[OIDC] DB migration for federated credentials, associate policy with API key (#10285)

Author: joelverhagen

src/NuGet.Services.Entities/Credential.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -86,10 +86,14 @@ public Credential(string type, string value, TimeSpan? expiration)
 
         public bool? WasCreatedSecurely { get; set; }
 
+        public int? FederatedCredentialPolicyKey { get; set; }
+
         public virtual User User { get; set; }
 
         public virtual ICollection<Scope> Scopes { get; set; }
 
+        public virtual FederatedCredentialPolicy FederatedCredentialPolicy { get; set; }
+
         [NotMapped]
         public bool HasExpired
         {

src/NuGetGallery.Core/Entities/EntitiesContext.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -84,6 +84,8 @@ public IDisposable WithQueryHint(string queryHint)
         public DbSet<PackageVulnerability> Vulnerabilities { get; set; }
         public DbSet<VulnerablePackageVersionRange> VulnerableRanges { get; set; }
         public DbSet<PackageRename> PackageRenames { get; set; }
+        public DbSet<FederatedCredentialPolicy> FederatedCredentialPolicies { get; set; }
+        public DbSet<FederatedCredential> FederatedCredentials { get; set; }
 
         /// <summary>
         /// User or organization accounts.
@@ -558,6 +560,54 @@ protected override void OnModelCreating(DbModelBuilder modelBuilder)
                 .WithMany()
                 .HasForeignKey(r => r.ToPackageRegistrationKey)
                 .WillCascadeOnDelete(false);
+
+            modelBuilder.Entity<FederatedCredentialPolicy>()
+                .HasKey(x => x.Key);
+
+            modelBuilder.Entity<FederatedCredentialPolicy>()
+                .Property(x => x.Created)
+                .HasColumnType("datetime2");
+
+            modelBuilder.Entity<FederatedCredentialPolicy>()
+                .Property(x => x.LastMatched)
+                .IsOptional()
+                .HasColumnType("datetime2");
+
+            modelBuilder.Entity<FederatedCredentialPolicy>()
+                .HasRequired(x => x.CreatedBy)
+                .WithMany()
+                .HasForeignKey(x => x.CreatedByUserKey)
+                .WillCascadeOnDelete(false); // users are only soft deleted today
+
+            modelBuilder.Entity<FederatedCredentialPolicy>()
+                .HasRequired(x => x.PackageOwner)
+                .WithMany()
+                .HasForeignKey(x => x.PackageOwnerUserKey)
+                .WillCascadeOnDelete(false); // users are only soft deleted today
+
+            modelBuilder.Entity<FederatedCredentialPolicy>()
+                .HasMany(x => x.Credentials)
+                .WithOptional(c => c.FederatedCredentialPolicy)
+                .WillCascadeOnDelete(false); // deletion must be done explicitly to improve per-credential auditing
+
+            modelBuilder.Entity<FederatedCredential>()
+                .HasKey(x => x.Key);
+
+            modelBuilder.Entity<FederatedCredential>()
+                .Property(x => x.Created)
+                .HasColumnType("datetime2");
+
+            modelBuilder.Entity<FederatedCredential>()
+                .Property(x => x.Expires)
+                .IsOptional()
+                .HasColumnType("datetime2");
+
+            modelBuilder.Entity<FederatedCredential>()
+                .HasIndex(x => x.Identity)
+                .IsUnique();
+
+            modelBuilder.Entity<FederatedCredential>()
+                .HasIndex(x => x.FederatedCredentialPolicyKey);
         }
 
 #pragma warning restore 618
@@ -578,4 +628,4 @@ public void Dispose()
             }
         }
     }
-}
+}

src/NuGetGallery.Services/Authentication/CredentialBuilder.cs

@@ -45,6 +45,7 @@ public Credential CreateShortLivedApiKey(TimeSpan expiration, FederatedCredentia
             // Tracking: https://github.com/NuGet/NuGetGallery/issues/10212
             var credential = CreateApiKey(expiration, out plaintextApiKey);
 
+            credential.FederatedCredentialPolicy = policy;
             credential.Description = "Short-lived API key generated via a federated credential";
             credential.Scopes = [new Scope(policy.PackageOwner, NuGetPackagePattern.AllInclusivePattern, NuGetScopes.All)];
 

src/NuGetGallery/Migrations/202410302050035_AddFederatedCredentials.Designer.cs

@@ -0,0 +1,63 @@
+namespace NuGetGallery.Migrations
+{
+    using System;
+    using System.Data.Entity.Migrations;
+    
+    public partial class AddFederatedCredentials : DbMigration
+    {
+        public override void Up()
+        {
+            CreateTable(
+                "dbo.FederatedCredentialPolicies",
+                c => new
+                    {
+                        Key = c.Int(nullable: false, identity: true),
+                        Created = c.DateTime(nullable: false, precision: 7, storeType: "datetime2"),
+                        LastMatched = c.DateTime(precision: 7, storeType: "datetime2"),
+                        TypeKey = c.Int(nullable: false),
+                        Criteria = c.String(nullable: false),
+                        CreatedByUserKey = c.Int(nullable: false),
+                        PackageOwnerUserKey = c.Int(nullable: false),
+                    })
+                .PrimaryKey(t => t.Key)
+                .ForeignKey("dbo.Users", t => t.CreatedByUserKey)
+                .ForeignKey("dbo.Users", t => t.PackageOwnerUserKey)
+                .Index(t => t.CreatedByUserKey)
+                .Index(t => t.PackageOwnerUserKey);
+            
+            CreateTable(
+                "dbo.FederatedCredentials",
+                c => new
+                    {
+                        Key = c.Int(nullable: false, identity: true),
+                        TypeKey = c.Int(nullable: false),
+                        FederatedCredentialPolicyKey = c.Int(nullable: false),
+                        Identity = c.String(maxLength: 64),
+                        Created = c.DateTime(nullable: false, precision: 7, storeType: "datetime2"),
+                        Expires = c.DateTime(precision: 7, storeType: "datetime2"),
+                    })
+                .PrimaryKey(t => t.Key)
+                .Index(t => t.FederatedCredentialPolicyKey)
+                .Index(t => t.Identity, unique: true);
+            
+            AddColumn("dbo.Credentials", "FederatedCredentialPolicyKey", c => c.Int());
+            CreateIndex("dbo.Credentials", "FederatedCredentialPolicyKey");
+            AddForeignKey("dbo.Credentials", "FederatedCredentialPolicyKey", "dbo.FederatedCredentialPolicies", "Key");
+        }
+        
+        public override void Down()
+        {
+            DropForeignKey("dbo.FederatedCredentialPolicies", "PackageOwnerUserKey", "dbo.Users");
+            DropForeignKey("dbo.Credentials", "FederatedCredentialPolicyKey", "dbo.FederatedCredentialPolicies");
+            DropForeignKey("dbo.FederatedCredentialPolicies", "CreatedByUserKey", "dbo.Users");
+            DropIndex("dbo.FederatedCredentials", new[] { "Identity" });
+            DropIndex("dbo.FederatedCredentials", new[] { "FederatedCredentialPolicyKey" });
+            DropIndex("dbo.FederatedCredentialPolicies", new[] { "PackageOwnerUserKey" });
+            DropIndex("dbo.FederatedCredentialPolicies", new[] { "CreatedByUserKey" });
+            DropIndex("dbo.Credentials", new[] { "FederatedCredentialPolicyKey" });
+            DropColumn("dbo.Credentials", "FederatedCredentialPolicyKey");
+            DropTable("dbo.FederatedCredentials");
+            DropTable("dbo.FederatedCredentialPolicies");
+        }
+    }
+}

src/NuGetGallery/Migrations/202410302050035_AddFederatedCredentials.cs

@@ -347,6 +347,10 @@
     <Compile Include="Migrations\202205300006043_Int64PackageDownloadCount.designer.cs">
       <DependentUpon>202205300006043_Int64PackageDownloadCount.cs</DependentUpon>
     </Compile>
+    <Compile Include="Migrations\202410302050035_AddFederatedCredentials.cs" />
+    <Compile Include="Migrations\202410302050035_AddFederatedCredentials.Designer.cs">
+      <DependentUpon>202410302050035_AddFederatedCredentials.cs</DependentUpon>
+    </Compile>
     <Compile Include="Modules\CookieComplianceHttpModule.cs" />
     <Compile Include="RequestModels\DeletePackagesApiRequest.cs" />
     <Compile Include="RequestModels\UpdateListedRequest.cs" />
@@ -1707,6 +1711,9 @@
     <EmbeddedResource Include="Migrations\202205300006043_Int64PackageDownloadCount.resx">
       <DependentUpon>202205300006043_Int64PackageDownloadCount.cs</DependentUpon>
     </EmbeddedResource>
+    <EmbeddedResource Include="Migrations\202410302050035_AddFederatedCredentials.resx">
+      <DependentUpon>202410302050035_AddFederatedCredentials.cs</DependentUpon>
+    </EmbeddedResource>
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv1packages.json" />
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv1search.json" />
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv2getupdates.json" />