Require event_name from GitHub Actions token and add configurable ban list (#10665)

Author: joelverhagen

src/NuGet.Services.Configuration/StringArrayConverter.cs

@@ -1,16 +1,15 @@
-// Copyright (c) .NET Foundation. All rights reserved. 
+// Copyright (c) .NET Foundation. All rights reserved. 
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. 
 
 using System;
 using System.ComponentModel;
 using System.Globalization;
+using System.Linq;
 
 namespace NuGet.Services.Configuration
 {
     public class StringArrayConverter : ArrayConverter
     {
-        private static readonly string[] EmptyArray = new string[0];
-
         public override bool CanConvertFrom(ITypeDescriptorContext context, Type sourceType)
         {
             if (sourceType == typeof(string))
@@ -23,16 +22,20 @@ public override bool CanConvertFrom(ITypeDescriptorContext context, Type sourceT
 
         public override object ConvertFrom(ITypeDescriptorContext context, CultureInfo culture, object value)
         {
-            var s = value as string;
-            if (s != null)
+            if (value is null)
+            {
+                return Array.Empty<string>();
+            }
+
+            if (value is string s)
             {
-                if (s == string.Empty)
+                if (string.IsNullOrWhiteSpace(s))
                 {
-                    return EmptyArray;
+                    return Array.Empty<string>();
                 }
                 else
                 {
-                    return s.Split(';');
+                    return s.Split(';').Select(x => x.Trim()).Where(x => x.Length > 0).ToArray();
                 }
             }
 

src/NuGetGallery.Services/Authentication/Federated/FederatedCredentialConfiguration.cs

@@ -42,18 +42,30 @@ public interface IFederatedCredentialConfiguration
         /// Values are separated by a semicolon when provided in the configuration file.
         /// </summary>
         string[] AllowedEntraIdTenants { get; }
+
+        /// <summary>
+        /// Event names in GitHub Actions that are not allowed to be used for OIDC tokens.
+        /// This act as an additional safeguard against misconfigured workflows.
+        /// Full list of events: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows
+        /// </summary>
+
+        string[] BannedGitHubActionsEvents { get; }
     }
 
     public class FederatedCredentialConfiguration : IFederatedCredentialConfiguration
     {
         public bool EnableTokenApi { get; set; }
 
         public string? EntraIdAudience { get; set; }
+
         public string? NuGetAudience { get; set; }
 
         public TimeSpan ShortLivedApiKeyDuration { get; set; } = TimeSpan.FromMinutes(15);
 
         [TypeConverter(typeof(StringArrayConverter))]
         public string[] AllowedEntraIdTenants { get; set; } = [];
+
+        [TypeConverter(typeof(StringArrayConverter))]
+        public string[] BannedGitHubActionsEvents { get; set; } = [];
     }
 }

src/NuGetGallery.Services/Authentication/Federated/GitHubTokenPolicyValidator.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Data.Entity.Infrastructure;
 using System.IO;
+using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Protocols;
@@ -35,6 +36,7 @@ public class GitHubTokenPolicyValidator : TokenPolicyValidator
         private const string EnvironmentClaim = "environment";
         private const string RepositoryOwnerIdClaim = "repository_owner_id";
         private const string RepositoryIdClaim = "repository_id";
+        private const string EventNameClaim = "event_name";
         private const string HttpsPrefix = "https://";
         private const string GitHubPrefix = "github.com/";
         private const string WorkflowPrefix = ".github/workflows/";
@@ -177,10 +179,41 @@ public override async Task<FederatedCredentialPolicyResult> EvaluatePolicyAsync(
                 return FederatedCredentialPolicyResult.NotApplicable;
             }
 
+            // Check for required claims
+            string? error = TryGetRequiredClaim(jwt, RepositoryClaim, out _);
+            if (error != null)
+            {
+                return FederatedCredentialPolicyResult.Unauthorized(error, isErrorDisclosable: true);
+            }
+
+            error = TryGetRequiredClaim(jwt, RepositoryOwnerClaim, out _);
+            if (error != null)
+            {
+                return FederatedCredentialPolicyResult.Unauthorized(error, isErrorDisclosable: true);
+            }
+
+            error = TryGetRequiredClaim(jwt, RepositoryOwnerIdClaim, out string repositoryOwnerId);
+            if (error != null)
+            {
+                return FederatedCredentialPolicyResult.Unauthorized(error, isErrorDisclosable: true);
+            }
+
+            error = TryGetRequiredClaim(jwt, RepositoryIdClaim, out string repositoryId);
+            if (error != null)
+            {
+                return FederatedCredentialPolicyResult.Unauthorized(error, isErrorDisclosable: true);
+            }
+
+            error = TryGetRequiredClaim(jwt, EventNameClaim, out string eventName);
+            if (error != null)
+            {
+                return FederatedCredentialPolicyResult.Unauthorized(error, isErrorDisclosable: true);
+            }
+
             var criteria = GitHubCriteria.FromDatabaseJson(policy.Criteria);
 
             // Validate required GitHub criterias first
-            string? error = ValidateClaimExactMatch(jwt, RepositoryOwnerClaim, criteria.RepositoryOwner, StringComparison.OrdinalIgnoreCase);
+            error = ValidateClaimExactMatch(jwt, RepositoryOwnerClaim, criteria.RepositoryOwner, StringComparison.OrdinalIgnoreCase);
             if (error != null)
             {
                 return FederatedCredentialPolicyResult.Unauthorized(error);
@@ -203,19 +236,6 @@ public override async Task<FederatedCredentialPolicyResult> EvaluatePolicyAsync(
                         isErrorDisclosable: true);
                 }
 
-                // Get repo and owner IDs from the token
-                error = TryGetRequiredClaim(jwt, RepositoryOwnerIdClaim, out string repositoryOwnerId);
-                if (error != null)
-                {
-                    return FederatedCredentialPolicyResult.Unauthorized(error);
-                }
-
-                error = TryGetRequiredClaim(jwt, RepositoryIdClaim, out string repositoryId);
-                if (error != null)
-                {
-                    return FederatedCredentialPolicyResult.Unauthorized(error);
-                }
-
                 // Update the policy with the repo and owner IDs
                 criteria.RepositoryOwnerId = repositoryOwnerId;
                 criteria.RepositoryId = repositoryId;
@@ -266,6 +286,15 @@ public override async Task<FederatedCredentialPolicyResult> EvaluatePolicyAsync(
             // IMPORTANT. By now we validated repo owner and repo. Including IDs.
             // From now on we can report errors as disclosable.
 
+            // Reject banned events
+            if (_configuration.BannedGitHubActionsEvents is not null
+                && _configuration.BannedGitHubActionsEvents.Contains(eventName, StringComparer.OrdinalIgnoreCase))
+            {
+                return FederatedCredentialPolicyResult.Unauthorized(
+                    $"The GitHub Actions event '{eventName}' is not allowed.",
+                    isErrorDisclosable: true);
+            }
+
             // Get workflow ref, e.g. "contoso/contoso-sdk/.github/workflows/release.yml@refs/heads/main"
             error = TryGetRequiredClaim(jwt, JobWorkflowRefClaim, out string workflowRef);
             if (error != null)

tests/NuGet.Services.Configuration.Tests/StringArrayConverterFacts.cs

@@ -1,8 +1,10 @@
-// Copyright (c) .NET Foundation. All rights reserved. 
+// Copyright (c) .NET Foundation. All rights reserved. 
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. 
 
 using Xunit;
 
+#nullable enable
+
 namespace NuGet.Services.Configuration.Tests
 {
     public class StringArrayConverterFacts
@@ -23,15 +25,14 @@ public void SplitsStringBySemicolon()
             var output = target.ConvertFrom("foo;bar  ;  baz");
 
             var array = Assert.IsType<string[]>(output);
-            Assert.Equal(new[] { "foo", "bar  ", "  baz" }, array);
+            Assert.Equal(new[] { "foo", "bar", "baz" }, array);
         }
 
         [Theory]
         [InlineData("foo")]
         [InlineData("foo bar")]
         [InlineData("foo|bar")]
         [InlineData("foo,bar")]
-        [InlineData("   ")]
         public void ReturnsSingleStringWhenThereIsNoDelimeter(string input)
         {
             var target = new StringArrayConverter();
@@ -42,12 +43,15 @@ public void ReturnsSingleStringWhenThereIsNoDelimeter(string input)
             Assert.Equal(new[] { input }, array);
         }
 
-        [Fact]
-        public void ReturnsEmptyArrayWithEmpty()
+        [Theory]
+        [InlineData(null)]
+        [InlineData("")]
+        [InlineData("   ")]
+        public void ReturnsEmptyArrayWithEmpty(string? input)
         {
             var target = new StringArrayConverter();
 
-            var output = target.ConvertFrom(string.Empty);
+            var output = target.ConvertFrom(input);
 
             var array = Assert.IsType<string[]>(output);
             Assert.Empty(array);

tests/NuGetGallery.Facts/Authentication/Federated/GitHubTokenPolicyValidatorFacts.cs

@@ -30,7 +30,8 @@ public class TokenTestHelper
             { "repository_id", "id-456" },
             { "job_workflow_ref", "test-owner/test-repo/.github/workflows/test.yml@refs/heads/main" },
             { "environment", "production" },
-            { "jti", "test-token-id" }
+            { "jti", "test-token-id" },
+            { "event_name", "release"  },
         };
 
         public const string PermanentPolicyCriteria = """
@@ -589,6 +590,7 @@ public async Task RejectsExpiredTemporaryPolicy()
             [InlineData("repository_owner_id")]
             [InlineData("repository")]
             [InlineData("repository_id")]
+            [InlineData("event_name")]
             public async Task RejectsMissingRequiredClaim(string claim)
             {
                 // Arrange
@@ -609,13 +611,37 @@ public async Task RejectsMissingRequiredClaim(string claim)
 
                 // Assert
                 Assert.Equal(FederatedCredentialPolicyResultType.Unauthorized, resultEmpty.Type);
-                Assert.False(resultEmpty.IsErrorDisclosable);
+                Assert.True(resultEmpty.IsErrorDisclosable);
                 Assert.Contains(claim, resultEmpty.Error);
                 Assert.Equal(FederatedCredentialPolicyResultType.Unauthorized, resultMissing.Type);
-                Assert.False(resultMissing.IsErrorDisclosable);
+                Assert.True(resultMissing.IsErrorDisclosable);
                 Assert.Contains(claim, resultMissing.Error);
             }
 
+            [Fact]
+            public async Task RejectsBannedEventName()
+            {
+                // Arrange
+                var createdBy = new User("test-user");
+                var policy = new FederatedCredentialPolicy
+                {
+                    Type = FederatedCredentialType.GitHubActions,
+                    Criteria = TokenTestHelper.PermanentPolicyCriteria,
+                    CreatedBy = createdBy
+                };
+                Configuration.Setup(c => c.BannedGitHubActionsEvents).Returns(["bad_one"]);
+
+                var tokenWithBannedValue = TokenTestHelper.CreateTestJwtWithCustomClaimValue("event_name", "bad_one");
+
+                // Act
+                var result = await Target.EvaluatePolicyAsync(policy, tokenWithBannedValue);
+
+                // Assert
+                Assert.Equal(FederatedCredentialPolicyResultType.Unauthorized, result.Type);
+                Assert.True(result.IsErrorDisclosable);
+                Assert.Contains("bad_one", result.Error);
+            }
+
             [Theory]
             [InlineData("repository_owner", false)]
             [InlineData("repository_owner_id", false)]