[2FA] Disable nuget.org password login (#9141)

* email logging feature flag

* add emaillogin to accoutn controller

* feature flag enabled by default

* added sign in check

* refresh content service.

* Address PR comments.

* update loging exception list method.

* Test for account pass condition

* Block ForgotPassword workflow when flag is enabled.

* fix test cases.

* updated ForgotPassword_Disabled

* Validation changed to auth service, audit added.

* updated ui and refactor email method.

* Fix tests.

* remove forgot password condition.

Author: Daniel Jacinto

src/AccountDeleter/EmptyFeatureFlagService.cs

@@ -86,6 +86,11 @@ public bool IsDisplayVulnerabilitiesEnabled()
             throw new NotImplementedException();
         }
 
+        public bool IsNuGetAccountPasswordLoginEnabled()
+        {
+            throw new NotImplementedException();
+        }
+
         public bool IsForceFlatContainerIconsEnabled()
         {
             throw new NotImplementedException();

src/GitHubVulnerabilities2Db/Fakes/FakeFeatureFlagService.cs

@@ -279,5 +279,10 @@ public bool IsNewAccount2FAEnforcementEnabled()
         {
             throw new NotImplementedException();
         }
+
+        public bool IsNuGetAccountPasswordLoginEnabled()
+        {
+            throw new NotImplementedException();
+        }
     }
 }

src/NuGetGallery.Core/Auditing/AuditedAuthenticatedOperationAction.cs

@@ -28,6 +28,11 @@ public enum AuditedAuthenticatedOperationAction
         /// <summary>
         /// Symbol package push was attempted by a non-owner of the package
         /// </summary>
-        SymbolsPackagePushAttemptByNonOwner
+        SymbolsPackagePushAttemptByNonOwner,
+
+        /// <summary>
+        /// User attempted to login when password login is unsupported
+        /// </summary>
+        PasswordLoginUnsupported
     }
 }

src/NuGetGallery.Services/Authentication/AuthenticationService.cs

@@ -33,6 +33,7 @@ public class AuthenticationService: IAuthenticationService
         private readonly IDateTimeProvider _dateTimeProvider;
         private readonly IContentObjectService _contentObjectService;
         private readonly ITelemetryService _telemetryService;
+        private readonly IFeatureFlagService _featureFlagService;
 
         /// <summary>
         /// This ctor is used for test only.
@@ -48,7 +49,7 @@ public AuthenticationService(
             IEntitiesContext entities, IAppConfiguration config, IDiagnosticsService diagnostics,
             IAuditingService auditing, IEnumerable<Authenticator> providers, ICredentialBuilder credentialBuilder,
             ICredentialValidator credentialValidator, IDateTimeProvider dateTimeProvider, ITelemetryService telemetryService,
-            IContentObjectService contentObjectService)
+            IContentObjectService contentObjectService, IFeatureFlagService featureFlagService)
         {
             InitCredentialFormatters();
 
@@ -62,6 +63,7 @@ public AuthenticationService(
             _dateTimeProvider = dateTimeProvider ?? throw new ArgumentNullException(nameof(dateTimeProvider));
             _telemetryService = telemetryService ?? throw new ArgumentNullException(nameof(telemetryService));
             _contentObjectService = contentObjectService ?? throw new ArgumentNullException(nameof(contentObjectService));
+            _featureFlagService = featureFlagService ?? throw new ArgumentNullException(nameof(featureFlagService));
         }
 
         public IEntitiesContext Entities { get; private set; }
@@ -83,6 +85,18 @@ public virtual async Task<PasswordAuthenticationResult> Authenticate(string user
             {
                 var user = FindByUserNameOrEmail(userNameOrEmail);
 
+                if (!_featureFlagService.IsNuGetAccountPasswordLoginEnabled() &&
+                !_contentObjectService.LoginDiscontinuationConfiguration.IsEmailOnExceptionsList(userNameOrEmail))
+                {
+                    _trace.Information("Password login unsupported.");
+
+                    await Auditing.SaveAuditRecordAsync(
+                        new FailedAuthenticatedOperationAuditRecord(
+                            userNameOrEmail, AuditedAuthenticatedOperationAction.PasswordLoginUnsupported));
+                    
+                    return new PasswordAuthenticationResult(PasswordAuthenticationResult.AuthenticationResult.PasswordLoginUnsupported);
+                }
+
                 // Check if the user exists
                 if (user == null)
                 {

src/NuGetGallery.Services/Authentication/PasswordAuthenticationResult.cs

@@ -8,6 +8,7 @@ public class PasswordAuthenticationResult
         public enum AuthenticationResult
         {
             AccountLocked, // The account is locked
+            PasswordLoginUnsupported, // Password login is not supported
             BadCredentials, // Bad user name or password provided
             Success // All good
         }

src/NuGetGallery.Services/Configuration/FeatureFlagService.cs

@@ -54,6 +54,7 @@ public class FeatureFlagService : IFeatureFlagService
         private const string ComputeTargetFrameworkFeatureName = GalleryPrefix + "ComputeTargetFramework";
         private const string RecentPackagesNoIndexFeatureName = GalleryPrefix + "RecentPackagesNoIndex";
         private const string NewAccount2FAEnforcementFeatureName = GalleryPrefix + "NewAccount2FAEnforcement";
+        private const string NuGetAccountPasswordLoginFeatureName = GalleryPrefix + "NuGetAccountPasswordLogin";
 
         private const string ODataV1GetAllNonHijackedFeatureName = GalleryPrefix + "ODataV1GetAllNonHijacked";
         private const string ODataV1GetAllCountNonHijackedFeatureName = GalleryPrefix + "ODataV1GetAllCountNonHijacked";
@@ -368,5 +369,10 @@ public bool IsNewAccount2FAEnforcementEnabled()
         {
             return _client.IsEnabled(NewAccount2FAEnforcementFeatureName, defaultValue: false);
         }
+
+        public bool IsNuGetAccountPasswordLoginEnabled()
+        {
+            return _client.IsEnabled(NuGetAccountPasswordLoginFeatureName, defaultValue: true);
+        }
     }
 }

src/NuGetGallery.Services/Configuration/IFeatureFlagService.cs

@@ -177,7 +177,7 @@ public interface IFeatureFlagService
         /// Whether the user is able to publish the package with an embedded readme file.
         /// </summary>
         bool AreEmbeddedReadmesEnabled(User user);
-        
+
         /// <summary>
         /// Whether the /Packages() endpoint is enabled for the V1 OData API.
         /// </summary>
@@ -262,7 +262,7 @@ public interface IFeatureFlagService
         /// Whether rendering Markdown content to HTML using Markdig is enabled
         /// </summary>
         bool IsMarkdigMdRenderingEnabled();
-        
+
         /// Whether or not the user can delete a package through the API.
         /// </summary>
         bool IsDeletePackageApiEnabled(User user);
@@ -276,7 +276,7 @@ public interface IFeatureFlagService
         /// Whether or not display the banner on nuget.org
         /// </summary>
         bool IsDisplayBannerEnabled();
-        
+
         /// <summary>
         /// Whether or not display target framework badges and table on nuget.org
         /// </summary>
@@ -296,5 +296,10 @@ public interface IFeatureFlagService
         /// Whether or not to enforce 2FA for new external account link or replacement.
         /// </summary>
         bool IsNewAccount2FAEnforcementEnabled();
+
+        /// <summary>
+        /// Whether or not NuGet.org password login is supported. NuGet.org accounts in the <see cref="LoginDiscontinuationConfiguration.ExceptionsForEmailAddresses"/> will always be supported.
+        /// </summary>
+        bool IsNuGetAccountPasswordLoginEnabled();
     }
 }

src/NuGetGallery.Services/Configuration/ILoginDiscontinuationConfiguration.cs

@@ -13,5 +13,6 @@ public interface ILoginDiscontinuationConfiguration
         bool IsUserOnWhitelist(User user);
         bool ShouldUserTransformIntoOrganization(User user);
         bool IsTenantIdPolicySupportedForOrganization(string emailAddress, string tenantId);
+        bool IsEmailOnExceptionsList(string emailAddress);
     }
 }

src/NuGetGallery.Services/Configuration/LoginDiscontinuationConfiguration.cs

@@ -104,6 +104,16 @@ public bool IsPasswordLoginDiscontinuedForAll()
         {
             return IsPasswordDiscontinuedForAll;
         }
+
+        public bool IsEmailOnExceptionsList(string emailAddress)
+        {
+            if (string.IsNullOrEmpty(emailAddress))
+            {
+                return false;
+            }
+
+            return ExceptionsForEmailAddresses.Contains(emailAddress);
+        }
     }
 
     public class OrganizationTenantPair : IEquatable<OrganizationTenantPair>

src/NuGetGallery/App_Data/Files/Content/flags.json

@@ -32,7 +32,8 @@
     "NuGetGallery.ImageAllowlist": "Enabled",
     "NuGetGallery.ShowReportAbuseSafetyChanges": "Enabled",
     "NuGetGallery.ComputeTargetFramework": "Enabled",
-    "NuGetGallery.NewAccount2FAEnforcement": "Disabled"
+    "NuGetGallery.NewAccount2FAEnforcement": "Disabled",
+    "NuGetGallery.NuGetAccountPasswordLogin": "Enabled"
   },
   "Flights": {
     "NuGetGallery.TyposquattingFlight": {