Fix email verification issue for AAD/MSA registration (#6548)

* Fix email verification issue for AAD/MSA registration

* Add email match logic

* Use default comparison for emails

* Refactor logic and add unit tests

* Add unit tests

Author: zhhyu

src/NuGetGallery/Authentication/AuthenticateExternalLoginResult.cs

@@ -1,8 +1,6 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using System;
-using System.Collections.Generic;
 using System.Security.Claims;
 using NuGetGallery.Authentication.Providers;
 
@@ -15,6 +13,7 @@ public class AuthenticateExternalLoginResult
         public Authenticator Authenticator { get; set; }
         public Credential Credential { get; set; }
         public ExternalLoginSessionDetails LoginDetails { get; set; }
+        public IdentityInformation UserInfo { get; set; }
     }
 
     public class ExternalLoginSessionDetails

src/NuGetGallery/Authentication/AuthenticationService.cs

@@ -299,7 +299,7 @@ private async Task<Claim[]> GetUserLoginClaims(AuthenticatedUser user, bool wasM
             return claims.ToArray();
         }
 
-        public virtual async Task<AuthenticatedUser> Register(string username, string emailAddress, Credential credential)
+        public virtual async Task<AuthenticatedUser> Register(string username, string emailAddress, Credential credential, bool autoConfirm = false)
         {
             if (_config.FeedOnlyMode)
             {
@@ -332,7 +332,7 @@ public virtual async Task<AuthenticatedUser> Register(string username, string em
             // Add a credential for the password
             newUser.Credentials.Add(credential);
 
-            if (!_config.ConfirmEmailAddresses)
+            if (!_config.ConfirmEmailAddresses || autoConfirm)
             {
                 newUser.ConfirmEmailAddress();
             }
@@ -651,7 +651,8 @@ public virtual async Task<AuthenticateExternalLoginResult> ReadExternalLoginCred
                     ExternalIdentity = externalIdentity,
                     Authenticator = authenticator,
                     Credential = _credentialBuilder.CreateExternalCredential(userInfo.AuthenticationType, userInfo.Identifier, identity, userInfo.TenantId),
-                    LoginDetails = new ExternalLoginSessionDetails(userInfo.Email, userInfo.UsedMultiFactorAuthentication)
+                    LoginDetails = new ExternalLoginSessionDetails(userInfo.Email, userInfo.UsedMultiFactorAuthentication),
+                    UserInfo = userInfo
                 };
             }
             catch (Exception ex)

src/NuGetGallery/Controllers/AuthenticationController.cs

@@ -271,7 +271,9 @@ public virtual async Task<ActionResult> Register(LogOnViewModel model, string re
                     user = await _authService.Register(
                         model.Register.Username,
                         model.Register.EmailAddress,
-                        result.Credential);
+                        result.Credential,
+                        (result.Credential.IsExternal() && string.Equals(result.UserInfo?.Email, model.Register.EmailAddress))
+                        );
                 }
                 else
                 {

tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs

@@ -759,7 +759,8 @@ public async Task GivenPlainTextPassword_ItSaltsHashesAndPassesThru()
                         It.Is<Credential>(c => VerifyPasswordHash(
                             c.Value,
                             CredentialBuilder.LatestPasswordType,
-                            password))))
+                            password)),
+                        It.IsAny<bool>()))
                     .CompletesWithNull()
                     .Verifiable();
 
@@ -844,6 +845,57 @@ public async Task WillSaveTheNewUserAsConfirmedWhenConfigured()
                 auth.Entities.VerifyCommitChanges();
             }
 
+            [Theory]
+            [InlineData("MicrosoftAccount")]
+            [InlineData("AzureActiveDirectory")]
+            public async Task WillSaveTheNewUserWithExternalCredentialAndMatchEmailAsConfirmed(string credType)
+            {
+                // Arrange
+                var configurationService = GetConfigurationService();
+                configurationService.Current.ConfirmEmailAddresses = true;
+
+                var auth = Get<AuthenticationService>();
+
+                // Act
+                var authUser = await auth.Register(
+                    "newUser",
+                    "theEmailAddress",
+                    new CredentialBuilder().CreateExternalCredential(credType, "blorg", "Bloog"),
+                    true);
+
+                // Assert
+                Assert.True(auth.Entities.Users.Contains(authUser.User));
+                Assert.True(authUser.User.Confirmed);
+                Assert.True(string.Equals(authUser.User.EmailAddress, "theEmailAddress"));
+                auth.Entities.VerifyCommitChanges();
+            }
+
+            [Theory]
+            [InlineData("MicrosoftAccount")]
+            [InlineData("AzureActiveDirectory")]
+            public async Task WillSaveTheNewUserWithExternalCredentialAndNotMatchEmailAsNotConfirmed(string credType)
+            {
+                // Arrange
+                var configurationService = GetConfigurationService();
+                configurationService.Current.ConfirmEmailAddresses = true;
+
+                var auth = Get<AuthenticationService>();
+
+                // Act
+                var authUser = await auth.Register(
+                    "newUser",
+                    "theEmailAddress",
+                    new CredentialBuilder().CreateExternalCredential(credType, "blorg", "Bloog"),
+                    false);
+
+                // Assert
+                Assert.True(auth.Entities.Users.Contains(authUser.User));
+                auth.Entities.VerifyCommitChanges();
+                Assert.True(string.Equals(authUser.User.UnconfirmedEmailAddress, "theEmailAddress"));
+                Assert.NotNull(authUser.User.EmailConfirmationToken);
+                Assert.False(authUser.User.Confirmed);
+            }
+
             [Fact]
             public async Task SetsAConfirmationToken()
             {

tests/NuGetGallery.Facts/Controllers/AuthenticationControllerFacts.cs

@@ -720,7 +720,7 @@ public async Task WillShowTheViewWithErrorsIfTheModelStateIsInvalid()
             public async Task WillInvalidateModelStateAndShowTheViewWhenAnEntityExceptionIsThrow()
             {
                 GetMock<AuthenticationService>()
-                    .Setup(x => x.Register(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<Credential>()))
+                    .Setup(x => x.Register(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<Credential>(), It.IsAny<bool>()))
                     .Throws(new EntityException("aMessage"));
 
                 var controller = GetController<AuthenticationController>();
@@ -756,7 +756,7 @@ public async Task WillCreateAndLogInTheUserWhenNotLinking()
                 var authenticationService = GetMock<AuthenticationService>();
                 var controller = GetController<AuthenticationController>();
 
-                authenticationService.Setup(x => x.Register(authUser.User.Username, authUser.User.UnconfirmedEmailAddress, It.IsAny<Credential>()))
+                authenticationService.Setup(x => x.Register(authUser.User.Username, authUser.User.UnconfirmedEmailAddress, It.IsAny<Credential>(), It.IsAny<bool>()))
                     .CompletesWith(authUser);
 
                 authenticationService
@@ -807,7 +807,7 @@ public async Task WillNotSendConfirmationEmailWhenConfirmEmailAddressesIsOff()
                 configurationService.Current.ConfirmEmailAddresses = false;
 
                 GetMock<AuthenticationService>()
-                    .Setup(x => x.Register("theUsername", "[email protected]", It.IsAny<Credential>()))
+                    .Setup(x => x.Register("theUsername", "[email protected]", It.IsAny<Credential>(), It.IsAny<bool>()))
                     .CompletesWith(authUser);
 
                 var controller = GetController<AuthenticationController>();
@@ -830,6 +830,182 @@ public async Task WillNotSendConfirmationEmailWhenConfirmEmailAddressesIsOff()
                     }, "/theReturnUrl", linkingAccount: false);
 
                 // Assert
+                GetMock<AuthenticationService>()
+                    .Verify(x => x.Register("theUsername", "[email protected]", It.IsAny<Credential>(), false));
+
+                GetMock<IMessageService>()
+                    .Verify(x => x.SendNewAccountEmailAsync(
+                        It.IsAny<User>(),
+                        It.IsAny<string>()), Times.Never());
+            }
+
+            [Fact]
+            public async Task WillNotAutoConfirmAndWillSendConfirmationEmailWhenNotExternalCredential()
+            {
+                // Arrange
+                var authUser = new AuthenticatedUser(
+                    new User("theUsername")
+                    {
+                        UnconfirmedEmailAddress = "[email protected]",
+                        EmailConfirmationToken = "t0k3n"
+                    },
+                    new Credential());
+
+                var authenticationServiceMock = GetMock<AuthenticationService>();
+                var controller = GetController<AuthenticationController>();
+                authenticationServiceMock
+                    .Setup(x => x.Register(authUser.User.Username, authUser.User.UnconfirmedEmailAddress, It.IsAny<Credential>(), It.IsAny<bool>()))
+                    .CompletesWith(authUser);
+                authenticationServiceMock
+                    .Setup(x => x.CreateSessionAsync(controller.OwinContext, authUser, false))
+                    .Returns(Task.FromResult(0))
+                    .Verifiable();
+                authenticationServiceMock
+                    .Setup(x => x.ReadExternalLoginCredential(controller.OwinContext))
+                    .CompletesWith(new AuthenticateExternalLoginResult()
+                    {
+                        ExternalIdentity = new ClaimsIdentity(),
+                        Credential = new Credential(),
+                        UserInfo = new IdentityInformation("", "", authUser.User.UnconfirmedEmailAddress, "")
+                    });
+
+                // Act
+                var result = await controller.Register(
+                    new LogOnViewModel()
+                    {
+                        Register = new RegisterViewModel
+                        {
+                            Username = "theUsername",
+                            EmailAddress = authUser.User.UnconfirmedEmailAddress,
+                        }
+                    }, "/theReturnUrl", linkingAccount: true);
+
+                // Assert
+                authenticationServiceMock.VerifyAll();
+
+                GetMock<AuthenticationService>()
+                    .Verify(x => x.Register(authUser.User.Username, authUser.User.UnconfirmedEmailAddress, It.IsAny<Credential>(), false));
+
+                GetMock<IMessageService>()
+                    .Verify(x => x.SendNewAccountEmailAsync(
+                        authUser.User,
+                        TestUtility.GallerySiteRootHttps + "account/confirm/" + authUser.User.Username + "/" + authUser.User.EmailConfirmationToken));
+
+                ResultAssert.IsSafeRedirectTo(result, "/theReturnUrl");
+            }
+
+            [Fact]
+            public async Task WillNotAutoConfirmAndWillSendConfirmationEmailWhenModelRegisterEmailAndExternalCredentialEmailNotMatch()
+            {
+                // Arrange
+                var authUser = new AuthenticatedUser(
+                    new User("theUsername")
+                    {
+                        UnconfirmedEmailAddress = "[email protected]",
+                        EmailConfirmationToken = "t0k3n"
+                    },
+                    new Credential());
+
+                var externalCred = new CredentialBuilder().CreateExternalCredential("MicrosoftAccount", "blorg", "Bloog");
+
+                var authenticationServiceMock = GetMock<AuthenticationService>();
+                var controller = GetController<AuthenticationController>();
+                authenticationServiceMock
+                    .Setup(x => x.Register(authUser.User.Username, "[email protected]", externalCred, It.IsAny<bool>()))
+                    .CompletesWith(authUser);
+                authenticationServiceMock
+                    .Setup(x => x.CreateSessionAsync(controller.OwinContext, authUser, false))
+                    .Returns(Task.FromResult(0))
+                    .Verifiable();
+                authenticationServiceMock
+                    .Setup(x => x.ReadExternalLoginCredential(controller.OwinContext))
+                    .CompletesWith(new AuthenticateExternalLoginResult()
+                    {
+                        ExternalIdentity = new ClaimsIdentity(),
+                        Credential = externalCred,
+                        UserInfo = new IdentityInformation("", "", "[email protected]", "")
+                    });
+
+                // Act
+                var result = await controller.Register(
+                    new LogOnViewModel()
+                    {
+                        Register = new RegisterViewModel
+                        {
+                            Username = "theUsername",
+                            EmailAddress = "[email protected]",
+                        }
+                    }, "/theReturnUrl", linkingAccount: true);
+
+                // Assert
+                authenticationServiceMock.VerifyAll();
+
+                GetMock<AuthenticationService>()
+                    .Verify(x => x.Register(authUser.User.Username, "[email protected]", externalCred, false));
+
+                GetMock<IMessageService>()
+                    .Verify(x => x.SendNewAccountEmailAsync(
+                        authUser.User,
+                        TestUtility.GallerySiteRootHttps + "account/confirm/" + authUser.User.Username + "/" + authUser.User.EmailConfirmationToken));
+
+                ResultAssert.IsSafeRedirectTo(result, "/theReturnUrl");
+            }
+
+            [Fact]
+            public async Task WillAutoConfirmAndWillNotSendConfirmationEmailWhenIsExternalCredentialAndModelRegisterEmailAndExternalCredentialEmailMatch()
+            {
+                // Arrange
+                var authUser = new AuthenticatedUser(
+                    new User("theUsername")
+                    {
+                        UnconfirmedEmailAddress = "[email protected]",
+                        EmailConfirmationToken = "t0k3n"
+                    },
+                    new Credential());
+
+                var externalCred = new CredentialBuilder().CreateExternalCredential("MicrosoftAccount", "blorg", "Bloog");
+
+                var authenticationServiceMock = GetMock<AuthenticationService>();
+                var controller = GetController<AuthenticationController>();
+                authenticationServiceMock
+                    .Setup(x => x.Register(authUser.User.Username, authUser.User.UnconfirmedEmailAddress, externalCred, It.IsAny<bool>()))
+                    .CompletesWith(authUser)
+                    .Callback(() =>
+                     {
+                         authUser.User.EmailAddress = authUser.User.UnconfirmedEmailAddress;
+                         authUser.User.UnconfirmedEmailAddress = null;
+                     });
+
+                authenticationServiceMock
+                    .Setup(x => x.CreateSessionAsync(controller.OwinContext, authUser, false))
+                    .Returns(Task.FromResult(0))
+                    .Verifiable();
+                authenticationServiceMock
+                    .Setup(x => x.ReadExternalLoginCredential(controller.OwinContext))
+                    .CompletesWith(new AuthenticateExternalLoginResult()
+                    {
+                        ExternalIdentity = new ClaimsIdentity(),
+                        Credential = externalCred,
+                        UserInfo = new IdentityInformation("", "", authUser.User.UnconfirmedEmailAddress, "")
+                    });
+
+                // Act
+                var result = await controller.Register(
+                    new LogOnViewModel()
+                    {
+                        Register = new RegisterViewModel
+                        {
+                            Username = "theUsername",
+                            EmailAddress = authUser.User.UnconfirmedEmailAddress,
+                        }
+                    }, "/theReturnUrl", linkingAccount: true);
+
+                // Assert
+                authenticationServiceMock.VerifyAll();
+
+                GetMock<AuthenticationService>()
+                    .Verify(x => x.Register(authUser.User.Username, authUser.User.EmailAddress, externalCred, true));
+
                 GetMock<IMessageService>()
                     .Verify(x => x.SendMessageAsync(
                         It.IsAny<NewAccountMessage>(), It.IsAny<bool>(), It.IsAny<bool>()),
@@ -868,7 +1044,7 @@ public async Task GivenExpiredExternalAuth_ItRedirectsBackToLogOnWithExternalAut
                 GetMock<AuthenticationService>()
                     .Verify(x => x.CreateSessionAsync(It.IsAny<IOwinContext>(), It.IsAny<AuthenticatedUser>(), false), Times.Never());
                 GetMock<AuthenticationService>()
-                    .Verify(x => x.Register("theUsername", "theEmailAddress", It.IsAny<Credential>()), Times.Never());
+                    .Verify(x => x.Register("theUsername", "theEmailAddress", It.IsAny<Credential>(), It.IsAny<bool>()), Times.Never());
             }
 
             [Fact]
@@ -888,7 +1064,7 @@ public async Task GivenValidExternalAuth_ItCreatesAccountAndLinksCredential()
                 var authenticationServiceMock = GetMock<AuthenticationService>();
                 var controller = GetController<AuthenticationController>();
                 authenticationServiceMock
-                    .Setup(x => x.Register(authUser.User.Username, authUser.User.UnconfirmedEmailAddress, externalCred))
+                    .Setup(x => x.Register(authUser.User.Username, authUser.User.UnconfirmedEmailAddress, externalCred, It.IsAny<bool>()))
                     .CompletesWith(authUser);
                 authenticationServiceMock
                     .Setup(x => x.CreateSessionAsync(controller.OwinContext, authUser, false))
@@ -900,7 +1076,8 @@ public async Task GivenValidExternalAuth_ItCreatesAccountAndLinksCredential()
                     .CompletesWith(new AuthenticateExternalLoginResult()
                     {
                         ExternalIdentity = new ClaimsIdentity(),
-                        Credential = externalCred
+                        Credential = externalCred,
+                        UserInfo = new IdentityInformation("", "", "", "")
                     });
 
                 // Simulate the model state error that will be added when doing an external account registration (since password is not present)
@@ -959,7 +1136,7 @@ public async Task GivenAdminLogsInWithExternalIdentity_ItChallengesWhenNotUsingR
                     externalCred);
 
                 GetMock<AuthenticationService>()
-                    .Setup(x => x.Register("theUsername", "theEmailAddress", externalCred))
+                    .Setup(x => x.Register("theUsername", "theEmailAddress", externalCred, It.IsAny<bool>()))
                     .CompletesWith(authUser);
 
                 EnableAllAuthenticators(Get<AuthenticationService>());
@@ -985,7 +1162,8 @@ public async Task GivenAdminLogsInWithExternalIdentity_ItChallengesWhenNotUsingR
                     .CompletesWith(new AuthenticateExternalLoginResult()
                     {
                         ExternalIdentity = new ClaimsIdentity(),
-                        Credential = externalCred
+                        Credential = externalCred,
+                        UserInfo = new IdentityInformation("", "", "theEmailAddress", "")
                     });
 
                 // Act