Push BuildScopes and VerifyScopes into ICredentialBuilder (#10213)

joelverhagen · web-flow · commit bac0448d60bb · 2024-10-09T19:20:35.000-04:00
* Push BuildScopes and VerifyScopes into ICredentialBuilder

This allows more code sharing for other places that create credentials.

* Fix typo
diff --git a/src/NuGetGallery.Services/Authentication/CredentialBuilder.cs b/src/NuGetGallery.Services/Authentication/CredentialBuilder.cs
@@ -1,7 +1,8 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Collections.Generic;
 using System.Linq;
 using NuGet.Services.Entities;
 using NuGetGallery.Authentication;
@@ -12,6 +13,14 @@ public class CredentialBuilder : ICredentialBuilder
     {
         public const string LatestPasswordType = CredentialTypes.Password.V3;
 
+        private static readonly IReadOnlyDictionary<string, IReadOnlyList<IActionRequiringEntityPermissions>> AllowedActionToActionRequiringEntityPermissionsMap = new Dictionary<string, IReadOnlyList<IActionRequiringEntityPermissions>>
+        {
+            { NuGetScopes.PackagePush, new IActionRequiringEntityPermissions[] { ActionsRequiringPermissions.UploadNewPackageId, ActionsRequiringPermissions.UploadNewPackageVersion } },
+            { NuGetScopes.PackagePushVersion, new [] { ActionsRequiringPermissions.UploadNewPackageVersion } },
+            { NuGetScopes.PackageUnlist, new [] { ActionsRequiringPermissions.UnlistOrRelistPackage } },
+            { NuGetScopes.PackageVerify, new [] { ActionsRequiringPermissions.VerifyPackage } },
+        };
+
         public Credential CreatePasswordCredential(string plaintextPassword)
         {
             return new Credential(
@@ -73,9 +82,81 @@ public Credential CreateExternalCredential(string issuer, string value, string i
             };
         }
 
+        public IList<Scope> BuildScopes(User scopeOwner, string[] scopes, string[] subjects)
+        {
+            var result = new List<Scope>();
+
+            var subjectsList = subjects?.Where(s => !string.IsNullOrWhiteSpace(s)).ToList() ?? new List<string>();
+
+            // No package filtering information was provided. So allow any pattern.
+            if (!subjectsList.Any())
+            {
+                subjectsList.Add(NuGetPackagePattern.AllInclusivePattern);
+            }
+
+            if (scopes != null)
+            {
+                foreach (var scope in scopes)
+                {
+                    result.AddRange(subjectsList.Select(subject => new Scope(scopeOwner, subject, scope)));
+                }
+            }
+            else
+            {
+                result.AddRange(subjectsList.Select(subject => new Scope(scopeOwner, subject, NuGetScopes.All)));
+            }
+
+            return result;
+        }
+
+        public bool VerifyScopes(User currentUser, IEnumerable<Scope> scopes)
+        {
+            if (!scopes.Any())
+            {
+                // All API keys must have at least one scope.
+                return false;
+            }
+
+            foreach (var scope in scopes)
+            {
+                if (string.IsNullOrEmpty(scope.AllowedAction))
+                {
+                    // All scopes must have an allowed action.
+                    return false;
+                }
+
+                // Get the list of actions allowed by this scope.
+                var actions = new List<IActionRequiringEntityPermissions>();
+                foreach (var allowedAction in AllowedActionToActionRequiringEntityPermissionsMap.Keys)
+                {
+                    if (scope.AllowsActions(allowedAction))
+                    {
+                        actions.AddRange(AllowedActionToActionRequiringEntityPermissionsMap[allowedAction]);
+                    }
+                }
+
+                if (!actions.Any())
+                {
+                    // A scope should allow at least one action.
+                    return false;
+                }
+
+                foreach (var action in actions)
+                {
+                    if (!action.IsAllowedOnBehalfOfAccount(currentUser, scope.Owner))
+                    {
+                        // The user must be able to perform the actions allowed by the scope on behalf of the scope's owner.
+                        return false;
+                    }
+                }
+            }
+
+            return true;
+        }
+
         private static string CreateKeyString()
         {
             return Guid.NewGuid().ToString().ToLowerInvariant();
         }
     }
-}
+}
diff --git a/src/NuGetGallery.Services/Authentication/IAuthenticationService.cs b/src/NuGetGallery.Services/Authentication/IAuthenticationService.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Threading.Tasks;
@@ -43,5 +43,12 @@ public interface IAuthenticationService
         /// </summary>
         /// <returns>Returns whether the API key credential is active or not</returns>
         bool IsActiveApiKeyCredential(Credential credential);
+
+        /// <summary>
+        /// Adds a new credential to the user. This method saves changes in the entity context.
+        /// </summary>
+        /// <param name="user">The user who owns the credential.</param>
+        /// <param name="credential">The credential to be added.</param>
+        Task AddCredential(User user, Credential credential);
     }
-}
+}
diff --git a/src/NuGetGallery.Services/Authentication/ICredentialBuilder.cs b/src/NuGetGallery.Services/Authentication/ICredentialBuilder.cs
@@ -1,7 +1,8 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Collections.Generic;
 using NuGet.Services.Entities;
 
 namespace NuGetGallery.Infrastructure.Authentication
@@ -15,5 +16,9 @@ public interface ICredentialBuilder
         Credential CreatePackageVerificationApiKey(Credential originalApiKey, string id);
 
         Credential CreateExternalCredential(string issuer, string value, string identity, string tenantId = null);
+
+        IList<Scope> BuildScopes(User scopeOwner, string[] scopes, string[] subjects);
+
+        bool VerifyScopes(User currentUser, IEnumerable<Scope> scopes);
     }
 }
diff --git a/src/NuGetGallery/Controllers/UsersController.cs b/src/NuGetGallery/Controllers/UsersController.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -1025,8 +1025,8 @@ public virtual async Task<JsonResult> GenerateApiKey(string description, string
                 return Json(Strings.UserNotFound);
             }
 
-            var resolvedScopes = BuildScopes(scopeOwner, scopes, subjects);
-            if (!VerifyScopes(resolvedScopes))
+            var resolvedScopes = _credentialBuilder.BuildScopes(scopeOwner, scopes, subjects);
+            if (!_credentialBuilder.VerifyScopes(GetCurrentUser(), resolvedScopes))
             {
                 Response.StatusCode = (int)HttpStatusCode.BadRequest;
                 return Json(Strings.ApiKeyScopesNotAllowed);
@@ -1079,7 +1079,7 @@ public virtual async Task<JsonResult> EditCredential(string credentialType, int?
 
             var scopeOwner = cred.Scopes.GetOwnerScope();
             var scopes = cred.Scopes.Select(x => x.AllowedAction).Distinct().ToArray();
-            var newScopes = BuildScopes(scopeOwner, scopes, subjects);
+            var newScopes = _credentialBuilder.BuildScopes(scopeOwner, scopes, subjects);
 
             await AuthenticationService.EditCredentialScopes(user, cred, newScopes);
 
@@ -1111,86 +1111,6 @@ private async Task<CredentialViewModel> GenerateApiKeyInternal(string descriptio
             return credentialViewModel;
         }
 
-        private static IDictionary<string, IActionRequiringEntityPermissions[]> AllowedActionToActionRequiringEntityPermissionsMap = new Dictionary<string, IActionRequiringEntityPermissions[]>
-        {
-            { NuGetScopes.PackagePush, new IActionRequiringEntityPermissions[] { ActionsRequiringPermissions.UploadNewPackageId, ActionsRequiringPermissions.UploadNewPackageVersion } },
-            { NuGetScopes.PackagePushVersion, new [] { ActionsRequiringPermissions.UploadNewPackageVersion } },
-            { NuGetScopes.PackageUnlist, new [] { ActionsRequiringPermissions.UnlistOrRelistPackage } },
-            { NuGetScopes.PackageVerify, new [] { ActionsRequiringPermissions.VerifyPackage } },
-        };
-
-        private bool VerifyScopes(IEnumerable<Scope> scopes)
-        {
-            if (!scopes.Any())
-            {
-                // All API keys must have at least one scope.
-                return false;
-            }
-
-            foreach (var scope in scopes)
-            {
-                if (string.IsNullOrEmpty(scope.AllowedAction))
-                {
-                    // All scopes must have an allowed action.
-                    return false;
-                }
-
-                // Get the list of actions allowed by this scope.
-                var actions = new List<IActionRequiringEntityPermissions>();
-                foreach (var allowedAction in AllowedActionToActionRequiringEntityPermissionsMap.Keys)
-                {
-                    if (scope.AllowsActions(allowedAction))
-                    {
-                        actions.AddRange(AllowedActionToActionRequiringEntityPermissionsMap[allowedAction]);
-                    }
-                }
-
-                if (!actions.Any())
-                {
-                    // A scope should allow at least one action.
-                    return false;
-                }
-
-                foreach (var action in actions)
-                {
-                    if (!action.IsAllowedOnBehalfOfAccount(GetCurrentUser(), scope.Owner))
-                    {
-                        // The user must be able to perform the actions allowed by the scope on behalf of the scope's owner.
-                        return false;
-                    }
-                }
-            }
-
-            return true;
-        }
-
-        private IList<Scope> BuildScopes(User scopeOwner, string[] scopes, string[] subjects)
-        {
-            var result = new List<Scope>();
-
-            var subjectsList = subjects?.Where(s => !string.IsNullOrWhiteSpace(s)).ToList() ?? new List<string>();
-
-            // No package filtering information was provided. So allow any pattern.
-            if (!subjectsList.Any())
-            {
-                subjectsList.Add(NuGetPackagePattern.AllInclusivePattern);
-            }
-
-            if (scopes != null)
-            {
-                foreach (var scope in scopes)
-                {
-                    result.AddRange(subjectsList.Select(subject => new Scope(scopeOwner, subject, scope)));
-                }
-            }
-            else
-            {
-                result.AddRange(subjectsList.Select(subject => new Scope(scopeOwner, subject, NuGetScopes.All)));
-            }
-
-            return result;
-        }
-
         private static IList<Scope> BuildScopes(IEnumerable<Scope> scopes)
         {
             return scopes.Select(scope => new Scope(scope.Owner, scope.Subject, scope.AllowedAction)).ToList();
