AuditedUserAction.AddCredential, credential));
         }
 
         public virtual async Task<Credential> ResetPasswordWithToken(string username, string token, string newPassword)
@@ -501,6 +504,10 @@ public virtual async Task<Credential> ResetPasswordWithToken(string username, st
                 user.FailedLoginCount = 0;
                 user.LastFailedLoginUtc = null;
                 await Entities.SaveChangesAsync();
+
+                await Auditing.SaveAuditRecordAsync(new UserAuditRecord(
+                    user, AuditedUserAction.AddCredential, cred));
+
                 return cred;
             }
 
@@ -590,6 +597,10 @@ public virtual async Task<bool> ChangePassword(User user, string oldPassword, st
 
             // Save changes
             await Entities.SaveChangesAsync();
+
+            await Auditing.SaveAuditRecordAsync(new UserAuditRecord(
+                user, AuditedUserAction.AddCredential, passwordCredential));
+
             return true;
         }
 
@@ -623,10 +634,10 @@ public virtual async Task AddCredential(User user, Credential credential)
                 throw new InvalidOperationException(ServicesStrings.OrganizationsCannotCreateCredentials);
             }
 
-            await Auditing.SaveAuditRecordAsync(new UserAuditRecord(user, AuditedUserAction.AddCredential, credential));
             user.Credentials.Add(credential);
             await Entities.SaveChangesAsync();
 
+            await Auditing.SaveAuditRecordAsync(new UserAuditRecord(user, AuditedUserAction.AddCredential, credential));
             _telemetryService.TrackNewCredentialCreated(user, credential);
         }
 
@@ -838,9 +849,6 @@ await Auditing.SaveAuditRecordAsync(new UserAuditRecord(
             }
 
             user.Credentials.Add(credential);
-
-            await Auditing.SaveAuditRecordAsync(new UserAuditRecord(
-                user, AuditedUserAction.AddCredential, credential));
         }
 
         private static CredentialKind GetCredentialKind(string type)
@@ -1024,15 +1032,20 @@ private async Task MigrateCredentials(User user, List<Credential> creds, string
             await Auditing.SaveAuditRecordAsync(new UserAuditRecord(user, AuditedUserAction.RemoveCredential, toRemove));
 
             // Now add one if there are no credentials left
+            Credential newCred = null;
             if (creds.Count == 0)
             {
-                var newCred = _credentialBuilder.CreatePasswordCredential(password);
-                await Auditing.SaveAuditRecordAsync(new UserAuditRecord(user, AuditedUserAction.AddCredential, newCred));
+                newCred = _credentialBuilder.CreatePasswordCredential(password);
                 user.Credentials.Add(newCred);
             }
 
             // Save changes, if any
             await Entities.SaveChangesAsync();
+
+            if (newCred != null)
+            {
+                await Auditing.SaveAuditRecordAsync(new UserAuditRecord(user, AuditedUserAction.AddCredential, newCred));
+            }
         }
     }
 }
diff --git a/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs b/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs
@@ -15,6 +15,8 @@
 using NuGetGallery.Auditing;
 using NuGetGallery.Authentication.Providers;
 using NuGetGallery.Authentication.Providers.MicrosoftAccount;
+using NuGetGallery.Configuration;
+using NuGetGallery.Diagnostics;
 using NuGetGallery.Framework;
 using NuGetGallery.Infrastructure.Authentication;
 using Xunit;
@@ -2071,6 +2073,51 @@ public async Task WritesAuditRecordForTheNewCredential()
                     ar.AffectedCredential[0].Type == cred.Type &&
                     ar.AffectedCredential[0].Identity == cred.Identity));
             }
+
+            [Fact]
+            public async Task WritesAuditRecordAfterDbCommit()
+            {
+                // Arrange
+                var entitiesContext = new Mock<IEntitiesContext>();
+                var auditingService = new Mock<IAuditingService>();
+                var credentialBuilder = new CredentialBuilder();
+
+                var authService = new AuthenticationService(
+                    entitiesContext.Object,
+                    Get<IAppConfiguration>(),
+                    Get<IDiagnosticsService>(),
+                    auditingService.Object,
+                    Enumerable.Empty<Authenticator>(),
+                    credentialBuilder,
+                    Get<ICredentialValidator>(),
+                    Get<IDateTimeProvider>(),
+                    Get<ITelemetryService>(),
+                    Get<IContentObjectService>(),
+                    Get<IFeatureFlagService>());
+                var operations = new List<string>();
+
+                var fakes = Get<Fakes>();
+                var user = fakes.CreateUser("test", credentialBuilder.CreatePasswordCredential(Fakes.Password));
+                var cred = credentialBuilder.CreateExternalCredential("flarg", "glarb", "blarb");
+                Mock
+                    .Get(authService.Auditing)
+                    .Setup(x => x.SaveAuditRecordAsync(It.IsAny<AuditRecord>()))
+                    .Returns(Task.CompletedTask)
+                    .Callback(() => operations.Add(nameof(IAuditingService.SaveAuditRecordAsync)));
+                Mock
+                    .Get(authService.Entities)
+                    .Setup(x => x.SaveChangesAsync())
+                    .ReturnsAsync(() => 0)
+                    .Callback(() => operations.Add(nameof(IEntitiesContext.SaveChangesAsync)));
+
+                // Act
+                await authService.AddCredential(user, cred);
+
+                // Assert
+                Assert.Equal(
+                    new List<string> { nameof(IEntitiesContext.SaveChangesAsync), nameof(IAuditingService.SaveAuditRecordAsync) },
+                    operations);
+            }
         }
 
         public class TheDescribeCredentialMethod : TestContainer

Original file line number	Diff line number	Diff line change
`@@ -473,6 +473,9 @@ public virtual async Task ReplaceCredential(User user, Credential credential)`
`473`	`473`	`{`
`474`	`474`	`await ReplaceCredentialInternal(user, credential);`
`475`	`475`	`await Entities.SaveChangesAsync();`
	`476`	`+`
	`477`	`+ await Auditing.SaveAuditRecordAsync(new UserAuditRecord(`
	`478`	`+ user, AuditedUserAction.AddCredential, credential));`
`476`	`479`	`}`
`477`	`480`
`478`	`481`	`public virtual async Task<Credential> ResetPasswordWithToken(string username, string token, string newPassword)`
`@@ -501,6 +504,10 @@ public virtual async Task<Credential> ResetPasswordWithToken(string username, st`
`501`	`504`	`user.FailedLoginCount = 0;`
`502`	`505`	`user.LastFailedLoginUtc = null;`
`503`	`506`	`await Entities.SaveChangesAsync();`
	`507`	`+`
	`508`	`+ await Auditing.SaveAuditRecordAsync(new UserAuditRecord(`
	`509`	`+ user, AuditedUserAction.AddCredential, cred));`
	`510`	`+`
`504`	`511`	`return cred;`
`505`	`512`	`}`
`506`	`513`
`@@ -590,6 +597,10 @@ public virtual async Task<bool> ChangePassword(User user, string oldPassword, st`
`590`	`597`
`591`	`598`	`// Save changes`
`592`	`599`	`await Entities.SaveChangesAsync();`
	`600`	`+`
	`601`	`+ await Auditing.SaveAuditRecordAsync(new UserAuditRecord(`
	`602`	`+ user, AuditedUserAction.AddCredential, passwordCredential));`
	`603`	`+`
`593`	`604`	`return true;`
`594`	`605`	`}`
`595`	`606`
`@@ -623,10 +634,10 @@ public virtual async Task AddCredential(User user, Credential credential)`
`623`	`634`	`throw new InvalidOperationException(ServicesStrings.OrganizationsCannotCreateCredentials);`
`624`	`635`	`}`
`625`	`636`
`626`		`- await Auditing.SaveAuditRecordAsync(new UserAuditRecord(user, AuditedUserAction.AddCredential, credential));`
`627`	`637`	`user.Credentials.Add(credential);`
`628`	`638`	`await Entities.SaveChangesAsync();`
`629`	`639`
	`640`	`+ await Auditing.SaveAuditRecordAsync(new UserAuditRecord(user, AuditedUserAction.AddCredential, credential));`
`630`	`641`	`_telemetryService.TrackNewCredentialCreated(user, credential);`
`631`	`642`	`}`
`632`	`643`
`@@ -838,9 +849,6 @@ await Auditing.SaveAuditRecordAsync(new UserAuditRecord(`
`838`	`849`	`}`
`839`	`850`
`840`	`851`	`user.Credentials.Add(credential);`
`841`		`-`
`842`		`- await Auditing.SaveAuditRecordAsync(new UserAuditRecord(`
`843`		`- user, AuditedUserAction.AddCredential, credential));`
`844`	`852`	`}`
`845`	`853`
`846`	`854`	`private static CredentialKind GetCredentialKind(string type)`
`@@ -1024,15 +1032,20 @@ private async Task MigrateCredentials(User user, List<Credential> creds, string`
`1024`	`1032`	`await Auditing.SaveAuditRecordAsync(new UserAuditRecord(user, AuditedUserAction.RemoveCredential, toRemove));`
`1025`	`1033`
`1026`	`1034`	`// Now add one if there are no credentials left`
	`1035`	`+ Credential newCred = null;`
`1027`	`1036`	`if (creds.Count == 0)`
`1028`	`1037`	`{`
`1029`		`- var newCred = _credentialBuilder.CreatePasswordCredential(password);`
`1030`		`- await Auditing.SaveAuditRecordAsync(new UserAuditRecord(user, AuditedUserAction.AddCredential, newCred));`
	`1038`	`+ newCred = _credentialBuilder.CreatePasswordCredential(password);`
`1031`	`1039`	`user.Credentials.Add(newCred);`
`1032`	`1040`	`}`
`1033`	`1041`
`1034`	`1042`	`// Save changes, if any`
`1035`	`1043`	`await Entities.SaveChangesAsync();`
	`1044`	`+`
	`1045`	`+ if (newCred != null)`
	`1046`	`+ {`
	`1047`	`+ await Auditing.SaveAuditRecordAsync(new UserAuditRecord(user, AuditedUserAction.AddCredential, newCred));`
	`1048`	`+ }`
`1036`	`1049`	`}`
`1037`	`1050`	`}`
`1038`	`1051`	`}`