[OIDC] Emit audit records during token exchange and policy admin (#10305)

Author: joelverhagen

src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialPolicyEvaluator.cs

@@ -11,6 +11,7 @@
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;
 using NuGet.Services.Entities;
+using NuGetGallery.Auditing;
 
 #nullable enable
 
@@ -24,15 +25,18 @@ public interface IFederatedCredentialPolicyEvaluator
     public class FederatedCredentialPolicyEvaluator : IFederatedCredentialPolicyEvaluator
     {
         private readonly IEntraIdTokenValidator _entraIdTokenValidator;
+        private readonly IAuditingService _auditingService;
         private readonly IDateTimeProvider _dateTimeProvider;
         private readonly ILogger<FederatedCredentialPolicyEvaluator> _logger;
 
         public FederatedCredentialPolicyEvaluator(
             IEntraIdTokenValidator entraIdTokenValidator,
+            IAuditingService auditingService,
             IDateTimeProvider dateTimeProvider,
             ILogger<FederatedCredentialPolicyEvaluator> logger)
         {
             _entraIdTokenValidator = entraIdTokenValidator ?? throw new ArgumentNullException(nameof(entraIdTokenValidator));
+            _auditingService = auditingService ?? throw new ArgumentNullException(nameof(auditingService));
             _dateTimeProvider = dateTimeProvider ?? throw new ArgumentNullException(nameof(dateTimeProvider));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
         }
@@ -43,6 +47,9 @@ public async Task<EvaluatedFederatedCredentialPolicies> GetMatchingPolicyAsync(I
             // the error message is user-facing and should not leak sensitive information
             var (userError, jwtInfo) = await ValidateJwtByIssuer(bearerToken);
 
+            var externalCredentialAudit = jwtInfo.CreateAuditRecord();
+            await AuditExternalCredentialAsync(externalCredentialAudit);
+
             if (userError is not null)
             {
                 _logger.LogInformation("The bearer token could not be validated. Reason: {UserError}", userError);
@@ -64,6 +71,7 @@ public async Task<EvaluatedFederatedCredentialPolicies> GetMatchingPolicyAsync(I
                 results.Add(result);
 
                 var success = result.Type == FederatedCredentialPolicyResultType.Success;
+                await AuditPolicyComparisonAsync(externalCredentialAudit, policy, success);
                 if (success)
                 {
                     return EvaluatedFederatedCredentialPolicies.NewMatchedPolicy(results, result.Policy, result.FederatedCredential);
@@ -73,6 +81,19 @@ public async Task<EvaluatedFederatedCredentialPolicies> GetMatchingPolicyAsync(I
             return EvaluatedFederatedCredentialPolicies.NoMatchingPolicy(results);
         }
 
+        private async Task AuditPolicyComparisonAsync(ExternalSecurityTokenAuditRecord externalCredentialAudit, FederatedCredentialPolicy policy, bool success)
+        {
+            await _auditingService.SaveAuditRecordAsync(FederatedCredentialPolicyAuditRecord.Compare(
+                policy,
+                externalCredentialAudit,
+                success));
+        }
+
+        private async Task AuditExternalCredentialAsync(ExternalSecurityTokenAuditRecord externalCredentialAudit)
+        {
+            await _auditingService.SaveAuditRecordAsync(externalCredentialAudit);
+        }
+
         private FederatedCredentialPolicyResult EvaluatePolicy(FederatedCredentialPolicy policy, JwtInfo info)
         {
             // Evaluate the policy and return an unauthorized result if the policy does not match.
@@ -123,6 +144,23 @@ private class JwtInfo
             public string? Identifier { get; set; }
 
             public FederatedCredentialIssuerType IssuerType { get; set; } = FederatedCredentialIssuerType.Unsupported;
+
+            public ExternalSecurityTokenAuditRecord CreateAuditRecord()
+            {
+                var payload = Jwt?.EncodedPayload;
+                string? claims = null;
+                if (!string.IsNullOrWhiteSpace(payload))
+                {
+                    claims = Base64UrlEncoder.Decode(payload);
+                }
+
+                return new ExternalSecurityTokenAuditRecord(
+                    IsValid ? AuditedExternalSecurityTokenAction.Validated : AuditedExternalSecurityTokenAction.Rejected,
+                    IssuerType,
+                    Jwt?.Issuer,
+                    claims,
+                    Identifier);
+            }
         }
 
         /// <summary>

src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialService.cs

@@ -6,6 +6,7 @@
 using System.Text.Json;
 using System.Threading.Tasks;
 using NuGet.Services.Entities;
+using NuGetGallery.Auditing;
 using NuGetGallery.Authentication;
 using NuGetGallery.Infrastructure.Authentication;
 
@@ -50,6 +51,7 @@ public class FederatedCredentialService : IFederatedCredentialService
         private readonly IEntraIdTokenValidator _entraIdTokenValidator;
         private readonly ICredentialBuilder _credentialBuilder;
         private readonly IAuthenticationService _authenticationService;
+        private readonly IAuditingService _auditingService;
         private readonly IDateTimeProvider _dateTimeProvider;
         private readonly IFeatureFlagService _featureFlagService;
         private readonly IFederatedCredentialConfiguration _configuration;
@@ -61,6 +63,7 @@ public FederatedCredentialService(
             IEntraIdTokenValidator entraIdTokenValidator,
             ICredentialBuilder credentialBuilder,
             IAuthenticationService authenticationService,
+            IAuditingService auditingService,
             IDateTimeProvider dateTimeProvider,
             IFeatureFlagService featureFlagService,
             IFederatedCredentialConfiguration configuration)
@@ -71,6 +74,7 @@ public FederatedCredentialService(
             _entraIdTokenValidator = entraIdTokenValidator ?? throw new ArgumentNullException(nameof(EntraIdTokenValidator));
             _credentialBuilder = credentialBuilder ?? throw new ArgumentNullException(nameof(credentialBuilder));
             _authenticationService = authenticationService ?? throw new ArgumentNullException(nameof(authenticationService));
+            _auditingService = auditingService ?? throw new ArgumentNullException(nameof(auditingService));
             _dateTimeProvider = dateTimeProvider ?? throw new ArgumentNullException(nameof(dateTimeProvider));
             _featureFlagService = featureFlagService ?? throw new ArgumentNullException(nameof(featureFlagService));
             _configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
@@ -112,6 +116,8 @@ public async Task<AddFederatedCredentialPolicyResult> AddEntraIdServicePrincipal
 
             await _repository.AddPolicyAsync(policy, saveChanges: true);
 
+            await _auditingService.SaveAuditRecordAsync(FederatedCredentialPolicyAuditRecord.Create(policy));
+
             return AddFederatedCredentialPolicyResult.Created(policy);
         }
 
@@ -123,7 +129,13 @@ public async Task DeletePolicyAsync(FederatedCredentialPolicy policy)
                 await _authenticationService.RemoveCredential(policy.CreatedBy, credential, commitChanges: false);
             }
 
+            // Initialize the audit record before deletion so details are still available.
+            // Entity Framework unlinks navigation properties.
+            var auditRecord = FederatedCredentialPolicyAuditRecord.Delete(policy, credentials);
+
             await _repository.DeletePolicyAsync(policy, saveChanges: true);
+
+            await _auditingService.SaveAuditRecordAsync(auditRecord);
         }
 
         public async Task<GenerateApiKeyResult> GenerateApiKeyAsync(string username, string bearerToken)
@@ -204,9 +216,18 @@ private static GenerateApiKeyResult NoMatchingPolicy(string username)
             }
             catch (DataException ex) when (ex.IsSqlUniqueConstraintViolation())
             {
+                await _auditingService.SaveAuditRecordAsync(FederatedCredentialPolicyAuditRecord.RejectReplay(
+                    evaluation.MatchedPolicy,
+                    evaluation.FederatedCredential));
+
                 return GenerateApiKeyResult.Unauthorized("This bearer token has already been used. A new bearer token must be used for each request.");
             }
 
+            await _auditingService.SaveAuditRecordAsync(FederatedCredentialPolicyAuditRecord.ExchangeForApiKey(
+                evaluation.MatchedPolicy,
+                evaluation.FederatedCredential,
+                apiKeyCredential));
+
             return null;
         }